ript 0.8.4

Files changed (79) hide show
  1. data/.gitignore +6 -0
  2. data/.rbenv-version +1 -0
  3. data/AUTHORS.md +16 -0
  4. data/CHANGELOG.md +93 -0
  5. data/Gemfile +4 -0
  6. data/Gemfile.lock +62 -0
  7. data/LICENCE +19 -0
  8. data/README.md +564 -0
  9. data/Rakefile +136 -0
  10. data/bin/rbenv-sudo +18 -0
  11. data/bin/ript +207 -0
  12. data/dist/init.d +48 -0
  13. data/examples/accept-multiple-from-and-to.rb +16 -0
  14. data/examples/accept-with-a-list-of-ports.rb +13 -0
  15. data/examples/accept-with-specific-port-and-interface.rb +14 -0
  16. data/examples/accept-without-specific-from.rb +11 -0
  17. data/examples/accept.rb +12 -0
  18. data/examples/basic.rb +4 -0
  19. data/examples/dash-in-partition-name.rb +2 -0
  20. data/examples/drop.rb +11 -0
  21. data/examples/duplicate-partition-names/foobar1.rb +2 -0
  22. data/examples/duplicate-partition-names/foobar2.rb +2 -0
  23. data/examples/errors-undefined-method-with-no-match.rb +12 -0
  24. data/examples/errors-undefined-method.rb +12 -0
  25. data/examples/forward-dnat-with-different-destination-port.rb +16 -0
  26. data/examples/forward-dnat-with-explicit-from-and-port-mappings.rb +11 -0
  27. data/examples/forward-dnat-with-explicit-from-and-ports.rb +11 -0
  28. data/examples/forward-dnat-with-explicit-from.rb +11 -0
  29. data/examples/forward-dnat-with-explicit-protocols.rb +15 -0
  30. data/examples/forward-dnat-with-multiple-froms.rb +13 -0
  31. data/examples/forward-dnat-with-multiple-ports.rb +10 -0
  32. data/examples/forward-dnat-with-multiple-sources.rb +15 -0
  33. data/examples/forward-dnat.rb +16 -0
  34. data/examples/forward-snat-with-explicit-from.rb +16 -0
  35. data/examples/forward-snat-with-multiple-sources.rb +13 -0
  36. data/examples/forward-snat.rb +9 -0
  37. data/examples/log-and-accept.rb +12 -0
  38. data/examples/log-and-drop.rb +11 -0
  39. data/examples/log-dnat.rb +10 -0
  40. data/examples/log-snat.rb +13 -0
  41. data/examples/log.rb +11 -0
  42. data/examples/missing-address-definition-in-destination.rb +15 -0
  43. data/examples/missing-address-definition-in-from.rb +15 -0
  44. data/examples/multiple-partitions-in-this-file.rb +14 -0
  45. data/examples/multiple-partitions/bar.rb +11 -0
  46. data/examples/multiple-partitions/foo.rb +17 -0
  47. data/examples/partition-name-exactly-20-characters.rb +2 -0
  48. data/examples/partition-name-longer-than-20-characters.rb +2 -0
  49. data/examples/postclean.rb +10 -0
  50. data/examples/preclean.rb +10 -0
  51. data/examples/raw-with-chain-deletion.rb +9 -0
  52. data/examples/raw-with-flush.rb +9 -0
  53. data/examples/raw.rb +50 -0
  54. data/examples/reject.rb +11 -0
  55. data/examples/space-in-partition-name.rb +2 -0
  56. data/features/cli.feature +115 -0
  57. data/features/dsl/errors.feature +107 -0
  58. data/features/dsl/filter.feature +187 -0
  59. data/features/dsl/logging.feature +114 -0
  60. data/features/dsl/nat.feature +271 -0
  61. data/features/dsl/raw.feature +28 -0
  62. data/features/setup.feature +58 -0
  63. data/features/step_definitions/cli_steps.rb +15 -0
  64. data/features/step_definitions/example_steps.rb +44 -0
  65. data/features/support/env.rb +25 -0
  66. data/lib/ript/bootstrap.rb +20 -0
  67. data/lib/ript/dsl.rb +14 -0
  68. data/lib/ript/dsl/primitives.rb +7 -0
  69. data/lib/ript/dsl/primitives/common.rb +78 -0
  70. data/lib/ript/dsl/primitives/filter.rb +145 -0
  71. data/lib/ript/dsl/primitives/nat.rb +206 -0
  72. data/lib/ript/dsl/primitives/raw.rb +45 -0
  73. data/lib/ript/exceptions.rb +2 -0
  74. data/lib/ript/partition.rb +162 -0
  75. data/lib/ript/patches.rb +10 -0
  76. data/lib/ript/rule.rb +70 -0
  77. data/lib/ript/version.rb +3 -0
  78. data/ript.gemspec +33 -0
  79. metadata +232 -0
@@ -0,0 +1,11 @@
1
+ partition "joeblogsco" do
2
+
3
+ label "jbc.com", :address => "172.22.111.99"
4
+
5
+ accept "jbc.com web" do
6
+ ports 80, 443
7
+ to "jbc.com"
8
+ end
9
+
10
+ end
11
+
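Review bot: The `accept "jbc.com web"` block at lines 5–8 carries `ports` and `to` but no `from`, and nothing in the example states what that omission means; if, as the file's name suggests, the DSL treats a missing `from` as "any source", this rule admits 80/443 to 172.22.111.99 from everywhere, which is exactly the behaviour a reader copying the example needs to have spelled out. Add a comment above the block, e.g. `# No "from" given: this accepts 80/443 to jbc.com from any source.`, so the permissive scope is deliberate rather than accidental. Whether ript really defaults to any-source is not visible in this hunk and should be confirmed against the DSL.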
@@ -0,0 +1,12 @@
1
+ partition "keepalived" do
2
+ label "primary lvs", :address => "172.16.0.216"
3
+ label "secondary lvs", :address => "172.16.0.217"
4
+ label "fw multicast", :address => "224.0.0.0/8"
5
+
6
+ accept "keepalive chatter on the fw multicast" do
7
+ protocols "vrrp"
8
+ from "primary lvs", "secondary lvs"
9
+ to "fw multicast"
10
+ end
11
+ end
12
+
@@ -0,0 +1,4 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ partition "basic" do
4
+ end
@@ -0,0 +1,2 @@
1
+ partition "dash-in-my-name" do
2
+ end
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+ label "localhost", :address => "127.0.0.1"
5
+
6
+ drop "localhost on www.bar.com" do
7
+ from "localhost"
8
+ to "www.bar.com"
9
+ end
10
+ end
11
+
@@ -0,0 +1,2 @@
1
+ partition "foobar" do
2
+ end
@@ -0,0 +1,2 @@
1
+ partition "foobar" do
2
+ end
@@ -0,0 +1,12 @@
1
+ partition "keepalived" do
2
+ label "foobar-lvs-04", :address => "192.168.0.76"
3
+ label "util-01", :address => "172.16.0.246"
4
+ label "util-02", :address => "172.16.0.247"
5
+
6
+ accept "ssh access between lvs/firewalls with incorrect invocation" do
7
+ blahblahblah 22
8
+ from "foobar-lvs-04", "util-01", "util-02"
9
+ to "foobar-lvs-04"
10
+ end
11
+ end
12
+
@@ -0,0 +1,12 @@
1
+ partition "keepalived" do
2
+ label "foobar-lvs-04", :address => "192.168.0.76"
3
+ label "util-01", :address => "172.16.0.246"
4
+ label "util-02", :address => "172.16.0.247"
5
+
6
+ accept "ssh access between lvs/firewalls with incorrect invocation" do
7
+ port 22
8
+ from "foobar-lvs-04", "util-01", "util-02"
9
+ to "foobar-lvs-04"
10
+ end
11
+ end
12
+
@@ -0,0 +1,16 @@
1
+ partition "foo" do
2
+ label "www.foo.com", :address => "172.23.0.88"
3
+ label "foo-web-01", :address => "192.168.38.1"
4
+ label "stage.foo.com", :address => "172.23.0.90"
5
+ label "foo-web-02", :address => "192.168.38.2"
6
+
7
+ rewrite "foo.com public website" do
8
+ ports 25, 80, 11, 22 => 9876, 443 => 4443
9
+ dnat "www.foo.com" => "foo-web-01"
10
+ end
11
+
12
+ rewrite "foo.com stage website" do
13
+ ports 22 => 9876, 443 => 4443
14
+ dnat "stage.foo.com" => "foo-web-02"
15
+ end
16
+ end
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label :jamdev, :address => "192.168.23.70/27"
3
+ label "www.bar.com", :address => "172.23.0.95"
4
+ label "barprod-blackhole-01", :address => "192.168.27.66"
5
+
6
+ rewrite "bar" do
7
+ ports 139 => 2011
8
+ from :jamdev
9
+ dnat "www.bar.com" => "barprod-blackhole-01"
10
+ end
11
+ end
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label :jamdev, :address => "192.168.23.70/27"
3
+ label "www.bar.com", :address => "172.23.0.95"
4
+ label "barprod-blackhole-01", :address => "192.168.27.66"
5
+
6
+ rewrite "bar" do
7
+ ports 82
8
+ from :jamdev
9
+ dnat "www.bar.com" => "barprod-blackhole-01"
10
+ end
11
+ end
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label :jamdev, :address => "192.168.23.70/27"
3
+ label "www.bar.com", :address => "172.23.0.95"
4
+ label "barprod-blackhole-01", :address => "192.168.27.66"
5
+
6
+ rewrite "bar" do
7
+ ports 80
8
+ from :jamdev
9
+ dnat "www.bar.com" => "barprod-blackhole-01"
10
+ end
11
+ end
@@ -0,0 +1,15 @@
1
+ partition 'cpm' do
2
+
3
+ label 'internal', :address => '192.168.0.133'
4
+ label 'external', :address => '172.18.88.33'
5
+ label 'office', :address => '172.19.4.55'
6
+
7
+ rewrite 'incoming dns' do
8
+ protocols 'udp', 'tcp'
9
+ ports 53
10
+ from 'office'
11
+ to 'external'
12
+ dnat 'external' => 'internal'
13
+ end
14
+
15
+ end
@@ -0,0 +1,13 @@
1
+ partition "joeblogsco" do
2
+ label :office1, :address => "1.2.3.4"
3
+ label :office2, :address => "4.5.6.7"
4
+ label :office3, :address => "7.8.9.10"
5
+ label "www.joeblogsco.com", :address => "172.19.10.99"
6
+ label "joeblogsco-app-01", :address => "192.168.27.66"
7
+
8
+ rewrite "bar" do
9
+ ports 80
10
+ from :office1, :office2, :office3
11
+ dnat "www.joeblogsco.com" => "joeblogsco-app-01"
12
+ end
13
+ end
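Review bot: The office labels at lines 2–4 use `1.2.3.4`, `4.5.6.7` and `7.8.9.10`, which are publicly routable addresses belonging to third parties; an example that is copied verbatim would open the DNAT to those real hosts. Example sources should come from the RFC 5737 documentation ranges, e.g. `label :office1, :address => "192.0.2.10"`, `label :office2, :address => "198.51.100.10"`, `label :office3, :address => "203.0.113.10"`, which can never match real traffic. The same applies to any other example in this set that uses non-reserved addresses as placeholders.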
@@ -0,0 +1,10 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+
5
+ rewrite "bar.com public website" do
6
+ ports 80, 22
7
+ dnat "www.bar.com" => "barprod-web-01"
8
+ end
9
+ end
10
+
@@ -0,0 +1,15 @@
1
+ partition "bar" do
2
+ label :jamdev, :address => "192.168.23.70/27"
3
+
4
+ label "www.bar.com", :address => "172.23.0.95"
5
+ label "secure.bar.com", :address => "172.23.0.96"
6
+ label "static.bar.com", :address => "172.23.0.97"
7
+ label "barprod-proxy-01", :address => "192.168.27.88"
8
+
9
+ rewrite "bar" do
10
+ ports 80
11
+ dnat [ "www.bar.com",
12
+ "secure.bar.com",
13
+ "static.bar.com" ] => "barprod-proxy-01"
14
+ end
15
+ end
@@ -0,0 +1,16 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+ label "barprod-web-02", :address => "192.168.19.4"
5
+
6
+ rewrite "bar.com public website" do
7
+ ports 80
8
+ dnat "www.bar.com" => "barprod-web-01"
9
+ end
10
+
11
+ rewrite "bar.com public website" do
12
+ ports 22
13
+ dnat "www.bar.com" => "barprod-web-02"
14
+ end
15
+ end
16
+
@@ -0,0 +1,16 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "api.bar.com", :address => "172.24.0.99"
4
+ label "barprod-api-01", :address => "10.55.0.45"
5
+ label "bar prod subnet", :address => "10.55.0.0/24"
6
+
7
+
8
+ # FIXME: should things with a netmask be inserted lower into the chain?
9
+ rewrite "bar" do
10
+ snat "barprod-api-01" => "api.bar.com"
11
+ end
12
+
13
+ rewrite "bar prod outbound" do
14
+ snat "bar prod subnet" => "www.bar.com"
15
+ end
16
+ end
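Review bot: The FIXME at line 8 leaves the real constraint unstated: `barprod-api-01` (10.55.0.45) lies inside `bar prod subnet` (10.55.0.0/24), so the two `snat` rules at lines 9–15 overlap and only their evaluation order decides whether the API host is translated to api.bar.com or swallowed by the broader www.bar.com rule. Whether ript preserves declaration order when it emits the chain is not visible here; if it does, the example works only because the host-specific rule is written first, and that should be said. Replace the FIXME with a comment such as `# barprod-api-01 is inside "bar prod subnet": the host rule must precede the subnet rule or it is shadowed.`, and consider a test that asserts the emitted rule order rather than relying on the file layout.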
@@ -0,0 +1,13 @@
1
+ partition "bar" do
2
+ label "bar uat subnet", :address => "10.33.0.0/24"
3
+ label "bar stage subnet", :address => "10.44.0.0/24"
4
+ label "bar prod subnet", :address => "10.55.0.0/24"
5
+
6
+ label "www.bar.com", :address => "172.23.0.95"
7
+
8
+ rewrite "bar" do
9
+ snat [ "bar uat subnet",
10
+ "bar stage subnet",
11
+ "bar prod subnet" ] => "www.bar.com"
12
+ end
13
+ end
@@ -0,0 +1,9 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "bar subnet", :address => "10.30.0.0/24"
4
+
5
+ rewrite "bar.com public website" do
6
+ snat "bar subnet" => "www.bar.com"
7
+ end
8
+ end
9
+
@@ -0,0 +1,12 @@
1
+ partition "keepalived" do
2
+ label "primary lvs", :address => "172.16.0.216"
3
+ label "secondary lvs", :address => "172.16.0.217"
4
+ label "fw multicast", :address => "224.0.0.0/8"
5
+
6
+ accept "keepalive chatter on the fw multicast", :log => true do
7
+ protocols "vrrp"
8
+ from "primary lvs", "secondary lvs"
9
+ to "fw multicast"
10
+ end
11
+ end
12
+
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+ label "localhost", :address => "127.0.0.1"
5
+
6
+ drop "localhost on www.bar.com", :log => true do
7
+ from "localhost"
8
+ to "www.bar.com"
9
+ end
10
+ end
11
+
@@ -0,0 +1,10 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+
5
+ rewrite "bar.com public website", :log => true do
6
+ ports 80, 22
7
+ dnat "www.bar.com" => "barprod-web-01"
8
+ end
9
+ end
10
+
@@ -0,0 +1,13 @@
1
+ partition "bar" do
2
+ label "bar uat subnet", :address => "10.33.0.0/24"
3
+ label "bar stage subnet", :address => "10.44.0.0/24"
4
+ label "bar prod subnet", :address => "10.55.0.0/24"
5
+
6
+ label "www.bar.com", :address => "172.23.0.95"
7
+
8
+ rewrite "bar", :log => true do
9
+ snat [ "bar uat subnet",
10
+ "bar stage subnet",
11
+ "bar prod subnet" ] => "www.bar.com"
12
+ end
13
+ end
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+ label "localhost", :address => "127.0.0.1"
5
+
6
+ log "localhost on www.bar.com" do
7
+ from "localhost"
8
+ to "www.bar.com"
9
+ end
10
+ end
11
+
@@ -0,0 +1,15 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+
5
+ rewrite "bar.com public website" do
6
+ ports 80
7
+ dnat "www.bar.com" => "barprod-web-01"
8
+ end
9
+
10
+ rewrite "bar.com public website" do
11
+ ports 22
12
+ dnat "www.bar.com" => "barprod-web-02"
13
+ end
14
+ end
15
+
@@ -0,0 +1,15 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+
5
+ rewrite "bar.com public website" do
6
+ ports 80
7
+ dnat "www.bar.com" => "barprod-web-01"
8
+ end
9
+
10
+ drop "bad guy" do
11
+ from "bad guy"
12
+ to "www.bar.com"
13
+ end
14
+ end
15
+
@@ -0,0 +1,14 @@
1
+ %w(bar foo blum frub).each do |name|
2
+ partition(name) do
3
+ label :jamdev, :address => "192.168.23.70/27"
4
+ label "www.bar.com", :address => "172.23.0.95"
5
+ label "barprod-blackhole-01", :address => "192.168.27.66"
6
+
7
+ rewrite "bar" do
8
+ ports 80
9
+ from :jamdev
10
+ dnat "www.bar.com" => "barprod-blackhole-01"
11
+ end
12
+ end
13
+ end
14
+
@@ -0,0 +1,11 @@
1
+ partition "bar" do
2
+ label "www.bar.com", :address => "172.23.0.95", :interface => "vlan44"
3
+ label "barprod-web-01", :address => "192.168.19.2"
4
+ label "localhost", :address => "127.0.0.1"
5
+
6
+ drop "localhost on www.bar.com" do
7
+ from "localhost"
8
+ to "www.bar.com"
9
+ end
10
+ end
11
+
@@ -0,0 +1,17 @@
1
+ partition "foo" do
2
+ label "www.foo.com", :address => "172.23.0.88", :interface => "vlan44"
3
+ label "foo-web-01", :address => "192.168.38.1"
4
+ label "stage.foo.com", :address => "172.23.0.90", :interface => "vlan44"
5
+ label "foo-web-02", :address => "192.168.38.2"
6
+
7
+ rewrite "foo.com public website" do
8
+ ports 25, 80, 11, 22 => 9876, 443 => 4443
9
+ dnat "www.foo.com" => "foo-web-01"
10
+ end
11
+
12
+ rewrite "foo.com stage website" do
13
+ ports 22 => 9876, 443 => 4443
14
+ dnat "stage.foo.com" => "foo-web-02"
15
+ end
16
+ end
17
+
@@ -0,0 +1,2 @@
1
+ partition "name_exactly_20_char" do
2
+ end
@@ -0,0 +1,2 @@
1
+ partition "name_longer_than_21_characters" do
2
+ end
@@ -0,0 +1,10 @@
1
+ partition "supercow" do
2
+ label "cow", :address => "172.27.1.2"
3
+ label "person", :address => "172.29.2.3"
4
+
5
+ accept "moo" do
6
+ from "cow"
7
+ to "person"
8
+ end
9
+ end
10
+
@@ -0,0 +1,10 @@
1
+ partition "supercow" do
2
+ label "cow", :address => "172.27.1.1"
3
+ label "person", :address => "172.29.2.2"
4
+
5
+ accept "moo" do
6
+ from "cow"
7
+ to "person"
8
+ end
9
+ end
10
+
@@ -0,0 +1,9 @@
1
+ partition "boilerplate" do
2
+ raw <<-RAW
3
+ # Delete created chains
4
+ iptables -X
5
+ iptables -t nat -X
6
+ iptables -t mangle -X
7
+ RAW
8
+ end
9
+
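Review bot: The heredoc at lines 2–7 runs `iptables -X` with no chain argument in the filter, nat and mangle tables, which deletes every empty user-defined chain in each table — not just the ones ript created — so the example is host-wide and destructive to chains managed by other tooling, and the `# Delete created chains` comment undersells that. Tighten the comment to `# Delete ALL empty user-defined chains in filter/nat/mangle (not only ript's)`, or restrict the example to the partition's own chains if the DSL exposes them. How `raw` is emitted (verbatim into a shell script or otherwise) is not visible in this hunk; also note `<<-` keeps the body's leading indentation, so the lines are passed with that whitespace intact, which may or may not matter to the consumer.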