From 0595e6e8a98feba474dd01572026d41f392b4a87 Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Fri, 16 Jan 2015 13:35:26 -0800
Subject: [PATCH] QENG-1678 - Need to stop iptables to install ipset Firewalls are fun :)
---
 spec/acceptance/firewall_spec.rb | 41 ++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 8f1769542..92df09390 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -1450,13 +1450,28 @@ class { '::firewall': }
 end
 #ip6tables only supports ipset, addrtype, and mask on a limited set of platforms
- if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
- describe 'ipset' do
- it 'applies' do
- pp = <<-EOS
- package { 'ipset': ensure => present }
+ if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-14\.04/
+ #ipset is really difficult to test, just testing on one platform
+ if default['platform'] =~ /ubuntu-14\.04/
+ describe 'ipset' do
+ it 'applies' do
+ pp = <<-EOS
+ exec { 'hackery pt 1':
+ command => 'service iptables-persistent flush',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ package { 'ipset':
+ ensure => present,
+ require => Exec['hackery pt 1'],
+ }
+ exec { 'hackery pt 2':
+ command => 'service iptables-persistent start',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Package['ipset'],
+ }
+ class { '::firewall': }
 exec { 'create ipset':
- command => 'ipset create blacklist family inet6 hash:ip,port maxelem 1024 hashsize 65535 timeout 120',
+ command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120',
 path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
 require => Package['ipset'],
 }
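Review bot: The two added `exec` resources, 'hackery pt 1' and 'hackery pt 2', flush and then restart iptables-persistent with nothing in the manifest saying why, and the restore step only runs if `Package['ipset']` succeeds. If the package install fails, Puppet skips 'hackery pt 2', so the test host presumably keeps its persistent rules flushed for whatever examples run afterwards. I would add a comment above the first exec such as `# QENG-1678: iptables-persistent has to be flushed before ipset will install; 'hackery pt 2' restores it`, and give both resources descriptive titles in place of 'hackery pt N'. The `describe 'ipset'` block and the heredoc opened in this hunk continue past its end.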
@@ -1465,7 +1480,6 @@ class { '::firewall': }
 path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
 require => Exec['create ipset'],
 }
- class { '::firewall': }
 firewall { '612 - test':
 ensure => present,
 chain => 'INPUT',
@@ -1475,14 +1489,15 @@ class { '::firewall': }
 provider => 'ip6tables',
 require => Exec['add blacklist'],
 }
- EOS
+ EOS
- apply_manifest(pp, :catch_failures => true)
- end
+ apply_manifest(pp, :catch_failures => true)
+ end
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "612 - test" -m set --match-set blacklist src,src -j DROP/)
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "612 - test" -m set --match-set blacklist src,src -j DROP/)
+ end
 end
 end
 end