Merge pull request #148 from duritong/split-conntrack-mgmt

split conntrack management into dedicated classes

Merge pull request #148 from duritong/split-conntrack-mgmt
split conntrack management into dedicated classes
665a4827 · Tim Meusel · GitHub · 77503f49 · 9e42547b · 665a4827
Unverified Commit 665a4827 authored Sep 04, 2022 by Tim Meusel Committed by GitHub Sep 04, 2022
--- a/manifests/inet_filter.pp
+++ b/manifests/inet_filter.pp
@@ -57,14 +57,7 @@ class nftables::inet_filter inherits nftables {
    }
  }
  if $nftables::in_out_conntrack {
-    nftables::rule {
-      'INPUT-accept_established_related':
-        order   => '05',
-        content => 'ct state established,related accept';
-      'INPUT-drop_invalid':
-        order   => '06',
-        content => 'ct state invalid drop';
-    }
+    include nftables::inet_filter::in_out_conntrack
  }

  # inet-filter-chain-OUTPUT
@@ -93,14 +86,7 @@ class nftables::inet_filter inherits nftables {
    }
  }
  if $nftables::in_out_conntrack {
-    nftables::rule {
-      'OUTPUT-accept_established_related':
-        order   => '05',
-        content => 'ct state established,related accept';
-      'OUTPUT-drop_invalid':
-        order   => '06',
-        content => 'ct state invalid drop';
-    }
+    include nftables::inet_filter::in_out_conntrack
  }

  # inet-filter-chain-FORWARD
@@ -126,14 +112,7 @@ class nftables::inet_filter inherits nftables {
    }
  }
  if $nftables::fwd_conntrack {
-    nftables::rule {
-      'FORWARD-accept_established_related':
-        order   => '05',
-        content => 'ct state established,related accept';
-      'FORWARD-drop_invalid':
-        order   => '06',
-        content => 'ct state invalid drop';
-    }
+    include nftables::inet_filter::fwd_conntrack
  }

  # basic outgoing rules

--- a/manifests/inet_filter/fwd_conntrack.pp
+++ b/manifests/inet_filter/fwd_conntrack.pp
+# @summary enable conntrack for fwd
+class nftables::inet_filter::fwd_conntrack {
+  nftables::rule {
+    'FORWARD-accept_established_related':
+      order   => '05',
+      content => 'ct state established,related accept';
+    'FORWARD-drop_invalid':
+      order   => '06',
+      content => 'ct state invalid drop';
+  }
+}
--- a/manifests/inet_filter/in_out_conntrack.pp
+++ b/manifests/inet_filter/in_out_conntrack.pp
+# @summary manage input & output conntrack
+class nftables::inet_filter::in_out_conntrack {
+  nftables::rule {
+    'INPUT-accept_established_related':
+      order   => '05',
+      content => 'ct state established,related accept';
+    'INPUT-drop_invalid':
+      order   => '06',
+      content => 'ct state invalid drop';
+    'OUTPUT-accept_established_related':
+      order   => '05',
+      content => 'ct state established,related accept';
+    'OUTPUT-drop_invalid':
+      order   => '06',
+      content => 'ct state invalid drop';
+  }
+}
--- a/spec/classes/inet_filter/fwd_conntrack_spec.rb
+++ b/spec/classes/inet_filter/fwd_conntrack_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::inet_filter::fwd_conntrack' do
+  on_supported_os.each do |os, _os_facts|
+    context "on #{os}" do
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related').with(
+          target: 'nftables-inet-filter-chain-FORWARD',
+          content: %r{^  ct state established,related accept$},
+          order: '05-nftables-inet-filter-chain-FORWARD-rule-accept_established_related-b'
+        )
+      }
+
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid').with(
+          target: 'nftables-inet-filter-chain-FORWARD',
+          content: %r{^  ct state invalid drop$},
+          order: '06-nftables-inet-filter-chain-FORWARD-rule-drop_invalid-b'
+        )
+      }
+    end
+  end
+end
--- a/spec/classes/inet_filter/in_out_conntrack_spec.rb
+++ b/spec/classes/inet_filter/in_out_conntrack_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::inet_filter::in_out_conntrack' do
+  let(:pre_condition) { 'Exec{path => "/bin"}' }
+
+  on_supported_os.each do |os, _os_facts|
+    context "on #{os}" do
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
+          target: 'nftables-inet-filter-chain-INPUT',
+          content: %r{^  ct state established,related accept$},
+          order: '05-nftables-inet-filter-chain-INPUT-rule-accept_established_related-b'
+        )
+      }
+
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid').with(
+          target: 'nftables-inet-filter-chain-INPUT',
+          content: %r{^  ct state invalid drop$},
+          order: '06-nftables-inet-filter-chain-INPUT-rule-drop_invalid-b'
+        )
+      }
+
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related').with(
+          target: 'nftables-inet-filter-chain-OUTPUT',
+          content: %r{^  ct state established,related accept$},
+          order: '05-nftables-inet-filter-chain-OUTPUT-rule-accept_established_related-b'
+        )
+      }
+
+      it {
+        expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid').with(
+          target: 'nftables-inet-filter-chain-OUTPUT',
+          content: %r{^  ct state invalid drop$},
+          order: '06-nftables-inet-filter-chain-OUTPUT-rule-drop_invalid-b'
+        )
+      }
+    end
+  end
+end
--- a/spec/classes/inet_filter_spec.rb
+++ b/spec/classes/inet_filter_spec.rb
@@ -95,22 +95,6 @@ describe 'nftables' do
          )
        }

-        it {
-          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
-            target: 'nftables-inet-filter-chain-INPUT',
-            content: %r{^  ct state established,related accept$},
-            order: '05-nftables-inet-filter-chain-INPUT-rule-accept_established_related-b'
-          )
-        }
-
-        it {
-          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid').with(
-            target: 'nftables-inet-filter-chain-INPUT',
-            content: %r{^  ct state invalid drop$},
-            order: '06-nftables-inet-filter-chain-INPUT-rule-drop_invalid-b'
-          )
-        }
-
        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
            target: 'nftables-inet-filter-chain-INPUT',
@@ -233,22 +217,6 @@ describe 'nftables' do
          )
        }

-        it {
-          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related').with(
-            target: 'nftables-inet-filter-chain-OUTPUT',
-            content: %r{^  ct state established,related accept$},
-            order: '05-nftables-inet-filter-chain-OUTPUT-rule-accept_established_related-b'
-          )
-        }
-
-        it {
-          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid').with(
-            target: 'nftables-inet-filter-chain-OUTPUT',
-            content: %r{^  ct state invalid drop$},
-            order: '06-nftables-inet-filter-chain-OUTPUT-rule-drop_invalid-b'
-          )
-        }
-
        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
            target: 'nftables-inet-filter-chain-OUTPUT',
@@ -396,11 +364,7 @@ describe 'nftables' do
        }

        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
-        }
-
-        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
+          expect(subject).not_to contain_class('nftables::inet_filter::fwd_conntrack')
        }

        it {
@@ -685,27 +649,23 @@ describe 'nftables' do
        end

        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related')
-        }
-
-        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid')
-        }
-
-        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related')
+          expect(subject).not_to contain_class('nftables::inet_filter::in_out_conntrack')
        }

        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid')
+          expect(subject).not_to contain_class('nftables::inet_filter::fwd_conntrack')
        }
+      end

-        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
-        }
+      context 'with fwd conntrack rules' do
+        let(:params) do
+          {
+            'fwd_conntrack' => true,
+          }
+        end

        it {
-          expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
+          expect(subject).to contain_class('nftables::inet_filter::fwd_conntrack')
        }
      end