Merge "Remove implementation to manage firewall rules by Puppet"

Zuul 2022-05-25 17:45:49 +00:00 committed by Gerrit Code Review
commit f4bb643e1e
10 changed files with 0 additions and 738 deletions


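--- a/PATH_NOT_ON_PAGE (class tripleo::firewall)
+++ /dev/null
@@ -1,203 +0,0 @@
-#
-# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo
-#
-# Configure the TripleO firewall
-#
-# === Parameters:
-#
-# [*manage_firewall*]
-# (optional) Completely enable or disable firewall settings
-# (false means disabled, and true means enabled)
-# Defaults to false
-#
-# [*firewall_chains*]
-# (optional) Manage firewall chains
-# Default to {}
-#
-# [*firewall_rules*]
-# (optional) Allow to add custom firewall rules
-# Should be an hash.
-# Default to {}
-#
-# [*purge_firewall_chains*]
-# (optional) Boolean, purge all firewalli rules in a given chain
-# Defaults to false
-#
-# [*purge_firewall_rules*]
-# (optional) Boolean, purge all firewall resources
-# Defaults to false
-#
-# [*firewall_pre_extras*]
-# (optional) Allow to add custom parameters to firewall rules (pre stage)
-# Should be an hash.
-# Default to {}
-#
-# [*firewall_post_extras*]
-# (optional) Allow to add custom parameters to firewall rules (post stage)
-# Should be an hash.
-# Default to {}
-#
-class tripleo::firewall(
-$manage_firewall = false,
-$firewall_chains = {},
-$firewall_rules = {},
-$purge_firewall_chains = false,
-$purge_firewall_rules = false,
-$firewall_pre_extras = {},
-$firewall_post_extras = {},
-) {
-if $manage_firewall {
-if $purge_firewall_chains {
-resources { 'firewallchain':
-purge => true
-}
-}
-# Only purges IPv4 rules
-if $purge_firewall_rules {
-resources { 'firewall':
-purge => true
-}
-}
-# To manage the chains they must be named in specific ways
-# https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
-# Example Hiera:
-# tripleo::firewall::firewall_chains:
-# 'FORWARD:filter:IPv4':
-# ensure: present
-# policy: accept
-# purge: false
-#
-create_resources('firewallchain', $firewall_chains)
-# anyone can add your own rules
-# example with Hiera:
-#
-# tripleo::firewall::firewall_rules:
-# '300 allow custom application 1':
-# port: 999
-# proto: udp
-# action: accept
-# '301 allow custom application 2':
-# port: 8081
-# proto: tcp
-# action: accept
-#
-create_resources('tripleo::firewall::rule', $firewall_rules)
-ensure_resource('class', 'tripleo::firewall::pre', {
-'firewall_settings' => $firewall_pre_extras,
-})
-ensure_resource('class', 'tripleo::firewall::post', {
-'firewall_settings' => $firewall_post_extras,
-})
-# Ensure we don't get any unmanaged rules in the firewall.
-#
-# iptables-services package pushes some rules we don't want to see in the
-# firewall, as they conflict with the ones we are actually managing:
-# - opens ssh to the world (see https://review.openstack.org/632468)
-# - reject connections (and this reject happens before the logging we push,
-# preventing logging to happen)
-# - some repetitions like RELATED,ESTABLISHED, and ICMP related rules
-#
-# See https://bugzilla.redhat.com/show_bug.cgi?id=1667887
-# for more context and detail.
-exec {'save ipv4 rules':
-command => '/usr/sbin/iptables-save > /etc/sysconfig/iptables',
-before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
-}
-exec {'save ipv6 rules':
-command => '/usr/sbin/ip6tables-save > /etc/sysconfig/ip6tables',
-before => Service[$::firewall::params::service_name, $::firewall::params::service_name_v6],
-}
-Class['tripleo::firewall::pre']
--> Firewall<|tag == 'tripleo-firewall-rule'|>
--> Class['tripleo::firewall::post']
-Service<||> -> Class['tripleo::firewall::post']
-# Allow composable services to load their own custom
-# example with Hiera.
-# NOTE(dprince): In the future when we have a better hiera
-# heat hook we might refactor this to use hiera's merging
-# capabilities instead. Until then rolling up the flat service
-# keys and dynamically creating firewall rules for each service
-# will allow us to compose and should work fine.
-#
-# Each service can load its rules by using this form:
-#
-# tripleo.<service name with underscores>.firewall_rules:
-# '300 allow custom application 1':
-# dport: 999
-# proto: udp
-# action: accept
-$service_names = hiera('service_names', [])
-tripleo::firewall::service_rules { $service_names: }
-# puppetlabs-firewall only manages the current state of iptables
-# rules and writes out the rules to a file to ensure they are
-# persisted. We are specifically running the following commands after the
-# iptables rules to ensure the persisted file does not contain any
-# ephemeral neutron rules. Neutron assumes the iptables rules are not
-# persisted so it may cause an issue if the rule is loaded on boot
-# (or via iptables restart). If an operator needs to reload iptables
-# for any reason, they may need to manually reload the appropriate
-# neutron agent to restore these iptables rules.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1541528
-exec { 'nonpersistent_v4_rules_cleanup':
-command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
-onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',
-}
-exec { 'nonpersistent_v6_rules_cleanup':
-command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
-onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -q neutron- /etc/sysconfig/ip6tables',
-}
-# Do not persist ephemeral firewall rules mananged by ironic-inspector
-# pxe_filter 'iptables' driver.
-# https://bugs.launchpad.net/tripleo/+bug/1765700
-# https://storyboard.openstack.org/#!/story/2001890
-exec { 'nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup':
-command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables',
-onlyif => [
-'/bin/test -f /etc/sysconfig/iptables',
-'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector'
-]
-}
-exec { 'nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup':
-command => '/bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables',
-onlyif => [
-'/bin/test -f /etc/sysconfig/ip6tables',
-'/bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector'
-]
-}
-Exec['save ipv4 rules'] -> Firewall<| |>
-Exec['save ipv6 rules'] -> Firewall<| |>
-Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
-Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
-Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v4_rules_cleanup']
-Firewall<| |> -> Exec['nonpersistent_ironic_inspector_pxe_filter_v6_rules_cleanup']
-}
-}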


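--- a/PATH_NOT_ON_PAGE (class tripleo::firewall::post)
+++ /dev/null
@@ -1,65 +0,0 @@
-#
-# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::firewall::post
-#
-# Firewall rules during 'post' Puppet stage
-#
-# === Parameters:
-#
-# [*debug*]
-# (optional) Set log output to debug output
-# Defaults to false
-#
-# [*firewall_settings*]
-# (optional) Allow to add custom parameters to firewall rules
-# Should be a hash.
-# Default to {}
-#
-# [*logging_settings*]
-# (optional) Allow to add custom parameters to the logging firewall rule
-# Should be a hash.
-# Default to {}
-#
-class tripleo::firewall::post(
-$debug = false,
-$firewall_settings = {},
-$logging_settings = {},
-){
-if $debug {
-warning('debug is enabled, the traffic is not blocked.')
-} else {
-$default_logging_extras = {
-'burst' => '15',
-'limit' => '20/min',
-}
-$logging_extras = merge($default_logging_extras, $logging_settings)
-tripleo::firewall::rule{ '998 log all':
-proto => 'all',
-jump => 'LOG',
-tag => 'tripleo-firewall-postrule',
-extras => $logging_extras,
-}
-tripleo::firewall::rule{ '999 drop all':
-proto => 'all',
-action => 'drop',
-extras => $firewall_settings,
-tag => 'tripleo-firewall-postrule',
-}
-notice('At this stage, all network traffic is blocked.')
-}
-}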


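--- a/PATH_NOT_ON_PAGE (class tripleo::firewall::pre)
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Class: tripleo::firewall::pre
-#
-# Firewall rules during 'pre' Puppet stage
-#
-# === Parameters:
-#
-# [*firewall_settings*]
-# (optional) Allow to add custom parameters to firewall rules
-# Should be an hash.
-# Default to {}
-#
-class tripleo::firewall::pre(
-$firewall_settings = {},
-){
-# ensure the correct packages are installed
-include firewall
-# defaults 'pre' rules
-tripleo::firewall::rule{ '000 accept related established rules':
-proto => 'all',
-state => ['RELATED', 'ESTABLISHED'],
-extras => $firewall_settings,
-tag => 'tripleo-firewall-prerule',
-}
-tripleo::firewall::rule{ '001 accept all icmp':
-proto => 'icmp',
-extras => $firewall_settings,
-tag => 'tripleo-firewall-prerule',
-}
-tripleo::firewall::rule{ '002 accept all to lo interface':
-proto => 'all',
-iniface => 'lo',
-extras => $firewall_settings,
-tag => 'tripleo-firewall-prerule',
-}
-tripleo::firewall::rule{ '004 accept ipv6 dhcpv6':
-dport => '546',
-proto => 'udp',
-state => ['NEW'],
-destination => 'fe80::/64',
-tag => 'tripleo-firewall-prerule',
-}
-}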


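--- a/PATH_NOT_ON_PAGE (define tripleo::firewall::service_rules)
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# == Define: tripleo::firewall::service_rules
-#
-# Define used to create firewall rules for composable services.
-#
-# === Parameters:
-#
-# [*service_name*]
-# (optional) The service_name to load firewall rules for.
-# Defaults to $title
-#
-define tripleo::firewall::service_rules ($service_name = $title) {
-$underscore_name = regsubst($service_name, '-', '_')
-# This allows each composable service to load its own custom rules by
-# creating its own flat hiera key named:
-# tripleo.<service name with underscores>.firewall_rules
-$dots_rules = hiera("'tripleo.${underscore_name}.firewall_rules'", {})
-# Supports standard "::" notation:
-# tripleo::<service name with underscores>::firewall_rules
-$colons_rules = hiera("tripleo::${underscore_name}::firewall_rules", {})
-# merge rules
-$firewall_rules = merge($colons_rules, $dots_rules)
-create_resources('tripleo::firewall::rule', $firewall_rules)
-}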


@ -78,11 +78,6 @@
# Can be "user" or "admin"
# Defaults to "user"
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
@ -543,7 +538,6 @@ class tripleo::haproxy (
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
$haproxy_stats_bind_address = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$controller_hosts = hiera('controller_node_ips'),
$controller_hosts_names = hiera('controller_node_names', undef),
$service_certificate = undef,
@ -787,7 +781,6 @@ class tripleo::haproxy (
listen_options => $default_listen_options,
frontend_options => $default_frontend_options,
backend_options => $default_backend_options,
manage_firewall => $manage_firewall,
}
$service_names = hiera('enabled_services', [])
@ -1314,7 +1307,6 @@ class tripleo::haproxy (
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
service_network => $horizon_network,
manage_firewall => $manage_firewall,
}
}
@ -1510,15 +1502,6 @@ class tripleo::haproxy (
server_names => $mysql_server_names_real,
options => $mysql_member_options_real,
}
if $manage_firewall {
include tripleo::firewall
$mysql_firewall_rules = {
'100 mysql_haproxy' => {
'dport' => 3306,
}
}
create_resources('tripleo::firewall::rule', $mysql_firewall_rules)
}
}
if $rabbitmq {
@ -1656,15 +1639,6 @@ class tripleo::haproxy (
options => union($haproxy_member_options, ['on-marked-down shutdown-sessions'], $redis_ssl_member_options),
verifyhost => false,
}
if $manage_firewall {
include tripleo::firewall
$redis_firewall_rules = {
'100 redis_haproxy' => {
'dport' => 6379,
}
}
create_resources('tripleo::firewall::rule', $redis_firewall_rules)
}
}
if $ceph_rgw {


@ -111,11 +111,6 @@
# fetching the certificate for that specific network.
# Defaults to undef
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
# [*authorized_userlist*]
# (optional) Userlist that may access the endpoint. Activate Basic Authentication.
# You'll need to create a tripleo::haproxy::userlist in order to use that option.
@ -154,7 +149,6 @@ define tripleo::haproxy::endpoint (
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$authorized_userlist = undef,
$sticky_sessions = false,
$session_cookie = 'STICKYSESSION',
@ -320,41 +314,4 @@ define tripleo::haproxy::endpoint (
options => $member_options,
}
}
if $manage_firewall {
include tripleo::firewall
# This block will construct firewall rules only when we specify
# a port for the regular service and also the ssl port for the service.
# It makes sure we're not trying to create TCP iptables rules where no port
# is specified.
if $service_port_real {
$service_firewall_rules = {
"100 ${name}_haproxy" => {
'dport' => $service_port_real,
},
}
}
if $service_port_real != $haproxy_port_real {
$haproxy_firewall_rules = {
"100 ${name}_haproxy_frontend" => {
'dport' => $haproxy_port_real,
},
}
} else {
$haproxy_firewall_rules = {}
}
if $public_ssl_port {
$haproxy_ssl_firewall_rules = {
"100 ${name}_haproxy_ssl" => {
'dport' => $public_ssl_port,
},
}
} else {
$haproxy_ssl_firewall_rules = {}
}
$firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
if $service_port_real or $public_ssl_port {
create_resources('tripleo::firewall::rule', $firewall_rules)
}
}
}


@ -71,11 +71,6 @@
# fetching the certificate for that specific network.
# Defaults to undef
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
class tripleo::haproxy::horizon_endpoint (
$internal_ip,
$ip_addresses,
@ -88,7 +83,6 @@ class tripleo::haproxy::horizon_endpoint (
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
) {
# Let users override the options on a per-service basis
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
@ -193,25 +187,4 @@ class tripleo::haproxy::horizon_endpoint (
options => union($member_options, ["cookie ${server}"]),
}
}
if $manage_firewall {
include tripleo::firewall
$haproxy_horizon_firewall_rules = {
'100 horizon_haproxy' => {
'dport' => 80,
},
}
if $public_certificate {
$haproxy_horizon_ssl_firewall_rules = {
'100 horizon_haproxy_ssl' => {
'dport' => 443,
},
}
} else {
$haproxy_horizon_ssl_firewall_rules = {}
}
$horizon_firewall_rules = merge($haproxy_horizon_firewall_rules, $haproxy_horizon_ssl_firewall_rules)
if !empty($horizon_firewall_rules) {
create_resources('tripleo::firewall::rule', $horizon_firewall_rules)
}
}
}


@ -36,11 +36,6 @@
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@ -49,14 +44,12 @@
class tripleo::profile::base::haproxy (
$certificates_specs = {},
$enable_load_balancer = hiera('enable_load_balancer', true),
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
) {
if $step >= 1 {
if $enable_load_balancer {
class {'tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
manage_firewall => $manage_firewall,
}
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {


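--- a/PATH_NOT_ON_PAGE (spec for tripleo::firewall)
+++ /dev/null
@@ -1,226 +0,0 @@
-#
-# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-#
-# Unit tests for tripleo
-#
-require 'spec_helper'
-describe 'tripleo::firewall' do
-let :params do
-{ }
-end
-shared_examples_for 'tripleo::firewall' do
-context 'with firewall enabled' do
-before :each do
-params.merge!(
-:manage_firewall => true,
-)
-end
-it 'configure basic pre firewall rules' do
-is_expected.to contain_firewall('000 accept related established rules ipv4').with(
-:proto => 'all',
-:state => ['RELATED', 'ESTABLISHED'],
-:action => 'accept',
-)
-is_expected.to contain_firewall('000 accept related established rules ipv6').with(
-:proto => 'all',
-:state => ['RELATED', 'ESTABLISHED'],
-:action => 'accept',
-:provider => 'ip6tables',
-)
-is_expected.to contain_firewall('001 accept all icmp ipv4').with(
-:proto => 'icmp',
-:action => 'accept',
-:state => ['NEW'],
-)
-is_expected.to contain_firewall('001 accept all icmp ipv6').with(
-:proto => 'ipv6-icmp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'ip6tables',
-)
-is_expected.to contain_firewall('002 accept all to lo interface ipv4').with(
-:proto => 'all',
-:iniface => 'lo',
-:action => 'accept',
-:state => ['NEW'],
-)
-is_expected.to contain_firewall('002 accept all to lo interface ipv6').with(
-:proto => 'all',
-:iniface => 'lo',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'ip6tables',
-)
-end
-it 'configure basic post firewall rules' do
-is_expected.to contain_firewall('999 drop all ipv4').with(
-:proto => 'all',
-:action => 'drop',
-)
-is_expected.to contain_firewall('999 drop all ipv6').with(
-:proto => 'all',
-:action => 'drop',
-:provider => 'ip6tables',
-)
-end
-end
-context 'with custom firewall rules' do
-before :each do
-params.merge!(
-:manage_firewall => true,
-:firewall_rules => {
-'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
-'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
-'302 fwd custom cidr 1' => {'port' => 'all', 'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
-'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
-'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
-'305 add gre rule' => {'proto' => 'gre'},
-'306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
-'307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
-'308 add custom INPUT v4' => {'ipversion' => 'ipv4', 'port' => '67', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
-'309 add custom INPUT v6' => {'ipversion' => 'ipv6', 'port' => '546', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
-}
-)
-end
-it 'configure custom firewall rules' do
-is_expected.to contain_firewall('300 add custom application 1 ipv4').with(
-:port => '999',
-:proto => 'udp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('301 add custom application 2 ipv4').with(
-:port => '8081',
-:proto => 'tcp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('302 fwd custom cidr 1 ipv4').with(
-:chain => 'FORWARD',
-:proto => 'tcp',
-:destination => '192.0.2.0/24',
-:provider => 'iptables',
-)
-is_expected.to_not contain_firewall('302 fwd custom cidr 1 ipv6')
-is_expected.to contain_firewall('303 add custom application 3 ipv4').with(
-:dport => '8081',
-:proto => 'tcp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('304 add custom application 4 ipv4').with(
-:sport => '1000',
-:proto => 'tcp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('304 add custom application 4 ipv6').with(
-:sport => '1000',
-:proto => 'tcp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'ip6tables',
-)
-is_expected.to contain_firewall('305 add gre rule ipv4').without(:state)
-is_expected.to contain_firewall('306 add custom cidr 2 ipv6').with(
-:proto => 'tcp',
-:destination => '::1/24',
-:action => 'accept',
-:provider => 'ip6tables',
-)
-is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
-:destination => '192.168.0.0/24',
-:source => '192.168.0.0/24',
-:jump => 'RETURN',
-:table => 'nat',
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('308 add custom INPUT v4 ipv4').with(
-:chain => 'INPUT',
-:port => '67',
-:proto => 'udp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'iptables',
-)
-is_expected.to contain_firewall('309 add custom INPUT v6 ipv6').with(
-:chain => 'INPUT',
-:port => '546',
-:proto => 'udp',
-:action => 'accept',
-:state => ['NEW'],
-:provider => 'ip6tables',
-)
-end
-end
-context 'with TCP rule without port or dport or sport specified' do
-before :each do
-params.merge!(
-:manage_firewall => true,
-:firewall_rules => {
-'500 wrong tcp rule' => {'proto' => 'tcp', 'action' => 'accept'},
-}
-)
-end
-it_raises 'a Puppet::Error', /500 wrong tcp rule firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport./
-end
-context 'with firewall chain' do
-before :each do
-params.merge!(
-:manage_firewall => true,
-:firewall_chains => {
-'FORWARD:filter:IPv4' => {
-'ensure' => 'present',
-'policy' => 'accept',
-'purge' => false
-}
-})
-end
-it {
-is_expected.to contain_firewallchain('FORWARD:filter:IPv4').with(
-'ensure' => 'present',
-'policy' => 'accept',
-'purge' => false)
-}
-end
-end
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge(OSDefaults.get_facts({ :hostname => 'node.example.com' }))
-end
-it_behaves_like 'tripleo::firewall'
-end
-end
-end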


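--- a/PATH_NOT_ON_PAGE (spec for tripleo::firewall::service_rules)
+++ /dev/null
@@ -1,37 +0,0 @@
-require 'spec_helper'
-describe 'tripleo::firewall::service_rules' do
-let :pre_condition do
-'include tripleo::firewall'
-end
-shared_examples_for 'tripleo firewall service rules' do
-context 'with existing service_rules' do
-let(:title) { 'dynamic-rules' }
-it 'should compile' do
-is_expected.to compile.with_all_deps
-end
-it 'should configure firewall' do
-is_expected.to contain_tripleo__firewall__rule('11-neutron')
-end
-end
-context 'with NON-existing service_rules' do
-let(:title) { 'no-rules' }
-it 'should compile' do
-is_expected.to compile.with_all_deps
-end
-end
-end
-on_supported_os.each do |os, facts|
-context "on #{os}" do
-let(:facts) do
-facts.merge(OSDefaults.get_facts({ :hostname => 'node.example.com' }))
-end
-it_behaves_like 'tripleo firewall service rules'
-end
-end
-end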