ipscriptables 0.0.1

data/spec/fixtures/ip6tables-empty.txt

@@ -0,0 +1,7 @@
+# Generated by ip6tables-save v1.4.12 on Thu Feb 20 14:32:49 2014
+*filter
+:INPUT ACCEPT [128:11760]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [75:12168]
+COMMIT
+# Completed on Thu Feb 20 14:32:49 2014

data/spec/fixtures/only-docker-c.txt

@@ -0,0 +1,23 @@
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*filter
+:INPUT ACCEPT [211:14626]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [122:11280]
+[1:2] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+[1:2] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+[1:2] -A FORWARD -i docker0 -o docker0 -j ACCEPT
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*nat
+:PREROUTING ACCEPT [5:1208]
+:INPUT ACCEPT [5:1208]
+:OUTPUT ACCEPT [42:3215]
+:POSTROUTING ACCEPT [42:3215]
+:DOCKER - [0:0]
+[1:2] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+[1:2] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+[1:2] -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+[1:2] -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014

data/spec/fixtures/only-docker.txt

@@ -0,0 +1,23 @@
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*filter
+:INPUT ACCEPT [211:14626]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [122:11280]
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*nat
+:PREROUTING ACCEPT [5:1208]
+:INPUT ACCEPT [5:1208]
+:OUTPUT ACCEPT [42:3215]
+:POSTROUTING ACCEPT [42:3215]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014

data/spec/fixtures/only_docker.rb

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+table :filter do
+  chain :FORWARD do
+    rule '-o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
+    rule '-i docker0 ! -o docker0 -j ACCEPT'
+    rule '-i docker0 -o docker0 -j ACCEPT'
+  end
+end
+
+table :nat do
+  chain :PREROUTING do
+    rule '-m addrtype --dst-type LOCAL -j DOCKER'
+  end
+  chain :OUTPUT do
+    rule '! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'
+  end
+  chain :POSTROUTING do
+    rule '-s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'
+    rule '-s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE'
+  end
+end

data/spec/fixtures/runtime.rb

@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+
+iptables do
+  table :filter do
+    inherit(:FORWARD) { |rule| rule[:i] == 'docker0' || rule[:o] == 'docker0' }
+  end
+end

data/spec/fixtures/runtime2.rb

@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+
+iptables do
+  table :nat do
+    chain :PREROUTING do
+      rule '-m addrtype --dst-type LOCAL -j DOCKER'
+    end
+    chain :OUTPUT do
+      rule '! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'
+    end
+    chain :POSTROUTING do
+      rule '-s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'
+      rule '-s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE'
+    end
+  end
+end

data/spec/ipscriptables/dsl_spec.rb

@@ -0,0 +1,74 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+module IPScriptables
+  describe 'Chain#rule' do
+    THREE_PORTS_RULES = <<EOF
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+EOF
+
+    def expect_three_ports_from(&block)
+      rs = Ruleset.new do
+        table :filter do
+          chain :INPUT do
+            instance_eval(&block)
+            rule '-j REJECT --reject-with icmp-port-unreachable'
+          end
+        end
+      end
+      expect { rs.render == THREE_PORTS_RULES }
+    end
+
+    it 'allows to describe rulesets' do
+      expect_three_ports_from do
+        rule '-p tcp -m tcp --dport 22 -j ACCEPT'
+        rule '-p tcp -m tcp --dport 80 -j ACCEPT'
+        rule '-p tcp -m tcp --dport 443 -j ACCEPT'
+      end
+    end
+
+    it 'Allows nesting for DRY' do
+      expect_three_ports_from do
+        rule '-p tcp -m tcp' do
+          rule '--dport 22 -j ACCEPT'
+          rule '--dport 80 -j ACCEPT'
+          rule '--dport 443 -j ACCEPT'
+        end
+      end
+    end
+
+    it 'accepts iterable of elements for iteration' do
+      expect_three_ports_from do
+        rule [
+          '-p tcp -m tcp --dport 22 -j ACCEPT',
+          '-p tcp -m tcp --dport 80 -j ACCEPT',
+          '-p tcp -m tcp --dport 443 -j ACCEPT'
+        ]
+      end
+    end
+
+    it 'accepts multiple of arguments and processes them as if nested' do
+      expect_three_ports_from do
+        rule '-p tcp -m tcp --dport', [22, 80, 443], '-j ACCEPT'
+      end
+    end
+
+    it 'understands parameters provided as hashes' do
+      expect_three_ports_from do
+        rule p: :tcp, m: :tcp, dport: [22, 80, 443], j: :ACCEPT
+      end
+
+      expect_three_ports_from do
+        rule '-p' => :tcp, '-m' => :tcp, '--dport' => [22, 80, 443], '-j' => :ACCEPT # rubocop:disable LineLength
+      end
+    end
+  end
+end

