ript 0.8.4

data/examples/raw-with-flush.rb

@@ -0,0 +1,9 @@
+partition "boilerplate" do
+  raw <<-RAW
+# Flush everything
+iptables -t filter -F
+iptables -t nat -F
+iptables -t mangle -F
+  RAW
+end
+

data/examples/raw.rb

@@ -0,0 +1,50 @@
+partition "setup" do
+  raw <<-RAW
+####################
+#      policy      #
+####################
+iptables --policy INPUT DROP
+iptables --policy OUTPUT DROP
+iptables --policy FORWARD DROP
+iptables --table mangle --policy PREROUTING ACCEPT
+iptables --table mangle --policy OUTPUT ACCEPT
+
+####################
+#      before      #
+####################
+# Clean all traffic by sending it through a "before" chain.
+iptables --new-chain before-a
+
+iptables --insert INPUT 1 --jump before-a
+iptables --insert OUTPUT 1 --jump before-a
+iptables --insert FORWARD 1 --jump before-a
+
+# ICMP cleaning
+iptables --append before-a --protocol ICMP --icmp-type echo-reply --jump ACCEPT
+iptables --append before-a --protocol ICMP --icmp-type destination-unreachable --jump ACCEPT
+iptables --append before-a --protocol ICMP --icmp-type source-quench --jump ACCEPT
+iptables --append before-a --protocol ICMP --icmp-type echo-request --jump ACCEPT
+iptables --append before-a --protocol ICMP --icmp-type time-exceeded --jump ACCEPT
+iptables --append before-a --protocol ICMP --icmp-type parameter-problem --jump ACCEPT
+iptables --append before-a --protocol ICMP --jump LOG --log-prefix "INVALID_ICMP " --log-level debug
+iptables --append before-a --protocol ICMP --jump DROP
+
+# State cleaning
+iptables --append before-a --match state --state INVALID --jump LOG --log-prefix "INVALID_STATE " --log-level debug
+iptables --append before-a --match state --state INVALID --jump DROP
+iptables --append before-a --protocol TCP --match state --state ESTABLISHED,RELATED --jump ACCEPT
+iptables --append before-a --protocol UDP --match state --state ESTABLISHED,RELATED --jump ACCEPT
+
+# Allow loopback
+iptables --insert before-a --protocol ALL --in-interface lo --jump ACCEPT
+iptables --insert before-a --protocol ALL --out-interface lo --jump ACCEPT
+
+####################
+#      after       #
+####################
+# Clean all traffic by sending it through an "after" chain.
+iptables --new-chain after-a
+iptables --append after-a --jump LOG --log-prefix "END_DROP " --log-level debug
+  RAW
+end
+

data/examples/reject.rb

@@ -0,0 +1,11 @@
+partition "bar" do
+  label "www.bar.com",    :address => "172.23.0.95"
+  label "barprod-web-01", :address => "192.168.19.2"
+  label "localhost",      :address => "127.0.0.1"
+
+  reject "localhost on www.bar.com" do
+    from "localhost"
+    to   "www.bar.com"
+  end
+end
+

