ipscriptables 0.0.1

Files changed (63) hide show
  1. checksums.yaml +15 -0
  2. data/.gitignore +17 -0
  3. data/.rubocop.yml +15 -0
  4. data/.travis.yml +10 -0
  5. data/CHANGELOG.md +6 -0
  6. data/CONTRIBUTING.md +43 -0
  7. data/Gemfile +13 -0
  8. data/LICENSE +20 -0
  9. data/README.md +54 -0
  10. data/Rakefile +22 -0
  11. data/bin/ipscriptables +6 -0
  12. data/cookbook/.gitignore +2 -0
  13. data/cookbook/.kitchen.yml +28 -0
  14. data/cookbook/Berksfile +6 -0
  15. data/cookbook/README.md +53 -0
  16. data/cookbook/attributes/default.rb +3 -0
  17. data/cookbook/chefignore +96 -0
  18. data/cookbook/libraries/default.rb +35 -0
  19. data/cookbook/metadata.rb +9 -0
  20. data/cookbook/providers/rules.rb +21 -0
  21. data/cookbook/recipes/default.rb +10 -0
  22. data/cookbook/recipes/load.rb +8 -0
  23. data/cookbook/resources/rules.rb +17 -0
  24. data/cookbook/test/cookbooks/ipscriptables-test/#metadata.rb# +8 -0
  25. data/cookbook/test/cookbooks/ipscriptables-test/metadata.rb +11 -0
  26. data/cookbook/test/cookbooks/ipscriptables-test/recipes/default.rb +23 -0
  27. data/cookbook/test/cookbooks/ipscriptables-test/recipes/prepare.rb +5 -0
  28. data/cookbook/test/data/.gitignore +1 -0
  29. data/cookbook/test/integration/default/bats/default.bats +9 -0
  30. data/doc/iptables-switches.txt +342 -0
  31. data/ipscriptables.gemspec +38 -0
  32. data/lib/ipscriptables.rb +14 -0
  33. data/lib/ipscriptables/chain.rb +83 -0
  34. data/lib/ipscriptables/cli.rb +19 -0
  35. data/lib/ipscriptables/helpers.rb +39 -0
  36. data/lib/ipscriptables/pretty_print.rb +58 -0
  37. data/lib/ipscriptables/rule.rb +95 -0
  38. data/lib/ipscriptables/ruleset.rb +103 -0
  39. data/lib/ipscriptables/ruleset/class_methods.rb +67 -0
  40. data/lib/ipscriptables/runtime.rb +97 -0
  41. data/lib/ipscriptables/table.rb +77 -0
  42. data/lib/ipscriptables/version.rb +5 -0
  43. data/spec/fixtures/clyhq.txt +40 -0
  44. data/spec/fixtures/docker-plus.txt +31 -0
  45. data/spec/fixtures/drumknott.txt +67 -0
  46. data/spec/fixtures/falcor.txt +39 -0
  47. data/spec/fixtures/ghq.txt +102 -0
  48. data/spec/fixtures/ip6tables-empty.txt +7 -0
  49. data/spec/fixtures/only-docker-c.txt +23 -0
  50. data/spec/fixtures/only-docker.txt +23 -0
  51. data/spec/fixtures/only_docker.rb +22 -0
  52. data/spec/fixtures/runtime.rb +7 -0
  53. data/spec/fixtures/runtime2.rb +16 -0
  54. data/spec/ipscriptables/dsl_spec.rb +74 -0
  55. data/spec/ipscriptables/helpers_spec.rb +58 -0
  56. data/spec/ipscriptables/rule_spec.rb +41 -0
  57. data/spec/ipscriptables/ruleset/class_methods_spec.rb +52 -0
  58. data/spec/ipscriptables/ruleset_spec.rb +199 -0
  59. data/spec/ipscriptables/runtime_spec.rb +227 -0
  60. data/spec/ipscriptables/table_spec.rb +32 -0
  61. data/spec/ipscriptables/version_spec.rb +12 -0
  62. data/spec/spec_helper.rb +60 -0
  63. metadata +350 -0
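--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+metadata.gz: !binary |-
+MTE1NjBhZDBmYmIxNTU5YjdiNjBkNGJmNDBhZWJkODA1ZDBmYmZiYw==
+data.tar.gz: !binary |-
+OGU0OTA1MzA1MDQ3ODhhYzNjZGZlYmFlZDNlMDZhOTFlZjY1NzlkZQ==
+SHA512:
+metadata.gz: !binary |-
+ZTIzOTU5Y2JmZDIwYWRhMzVjZDlhMDFjNDVjMjcwOGJjZjlhZTRkZjRlNGFi
+NGMyMTI2YWNkNmU0OWU0MmZjMDJlYzEyNmYyOWY0MjAzMDNlZTQ0MGY4NmEy
+OGJiMWE1ZmZlMDc2MjcyMDA0ZTRlYTc3MWNiZDk4NmI2MWFkNTY=
+data.tar.gz: !binary |-
+ZWFkOTcwOWEzNGYzMjJjYjNjYjhlYzkzMGI5MjkwZjViMjA3ODI0MjY1YTll
+ZThhMDFhNjQwY2YxOGFkMDc2YWM0YjYwZmNlMGY0ZTU3ZDNhYzc2YWY1N2Nh
+NzJlOTQxM2M3NWU2YjRhYWQwNmI4MTQ3ZmUxZDNkOWRhZjhkOGE=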
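--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+*~
+.*.swp
+.DS_Store
+/.bundle
+/.config
+/.yardoc
+/Gemfile.lock
+/InstalledFiles
+/coverage
+/doc/public
+/lib/bundler/man
+/pkg
+/spec/reports
+/tmp
+/vendor/cache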
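--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -0,0 +1,15 @@
+AllCops:
+Exclude:
+- tmp/**
+
+PerlBackrefs:
+Enabled: false
+
+SpecialGlobalVars:
+Enabled: false
+
+Documentation:
+Enabled: false
+
+HashSyntax:
+Enabled: false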
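--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,10 @@
+bundler_args: --without developer_workstation
+rvm:
+- 1.9.3
+- 2.0.0
+- 2.1.0
+# - jruby-1.7.10
+# - rbx
+notifications:
+hipchat:
+secure: "bds8WNPnAmnj2ommhDk2JNclAY1Ei/bGeWONRhhKNv1zwrqMvZ7B6M5UapEZ\n6K8z70vFMrdIDEJjzuf+ATYS0BVWKnXCYaofiIfJ7V2hiBm7/xNZ15m2bIrM\nQFIMR/Lrkd+wFA0O8z6SaPjvdEgZC6im4zAAuRq7LpH3NTy6qaA="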
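--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,6 @@
+# Changes
+
+## 0.0.1
+
+* Initial release
+* Created on Tuesday, 2014-02-18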
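--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,43 @@
+# Contributing
+
+## Developing
+
+1. Fork the repository on GitHub
+2. Create your feature branch (`git checkout -b feature/awesomeness`)
+3. Create your changes.
+* Add test cases in `spec/`. It's best if you first write a failing
+test case, commit it, and then fix it in next commit - this makes
+the whole change easier to review.
+* Document your changes.
+4. Commit your changes (`git commit -am 'Add more awesomeness'`)
+5. Push to the branch (`git push -u origin feature/awesomeness`)
+6. Create new Pull Request on GitHub
+
+## Testing
+
+### Install what's needed
+
+Make sure you have [http://gembundler.com/](Gem Bundler) version 1.3
+or greater installed. If in doubt, just use [http://rvm.io/](RVM) or
+[http://rbenv.org/](rbenv).
+
+$ gem install bundler
+
+Clone the project:
+
+$ git clone git://github.com/3ofcoins/ipscriptables.git
+
+Then, run:
+
+$ cd ipscriptables
+$ bundle install
+
+Bundler will install all the needed gems and their dependencies.
+
+### Running tests
+
+$ bundle exec thor spec
+
+To generate test coverage report, tell it to Thor
+
+$ bundle exec thor spec --coverage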
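--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# Helpers used with development, but not needed in runtime, build
+# time, or for tests.
+group :developer_workstation do
+gem 'awesome_print'
+gem 'pry'
+gem 'pry-debugger'
+gem 'pry-rescue'
+gem 'pry-stack_explorer'
+end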
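--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,20 @@
+Copyright (C) 2014 Maciej Pasternacki <maciej@3ofcoins.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.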
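--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,54 @@
+# Ipscriptables
+
+Ruby-driven IPTables
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+gem 'ipscriptables'
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install ipscriptables
+
+## Usage
+
+TODO: write real instructions.
+
+Write a script a bit like this (ip6tables work too):
+
+```ruby
+family :inet do
+table :nat do
+inherit(:DOCKER)
+inherit(:PREROUTING, :OUTPUT) { |rule| rule.target == 'DOCKER' }
+inherit(:POSTROUTING) { |rule| rule.target == 'MASQUERADE' }
+end
+
+table :filter do
+inherit(:INPUT) { |rule| rule.target == 'FWR' || rule.target == 'LXC' }
+inherit(:FORWARD) { |rule| rule[:i] == 'docker0' || rule[:o] == 'docker0' }
+inherit(:LXC)
+chain :FWR do
+rule :i => ['lo', 'docker0'], :j => 'ACCEPT'
+rule '-m state --state RELATED,ESTABLISHED -j ACCEPT'
+rule '-p icmp -j ACCEPT'
+rule '-p tcp -m tcp --dport', [22, 80, 443], '-j ACCEPT'
+rule '-p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable'
+rule '-p udp -j REJECT --reject-with icmp-port-unreachable'
+end
+end
+end
+```
+
+Run `ipscriptables path/to/script.rb`, review diff, run `ipscriptables
+--apply path/to/script.rb`.
+
+## Contributing
+
+See the [CONTRIBUTING.md](CONTRIBUTING.md) file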
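--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+require 'rubygems'
+require 'bundler/setup'
+require 'rake/testtask'
+require 'rubocop/rake_task'
+
+namespace(:gem) { Bundler::GemHelper.install_tasks }
+
+Rake::TestTask.new :spec do |task|
+task.libs << 'spec'
+task.options = '--verbose' if ENV['VERBOSE']
+task.test_files = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Run Rubocop'
+Rubocop::RakeTask.new(:rubocop) do |t|
+t.fail_on_error = true
+t.patterns = %w(Rakefile bin/* lib/**/*.rb spec/**/*.rb)
+end
+
+task :default => [:rubocop, :spec]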
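--- a/data/bin/ipscriptables
+++ b/data/bin/ipscriptables
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# -*- coding: utf-8 -*-
+require 'rubygems'
+require 'ipscriptables/cli'
+
+exit IPScriptables::CLI.run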
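--- a/data/cookbook/.gitignore
+++ b/data/cookbook/.gitignore
@@ -0,0 +1,2 @@
+/.kitchen
+/Berksfile.lock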
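--- a/data/cookbook/.kitchen.yml
+++ b/data/cookbook/.kitchen.yml
@@ -0,0 +1,28 @@
+---
+driver:
+name: vagrant
+pre_create_command: |
+set -e -x
+dir=`pwd`/test/data
+rm -fv $dir/*.gem
+cd ..
+gem build ipscriptables.gemspec
+mv -v ipscriptables-*.gem $dir
+
+provisioner:
+name: chef_solo
+data_path: test/data
+
+platforms:
+- name: ubuntu-12.04
+driver_config:
+box: opscode_ubuntu-12.04_provisionerless
+box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
+
+suites:
+- name: default
+run_list:
+- recipe[ipscriptables-test]
+attributes:
+ipscriptables:
+version: null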
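--- a/data/cookbook/Berksfile
+++ b/data/cookbook/Berksfile
@@ -0,0 +1,6 @@
+source "https://api.berkshelf.com"
+
+metadata
+
+cookbook 'ipscriptables-test',
+path: 'test/cookbooks/ipscriptables-test'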
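--- a/data/cookbook/README.md
+++ b/data/cookbook/README.md
@@ -0,0 +1,53 @@
+The IPScriptables Cookbook
+==========================
+
+This cookbook installs
+[IPScriptables](https://github.com/3ofcoins/ipscriptables/) as a Chef
+gem and adds an `ipscriptables` call to recipe DSL to easily configure
+your firewall.
+
+Usage
+-----
+
+Add `ipscriptables` cookbook to your cookbook's dependencies (or
+`recipe[ipscriptables::load]`, or (currently empty)
+`recipe[ipscriptables]` to your run list). Then, in recipe code, you
+can use following call:
+
+```ruby
+ipscriptables do
+# …IPScriptables DSL…
+end
+```
+
+If you need low-level access to an underlying resource, you can call
+it directly and add some layers of syntactic cruft:
+
+```ruby
+ipscriptables_rules "useless name" do
+rules do
+# …IPScriptables DSL…
+end
+end
+```
+
+The LWRP does not execute the rules as it goes, but evaluates them at
+converge time in a single IPScriptables runtime (like one
+IPScriptables CLI call evaluating multiple files). It installs
+a report handler that, at the end of a successful Chef run, applies
+the rules (in whyrun mode it's a dry run).
+
+Attributes
+----------
+
+- `node['ipscriptables']['gem_version']` (default: `"latest"`) --
+version of the IPScriptables gem to install. If left as *latest*,
+the gem is upgraded to newest available version (`:upgrade`
+action). If set to `nil` or `false`, the gem is `:install`ed at
+newest version, but not upgraded if it has already been installed.
+
+Outstanding Issues
+------------------
+
+- [ ] The cookbook should install init script and save rules to be
+applied on reboot.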
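--- a/data/cookbook/attributes/default.rb
+++ b/data/cookbook/attributes/default.rb
@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+
+default['ipscriptables']['gem_version'] = 'latest'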
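--- a/data/cookbook/chefignore
+++ b/data/cookbook/chefignore
@@ -0,0 +1,96 @@
+# Put files/directories that should be ignored in this file when uploading
+# or sharing to the community site.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+Guardfile
+Procfile
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Cookbooks #
+#############
+CONTRIBUTING
+CHANGELOG*
+
+# Strainer #
+############
+Colanderfile
+Strainerfile
+.colander
+.strainer
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
+
+# Travis #
+##########
+.travis.yml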
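--- a/data/cookbook/libraries/default.rb
+++ b/data/cookbook/libraries/default.rb
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+class ChefHandler < Chef::Handler
+def report
+runtime.execute! if runtime
+end
+
+private
+
+def runtime
+node.run_state['ipscriptables_runtime']
+end
+end
+
+module ChefRecipeDSL
+def ipscriptables(name = nil, &block)
+name ||= "#{cookbook_name}::#{recipe_name}::#{_ipscriptables_counter}"
+ipscriptables_rules(name) { rules(&block) }
+end
+
+private
+
+def _ipscriptables_counter
+@ipscriptables_counter ||= 0
+@ipscriptables_counter += 1
+end
+end
+end
+
+class Chef
+class Recipe
+include IPScriptables::ChefRecipeDSL
+end
+end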