netfilter-ruby 4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +63 -0
- data/Rakefile +5 -0
- data/lib/netfilter.rb +107 -0
- data/lib/netfilter/chain.rb +61 -0
- data/lib/netfilter/eb_tables.rb +18 -0
- data/lib/netfilter/filter.rb +52 -0
- data/lib/netfilter/ip6_tables.rb +5 -0
- data/lib/netfilter/ip_tables.rb +23 -0
- data/lib/netfilter/table.rb +62 -0
- data/lib/netfilter/tool.rb +132 -0
- data/lib/netfilter/version.rb +3 -0
- data/netfilter.gemspec +26 -0
- data/spec/netfilter/eb_tables_spec.rb +209 -0
- data/spec/netfilter/ip_tables_spec.rb +133 -0
- data/spec/netfilter/table_spec.rb +15 -0
- data/spec/netfilter/tool_spec.rb +123 -0
- data/spec/netfilter_spec.rb +82 -0
- data/spec/spec_helper.rb +18 -0
- metadata +143 -0
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
describe Netfilter::Table do
|
|
4
|
+
describe "Instance Methods" do
|
|
5
|
+
describe "chain" do
|
|
6
|
+
it "should not create a new chain if one with the same name already exists" do
|
|
7
|
+
tool = Netfilter::Tool.new
|
|
8
|
+
tool.table("filter").chain("test1")
|
|
9
|
+
tool.table("filter").chain("test2")
|
|
10
|
+
tool.table("filter").chain(:test1)
|
|
11
|
+
tool.table("filter").chains.count.should eq(2)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
describe Netfilter::Tool do
|
|
4
|
+
describe "Instance Methods" do
|
|
5
|
+
before do
|
|
6
|
+
@tool = Netfilter::Tool.new do |eb|
|
|
7
|
+
eb.table :filter do |t|
|
|
8
|
+
t.chain :input do |c|
|
|
9
|
+
c.filter :protocol => :tcp, :dport => 22, :jump => :text
|
|
10
|
+
c.insert :protocol => :udp, :dport => 53, :jump => :text
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
t.chain :text do |c|
|
|
14
|
+
c.filter :protocol => :udp, :dport => 80, :jump => :return
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
describe "commands" do
|
|
21
|
+
it "should return a list of system command to apply the rules to the system" do
|
|
22
|
+
@tool.commands.should eq [
|
|
23
|
+
"tool --table filter --new-chain text",
|
|
24
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
|
25
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
|
26
|
+
"tool --table filter --append text --protocol udp --dport 80 --jump RETURN",
|
|
27
|
+
]
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
it "should respect a set namespace" do
|
|
31
|
+
@tool.namespace = "bobby"
|
|
32
|
+
@tool.commands.should eq [
|
|
33
|
+
"tool --table filter --new-chain bobby-text",
|
|
34
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump bobby-text",
|
|
35
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump bobby-text",
|
|
36
|
+
"tool --table filter --append bobby-text --protocol udp --dport 80 --jump RETURN",
|
|
37
|
+
]
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
describe "up" do
|
|
42
|
+
it "should apply the rules to the system" do
|
|
43
|
+
executed = []
|
|
44
|
+
@tool.stub(:execute){ |command| executed << command }
|
|
45
|
+
@tool.up
|
|
46
|
+
executed.should eq [
|
|
47
|
+
"tool --table filter --new-chain text",
|
|
48
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
|
49
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
|
50
|
+
"tool --table filter --append text --protocol udp --dport 80 --jump RETURN",
|
|
51
|
+
]
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
it "should remove again all already applied rules in case applying the next rule fails" do
|
|
55
|
+
trigger = true
|
|
56
|
+
executed = []
|
|
57
|
+
@tool.stub(:execute) do |command|
|
|
58
|
+
if trigger && executed.count == 3
|
|
59
|
+
trigger = false
|
|
60
|
+
raise Netfilter::SystemError, "fake"
|
|
61
