netfilter-ruby 4.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +63 -0
- data/Rakefile +5 -0
- data/lib/netfilter.rb +107 -0
- data/lib/netfilter/chain.rb +61 -0
- data/lib/netfilter/eb_tables.rb +18 -0
- data/lib/netfilter/filter.rb +52 -0
- data/lib/netfilter/ip6_tables.rb +5 -0
- data/lib/netfilter/ip_tables.rb +23 -0
- data/lib/netfilter/table.rb +62 -0
- data/lib/netfilter/tool.rb +132 -0
- data/lib/netfilter/version.rb +3 -0
- data/netfilter.gemspec +26 -0
- data/spec/netfilter/eb_tables_spec.rb +209 -0
- data/spec/netfilter/ip_tables_spec.rb +133 -0
- data/spec/netfilter/table_spec.rb +15 -0
- data/spec/netfilter/tool_spec.rb +123 -0
- data/spec/netfilter_spec.rb +82 -0
- data/spec/spec_helper.rb +18 -0
- metadata +143 -0
@@ -0,0 +1,15 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
describe Netfilter::Table do
|
4
|
+
describe "Instance Methods" do
|
5
|
+
describe "chain" do
|
6
|
+
it "should not create a new chain if one with the same name already exists" do
|
7
|
+
tool = Netfilter::Tool.new
|
8
|
+
tool.table("filter").chain("test1")
|
9
|
+
tool.table("filter").chain("test2")
|
10
|
+
tool.table("filter").chain(:test1)
|
11
|
+
tool.table("filter").chains.count.should eq(2)
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,123 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
describe Netfilter::Tool do
|
4
|
+
describe "Instance Methods" do
|
5
|
+
before do
|
6
|
+
@tool = Netfilter::Tool.new do |eb|
|
7
|
+
eb.table :filter do |t|
|
8
|
+
t.chain :input do |c|
|
9
|
+
c.filter :protocol => :tcp, :dport => 22, :jump => :text
|
10
|
+
c.insert :protocol => :udp, :dport => 53, :jump => :text
|
11
|
+
end
|
12
|
+
|
13
|
+
t.chain :text do |c|
|
14
|
+
c.filter :protocol => :udp, :dport => 80, :jump => :return
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe "commands" do
|
21
|
+
it "should return a list of system command to apply the rules to the system" do
|
22
|
+
@tool.commands.should eq [
|
23
|
+
"tool --table filter --new-chain text",
|
24
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
25
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
26
|
+
"tool --table filter --append text --protocol udp --dport 80 --jump RETURN",
|
27
|
+
]
|
28
|
+
end
|
29
|
+
|
30
|
+
it "should respect a set namespace" do
|
31
|
+
@tool.namespace = "bobby"
|
32
|
+
@tool.commands.should eq [
|
33
|
+
"tool --table filter --new-chain bobby-text",
|
34
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump bobby-text",
|
35
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump bobby-text",
|
36
|
+
"tool --table filter --append bobby-text --protocol udp --dport 80 --jump RETURN",
|
37
|
+
]
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
describe "up" do
|
42
|
+
it "should apply the rules to the system" do
|
43
|
+
executed = []
|
44
|
+
@tool.stub(:execute){ |command| executed << command }
|
45
|
+
@tool.up
|
46
|
+
executed.should eq [
|
47
|
+
"tool --table filter --new-chain text",
|
48
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
49
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
50
|
+
"tool --table filter --append text --protocol udp --dport 80 --jump RETURN",
|
51
|
+
]
|
52
|
+
end
|
53
|
+
|
54
|
+
it "should remove again all already applied rules in case applying the next rule fails" do
|
55
|
+
trigger = true
|
56
|
+
executed = []
|
57
|
+
@tool.stub(:execute) do |command|
|
58
|
+
if trigger && executed.count == 3
|
59
|
+
trigger = false
|
60
|
+
raise Netfilter::SystemError, "fake"
