feat(pillar.example,test/): add example and test for richrule ratelimit

Document and test the accept rate limiting of the rich rule.

Signed-off-by: Arnaud Patard <[email protected]>

pillar.example

@@ -126,6 +126,14 @@ firewalld:
             name: fail2ban-ssh
           reject:
             type: icmp-port-unreachable
+        - accept:
+            limit: "3/m"
+          log:
+            level: warning
+            limit: "3/m"
+            prefix: "http fw limit 3/m"
+          service: http
+
       ports:
         # {%- if grains['id'] == 'salt.example.com' %}
         - comment: salt-master

test/integration/default/controls/zones_spec.rb

@@ -37,6 +37,13 @@
             <source ipset="fail2ban-ssh" />
             <reject type="icmp-port-unreachable" />
           </rule>
+          <rule>
+            <service name="http" />
+            <log prefix="http fw limit 3/m" level="warning">
+              <limit value="3/m"/>
+            </log>
+            <accept> <limit value="3/m"/></accept>
+          </rule>
         </zone>
       ZONE_XML
     end

test/integration/default/files/_mapdata/amazonlinux-2.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/arch-base-latest.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/centos-7.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/centos-8.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/debian-10.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/debian-9.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/fedora-31.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/fedora-32.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/opensuse-15.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/ubuntu-16.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/ubuntu-18.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https

test/integration/default/files/_mapdata/ubuntu-20.yaml

@@ -134,6 +134,13 @@ values:
           name: fail2ban-ssh
         reject:
           type: icmp-port-unreachable
+      - accept:
+          limit: "3/m"
+        log:
+          level: warning
+          limit: "3/m"
+          prefix: "http fw limit 3/m"
+        service: http
       services:
       - http
       - https