ipscriptables 0.0.1
- checksums.yaml +15 -0
- data/.gitignore +17 -0
- data/.rubocop.yml +15 -0
- data/.travis.yml +10 -0
- data/CHANGELOG.md +6 -0
- data/CONTRIBUTING.md +43 -0
- data/Gemfile +13 -0
- data/LICENSE +20 -0
- data/README.md +54 -0
- data/Rakefile +22 -0
- data/bin/ipscriptables +6 -0
- data/cookbook/.gitignore +2 -0
- data/cookbook/.kitchen.yml +28 -0
- data/cookbook/Berksfile +6 -0
- data/cookbook/README.md +53 -0
- data/cookbook/attributes/default.rb +3 -0
- data/cookbook/chefignore +96 -0
- data/cookbook/libraries/default.rb +35 -0
- data/cookbook/metadata.rb +9 -0
- data/cookbook/providers/rules.rb +21 -0
- data/cookbook/recipes/default.rb +10 -0
- data/cookbook/recipes/load.rb +8 -0
- data/cookbook/resources/rules.rb +17 -0
- data/cookbook/test/cookbooks/ipscriptables-test/#metadata.rb# +8 -0
- data/cookbook/test/cookbooks/ipscriptables-test/metadata.rb +11 -0
- data/cookbook/test/cookbooks/ipscriptables-test/recipes/default.rb +23 -0
- data/cookbook/test/cookbooks/ipscriptables-test/recipes/prepare.rb +5 -0
- data/cookbook/test/data/.gitignore +1 -0
- data/cookbook/test/integration/default/bats/default.bats +9 -0
- data/doc/iptables-switches.txt +342 -0
- data/ipscriptables.gemspec +38 -0
- data/lib/ipscriptables.rb +14 -0
- data/lib/ipscriptables/chain.rb +83 -0
- data/lib/ipscriptables/cli.rb +19 -0
- data/lib/ipscriptables/helpers.rb +39 -0
- data/lib/ipscriptables/pretty_print.rb +58 -0
- data/lib/ipscriptables/rule.rb +95 -0
- data/lib/ipscriptables/ruleset.rb +103 -0
- data/lib/ipscriptables/ruleset/class_methods.rb +67 -0
- data/lib/ipscriptables/runtime.rb +97 -0
- data/lib/ipscriptables/table.rb +77 -0
- data/lib/ipscriptables/version.rb +5 -0
- data/spec/fixtures/clyhq.txt +40 -0
- data/spec/fixtures/docker-plus.txt +31 -0
- data/spec/fixtures/drumknott.txt +67 -0
- data/spec/fixtures/falcor.txt +39 -0
- data/spec/fixtures/ghq.txt +102 -0
- data/spec/fixtures/ip6tables-empty.txt +7 -0
- data/spec/fixtures/only-docker-c.txt +23 -0
- data/spec/fixtures/only-docker.txt +23 -0
- data/spec/fixtures/only_docker.rb +22 -0
- data/spec/fixtures/runtime.rb +7 -0
- data/spec/fixtures/runtime2.rb +16 -0
- data/spec/ipscriptables/dsl_spec.rb +74 -0
- data/spec/ipscriptables/helpers_spec.rb +58 -0
- data/spec/ipscriptables/rule_spec.rb +41 -0
- data/spec/ipscriptables/ruleset/class_methods_spec.rb +52 -0
- data/spec/ipscriptables/ruleset_spec.rb +199 -0
- data/spec/ipscriptables/runtime_spec.rb +227 -0
- data/spec/ipscriptables/table_spec.rb +32 -0
- data/spec/ipscriptables/version_spec.rb +12 -0
- data/spec/spec_helper.rb +60 -0
- metadata +350 -0
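--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+metadata.gz: !binary |-
+MTE1NjBhZDBmYmIxNTU5YjdiNjBkNGJmNDBhZWJkODA1ZDBmYmZiYw==
+data.tar.gz: !binary |-
+OGU0OTA1MzA1MDQ3ODhhYzNjZGZlYmFlZDNlMDZhOTFlZjY1NzlkZQ==
+SHA512:
+metadata.gz: !binary |-
+ZTIzOTU5Y2JmZDIwYWRhMzVjZDlhMDFjNDVjMjcwOGJjZjlhZTRkZjRlNGFi
+NGMyMTI2YWNkNmU0OWU0MmZjMDJlYzEyNmYyOWY0MjAzMDNlZTQ0MGY4NmEy
+OGJiMWE1ZmZlMDc2MjcyMDA0ZTRlYTc3MWNiZDk4NmI2MWFkNTY=
+data.tar.gz: !binary |-
+ZWFkOTcwOWEzNGYzMjJjYjNjYjhlYzkzMGI5MjkwZjViMjA3ODI0MjY1YTll
+ZThhMDFhNjQwY2YxOGFkMDc2YWM0YjYwZmNlMGY0ZTU3ZDNhYzc2YWY1N2Nh
+NzJlOTQxM2M3NWU2YjRhYWQwNmI4MTQ3ZmUxZDNkOWRhZjhkOGE=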
data/.gitignore
ADDED
data/.rubocop.yml
ADDED
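--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,10 @@
+bundler_args: --without developer_workstation
+rvm:
+- 1.9.3
+- 2.0.0
+- 2.1.0
+# - jruby-1.7.10
+# - rbx
+notifications:
+hipchat:
+secure: "bds8WNPnAmnj2ommhDk2JNclAY1Ei/bGeWONRhhKNv1zwrqMvZ7B6M5UapEZ\n6K8z70vFMrdIDEJjzuf+ATYS0BVWKnXCYaofiIfJ7V2hiBm7/xNZ15m2bIrM\nQFIMR/Lrkd+wFA0O8z6SaPjvdEgZC6im4zAAuRq7LpH3NTy6qaA="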
data/CHANGELOG.md
ADDED
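--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,43 @@
+# Contributing
+
+## Developing
+
+1. Fork the repository on GitHub
+2. Create your feature branch (`git checkout -b feature/awesomeness`)
+3. Create your changes.
+* Add test cases in `spec/`. It's best if you first write a failing
+test case, commit it, and then fix it in next commit - this makes
+the whole change easier to review.
+* Document your changes.
+4. Commit your changes (`git commit -am 'Add more awesomeness'`)
+5. Push to the branch (`git push -u origin feature/awesomeness`)
+6. Create new Pull Request on GitHub
+
+## Testing
+
+### Install what's needed
+
+Make sure you have [http://gembundler.com/](Gem Bundler) version 1.3
+or greater installed. If in doubt, just use [http://rvm.io/](RVM) or
+[http://rbenv.org/](rbenv).
+
+$ gem install bundler
+
+Clone the project:
+
+$ git clone git://github.com/3ofcoins/ipscriptables.git
+
+Then, run:
+
+$ cd ipscriptables
+$ bundle install
+
+Bundler will install all the needed gems and their dependencies.
+
+### Running tests
+
+$ bundle exec thor spec
+
+To generate test coverage report, tell it to Thor
+
+$ bundle exec thor spec --coverage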
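--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# Helpers used with development, but not needed in runtime, build
+# time, or for tests.
+group :developer_workstation do
+gem 'awesome_print'
+gem 'pry'
+gem 'pry-debugger'
+gem 'pry-rescue'
+gem 'pry-stack_explorer'
+end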
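--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,20 @@
+Copyright (C) 2014 Maciej Pasternacki <maciej@3ofcoins.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.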
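--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,54 @@
+# Ipscriptables
+
+Ruby-driven IPTables
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+gem 'ipscriptables'
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install ipscriptables
+
+## Usage
+
+TODO: write real instructions.
+
+Write a script a bit like this (ip6tables work too):
+
+```ruby
+family :inet do
+table :nat do
+inherit(:DOCKER)
+inherit(:PREROUTING, :OUTPUT) { |rule| rule.target == 'DOCKER' }
+inherit(:POSTROUTING) { |rule| rule.target == 'MASQUERADE' }
+end
+
+table :filter do
+inherit(:INPUT) { |rule| rule.target == 'FWR' || rule.target == 'LXC' }
+inherit(:FORWARD) { |rule| rule[:i] == 'docker0' || rule[:o] == 'docker0' }
+inherit(:LXC)
+chain :FWR do
+rule :i => ['lo', 'docker0'], :j => 'ACCEPT'
+rule '-m state --state RELATED,ESTABLISHED -j ACCEPT'
+rule '-p icmp -j ACCEPT'
+rule '-p tcp -m tcp --dport', [22, 80, 443], '-j ACCEPT'
+rule '-p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable'
+rule '-p udp -j REJECT --reject-with icmp-port-unreachable'
+end
+end
+end
+```
+
+Run `ipscriptables path/to/script.rb`, review diff, run `ipscriptables
+--apply path/to/script.rb`.
+
+## Contributing
+
+See the [CONTRIBUTING.md](CONTRIBUTING.md) file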
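--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+require 'rubygems'
+require 'bundler/setup'
+require 'rake/testtask'
+require 'rubocop/rake_task'
+
+namespace(:gem) { Bundler::GemHelper.install_tasks }
+
+Rake::TestTask.new :spec do |task|
+task.libs << 'spec'
+task.options = '--verbose' if ENV['VERBOSE']
+task.test_files = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Run Rubocop'
+Rubocop::RakeTask.new(:rubocop) do |t|
+t.fail_on_error = true
+t.patterns = %w(Rakefile bin/* lib/**/*.rb spec/**/*.rb)
+end
+
+task :default => [:rubocop, :spec]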
data/bin/ipscriptables
ADDED
data/cookbook/.gitignore
ADDED
@@ -0,0 +1,28 @@
|
|
1
|
+
---
|
2
|
+
driver:
|
3
|
+
name: vagrant
|
4
|
+
pre_create_command: |
|
5
|
+
set -e -x
|
6
|
+
dir=`pwd`/test/data
|
7
|
+
rm -fv $dir/*.gem
|
8
|
+
cd ..
|
9
|
+
gem build ipscriptables.gemspec
|
10
|
+
mv -v ipscriptables-*.gem $dir
|
11
|
+
|
12
|
+
provisioner:
|
13
|
+
name: chef_solo
|
14
|
+
data_path: test/data
|
15
|
+
|
16
|
+
platforms:
|
17
|
+
- name: ubuntu-12.04
|
18
|
+
driver_config:
|
19
|
+
box: opscode_ubuntu-12.04_provisionerless
|
20
|
+
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
|
21
|
+
|
22
|
+
suites:
|
23
|
+
- name: default
|
24
|
+
run_list:
|
25
|
+
- recipe[ipscriptables-test]
|
26
|
+
attributes:
|
27
|
+
ipscriptables:
|
28
|
+
version: null
|
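Review bot: The `pre_create_command` shell snippet (lines 4–10 of this hunk) expands `$dir` unquoted in `rm -fv $dir/*.gem` and `mv -v ipscriptables-*.gem $dir`, so a checkout path containing whitespace or glob characters is split into several arguments and the forced `rm` then operates on paths other than the intended one. Quote the expansions, `rm -fv "$dir"/*.gem` and `mv -v ipscriptables-*.gem "$dir"`, and prefer `dir=$(pwd)/test/data` over backticks for the same reason. Separately, this 28-line hunk is shown under the `data/cookbook/.gitignore` header, but its size and content match the `data/cookbook/.kitchen.yml` entry in the file list above; the rendering appears to have dropped a file header.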
data/cookbook/Berksfile
ADDED
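--- a/data/cookbook/README.md
+++ b/data/cookbook/README.md
@@ -0,0 +1,53 @@
+The IPScriptables Cookbook
+==========================
+
+This cookbook installs
+[IPScriptables](https://github.com/3ofcoins/ipscriptables/) as a Chef
+gem and adds an `ipscriptables` call to recipe DSL to easily configure
+your firewall.
+
+Usage
+-----
+
+Add `ipscriptables` cookbook to your cookbook's dependencies (or
+`recipe[ipscriptables::load]`, or (currently empty)
+`recipe[ipscriptables]` to your run list). Then, in recipe code, you
+can use following call:
+
+```ruby
+ipscriptables do
+# …IPScriptables DSL…
+end
+```
+
+If you need low-level access to an underlying resource, you can call
+it directly and add some layers of syntactic cruft:
+
+```ruby
+ipscriptables_rules "useless name" do
+rules do
+# …IPScriptables DSL…
+end
+end
+```
+
+The LWRP does not execute the rules as it goes, but evaluates them at
+converge time in a single IPScriptables runtime (like one
+IPScriptables CLI call evaluating multiple files). It installs
+a report handler that, at the end of a successful Chef run, applies
+the rules (in whyrun mode it's a dry run).
+
+Attributes
+----------
+
+- `node['ipscriptables']['gem_version']` (default: `"latest"`) --
+version of the IPScriptables gem to install. If left as *latest*,
+the gem is upgraded to newest available version (`:upgrade`
+action). If set to `nil` or `false`, the gem is `:install`ed at
+newest version, but not upgraded if it has already been installed.
+
+Outstanding Issues
+------------------
+
+- [ ] The cookbook should install init script and save rules to be
+applied on reboot.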
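--- a/data/cookbook/chefignore
+++ b/data/cookbook/chefignore
@@ -0,0 +1,96 @@
+# Put files/directories that should be ignored in this file when uploading
+# or sharing to the community site.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+Guardfile
+Procfile
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Cookbooks #
+#############
+CONTRIBUTING
+CHANGELOG*
+
+# Strainer #
+############
+Colanderfile
+Strainerfile
+.colander
+.strainer
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
+
+# Travis #
+##########
+.travis.yml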
@@ -0,0 +1,35 @@
|
|
1
|
+
# -*- coding: utf-8 -*-
|
2
|
+
|
3
|
+
module IPScriptables
|
4
|
+
class ChefHandler < Chef::Handler
|
5
|
+
def report
|
6
|
+
runtime.execute! if runtime
|
7
|
+
end
|
8
|
+
|
9
|
+
private
|
10
|
+
|
11
|
+
def runtime
|
12
|
+
node.run_state['ipscriptables_runtime']
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
16
|
+
module ChefRecipeDSL
|
17
|
+
def ipscriptables(name = nil, &block)
|
18
|
+
name ||= "#{cookbook_name}::#{recipe_name}::#{_ipscriptables_counter}"
|
19
|
+
ipscriptables_rules(name) { rules(&block) }
|
20
|
+
end
|
21
|
+
|
22
|
+
private
|
23
|
+
|
24
|
+
def _ipscriptables_counter
|
25
|
+
@ipscriptables_counter ||= 0
|
26
|
+
@ipscriptables_counter += 1
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
class Chef
|
32
|
+
class Recipe
|
33
|
+
include IPScriptables::ChefRecipeDSL
|
34
|
+
end
|
35
|
+
end
|
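Review bot: `ChefHandler#report` (line 6 of this hunk) applies the firewall ruleset whenever a runtime is stashed in `node.run_state`, without checking the outcome of the Chef run; the cookbook README on this page says rules are applied at the end of a *successful* run, but that guarantee depends entirely on how the handler is registered, which is not in this hunk. `Chef::Handler` already exposes `success?`, so guarding with `return unless success?` before `runtime.execute! if runtime` keeps the handler safe even if it is later wired as an exception handler, and a run that aborted partway through its `ipscriptables` resources cannot push a partial ruleset. A short comment on `runtime`, `# set by the ipscriptables_rules provider; nil when no rules were declared in this run`, would also make the `if runtime` guard self-explanatory — hedged, since the provider is not visible here. Finally, `ChefRecipeDSL` is mixed into `Chef::Recipe` directly (lines 31–35); on Chef 11 and later, including it into `Chef::DSL::Recipe` instead would make the `ipscriptables` call available in providers and `ruby_block`s too — worth confirming against the supported Chef versions. The rendered page drops the file header for this hunk; by size it appears to be `data/cookbook/libraries/default.rb` from the file list.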