|
61
|
+
end
|
62
|
+
executed << command
|
63
|
+
end
|
64
|
+
lambda{ @tool.up }.should raise_error(Netfilter::SystemError, "fake")
|
65
|
+
executed.should eq [
|
66
|
+
"tool --table filter --new-chain text",
|
67
|
+
"tool --table filter --append INPUT --protocol udp --dport 53 --jump text",
|
68
|
+
"tool --table filter --append INPUT --protocol tcp --dport 22 --jump text",
|
69
|
+
"tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
70
|
+
"tool --table filter --delete INPUT --protocol udp --dport 53 --jump text",
|
71
|
+
"tool --table filter --delete-chain text",
|
72
|
+
]
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
describe "down" do
|
77
|
+
it "should remove the rules from the system" do
|
78
|
+
executed = []
|
79
|
+
@tool.stub(:execute){ |command| executed << command }
|
80
|
+
@tool.down
|
81
|
+
executed.should eq [
|
82
|
+
"tool --table filter --delete text --protocol udp --dport 80 --jump RETURN",
|
83
|
+
"tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
84
|
+
"tool --table filter --delete INPUT --protocol udp --dport 53 --jump text",
|
85
|
+
"tool --table filter --delete-chain text",
|
86
|
+
]
|
87
|
+
end
|
88
|
+
|
89
|
+
it "should not delete individual rules if the whole chain gets deleted" do
|
90
|
+
pending "optimization not implemented yet"
|
91
|
+
# executed = []
|
92
|
+
# @tool.stub(:execute){ |command| executed << command }
|
93
|
+
# @tool.down
|
94
|
+
# executed.should eq [
|
95
|
+
# "tool --table filter --delete-chain text",
|
96
|
+
# "tool --table filter --delete INPUT --protocol tcp --dport 22 --jump text",
|
97
|
+
# ]
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
describe "export" do
|
102
|
+
it "should return a hash suitable for import" do
|
103
|
+
import = Netfilter::Tool.import(@tool.export)
|
104
|
+
@tool.commands.should eq(import.commands)
|
105
|
+
end
|
106
|
+
|
107
|
+
it "should return a hash suitable for json serialization and later import" do
|
108
|
+
import = Netfilter::Tool.import(JSON.parse(@tool.export.to_json))
|
109
|
+
@tool.commands.should eq(import.commands)
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
describe "table" do
|
114
|
+
it "should not create a new table if one with the same name already exists" do
|
115
|
+
tool = Netfilter::Tool.new
|
116
|
+
tool.table("filter")
|
117
|
+
tool.table(:filter)
|
118
|
+
tool.table("nat")
|
119
|
+
tool.tables.count.should eq(2)
|
120
|
+
end
|
121
|
+
end
|
122
|
+
end
|
123
|
+
end
|
@@ -0,0 +1,82 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
describe Netfilter do
|
4
|
+
describe "Instance Methods" do
|
5
|
+
before do
|
6
|
+
@netfilter = Netfilter.new
|
7
|
+
end
|
8
|
+
|
9
|
+
describe "up" do
|
10
|
+
it "should apply the rules of all underlying tools" do
|
11
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
12
|
+
@netfilter.ip_tables.should_receive(:up).ordered
|
13
|
+
@netfilter.ip6_tables.should_receive(:up).ordered
|
14
|
+
@netfilter.up
|
15
|
+
end
|
16
|
+
|
17
|
+
it "should remove applied rules again if anything fails" do
|
18
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
19
|
+
@netfilter.ip_tables.should_receive(:up).ordered.and_return{ raise ArgumentError, "fake" }
|
20
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
21
|
+
lambda{ @netfilter.up }.should raise_error(ArgumentError, "fake")
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
describe "down" do
|
26
|
+
it "should remove the rules of all underlying tools" do
|
27
