netfilter-ruby 4.2

data/lib/netfilter/tool.rb

@@ -0,0 +1,132 @@
+class Netfilter
+  class Tool
+    attr_accessor :tables, :namespace
+
+    def self.import(data)
+      data = data.symbolize_keys
+      new(data[:namespace]).tap do |tool|
+        data[:tables].each do |data|
+          table = Table.import(tool, data)
+          tool.tables[table.name.to_s.downcase] = table
+        end
+      end
+    end
+
+    def self.executable
+      name.demodulize.downcase
+    end
+
+    def self.execute(command)
+      # puts "Executing: #{command}"
+      stdout = `#{command} 2>&1`.strip
+      status = $?
+      if status.exitstatus == 0
+        stdout
+      else
+        raise SystemError, :command => command, :error => stdout
+      end
+    end
+
+    def self.delete_chain(name)
+      commands = []
+      parse.each do |table, chains|
+        chains.each do |chain, rules|
+          rules.each do |rule|
+            if rule.match("-j #{name}")
+              commands << "--table #{table} --delete #{chain} #{rule}"
+            end
+          end
+        end
+
+        chains.each do |chain, rules|
+          if chain.match(name)
+            commands << "--table #{table} --delete-chain #{chain}"
+          end
+        end
+      end
+      commands.each{ |command| execute("#{executable} #{command}") }
+    end
+
+    def initialize(namespace = nil)
+      self.namespace = namespace
+      self.tables = {}
+      yield(self) if block_given?
+    end
+
+    def table(name, &block)
+      key = name.to_s.downcase
+      (tables[key] || Table.new(self, name)).tap do |table|
+        tables[key] = table
+        block.call(table) if block
+      end
+    end
+
+    def pp
+      tables.values.sort_by(&:name).each do |table|
+        puts [table.name]*"\t"
+        table.chains.values.sort_by(&:name).each do |chain|
+          puts ["", chain.name_as_argument]*"\t"
+          chain.filters.each do |filter|
+            puts ["", "", filter]*"\t"
+          end
+        end
+      end
+    end
+
+    def commands
+      [].tap do |commands|
+        tables.values.each do |table|
+          table.commands.each do |command|
+            commands << command.unshift(executable)*" "
+          end
+        end
+      end
+    end
+
+    def up
+      @executed_commands = []
+      commands.each do |command|
+        execute(command)
+        @executed_commands << command
+      end
+    rescue SystemError => e
+      rollback
+      raise e
+    end
+
+    def down
+      @executed_commands = commands
+      rollback
+    end
+
+    def export
+      {
+        :namespace => namespace,
+        :tables => tables.values.map{ |table| table.export },
+      }
+    end
+
+    def executable
+      self.class.executable
+    end
+
+    private
+
+    def rollback
+      @executed_commands.reverse.each do |command|
+        command = argument_rename(command, "new-chain", "delete-chain")
+        command = argument_rename(command, "append", "delete")
+        command = argument_rename(command, "insert", "delete")
+        execute(command)
+      end
+    end
+
+    def argument_rename(command, old_name, new_name)
+      command.gsub(/--#{Regexp.escape(old_name)}(\s|$)/, "--#{new_name}\\1")
+    end
+
+    def execute(command)
+      self.class.execute(command)
+    end
+  end
+end

data/lib/netfilter/version.rb

@@ -0,0 +1,3 @@
+class Netfilter
+  VERSION = "4.2"
+end

data/netfilter.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'netfilter/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "netfilter-ruby"
+  gem.version       = Netfilter::VERSION
+  gem.authors       = ["Netskin GmbH", "Corin Langosch"]
+  gem.email         = ["info@netskin.com", "info@corinlangosch.com"]
+  gem.description   = %q{Awesome Netfilter management}
+  gem.summary       = %q{Awesome Netfilter (iptables & ebtables) management using ruby}
+  gem.homepage      = "http://github.com/netskin/netfilter-ruby"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency "activesupport", ">= 3.0.0"
+
+  gem.add_development_dependency "rspec", "~> 2.12"
+  gem.add_development_dependency "awesome_print"
+  gem.add_development_dependency "json"
+  gem.add_development_dependency "rake"
+end

