cb-iptables-ng /test/cookbooks/iptables_ng_test/files/default/tests/minitest/recipe_install_test.rb

Language Ruby Lines 112
MD5 Hash 23d441275669c77e7ad2544f869b40e0
Repository https://github.com/sewer2/cb-iptables-ng.git View Raw File View Project SPDX
require File.expand_path('../support/helpers', __FILE__)

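# Integration checks for the iptables-ng::install recipe.
#
# The specs pin the baseline the recipe leaves behind: every built-in chain has
# an ACCEPT policy (in the rule files under /etc/iptables.d and in the loaded
# ruleset), no rules beyond the policies are loaded, and the configured
# services are enabled.
#
# NOTE(review): an ACCEPT policy on every chain with no rules means the host
# filters nothing at this stage. Presumably restrictive rules or policies are
# added by other recipes/resources; that is not visible from this file.
describe 'iptables-ng::install' do
  include Helpers::TestHelpers

  # Asserts that +listing+ (output of `iptables -L -n`) reports an ACCEPT
  # policy for each chain named in +chains+.
  def must_accept_on(listing, chains)
    chains.each { |chain| listing.must_include("Chain #{chain} (policy ACCEPT)") }
  end

  it 'should set all default policies to ACCEPT' do
    {
      'filter' => %w[INPUT OUTPUT FORWARD],
      'nat'    => %w[OUTPUT PREROUTING POSTROUTING],
      'mangle' => %w[INPUT OUTPUT FORWARD PREROUTING POSTROUTING],
      'raw'    => %w[OUTPUT PREROUTING]
    }.each do |table, chains|
      chains.each do |chain|
        file("/etc/iptables.d/#{table}/#{chain}/default").must_include('ACCEPT [0:0]')
      end
    end
  end


  # The line-count specs compare the whole `wc -l` result. A table without
  # rules prints two lines per chain plus one blank line between chains, so
  # any extra rule changes the count. A substring match is not enough here:
  # '8' is also contained in '18' or '80', which would let unexpected rules
  # slip past the test.
  it 'should not apply other iptables rules' do
    shell_out('iptables -L -n |wc -l').stdout.strip.must_equal('8')

    # RHEL uses a kernel <= 2.6.35, which doesn't have the INPUT chain in nat table
    nat_lines = node['platform_family'] == 'rhel' ? '8' : '11'
    shell_out('iptables -L -n -t nat |wc -l').stdout.strip.must_equal(nat_lines)

    shell_out('iptables -L -n -t mangle |wc -l').stdout.strip.must_equal('14')
    shell_out('iptables -L -n -t raw |wc -l').stdout.strip.must_equal('5')
  end

  it 'should not apply other ip6tables rules' do
    shell_out('ip6tables -L -n |wc -l').stdout.strip.must_equal('8')
    shell_out('ip6tables -L -n -t mangle |wc -l').stdout.strip.must_equal('14')
    shell_out('ip6tables -L -n -t raw |wc -l').stdout.strip.must_equal('5')
  end


  it 'should apply default policies in filter table' do
    chains = %w[INPUT OUTPUT FORWARD]

    must_accept_on(shell_out('iptables -L -n').stdout, chains)
    must_accept_on(shell_out('ip6tables -L -n').stdout, chains)
  end

  it 'should apply default policies in nat table' do
    chains = %w[OUTPUT PREROUTING POSTROUTING]
    # RHEL uses a kernel <= 2.6.35, which doesn't have the INPUT chain in nat table
    chains.unshift('INPUT') unless node['platform_family'] == 'rhel'

    must_accept_on(shell_out('iptables -L -n -t nat').stdout, chains)
  end

  it 'should apply default policies in mangle table' do
    chains = %w[INPUT OUTPUT FORWARD PREROUTING POSTROUTING]

    must_accept_on(shell_out('iptables -L -n -t mangle').stdout, chains)
    must_accept_on(shell_out('ip6tables -L -n -t mangle').stdout, chains)
  end

  it 'should apply default policies in raw table' do
    chains = %w[OUTPUT PREROUTING]

    must_accept_on(shell_out('iptables -L -n -t raw').stdout, chains)
    must_accept_on(shell_out('ip6tables -L -n -t raw').stdout, chains)
  end


  # A service is only checked when its node attribute is set; an unset
  # attribute skips the assertion rather than failing it.
  it 'should enable iptables serices' do
    %w[service_ipv4 service_ipv6].each do |attribute|
      name = node['iptables-ng'][attribute]
      service(name).must_be_enabled if name
    end
  end
end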