|
+
end
|
|
62
|
+
executed << command
|
|
63
|
+
end
|
|
64
|
+
lambda{ @tool.up }.should raise_error(Netfilter::SystemError, "fake")
|
|
65
|
+
executed.should eq [
|
|
66
|
+
"tool --table filter --new-chain text",
|
|
67
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
|
68
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
|
69
|
+
"tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
|
70
|
+
"tool --table filter --delete INPUT --protocol udp --dport 53 --jump text",
|
|
71
|
+
"tool --table filter --delete-chain text",
|
|
72
|
+
]
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
describe "down" do
|
|
77
|
+
it "should remove the rules from the system" do
|
|
78
|
+
executed = []
|
|
79
|
+
@tool.stub(:execute){ |command| executed << command }
|
|
80
|
+
@tool.down
|
|
81
|
+
executed.should eq [
|
|
82
|
+
"tool --table filter --delete text --protocol udp --dport 80 --jump RETURN",
|
|
83
|
+
"tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
|
84
|
+
"tool --table filter --delete INPUT --protocol udp --dport 53 --jump text",
|
|
85
|
+
"tool --table filter --delete-chain text",
|
|
86
|
+
]
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
it "should not delete individual rules if the whole chain gets deleted" do
|
|
90
|
+
pending "optimization not implemented yet"
|
|
91
|
+
# executed = []
|
|
92
|
+
# @tool.stub(:execute){ |command| executed << command }
|
|
93
|
+
# @tool.down
|
|
94
|
+
# executed.should eq [
|
|
95
|
+
# "tool --table filter --delete-chain text",
|
|
96
|
+
# "tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
|
97
|
+
# ]
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
describe "export" do
|
|
102
|
+
it "should return a hash suitable for import" do
|
|
103
|
+
import = Netfilter::Tool.import(@tool.export)
|
|
104
|
+
@tool.commands.should eq(import.commands)
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
it "should return a hash suitable for json serialization and later import" do
|
|
108
|
+
import = Netfilter::Tool.import(JSON.parse(@tool.export.to_json))
|
|
109
|
+
@tool.commands.should eq(import.commands)
|
|
110
|
+
end
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
describe "table" do
|
|
114
|
+
it "should not create a new table if one with the same name already exists" do
|
|
115
|
+
tool = Netfilter::Tool.new
|
|
116
|
+
tool.table("filter")
|
|
117
|
+
tool.table(:filter)
|
|
118
|
+
tool.table("nat")
|
|
119
|
+
tool.tables.count.should eq(2)
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
describe Netfilter do
|
|
4
|
+
describe "Instance Methods" do
|
|
5
|
+
before do
|
|
6
|
+
@netfilter = Netfilter.new
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
describe "up" do
|
|
10
|
+
it "should apply the rules of all underlying tools" do
|
|
11
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
|
12
|
+
@netfilter.ip_tables.should_receive(:up).ordered
|
|
13
|
+
@netfilter.ip6_tables.should_receive(:up).ordered
|
|
14
|
+
@netfilter.up
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
it "should remove applied rules again if anything fails" do
|
|
18
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
|
19
|
+
@netfilter.ip_tables.should_receive(:up).ordered.and_return{ raise ArgumentError, "fake" }
|
|
20
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
|
21
|
+
lambda{ @netfilter.up }.should raise_error(ArgumentError, "fake")
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
describe "down" do
|
|
26
|
+
it "should remove the rules of all underlying tools" do
|
|
27
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
|
28
|
+
