puffy 1.0.0 → 1.1.0.pre.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b05f6a865607d5ece6a83d81f3ef925decf281b4fa0fc54daf7aaa2213135831
-  data.tar.gz: 9ac1891cb02cf876b0ac64fc19dc857996c1e3dfa3141e5b339c82f98603ced9
+  metadata.gz: 212bbb0b9badf3e5595984f60e85f1739c907434fa65b6498279803111499fd7
+  data.tar.gz: 148f4d57788cc7db0fdee92a6758be60c698a8d59f76e89804875f5424ab52e2
 SHA512:
-  metadata.gz: 73c1d65f67292e4e3d2452978ad21bc2bca7001cce5304472686a8a843bf742e635b11c86606f43a1af1024cb30bf63faf7f1444cc4b380ee7f589300086bb2b
-  data.tar.gz: f93e5ffc88eda099624f28ce13997dbe0a9222955eb76aa6e5e725d77be3a313da0b38ccddf3f10a550f60418cb44e39bb3724e2a02aab952c2a6b643ec7d28c
+  metadata.gz: 96a3238a90ebb5625ad18279b9b72ec1f122cde54463a6377238091a5e4a5ac8ebb6488fd0de0d176b2b73589e41991eecb53c824c26d5d62f8e7f5c17300d07
+  data.tar.gz: 97a3e613aa975b7e0828bc467f5d485b81eb24eef6771cc90927f3fa6dfdedfa3a142de61ac22c3952c8a042b41788b18270100df0639102de2fd4441a157c36

data/.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
   rubocop:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -36,7 +36,7 @@ jobs:
           - "3.3"
     name: Ruby ${{ matrix.ruby }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Setup ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -45,12 +45,4 @@ jobs:
       - name: Generate the parser
         run: bundle exec rake gen_parser
       - name: Run tests without uploading code coverage
-        if: ${{ matrix.ruby != '3.0' }}
         run: bundle exec rake
-      - name: Run tests and upload coverage to Code Climate
-        if: ${{ matrix.ruby == '3.0' }}
-        uses: paambaati/codeclimate-action@v5.0.0
-        env:
-          CC_TEST_REPORTER_ID: ${{ secrets.CODECLIMATE_TOKEN }}
-        with:
-          coverageCommand: bundle exec rake

data/.rubocop.yml

@@ -7,6 +7,10 @@ AllCops:
     - tmp/**/*.rb
     - vendor/bundle/**/*
 
+plugins:
+  - rubocop-rake
+  - rubocop-rspec
+
 Layout/HashAlignment:
   EnforcedColonStyle: table
   EnforcedHashRocketStyle: table
@@ -26,6 +30,16 @@ Metrics/ModuleLength:
   Exclude:
     - spec/**/*.rb
 
+RSpec/ExampleLength:
+  Max: 50
+
+RSpec/MultipleExpectations:
+  Max: 10
+
+RSpec/SpecFilePathFormat:
+  Exclude:
+    - spec/core_ext_spec.rb
+
 Style/Documentation:
   Exclude:
     - features/support/env.rb

