ript 0.8.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +6 -0
- data/.rbenv-version +1 -0
- data/AUTHORS.md +16 -0
- data/CHANGELOG.md +93 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +62 -0
- data/LICENCE +19 -0
- data/README.md +564 -0
- data/Rakefile +136 -0
- data/bin/rbenv-sudo +18 -0
- data/bin/ript +207 -0
- data/dist/init.d +48 -0
- data/examples/accept-multiple-from-and-to.rb +16 -0
- data/examples/accept-with-a-list-of-ports.rb +13 -0
- data/examples/accept-with-specific-port-and-interface.rb +14 -0
- data/examples/accept-without-specific-from.rb +11 -0
- data/examples/accept.rb +12 -0
- data/examples/basic.rb +4 -0
- data/examples/dash-in-partition-name.rb +2 -0
- data/examples/drop.rb +11 -0
- data/examples/duplicate-partition-names/foobar1.rb +2 -0
- data/examples/duplicate-partition-names/foobar2.rb +2 -0
- data/examples/errors-undefined-method-with-no-match.rb +12 -0
- data/examples/errors-undefined-method.rb +12 -0
- data/examples/forward-dnat-with-different-destination-port.rb +16 -0
- data/examples/forward-dnat-with-explicit-from-and-port-mappings.rb +11 -0
- data/examples/forward-dnat-with-explicit-from-and-ports.rb +11 -0
- data/examples/forward-dnat-with-explicit-from.rb +11 -0
- data/examples/forward-dnat-with-explicit-protocols.rb +15 -0
- data/examples/forward-dnat-with-multiple-froms.rb +13 -0
- data/examples/forward-dnat-with-multiple-ports.rb +10 -0
- data/examples/forward-dnat-with-multiple-sources.rb +15 -0
- data/examples/forward-dnat.rb +16 -0
- data/examples/forward-snat-with-explicit-from.rb +16 -0
- data/examples/forward-snat-with-multiple-sources.rb +13 -0
- data/examples/forward-snat.rb +9 -0
- data/examples/log-and-accept.rb +12 -0
- data/examples/log-and-drop.rb +11 -0
- data/examples/log-dnat.rb +10 -0
- data/examples/log-snat.rb +13 -0
- data/examples/log.rb +11 -0
- data/examples/missing-address-definition-in-destination.rb +15 -0
- data/examples/missing-address-definition-in-from.rb +15 -0
- data/examples/multiple-partitions-in-this-file.rb +14 -0
- data/examples/multiple-partitions/bar.rb +11 -0
- data/examples/multiple-partitions/foo.rb +17 -0
- data/examples/partition-name-exactly-20-characters.rb +2 -0
- data/examples/partition-name-longer-than-20-characters.rb +2 -0
- data/examples/postclean.rb +10 -0
- data/examples/preclean.rb +10 -0
- data/examples/raw-with-chain-deletion.rb +9 -0
- data/examples/raw-with-flush.rb +9 -0
- data/examples/raw.rb +50 -0
- data/examples/reject.rb +11 -0
- data/examples/space-in-partition-name.rb +2 -0
- data/features/cli.feature +115 -0
- data/features/dsl/errors.feature +107 -0
- data/features/dsl/filter.feature +187 -0
- data/features/dsl/logging.feature +114 -0
- data/features/dsl/nat.feature +271 -0
- data/features/dsl/raw.feature +28 -0
- data/features/setup.feature +58 -0
- data/features/step_definitions/cli_steps.rb +15 -0
- data/features/step_definitions/example_steps.rb +44 -0
- data/features/support/env.rb +25 -0
- data/lib/ript/bootstrap.rb +20 -0
- data/lib/ript/dsl.rb +14 -0
- data/lib/ript/dsl/primitives.rb +7 -0
- data/lib/ript/dsl/primitives/common.rb +78 -0
- data/lib/ript/dsl/primitives/filter.rb +145 -0
- data/lib/ript/dsl/primitives/nat.rb +206 -0
- data/lib/ript/dsl/primitives/raw.rb +45 -0
- data/lib/ript/exceptions.rb +2 -0
- data/lib/ript/partition.rb +162 -0
- data/lib/ript/patches.rb +10 -0
- data/lib/ript/rule.rb +70 -0
- data/lib/ript/version.rb +3 -0
- data/ript.gemspec +33 -0
- metadata +232 -0
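--- a/data/examples/accept.rb
+++ b/data/examples/accept.rb
@@ -0,0 +1,12 @@
+partition "keepalived" do
+label "primary lvs", :address => "172.16.0.216"
+label "secondary lvs", :address => "172.16.0.217"
+label "fw multicast", :address => "224.0.0.0/8"
+
+accept "keepalive chatter on the fw multicast" do
+protocols "vrrp"
+from "primary lvs", "secondary lvs"
+to "fw multicast"
+end
+end
+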
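Review bot: The `fw multicast` label in accept.rb covers the whole 224.0.0.0/8 range, while VRRP advertisements are sent to a single group, 224.0.0.18, so the accept rule admits far more multicast from the two LVS hosts than keepalived needs. Narrowing it to `label "fw multicast", :address => "224.0.0.18"` keeps the example least-privilege without changing what keepalived requires. `protocols "vrrp"` also relies on the protocol name being resolvable on the target host (VRRP is IP protocol 112); on a host whose /etc/protocols lacks the entry the rule will fail to load, so a comment such as `# VRRP is IP protocol 112; needs an entry in /etc/protocols` would save the next user a debugging round. Whether the DSL accepts a numeric protocol instead is decided in lib/ript/dsl/primitives, which is not shown here.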
data/examples/basic.rb
ADDED
data/examples/drop.rb
ADDED
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "foobar-lvs-04", :address => "192.168.0.76"
|
3
|
+
label "util-01", :address => "172.16.0.246"
|
4
|
+
label "util-02", :address => "172.16.0.247"
|
5
|
+
|
6
|
+
accept "ssh access between lvs/firewalls with incorrect invocation" do
|
7
|
+
blahblahblah 22
|
8
|
+
from "foobar-lvs-04", "util-01", "util-02"
|
9
|
+
to "foobar-lvs-04"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "foobar-lvs-04", :address => "192.168.0.76"
|
3
|
+
label "util-01", :address => "172.16.0.246"
|
4
|
+
label "util-02", :address => "172.16.0.247"
|
5
|
+
|
6
|
+
accept "ssh access between lvs/firewalls with incorrect invocation" do
|
7
|
+
port 22
|
8
|
+
from "foobar-lvs-04", "util-01", "util-02"
|
9
|
+
to "foobar-lvs-04"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "foo" do
|
2
|
+
label "www.foo.com", :address => "172.23.0.88"
|
3
|
+
label "foo-web-01", :address => "192.168.38.1"
|
4
|
+
label "stage.foo.com", :address => "172.23.0.90"
|
5
|
+
label "foo-web-02", :address => "192.168.38.2"
|
6
|
+
|
7
|
+
rewrite "foo.com public website" do
|
8
|
+
ports 25, 80, 11, 22 => 9876, 443 => 4443
|
9
|
+
dnat "www.foo.com" => "foo-web-01"
|
10
|
+
end
|
11
|
+
|
12
|
+
rewrite "foo.com stage website" do
|
13
|
+
ports 22 => 9876, 443 => 4443
|
14
|
+
dnat "stage.foo.com" => "foo-web-02"
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 139 => 2011
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 82
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 80
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition 'cpm' do
|
2
|
+
|
3
|
+
label 'internal', :address => '192.168.0.133'
|
4
|
+
label 'external', :address => '172.18.88.33'
|
5
|
+
label 'office', :address => '172.19.4.55'
|
6
|
+
|
7
|
+
rewrite 'incoming dns' do
|
8
|
+
protocols 'udp', 'tcp'
|
9
|
+
ports 53
|
10
|
+
from 'office'
|
11
|
+
to 'external'
|
12
|
+
dnat 'external' => 'internal'
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "joeblogsco" do
|
2
|
+
label :office1, :address => "1.2.3.4"
|
3
|
+
label :office2, :address => "4.5.6.7"
|
4
|
+
label :office3, :address => "7.8.9.10"
|
5
|
+
label "www.joeblogsco.com", :address => "172.19.10.99"
|
6
|
+
label "joeblogsco-app-01", :address => "192.168.27.66"
|
7
|
+
|
8
|
+
rewrite "bar" do
|
9
|
+
ports 80
|
10
|
+
from :office1, :office2, :office3
|
11
|
+
dnat "www.joeblogsco.com" => "joeblogsco-app-01"
|
12
|
+
end
|
13
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
|
4
|
+
label "www.bar.com", :address => "172.23.0.95"
|
5
|
+
label "secure.bar.com", :address => "172.23.0.96"
|
6
|
+
label "static.bar.com", :address => "172.23.0.97"
|
7
|
+
label "barprod-proxy-01", :address => "192.168.27.88"
|
8
|
+
|
9
|
+
rewrite "bar" do
|
10
|
+
ports 80
|
11
|
+
dnat [ "www.bar.com",
|
12
|
+
"secure.bar.com",
|
13
|
+
"static.bar.com" ] => "barprod-proxy-01"
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "barprod-web-02", :address => "192.168.19.4"
|
5
|
+
|
6
|
+
rewrite "bar.com public website" do
|
7
|
+
ports 80
|
8
|
+
dnat "www.bar.com" => "barprod-web-01"
|
9
|
+
end
|
10
|
+
|
11
|
+
rewrite "bar.com public website" do
|
12
|
+
ports 22
|
13
|
+
dnat "www.bar.com" => "barprod-web-02"
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "api.bar.com", :address => "172.24.0.99"
|
4
|
+
label "barprod-api-01", :address => "10.55.0.45"
|
5
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
6
|
+
|
7
|
+
|
8
|
+
# FIXME: should things with a netmask be inserted lower into the chain?
|
9
|
+
rewrite "bar" do
|
10
|
+
snat "barprod-api-01" => "api.bar.com"
|
11
|
+
end
|
12
|
+
|
13
|
+
rewrite "bar prod outbound" do
|
14
|
+
snat "bar prod subnet" => "www.bar.com"
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "bar uat subnet", :address => "10.33.0.0/24"
|
3
|
+
label "bar stage subnet", :address => "10.44.0.0/24"
|
4
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
5
|
+
|
6
|
+
label "www.bar.com", :address => "172.23.0.95"
|
7
|
+
|
8
|
+
rewrite "bar" do
|
9
|
+
snat [ "bar uat subnet",
|
10
|
+
"bar stage subnet",
|
11
|
+
"bar prod subnet" ] => "www.bar.com"
|
12
|
+
end
|
13
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "primary lvs", :address => "172.16.0.216"
|
3
|
+
label "secondary lvs", :address => "172.16.0.217"
|
4
|
+
label "fw multicast", :address => "224.0.0.0/8"
|
5
|
+
|
6
|
+
accept "keepalive chatter on the fw multicast", :log => true do
|
7
|
+
protocols "vrrp"
|
8
|
+
from "primary lvs", "secondary lvs"
|
9
|
+
to "fw multicast"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "localhost", :address => "127.0.0.1"
|
5
|
+
|
6
|
+
drop "localhost on www.bar.com", :log => true do
|
7
|
+
from "localhost"
|
8
|
+
to "www.bar.com"
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "bar uat subnet", :address => "10.33.0.0/24"
|
3
|
+
label "bar stage subnet", :address => "10.44.0.0/24"
|
4
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
5
|
+
|
6
|
+
label "www.bar.com", :address => "172.23.0.95"
|
7
|
+
|
8
|
+
rewrite "bar", :log => true do
|
9
|
+
snat [ "bar uat subnet",
|
10
|
+
"bar stage subnet",
|
11
|
+
"bar prod subnet" ] => "www.bar.com"
|
12
|
+
end
|
13
|
+
end
|
data/examples/log.rb
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
|
5
|
+
rewrite "bar.com public website" do
|
6
|
+
ports 80
|
7
|
+
dnat "www.bar.com" => "barprod-web-01"
|
8
|
+
end
|
9
|
+
|
10
|
+
rewrite "bar.com public website" do
|
11
|
+
ports 22
|
12
|
+
dnat "www.bar.com" => "barprod-web-02"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
|
5
|
+
rewrite "bar.com public website" do
|
6
|
+
ports 80
|
7
|
+
dnat "www.bar.com" => "barprod-web-01"
|
8
|
+
end
|
9
|
+
|
10
|
+
drop "bad guy" do
|
11
|
+
from "bad guy"
|
12
|
+
to "www.bar.com"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
@@ -0,0 +1,14 @@
|
|
1
|
+
%w(bar foo blum frub).each do |name|
|
2
|
+
partition(name) do
|
3
|
+
label :jamdev, :address => "192.168.23.70/27"
|
4
|
+
label "www.bar.com", :address => "172.23.0.95"
|
5
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
6
|
+
|
7
|
+
rewrite "bar" do
|
8
|
+
ports 80
|
9
|
+
from :jamdev
|
10
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95", :interface => "vlan44"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "localhost", :address => "127.0.0.1"
|
5
|
+
|
6
|
+
drop "localhost on www.bar.com" do
|
7
|
+
from "localhost"
|
8
|
+
to "www.bar.com"
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
@@ -0,0 +1,17 @@
|
|
1
|
+
partition "foo" do
|
2
|
+
label "www.foo.com", :address => "172.23.0.88", :interface => "vlan44"
|
3
|
+
label "foo-web-01", :address => "192.168.38.1"
|
4
|
+
label "stage.foo.com", :address => "172.23.0.90", :interface => "vlan44"
|
5
|
+
label "foo-web-02", :address => "192.168.38.2"
|
6
|
+
|
7
|
+
rewrite "foo.com public website" do
|
8
|
+
ports 25, 80, 11, 22 => 9876, 443 => 4443
|
9
|
+
dnat "www.foo.com" => "foo-web-01"
|
10
|
+
end
|
11
|
+
|
12
|
+
rewrite "foo.com stage website" do
|
13
|
+
ports 22 => 9876, 443 => 4443
|
14
|
+
dnat "stage.foo.com" => "foo-web-02"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
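Review bot: The `partition "foo"` hunk at the end of this section (the one with `:interface => "vlan44"`) DNATs `ports 25, 80, 11, 22 => 9876, 443 => 4443` from `www.foo.com` to `foo-web-01` with no `from` clause, so SSH (22) and SMTP (25) on the backend become reachable from any source that can hit the public address. Port 11 (systat) is very unlikely to be something anyone wants forwarded and looks like a typo. If the example only needs to demonstrate port remapping, restrict it with a `from` label as the `bar` examples do, or at least add `# deliberately unrestricted: demonstrates port mapping only, do not copy as-is` above the rewrite. Whether ript turns the label's `:interface` into an inbound-interface match on the DNAT rule is decided in lib/ript/dsl/primitives/nat.rb, which is not shown here.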