puppetlabs · underscorgan · Oct 20, 2014 · Oct 20, 2014
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -1,4 +1,4 @@
-Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :iptables do
+Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :ip6tables do
   @doc = "Ip6tables type provider"
 
   has_feature :iptables

diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
@@ -29,7 +29,10 @@ class { 'firewall': }
     end
   end
 
-  context('chain purge') do
+  context('ipv4 chain purge') do
+    after(:all) do
+      iptables_flush_all_tables
+    end
     before(:each) do
       iptables_flush_all_tables
 
@@ -127,4 +130,109 @@ class { 'firewall': }
       expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
     end
   end
+  context('ipv6 chain purge') do
+    after(:all) do
+      ip6tables_flush_all_tables
+    end
+    before(:each) do
+      ip6tables_flush_all_tables
+
+      shell('ip6tables -A INPUT -p tcp -s 1::42')
+      shell('ip6tables -A INPUT -p udp -s 1::42')
+      shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+    end
+
+    it 'purges only the specified chain' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+        }
+      EOS
+
+      apply_manifest(pp, :expect_changes => true)
+
+      shell('ip6tables-save') do |r|
+        expect(r.stdout).to match(/010 output-1::50/)
+        expect(r.stdout).to_not match(/1::42/)
+        expect(r.stderr).to eq("")
+      end
+    end
+
+    it 'ignores managed rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'OUTPUT:filter:IPv6':
+          purge => true,
+        }
+        firewall { '010 output-1::50':
+          chain  => 'OUTPUT',
+          proto  => 'all',
+          source => '1::50',
+        }
+      EOS
+
+      unless fact('selinux') == 'true'
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'ignores specified rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+      EOS
+
+      if fact('selinux') == 'true'
+        apply_manifest(pp, :catch_failures => true)
+      else
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'adds managed rules with ignored rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+        firewall { '014 input-1::46':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::46',
+          provider => 'ip6tables',
+        }
+        -> firewall { '013 input-1::45':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::45',
+          provider => 'ip6tables',
+        }
+        -> firewall { '012 input-1::44':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::44',
+          provider => 'ip6tables',
+        }
+        -> firewall { '011 input-1::43':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::43',
+          provider => 'ip6tables',
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+
+      expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+    end
+  end
 end