puffy 0.3.1 → 1.1.0.pre.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ccc93913a571a25b75f1984f53315be9df0001f27fd7d1062c274a8ae398a890
-  data.tar.gz: e39938f8393291ccdf37f4c9817abb1dd40c8816a67cadf9c5aea43d57b3969c
+  metadata.gz: 212bbb0b9badf3e5595984f60e85f1739c907434fa65b6498279803111499fd7
+  data.tar.gz: 148f4d57788cc7db0fdee92a6758be60c698a8d59f76e89804875f5424ab52e2
 SHA512:
-  metadata.gz: c701450c7f9fcd9417cde14b41e25381beeec5ef835931e8bfdc30ee10a539b951503b907866d7176064218bfa4120f1ddfc594a4ab461ccf4034221940fa2b4
-  data.tar.gz: 91c204a40f678eaf37ada1ed9f48a4a7ca08e012296df8f8cb2ed92d533a0044b5282ffe19d3ba9abdbb604a8bd12c2e425feca6a894215ec5d458f6b6d4d8a0
+  metadata.gz: 96a3238a90ebb5625ad18279b9b72ec1f122cde54463a6377238091a5e4a5ac8ebb6488fd0de0d176b2b73589e41991eecb53c824c26d5d62f8e7f5c17300d07
+  data.tar.gz: 97a3e613aa975b7e0828bc467f5d485b81eb24eef6771cc90927f3fa6dfdedfa3a142de61ac22c3952c8a042b41788b18270100df0639102de2fd4441a157c36

data/.github/dependabot.yml

@@ -0,0 +1,18 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Open PR for gem updates
+  - package-ecosystem: "bundler" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+
+  # Open PR for GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

data/.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
   rubocop:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -33,9 +33,10 @@ jobs:
           - "3.0"
           - "3.1"
           - "3.2"
+          - "3.3"
     name: Ruby ${{ matrix.ruby }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v6
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -44,12 +45,4 @@ jobs:
       - name: Generate the parser
         run: bundle exec rake gen_parser
       - name: Run tests without uploading code coverage
-        if: ${{ matrix.ruby != '3.0' }}
         run: bundle exec rake
-      - name: Run tests and upload coverage to Code Climate
-        if: ${{ matrix.ruby == '3.0' }}
-        uses: paambaati/codeclimate-action@v3.0.0
-        env:
-          CC_TEST_REPORTER_ID: ${{ secrets.CODECLIMATE_TOKEN }}
-        with:
-          coverageCommand: bundle exec rake

data/.rubocop.yml

@@ -7,6 +7,10 @@ AllCops:
     - tmp/**/*.rb
     - vendor/bundle/**/*
 
+plugins:
+  - rubocop-rake
+  - rubocop-rspec
+
 Layout/HashAlignment:
   EnforcedColonStyle: table
   EnforcedHashRocketStyle: table
@@ -26,6 +30,16 @@ Metrics/ModuleLength:
   Exclude:
     - spec/**/*.rb
 
+RSpec/ExampleLength:
+  Max: 50
+
+RSpec/MultipleExpectations:
+  Max: 10
+
+RSpec/SpecFilePathFormat:
+  Exclude:
+    - spec/core_ext_spec.rb
+
 Style/Documentation:
   Exclude:
     - features/support/env.rb

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [v1.0.0](https://github.com/opus-codium/puffy/tree/v1.0.0) (2024-04-09)
+
+[Full Changelog](https://github.com/opus-codium/puffy/compare/v0.3.1...v1.0.0)
+
+**Implemented enhancements:**
+
+- Setup dependabot [\#36](https://github.com/opus-codium/puffy/pull/36) ([smortex](https://github.com/smortex))
+- Add support for Ruby 3.3 [\#33](https://github.com/opus-codium/puffy/pull/33) ([smortex](https://github.com/smortex))
+
 ## [v0.3.1](https://github.com/opus-codium/puffy/tree/v0.3.1) (2023-11-22)
 
 [Full Changelog](https://github.com/opus-codium/puffy/compare/v0.3.0...v0.3.1)