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
28
|
+
@netfilter.ip_tables.should_receive(:down).ordered
|
29
|
+
@netfilter.ip6_tables.should_receive(:down).ordered
|
30
|
+
@netfilter.down
|
31
|
+
end
|
32
|
+
|
33
|
+
it "should apply removed rules again if anything fails" do
|
34
|
+
@netfilter.eb_tables.should_receive(:down).ordered
|
35
|
+
@netfilter.ip_tables.should_receive(:down).ordered.and_return{ raise ArgumentError, "fake" }
|
36
|
+
@netfilter.eb_tables.should_receive(:up).ordered
|
37
|
+
lambda{ @netfilter.down }.should raise_error(ArgumentError, "fake")
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
describe "export" do
|
42
|
+
before do
|
43
|
+
@netfilter.ip_tables do |ip|
|
44
|
+
ip.table :filter do |t|
|
45
|
+
t.chain :input do |c|
|
46
|
+
c.filter :protocol => :udp, :jump => :drop
|
47
|
+
c.insert :protocol => :tcp, :jump => :drop
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
@netfilter.ip6_tables do |ip|
|
53
|
+
ip.table :filter do |t|
|
54
|
+
t.chain :input do |c|
|
55
|
+
c.filter :protocol => :tcp, :jump => :drop
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
|
60
|
+
@netfilter.eb_tables do |eb|
|
61
|
+
eb.table :filter do |t|
|
62
|
+
t.chain :input do |c|
|
63
|
+
c.filter :protocol => :arp, :jump => :drop
|
64
|
+
end
|
65
|
+
end
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
it "should return a hash suitable for import" do
|
70
|
+
export = @netfilter.export
|
71
|
+
import = Netfilter.import(export)
|
72
|
+
import.export.should == export
|
73
|
+
end
|
74
|
+
|
75
|
+
it "should return a hash suitable for json serialization and later import" do
|
76
|
+
export = @netfilter.export.to_json
|
77
|
+
import = Netfilter.import(JSON.parse(export))
|
78
|
+
import.export.to_json.should == export
|
79
|
+
end
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1,18 @@
|
|
1
|
+
#encoding: utf-8
|
2
|
+
require "rubygems"
|
3
|
+
require "bundler/setup"
|
4
|
+
require "netfilter"
|
5
|
+
require "awesome_print"
|
6
|
+
require "json"
|
7
|
+
|
8
|
+
RSpec.configure do |config|
|
9
|
+
config.treat_symbols_as_metadata_keys_with_true_values = true
|
10
|
+
config.run_all_when_everything_filtered = true
|
11
|
+
config.filter_run :focus
|
12
|
+
|
13
|
+
# Run specs in random order to surface order dependencies. If you find an
|
14
|
+
# order dependency and want to debug it, you can fix the order by providing
|
15
|
+
# the seed, which is printed after each run.
|
16
|
+
# --seed 1234
|
17
|
+
config.order = "random"
|
18
|
+
end
|
metadata
ADDED
@@ -0,0 +1,143 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: netfilter-ruby
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: '4.2'
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Netskin GmbH
|
8
|
+
- Corin Langosch
|
9
|
+
autorequire:
|
10
|
+
bindir: bin
|
11
|
+
cert_chain: []
|
12
|
+
date: 2013-12-20 00:00:00.000000000 Z
|
13
|
+
dependencies:
|
14
|
+
- !ruby/object:Gem::Dependency
|
15
|
+
name: activesupport
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
17
|
+
requirements:
|
18
|
+
- - '>='
|
19
|
+
- !ruby/object:Gem::Version
|
20
|
+
version: 3.0.0
|
21
|
+
type: :runtime
|
22
|
+
prerelease: false
|
23
|
+
version_requirements: !ruby/object:Gem::Requirement
|
24
|
+
requirements:
|
25
|
+
- - '>='
|
26
|
+
- !ruby/object:Gem::Version
|
27
|
+
version: 3.0.0
|
28
|
+
- !ruby/object:Gem::Dependency
|
29
|
+
name: rspec
|
30
|
+
requirement: !ruby/object:Gem::Requirement
|
31
|
+
requirements:
|
32
|
+
- - ~>
|
33