@netfilter.ip_tables.should_receive(:down).ordered
|
|
29
|
+
@netfilter.ip6_tables.should_receive(:down).ordered
|
|
30
|
+
@netfilter.down
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
it "should apply removed rules again if anything fails" do
|
|
34
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
|
35
|
+
@netfilter.ip_tables.should_receive(:down).ordered.and_return{ raise ArgumentError, "fake" }
|
|
36
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
|
37
|
+
lambda{ @netfilter.down }.should raise_error(ArgumentError, "fake")
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
describe "export" do
|
|
42
|
+
before do
|
|
43
|
+
@netfilter.ip_tables do |ip|
|
|
44
|
+
ip.table :filter do |t|
|
|
45
|
+
t.chain :input do |c|
|
|
46
|
+
c.filter :protocol => :udp, :jump => :drop
|
|
47
|
+
c.insert :protocol => :tcp, :jump => :drop
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
@netfilter.ip6_tables do |ip|
|
|
53
|
+
ip.table :filter do |t|
|
|
54
|
+
t.chain :input do |c|
|
|
55
|
+
c.filter :protocol => :tcp, :jump => :drop
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
@netfilter.eb_tables do |eb|
|
|
61
|
+
eb.table :filter do |t|
|
|
62
|
+
t.chain :input do |c|
|
|
63
|
+
c.filter :protocol => :arp, :jump => :drop
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
it "should return a hash suitable for import" do
|
|
70
|
+
export = @netfilter.export
|
|
71
|
+
import = Netfilter.import(export)
|
|
72
|
+
import.export.should == export
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
it "should return a hash suitable for json serialization and later import" do
|
|
76
|
+
export = @netfilter.export.to_json
|
|
77
|
+
import = Netfilter.import(JSON.parse(export))
|
|
78
|
+
import.export.to_json.should == export
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
#encoding: utf-8
|
|
2
|
+
require "rubygems"
|
|
3
|
+
require "bundler/setup"
|
|
4
|
+
require "netfilter"
|
|
5
|
+
require "awesome_print"
|
|
6
|
+
require "json"
|
|
7
|
+
|
|
8
|
+
RSpec.configure do |config|
|
|
9
|
+
config.treat_symbols_as_metadata_keys_with_true_values = true
|
|
10
|
+
config.run_all_when_everything_filtered = true
|
|
11
|
+
config.filter_run :focus
|
|
12
|
+
|
|
13
|
+
# Run specs in random order to surface order dependencies. If you find an
|
|
14
|
+
# order dependency and want to debug it, you can fix the order by providing
|
|
15
|
+
# the seed, which is printed after each run.
|
|
16
|
+
# --seed 1234
|
|
17
|
+
config.order = "random"
|
|
18
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: netfilter-ruby
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: '4.2'
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Netskin GmbH
|
|
8
|
+
- Corin Langosch
|
|
9
|
+
autorequire:
|
|
10
|
+
bindir: bin
|
|
11
|
+
cert_chain: []
|
|
12
|
+
date: 2013-12-20 00:00:00.000000000 Z
|
|
13
|
+
dependencies:
|
|
14
|
+
- !ruby/object:Gem::Dependency
|
|
15
|
+
name: activesupport
|
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
|
17
|
+
requirements:
|
|
18
|
+
- - '>='
|
|
19
|
+
- !ruby/object:Gem::Version
|
|
20
|
+
version: 3.0.0
|
|
21
|
+
type: :runtime
|
|
22
|
+
prerelease: false
|
|
23
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
24
|
+
requirements:
|
|
25
|
+
- - '>='
|
|
26
|
+
- !ruby/object:Gem::Version
|
|
27
|
+
version: 3.0.0
|
|
28
|
+
- !ruby/object:Gem::Dependency
|
|
29
|
+
name: rspec
|
|
30
|
+
requirement: !ruby/object:Gem::Requirement
|
|
31
|
+
requirements:
|
|
32
|
+
- - ~>
|
|
33
|
+
- !ruby/object:Gem::Version
|
|
34
|
+
version: '2.12'
|
|
35
|
+
type: :development
|
|
36