data/README.md

@@ -25,6 +25,13 @@ Rules must appear in either a *node* or *service* definition, *services* being
 reusable blocks of related rules:
 
 ~~~
+policy block in all
+policy block out log all
+
+service dns do
+  pass proto {tcp udp} to port domain
+end
+
 service ntp do
   pass proto udp to port ntp
 end
@@ -42,6 +49,7 @@ service www do
 end
 
 service base do
+  client dns
   client ntp
   server ssh
 end

data/Rakefile

@@ -14,7 +14,7 @@ Cucumber::Rake::Task.new(:features)
 GitHubChangelogGenerator::RakeTask.new :changelog do |config|
   config.user = 'opus-codium'
   config.project = 'puffy'
-  config.exclude_labels = ['skip-changelog']
+  config.exclude_labels = %w[dependencies skip-changelog]
   config.future_release = "v#{Puffy::VERSION}"
 end
 
@@ -22,11 +22,15 @@ task test: %i[spec features]
 
 task default: :test
 
+# rubocop:disable Rake/Desc
+task feature: :gen_parser
 task build: :gen_parser
+task spec: :gen_parser
+# rubocop:enable Rake/Desc
 
 desc 'Generate the puffy language parser'
 task gen_parser: 'lib/puffy/parser.tab.rb'
 
 file 'lib/puffy/parser.tab.rb' => 'lib/puffy/parser.y' do
-  `racc -S lib/puffy/parser.y`
+  `racc --embedded --frozen --output-status lib/puffy/parser.y`
 end

data/lib/core_ext.rb

@@ -59,15 +59,13 @@ end
 
 class Array # :nodoc:
   def deep_dup
-    array = []
-    each do |value|
-      array << if value.respond_to?(:deep_dup)
-                 value.deep_dup
-               else
-                 value.dup
-               end
+    map do |value|
+      if value.respond_to?(:deep_dup)
+        value.deep_dup
+      else
+        value.dup
+      end
     end
-    array
   end
 end
 

data/lib/puffy/cli.rb

@@ -49,10 +49,10 @@ module Puffy
         run do |opts, args|
           parser = cli.load_network(args[:network])
           rules = parser.ruleset_for(args[:hostname])
-          policy = parser.policy_for(args[:hostname])
+          policies = parser.policies_for(args[:hostname])
 
           formatter = Object.const_get("Puffy::Formatters::#{opts[:formatter]}::Ruleset").new
-          puts formatter.emit_ruleset(rules, policy)
+          puts formatter.emit_ruleset(rules, policies)
         end
       end
 

data/lib/puffy/formatters/base.rb

@@ -34,12 +34,12 @@ module Puffy
           ["# Generated by puffy v#{Puffy::VERSION} on #{Time.now.strftime('%c')}"]
         end
 
-        # Returns a String representation of the provided +rules+ Array of Puffy::Rule with the +policy+ policy.
+        # Returns a String representation of the provided +rules+ Array of Puffy::Rule with the +policies+ policies.
         #
         # @param rules [Array<Puffy::Rule>] array of Puffy::Rule.
-        # @param _policy [Symbol] ruleset policy.
+        # @param _policies [Symbol] ruleset policies.
         # @return [String]
-        def emit_ruleset(rules, _policy = nil)
+        def emit_ruleset(rules, _policies = nil)
           rules.collect { |rule| @rule_formatter.emit_rule(rule) }.join("\n")
         end
 

data/lib/puffy/formatters/iptables.rb

@@ -27,13 +27,13 @@ module Puffy
           }
         end
 
-        # Returns a Iptables String representation of the provided +rules+ Array of Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
+        # Returns a Iptables String representation of the provided +rules+ Array of Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
           parts = []
           parts << emit_header
           parts << raw_ruleset(raw_rules(rules))
           parts << nat_ruleset(nat_rules(rules))
-          parts << filter_ruleset(filter_rules(rules), policy)
+          parts << filter_ruleset(filter_rules(rules), policies)
           ruleset = parts.flatten.compact.join("\n")
           "#{ruleset}\n"
         end
@@ -61,14 +61,14 @@ module Puffy
           parts
         end
 
-        def filter_ruleset(rules, policy)
+        def filter_ruleset(rules, policies)
           return unless rules.any?
 
           parts = ['*filter']
-          parts << emit_chain_policies(input: policy, forward: policy, output: policy)
-          parts << input_filter_ruleset(rules)
-          parts << forward_filter_ruleset(rules)
-          parts << output_filter_rulset(rules)
+          parts << emit_chain_policies(input: policies.dig(:in, :action), forward: policies.dig(:in, :action), output: policies.dig(:out, :action))
+          parts << input_filter_ruleset(rules, policies)
+          parts << forward_filter_ruleset(rules, policies)
+          parts << output_filter_rulset(rules, policies)
           parts << 'COMMIT'
           parts
         end
@@ -77,20 +77,32 @@ module Puffy
           policies.map { |chain, action| ":#{chain.upcase} #{Puffy::Formatters::Iptables.iptables_action(action)} [0:0]" }
         end
 
-        def input_filter_ruleset(rules)
-          parts = ['-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
+        def input_filter_ruleset(rules, policies)
+          parts = [
+            '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
+            '-A INPUT -m conntrack --ctstate INVALID -j DROP',
+          ]
           parts << input_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << '-A INPUT -j LOG' if policies.dig(:in, :log)
+          parts
         end
 
-        def forward_filter_ruleset(rules)
-          parts = ['-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