data/README.md

@@ -25,6 +25,13 @@ Rules must appear in either a *node* or *service* definition, *services* being
 reusable blocks of related rules:
 
 ~~~
+policy block in all
+policy block out log all
+
+service dns do
+  pass proto {tcp udp} to port domain
+end
+
 service ntp do
   pass proto udp to port ntp
 end
@@ -42,6 +49,7 @@ service www do
 end
 
 service base do
+  client dns
   client ntp
   server ssh
 end

data/Rakefile

@@ -22,7 +22,11 @@ task test: %i[spec features]
 
 task default: :test
 
+# rubocop:disable Rake/Desc
+task feature: :gen_parser
 task build: :gen_parser
+task spec: :gen_parser
+# rubocop:enable Rake/Desc
 
 desc 'Generate the puffy language parser'
 task gen_parser: 'lib/puffy/parser.tab.rb'

data/lib/puffy/cli.rb

@@ -49,10 +49,10 @@ module Puffy
         run do |opts, args|
           parser = cli.load_network(args[:network])
           rules = parser.ruleset_for(args[:hostname])
-          policy = parser.policy_for(args[:hostname])
+          policies = parser.policies_for(args[:hostname])
 
           formatter = Object.const_get("Puffy::Formatters::#{opts[:formatter]}::Ruleset").new
-          puts formatter.emit_ruleset(rules, policy)
+          puts formatter.emit_ruleset(rules, policies)
         end
       end
 

data/lib/puffy/formatters/base.rb

@@ -34,12 +34,12 @@ module Puffy
           ["# Generated by puffy v#{Puffy::VERSION} on #{Time.now.strftime('%c')}"]
         end
 
-        # Returns a String representation of the provided +rules+ Array of Puffy::Rule with the +policy+ policy.
+        # Returns a String representation of the provided +rules+ Array of Puffy::Rule with the +policies+ policies.
         #
         # @param rules [Array<Puffy::Rule>] array of Puffy::Rule.
-        # @param _policy [Symbol] ruleset policy.
+        # @param _policies [Symbol] ruleset policies.
         # @return [String]
-        def emit_ruleset(rules, _policy = nil)
+        def emit_ruleset(rules, _policies = nil)
           rules.collect { |rule| @rule_formatter.emit_rule(rule) }.join("\n")
         end
 

data/lib/puffy/formatters/iptables.rb

@@ -27,13 +27,13 @@ module Puffy
           }
         end
 
-        # Returns a Iptables String representation of the provided +rules+ Array of Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
+        # Returns a Iptables String representation of the provided +rules+ Array of Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
           parts = []
           parts << emit_header
           parts << raw_ruleset(raw_rules(rules))
           parts << nat_ruleset(nat_rules(rules))
-          parts << filter_ruleset(filter_rules(rules), policy)
+          parts << filter_ruleset(filter_rules(rules), policies)
           ruleset = parts.flatten.compact.join("\n")
           "#{ruleset}\n"
         end
@@ -61,14 +61,14 @@ module Puffy
           parts
         end
 
-        def filter_ruleset(rules, policy)
+        def filter_ruleset(rules, policies)
           return unless rules.any?
 
           parts = ['*filter']
-          parts << emit_chain_policies(input: policy, forward: policy, output: policy)
-          parts << input_filter_ruleset(rules)
-          parts << forward_filter_ruleset(rules)
-          parts << output_filter_rulset(rules)
+          parts << emit_chain_policies(input: policies.dig(:in, :action), forward: policies.dig(:in, :action), output: policies.dig(:out, :action))
+          parts << input_filter_ruleset(rules, policies)
+          parts << forward_filter_ruleset(rules, policies)
+          parts << output_filter_rulset(rules, policies)
           parts << 'COMMIT'
           parts
         end
@@ -77,20 +77,32 @@ module Puffy
           policies.map { |chain, action| ":#{chain.upcase} #{Puffy::Formatters::Iptables.iptables_action(action)} [0:0]" }
         end
 
-        def input_filter_ruleset(rules)
-          parts = ['-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
+        def input_filter_ruleset(rules, policies)
+          parts = [
+            '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
+            '-A INPUT -m conntrack --ctstate INVALID -j DROP',
+          ]
           parts << input_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << '-A INPUT -j LOG' if policies.dig(:in, :log)
+          parts
         end
 
-        def forward_filter_ruleset(rules)
-          parts = ['-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
-          parts << rules.select(&:fwd?).map { |rule| @rule_formatter.emit_rule(rule) }