data/spec/ipscriptables/helpers_spec.rb

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+module IPScriptables
+  describe 'Helpers.run_command' do
+    def mock_status(success = true)
+      rv = mock('Process::Status')
+      rv.expects(:success?).at_least(0).returns(success)
+      rv
+    end
+
+    it 'runs external command and returns its stdout' do
+      Helpers.expects('systemu').with(%w(echo foo))
+        .returns([mock_status, "foo\n", ''])
+      expect { Helpers.run_command('echo', 'foo') == "foo\n" }
+    end
+
+    it 'raises RuntimError on failure status' do
+      Helpers.expects('systemu').with(%w(false))
+        .returns([mock_status(false), '', ''])
+      expect { rescuing { Helpers.run_command('false') }.is_a?(RuntimeError) }
+    end
+
+    it 'prints command\'s stderr on stderr' do
+      Helpers.expects('systemu').with(%w(cmd))
+        .returns([mock_status, "bar\n", "foo\n"])
+      out, err = capture_io { @res = Helpers.run_command('cmd') }
+      expect { out == '' }
+      expect { err == "cmd: foo\n" }
+      expect { @res == "bar\n" }
+    end
+
+    it 'prints stdout on stderr in case of failure' do
+      Helpers.expects('systemu').with(%w(cmd))
+        .returns([mock_status(false), "foo\n", ''])
+      out, err = capture_io do
+        @rescued = rescuing { Helpers.run_command('cmd') }
+      end
+      expect { out == '' }
+      expect { err == "cmd: foo\n" }
+      expect { @rescued.is_a?(RuntimeError) }
+    end
+  end
+
+  describe 'Helpers.ohai' do
+    before { fauxhai! }
+
+    it 'returns a configured instance of Ohai' do
+      expect { Helpers.ohai['hostname'] == 'Fauxhai' }
+    end
+
+    it 'caches the ohai instance for better performance' do
+      ohai1 = Helpers.ohai
+      ohai2 = Helpers.ohai
+      expect { ohai1.object_id == ohai2.object_id }
+    end
+  end
+end

data/spec/ipscriptables/rule_spec.rb

@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+module IPScriptables
+  describe 'Rule' do
+    let(:chain) do
+      ch = mock(Chain.name)
+      ch.expects(:original).at_least_once.returns(nil)
+      ch.expects(:opts).at_least(0).returns({})
+      ch
+    end
+
+    let(:rule) do
+      Rule.new(chain, '-s 1.1.1.1/32 -p tcp -m tcp -m multiport --dports 4949,5666 -j ACCEPT') # rubocop:disable LineLength
+    end
+
+    it 'allows accessing individual switches by dict access' do
+      expect { rule['--dports'] == '4949,5666' }
+      expect { rule['dports'] == '4949,5666' }
+      expect { rule[:dports] == '4949,5666' }
+      expect { rule[:destination_ports] == '4949,5666' }
+      expect { rule[:j] == 'ACCEPT' }
+      expect { rule[:jump] == 'ACCEPT' }
+    end
+
+    it 'rolls multiple options into arrays' do
+      expect { rule[:m] == %w(tcp multiport) }
+    end
+
+    it 'has convenience aliases' do
+      expect { rule.match == %w(tcp multiport) }
+      expect { rule.proto == 'tcp' }
+      expect { rule.target == 'ACCEPT' }
+    end
+
+    it 'can be also matched by regexp' do
+      expect { rule =~ /multiport/ }
+      deny   { rule =~ /udp/ }
+    end
+  end
+end