-          parts << rules.select(&:fwd?).map { |rule| @rule_formatter.emit_rule(rule) }
-          parts << rules.select { |r| r.rdr? && !Puffy::Formatters::Base.loopback_addresses.include?(r.rdr_to_host) }.map { |rule| @rule_formatter.emit_rule(Puffy::Rule.fwd_rule(rule)) }
+        def forward_filter_ruleset(rules, policies)
+          parts = [
+            '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
+            '-A FORWARD -m conntrack --ctstate INVALID -j DROP',
+          ]
+          parts << fwd_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << rdr_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(Puffy::Rule.fwd_rule(rule)) }
+          parts << '-A FORWARD -j LOG' if policies.dig(:in, :log)
+          parts
         end
 
-        def output_filter_rulset(rules)
+        def output_filter_rulset(rules, policies)
           parts = ['-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
           parts << output_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << '-A OUTPUT -j LOG' if policies.dig(:out, :log)
+          parts
         end
 
         def raw_rules(rules)
@@ -113,6 +125,14 @@ module Puffy
           end
         end
 
+        def fwd_filter_rules(rules)
+          rules.select(&:fwd?)
+        end
+
+        def rdr_filter_rules(rules)
+          rules.select { |r| r.rdr? && !Puffy::Formatters::Base.loopback_addresses.include?(r.rdr_to_host) }
+        end
+
         def output_filter_rules(rules)
           rules.select { |r| r.filter? && r.out? }.map do |rule|
             dup = rule.dup

data/lib/puffy/formatters/iptables4.rb

@@ -5,9 +5,9 @@ module Puffy
     module Iptables4 # :nodoc:
       # IPv4 Iptables implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Iptables::Ruleset # :nodoc:
-        # Return an IPv4 Iptables String representation of the provided +rules+ Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
-          super(rules.select(&:ipv4?), policy)
+        # Return an IPv4 Iptables String representation of the provided +rules+ Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
+          super(rules.select(&:ipv4?), policies)
         end
 
         def filename_fragment

data/lib/puffy/formatters/iptables6.rb

@@ -5,9 +5,9 @@ module Puffy
     module Iptables6 # :nodoc:
       # IPv6 Iptables implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Iptables::Ruleset # :nodoc:
-        # Return an IPv6 Iptables String representation of the provided +rules+ Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
-          super(rules.select(&:ipv6?), policy)
+        # Return an IPv6 Iptables String representation of the provided +rules+ Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
+          super(rules.select(&:ipv6?), policies)
         end
 
         def filename_fragment

data/lib/puffy/formatters/pf.rb

@@ -6,10 +6,10 @@ module Puffy
       # Pf implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Base::Ruleset # :nodoc:
         # Returns a Pf String representation of the provided +rules+ Array of Puffy::Rule.
-        def emit_ruleset(rules, policy = :block)
+        def emit_ruleset(rules, policies)
           parts = []
 
-          parts << emit_header(policy)
+          parts << emit_header(policies)
 
           parts << super(rules.select(&:nat?))
           parts << super(rules.select(&:rdr?))
@@ -23,12 +23,14 @@ module Puffy
           ['pf', 'pf.conf']
         end
 
-        def emit_header(policy)
+        def emit_header(policies)
           parts = super()
           parts << 'match in all scrub (no-df)'
           parts << 'set skip on lo'
-          parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy, dir: :in, no_quick: true))
-          parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy, dir: :out, no_quick: true))
+          %i[in out].each do |direction|
+            policy = policies[direction]
+            parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy[:action], log: policy[:log], dir: direction, no_quick: true))
+          end
           parts
         end
       end
@@ -40,6 +42,7 @@ module Puffy
           parts = []
           parts << emit_action(rule)
           parts << emit_direction(rule)
+          parts << emit_log(rule)
           parts << emit_quick(rule)
           parts << emit_on(rule)
           parts << emit_what(rule)
@@ -62,6 +65,10 @@ module Puffy
           'quick' unless rule.no_quick
         end
 
+        def emit_log(rule)
+          'log' if rule.log
+        end
+
         def emit_on(rule)
           "on #{rule.on.gsub('!', '! ')}" if rule.on
         end
@@ -116,13 +123,21 @@ module Puffy
         def emit_rdr_to(rule)
           return unless rule.rdr?
 
-          keyword = Puffy::Formatters::Base.loopback_addresses.include?(rule.rdr_to_host) ? 'divert-to' : 'rdr-to'
+          keyword = rdr_to_keyword(rule)
           destination = rule.rdr_to_host || loopback_address(rule.af)
           raise 'Unspecified address family' if destination.nil?
 
           emit_endpoint_specification(keyword, destination, rule.rdr_to_port)
         end
 
+        def rdr_to_keyword(rule)
+          if Puffy::Formatters::Base.loopback_addresses.include?(rule.rdr_to_host)
+            'divert-to'
+          else
+            'rdr-to'
+          end
+        end
+
         def emit_nat_to(rule)
           "nat-to #{emit_address(rule.nat_to)}" if rule.nat_to
         end