ipscriptables 0.0.1

data/ipscriptables.gemspec

@@ -0,0 +1,38 @@
+# -*- mode: ruby; coding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ipscriptables/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ipscriptables'
+  spec.version       = IPScriptables::VERSION
+  spec.authors       = ['Maciej Pasternacki']
+  spec.email         = ['maciej@3ofcoins.net']
+  spec.description   = 'Ruby-driven IPTables'
+  spec.summary       = 'Ruby-driven IPTables'
+  spec.homepage      = 'https://github.com/3ofcoins/ipscriptables/'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(/^bin\//) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(/^(test|spec|features)\//)
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'docile'
+  spec.add_dependency 'hashie'
+  spec.add_dependency 'systemu'
+  spec.add_dependency 'ohai'
+  spec.add_dependency 'sigar'   # for OHAI's network_listeners plugin
+  spec.add_dependency 'ipaddr_extensions' # for OHAI's ip_scopes plugin
+  spec.add_dependency 'diffy'
+  spec.add_dependency 'clamp'
+
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'mocha'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'rake', '~> 10.1'
+  spec.add_development_dependency 'wrong', '~> 0.7'
+  spec.add_development_dependency 'fauxhai'
+  spec.add_development_dependency 'rubocop'
+end

data/lib/ipscriptables.rb

@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+
+require 'docile'
+require 'hashie'
+
+require 'ipscriptables/version'
+
+require 'ipscriptables/ruleset'
+require 'ipscriptables/table'
+require 'ipscriptables/chain'
+require 'ipscriptables/rule'
+require 'ipscriptables/runtime'
+
+require 'ipscriptables/pretty_print'

data/lib/ipscriptables/chain.rb

@@ -0,0 +1,83 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  class Chain
+    extend Forwardable
+    include Enumerable
+    attr_reader :name, :table, :rules, :counters
+    attr_accessor :policy
+    def_delegators :rules, :each, :clear, :<<, :empty?
+    def_delegators :table, :ruleset, :opts
+
+    def initialize(name, table, policy = '-', counters = [0, 0], &block)
+      @name = name
+      @table = table
+      @policy = policy
+      @counters = counters
+      @rules = []
+      @rule_stack = []
+      Docile.dsl_eval(self, &block) if block_given?
+    end
+
+    def original
+      table.original[name] if table.original
+    end
+
+    def alter(policy = nil, counters = nil, &block)
+      @policy = policy unless policy.nil?
+      @counters = counters unless counters.nil?
+      Docile.dsl_eval(self, &block) if block_given?
+    end
+
+    def rule(term, *rest, &block) # rubocop:disable CyclomaticComplexity, MethodLength, LineLength
+                                  # FIXME: ^^
+      case term
+      when Rule
+        @rules << term         # we trust here that term.chain is self
+      when Hash
+        # Explode hash into [switch, value, switch, value, ...] sequence
+        exploded = []
+        term.each do |key, val|
+          if key.is_a? Symbol
+            key = key.to_s
+            if key.length == 1
+              exploded << "-#{key}"
+            else
+              exploded << "--#{key.gsub('_', '-')}"
+            end
+          else
+            exploded << key.to_s
+          end
+          exploded << val
+        end
+        exploded.concat(rest)
+        rule(*exploded, &block)
+      when Enumerable
+        term.each do |term1|
+          rule(term1, *rest, &block)
+        end
+      else
+        begin
+          @rule_stack << term
+          if !rest.empty?
+            rule(*rest, &block)
+          elsif block_given?
+            yield
+          else
+            @rules << Rule.new(self, @rule_stack.map(&:to_s).join(' '))
+          end
+        ensure
+          @rule_stack.pop
+        end
+      end
+    end
+
+    def render_header
+      ":#{name} #{policy} [#{counters.join(':')}]"
+    end
+
+    def render_rules
+      rules.map(&:render).join("\n") unless rules.empty?
+    end
+  end
+end