data/spec/netfilter/eb_tables_spec.rb

@@ -0,0 +1,209 @@
+#encoding: utf-8
+require 'spec_helper'
+describe Netfilter::EbTables do
+  describe "Class Methods" do
+    describe "parse" do
+      it "should not crash when there are no rules" do
+        Netfilter::EbTables.stub(:execute).and_return <<EOT
+Bridge table: filter
+
+Bridge chain: INPUT, entries: 0, policy: ACCEPT
+
+Bridge chain: FORWARD, entries: 0, policy: ACCEPT
+
+Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
+EOT
+
+        Netfilter::EbTables.parse.should eq(
+          "filter" => {
+            "INPUT" => [
+            ],
+            "FORWARD" => [
+            ],
+            "OUTPUT" => [
+            ],
+          },
+        )
+      end
+
+      it "should properly parse the current system's iptables" do
+        Netfilter::EbTables.stub(:execute).and_return <<EOT
+Bridge table: filter
+
+Bridge chain: INPUT, entries: 3, policy: ACCEPT
+-i tap15866 -j guest15865-1-o
+-i tap19266 -j guest19265-1-o
+-i tap592992 -j guest592991-1-o
+
+Bridge chain: FORWARD, entries: 6, policy: ACCEPT
+-i tap15866 -j guest15865-1-o
+-o tap15866 -j guest15865-1-i
+-i tap19266 -j guest19265-1-o
+-o tap19266 -j guest19265-1-i
+-i tap592992 -j guest592991-1-o
+-o tap592992 -j guest592991-1-i
+
+Bridge chain: OUTPUT, entries: 3, policy: ACCEPT
+-o tap15866 -j guest15865-1-i
+-o tap19266 -j guest19265-1-i
+-o tap592992 -j guest592991-1-i
+
+Bridge chain: guest15865-1-o, entries: 14, policy: ACCEPT
+-s ! 2:1a:83:13:5d:26 -j DROP
+-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
+-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
+-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
+-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
+-p IPv4 --ip-src 185.14.157.11 -j RETURN
+-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
+-p IPv4 --ip-src 185.14.157.12 -j RETURN
+-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
+-p IPv4 --ip-src 185.14.157.13 -j RETURN
+-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN
+-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN
+-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
+-j DROP
+
+Bridge chain: guest15865-1-i, entries: 8, policy: ACCEPT
+-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN
+-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN
+-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN
+-p ARP --arp-op Request -j DROP
+-d 2:1a:83:13:5d:26 -j RETURN
+-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
+-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
+-j DROP
+
+Bridge chain: guest19265-1-o, entries: 10, policy: ACCEPT
+-s ! 2:bd:7f:46:96:e -j DROP
+-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
+-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
+-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
+-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
+-p IPv4 --ip-src 185.14.157.109 -j RETURN
+-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN
+-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN
+-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
+-j DROP
+
+Bridge chain: guest19265-1-i, entries: 6, policy: ACCEPT
+-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN
+-p ARP --arp-op Request -j DROP
+-d 2:bd:7f:46:96:e -j RETURN
+-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
+-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
+-j DROP
+
+Bridge chain: guest592991-1-o, entries: 10, policy: ACCEPT
+-s ! 2:23:6c:ab:41:c5 -j DROP
+-p IPv4 --ip-dst 10.0.0.0/8 -j DROP
+-p IPv4 --ip-dst 169.254.0.0/16 -j DROP
+-p IPv4 --ip-dst 172.16.0.0/12 -j DROP
+-p IPv4 --ip-dst 192.168.0.0/16 -j DROP
+-p IPv4 --ip-src 185.14.157.123 -j RETURN
+-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN
+-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN
+-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN
+-j DROP
+
+Bridge chain: guest592991-1-i, entries: 6, policy: ACCEPT
+-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN
+-p ARP --arp-op Request -j DROP
+-d 2:23:6c:ab:41:c5 -j RETURN
+-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN
+-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN
+-j DROP
+EOT
+
+        Netfilter::EbTables.parse.should eq(
+          "filter" => {
+            "INPUT" => [
+              "-i tap15866 -j guest15865-1-o",
+              "-i tap19266 -j guest19265-1-o",
+              "-i tap592992 -j guest592991-1-o"
