ript 0.8.4

data/Rakefile

@@ -0,0 +1,136 @@
+#!/usr/bin/env ruby
+
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'bundler/setup'
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'colorize'
+require 'pathname'
+$: << Pathname.new(__FILE__).join('lib').expand_path.to_s
+require 'ript/version'
+
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty"
+end
+
+desc "Build packages for various platforms"
+#task :build => [ 'build:gem', 'build:deb' ]
+task :build => [ :verify, 'build:gem', 'build:deb' ]
+
+namespace :build do
+  desc "Build RubyGem"
+  task :gem do
+    build_output = `gem build ript.gemspec`
+    puts build_output
+
+    gem_filename = build_output[/File: (.*)/,1]
+    pkg_path = "pkg"
+    FileUtils.mkdir_p(pkg_path)
+    FileUtils.mv(gem_filename, pkg_path)
+
+    puts "Gem built at #{pkg_path}/#{gem_filename}".green
+  end
+
+  desc "Build a deb for Ubuntu"
+  task :deb => :gem do
+    gem_filename = "pkg/ript-#{Ript::VERSION}.gem"
+    deb_filename = "pkg/ript-#{Ript::VERSION}.deb"
+    system("rm -f #{deb_filename}")
+    build_output = `fpm -s gem -t deb -p #{deb_filename} #{gem_filename}`
+
+    require 'json'
+    json = build_output[/({.+})$/, 1]
+    data = JSON.parse(json)
+    if path = data["path"]
+      puts "Deb built at #{path}".green
+    end
+  end
+end
+
+namespace :verify do
+  desc "Verify the CHANGELOG is in order for a release"
+  task :changelog do
+    changelog_filename = "CHANGELOG.md"
+    version = Ript::VERSION
+    command = "grep '^# #{version}' #{changelog_filename} 2>&1 >/dev/null"
+
+    if not system(command)
+      puts "#{changelog_filename} doesn't have an entry for the version (#{version}) you are about to build.".red
+      exit 1
+    end
+  end
+
+  desc "Verify there are no uncommitted files"
+  task :uncommitted do
+    uncommitted = `git ls-files -m`.split("\n")
+    if uncommitted.size > 0
+      puts "The following files are uncommitted:".red
+      uncommitted.each do |filename|
+        puts " - #{filename}".red
+      end
+      exit 1
+    end
+  end
+
+  desc "Verify no requires of RubyGems have snuck in"
+  task :no_rubygems do
+    requires = `grep rubygems lib/ bin/ -rn |grep require`.split("\n")
+    if requires.size > 0
+      puts "The following files use RubyGems:".red
+      requires.each do |filename|
+        puts " - #{filename}".red
+      end
+      exit 1
+    end
+  end
+
+  task :all => [ :changelog, :uncommitted, :no_rubygems ]
+end
+
+task :verify => 'verify:all'
+
+
+
+desc "Clean out the state of iptables"
+task :clean_slate do
+  # Clean filter
+  system("sudo iptables --flush --table filter")
+  system("sudo iptables --delete-chain --table filter")
+  system("sudo iptables --table filter --policy INPUT ACCEPT")
+  system("sudo iptables --table filter --policy FORWARD ACCEPT")
+  system("sudo iptables --table filter --policy OUTPUT ACCEPT")
+
+  # Clean NAT
+  system("sudo iptables --flush --table nat")
+  system("sudo iptables --delete-chain --table nat")
+  system("sudo iptables --table nat --policy PREROUTING ACCEPT")
+  system("sudo iptables --table nat --policy POSTROUTING ACCEPT")
+  system("sudo iptables --table nat --policy OUTPUT ACCEPT")
+
+  # Clean mangle
+  system("sudo iptables --flush --table mangle")
+  system("sudo iptables --delete-chain --table mangle")
+  system("sudo iptables --table mangle --policy PREROUTING ACCEPT")
+  system("sudo iptables --table mangle --policy POSTROUTING ACCEPT")
+  system("sudo iptables --table mangle --policy INPUT ACCEPT")
+  system("sudo iptables --table mangle --policy FORWARD ACCEPT")
+  system("sudo iptables --table mangle --policy OUTPUT ACCEPT")
+
+  # Verify
+  puts "### FILTER ###"
+  system("sudo iptables --list --table filter")
+  puts
+
+  puts "### NAT ###"
+  system("sudo iptables --list --table nat")
+  puts
+
+  puts "### MANGLE ###"
+  system("sudo iptables --list --table mangle")
+  puts
+end
+
+
+

data/bin/rbenv-sudo

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+if [ "$(whoami)" != "root" ]; then
+  echo "You must be root to run this!"
+  exit 1
+fi
+
+if [ -d "$HOME/.rbenv" ]; then
+  export PATH="$HOME/.rbenv/bin:$PATH"
+fi
+if [ -d "/opt/rbenv" ]; then
+  export PATH="/opt/rbenv/bin:$PATH"
+  export RBENV_ROOT="/opt/rbenv"
+fi
+
+eval "$(rbenv init -)"
+
+$@

