Merge pull request #442 from chef/sr/fix-420
Fix iptables on CentOS6 + more tests for iptables (plus small code improvements)
This commit is contained in:
commit
575953b00c
6 changed files with 56 additions and 15 deletions
|
@ -31,8 +31,8 @@ class IpTables < Inspec.resource(1)
|
|||
"
|
||||
|
||||
def initialize(params = {})
|
||||
@table = params[:table] || nil
|
||||
@chain = params[:chain] || nil
|
||||
@table = params[:table]
|
||||
@chain = params[:chain]
|
||||
|
||||
# we're done if we are on linux
|
||||
return if inspec.os.linux?
|
||||
|
@ -43,29 +43,26 @@ class IpTables < Inspec.resource(1)
|
|||
end
|
||||
|
||||
def has_rule?(rule = nil, _table = nil, _chain = nil)
|
||||
found = false
|
||||
retrieve_rules.each { |line|
|
||||
# checks if the rule is part of the ruleset
|
||||
# for now, we expect an excact match
|
||||
found = true if line.casecmp(rule) == 0
|
||||
}
|
||||
found
|
||||
# checks if the rule is part of the ruleset
|
||||
# for now, we expect an exact match
|
||||
retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
|
||||
end
|
||||
|
||||
def retrieve_rules
|
||||
return @iptables_cache if defined?(@iptables_cache)
|
||||
|
||||
# construct iptables command to read all rules
|
||||
@table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} "
|
||||
@chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}"
|
||||
cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
|
||||
table_cmd = "-t #{@table}" if @table
|
||||
iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip
|
||||
|
||||
cmd = inspec.command(iptables_cmd)
|
||||
return [] if cmd.exit_status.to_i != 0
|
||||
|
||||
# split rules, returns array or rules
|
||||
@iptables_cache = cmd.stdout.chomp.split("\n")
|
||||
@iptables_cache = cmd.stdout.split("\n").map(&:strip)
|
||||
end
|
||||
|
||||
def to_s
|
||||
format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip
|
||||
format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
||||
end
|
||||
end
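Review bot: In retrieve_rules the `@table` and `@chain` values taken from params in initialize (first hunk) are formatted straight into the command line on `iptables_cmd = format('iptables %s -S %s', table_cmd, @chain).strip` with no validation, so a table or chain name carrying shell metacharacters reaches inspec.command verbatim; whether that matters depends on how the command backend runs it, which is outside this hunk. Restricting both to plain iptables names makes the resource safe regardless of backend: `raise ArgumentError, "invalid iptables table: #{@table.inspect}" unless @table.nil? || @table =~ /\A[\w-]+\z/` and the same check for `@chain`, placed in initialize ahead of `return if inspec.os.linux?`. Separately, `has_rule?` still defaults `rule` to nil, and `line.casecmp(nil)` raises TypeError on Ruby before 2.5 (and returns nil, so `== 0` is false, on later versions), so the default is misleading; either drop it or add `return false if rule.nil?` as the first line. The class continues outside this hunk.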
|
||||
|
|
|
@ -11,6 +11,7 @@ include_recipe('os_prepare::mount')
|
|||
include_recipe('os_prepare::service')
|
||||
include_recipe('os_prepare::package')
|
||||
include_recipe('os_prepare::registry_key')
|
||||
include_recipe('os_prepare::iptables')
|
||||
|
||||
# configure repos, eg. nginx
|
||||
include_recipe('os_prepare::apt')
|
||||
|
|
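--- /dev/null
+++ b/test/integration/cookbooks/os_prepare/recipes/iptables.rb
@@ -0,0 +1,13 @@
+# encoding: utf-8
+# author: Stephan Renatus
+
+case node['platform']
+when 'ubuntu', 'rhel', 'centos', 'fedora'
+execute 'iptables -A INPUT -i eth0 -p tcp -m tcp '\
+'--dport 80 -m state --state NEW -m comment '\
+'--comment "http on 80" -j ACCEPT'
+execute 'iptables -N derby-cognos-web'
+execute 'iptables -A INPUT -j derby-cognos-web'
+execute 'iptables -A derby-cognos-web -p tcp -m tcp --dport 80 '\
+'-m comment --comment "derby-cognos-web" -j ACCEPT'
+end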
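Review bot: The four `execute` resources carry no guard, so every chef-client converge appends the same rules again and `iptables -N derby-cognos-web` exits non-zero once the chain exists, which makes the integration setup non-idempotent and the rule count on the box drift between runs. Each execute should check the live ruleset first, e.g. `not_if 'iptables -C INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT'` for the first rule and `not_if 'iptables -L derby-cognos-web -n'` for the chain creation. The hard-coded `eth0` also deserves a comment, since on distributions with predictable interface naming the INPUT expectations in the spec would fail for a reason unrelated to the resource under test.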
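--- /dev/null
+++ b/test/integration/test/integration/default/iptables_spec.rb
@@ -0,0 +1,25 @@
+# encoding: utf-8
+
+case os[:family]
+when 'ubuntu', 'fedora'
+describe iptables do
+it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+
+# single-word comments have their quotes dropped
+it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+end
+when 'rhel', 'centos'
+describe iptables do
+it { should have_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http on 80" -j ACCEPT') }
+it { should_not have_rule('-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT') }
+end
+
+describe iptables do
+it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
+end if os[:release] == 6
+
+describe iptables do
+it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment derby-cognos-web -j ACCEPT') }
+end if os[:release] == 7
+end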
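Review bot: The modifiers `end if os[:release] == 6` and `end if os[:release] == 7` compare against Integers, but `os[:release]` appears to be a version String in InSpec (something like `"6.8"`), in which case neither derby-cognos-web block ever runs on rhel/centos and the quoting difference noted in the ubuntu branch goes untested there. A prefix test avoids the type mismatch, e.g. `end if os[:release].start_with?('6')` and `end if os[:release].start_with?('7')`. Because a skipped describe produces no failing control, this gap is silent; worth confirming on a CentOS 6 and 7 run that the expected blocks actually appear in the report.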
@ -3,4 +3,4 @@
|
|||
-P OUTPUT ACCEPT
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
|
||||
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT
|
||||
|
|
|
@ -14,6 +14,11 @@ describe 'Inspec::Resources::Iptables' do
|
|||
_(resource.has_rule?('-P OUTPUT DROP')).must_equal false
|
||||
end
|
||||
|
||||
it 'verify iptables with comments on ubuntu' do
|
||||
resource = MockLoader.new(:ubuntu1404).load_resource('iptables')
|
||||
_(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true
|
||||
end
|
||||
|
||||
it 'verify iptables on windows' do
|
||||
resource = MockLoader.new(:windows).load_resource('iptables')
|
||||
_(resource.has_rule?('-P OUTPUT ACCEPT')).must_equal false
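Review bot: The new unit test only exercises the ubuntu1404 mock, so the CentOS 6 behaviour the PR title says it fixes is not pinned by a unit test; if the fix is the `map(&:strip)` in retrieve_rules, a fixture line with trailing whitespace, or a centos6 mock loader entry asserting the same rule, would cover it. The added assertion also inlines the full rule string on one very long line; a local such as `rule = '-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT'` followed by `_(resource.has_rule?(rule)).must_equal true` makes the case it covers (a quoted multi-word comment) readable at a glance. The describe block continues outside the hunk.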
|
||||
|
|