data/lib/ipscriptables/cli.rb

@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+require 'clamp'
+require 'ipscriptables'
+
+module IPScriptables
+  class CLI < Clamp::Command
+    option '--apply', :flag, 'Apply changes to iptables/ip6tables'
+    option '--quiet', :flag, 'Don\'t print diff'
+
+    parameter 'SCRIPT ...', 'Ruby DSL spec(s) to evaluate',
+              attribute_name: :scripts
+
+    def execute
+      runtime = IPScriptables::Runtime.new(apply: apply?, quiet: quiet?)
+      scripts.each { |script| runtime.load_file(script) }
+      runtime.execute!
+    end
+  end
+end

data/lib/ipscriptables/helpers.rb

@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+
+require 'ohai'
+require 'systemu'
+
+module IPScriptables
+  module Helpers
+    extend Forwardable
+    def_delegators IPScriptables::Helpers, :ohai, :run_command
+
+    class << self
+      def run_command(*argv)
+        status, stdout, stderr = systemu(argv)
+        unless status.success?
+          $stderr.puts stdout.gsub(/^/, "#{argv.first}: ") unless stdout.empty?
+          fail "#{status}: #{stderr}"
+        end
+        $stderr.puts stderr.gsub(/^/, "#{argv.first}: ") unless stderr.empty?
+        stdout
+      end
+
+      def ohai
+        @ohai ||= setup_ohai
+      end
+
+      private
+
+      def setup_ohai
+        require 'ohai'
+        ohai = Ohai::System.new
+        %w(os platform kernel hostname network ip_scopes network_listeners
+           cloud).each do |plugin|
+          ohai.require_plugin plugin
+        end
+        ohai
+      end
+    end
+  end
+end

data/lib/ipscriptables/pretty_print.rb

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  class Ruleset
+    def inspect
+      "#<#{self.class} [#{map(&:inspect).join(', ')}]>"
+    end
+
+    def pretty_print(q)
+      q.object_address_group(self) do
+        q.group(2) do
+          q.breakable
+          q.seplist(self, -> { q.breakable }) { |v| q.pp v }
+        end
+      end
+    end
+  end
+
+  class Table
+    def inspect
+      "#<#{self.class} #{name} [#{map(&:inspect).join(', ')}]>"
+    end
+
+    def pretty_print(q)
+      q.group(2, "*#{name} {", '}') do
+        unless @chains.empty?
+          q.breakable
+          q.seplist(self, -> { q.breakable }) { |v| q.pp v }
+        end
+      end
+    end
+  end
+
+  class Chain
+    def inspect
+      "#<#{self.class} #{name} [#{map(&:inspect).join(', ')}]>"
+    end
+
+    def pretty_print(q)
+      q.group(2, "#{render_header} {", '}') do
+        unless rules.empty?
+          q.breakable
+          q.seplist(rules, -> { q.breakable ' ; ' }) { |v| q.pp(v) }
+        end
+      end
+    end
+  end
+
+  class Rule
+    def inspect
+      "#<#{self.class} #{render_counters}#{rule}>"
+    end
+
+    def pretty_print(q)
+      q.text("#{render_counters}#{rule}")
+    end
+  end
+end