+            ],
+            "FORWARD" => [
+              "-i tap15866 -j guest15865-1-o",
+              "-o tap15866 -j guest15865-1-i",
+              "-i tap19266 -j guest19265-1-o",
+              "-o tap19266 -j guest19265-1-i",
+              "-i tap592992 -j guest592991-1-o",
+              "-o tap592992 -j guest592991-1-i"
+            ],
+            "OUTPUT" => [
+              "-o tap15866 -j guest15865-1-i",
+              "-o tap19266 -j guest19265-1-i",
+              "-o tap592992 -j guest592991-1-i"
+            ],
+            "guest15865-1-o" => [
+              "-s ! 2:1a:83:13:5d:26 -j DROP",
+              "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
+              "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
+              "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
+              "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
+              "-p IPv4 --ip-src 185.14.157.11 -j RETURN",
+              "-p ARP --arp-ip-src 185.14.157.11 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
+              "-p IPv4 --ip-src 185.14.157.12 -j RETURN",
+              "-p ARP --arp-ip-src 185.14.157.12 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
+              "-p IPv4 --ip-src 185.14.157.13 -j RETURN",
+              "-p ARP --arp-ip-src 185.14.157.13 --arp-mac-src 2:1a:83:13:5d:26 -j RETURN",
+              "-p IPv6 --ip6-src 2a03:b240:101:4f::/ffff:ffff:ffff:ffff:: -j RETURN",
+              "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
+              "-j DROP"
+            ],
+            "guest15865-1-i" => [
+              "-p ARP --arp-op Request --arp-ip-dst 185.14.157.11 -j RETURN",
+              "-p ARP --arp-op Request --arp-ip-dst 185.14.157.12 -j RETURN",
+              "-p ARP --arp-op Request --arp-ip-dst 185.14.157.13 -j RETURN",
+              "-p ARP --arp-op Request -j DROP",
+              "-d 2:1a:83:13:5d:26 -j RETURN",
+              "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
+              "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
+              "-j DROP"
+            ],
+            "guest19265-1-o" => [
+              "-s ! 2:bd:7f:46:96:e -j DROP",
+              "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
+              "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
+              "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
+              "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
+              "-p IPv4 --ip-src 185.14.157.109 -j RETURN",
+              "-p ARP --arp-ip-src 185.14.157.109 --arp-mac-src 2:bd:7f:46:96:e -j RETURN",
+              "-p IPv6 --ip6-src 2a03:b240:101:16::/ffff:ffff:ffff:ffff:: -j RETURN",
+              "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
+              "-j DROP"
+            ],
+            "guest19265-1-i" => [
+              "-p ARP --arp-op Request --arp-ip-dst 185.14.157.109 -j RETURN",
+              "-p ARP --arp-op Request -j DROP",
+              "-d 2:bd:7f:46:96:e -j RETURN",
+              "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
+              "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
+              "-j DROP"
+            ],
+            "guest592991-1-o" => [
+              "-s ! 2:23:6c:ab:41:c5 -j DROP",
+              "-p IPv4 --ip-dst 10.0.0.0/8 -j DROP",
+              "-p IPv4 --ip-dst 169.254.0.0/16 -j DROP",
+              "-p IPv4 --ip-dst 172.16.0.0/12 -j DROP",
+              "-p IPv4 --ip-dst 192.168.0.0/16 -j DROP",
+              "-p IPv4 --ip-src 185.14.157.123 -j RETURN",
+              "-p ARP --arp-ip-src 185.14.157.123 --arp-mac-src 2:23:6c:ab:41:c5 -j RETURN",
+              "-p IPv6 --ip6-src 2a03:b240:101:14::/ffff:ffff:ffff:ffff:: -j RETURN",
+              "-p IPv4 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j RETURN",
+              "-j DROP"
+            ],
+            "guest592991-1-i" => [
+              "-p ARP --arp-op Request --arp-ip-dst 185.14.157.123 -j RETURN",
+              "-p ARP --arp-op Request -j DROP",
+              "-d 2:23:6c:ab:41:c5 -j RETURN",
+              "-d 33:33:0:0:0:0/ff:ff:0:0:0:0 -j RETURN",
+              "-p IPv4 -s 0:16:3e:d6:1:4 -d Broadcast --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 67 --ip-dport 68 -j RETURN",
+              "-j DROP"
+            ],
+          },
+        )
+      end
+    end
+  end
+end

