From 6aa59fc004b856ecce5a67768231cc857292fff9 Mon Sep 17 00:00:00 2001 
From: lnemsick-simp Date: Tue, 17 Nov 2020 15:20:04 -0500 Subject: [PATCH] (SIMP-8691) Does not manage service when use_firewalld=true on EL6 (#87) - Fixed a bug in which the iptables services and rules were not managed when iptables::use_firewalld was set to true on an EL6 system. - Maintenance - Removed unit test cruft left over from experimental firewalld support. - Split out firewalld suite into its own tests in the .gitlab-ci.yml so that individual test suite status could be more easily tracked. - Allow the default OEL nodeset to fail due to bugs in updating xt_recent with scanblock SIMP-8691 #close --- .gitlab-ci.yml | 72 +++++-- CHANGELOG | 9 + manifests/init.pp | 3 +- manifests/listen/all.pp | 2 +- manifests/listen/icmp.pp | 2 +- manifests/listen/tcp_stateful.pp | 2 +- manifests/listen/udp.pp | 2 +- manifests/rule.pp | 2 +- manifests/rules/mod_recent.pp | 1 - manifests/service.pp | 90 ++++---- metadata.json | 2 +- spec/acceptance/nodesets/default.yml | 4 - spec/acceptance/nodesets/oel.yml | 7 +- spec/acceptance/nodesets/rhel7.yml | 5 +- spec/acceptance/nodesets/rhel8.yml | 4 +- .../suites/firewalld/00_default_spec.rb | 72 ++++--- spec/classes/init_spec.rb | 83 ++++++-- spec/defines/listen/all_spec.rb | 65 ++++-- spec/defines/listen/firewalld/all_spec.rb | 138 ------------- spec/defines/listen/firewalld/icmp_spec.rb | 46 ----- .../listen/firewalld/tcp_stateful_spec.rb | 46 ----- spec/defines/listen/firewalld/udp_spec.rb | 46 ----- spec/defines/listen/icmp_spec.rb | 66 ++++-- spec/defines/listen/tcp_stateful_spec.rb | 172 ++++++++++------ spec/defines/listen/udp_spec.rb | 193 ++++++++++++------ spec/defines/rule_spec.rb | 38 +++- 26 files changed, 597 insertions(+), 575 deletions(-) delete mode 100644 spec/defines/listen/firewalld/all_spec.rb delete mode 100644 spec/defines/listen/firewalld/icmp_spec.rb delete mode 100644 spec/defines/listen/firewalld/tcp_stateful_spec.rb delete mode 100644 spec/defines/listen/firewalld/udp_spec.rb 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2824bde..ef0f5b1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -208,10 +208,10 @@ variables: BEAKER_PUPPET_COLLECTION: 'puppet6' MATRIX_RUBY_VERSION: '2.5' -.pup_6_16_0: &pup_6_16_0 +.pup_6_18_0: &pup_6_18_0 image: 'ruby:2.5' variables: - PUPPET_VERSION: '6.16.0' + PUPPET_VERSION: '6.18.0' BEAKER_PUPPET_COLLECTION: 'puppet6' MATRIX_RUBY_VERSION: '2.5' @@ -294,8 +294,8 @@ pup6-unit: <<: *unit_tests <<: *with_SIMP_SPEC_MATRIX_LEVEL_2 -pup6.16.0-unit: - <<: *pup_6_16_0 +pup6.18.0-unit: + <<: *pup_6_18_0 <<: *unit_tests # ------------------------------------------------------------------------------ 
@@ -312,60 +312,96 @@ pup5.5.20: <<: *pup_5_5_20 <<: *acceptance_base script: - - 'bundle exec rake beaker:suites' + - 'bundle exec rake beaker:suites[default,default]' pup5.5.20-fips: <<: *pup_5_5_20 <<: *acceptance_base script: - - 'BEAKER_fips=yes bundle exec rake beaker:suites' + - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,default]' pup5.5.20-oel: + allow_failure: true <<: *pup_5_5_20 <<: *acceptance_base + <<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3 script: - 'bundle exec rake beaker:suites[default,oel]' pup5.5.20-oel-fips: + allow_failure: true <<: *pup_5_5_20 <<: *acceptance_base <<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3 script: - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,oel]' +pup5.5.20-firewalld: + <<: *pup_5_5_20 + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[firewalld,default]' + +pup5.5.20-oel-firewalld: + <<: *pup_5_5_20 + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[firewalld,oel]' + pup6: <<: *pup_6 <<: *acceptance_base script: - - 'bundle exec rake beaker:suites' + - 'bundle exec rake beaker:suites[default,default]' pup6-fips: <<: *pup_6 <<: *acceptance_base script: - - 'BEAKER_fips=yes bundle exec rake beaker:suites' + - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,default]' + +pup6-firewalld: + <<: *pup_6 + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[firewalld,default]' -pup6.16.0: - <<: *pup_6_16_0 +pup6.18.0: + <<: *pup_6_18_0 <<: *acceptance_base script: - - 'bundle exec rake beaker:suites' + - 'bundle exec rake beaker:suites[default,default]' -pup6.16.0-fips: - <<: *pup_6_16_0 +pup6.18.0-fips: + <<: *pup_6_18_0 <<: *acceptance_base script: - - 'BEAKER_fips=yes bundle exec rake beaker:suites' + - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,default]' -pup6.16.0-oel: - <<: *pup_6_16_0 +pup6.18.0-oel: + allow_failure: true + <<: *pup_6_18_0 <<: *acceptance_base + <<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3 script: - 'bundle exec rake 
beaker:suites[default,oel]' -pup6.16.0-oel-fips: - <<: *pup_6_16_0 +pup6.18.0-oel-fips: + allow_failure: true + <<: *pup_6_18_0 <<: *acceptance_base <<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3 script: - 'BEAKER_fips=yes bundle exec rake beaker:suites[default,oel]' + +pup6.18.0-firewalld: + <<: *pup_6_18_0 + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[firewalld,default]' + +pup6.18.0-oel-firewalld: + <<: *pup_6_18_0 + <<: *acceptance_base + script: + - 'bundle exec rake beaker:suites[firewalld,oel]' diff --git a/CHANGELOG b/CHANGELOG index 927109d..ae73498 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,12 @@ +* Mon Nov 16 2020 Liz Nemsick - 6.5.4 +- Fixed a bug in which the iptables services and rules were not + managed when iptables::use_firewalld was set to true on an + EL6 system. +- Fixed an ordering issue with setting `xt_recent` parameters that + could occur on OEL7 nodes. However, there are other issues + with `xt_recent` on OEL that may prevent this module from + working on OEL in some circumstances. + * Fri Oct 23 2020 Trevor Vaughan - 6.5.3 - Ensure that systems that do not have firewalld will not attempt to configure it. diff --git a/manifests/init.pp b/manifests/init.pp index ccd3820..9a3fe1f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -120,8 +120,9 @@ simplib::assert_metadata($module_name) + $firewalld_mode = ( 'firewalld' in pick($facts['simplib__firewalls'], 'none') ) and $use_firewalld if $enable != 'ignore' { - if ( 'firewalld' in pick($facts['simplib__firewalls'], 'none') ) and $use_firewalld { + if $firewalld_mode { simplib::assert_optional_dependency($module_name, 'simp/simp_firewalld') include 'simp_firewalld' diff --git a/manifests/listen/all.pp b/manifests/listen/all.pp index baf6e54..08ec996 100644 --- a/manifests/listen/all.pp +++ b/manifests/listen/all.pp 
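Review bot: The two new OEL firewalld jobs (`pup5.5.20-oel-firewalld`, `pup6.18.0-oel-firewalld`) carry neither `allow_failure: true` nor `<<: *with_SIMP_ACCEPTANCE_MATRIX_LEVEL_3`, while every other OEL job in this hunk now has both; if the xt_recent/scanblock problem the commit describes also affects the `firewalld` suite on the oel nodeset these jobs will fail hard, and if it does not, the asymmetry deserves a comment. `allow_failure: true` on a firewall module's acceptance jobs also means OEL regressions can merge green, so each occurrence should point at the tracking issue, e.g. `allow_failure: true  # xt_recent/scanblock bug on OEL, see <tracking-issue>`, so it is removed once the bug is fixed. The firewalld jobs also have no `-fips` variants, unlike the default-suite jobs; presumably deliberate, but worth a line of explanation.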
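Review bot: `$firewalld_mode` is now read from outside the class (`$iptables::firewalld_mode` in `iptables::rule` and the `iptables::listen::*` defines in this same patch) but carries no comment, and it is assigned above the `if $enable != 'ignore'` block, so it is defined even when enable is 'ignore'. A short comment at the assignment would make the contract explicit: `# True only when firewalld is actually present on the node AND the caller asked for it; iptables::rule and the listen::* defines read this to pick the backend, so a host without firewalld falls through to iptables regardless of use_firewalld.` The class header and its `@param` documentation are above the hunk, so I cannot see whether `use_firewalld` is documented as being ignored on hosts without firewalld; it should be.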
@@ -70,7 +70,7 @@ ){ include 'iptables' - if $iptables::use_firewalld { + if $iptables::firewalld_mode { simplib::assert_optional_dependency($module_name, 'simp/simp_firewalld') simp_firewalld::rule { "all_${name}": diff --git a/manifests/listen/icmp.pp b/manifests/listen/icmp.pp index 4640f8f..5a5a757 100644 --- a/manifests/listen/icmp.pp +++ b/manifests/listen/icmp.pp @@ -80,7 +80,7 @@ ) { include 'iptables' - if $iptables::use_firewalld { + if $iptables::firewalld_mode { simplib::assert_optional_dependency($module_name, 'simp/simp_firewalld') simp_firewalld::rule { "icmp_${name}": diff --git a/manifests/listen/tcp_stateful.pp b/manifests/listen/tcp_stateful.pp index 1769a72..b68e0f1 100644 --- a/manifests/listen/tcp_stateful.pp +++ b/manifests/listen/tcp_stateful.pp @@ -77,7 +77,7 @@ ) { include 'iptables' - if $iptables::use_firewalld { + if $iptables::firewalld_mode { simplib::assert_optional_dependency($module_name, 'simp/simp_firewalld') simp_firewalld::rule { "tcp_${name}": diff --git a/manifests/listen/udp.pp b/manifests/listen/udp.pp index d0f5dd2..b5aa657 100644 --- a/manifests/listen/udp.pp +++ b/manifests/listen/udp.pp @@ -77,7 +77,7 @@ ) { include 'iptables' - if $iptables::use_firewalld { + if $iptables::firewalld_mode { simplib::assert_optional_dependency($module_name, 'simp/simp_firewalld') simp_firewalld::rule { "udp_${name}": diff --git a/manifests/rule.pp b/manifests/rule.pp index 223b67b..69ac5c5 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -83,7 +83,7 @@ ) { include iptables - if $iptables::use_firewalld { + if $iptables::firewalld_mode { $_caller = simplib::caller() notify { 'iptables::rule with firewalld': diff --git a/manifests/rules/mod_recent.pp b/manifests/rules/mod_recent.pp index 9ac1725..eef1419 100644 --- a/manifests/rules/mod_recent.pp +++ b/manifests/rules/mod_recent.pp 
@@ -61,7 +61,6 @@ refreshonly => true } - Xt_recent['/sys/module/xt_recent/parameters'] -> File['/etc/modprobe.d/xt_recent.conf'] File['/etc/modprobe.d/xt_recent.conf'] ~> Exec['reload xt_recent'] ### End workaround for kernel panic diff --git a/manifests/service.pp b/manifests/service.pp index 9a63715..adfcfb0 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
@@ -15,64 +15,62 @@ ){ simplib::assert_metadata($module_name) - unless $iptables::use_firewalld { - if $enable != 'ignore' { - if $enable { - $_ensure = 'running' - $_enable = true - } - else { - $_ensure = 'stopped' - $_enable = false - } + if $enable != 'ignore' { + if $enable { + $_ensure = 'running' + $_enable = true + } + else { + $_ensure = 'stopped' + $_enable = false + } + + service { 'iptables': + ensure => $_ensure, + enable => $_enable, + hasrestart => false, + restart => '/sbin/iptables-restore /etc/sysconfig/iptables || ( /sbin/iptables-restore /etc/sysconfig/iptables.bak && exit 3 )', + hasstatus => true, + provider => 'redhat' + } + + service { 'iptables-retry': + enable => $_enable, + provider => 'redhat' + } - service { 'iptables': + if $ipv6 and $facts['ipv6_enabled'] { + service { 'ip6tables': ensure => $_ensure, enable => $_enable, hasrestart => false, - restart => '/sbin/iptables-restore /etc/sysconfig/iptables || ( /sbin/iptables-restore /etc/sysconfig/iptables.bak && exit 3 )', + restart => '/sbin/ip6tables-restore /etc/sysconfig/ip6tables || ( /sbin/ip6tables-restore /etc/sysconfig/ip6tables.bak && exit 3 )', hasstatus => true, + require => File['/etc/init.d/ip6tables'], provider => 'redhat' } - service { 'iptables-retry': - enable => $_enable, + service { 'ip6tables-retry': + enable => true, + require => File['/etc/init.d/ip6tables-retry'], provider => 'redhat' } + } - if $ipv6 and $facts['ipv6_enabled'] { - service { 'ip6tables': - ensure => $_ensure, - enable => $_enable, - hasrestart => false, - restart => '/sbin/ip6tables-restore /etc/sysconfig/ip6tables || ( /sbin/ip6tables-restore /etc/sysconfig/ip6tables.bak && exit 3 )', - hasstatus => true, - require => File['/etc/init.d/ip6tables'], - provider => 'redhat' - } - - service { 'ip6tables-retry': - enable => true, - require => File['/etc/init.d/ip6tables-retry'], - provider => 'redhat' - } - } - - # firewalld should be disabled - service{ 'firewalld': - ensure => 'stopped', - enable => 
false - } + # firewalld should be disabled + service{ 'firewalld': + ensure => 'stopped', + enable => false + } - exec { 'fully stop firewalld': - command => 'pkill firewalld', - onlyif => 'pgrep firewalld', - path => [ - '/bin', - '/usr/bin' - ], - require => Service['firewalld'] - } + exec { 'fully stop firewalld': + command => 'pkill firewalld', + onlyif => 'pgrep firewalld', + path => [ + '/bin', + '/usr/bin' + ], + require => Service['firewalld'] } } } diff --git a/metadata.json b/metadata.json index 9f9e74c..9b76830 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "simp-iptables", - "version": "6.5.3", + "version": "6.5.4", "author": "SIMP Team", "summary": "Safely manages IPTables firewall rules", "license": "Apache-2.0", diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml index ef07763..6f1538d 100644 --- a/spec/acceptance/nodesets/default.yml +++ b/spec/acceptance/nodesets/default.yml @@ -8,7 +8,6 @@ HOSTS: el7: roles: - - server7 - default - iptables - firewalld @@ -18,16 +17,13 @@ HOSTS: el6: roles: - - server6 - iptables - - firewalld platform: el-6-x86_64 box: centos/6 hypervisor: <%= hypervisor %> el8: roles: - - server8 - firewalld platform: el-8-x86_64 box: generic/centos8 diff --git a/spec/acceptance/nodesets/oel.yml b/spec/acceptance/nodesets/oel.yml index d14023a..9dc7904 100644 --- a/spec/acceptance/nodesets/oel.yml +++ b/spec/acceptance/nodesets/oel.yml @@ -8,22 +8,23 @@ HOSTS: oel7: roles: - - server7 - default + - iptables + - firewalld platform: el-7-x86_64 box: generic/oracle7 hypervisor: <%= hypervisor %> oel6: roles: - - server6 + - iptables platform: el-6-x86_64 box: onyxpoint/oel-6-x86_64 hypervisor: <%= hypervisor %> oel8: roles: - - server8 + - firewalld platform: el-8-x86_64 box: generic/oracle8 hypervisor: <%= hypervisor %> diff --git a/spec/acceptance/nodesets/rhel7.yml b/spec/acceptance/nodesets/rhel7.yml index 1647079..92f91cc 100644 
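Review bot: With the `unless $iptables::use_firewalld` wrapper gone, this class unconditionally stops and `pkill`s firewalld whenever `$enable != 'ignore'`; the firewalld decision now lives only in `iptables::init` (which selects `iptables::service` by `$firewalld_mode`), so anything that includes `iptables::service` directly would tear down a firewalld-managed host. A header comment should record that, e.g. `# NOTE: no firewalld guard here — iptables::init only includes this class when firewalld is not in use.` The class header is above the hunk. Two smaller things in the re-indented block: `ip6tables-retry` uses `enable => true` while `iptables-retry` follows `$_enable`, so the IPv6 retry service stays enabled even when `$enable` is false; and `pkill firewalld` / `pgrep firewalld` match process names by regex substring, so `pkill -x firewalld` / `pgrep -x firewalld` would avoid touching any other process whose name merely contains the string.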
--- a/spec/acceptance/nodesets/rhel7.yml +++ b/spec/acceptance/nodesets/rhel7.yml @@ -8,10 +8,9 @@ HOSTS: server-el7: roles: - - server - default - - master - - simp_server + - iptables + - firewalld platform: el-7-x86_64 box: generic/rhel7 hypervisor: <%= hypervisor %> diff --git a/spec/acceptance/nodesets/rhel8.yml b/spec/acceptance/nodesets/rhel8.yml index f9bacdd..5197fd4 100644 --- a/spec/acceptance/nodesets/rhel8.yml +++ b/spec/acceptance/nodesets/rhel8.yml @@ -8,10 +8,8 @@ HOSTS: server-el8: roles: - - server - default - - master - - simp_server + - firewalld platform: el-8-x86_64 box: generic/rhel8 hypervisor: <%= hypervisor %> diff --git a/spec/acceptance/suites/firewalld/00_default_spec.rb b/spec/acceptance/suites/firewalld/00_default_spec.rb index f634493..204fd3c 100644 --- a/spec/acceptance/suites/firewalld/00_default_spec.rb +++ b/spec/acceptance/suites/firewalld/00_default_spec.rb @@ -3,13 +3,13 @@ test_name "iptables class in firewalld mode" hosts.each do |host| - next unless host[:roles].include?('firewalld') - describe "iptables class #{host} in firewalld mode" do let(:default_manifest) { <<-EOS class { 'iptables': - enable => 'firewalld' + # Explicitly set this to verify that on el6 nodes the code + # 'does the right thing' even if the user configures otherwise. + use_firewalld => true } # Ironically, if iptables applies correctly, its default settings will @@ -31,7 +31,7 @@ class { 'iptables': apply_manifest_on(host, default_manifest, :catch_changes => true) end - if host.file_exist?('/etc/firewalld') + if host[:roles].include?('firewalld') it 'should have "99_simp" as the default zone' do default_zone = on(host, 'firewall-cmd --get-default-zone').output.strip expect(default_zone).to eq('99_simp') 
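Review bot: Dropping the `next unless host[:roles].include?('firewalld')` guard and forcing `use_firewalld => true` is what exercises the EL6 fix, but nothing in the hunk asserts the outcome on a host without the `firewalld` role: the default-zone check is now gated on that role, and no `else` branch verifies that iptables ended up managing the box. Consider an `else` branch with an example such as `expect(on(host, 'service iptables status').exit_code).to eq(0)` (or a check that firewalld is not running), so a regression of the bug this commit fixes is caught rather than passing silently. Gating on `host[:roles]` instead of `host.file_exist?('/etc/firewalld')` also moves the source of truth to the nodesets, so a nodeset that tags a host `firewalld` without the package installed will now fail on `firewall-cmd`; that looks intentional but is worth a comment next to the `if`. The `describe` block continues outside the hunk.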
@@ -49,47 +49,45 @@ class { 'iptables': end end - if host.file_exist?('/etc/firewalld') - context 'TCP listen' do - let(:manifest) { - <<-EOM - #{default_manifest} + context 'TCP listen' do + let(:manifest) { + <<-EOM + #{default_manifest} - iptables::listen::tcp_stateful { 'allow_tcp_listen': - trusted_nets => ['1.2.3.4/24', '3.4.5.6', '5.6.7.8/32'], - dports => 1234 - } - EOM - } + iptables::listen::tcp_stateful { 'allow_tcp_listen': + trusted_nets => ['1.2.3.4/24', '3.4.5.6', '5.6.7.8/32'], + dports => 1234 + } + EOM + } - it 'should work with no errors' do - apply_manifest_on(host, manifest, :catch_failures => true) - end + it 'should work with no errors' do + apply_manifest_on(host, manifest, :catch_failures => true) + end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) - end + it 'should be idempotent' do + apply_manifest_on(host, manifest, :catch_changes => true) end + end - context 'UDP listen' do - let(:manifest) { - <<-EOM - #{default_manifest} + context 'UDP listen' do + let(:manifest) { + <<-EOM + #{default_manifest} - iptables::listen::udp { 'allow_udp_listen': - trusted_nets => ['2.3.4.5/8', '3.4.5.6', '5.6.7.8/32'], - dports => 2345 - } - EOM - } + iptables::listen::udp { 'allow_udp_listen': + trusted_nets => ['2.3.4.5/8', '3.4.5.6', '5.6.7.8/32'], + dports => 2345 + } + EOM + } - it 'should work with no errors' do - apply_manifest_on(host, manifest, :catch_failures => true) - end + it 'should work with no errors' do + apply_manifest_on(host, manifest, :catch_failures => true) + end - it 'should be idempotent' do - apply_manifest_on(host, manifest, :catch_changes => true) - end + it 'should be idempotent' do + apply_manifest_on(host, manifest, :catch_changes => true) end end end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index 2fe3187..296a180 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
@@ -4,23 +4,77 @@ context 'supported operating systems' do on_supported_os.each do |os, os_facts| let(:facts) do - os_facts + # many of the tests assume the simplib__firewalls fact does not exist + facts = os_facts.dup + facts[:simplib__firewalls] = nil + facts end context "on #{os}" do context "iptables class without any parameters" do + let(:facts) do + facts = os_facts.dup + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] + end + + facts + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to create_class('iptables').with_enable(true) } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to contain_package('iptables').with_ensure('installed') } + it { is_expected.to contain_service('iptables').with_ensure('running') } + it { is_expected.to contain_service('iptables-retry').with_enable(true) } + it { is_expected.to create_class('iptables::rules::base').with_allow_ping(true) } + it { is_expected.to create_class('iptables::rules::prevent_localhost_spoofing') } + it { is_expected.to create_iptables_optimize('/etc/sysconfig/iptables').with_disable(false) } + it { is_expected.to create_file('/etc/init.d/iptables').with_ensure('file') } + it { is_expected.to create_file('/etc/init.d/iptables-retry').with_ensure('file') } + it { is_expected.to create_file('/etc/sysconfig/iptables') } + it { is_expected.to contain_service('firewalld').with_ensure('stopped') } + it { is_expected.to_not create_class('simp_firewalld') } + else + it { is_expected.to create_class('simp_firewalld') } + it { is_expected.to_not create_iptables__ports('firewalld') } + it { is_expected.to_not create_class('iptables::install') } + it { is_expected.to_not create_class('iptables::service') } + it { is_expected.to_not create_class('iptables::rules::default_drop') } + it { is_expected.to_not create_file('/etc/sysconfig/iptables') } + it { is_expected.to_not 
create_iptables_optimize('/etc/sysconfig/iptables') } + end + end + + context 'iptables class with use_firewalld=true' do + let(:facts) do + facts = os_facts.dup + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] + end + + facts + end + + let(:params) {{ :use_firewalld => true }} + it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('iptables').with_enable(true) } - it { is_expected.to contain_package('iptables').with_ensure('installed') } - it { is_expected.to contain_service('iptables').with_ensure('running') } - it { is_expected.to contain_service('iptables-retry').with_enable(true) } - it { is_expected.to create_class('iptables::rules::base').with_allow_ping(true) } - it { is_expected.to create_class('iptables::rules::prevent_localhost_spoofing') } - it { is_expected.to create_iptables_optimize('/etc/sysconfig/iptables').with_disable(false) } - it { is_expected.to create_file('/etc/init.d/iptables').with_ensure('file') } - it { is_expected.to create_file('/etc/init.d/iptables-retry').with_ensure('file') } - it { is_expected.to create_file('/etc/sysconfig/iptables') } - it { is_expected.to contain_service('firewalld').with_ensure('stopped') } + + if os_facts[:os][:release][:major] == '6' + it { is_expected.to_not create_class('simp_firewalld') } + it { is_expected.to create_class('iptables::install') } + it { is_expected.to create_class('iptables::service') } + else + it { is_expected.to create_class('simp_firewalld') } + it { is_expected.to_not create_class('iptables::install') } + it { is_expected.to_not create_class('iptables::service') } + end end context "iptables class with firewall enabled from hiera via 'simp_options::firewall: true'" do 
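Review bot: The `use_firewalld=true` context only asserts that `iptables::service` is created on EL6, not that the services the bug report is about are actually managed; adding `it { is_expected.to contain_service('iptables').with_ensure('running') }` and `it { is_expected.to contain_service('firewalld').with_ensure('stopped') }` to that branch would pin the fixed behaviour directly. The `let(:facts)` block that derives `simplib__firewalls` from `facts[:os][:release][:major]` is duplicated verbatim in both contexts here and again in `spec/defines/listen/all_spec.rb` and `spec/defines/listen/icmp_spec.rb`; a small shared helper (or a `let` in the outer context) would keep the EL6-vs-others mapping in one place. The `!= '8'` / `== '6'` branching also encodes an assumption that EL7 defaults to iptables and EL8 to firewalld, which presumably comes from the module's hiera defaults, so a one-line comment naming that source would help the next reader.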
@@ -28,13 +82,12 @@ it { is_expected.to compile.with_all_deps } it { is_expected.to create_class('iptables').with_enable(true) } - - # iptables rules are only applied if the iptables_optimize resource is not disabled - it { is_expected.to create_iptables_optimize('/etc/sysconfig/iptables').with_disable(false) } end context "iptables class with 'firewalld' enabled" do let(:facts){ + # this does not represent El6 accurately, but does test a + # code path os_facts.merge({ :simplib__firewalls => ['iptables', 'firewalld'] }) @@ -64,7 +117,7 @@ it { is_expected.to create_iptables_rule('log_all').with_apply_to('all') } end - context "default spoofing prevention" do + context 'default spoofing prevention' do let (:facts) { os_facts.merge( ipv6_enabled: true ) } it { is_expected.to compile.with_all_deps } diff --git a/spec/defines/listen/all_spec.rb b/spec/defines/listen/all_spec.rb index adf9f62..bdaf842 100644 --- a/spec/defines/listen/all_spec.rb +++ b/spec/defines/listen/all_spec.rb 
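Review bot: The `iptables_optimize` assertion is deleted from the "firewall enabled from hiera" context rather than conditioned on the platform, so that context no longer verifies that rules are applied anywhere; presumably it failed on EL8 where firewalld is selected, in which case wrapping it in the same `if os_facts[:os][:release][:major] != '8'` used in the first hunk keeps the coverage on EL6/EL7. The new comment `# this does not represent El6 accurately, but does test a code path` would be more useful if it said what is inaccurate, e.g. `# EL6 has no firewalld, so this fact set is synthetic there; it only exercises the firewalld branch.`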
@@ -1,30 +1,71 @@ require 'spec_helper.rb' -describe "iptables::listen::all", :type => :define do +describe 'iptables::listen::all', :type => :define do context 'supported operating systems' do - on_supported_os.each do |os, facts| + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do + facts = os_facts.dup + + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] + end + facts end - context "with trusted_nets in IPv4 CIDR format" do - let( :title ){ 'allow_all_1234' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'] - }} - it { is_expected.to create_iptables__listen__all('allow_all_1234') } + context 'with default firewall settings' do + context 'with trusted_nets in IPv4 CIDR format' do + let( :title ){ 'allow_all_1234' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'] + }} + + it { is_expected.to create_iptables__listen__all('allow_all_1234') } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("all_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("all_#{title}") } + end + end + + context 'with trusted_nets in IPv6 CIDR format' do + let( :title ){ 'allow_all_1234' } + let( :params ){{ + :trusted_nets => ['fe80::/64'], + :apply_to => 'ipv6' + }} + + it { is_expected.to create_iptables__listen__all('allow_all_1234') } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("all_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("all_#{title}") } + end + end end - context "with trusted_nets in IPv6 CIDR format" do + context 'when explicitly using firewalld' do + let( :hieradata ) { 'firewall__firewalld' } let( :title ){ 'allow_all_1234' } let( :params ){{ - :trusted_nets => ['fe80::/64'], - :apply_to => 'ipv6' + :trusted_nets => ['10.0.2.0/24'] }} + it { is_expected.to create_iptables__listen__all('allow_all_1234') } - it { 
is_expected.to create_iptables_rule('all_allow_all_1234') } + + if os_facts[:os][:release][:major] == '6' + it { is_expected.to create_iptables_rule("all_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("all_#{title}") } + end + end + end end end diff --git a/spec/defines/listen/firewalld/all_spec.rb b/spec/defines/listen/firewalld/all_spec.rb deleted file mode 100644 index 77232e0..0000000 --- a/spec/defines/listen/firewalld/all_spec.rb +++ /dev/null 
@@ -1,138 +0,0 @@ -require 'spec_helper.rb' - -# This covers the iptables::rule tests for the following: -# -# * ALL rules -# * IPSets -# * Non-IPSets -# * Rule/Family mismatches -# * IPv4 and IPv6 working rules -# -# Protocol-specific tests are in the other test files in this directory. -# -describe "iptables::listen::all", :type => :define do - context 'supported operating systems' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let(:facts) do - facts - end - - let(:ipv4_nets) { - [ - '10.0.2.0/24', - '10.0.2.33/32', - '1.2.3.4/32', - '2.3.4.0/24', - '3.0.0.0/8' - ] - } - - let(:ipv6_nets) { - [ - 'fe80::/64', - '2001:cdba:0000:0000:0000:0000:3257:9652/128', - '2001:cdba:0000:0000:0000:0000:3257:9652/16' - ] - } - - let(:hostnames) { - [ - 'foo.bar.baz', - 'i.like.cheese' - ] - } - - context 'firewalld mode' do - let(:hieradata) { 'firewall__firewalld' } - - context "with hostnames in the address list" do - let( :title ){ 'hostnames' } - - let(:params){{ - :trusted_nets => ipv4_nets + hostnames + ipv6_nets - }} - - it { is_expected.to compile.with_all_deps } - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context "with '0.0.0.0/0' in the address list" do - context 'all protocols' do - let( :title ){ 'allow_all' } - - let( :params ){{ - :trusted_nets => ipv4_nets + ['0.0.0.0/0'] - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context 'IPv4 only' do - let( :title ){ 'allow_all_ipv4' } - - let(:params){{ - :trusted_nets => ipv4_nets + ['0.0.0.0/0'], - :apply_to => 'ipv4' - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context 'IPv6 only' do - let( :title ){ 'allow_all_ipv6' } - - let(:params){{ - :trusted_nets => ipv4_nets + ['::/0'], - :apply_to => 'ipv6' - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context 'IPv4 mismatched application' do - let( :title ){ 'ipv4 nets on ipv6' } - - let(:params){{ - 
:trusted_nets => ipv4_nets, - :apply_to => 'ipv6' - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context 'IPv6 mismatched application' do - let( :title ){ 'ipv6 nets on ipv4' } - - let(:params){{ - :trusted_nets => ipv6_nets, - :apply_to => 'ipv4' - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - end - - context "with trusted_nets in IPv4 CIDR format" do - let( :title ){ 'allow_all' } - let( :params ){{ - :trusted_nets => ipv4_nets - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - - context "with trusted_nets in IPv6 CIDR format" do - let( :title ){ 'allow_all' } - let( :params ){{ - :trusted_nets => ipv6_nets, - :apply_to => 'ipv6' - }} - - it { is_expected.to create_simp_firewalld__rule("all_#{title}") } - end - end - end - end - end -end diff --git a/spec/defines/listen/firewalld/icmp_spec.rb b/spec/defines/listen/firewalld/icmp_spec.rb deleted file mode 100644 index 0981827..0000000 --- a/spec/defines/listen/firewalld/icmp_spec.rb +++ /dev/null @@ -1,46 +0,0 @@ -require 'spec_helper.rb' - -describe "iptables::listen::icmp", :type => :define do - context 'supported operating systems' do - on_supported_os.each do |os, facts| - context "on #{os}" do - let(:facts) do - facts - end - - let(:ipv4_nets) { - [ - '10.0.2.0/24', - '10.0.2.33/32', - '1.2.3.4/32', - '2.3.4.0/24', - '3.0.0.0/8' - ] - } - - let(:ipv6_nets) { - [ - 'fe80::/64', - '2001:cdba:0000:0000:0000:0000:3257:9652/128', - '2001:cdba:0000:0000:0000:0000:3257:9652/16' - ] - } - - context 'firewalld mode' do - let(:hieradata) { 'firewall__firewalld' } - - context "with trusted_nets in CIDR format" do - let( :title ){ 'allow_icmp_1234' } - let( :params ){{ - :icmp_types => '8', - :trusted_nets => ipv4_nets + ipv6_nets - }} - it { is_expected.to compile.with_all_deps } - - it { is_expected.to create_simp_firewalld__rule("icmp_#{title}") } - end - end - end - end - end -end 
diff --git a/spec/defines/listen/firewalld/tcp_stateful_spec.rb b/spec/defines/listen/firewalld/tcp_stateful_spec.rb deleted file mode 100644 index c246268..0000000 --- a/spec/defines/listen/firewalld/tcp_stateful_spec.rb +++ /dev/null @@ -1,46 +0,0 @@ -require 'spec_helper.rb' - -describe "iptables::listen::tcp_stateful", :type => :define do - context 'supported operating systems' do - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) do - os_facts - end - - let(:ipv4_nets) { - [ - '10.0.2.0/24', - '10.0.2.33/32', - '1.2.3.4/32', - '2.3.4.0/24', - '3.0.0.0/8' - ] - } - - let(:ipv6_nets) { - [ - 'fe80::/64', - '2001:cdba:0000:0000:0000:0000:3257:9652/128', - '2001:cdba:0000:0000:0000:0000:3257:9652/16' - ] - } - - context 'firewalld mode' do - let(:hieradata) { 'firewall__firewalld' } - - context "with trusted_nets in CIDR format" do - let( :title ){ 'allow_tcp_range' } - let( :params ){{ - :trusted_nets => ipv4_nets + ipv6_nets, - :dports => [1234, '234:567'] - }} - - it { is_expected.to compile.with_all_deps } - it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } - end - end - end - end - end -end diff --git a/spec/defines/listen/firewalld/udp_spec.rb b/spec/defines/listen/firewalld/udp_spec.rb deleted file mode 100644 index ace08e4..0000000 --- a/spec/defines/listen/firewalld/udp_spec.rb +++ /dev/null 
@@ -1,46 +0,0 @@ -require 'spec_helper.rb' - -describe "iptables::listen::udp", :type => :define do - context 'supported operating systems' do - on_supported_os.each do |os, os_facts| - context "on #{os}" do - let(:facts) do - os_facts - end - - let(:ipv4_nets) { - [ - '10.0.2.0/24', - '10.0.2.33/32', - '1.2.3.4/32', - '2.3.4.0/24', - '3.0.0.0/8' - ] - } - - let(:ipv6_nets) { - [ - 'fe80::/64', - '2001:cdba:0000:0000:0000:0000:3257:9652/128', - '2001:cdba:0000:0000:0000:0000:3257:9652/16' - ] - } - - context 'firewalld mode' do - let(:hieradata) { 'firewall__firewalld' } - - context "with trusted_nets in CIDR format" do - let( :title ){ 'allow_udp_range' } - let( :params ){{ - :trusted_nets => ipv4_nets + ipv6_nets, - :dports => [1234, '234:567'] - }} - - it { is_expected.to compile.with_all_deps } - it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } - end - end - end - end - end -end diff --git a/spec/defines/listen/icmp_spec.rb b/spec/defines/listen/icmp_spec.rb index 2c42f72..d6881df 100644 --- a/spec/defines/listen/icmp_spec.rb +++ b/spec/defines/listen/icmp_spec.rb 
@@ -1,31 +1,71 @@ require 'spec_helper.rb' -describe "iptables::listen::icmp", :type => :define do +describe 'iptables::listen::icmp', :type => :define do context 'supported operating systems' do - on_supported_os.each do |os, facts| + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do + facts = os_facts.dup + + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] + end + facts end - context "with trusted_nets in IPv4 CIDR format" do - let( :title ){ 'allow_icmp_1234' } - let( :params ){{ - :icmp_types => '8', - :trusted_nets => ['10.0.2.0/24'] - }} - it { is_expected.to create_iptables__listen__icmp('allow_icmp_1234') } + context 'with default firewall settings' do + context 'with trusted_nets in IPv4 CIDR format' do + let( :title ){ 'allow_icmp_1234' } + let( :params ){{ + :icmp_types => '8', + :trusted_nets => ['10.0.2.0/24'] + }} + + it { is_expected.to create_iptables__listen__icmp('allow_icmp_1234') } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("icmp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("icmp_#{title}") } + end + end + + context 'with trusted_nets in IPv6 CIDR format' do + let( :title ){ 'allow_icmp_1234' } + let( :params ){{ + :icmp_types => '8', + :trusted_nets => ['fe80::/64'], + :apply_to => 'ipv6' + }} + + it { is_expected.to create_iptables__listen__icmp('allow_icmp_1234') } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("icmp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("icmp_#{title}") } + end + end end - context "with trusted_nets in IPv6 CIDR format" do + context 'when explicitly using firewalld' do + let( :hieradata) { 'firewall__firewalld' } let( :title ){ 'allow_icmp_1234' } let( :params ){{ :icmp_types => '8', - :trusted_nets => ['fe80::/64'], - :apply_to => 'ipv6' + :trusted_nets 
=> ['10.0.2.0/24'] }} + it { is_expected.to create_iptables__listen__icmp('allow_icmp_1234') } - it { is_expected.to create_iptables_rule('icmp_allow_icmp_1234') } + + if os_facts[:os][:release][:major] == '6' + it { is_expected.to create_iptables_rule("icmp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("icmp_#{title}") } + end end end end diff --git a/spec/defines/listen/tcp_stateful_spec.rb b/spec/defines/listen/tcp_stateful_spec.rb index 6017732..ada61f6 100644 --- a/spec/defines/listen/tcp_stateful_spec.rb +++ b/spec/defines/listen/tcp_stateful_spec.rb 
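Review bot: Every expectation in this hunk only asserts that the `icmp_#{title}` resource exists; none of the branches checks that `icmp_types => '8'`, the `trusted_nets` value, or `apply_to => 'ipv6'` is actually carried through to the `iptables_rule` / `simp_firewalld__rule` the define creates, and an allow rule that exists but has the wrong source network or ICMP type is precisely the regression a firewall spec needs to catch. I would chain a parameter check onto at least the IPv6 case, e.g. `it { is_expected.to create_iptables_rule("icmp_#{title}").with_apply_to('ipv6') }` if `iptables_rule` exposes that parameter, and the equivalent on the firewalld side using whatever names `simp_firewalld::rule` takes for the source networks and ICMP types (they are not visible in this hunk). The new EL6 `when explicitly using firewalld` case codifies a silent downgrade to iptables when `use_firewalld` is set on a platform that cannot honour it; if the manifest logs that downgrade, assert it here as well, and if it does not, a notice is worth adding so an operator who asked for firewalld learns they got iptables instead.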
@@ -1,87 +1,141 @@ require 'spec_helper.rb' -describe "iptables::listen::tcp_stateful", :type => :define do +describe 'iptables::listen::tcp_stateful', :type => :define do context 'supported operating systems' do on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do - os_facts - end + facts = os_facts.dup - context "with trusted_nets in IPv4 CIDR format" do - let( :title ){ 'allow_tcp_1234' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => [1234, '234:567'] - }} - it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_1234').with_dports(params[:dports]) } - it do - expected = "-m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 1234,234:567 -j ACCEPT\n" - is_expected.to create_iptables_rule('tcp_allow_tcp_1234').with_content(expected) + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] end - end - context "with trusted_nets in IPv6 CIDR format" do - let( :title ){ 'allow_tcp_1234' } - let( :params ){{ - :trusted_nets => ['fe80::/64'], - :dports => 1234, - :apply_to => 'ipv6' - }} - it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_1234').with_dports(1234) } - it { is_expected.to create_iptables_rule('tcp_allow_tcp_1234') } + facts end - # This tests for the bug reported in SIMP-263 - context "with more than 10 ports" do - let( :title ){ 'allow_tcp_more_than_10_ports' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => (101..111).to_a - }} - # does the catalog accept it? - it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_more_than_10_ports').with_dports((101..111).to_a) - } + context 'with default firewall settings' do + context 'with trusted_nets in IPv4 CIDR format' do + let( :title ){ 'allow_tcp_1234' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => [1234, '234:567'] + }} - # does it create the correct rule? 
- it { - is_expected.to create_iptables_rule('tcp_allow_tcp_more_than_10_ports').with_content(/ --dports 101,102,103,104,105,106,107,108,109,110,111 -j ACCEPT/) } - end + it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_1234').with_dports(params[:dports]) } - context 'with more than 15 individual ports' do - let( :title ){ 'allow_tcp_more_than_15_ports' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => (101..121).to_a - }} + if os_facts[:os][:release][:major] != '8' + it do + expected = "-m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 1234,234:567 -j ACCEPT\n" + is_expected.to create_iptables_rule("tcp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } + end + end + + context 'with trusted_nets in IPv6 CIDR format' do + let( :title ){ 'allow_tcp_1234' } + let( :params ){{ + :trusted_nets => ['fe80::/64'], + :dports => 1234, + :apply_to => 'ipv6' + }} + + it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_1234').with_dports(1234) } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("tcp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } + end + end + + # This tests for the bug reported in SIMP-263 + context 'with more than 10 ports' do + let( :title ){ 'allow_tcp_more_than_10_ports' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => (101..111).to_a + }} + # does the catalog accept it? + it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_more_than_10_ports').with_dports((101..111).to_a) + } + + if os_facts[:os][:release][:major] != '8' + # does it create the correct rule? 
+ it { + is_expected.to create_iptables_rule("tcp_#{title}").with_content(/ --dports 101,102,103,104,105,106,107,108,109,110,111 -j ACCEPT/) } + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } + end + end + + context 'with more than 15 individual ports' do + let( :title ){ 'allow_tcp_more_than_15_ports' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => (101..121).to_a + }} - it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_more_than_15_ports').with_dports((101..121).to_a) - } + it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_more_than_15_ports').with_dports((101..121).to_a) + } - it do - expected = <<-EOM + if os_facts[:os][:release][:major] != '8' + it do + expected = <<-EOM -m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 101,102,103,104,105,106,107,108,109,110,111,112,113,114,115 -j ACCEPT -m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 116,117,118,119,120,121 -j ACCEPT - EOM - is_expected.to create_iptables_rule('tcp_allow_tcp_more_than_15_ports').with_content(expected) + EOM + is_expected.to create_iptables_rule("tcp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } + end + end + + context 'single port ranges' do + let( :title ){ 'allow_port_range' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => '150:300' + }} + + it { is_expected.to create_iptables__listen__tcp_stateful('allow_port_range').with_dports('150:300') + } + + if os_facts[:os][:release][:major] != '8' + it do + expected = <<-EOM +-m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 150:300 -j ACCEPT + EOM + is_expected.to create_iptables_rule("tcp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } + end end end - context 'single port ranges' do - let( :title ){ 'allow_port_range' } + context 'when 
explicitly using firewalld' do + let( :hieradata ) { 'firewall__firewalld' } + let( :title ){ 'allow_tcp_1234' } let( :params ){{ :trusted_nets => ['10.0.2.0/24'], - :dports => '150:300' + :dports => [1234, '234:567'] }} - it { is_expected.to create_iptables__listen__tcp_stateful('allow_port_range').with_dports('150:300') - } + it { is_expected.to create_iptables__listen__tcp_stateful('allow_tcp_1234').with_dports(params[:dports]) } - it do - expected = <<-EOM --m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 150:300 -j ACCEPT - EOM - is_expected.to create_iptables_rule('tcp_allow_port_range').with_content(expected) + if os_facts[:os][:release][:major] == '6' + it do + expected = "-m state --state NEW -m tcp -p tcp -s 10.0.2.0/24 -m multiport --dports 1234,234:567 -j ACCEPT\n" + is_expected.to create_iptables_rule("tcp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("tcp_#{title}") } end end end diff --git a/spec/defines/listen/udp_spec.rb b/spec/defines/listen/udp_spec.rb index e2f6498..8474612 100644 --- a/spec/defines/listen/udp_spec.rb +++ b/spec/defines/listen/udp_spec.rb 
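Review bot: The EL8 branches drop the content-level assertions the iptables branches keep: in 'with more than 15 individual ports' the iptables side pins the split into two multiport rules with `-s 10.0.2.0/24`, while the firewalld side only asserts `create_simp_firewalld__rule("tcp_#{title}")`, so a firewalld backend that truncated or mis-split the 21 ports or lost the source restriction would still pass. Chain parameter checks (ports, trusted nets, protocol) onto those expectations using the parameter names `simp_firewalld::rule` accepts, which are not visible in this hunk; the same applies to the EL7 side of the `when explicitly using firewalld` context, where only the EL6 branch pins rule content. Separately, the repeated `if os_facts[:os][:release][:major] != '8'` / `== '6'` checks encode the expected backend per OS implicitly in each example; a single `expected_backend` variable computed once at the top of the `on #{os}` context (e.g. `firewalld_expected = os_facts[:os][:release][:major] == '8'`) would state that mapping in one place and make the EL6 fallback case obvious to the next reader.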
@@ -1,94 +1,153 @@ require 'spec_helper.rb' -describe "iptables::listen::udp", :type => :define do +describe 'iptables::listen::udp', :type => :define do context 'supported operating systems' do on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do - os_facts - end + facts = os_facts.dup - describe "with IPv4 trusted_nets" do - let( :title ){ 'allow_udp_range' } - let( :params ){{ - :trusted_nets => ['10.0.2.0'], - :dports => [1234,'9999:20000'] - }} - it { is_expected.to create_iptables__listen__udp("allow_udp_range").with_dports(params[:dports]) } - it do - expected = "-m state --state NEW -p udp -s 10.0.2.0 -m multiport --dports 1234,9999:20000 -j ACCEPT\n" - is_expected.to create_iptables_rule('udp_allow_udp_range').with_content(expected) + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] end - end - describe "with IPv4 trusted_nets in CIDR notation" do - let( :title ){ 'allow_udp_1234' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => 1234 - }} - it { is_expected.to create_iptables__listen__udp('allow_udp_1234').with_dports(1234) } + facts end - describe "with IPv6 trusted_nets" do - let( :title ){ 'allow_udp_1234' } - let( :params ){{ - :trusted_nets => ['fe80::'], - :dports => 1234, - :apply_to => 'ipv6' - }} - it { is_expected.to create_iptables__listen__udp('allow_udp_1234').with_dports(1234) } - it { is_expected.to create_iptables_rule('udp_allow_udp_1234') } - end + context 'with default firewall settings' do + describe 'with IPv4 trusted_nets' do + let( :title ){ 'allow_udp_range' } + let( :params ){{ + :trusted_nets => ['10.0.2.0'], + :dports => [1234,'9999:20000'] + }} - describe "with IPv6 trusted_nets in CIDR format" do - let( :title ){ 'allow_udp_1234' } - let( :params ){{ - :trusted_nets => ['fe80::/64'], - :dports => 1234, - :apply_to => 'ipv6' - }} - it{ - is_expected.to 
create_iptables__listen__udp('allow_udp_1234').with_dports(1234) - } - it{ - is_expected.to create_iptables_rule('udp_allow_udp_1234') - } - end + it { is_expected.to create_iptables__listen__udp('allow_udp_range').with_dports(params[:dports]) } - describe 'with more than 15 individual ports' do - let( :title ){ 'allow_udp_more_than_15_ports' } - let( :params ){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => (101..121).to_a - }} + if os_facts[:os][:release][:major] != '8' + it do + expected = "-m state --state NEW -p udp -s 10.0.2.0 -m multiport --dports 1234,9999:20000 -j ACCEPT\n" + is_expected.to create_iptables_rule("udp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end + + end - it { is_expected.to create_iptables__listen__udp('allow_udp_more_than_15_ports').with_dports((101..121).to_a) - } + describe 'with IPv4 trusted_nets in CIDR notation' do + let( :title ){ 'allow_udp_1234' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => 1234 + }} - it do - expected = <<-EOM + it { is_expected.to create_iptables__listen__udp('allow_udp_1234').with_dports(1234) } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("udp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end + end + + describe 'with IPv6 trusted_nets' do + let( :title ){ 'allow_udp_1234' } + let( :params ){{ + :trusted_nets => ['fe80::'], + :dports => 1234, + :apply_to => 'ipv6' + }} + + it { is_expected.to create_iptables__listen__udp('allow_udp_1234').with_dports(1234) } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("udp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end + end + + describe 'with IPv6 trusted_nets in CIDR format' do + let( :title ){ 'allow_udp_1234' } + let( :params ){{ + :trusted_nets => ['fe80::/64'], + :dports => 1234, + :apply_to => 
'ipv6' + }} + + it { is_expected.to create_iptables__listen__udp('allow_udp_1234').with_dports(1234) } + + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule("udp_#{title}") } + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end + end + + describe 'with more than 15 individual ports' do + let( :title ){ 'allow_udp_more_than_15_ports' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => (101..121).to_a + }} + + it { is_expected.to create_iptables__listen__udp('allow_udp_more_than_15_ports').with_dports((101..121).to_a) } + + if os_facts[:os][:release][:major] != '8' + it do + expected = <<-EOM -m state --state NEW -p udp -s 10.0.2.0/24 -m multiport --dports 101,102,103,104,105,106,107,108,109,110,111,112,113,114,115 -j ACCEPT -m state --state NEW -p udp -s 10.0.2.0/24 -m multiport --dports 116,117,118,119,120,121 -j ACCEPT - EOM - is_expected.to create_iptables_rule('udp_allow_udp_more_than_15_ports').with_content(expected) + EOM + is_expected.to create_iptables_rule("udp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end + end + + describe 'single port ranges' do + let( :title ){ 'allow_port_range' } + let( :params ){{ + :trusted_nets => ['10.0.2.0/24'], + :dports => '150:300' + }} + + it { is_expected.to create_iptables__listen__udp('allow_port_range').with_dports('150:300') } + + if os_facts[:os][:release][:major] != '8' + it do + expected = <<-EOM +-m state --state NEW -p udp -s 10.0.2.0/24 -m multiport --dports 150:300 -j ACCEPT + EOM + is_expected.to create_iptables_rule("udp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } + end end end - describe 'single port ranges' do - let( :title ){ 'allow_port_range' } + context 'when explicitly using firewalld' do + let( :hieradata ) { 'firewall__firewalld' } + let( :title ){ 'allow_udp_range' } let( :params 
){{ - :trusted_nets => ['10.0.2.0/24'], - :dports => '150:300' + :trusted_nets => ['10.0.2.0'], + :dports => [1234,'9999:20000'] }} - it { is_expected.to create_iptables__listen__udp('allow_port_range').with_dports('150:300') } + it { is_expected.to create_iptables__listen__udp('allow_udp_range').with_dports(params[:dports]) } - it do - expected = <<-EOM --m state --state NEW -p udp -s 10.0.2.0/24 -m multiport --dports 150:300 -j ACCEPT - EOM - is_expected.to create_iptables_rule('udp_allow_port_range').with_content(expected) + if os_facts[:os][:release][:major] == '6' + it do + expected = "-m state --state NEW -p udp -s 10.0.2.0 -m multiport --dports 1234,9999:20000 -j ACCEPT\n" + is_expected.to create_iptables_rule("udp_#{title}").with_content(expected) + end + else + it { is_expected.to create_simp_firewalld__rule("udp_#{title}") } end end end diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb index cb00d55..2b485b1 100644 --- a/spec/defines/rule_spec.rb +++ b/spec/defines/rule_spec.rb @@ -2,10 +2,18 @@ # NOTE: This is well exercised by the different 'listen' defines, this is only # for basic testing. -describe "iptables::rule", :type => :define do - on_supported_os.each do |os, facts| +describe 'iptables::rule', :type => :define do + on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) do + facts = os_facts.dup + + if facts[:os][:release][:major] == '6' + facts[:simplib__firewalls] = [ 'iptables' ] + else + facts[:simplib__firewalls] = [ 'firewalld', 'iptables' ] + end + facts end 
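Review bot: The fact setup in this hunk always lists `firewalld` in `simplib__firewalls` for every non-EL6 OS, so there is no example for an EL7/EL8 node where firewalld is not installed, nor for an EL6 node where it is; SIMP-8691 is about `use_firewalld` being requested on a platform that cannot honour it, and the analogous EL8 case (firewalld expected by default but absent from the fact) has no expectation here, leaving whether the define falls back to `iptables_rule`, emits nothing, or fails to compile unspecified. A context with `let(:facts) { os_facts.merge(:simplib__firewalls => ['iptables']) }` under the EL8 branch, asserting whichever of those outcomes the manifest intends, would close that gap. As with the other listen specs, the firewalld branches assert only resource existence while the iptables branches pin the exact rule text (for example `-s 10.0.2.0 -m multiport --dports 1234,9999:20000`), so the firewalld expectations should also check the ports and source networks using the parameter names `simp_firewalld::rule` takes, which are not visible in this hunk.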
@@ -16,19 +24,27 @@ }} context 'by default' do - it { is_expected.to create_iptables_rule(title) } + if os_facts[:os][:release][:major] != '8' + it { is_expected.to create_iptables_rule(title) } + else + it { is_expected.to create_notify('iptables::rule with firewalld') + .with_message(/cannot be used.+Called from/) + .with_loglevel('warning') + } + end end - context 'when using firewalld' do + context 'when explicitly using firewalld' do let(:hieradata) { 'firewall__firewalld' } - it { is_expected.to create_notify('iptables::rule with firewalld').with( - { - :message => /cannot be used.+Called from/, - :loglevel => 'warning' - } - ) - } + if os_facts[:os][:release][:major] == '6' + it { is_expected.to create_iptables_rule(title) } + else + it { is_expected.to create_notify('iptables::rule with firewalld') + .with_message(/cannot be used.+Called from/) + .with_loglevel('warning') + } + end end end end
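Review bot: The EL8 branches assert the warning `notify` but never assert that no `iptables_rule` is declared, so the dropped-rule behaviour is only half pinned: a later change that emitted the warning and still created the rule, or created a partially configured one, would pass unnoticed. Add `it { is_expected.not_to create_iptables_rule(title) }` next to each `create_notify('iptables::rule with firewalld')` expectation so the spec states that the rule is intentionally absent on firewalld hosts. The EL6 branch of `when explicitly using firewalld` pins the silent fallback to `iptables_rule` without any notify; if the manifest logs that `use_firewalld` was ignored on EL6, assert it here, and if it does not, consider having it do so, since an operator reading only the catalog will otherwise not see that their backend choice was overridden.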