data/spec/ipscriptables/ruleset/class_methods_spec.rb

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+require 'spec_helper'
+
+module IPScriptables
+  describe 'Ruleset.from_file, .from_s' do
+    Dir[fixture('**/*.txt')].each do |fixture|
+      it "parses #{File.basename(fixture)} and renders it back" do
+        fixture_text = File.open(fixture).lines.grep(/^[^#]/).join
+        expect { Ruleset.from_file(fixture).render == fixture_text }
+        expect { Ruleset.from_s(File.read(fixture)).render == fixture_text }
+      end
+    end
+
+    it 'fails on invalid input' do
+      expect { rescuing { Ruleset.from_s('Invalid!') }.is_a?(RuntimeError) }
+    end
+  end
+
+  describe 'Ruleset.from_command' do
+    let(:fixture_content) { File.read(fixture('ghq.txt')) }
+    let(:fixture_text) { fixture_content.lines.grep(/^[^#]/).join }
+
+    it 'executes external command and parses its output as ruleset' do
+      Helpers.expects(:run_command)
+        .with('a', 'command', 'with', 'arguments')
+        .returns(fixture_content)
+      rs = Ruleset.from_command('a', 'command', 'with', 'arguments')
+      expect { rs.render == fixture_text }
+      expect { rs.command == %w(a command with arguments) }
+    end
+
+    it 'has a convenience alias .from_iptables' do
+      Helpers.expects(:run_command)
+        .with('iptables-save', '-c')
+        .returns(fixture_content)
+      rs = Ruleset.from_iptables
+      expect { rs.render == fixture_text }
+      expect { rs.command == %w(iptables-save -c) }
+      expect { rs.family == :inet }
+    end
+
+    it 'has a convenience alias .from_ip6tables' do
+      Helpers.expects(:run_command)
+        .with('ip6tables-save', '-c')
+        .returns(fixture_content)
+      rs = Ruleset.from_ip6tables
+      expect { rs.render == fixture_text }
+      expect { rs.command == %w(ip6tables-save -c) }
+      expect { rs.family == :inet6 }
+    end
+  end
+end

