puffy 0.1.0

data/lib/puffy/puppet.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module Puffy
+  # Manage nodes rulesets as a tree of rules to serve via Puppet
+  class Puppet
+    # Setup an environment to store firewall rules to disk
+    #
+    # @param path [String] Root directory of the tree of firewall rules
+    # @param parser [Puffy::Parser] A parser with nodes and rules
+    def initialize(path, parser)
+      @path = path
+      @parser = parser
+
+      @formatters = [
+        Puffy::Formatters::Pf::Ruleset.new,
+        Puffy::Formatters::Netfilter4::Ruleset.new,
+        Puffy::Formatters::Netfilter6::Ruleset.new,
+      ]
+    end
+
+    # Saves rules to disk
+    #
+    # @return [void]
+    def save
+      each_fragment do |fragment_name, fragment_content|
+        FileUtils.mkdir_p(File.dirname(fragment_name))
+
+        next unless fragment_changed?(fragment_name, fragment_content)
+
+        File.open(fragment_name, 'w') do |f|
+          f.write(fragment_content)
+        end
+      end
+    end
+
+    # Show differences between saved and generated rules
+    #
+    # @return [void]
+    def diff
+      each_fragment do |fragment_name, fragment_content|
+        human_fragment_name = fragment_name.delete_prefix(@path).delete_prefix('/')
+        IO.popen("diff -u1 -N --unidirectional-new-file --ignore-matching-lines='^#' --label a/#{human_fragment_name} #{fragment_name} --label b/#{human_fragment_name} -", 'r+') do |io|
+          io.write(fragment_content)
+          io.close_write
+          out = io.read
+          $stdout.write out
+        end
+      end
+    end
+
+    private
+
+    def each_fragment
+      @parser.nodes.each do |hostname|
+        rules = @parser.ruleset_for(hostname)
+        policy = @parser.policy_for(hostname)
+
+        @formatters.each do |formatter|
+          filename = File.join(@path, hostname, formatter.filename_fragment)
+          yield filename, formatter.emit_ruleset(rules, policy)
+        end
+      end
+    end
+
+    def fragment_changed?(fragment_name, fragment_content)
+      return true unless File.exist?(fragment_name)
+
+      File.read(fragment_name).split("\n").reject { |l| l =~ /^#/ } != fragment_content.split("\n").reject { |l| l =~ /^#/ }
+    end
+  end
+end

data/lib/puffy/resolver.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'resolv'
+require 'singleton'
+
+module Puffy
+  # DNS resolution class.
+  class Resolver
+    include Singleton
+
+    # Resolve +hostname+ and return an Array of IPAddr.
+    #
+    # @example
+    #   Resolver.instance.resolv('localhost')
+    #   #=> [#<IPAddr:[::1]>, #<IPAddr:127.0.0.1>]
+    #   Resolver.instance.resolv('localhost', :inet)
+    #   #=> [#<IPAddr:127.0.0.1>]
+    #   Resolver.instance.resolv('localhost', :inet6)
+    #   #=> [#<IPAddr:[::1]>]
+    #
+    # @param hostname [String] The hostname to resolve
+    # @param address_family [Symbol] if set, limit search to +address_family+, +:inet+ or +:inet6+
+    # @return [Array<IPAddr>]
+    def resolv(hostname, address_family = nil)
+      if hostname.is_a?(IPAddr)
+        resolv_ipaddress(hostname, address_family)
+      else
+        resolv_hostname(hostname, address_family)
+      end
+    end
+
+    private
+
+    def resolv_ipaddress(address, address_family)
+      filter_af(address, address_family)
+    end
+
+    def filter_af(address, address_family)
+      return [] if address_family && !match_af?(address, address_family)
+
+      [address]
+    end
+
+    def match_af?(address, address_family)
+      (address.ipv6? && address_family == :inet6) ||
+        (address.ipv4? && address_family == :inet)
+    end
+
+    def resolv_hostname(hostname, address_family)
+      result = []
+      result += resolv_hostname_ipv6(hostname) if address_family.nil? || address_family == :inet6
+      result += resolv_hostname_ipv4(hostname) if address_family.nil? || address_family == :inet
+      raise "\"#{hostname}\" does not resolve to any valid IP#{@af_str[address_family]} address." if result.empty?
+
+      result
+    end
+
+    def resolv_hostname_ipv6(hostname)
+      resolv_hostname_record(hostname, Resolv::DNS::Resource::IN::AAAA)
+    end
+
+    def resolv_hostname_ipv4(hostname)
+      resolv_hostname_record(hostname, Resolv::DNS::Resource::IN::A)
+    end
+
+    def resolv_hostname_record(hostname, record)
+      @dns.getresources(hostname, record).collect { |r| IPAddr.new(r.address.to_s) }.sort
+    end
+
+    def initialize # :nodoc:
+      config = nil
+      @dns = Resolv::DNS.open(config)
+      @af_str = { inet: 'v4', inet6: 'v6' }
+    end
+  end
+end

