From 66d80b8b4a6066cd22f83c7af4dfaaad3c5069e1 Mon Sep 17 00:00:00 2001
From: Roman Belousov
Date: Sun, 12 Dec 2021 02:40:26 +0300
Subject: [PATCH] Improve compatibility with chef 13. Eliminate cloned resource warnings
---
 .foodcritic | 1 +
 .kitchen.yml | 6 +-
 metadata.rb | 4 ++
 providers/policy.rb | 16 -----
 providers/rule.rb | 65 ------------------
 recipes/default.rb | 8 +--
 recipes/redhat.rb | 4 +-
 resources/policy.rb | 20 ++++--
 resources/rule.rb | 68 +++++++++++++++++--
 .../default/serverspec/default_spec.rb | 21 +++---
 .../ipv6_default/serverspec/default_spec.rb | 39 +++++------
 .../serverspec/list_of_tables_spec.rb | 61 +++++++++--------
 .../serverspec/list_of_tables_spec.rb | 32 +++++----
 test/shared/spec_helper.rb | 12 ----
 14 files changed, 179 insertions(+), 178 deletions(-)
 create mode 100644 .foodcritic
 delete mode 100644 providers/policy.rb
 delete mode 100644 providers/rule.rb
 delete mode 100644 test/shared/spec_helper.rb
diff --git a/.foodcritic b/.foodcritic
new file mode 100644
index 0000000..074e05f
--- /dev/null
+++ b/.foodcritic
@@ -0,0 +1 @@
+~FC014
diff --git a/.kitchen.yml b/.kitchen.yml
index 05142cd..b58e849 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -4,10 +4,14 @@ driver:
 provisioner:
 name: chef_zero
+ require_chef_omnibus: '12'
+ deprecations_as_errors: true
+ client_rb:
+ chef_license: accept
 data_path: test/shared
 platforms:
- - name: centos-6.5
+ - name: centos-7
 suites:
 - name: default
diff --git a/metadata.rb b/metadata.rb
index 90d1af0..57d0407 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -5,8 +5,12 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version "0.8.0"
 name "simple_iptables"
+issues_url 'https://github.com/rtkwlf/cookbook-simple-iptables/issues'
+source_url 'https://github.com/rtkwlf/cookbook-simple-iptables/'
 supports "debian", ">= 6.0"
 supports "centos", ">= 5.8"
 supports "redhat", ">= 5.8"
 supports "ubuntu", ">= 10.04"
+
+chef_version '> 12.5.0'
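Review bot: The new `require_chef_omnibus: '12'` line pins Test Kitchen to a 12.x client, so the Chef 13 compatibility this commit is about is never exercised by the suite, and `deprecations_as_errors: true` can only surface the deprecations of the version that is actually installed. Testing against the newest client the cookbook now claims to support, e.g. `require_chef_omnibus: '13'` (or one suite per major), is what would back the commit message. The `chef_license: accept` entry under `client_rb` is harmless here but, as far as I know, is only consulted by Chef 15 and later. The surrounding `driver:` and `suites:` sections continue outside the hunk.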
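Review bot: `chef_version '> 12.5.0'` excludes 12.5.0 itself, although 12.5 is the release that introduced the `provides`/`action` custom-resource style the rewritten resources rely on; `chef_version '>= 12.5.0'` states the real minimum. Consider also adding a comment above it such as `# custom resources (provides/action) need Chef >= 12.5` so the constraint is not loosened by accident later.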
diff --git a/providers/policy.rb b/providers/policy.rb
deleted file mode 100644
index c8e82cc..0000000
--- a/providers/policy.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-action :set do
- updated = false
- if [:ipv4, :both].include?(new_resource.ip_version)
- updated |= handle_policy(new_resource, "ipv4")
- end
- if [:ipv6, :both].include?(new_resource.ip_version)
- updated |= handle_policy(new_resource, "ipv6")
- end
- new_resource.updated_by_last_action(updated)
-end
-
-def handle_policy(new_resource, ip_version)
- Chef::Log.debug("[#{ip_version}] setting policy for #{new_resource.chain} to #{new_resource.policy}")
- node.default["simple_iptables"][ip_version]["policy"][new_resource.table][new_resource.chain] = new_resource.policy
- return true
-end
diff --git a/providers/rule.rb b/providers/rule.rb
deleted file mode 100644
index 9789d67..0000000
--- a/providers/rule.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-require 'chef/mixin/shell_out'
-include Chef::Mixin::ShellOut
-
-
-action :append do
- updated = false
- if [:ipv4, :both].include?(new_resource.ip_version)
- updated |= handle_rule(new_resource, "ipv4")
- end
- if [:ipv6, :both].include?(new_resource.ip_version)
- if new_resource.table == 'nat' &&
- Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node['kernel']['release'])[0]) < Gem::Version.new('3.7')
- raise "NAT table cannot be used with IPv6 before Kernel 3.7"
- end
- updated |= handle_rule(new_resource, "ipv6")
- end
- new_resource.updated_by_last_action(updated)
-end
-
-def handle_rule(new_resource, ip_version)
- if new_resource.rule.kind_of?(String)
- rules = [new_resource.rule]
- elsif new_resource.rule.kind_of?(Array)
- rules = new_resource.rule
- else
- rules = ['']
- end
-
- unless node["simple_iptables"][ip_version]["rules"][new_resource.table].include?(new_resource.weight)
- node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] = []
- end
- unless node["simple_iptables"][ip_version]["chains"][new_resource.table].include?(new_resource.chain)
- unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
- node.default["simple_iptables"][ip_version]["chains"][new_resource.table] << new_resource.chain
- end
- unless new_resource.chain == new_resource.direction || new_resource.direction == :none
- node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] << "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}"
- end
- end
-
- # Then apply the rules to the node
- updated = false
- rules.each do |rule|
- new_rule = rule_string(new_resource, rule, false)
- table_rules = node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight]
-
- unless table_rules.include?(new_rule)
- table_rules << new_rule
- updated = true
- Chef::Log.debug("[#{ip_version}] added rule '#{new_rule}'")
- else
- Chef::Log.debug("[#{ip_version}] ignoring duplicate simple_iptables_rule '#{new_rule}'")
- end
- end
- updated
-end
-
-def rule_string(new_resource, rule, include_table)
- jump = new_resource.jump ? "--jump #{new_resource.jump} " : ""
- table = include_table ? "--table #{new_resource.table} " : ""
- comment = %Q{ -m comment --comment "#{new_resource.comment || new_resource.name}"}
- rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}#{comment}"
- rule
-end
-
diff --git a/recipes/default.rb b/recipes/default.rb
index 87091dc..ed8f972 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -38,12 +38,12 @@ node.rm_normal("simple_iptables", "ipv6")
 # Then run all the simple_iptables_* resources
 run_context.resource_collection.each do |resource|
- if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
+ if resource.resource_name == :simple_iptables_rule
 Chef::Log.debug("about to run simple_iptables_rule[#{resource.chain}]")
- resource.run_action(resource.action)
- elsif resource.kind_of?(Chef::Resource::SimpleIptablesPolicy)
+ resource.run_action(resource.action.first)
+ elsif resource.resource_name == :simple_iptables_policy
 Chef::Log.debug("about to run simple_iptables_policy[#{resource.chain}]")
- resource.run_action(resource.action)
+ resource.run_action(resource.action.first)
 end
 end
diff --git a/recipes/redhat.rb b/recipes/redhat.rb
index 8f92a22..34fb160 100644
--- a/recipes/redhat.rb
+++ b/recipes/redhat.rb
@@ -38,7 +38,7 @@ ip_version :ipv4
 end
-simple_iptables_rule "reject" do
+simple_iptables_rule "reject_input" do
 chain "INPUT"
 rule ""
 jump "REJECT --reject-with icmp-host-prohibited"
@@ -46,7 +46,7 @@ ip_version :ipv4
 end
-simple_iptables_rule "reject" do
+simple_iptables_rule "reject_forward" do
 direction "FORWARD"
 chain "FORWARD"
 rule ""
diff --git a/resources/policy.rb b/resources/policy.rb
index cca880c..078514f 100644
--- a/resources/policy.rb
+++ b/resources/policy.rb
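Review bot: `resource.run_action(resource.action.first)` silently ignores every action after the first if a consumer writes `action [:append, :something]`; the `.first` itself shows that `action` is now an array, so iterating it keeps the old semantics without the truncation: `Array(resource.action).each { |a| resource.run_action(a) }` (both the rule and the policy branch). Switching the match from `kind_of?(Chef::Resource::SimpleIptablesRule)` to `resource.resource_name == :simple_iptables_rule` is the right move now that the resources are declared with `provides`, but a one-line comment such as `# match on resource_name: the provides-style resources no longer have a dedicated class` would save the next reader from wondering why the class check was dropped. The loop is shown in full; the rest of the recipe is outside the hunk.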
@@ -1,13 +1,25 @@
-actions :set
+provides :simple_iptables_policy
 attribute :chain, :name_attribute => true, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"]
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
 attribute :policy, :equal_to => ["ACCEPT", "DROP"], :required => true
 attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
+default_action :set
-def initialize(*args)
- super
- @action = :set
+def handle_policy(new_resource, ip_version)
+ Chef::Log.debug("[#{ip_version}] setting policy for #{new_resource.chain} to #{new_resource.policy}")
+ node.default["simple_iptables"][ip_version]["policy"][new_resource.table][new_resource.chain] = new_resource.policy
+ return true
 end
+action :set do
+ updated = false
+ if [:ipv4, :both].include?(new_resource.ip_version)
+ updated |= handle_policy(new_resource, "ipv4")
+ end
+ if [:ipv6, :both].include?(new_resource.ip_version)
+ updated |= handle_policy(new_resource, "ipv6")
+ end
+ new_resource.updated_by_last_action(updated)
+end
diff --git a/resources/rule.rb b/resources/rule.rb
index a5908d5..eb3b7e0 100644
--- a/resources/rule.rb
+++ b/resources/rule.rb
@@ -1,4 +1,7 @@
-actions :append
+require 'chef/mixin/shell_out'
+include Chef::Mixin::ShellOut
+
+provides :simple_iptables_rule
 attribute :chain, :name_attribute => true, :kind_of => String
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
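Review bot: `new_resource.updated_by_last_action(updated)` at the end of the new `action :set` block is the LWRP-era way of reporting a change; in a `provides`/`action` resource the node writes should be wrapped in `converge_by("set #{ip_version} policy for #{new_resource.chain}") { ... }` inside `handle_policy`, which marks the resource updated, gives why-run a description, and avoids the call that later clients flag as deprecated — with `deprecations_as_errors: true` now in .kitchen.yml that would become a hard failure on a newer client. The same pattern is in `action :append` in resources/rule.rb. `handle_policy` is also defined with a plain `def` at resource scope; if it does not resolve from inside the action on the targeted client, move it into an `action_class do ... end` block. `return true` after an unconditional node write also means `updated` is always true, so the resource reports a change on every run; a comment stating that this is intended, or a comparison against the current value before writing, would make the idempotency story explicit.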
@@ -10,8 +13,65 @@ attribute :comment, :kind_of => String
 attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
-def initialize(*args)
- super
- @action = :append
+default_action :append
+
+def handle_rule(new_resource, ip_version)
+ if new_resource.rule.kind_of?(String)
+ rules = [new_resource.rule]
+ elsif new_resource.rule.kind_of?(Array)
+ rules = new_resource.rule
+ else
+ rules = ['']
+ end
+
+ unless node["simple_iptables"][ip_version]["rules"][new_resource.table].include?(new_resource.weight)
+ node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] = []
+ end
+ unless node["simple_iptables"][ip_version]["chains"][new_resource.table].include?(new_resource.chain)
+ unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
+ node.default["simple_iptables"][ip_version]["chains"][new_resource.table] << new_resource.chain
+ end
+ unless new_resource.chain == new_resource.direction || new_resource.direction == :none
+ node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] << "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}"
+ end
+ end
+
+ # Then apply the rules to the node
+ updated = false
+ rules.each do |rule|
+ new_rule = rule_string(new_resource, rule, false)
+ table_rules = node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight]
+
+ unless table_rules.include?(new_rule)
+ table_rules << new_rule
+ updated = true
+ Chef::Log.debug("[#{ip_version}] added rule '#{new_rule}'")
+ else
+ Chef::Log.debug("[#{ip_version}] ignoring duplicate simple_iptables_rule '#{new_rule}'")
+ end
+ end
+ updated
+end
+
+def rule_string(new_resource, rule, include_table)
+ jump = new_resource.jump ? "--jump #{new_resource.jump} " : ""
+ table = include_table ? "--table #{new_resource.table} " : ""
+ comment = %Q{ -m comment --comment "#{new_resource.comment || new_resource.name}"}
+ rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}#{comment}"
+ rule
 end
+action :append do
+ updated = false
+ if [:ipv4, :both].include?(new_resource.ip_version)
+ updated |= handle_rule(new_resource, "ipv4")
+ end
+ if [:ipv6, :both].include?(new_resource.ip_version)
+ if new_resource.table == 'nat' &&
+ Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node['kernel']['release'])[0]) < Gem::Version.new('3.7')
+ raise "NAT table cannot be used with IPv6 before Kernel 3.7"
+ end
+ updated |= handle_rule(new_resource, "ipv6")
+ end
+ new_resource.updated_by_last_action(updated)
+end
diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb
index 1489196..361aa9d 100644
--- a/test/integration/default/serverspec/default_spec.rb
+++ b/test/integration/default/serverspec/default_spec.rb
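Review bot: The `require 'chef/mixin/shell_out'` / `include Chef::Mixin::ShellOut` pair added at the top of resources/rule.rb is unused: nothing in `handle_rule`, `rule_string` or `action :append` calls `shell_out`, and a `provides`-style resource already has it available inside actions, so both lines can be dropped rather than carried over from the deleted provider. In the kernel check the inner group of `/\d+(\.\d+(.\d+)?)?/` uses an unescaped `.`, so any single character followed by digits is swallowed into the string handed to `Gem::Version.new`; `\.\d+` is what was meant, and a comment like `# IPv6 NAT needs kernel >= 3.7; compare only the numeric prefix of kernel.release` would document the guard. `rule_string` interpolates `new_resource.comment || new_resource.name` into a double-quoted `--comment` argument without escaping, so a comment or resource name containing `"` ends up in the saved rules file as a broken line; since the value is cookbook-controlled that is a robustness rather than an exposure issue, but it is worth either stripping quotes or noting the constraint in a comment on the attribute. The action and both helpers are shown in full within the hunk.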
@@ -1,13 +1,14 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 describe iptables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
 end
\ No newline at end of file
diff --git a/test/integration/ipv6_default/serverspec/default_spec.rb b/test/integration/ipv6_default/serverspec/default_spec.rb
index 35c0967..ae8fe02 100644
--- a/test/integration/ipv6_default/serverspec/default_spec.rb
+++ b/test/integration/ipv6_default/serverspec/default_spec.rb
@@ -1,25 +1,26 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 describe iptables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
 end
 describe ip6tables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should_not have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
 end
diff --git a/test/integration/ipv6_list_of_tables/serverspec/list_of_tables_spec.rb b/test/integration/ipv6_list_of_tables/serverspec/list_of_tables_spec.rb
index ca6fc31..1340742 100644
--- a/test/integration/ipv6_list_of_tables/serverspec/list_of_tables_spec.rb
+++ b/test/integration/ipv6_list_of_tables/serverspec/list_of_tables_spec.rb
@@ -1,33 +1,40 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 describe iptables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
- it { should_not have_rule('*nat') }
- it { should have_rule('*mangle') }
- it { should have_rule('*filter') }
- it { should_not have_rule('*raw') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
+end
+
+describe file('/etc/sysconfig/iptables') do
+ its(:content) { should_not match /\*nat/ }
+ its(:content) { should match /\*mangle/ }
+ its(:content) { should match /\*filter/ }
+ its(:content) { should_not match /\*raw/ }
 end
 describe ip6tables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should_not have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
- it { should_not have_rule('*nat') }
- it { should have_rule('*mangle') }
- it { should have_rule('*filter') }
- it { should_not have_rule('*raw') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should_not have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
+end
+
+describe file('/etc/sysconfig/ip6tables') do
+ its(:content) { should_not match /\*nat/ }
+ its(:content) { should match /\*mangle/ }
+ its(:content) { should match /\*filter/ }
+ its(:content) { should_not match /\*raw/ }
 end
diff --git a/test/integration/list_of_tables/serverspec/list_of_tables_spec.rb b/test/integration/list_of_tables/serverspec/list_of_tables_spec.rb
index e82e9f6..944f115 100644
--- a/test/integration/list_of_tables/serverspec/list_of_tables_spec.rb
+++ b/test/integration/list_of_tables/serverspec/list_of_tables_spec.rb
@@ -1,17 +1,21 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 describe iptables do
- it { should have_rule('-A INPUT -j simple_rule') }
- it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
- it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
- it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
- it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
- it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
- it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
- it { should have_rule('-A INPUT -j array_of_rules') }
- it { should_not have_rule('*nat') }
- it { should have_rule('*mangle') }
- it { should have_rule('*filter') }
- it { should_not have_rule('*raw') }
+ it { should have_rule('-A INPUT.* -j simple_rule') }
+ it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+ it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+ it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+ it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+ it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+ it { should have_rule('-A INPUT.* -j array_of_rules') }
+end
+
+describe file('/etc/sysconfig/iptables') do
+ its(:content) { should_not match /\*nat/ }
+ its(:content) { should match /\*mangle/ }
+ its(:content) { should match /\*filter/ }
+ its(:content) { should_not match /\*raw/ }
 end
diff --git a/test/shared/spec_helper.rb b/test/shared/spec_helper.rb
deleted file mode 100644
index 0280a3e..0000000
--- a/test/shared/spec_helper.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-require 'serverspec'
-include Serverspec::Helper::Exec
-include Serverspec::Helper::DetectOS
-
-# Require support files
-Dir[File.expand_path('../support/**/*.rb', __FILE__)].each { |file| require_relative(file) }
-
-RSpec.configure do |config|
- config.before(:all) do
- config.os = backend(Serverspec::Commands::Base).check_os
- end
-end