data/spec/ipscriptables/ruleset_spec.rb

@@ -0,0 +1,199 @@
+# -*- coding: utf-8 -*-
+# rubocop:disable LineLength
+require 'spec_helper'
+
+module IPScriptables
+  describe 'Ruleset#method_missing' do
+    let(:rs) { Ruleset.new(foo: 23) }
+    it 'forwards calls to ruleset\'s options' do
+      expect { rs.foo == 23 }
+      expect { rs.respond_to? :foo }
+    end
+
+    it 'rejects methods that are not in options' do
+      expect { rescuing { rs.bar }.is_a?(NoMethodError) }
+      deny   { rs.respond_to? :bar }
+    end
+  end
+
+  describe 'Ruleset#bud' do
+    let(:drumknott) { Ruleset.from_file(fixture('drumknott.txt')) }
+    let(:ghq)       { Ruleset.from_file(fixture('ghq.txt')) }
+
+    it 'creates a child ruleset with identical tables and chains, but no rules' do
+      expected_rules = <<-EOF
+*mangle
+:PREROUTING ACCEPT [9070264:2761485141]
+:INPUT ACCEPT [5794:541194]
+:FORWARD ACCEPT [9064470:2760943947]
+:OUTPUT ACCEPT [4447:1027385]
+:POSTROUTING ACCEPT [9068917:2761971332]
+COMMIT
+*nat
+:PREROUTING ACCEPT [936831:58138468]
+:INPUT ACCEPT [383149:28442596]
+:OUTPUT ACCEPT [188115:19311882]
+:POSTROUTING ACCEPT [88176135:5298607741]
+:DOCKER - [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [419:18560]
+:FORWARD ACCEPT [5802508472:1613710597740]
+:OUTPUT ACCEPT [2072879:485657573]
+:FWR - [0:0]
+COMMIT
+        EOF
+      child = drumknott.bud
+      expect { child.render == expected_rules }
+      expect { child.original == drumknott }
+    end
+
+    it 'allows chain inheritance' do
+      child = drumknott.bud do
+        inherit :nat, :DOCKER
+      end
+      expected_rules = <<-EOF
+*mangle
+:PREROUTING ACCEPT [9070264:2761485141]
+:INPUT ACCEPT [5794:541194]
+:FORWARD ACCEPT [9064470:2760943947]
+:OUTPUT ACCEPT [4447:1027385]
+:POSTROUTING ACCEPT [9068917:2761971332]
+COMMIT
+*nat
+:PREROUTING ACCEPT [936831:58138468]
+:INPUT ACCEPT [383149:28442596]
+:OUTPUT ACCEPT [188115:19311882]
+:POSTROUTING ACCEPT [88176135:5298607741]
+:DOCKER - [0:0]
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.2:6379
+COMMIT
+*filter
+:INPUT ACCEPT [419:18560]
+:FORWARD ACCEPT [5802508472:1613710597740]
+:OUTPUT ACCEPT [2072879:485657573]
+:FWR - [0:0]
+COMMIT
+        EOF
+      expect { child.render == expected_rules }
+    end
+
+    it 'allows filtering inherited chains' do
+      child = drumknott.bud do
+        inherit(:filter, :FWR) { |rule| !rule[:source] }
+      end
+      expected_rules = <<-EOF
+*mangle
+:PREROUTING ACCEPT [9070264:2761485141]
+:INPUT ACCEPT [5794:541194]
+:FORWARD ACCEPT [9064470:2760943947]
+:OUTPUT ACCEPT [4447:1027385]
+:POSTROUTING ACCEPT [9068917:2761971332]
+COMMIT
+*nat
+:PREROUTING ACCEPT [936831:58138468]
+:INPUT ACCEPT [383149:28442596]
+:OUTPUT ACCEPT [188115:19311882]
+:POSTROUTING ACCEPT [88176135:5298607741]
+:DOCKER - [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [419:18560]
+:FORWARD ACCEPT [5802508472:1613710597740]
+:OUTPUT ACCEPT [2072879:485657573]
+:FWR - [0:0]
+-A FWR -i lo -j ACCEPT
+-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FWR -p icmp -j ACCEPT
+-A FWR -i docker+ -j ACCEPT
+-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
+-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
+-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+        EOF
+      expect { child.render == expected_rules }
+      expect { drumknott.render =~ /^-A FWR -s 1\.1\.1\.1/ }
+    end
+
+    it 'copies original\'s chain with counters' do
+      child = ghq.bud do
+        inherit(:nat, :DOCKER)
+        table :filter do
+          chain :INPUT do
+            rule '-j FWR'
+          end
+          chain :FWR do
+            rule '-i lo -j ACCEPT'
+          end
+        end
+      end
+
+      expected_rules = <<-EOF
+*nat
+:PREROUTING ACCEPT [732601:44001989]
+:INPUT ACCEPT [376018:22538408]
+:OUTPUT ACCEPT [3131507:229597576]
+:POSTROUTING ACCEPT [20476198:1943580383]
+:DOCKER - [0:0]
+[2:120] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2003 -j DNAT --to-destination 172.17.0.4:2003
+[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2004 -j DNAT --to-destination 172.17.0.4:2004
+[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 49153 -j DNAT --to-destination 172.17.0.8:9000
+[95:5580] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.5:5000
+[0:0] -A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 49154 -j DNAT --to-destination 172.17.0.9:8080
+[17011603:1693997647] -A DOCKER ! -i docker0 -p udp -m udp --dport 8125 -j DNAT --to-destination 172.17.0.10:8125
+[0:0] -A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 49155 -j DNAT --to-destination 172.17.0.10:8126
+COMMIT
+*filter
+:INPUT ACCEPT [1602:65593]
+:FORWARD ACCEPT [79892700:14079015733]
+:OUTPUT ACCEPT [173177551:46244981637]
+:FWR - [0:0]
+[162824485:36484450187] -A INPUT -j FWR
+[104747465:21902005069] -A FWR -i lo -j ACCEPT
+COMMIT
+      EOF
+
+      expect { child.render == expected_rules }
+    end
+  end
+
+  describe 'Ruleset#diff' do
+    it 'returns a Diffy::Diff from the original ruleset' do
+      child = Ruleset.from_file(fixture('only-docker.txt')).bud
+
+      expect { child.diff.to_s.each_line.grep(/^\S/).length == 7 }
+
+      child.dsl_eval do
+        inherit :filter, :FORWARD
+      end
+
+      expect { child.diff.to_s.each_line.grep(/^\S/).length == 4 }
+
+      child.dsl_eval do
+        table :nat do
+          chain :PREROUTING do
+            rule '-m addrtype --dst-type LOCAL -j DOCKER'
+          end
+          chain :OUTPUT do
+            rule '! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'
+          end
+          chain :POSTROUTING do
+            rule '-s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE'
+            rule '-s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE'
+          end
+        end
+      end
+
+      expect { child.diff.to_s.empty? }
+    end
+  end
+
+  describe 'Ruleset#load_file' do
+    it 'Loads a ruleset from file' do
+      child = Ruleset.from_file(fixture('only-docker.txt')).bud
+      deny { child.diff.to_s.empty? }
+      child.load_file fixture('only_docker.rb')
+      expect { child.diff.to_s.empty? }
+    end
+  end
+end