data/lib/puffy/rule.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+module Puffy
+  class AddressFamilyConflict < RuntimeError
+  end
+
+  # Abstract firewall rule.
+  class Rule
+    # @!attribute action
+    #   The action to perform when the rule apply (+:accept+ or +:block+).
+    #   @return [Symbol] Action
+    # @!attribute return
+    #   Whether blocked packets must be returned to sender instead of being silently dropped.
+    #   @return [Boolean] Return flag
+    # @!attribute dir
+    #   The direction of the rule (+:in+ or +:out+).
+    #   @return [Symbol] Direction
+    # @!attribute proto
+    #   The protocol the Puffy::Rule applies to (+:tcp+, +:udp+, etc).
+    #   @return [Symbol] Protocol
+    # @!attribute af
+    #   The address family of the rule (+:inet6+ or +:inet+)
+    #   @return [Symbol] Address family
+    # @!attribute on
+    #   The interface the rule applies to.
+    #   @return [String] Interface
+    # @!attribute in
+    #   The interface packets must arrive on for the rule to apply in a forwarding context.
+    #   @return [String] Interface
+    # @!attribute out
+    #   The interface packets must be sent to for the rule to apply in a forwarding context.
+    #   @return [String] Interface
+    # @!attribute from
+    #   The packet source as a Hash for the rule to apply.
+    #
+    #   :host:: address of the source host or network the rule apply to
+    #   :port:: source port the rule apply to
+    #   @return [Hash] Source
+    # @!attribute to
+    #   The packet destination as a Hash for the rule to apply.
+    #
+    #   :host:: address of the destination host or network the rule apply to
+    #   :port:: destination port the rule apply to
+    #   @return [Hash] Destination
+    # @!attribute nat_to
+    #   The packet destination when peforming NAT.
+    #   @return [IPAddr] IP Adress
+    # @!attribute rdr_to
+    #   The destination as a Hash for redirections.
+    #
+    #   :host:: address of the destination host or network the rule apply to
+    #   :port:: destination port the rule apply to
+    #   @return [Hash] Destination
+    # @!attribute no_quick
+    #   Prevent the rule from being a quick one.
+    #   @return [Boolean] Quick flag
+    attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick
+
+    # Instanciate a firewall Puffy::Rule.
+    #
+    # +options+ is a Hash of the Puffy::Rule class attributes
+    #
+    #   Rule.new({ action: :accept, dir: :in, proto: :tcp, to: { port: 80 } })
+    def initialize(options = {})
+      send_options(options)
+
+      @af = detect_af unless af
+
+      raise "unsupported action `#{options[:action]}'" unless valid_action?
+      raise 'if from_port or to_port is specified, the protocol must also be given' if port_without_protocol?
+    end
+
+    # Instanciate a forward Puffy::Rule.
+    #
+    # @param rule [Puffy::Rule] a NAT rule
+    #
+    # @return [Puffy::Rule]
+    def self.fwd_rule(rule)
+      res = rule.dup
+      res.on_to_in_out!
+      res.to.merge!(res.rdr_to.compact)
+      res.rdr_to = nil
+      res.dir = :fwd
+      res
+    end
+
+    # Return true if the rule is valid in an IPv4 context.
+    def ipv4?
+      af.nil? || af == :inet
+    end
+
+    # Return true if the rule has an IPv4 source or destination.
+    def implicit_ipv4?
+      from_ipv4? || to_ipv4? || rdr_to_ipv4? || (rdr_to && af == :inet)
+    end
+
+    # Return true if the rule is valid in an IPv6 context.
+    def ipv6?
+      af.nil? || af == :inet6
+    end
+
+    # Return true if the rule has an IPv6 source or destination.
+    def implicit_ipv6?
+      from_ipv6? || to_ipv6? || rdr_to_ipv6? || (rdr_to && af == :inet6)
+    end
+
+    # Return true if the rule is a filter rule.
+    def filter?
+      !nat? && !rdr?
+    end
+
+    # Returns whether the rule applies to incomming packets.
+    def in?
+      dir.nil? || dir == :in
+    end
+
+    # Returns whether the rule applies to outgoing packets.
+    def out?
+      dir.nil? || dir == :out
+    end
+
+    # Returns whether the rule performs Network Address Translation.
+    def nat?
+      nat_to
+    end
+
+    # Returns whether the rule is a redirection.
+    def rdr?
+      rdr_to_host || rdr_to_port
+    end
+
+    # Returns whether the rule performs forwarding.
+    def fwd?
+      dir == :fwd
+    end
+
+    # @!method from_host
+    #   Returns the source host of the Puffy::Rule.
+    # @!method from_port
+    #   Returns the source port of the Puffy::Rule.
+    # @!method to_host
+    #   Returns the destination host of the Puffy::Rule.
+    # @!method to_port
+    #   Returns the destination port of the Puffy::Rule.
+    # @!method rdr_to_host
+    #   Returns the redirect destination host of the Puffy::Rule.
+    # @!method rdr_to_port
+    #   Returns the redirect destination port of the Puffy::Rule.
+    %i[from to rdr_to].each do |destination|
+      %i[host port].each do |param|
+        define_method("#{destination}_#{param}") do
+          res = public_send(destination)
+          res && res[param]
+        end
+      end
+    end
+
+    # Setsthe #in / #out to #on depending on #dir.
+    #
+    # @return [void]
+    def on_to_in_out!
+      if dir == :in
+        self.in ||= on
+      else
+        self.out ||= on
+      end
+      self.on = nil
+    end
+
+    private
+
+    def valid_action?
+      [nil, :pass, :block].include?(action)
+    end
+
+    def port_without_protocol?
+      (from_port || to_port) && proto.nil?
+    end
+
+    def send_options(options)
+      options.each do |k, v|
+        send("#{k}=", v)
+      end
+    end
+
+    def detect_af
+      afs = collect_afs
+      return nil if afs.empty?
+      return afs.first if afs.one?
+
+      raise AddressFamilyConflict, "Incompatible address famlilies: #{afs}"
+    end
+
+    def collect_afs
+      %i[from_host to_host rdr_to_host].map do |method|
+        res = send(method)
+        if res.nil? then nil
+        elsif res.ipv4? then :inet
+        elsif res.ipv6? then :inet6
+        else raise 'Fail'
+        end
+      end.uniq.compact
+    end
+
+    # @!method from_ipv4?
+    # @!method from_ipv6?
+    # @!method to_ipv4?
+    # @!method to_ipv6?
+    # @!method rdr_to_ipv4?
+    # @!method rdr_to_ipv6?
+    %i[from to rdr_to].each do |destination|
+      %i[ipv4 ipv6].each do |ip_version|
+        define_method("#{destination}_#{ip_version}?") do
+          res = public_send("#{destination}_host")
+          res&.public_send("#{ip_version}?")
+        end
+      end
+    end
+  end
+end