data/bin/ript

@@ -0,0 +1,207 @@
+#!/usr/bin/env ruby
+
+require 'pathname'
+$: << Pathname.new(__FILE__).parent.parent.join('lib').expand_path.to_s
+# so rules/ can be loaded
+$: << Pathname.new(__FILE__).parent.parent.expand_path.to_s
+$: << Dir.pwd
+require 'ript/dsl'
+
+if RUBY_VERSION =~ /^1.8/ then
+  puts "Ript requires Ruby 1.9 to run. Exiting."
+  exit
+end
+
+if Process.uid != 0 then
+  puts "You must run this as root!"
+  exit 1
+end
+
+if not ARGV[0]
+  puts "Usage: #{$0} <rulefile|directory>"
+  exit! 1
+end
+
+def types
+  {
+    :a => 'filter',
+    :d => 'nat',
+    :s => 'nat',
+  }
+end
+
+def current_chain_names_by_partition
+  # Collect the full iptables output
+  output = {}
+  types.each_pair do |type, table|
+    output[type] =  `iptables --table #{table} --list partition-#{type} --numeric 2>&1 | grep -v 'No chain/target/match by that name'`.split("\n")
+  end
+
+
+  blacklist  = %w(PREROUTING POSTROUTING OUTPUT INPUT FORWARD Chain target before-a after-a partition-a partition-d partition-s)
+  chains = {}
+
+  types.keys.each do |type|
+    chains[type] = {}
+    output[type].each do |line|
+      chain_name = line.split(/ /).first
+      next if blacklist.include? chain_name
+      partition = chain_name.split(/-/).first
+      chains[type][partition] ||= []
+      chains[type][partition] << chain_name
+    end
+  end
+
+  # Add the chains that aren't referenced anywhere to the end
+  ['nat', 'filter'].each do |table|
+    unlisted = `iptables --table #{table} --list --numeric 2>&1 | grep 'Chain'`.split("\n")
+    unlisted = unlisted.map {|l| l.split(/ /)[1]} - blacklist
+    unlisted.each do |chain_name|
+      partition, type = chain_name.split(/-/)
+      type = type[0].to_sym
+      chains[type][partition] ||= []
+      unless chains[type][partition].include? chain_name
+        chains[type][partition] << chain_name
+      end
+    end
+  end
+  chains
+end
+
+if ARGV[0] == 'rules'
+  if ARGV[1] == "generate" or ARGV[1] == "diff" then
+    path = Pathname.new(ARGV[2])
+
+    case
+    when path.directory?
+      path = (path + "**/*.rb").to_s
+      files = Pathname.glob(path)
+      files.each do |file|
+        require "#{file}"
+      end
+    when path.exist?
+      begin
+        require "#{path}"
+      rescue LoadError
+        puts "The specified rule file '#{path}' does not exist"
+        exit 160
+      end
+    else
+      puts "The specified rule file or directory '#{path}' does not exist"
+      exit 160
+    end
+
+    if `iptables --list partition-a --numeric 2>&1 | grep Chain` !~ /^Chain/
+      require 'ript/bootstrap'
+      puts "# bootstrap"
+      puts Ript::Bootstrap.partition.to_iptables
+    end
+
+    if ARGV[1] == "generate"
+      @partitions.each do |partition|
+        puts "# #{partition.name}-#{partition.id}"
+        puts partition.to_iptables
+      end
+    end
+
+    if ARGV[1] == "diff"
+      @partitions.each do |partition|
+        # We assume here that if a partition has a partition-a chain it will have all the others
+        chain_name = "#{partition.name}-#{partition.id.split('-').first}".sub(/-/, '-a')
+        unless current_chain_names_by_partition[:a].has_key?(partition.name) && current_chain_names_by_partition[:a][partition.name].include?(chain_name)
+          puts "# #{partition.name}-#{partition.id}"
+          puts partition.to_iptables
+        end
+      end
+    end
+
+    exit
+  end
+
+  if ARGV[1] == "apply" then
+    output = `#{$0} rules diff #{ARGV[2..-1].join(' ')} 2>&1`
+    puts "#{output}"
+    system("bash -c '#{output}'")
+
+    exit
+  end
+
+  if ARGV[1] == 'save' then
+    system('/sbin/iptables-save')
+    exit
+  end
+
+  puts "Usage: #{$0} <rules> <generate|diff|apply|save> <rulefile|directory>"
+  exit! 1
+end
+
+if ARGV[0] == "clean" then
+  if ARGV[1] == "diff" then
+    path = Pathname.new(ARGV[2])
+
+    case
+    when path.directory?
+      path = (path + "**/*.rb").to_s
+      files = Pathname.glob(path)
+      files.each do |file|
+        require "#{file}"
+      end
+    when path.exist?
+      begin
+        require "#{path}"
+      rescue LoadError => e
+        puts e
+        puts "The specified rule file '#{path}' does not exist"
+        exit 160
+      end
+    else
+      puts "The specified rule file or directory '#{path}' does not exist"
+      exit 160
+    end
+
+    current_chain_names_by_partition.each_pair do |type, partitions|
+      partitions.each_pair do |partition, chains|
+        # If we are in file mode don't remove other partitions
+        next if File.file?(path) && ! @partitions.map(&:name).include?(partition)
+        partition_obj = @partitions.find {|c| c.name == partition }
+        unless partition_obj.nil?
+          chain_name = "#{partition_obj.name}-#{type}#{partition_obj.id.split('-').first}"
+          chains = chains - [chain_name]
+        end
+
+        chains.uniq.each do |chain|
+          table = types[type]
+
+          clean_command = `iptables-save --table #{table} 2>&1 | grep -- '-A partition-#{type}' | grep -- '-j #{chain}'`.split("\n") 
+          clean_command.map! {|line| "iptables --table #{table} #{line}" }
+          clean_command.map! {|line| line.gsub(" -A", " --delete") }
+          clean_command.map! {|line| line.gsub(" -s", " --source") }
+          clean_command.map! {|line| line.gsub(" -d", " --destination") }
+          clean_command.map! {|line| line.gsub(" -j", " --jump") }
+          clean_command.map! {|line| line.strip }
+          puts clean_command
+
+          puts "iptables --table #{table} --flush #{chain}"
+          puts "iptables --table #{table} --delete-chain #{chain}"
+
+        end
+      end
+    end
+    exit
+  end
+
+  if ARGV[1] == "apply" then
+    output = `#{$0} clean diff #{ARGV[2..-1].join(' ')} 2>&1`
+    puts "#{output}"
+    system("bash -c '#{output}'")
+
+    exit
+  end
+
+  puts "Usage: #{$0} <clean> <diff|apply> <rulefile|directory>"
+  exit! 1
+end
+
+
+puts "Usage: #{$0} <rules|clean|save> <generate|diff|apply> <rulefile|directory>"
+exit! 1