-          parts << rules.select { |r| r.rdr? && !Puffy::Formatters::Base.loopback_addresses.include?(r.rdr_to_host) }.map { |rule| @rule_formatter.emit_rule(Puffy::Rule.fwd_rule(rule)) }
+        def forward_filter_ruleset(rules, policies)
+          parts = [
+            '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT',
+            '-A FORWARD -m conntrack --ctstate INVALID -j DROP',
+          ]
+          parts << fwd_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << rdr_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(Puffy::Rule.fwd_rule(rule)) }
+          parts << '-A FORWARD -j LOG' if policies.dig(:in, :log)
+          parts
         end
 
-        def output_filter_rulset(rules)
+        def output_filter_rulset(rules, policies)
           parts = ['-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
           parts << output_filter_rules(rules).map { |rule| @rule_formatter.emit_rule(rule) }
+          parts << '-A OUTPUT -j LOG' if policies.dig(:out, :log)
+          parts
         end
 
         def raw_rules(rules)
@@ -113,6 +125,14 @@ module Puffy
           end
         end
 
+        def fwd_filter_rules(rules)
+          rules.select(&:fwd?)
+        end
+
+        def rdr_filter_rules(rules)
+          rules.select { |r| r.rdr? && !Puffy::Formatters::Base.loopback_addresses.include?(r.rdr_to_host) }
+        end
+
         def output_filter_rules(rules)
           rules.select { |r| r.filter? && r.out? }.map do |rule|
             dup = rule.dup

data/lib/puffy/formatters/iptables4.rb

@@ -5,9 +5,9 @@ module Puffy
     module Iptables4 # :nodoc:
       # IPv4 Iptables implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Iptables::Ruleset # :nodoc:
-        # Return an IPv4 Iptables String representation of the provided +rules+ Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
-          super(rules.select(&:ipv4?), policy)
+        # Return an IPv4 Iptables String representation of the provided +rules+ Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
+          super(rules.select(&:ipv4?), policies)
         end
 
         def filename_fragment

data/lib/puffy/formatters/iptables6.rb

@@ -5,9 +5,9 @@ module Puffy
     module Iptables6 # :nodoc:
       # IPv6 Iptables implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Iptables::Ruleset # :nodoc:
-        # Return an IPv6 Iptables String representation of the provided +rules+ Puffy::Rule with the +policy+ policy.
-        def emit_ruleset(rules, policy = :block)
-          super(rules.select(&:ipv6?), policy)
+        # Return an IPv6 Iptables String representation of the provided +rules+ Puffy::Rule with the +policies+ policies.
+        def emit_ruleset(rules, policies)
+          super(rules.select(&:ipv6?), policies)
         end
 
         def filename_fragment

data/lib/puffy/formatters/pf.rb

@@ -6,10 +6,10 @@ module Puffy
       # Pf implementation of a Puffy Ruleset formatter.
       class Ruleset < Puffy::Formatters::Base::Ruleset # :nodoc:
         # Returns a Pf String representation of the provided +rules+ Array of Puffy::Rule.
-        def emit_ruleset(rules, policy = :block)
+        def emit_ruleset(rules, policies)
           parts = []
 
-          parts << emit_header(policy)
+          parts << emit_header(policies)
 
           parts << super(rules.select(&:nat?))
           parts << super(rules.select(&:rdr?))
@@ -23,12 +23,14 @@ module Puffy
           ['pf', 'pf.conf']
         end
 
-        def emit_header(policy)
+        def emit_header(policies)
           parts = super()
           parts << 'match in all scrub (no-df)'
           parts << 'set skip on lo'
-          parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy, dir: :in, no_quick: true))
-          parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy, dir: :out, no_quick: true))
+          %i[in out].each do |direction|
+            policy = policies[direction]
+            parts << @rule_formatter.emit_rule(Puffy::Rule.new(action: policy[:action], log: policy[:log], dir: direction, no_quick: true))
+          end
           parts
         end
       end
@@ -40,6 +42,7 @@ module Puffy
           parts = []
           parts << emit_action(rule)
           parts << emit_direction(rule)
+          parts << emit_log(rule)
           parts << emit_quick(rule)
           parts << emit_on(rule)
           parts << emit_what(rule)
@@ -62,6 +65,10 @@ module Puffy
           'quick' unless rule.no_quick
         end
 
+        def emit_log(rule)
+          'log' if rule.log
+        end
+
         def emit_on(rule)
           "on #{rule.on.gsub('!', '! ')}" if rule.on
         end