data/lib/puffy/rule_factory.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module Puffy
+  # Puffy::Rule factory
+  class RuleFactory
+    # Initialize a Puffy::Rule factory.
+    def initialize
+      @af = nil
+      @resolver = Resolver.instance
+      load_services
+    end
+
+    # Limit the scope of a set of rules to IPv4 only.
+    def ipv4
+      raise 'Address familly already scopped' if @af
+
+      @af = :inet
+      yield
+      @af = nil
+    end
+
+    # Limit the scope of a set of rules to IPv6 only.
+    def ipv6
+      raise 'Address familly already scopped' if @af
+
+      @af = :inet6
+      yield
+      @af = nil
+    end
+
+    # Return an Array of Puffy::Rule for the provided +options+.
+    # @param [Hash] options
+    # @return [Array<Puffy::Rule>]
+    def build(options = {})
+      return [] if options == {}
+
+      options = { action: nil, return: false, dir: nil, af: nil, proto: nil, on: nil, from: { host: nil, port: nil }, to: { host: nil, port: nil }, nat_to: nil, rdr_to: { host: nil, port: nil } }.merge(options)
+
+      options = resolv_hostnames_and_ports(options)
+      instanciate_rules(options)
+    end
+
+    private
+
+    def resolv_hostnames_and_ports(options)
+      %i[from to rdr_to].each do |endpoint|
+        options[endpoint][:host] = host_lookup(options[endpoint][:host])
+        options[endpoint][:port] = port_lookup(options[endpoint][:port])
+      end
+      options[:nat_to] = host_lookup(options[:nat_to])
+      options
+    end
+
+    def instanciate_rules(options)
+      options.expand.map do |hash|
+        rule = Rule.new(hash)
+        rule if af_match_policy?(rule.af)
+      rescue AddressFamilyConflict
+        nil
+      end.compact
+    end
+
+    def load_services
+      @services = {}
+      File.readlines('/etc/services').each do |line|
+        line.sub!(/#.*/, '')
+        pieces = line.split
+        next if pieces.count < 2
+
+        port = pieces.delete_at(1).to_i
+        pieces.each do |piece|
+          @services[piece] = port
+        end
+      end
+    end
+
+    def af_match_policy?(af)
+      @af.nil? || af.nil? || af == @af
+    end
+
+    def host_lookup(host)
+      case host
+      when nil    then nil
+      when IPAddr then host
+      when String then @resolver.resolv(host)
+      when Array  then host.map { |x| @resolver.resolv(x) }.flatten
+      else
+        raise "Unexpected #{host.class.name}"
+      end
+    end
+
+    def port_lookup(port)
+      case port
+      when nil then nil
+      when Integer, Range then port
+      when String         then real_port_lookup(port)
+      when Array          then port.map { |x| port_lookup(x) }
+      else
+        raise "Unexpected #{port.class.name}"
+      end
+    end
+
+    def real_port_lookup(port)
+      res = port_is_a_number(port) || @services[port]
+
+      raise "unknown service \"#{port}\"" unless res
+
+      res
+    end
+
+    def port_is_a_number(port)
+      Integer(port)
+    rescue ArgumentError
+      nil
+    end
+  end
+end