data/lib/ipscriptables/rule.rb

@@ -0,0 +1,95 @@
+# -*- coding: utf-8 -*-
+require 'shellwords'
+
+module IPScriptables
+  class Rule
+    OPTION_SYNONYMS = Hashie::Mash[
+      :p => :protocol,
+      :s => :source,
+      :d => :destination,
+      :j => :jump,
+      :g => :goto,
+      :i => :in_interface,
+      :o => :out_interface,
+      :f => :fragment,
+      :m => :match,
+      :sport => :source_port,
+      :dport => :destination_port,
+      :sports => :source_ports,
+      :dports => :destination_ports
+    ].freeze
+
+    extend Forwardable
+    attr_reader :chain, :rule, :counters
+    def_delegators :chain, :opts
+
+    def initialize(chain, rule, counters = nil) # rubocop:disable MethodLength
+      @chain, @rule, @counters = chain, rule, counters
+      @parsed = Hashie::Mash.new
+
+      @counters ||= original.counters if original
+      @counters ||= [0, 0] if opts[:counters]
+
+      key = nil
+      Shellwords.shellsplit(rule).each do |word|
+        case word
+        when /^-+(.*)$/
+          self[key] = true if key
+          key = Regexp.last_match[1].gsub('-', '_')
+        else
+          self[key] = word
+          key = nil
+        end
+      end
+    end
+
+    def original
+      chain.original.find { |rule| rule == self } if chain.original
+    end
+
+    def ==(other)
+      other = other.rule if other.respond_to?(:rule)
+      rule == other
+    end
+
+    def [](k)
+      k = k.to_s.sub(/^-+/, '').gsub('-', '_')
+      @parsed[OPTION_SYNONYMS.fetch(k, k)]
+    end
+
+    def proto
+      self[:protocol]
+    end
+
+    def match
+      Array(self[:m])
+    end
+
+    def target
+      self[:jump]
+    end
+
+    def =~(other)
+      rule =~ other
+    end
+
+    def render
+      "#{render_counters}-A #{chain.name} #{rule}"
+    end
+
+    def render_counters
+      "[#{counters.join(':')}] " if counters
+    end
+
+    private
+
+    def []=(k, v)
+      k = OPTION_SYNONYMS.fetch(k, k)
+      if @parsed.key?(k)
+        @parsed[k] = Array(@parsed[k]) << v
+      else
+        @parsed[k] = v
+      end
+    end
+  end
+end

data/lib/ipscriptables/ruleset.rb

@@ -0,0 +1,103 @@
+# -*- coding: utf-8 -*-
+
+require 'diffy'
+
+require 'ipscriptables/helpers'
+require 'ipscriptables/ruleset/class_methods'
+
+module IPScriptables
+  class Ruleset
+    include Helpers
+
+    attr_reader :opts
+    extend Forwardable
+    include Enumerable
+    def_delegators :@tables, :[]=, :[]
+    def_delegators :to_ary, :each
+    def_delegators :opts, :original
+
+    def initialize(opts = {}, &block)
+      @tables = Hashie::Mash.new
+      @opts = Hashie::Mash[opts]
+      dsl_eval(&block) if block_given?
+    end
+
+    def dsl_eval(&block)
+      Docile.dsl_eval(self, &block)
+    end
+
+    def load_file(path)
+      dsl_eval { instance_eval(File.read(path), path) }
+    end
+
+    def respond_to?(meth)
+      super || @opts.respond_to?(meth)
+    end
+
+    def method_missing(meth, *args, &block)
+      if @opts.respond_to?(meth)
+        @opts.send(meth, *args, &block)
+      else
+        super
+      end
+    end
+
+    def bud(opts = {}, &block)
+      opts = opts.merge skip_builtin_chains: true, original: self
+      opts[:family] = self.opts.family if self.opts.family?
+      child = self.class.new(opts)
+      each do |table|
+        child_table = child.table(table.name)
+        table.each do |chain|
+          child_table.chain chain.name, chain.policy, chain.counters
+        end
+      end
+      Docile.dsl_eval(child, &block) if block_given?
+      child
+    end
+
+    def to_ary
+      @tables.values
+    end
+
+    def table(name, &block)
+      if @tables.key?(name)
+        Docile.dsl_eval(@tables[name], &block)
+      else
+        self[name] = Table.new(name, self, &block)
+      end
+    end
+
+    def inherit(table, *names, &block)
+      self[table].inherit(*names, &block)
+    end
+
+    def render
+      map(&:render).join("\n") << "\n"
+    end
+
+    def diff(from = nil)
+      from ||= original
+      fail 'Need something to diff against' unless from
+      Diffy::Diff.new(from.render, render)
+    end
+
+    def restore!
+      IO.popen(restore_command, 'w') do |restore|
+        restore.write(render)
+      end
+      unless $?.success?
+        fail "Failure in #{restore_command.join(' ').inspect}: #{$?}"
+      end
+    end
+
+    def restore_command
+      case opts[:family]
+      when :inet  then %w(iptables-restore  -c)
+      when :inet6 then %w(ip6tables-restore -c)
+      else fail NotImplementedError,
+                "Unsupported family #{opts[:family].inspect}"
+      end
+    end
+  end
+end