ript 0.8.4
- data/.gitignore +6 -0
- data/.rbenv-version +1 -0
- data/AUTHORS.md +16 -0
- data/CHANGELOG.md +93 -0
- data/Gemfile +4 -0
- data/Gemfile.lock +62 -0
- data/LICENCE +19 -0
- data/README.md +564 -0
- data/Rakefile +136 -0
- data/bin/rbenv-sudo +18 -0
- data/bin/ript +207 -0
- data/dist/init.d +48 -0
- data/examples/accept-multiple-from-and-to.rb +16 -0
- data/examples/accept-with-a-list-of-ports.rb +13 -0
- data/examples/accept-with-specific-port-and-interface.rb +14 -0
- data/examples/accept-without-specific-from.rb +11 -0
- data/examples/accept.rb +12 -0
- data/examples/basic.rb +4 -0
- data/examples/dash-in-partition-name.rb +2 -0
- data/examples/drop.rb +11 -0
- data/examples/duplicate-partition-names/foobar1.rb +2 -0
- data/examples/duplicate-partition-names/foobar2.rb +2 -0
- data/examples/errors-undefined-method-with-no-match.rb +12 -0
- data/examples/errors-undefined-method.rb +12 -0
- data/examples/forward-dnat-with-different-destination-port.rb +16 -0
- data/examples/forward-dnat-with-explicit-from-and-port-mappings.rb +11 -0
- data/examples/forward-dnat-with-explicit-from-and-ports.rb +11 -0
- data/examples/forward-dnat-with-explicit-from.rb +11 -0
- data/examples/forward-dnat-with-explicit-protocols.rb +15 -0
- data/examples/forward-dnat-with-multiple-froms.rb +13 -0
- data/examples/forward-dnat-with-multiple-ports.rb +10 -0
- data/examples/forward-dnat-with-multiple-sources.rb +15 -0
- data/examples/forward-dnat.rb +16 -0
- data/examples/forward-snat-with-explicit-from.rb +16 -0
- data/examples/forward-snat-with-multiple-sources.rb +13 -0
- data/examples/forward-snat.rb +9 -0
- data/examples/log-and-accept.rb +12 -0
- data/examples/log-and-drop.rb +11 -0
- data/examples/log-dnat.rb +10 -0
- data/examples/log-snat.rb +13 -0
- data/examples/log.rb +11 -0
- data/examples/missing-address-definition-in-destination.rb +15 -0
- data/examples/missing-address-definition-in-from.rb +15 -0
- data/examples/multiple-partitions-in-this-file.rb +14 -0
- data/examples/multiple-partitions/bar.rb +11 -0
- data/examples/multiple-partitions/foo.rb +17 -0
- data/examples/partition-name-exactly-20-characters.rb +2 -0
- data/examples/partition-name-longer-than-20-characters.rb +2 -0
- data/examples/postclean.rb +10 -0
- data/examples/preclean.rb +10 -0
- data/examples/raw-with-chain-deletion.rb +9 -0
- data/examples/raw-with-flush.rb +9 -0
- data/examples/raw.rb +50 -0
- data/examples/reject.rb +11 -0
- data/examples/space-in-partition-name.rb +2 -0
- data/features/cli.feature +115 -0
- data/features/dsl/errors.feature +107 -0
- data/features/dsl/filter.feature +187 -0
- data/features/dsl/logging.feature +114 -0
- data/features/dsl/nat.feature +271 -0
- data/features/dsl/raw.feature +28 -0
- data/features/setup.feature +58 -0
- data/features/step_definitions/cli_steps.rb +15 -0
- data/features/step_definitions/example_steps.rb +44 -0
- data/features/support/env.rb +25 -0
- data/lib/ript/bootstrap.rb +20 -0
- data/lib/ript/dsl.rb +14 -0
- data/lib/ript/dsl/primitives.rb +7 -0
- data/lib/ript/dsl/primitives/common.rb +78 -0
- data/lib/ript/dsl/primitives/filter.rb +145 -0
- data/lib/ript/dsl/primitives/nat.rb +206 -0
- data/lib/ript/dsl/primitives/raw.rb +45 -0
- data/lib/ript/exceptions.rb +2 -0
- data/lib/ript/partition.rb +162 -0
- data/lib/ript/patches.rb +10 -0
- data/lib/ript/rule.rb +70 -0
- data/lib/ript/version.rb +3 -0
- data/ript.gemspec +33 -0
- metadata +232 -0
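--- a/data/examples/accept.rb
+++ b/data/examples/accept.rb
@@ -0,0 +1,12 @@
+partition "keepalived" do
+label "primary lvs", :address => "172.16.0.216"
+label "secondary lvs", :address => "172.16.0.217"
+label "fw multicast", :address => "224.0.0.0/8"
+
+accept "keepalive chatter on the fw multicast" do
+protocols "vrrp"
+from "primary lvs", "secondary lvs"
+to "fw multicast"
+end
+end
+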
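Review bot: The `"fw multicast"` label is defined as the whole `224.0.0.0/8` range, so the accept rule on gutter line 6 admits VRRP-protocol packets from the two LVS hosts to every multicast group, not just the one VRRP actually uses. VRRP advertisements are sent to 224.0.0.18, so if this example is meant as a copy-paste template the label should be narrowed to `label "fw multicast", :address => "224.0.0.18"`. A one-line comment above the `accept` stating that the rule is deliberately restricted to the vrrp protocol and the two named peers would also make the intent of the example clear to readers copying it.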
data/examples/basic.rb
ADDED
data/examples/drop.rb
ADDED
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "foobar-lvs-04", :address => "192.168.0.76"
|
3
|
+
label "util-01", :address => "172.16.0.246"
|
4
|
+
label "util-02", :address => "172.16.0.247"
|
5
|
+
|
6
|
+
accept "ssh access between lvs/firewalls with incorrect invocation" do
|
7
|
+
blahblahblah 22
|
8
|
+
from "foobar-lvs-04", "util-01", "util-02"
|
9
|
+
to "foobar-lvs-04"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "foobar-lvs-04", :address => "192.168.0.76"
|
3
|
+
label "util-01", :address => "172.16.0.246"
|
4
|
+
label "util-02", :address => "172.16.0.247"
|
5
|
+
|
6
|
+
accept "ssh access between lvs/firewalls with incorrect invocation" do
|
7
|
+
port 22
|
8
|
+
from "foobar-lvs-04", "util-01", "util-02"
|
9
|
+
to "foobar-lvs-04"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "foo" do
|
2
|
+
label "www.foo.com", :address => "172.23.0.88"
|
3
|
+
label "foo-web-01", :address => "192.168.38.1"
|
4
|
+
label "stage.foo.com", :address => "172.23.0.90"
|
5
|
+
label "foo-web-02", :address => "192.168.38.2"
|
6
|
+
|
7
|
+
rewrite "foo.com public website" do
|
8
|
+
ports 25, 80, 11, 22 => 9876, 443 => 4443
|
9
|
+
dnat "www.foo.com" => "foo-web-01"
|
10
|
+
end
|
11
|
+
|
12
|
+
rewrite "foo.com stage website" do
|
13
|
+
ports 22 => 9876, 443 => 4443
|
14
|
+
dnat "stage.foo.com" => "foo-web-02"
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 139 => 2011
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 82
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
label "www.bar.com", :address => "172.23.0.95"
|
4
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
5
|
+
|
6
|
+
rewrite "bar" do
|
7
|
+
ports 80
|
8
|
+
from :jamdev
|
9
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition 'cpm' do
|
2
|
+
|
3
|
+
label 'internal', :address => '192.168.0.133'
|
4
|
+
label 'external', :address => '172.18.88.33'
|
5
|
+
label 'office', :address => '172.19.4.55'
|
6
|
+
|
7
|
+
rewrite 'incoming dns' do
|
8
|
+
protocols 'udp', 'tcp'
|
9
|
+
ports 53
|
10
|
+
from 'office'
|
11
|
+
to 'external'
|
12
|
+
dnat 'external' => 'internal'
|
13
|
+
end
|
14
|
+
|
15
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "joeblogsco" do
|
2
|
+
label :office1, :address => "1.2.3.4"
|
3
|
+
label :office2, :address => "4.5.6.7"
|
4
|
+
label :office3, :address => "7.8.9.10"
|
5
|
+
label "www.joeblogsco.com", :address => "172.19.10.99"
|
6
|
+
label "joeblogsco-app-01", :address => "192.168.27.66"
|
7
|
+
|
8
|
+
rewrite "bar" do
|
9
|
+
ports 80
|
10
|
+
from :office1, :office2, :office3
|
11
|
+
dnat "www.joeblogsco.com" => "joeblogsco-app-01"
|
12
|
+
end
|
13
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label :jamdev, :address => "192.168.23.70/27"
|
3
|
+
|
4
|
+
label "www.bar.com", :address => "172.23.0.95"
|
5
|
+
label "secure.bar.com", :address => "172.23.0.96"
|
6
|
+
label "static.bar.com", :address => "172.23.0.97"
|
7
|
+
label "barprod-proxy-01", :address => "192.168.27.88"
|
8
|
+
|
9
|
+
rewrite "bar" do
|
10
|
+
ports 80
|
11
|
+
dnat [ "www.bar.com",
|
12
|
+
"secure.bar.com",
|
13
|
+
"static.bar.com" ] => "barprod-proxy-01"
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "barprod-web-02", :address => "192.168.19.4"
|
5
|
+
|
6
|
+
rewrite "bar.com public website" do
|
7
|
+
ports 80
|
8
|
+
dnat "www.bar.com" => "barprod-web-01"
|
9
|
+
end
|
10
|
+
|
11
|
+
rewrite "bar.com public website" do
|
12
|
+
ports 22
|
13
|
+
dnat "www.bar.com" => "barprod-web-02"
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
@@ -0,0 +1,16 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "api.bar.com", :address => "172.24.0.99"
|
4
|
+
label "barprod-api-01", :address => "10.55.0.45"
|
5
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
6
|
+
|
7
|
+
|
8
|
+
# FIXME: should things with a netmask be inserted lower into the chain?
|
9
|
+
rewrite "bar" do
|
10
|
+
snat "barprod-api-01" => "api.bar.com"
|
11
|
+
end
|
12
|
+
|
13
|
+
rewrite "bar prod outbound" do
|
14
|
+
snat "bar prod subnet" => "www.bar.com"
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "bar uat subnet", :address => "10.33.0.0/24"
|
3
|
+
label "bar stage subnet", :address => "10.44.0.0/24"
|
4
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
5
|
+
|
6
|
+
label "www.bar.com", :address => "172.23.0.95"
|
7
|
+
|
8
|
+
rewrite "bar" do
|
9
|
+
snat [ "bar uat subnet",
|
10
|
+
"bar stage subnet",
|
11
|
+
"bar prod subnet" ] => "www.bar.com"
|
12
|
+
end
|
13
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
partition "keepalived" do
|
2
|
+
label "primary lvs", :address => "172.16.0.216"
|
3
|
+
label "secondary lvs", :address => "172.16.0.217"
|
4
|
+
label "fw multicast", :address => "224.0.0.0/8"
|
5
|
+
|
6
|
+
accept "keepalive chatter on the fw multicast", :log => true do
|
7
|
+
protocols "vrrp"
|
8
|
+
from "primary lvs", "secondary lvs"
|
9
|
+
to "fw multicast"
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "localhost", :address => "127.0.0.1"
|
5
|
+
|
6
|
+
drop "localhost on www.bar.com", :log => true do
|
7
|
+
from "localhost"
|
8
|
+
to "www.bar.com"
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
@@ -0,0 +1,13 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "bar uat subnet", :address => "10.33.0.0/24"
|
3
|
+
label "bar stage subnet", :address => "10.44.0.0/24"
|
4
|
+
label "bar prod subnet", :address => "10.55.0.0/24"
|
5
|
+
|
6
|
+
label "www.bar.com", :address => "172.23.0.95"
|
7
|
+
|
8
|
+
rewrite "bar", :log => true do
|
9
|
+
snat [ "bar uat subnet",
|
10
|
+
"bar stage subnet",
|
11
|
+
"bar prod subnet" ] => "www.bar.com"
|
12
|
+
end
|
13
|
+
end
|
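Review bot: The hunk that defines `label "barprod-api-01", :address => "10.55.0.45"` and `label "bar prod subnet", :address => "10.55.0.0/24"` ships with an unresolved `# FIXME: should things with a netmask be inserted lower into the chain?`; because the host address lies inside the subnet, the two `rewrite` blocks only give the intended per-host SNAT if the host rule is evaluated before the subnet rule, and an example should state that ordering dependency rather than leave it as an open question. Assuming the DSL emits rules in definition order (not visible in this page), replacing the FIXME with `# ordering matters: the more specific host rule must come before the /24 rule, since the first matching nat rule terminates evaluation for that connection` would document the dependency. Note also that this section is headed `data/examples/drop.rb` (listed as +11 in the diffstat) while its first hunk adds 12 lines containing `blahblahblah 22`, which matches the listed errors-undefined-method.rb example, and the remaining hunks in the section carry no file header at all, so readers cannot tell which example each hunk belongs to; this appears to be a rendering problem of the page rather than of the commit.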
data/examples/log.rb
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
|
5
|
+
rewrite "bar.com public website" do
|
6
|
+
ports 80
|
7
|
+
dnat "www.bar.com" => "barprod-web-01"
|
8
|
+
end
|
9
|
+
|
10
|
+
rewrite "bar.com public website" do
|
11
|
+
ports 22
|
12
|
+
dnat "www.bar.com" => "barprod-web-02"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
@@ -0,0 +1,15 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
|
5
|
+
rewrite "bar.com public website" do
|
6
|
+
ports 80
|
7
|
+
dnat "www.bar.com" => "barprod-web-01"
|
8
|
+
end
|
9
|
+
|
10
|
+
drop "bad guy" do
|
11
|
+
from "bad guy"
|
12
|
+
to "www.bar.com"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
|
@@ -0,0 +1,14 @@
|
|
1
|
+
%w(bar foo blum frub).each do |name|
|
2
|
+
partition(name) do
|
3
|
+
label :jamdev, :address => "192.168.23.70/27"
|
4
|
+
label "www.bar.com", :address => "172.23.0.95"
|
5
|
+
label "barprod-blackhole-01", :address => "192.168.27.66"
|
6
|
+
|
7
|
+
rewrite "bar" do
|
8
|
+
ports 80
|
9
|
+
from :jamdev
|
10
|
+
dnat "www.bar.com" => "barprod-blackhole-01"
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
@@ -0,0 +1,11 @@
|
|
1
|
+
partition "bar" do
|
2
|
+
label "www.bar.com", :address => "172.23.0.95", :interface => "vlan44"
|
3
|
+
label "barprod-web-01", :address => "192.168.19.2"
|
4
|
+
label "localhost", :address => "127.0.0.1"
|
5
|
+
|
6
|
+
drop "localhost on www.bar.com" do
|
7
|
+
from "localhost"
|
8
|
+
to "www.bar.com"
|
9
|
+
end
|
10
|
+
end
|
11
|
+
|
@@ -0,0 +1,17 @@
|
|
1
|
+
partition "foo" do
|
2
|
+
label "www.foo.com", :address => "172.23.0.88", :interface => "vlan44"
|
3
|
+
label "foo-web-01", :address => "192.168.38.1"
|
4
|
+
label "stage.foo.com", :address => "172.23.0.90", :interface => "vlan44"
|
5
|
+
label "foo-web-02", :address => "192.168.38.2"
|
6
|
+
|
7
|
+
rewrite "foo.com public website" do
|
8
|
+
ports 25, 80, 11, 22 => 9876, 443 => 4443
|
9
|
+
dnat "www.foo.com" => "foo-web-01"
|
10
|
+
end
|
11
|
+
|
12
|
+
rewrite "foo.com stage website" do
|
13
|
+
ports 22 => 9876, 443 => 4443
|
14
|
+
dnat "stage.foo.com" => "foo-web-02"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|