data/lib/puffy/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Puffy # :nodoc:
+  VERSION = '0.1.0'
+end

data/lib/puffy.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'core_ext'
+
+require 'puffy/parser.tab'
+require 'puffy/formatters/base'
+require 'puffy/formatters/netfilter'
+require 'puffy/formatters/netfilter4'
+require 'puffy/formatters/netfilter6'
+require 'puffy/formatters/pf'
+require 'puffy/puppet'
+require 'puffy/resolver'
+require 'puffy/rule'
+require 'puffy/rule_factory'
+require 'puffy/version'
+
+module Puffy
+  class PuffyError < RuntimeError
+    def initialize(message, token)
+      super(message)
+      @token = token
+    end
+
+    def filename
+      @token[:filename]
+    end
+
+    def lineno
+      @token[:lineno]
+    end
+
+    def line
+      @token[:line]
+    end
+
+    def position
+      @token[:position]
+    end
+
+    def length
+      @token.fetch(:length, 1)
+    end
+
+    def extra
+      '~' * (length - 1)
+    end
+
+    def to_s
+      <<~MESSAGE
+        #{filename}:#{lineno}:#{position + 1}: #{super}
+        #{line}
+        #{' ' * position}^#{extra}
+      MESSAGE
+    end
+  end
+
+  class ParseError < PuffyError
+  end
+
+  class SyntaxError < PuffyError
+  end
+end

data/puffy.gemspec

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative 'lib/puffy/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'puffy'
+  spec.version       = Puffy::VERSION
+  spec.authors       = ['Romain Tartière']
+  spec.email         = ['romain@blogreen.org']
+
+  spec.summary       = 'Network firewall rules made easy!'
+  spec.homepage      = 'https://github.com/opus-codium/puffy'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
+
+  spec.metadata['allowed_push_host'] = 'https://rubygems.org/'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = spec.homepage
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) } -
+      ['lib/puffy/parser.y'] +
+      ['lib/puffy/parser.tab.rb']
+  end
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'cri'
+  spec.add_runtime_dependency 'deep_merge'
+
+  spec.add_development_dependency 'aruba'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'cucumber'
+  spec.add_development_dependency 'racc'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rake'
+  spec.add_development_dependency 'rubocop-rspec'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'timecop'
+end