data/spec/netfilter/ip_tables_spec.rb

@@ -0,0 +1,133 @@
+#encoding: utf-8
+require 'spec_helper'
+describe Netfilter::IpTables do
+  describe "Class Methods" do
+    describe "parse" do
+      it "should not crash when there are no rules" do
+        Netfilter::IpTables.stub(:execute).and_return <<EOT
+# Generated by iptables-save v1.4.12 on Wed Sep 18 22:10:46 2013
+*filter
+:INPUT ACCEPT [482594:85187003]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [481491:61131132]
+COMMIT
+# Completed on Wed Sep 18 22:10:46 2013
+EOT
+
+        Netfilter::IpTables.parse.should eq(
+          "filter" => {
+            "INPUT" => [
+            ],
+            "FORWARD" => [
+            ],
+            "OUTPUT" => [
+            ],
+          },
+        )
+      end
+
+
+      it "should properly parse the current system's iptables" do
+        Netfilter::IpTables.stub(:execute).and_return <<EOT
+# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
+*nat
+:PREROUTING ACCEPT [920364:135062514]
+:INPUT ACCEPT [62393:3917616]
+:OUTPUT ACCEPT [59623:4116943]
+:POSTROUTING ACCEPT [640454:41456220]
+-A PREROUTING -d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921
+-A PREROUTING -d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923
+COMMIT
+# Completed on Wed Sep 18 14:15:43 2013
+# Generated by iptables-save v1.4.12 on Wed Sep 18 14:15:43 2013
+*filter
+:INPUT DROP [5647:1842222]
+:FORWARD ACCEPT [267259:341060431]
+:OUTPUT ACCEPT [3936250:18401515934]
+:guest15865-1-i - [0:0]
+:guest19265-1-i - [0:0]
+:guest592991-1-i - [0:0]
+-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP
+-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
+-A INPUT -d 127.0.0.0/8 -i lo -j ACCEPT
+-A INPUT -s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT
+-A INPUT -d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT
+-A FORWARD -m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i
+-A FORWARD -m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i
+-A FORWARD -m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i
+-A guest15865-1-i -j RETURN
+-A guest19265-1-i -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
+-A guest19265-1-i -p tcp -m tcp --dport 80 -j RETURN
+-A guest19265-1-i -p tcp -m tcp --dport 22 -j RETURN
+-A guest19265-1-i -p tcp -m tcp --dport 443 -j RETURN
+-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN
+-A guest19265-1-i -s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN
+-A guest19265-1-i -p tcp -j DROP
+-A guest19265-1-i -p udp -j DROP
+-A guest19265-1-i -j RETURN
+-A guest592991-1-i -j RETURN
+COMMIT
+# Completed on Wed Sep 18 14:15:43 2013
+EOT
+
+        Netfilter::IpTables.parse.should eq(
+          "nat" => {
+            "PREROUTING" => [
+              "-d 185.14.157.109/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5921",
+              "-d 185.14.157.123/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.8:5923"
+            ],
+            "INPUT" => [
+            ],
+            "OUTPUT" => [
+            ],
+            "POSTROUTING" => [
+            ],
+          },
+          "filter" => {
+            "INPUT" => [
+              "-d 10.0.0.8/32 -p tcp -m tcp --dport 5920 -j DROP",
+              "-s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT",
+              "-d 127.0.0.0/8 -i lo -j ACCEPT",
+              "-s 212.224.87.102/32 -p tcp -m tcp --dport 4949 -j ACCEPT",
+              "-p tcp -m tcp --dport 22 -j ACCEPT",
+              "-p icmp -j ACCEPT",
+              "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
+              "-m conntrack --ctstate INVALID -j DROP",
+              "-d 10.0.0.8/32 -p tcp -m tcp --dport 5921 -j ACCEPT",
+              "-d 10.0.0.8/32 -p tcp -m tcp --dport 5923 -j ACCEPT"
+            ],
+            "FORWARD" => [
+              "-m physdev --physdev-out tap15866 --physdev-is-bridged -j guest15865-1-i",
+              "-m physdev --physdev-out tap19266 --physdev-is-bridged -j guest19265-1-i",
+              "-m physdev --physdev-out tap592992 --physdev-is-bridged -j guest592991-1-i"
+            ],
+            "OUTPUT" => [
+            ],
+            "guest15865-1-i" => [
+              "-j RETURN"
+            ],
+            "guest19265-1-i" => [
+              "-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
+              "-p tcp -m tcp --dport 80 -j RETURN",
+              "-p tcp -m tcp --dport 22 -j RETURN",
+              "-p tcp -m tcp --dport 443 -j RETURN",
+              "-s 185.14.157.0/24 -p udp -m udp --dport 67 -j RETURN",
+              "-s 185.14.157.0/24 -p udp -m udp --dport 68 -j RETURN",
+              "-p tcp -j DROP",
+              "-p udp -j DROP",
+              "-j RETURN"
+            ],
+            "guest592991-1-i" => [
+              "-j RETURN"
+            ],
+          },
+        )
+      end
+    end
+  end
+end