|
+
prerelease: false
|
|
37
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
38
|
+
requirements:
|
|
39
|
+
- - ~>
|
|
40
|
+
- !ruby/object:Gem::Version
|
|
41
|
+
version: '2.12'
|
|
42
|
+
- !ruby/object:Gem::Dependency
|
|
43
|
+
name: awesome_print
|
|
44
|
+
requirement: !ruby/object:Gem::Requirement
|
|
45
|
+
requirements:
|
|
46
|
+
- - '>='
|
|
47
|
+
- !ruby/object:Gem::Version
|
|
48
|
+
version: '0'
|
|
49
|
+
type: :development
|
|
50
|
+
prerelease: false
|
|
51
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
52
|
+
requirements:
|
|
53
|
+
- - '>='
|
|
54
|
+
- !ruby/object:Gem::Version
|
|
55
|
+
version: '0'
|
|
56
|
+
- !ruby/object:Gem::Dependency
|
|
57
|
+
name: json
|
|
58
|
+
requirement: !ruby/object:Gem::Requirement
|
|
59
|
+
requirements:
|
|
60
|
+
- - '>='
|
|
61
|
+
- !ruby/object:Gem::Version
|
|
62
|
+
version: '0'
|
|
63
|
+
type: :development
|
|
64
|
+
prerelease: false
|
|
65
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
66
|
+
requirements:
|
|
67
|
+
- - '>='
|
|
68
|
+
- !ruby/object:Gem::Version
|
|
69
|
+
version: '0'
|
|
70
|
+
- !ruby/object:Gem::Dependency
|
|
71
|
+
name: rake
|
|
72
|
+
requirement: !ruby/object:Gem::Requirement
|
|
73
|
+
requirements:
|
|
74
|
+
- - '>='
|
|
75
|
+
- !ruby/object:Gem::Version
|
|
76
|
+
version: '0'
|
|
77
|
+
type: :development
|
|
78
|
+
prerelease: false
|
|
79
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
80
|
+
requirements:
|
|
81
|
+
- - '>='
|
|
82
|
+
- !ruby/object:Gem::Version
|
|
83
|
+
version: '0'
|
|
84
|
+
description: Awesome Netfilter management
|
|
85
|
+
email:
|
|
86
|
+
- info@netskin.com
|
|
87
|
+
- info@corinlangosch.com
|
|
88
|
+
executables: []
|
|
89
|
+
extensions: []
|
|
90
|
+
extra_rdoc_files: []
|
|
91
|
+
files:
|
|
92
|
+
- .gitignore
|
|
93
|
+
- .rspec
|
|
94
|
+
- Gemfile
|
|
95
|
+
- LICENSE.txt
|
|
96
|
+
- README.md
|
|
97
|
+
- Rakefile
|
|
98
|
+
- lib/netfilter.rb
|
|
99
|
+
- lib/netfilter/chain.rb
|
|
100
|
+
- lib/netfilter/eb_tables.rb
|
|
101
|
+
- lib/netfilter/filter.rb
|
|
102
|
+
- lib/netfilter/ip6_tables.rb
|
|
103
|
+
- lib/netfilter/ip_tables.rb
|
|
104
|
+
- lib/netfilter/table.rb
|
|
105
|
+
- lib/netfilter/tool.rb
|
|
106
|
+
- lib/netfilter/version.rb
|
|
107
|
+
- netfilter.gemspec
|
|
108
|
+
- spec/netfilter/eb_tables_spec.rb
|
|
109
|
+
- spec/netfilter/ip_tables_spec.rb
|
|
110
|
+
- spec/netfilter/table_spec.rb
|
|
111
|
+
- spec/netfilter/tool_spec.rb
|
|
112
|
+
- spec/netfilter_spec.rb
|
|
113
|
+
- spec/spec_helper.rb
|
|
114
|
+
homepage: http://github.com/netskin/netfilter-ruby
|
|
115
|
+
licenses: []
|
|
116
|
+
metadata: {}
|
|
117
|
+
post_install_message:
|
|
118
|
+
rdoc_options: []
|
|
119
|
+
require_paths:
|
|
120
|
+
- lib
|
|
121
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
122
|
+
requirements:
|
|
123
|
+
- - '>='
|
|
124
|
+
- !ruby/object:Gem::Version
|
|
125
|
+
version: '0'
|
|
126
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
127
|
+
requirements:
|
|
128
|
+
- - '>='
|
|
129
|
+
- !ruby/object:Gem::Version
|
|
130
|
+
version: '0'
|
|
131
|
+
requirements: []
|
|
132
|
+
rubyforge_project:
|
|
133
|
+
rubygems_version: 2.1.11
|
|
134
|
+
signing_key:
|
|
135
|
+
specification_version: 4
|
|
136
|
+
summary: Awesome Netfilter (iptables & ebtables) management using ruby
|
|
137
|
+
test_files:
|
|
138
|
+
- spec/netfilter/eb_tables_spec.rb
|
|
139
|
+
- spec/netfilter/ip_tables_spec.rb
|
|
140
|
+
- spec/netfilter/table_spec.rb
|
|
141
|
+
- spec/netfilter/tool_spec.rb
|
|
142
|
+
- spec/netfilter_spec.rb
|
|
143
|
+
- spec/spec_helper.rb
|