|
+
- !ruby/object:Gem::Version
|
34
|
+
version: '2.12'
|
35
|
+
type: :development
|
36
|
+
prerelease: false
|
37
|
+
version_requirements: !ruby/object:Gem::Requirement
|
38
|
+
requirements:
|
39
|
+
- - ~>
|
40
|
+
- !ruby/object:Gem::Version
|
41
|
+
version: '2.12'
|
42
|
+
- !ruby/object:Gem::Dependency
|
43
|
+
name: awesome_print
|
44
|
+
requirement: !ruby/object:Gem::Requirement
|
45
|
+
requirements:
|
46
|
+
- - '>='
|
47
|
+
- !ruby/object:Gem::Version
|
48
|
+
version: '0'
|
49
|
+
type: :development
|
50
|
+
prerelease: false
|
51
|
+
version_requirements: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - '>='
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: '0'
|
56
|
+
- !ruby/object:Gem::Dependency
|
57
|
+
name: json
|
58
|
+
requirement: !ruby/object:Gem::Requirement
|
59
|
+
requirements:
|
60
|
+
- - '>='
|
61
|
+
- !ruby/object:Gem::Version
|
62
|
+
version: '0'
|
63
|
+
type: :development
|
64
|
+
prerelease: false
|
65
|
+
version_requirements: !ruby/object:Gem::Requirement
|
66
|
+
requirements:
|
67
|
+
- - '>='
|
68
|
+
- !ruby/object:Gem::Version
|
69
|
+
version: '0'
|
70
|
+
- !ruby/object:Gem::Dependency
|
71
|
+
name: rake
|
72
|
+
requirement: !ruby/object:Gem::Requirement
|
73
|
+
requirements:
|
74
|
+
- - '>='
|
75
|
+
- !ruby/object:Gem::Version
|
76
|
+
version: '0'
|
77
|
+
type: :development
|
78
|
+
prerelease: false
|
79
|
+
version_requirements: !ruby/object:Gem::Requirement
|
80
|
+
requirements:
|
81
|
+
- - '>='
|
82
|
+
- !ruby/object:Gem::Version
|
83
|
+
version: '0'
|
84
|
+
description: Awesome Netfilter management
|
85
|
+
email:
|
86
|
+
- info@netskin.com
|
87
|
+
- info@corinlangosch.com
|
88
|
+
executables: []
|
89
|
+
extensions: []
|
90
|
+
extra_rdoc_files: []
|
91
|
+
files:
|
92
|
+
- .gitignore
|
93
|
+
- .rspec
|
94
|
+
- Gemfile
|
95
|
+
- LICENSE.txt
|
96
|
+
- README.md
|
97
|
+
- Rakefile
|
98
|
+
- lib/netfilter.rb
|
99
|
+
- lib/netfilter/chain.rb
|
100
|
+
- lib/netfilter/eb_tables.rb
|
101
|
+
- lib/netfilter/filter.rb
|
102
|
+
- lib/netfilter/ip6_tables.rb
|
103
|
+
- lib/netfilter/ip_tables.rb
|
104
|
+
- lib/netfilter/table.rb
|
105
|
+
- lib/netfilter/tool.rb
|
106
|
+
- lib/netfilter/version.rb
|
107
|
+
- netfilter.gemspec
|
108
|
+
- spec/netfilter/eb_tables_spec.rb
|
109
|
+
- spec/netfilter/ip_tables_spec.rb
|
110
|
+
- spec/netfilter/table_spec.rb
|
111
|
+
- spec/netfilter/tool_spec.rb
|
112
|
+
- spec/netfilter_spec.rb
|
113
|
+
- spec/spec_helper.rb
|
114
|
+
homepage: http://github.com/netskin/netfilter-ruby
|
115
|
+
licenses: []
|
116
|
+
metadata: {}
|
117
|
+
post_install_message:
|
118
|
+
rdoc_options: []
|
119
|
+
require_paths:
|
120
|
+
- lib
|
121
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
122
|
+
requirements:
|
123
|
+
- - '>='
|
124
|
+
- !ruby/object:Gem::Version
|
125
|
+
version: '0'
|
126
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
127
|
+
requirements:
|
128
|
+
- - '>='
|
129
|
+
- !ruby/object:Gem::Version
|
130
|
+
version: '0'
|
131
|
+
requirements: []
|
132
|
+
rubyforge_project:
|
133
|
+
rubygems_version: 2.1.11
|
134
|
+
signing_key:
|
135
|
+
specification_version: 4
|
136
|
+
summary: Awesome Netfilter (iptables & ebtables) management using ruby
|
137
|
+
test_files:
|
138
|
+
- spec/netfilter/eb_tables_spec.rb
|
139
|
+
- spec/netfilter/ip_tables_spec.rb
|
140
|
+
- spec/netfilter/table_spec.rb
|
141
|
+
- spec/netfilter/tool_spec.rb
|
142
|
+
- spec/netfilter_spec.rb
|
143
|
+
- spec/spec_helper.rb
|