data/dist/init.d

@@ -0,0 +1,48 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          ript
+# Required-Start:
+# Required-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: start and stop ript firewall
+# Description:       Start, stop and save ript firewall
+### END INIT INFO
+
+# Author: John Ferlito <johnf@bulletproof.net>
+
+PATH=/sbin:/bin
+DESC="Restore ript firewall"
+NAME=ript
+IPTABLES_RESTORE=/sbin/iptables-restore
+IPTABLES_STATE=/var/lib/ript/iptables.state
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$IPTABLES_RESTORE" ] || exit 0
+
+# Exit if no rules
+[ -f "$IPTABLES_STATE" ] || exit 0
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+case "$1" in
+  start|restart|force-reload)
+    log_daemon_msg "Starting $DESC" "$NAME"
+    $IPTABLES_RESTORE < $IPTABLES_STATE
+    case "$?" in
+      0|1) log_end_msg 0 ;;
+      2) log_end_msg 1 ;;
+    esac
+    ;;
+  *)
+    echo "Usage: $SCRIPTNAME {start|restart|force-reload}" >&2
+    exit 3
+    ;;
+esac

data/examples/accept-multiple-from-and-to.rb

@@ -0,0 +1,16 @@
+partition "tootyfruity" do
+  label "apple",      :address => "192.168.0.1"
+  label "blueberry",  :address => "192.168.0.2"
+  label "cranberry",  :address => "192.168.0.3"
+  label "eggplant",   :address => "192.168.0.4"
+  label "fennel",     :address => "192.168.0.5"
+  label "grapefruit", :address => "192.168.0.6"
+
+  accept "fruits of the forrest" do
+    protocols "tcp"
+    ports     22
+    from      %w(apple blueberry cranberry eggplant fennel grapefruit)
+    to        %w(apple blueberry cranberry eggplant fennel grapefruit)
+  end
+end
+

data/examples/accept-with-a-list-of-ports.rb

@@ -0,0 +1,13 @@
+partition "keepalived" do
+  label "primary lvs",   :address => "172.16.0.216"
+  label "secondary lvs", :address => "172.16.0.217"
+  label "fw multicast",  :address => "224.0.0.0/8"
+
+  accept "keepalive chatter on the fw multicast" do
+    protocols "tcp"
+    ports     80, 8600..8900
+    from      "primary lvs", "secondary lvs"
+    to        "fw multicast"
+  end
+end
+

data/examples/accept-with-specific-port-and-interface.rb

@@ -0,0 +1,14 @@
+partition "keepalived" do
+  label "foobar-lvs-04", :address => "192.168.0.76"
+  label "util-01",       :address => "172.16.0.246"
+  label "util-02",       :address => "172.16.0.247"
+
+  accept "ssh access between lvs/firewalls" do
+    interface "vlan+"
+    protocols "tcp"
+    ports     22
+    from      "foobar-lvs-04", "util-01", "util-02"
+    to        "foobar-lvs-04"
+  end
+end
+