data/examples/space-in-partition-name.rb

@@ -0,0 +1,2 @@
+partition "space in my name" do
+end

data/features/cli.feature

@@ -0,0 +1,115 @@
+Feature: Ript cli utility
+
+  @sudo @timeout-10
+  Scenario: Check rules to apply
+    Given I have no iptables rules loaded
+    When I run `ript rules diff examples/basic.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain basic-d\w+
+      iptables --table nat --new-chain basic-s\w+
+      iptables --table filter --new-chain basic-a\w+
+      """
+    Then the created chain name in all tables should match
+
+  @sudo @timeout-10
+  Scenario: Apply rules
+    Given I have no iptables rules loaded
+    When I run `ript rules diff examples/basic.rb`
+    Then the output from "ript rules diff examples/basic.rb" should match:
+      """
+      iptables --table nat --new-chain basic-d\w+
+      iptables --table nat --new-chain basic-s\w+
+      iptables --table filter --new-chain basic-a\w+
+      """
+    When I run `ript rules apply examples/basic.rb`
+    Then the output from "ript rules diff examples/basic.rb" should match:
+      """
+      iptables --table nat --new-chain basic-d\w+
+      iptables --table nat --new-chain basic-s\w+
+      iptables --table filter --new-chain basic-a\w+
+      """
+    When I run `ript rules diff examples/basic.rb `
+    Then the output from "ript rules diff examples/basic.rb " should contain exactly:
+      """
+      """
+    Then the created chain name in all tables should match
+
+  @sudo @timeout-10
+  Scenario: Clean rules
+    Given I have no iptables rules loaded
+    When I run `ript rules apply examples/preclean.rb`
+    Then the output from "ript rules apply examples/preclean.rb" should match:
+      """
+      iptables --table filter --new-chain partition-a
+      iptables --table filter --insert INPUT 1 --jump partition-a
+      iptables --table filter --insert OUTPUT 1 --jump partition-a
+      iptables --table filter --insert FORWARD 1 --jump partition-a
+      iptables --table nat --new-chain partition-d
+      iptables --table nat --insert PREROUTING 1 --jump partition-d
+      iptables --table nat --new-chain partition-s
+      iptables --table nat --insert POSTROUTING 1 --jump partition-s
+
+
+      # supercow-\w+
+      iptables --table nat --new-chain supercow-d\w+
+      iptables --table nat --new-chain supercow-s\w+
+      iptables --table filter --new-chain supercow-a\w+
+      iptables --table filter --append supercow-a\w+ --protocol TCP --destination 172.29.2.2 --source 172.27.1.1 --jump ACCEPT
+      iptables --table filter --insert partition-a --destination 172.29.2.2 --jump supercow-a\w+
+      """
+    When I run `ript rules apply examples/postclean.rb`
+    Then the output from "ript rules apply examples/postclean.rb" should match:
+      """
+      # supercow-\w+
+      iptables --table nat --new-chain supercow-d\w+
+      iptables --table nat --new-chain supercow-s\w+
+      iptables --table filter --new-chain supercow-a\w+
+      iptables --table filter --append supercow-a\w+ --protocol TCP --destination 172.29.2.3 --source 172.27.1.2 --jump ACCEPT
+      iptables --table filter --insert partition-a --destination 172.29.2.3 --jump supercow-a\w+
+      """
+    When I run `ript rules diff examples/postclean.rb`
+    Then the output from "ript rules diff examples/postclean.rb" should contain exactly:
+      """
+      """
+    When I run `ript clean apply examples/postclean.rb `
+    Then the output from "ript clean apply examples/postclean.rb " should match:
+      """
+      iptables --table filter --delete partition-a --destination 172.29.2.2/32 --jump supercow-a\w+
+      iptables --table filter --flush supercow-a\w+
+      iptables --table filter --delete-chain supercow-a\w+
+      iptables --table nat --flush supercow-d\w+
+      iptables --table nat --delete-chain supercow-d\w+
+      iptables --table nat --flush supercow-s\w+
+      iptables --table nat --delete-chain supercow-s\w+
+      """
+   When I run `ript clean diff examples/postclean.rb`
+   Then the output from "ript clean diff examples/postclean.rb" should contain exactly:
+      """
+      """
+
+  @sudo @timeout-10
+  Scenario: raw rules should only apply once
+    Given I have no iptables rules loaded
+    When I run `ript rules apply examples/raw.rb`
+    Then the output from "ript rules apply examples/raw.rb" should match:
+      """
+      iptables --new-chain before-a
+      """
+    When I run `ript rules diff examples/raw.rb`
+    Then the output from "ript rules diff examples/raw.rb" should contain exactly:
+      """
+      """
+
+  @sudo @timeout-10
+  Scenario: Rule saving works
+    Given I have no iptables rules loaded
+    When I run `ript rules save`
+    Then the output from "ript rules save" should match:
+      """
+      \*filter
+      :INPUT ACCEPT \[\d+:\d+\]
+      :FORWARD ACCEPT \[\d+:\d+\]
+      :OUTPUT ACCEPT \[\d+:\d+\]
+      COMMIT
+      """

data/features/dsl/errors.feature

@@ -0,0 +1,107 @@
+Feature: Error handling
+  To ensure that rules apply cleanly
+  Ript should validate user input
+  And fail gracefully
+
+  @errors @name
+  Scenario: Name errors - undefined method
+    # should verify no spaces or dashes
+    When I run `ript rules generate examples/errors-undefined-method.rb`
+    Then the output should match:
+      """
+      You tried using the '.+' method on line \d+ in .+/errors-undefined-method.rb
+      This method doesn't exist in the DSL. Did you mean:
+
+       - ports
+
+      Aborting.
+      """
+    When I run `ript rules generate examples/errors-undefined-method-with-no-match.rb`
+    Then the output should match:
+      """
+      You tried using the '.+' method on line \d+ in .+/errors-undefined-method-with-no-match.rb
+      This method doesn't exist in the DSL. There aren't any other methods with similar names. :-\(
+      Aborting.
+      """
+
+  @errors @parse @duplicate
+  Scenario: Parse errors - duplicate partition name
+    # should verify no spaces or dashes
+    When I run `ript rules generate examples/duplicate-partition-names/`
+    Then the output should match:
+      """
+      Error: Partition name '\w+' is already defined!
+      """
+
+  @errors @parse
+  Scenario: Parse errors - bad characters in partition name
+    # should verify no spaces or dashes
+    When I run `ript rules generate examples/space-in-partition-name.rb`
+    Then the output should match:
+      """
+      Error: Partition name '.+' can't contain whitespace.
+      """
+    When I run `ript rules generate examples/dash-in-partition-name.rb`
+    Then the output should match:
+      """
+      Error: Partition name '.+' can't contain dashes
+      """
+
+  @errors @parse
+  Scenario: Parse errors - partition name longer than  characters
+    When I run `ript rules generate examples/partition-name-longer-than-20-characters.rb`
+    Then the output should match:
+      """
+      Error: Partition name '.+' cannot be longer than 20 characters.
+      """
+    When I run `ript rules generate examples/partition-name-exactly-20-characters.rb`
+    Then the output should match:
+      """
+      name_exactly_20_char
+      """
+
+
+  @errors @parse
+  Scenario: Parse errors - spaces and dashes
+    When I run `ript rules generate examples/space-in-partition-name.rb`
+    Then the output should contain:
+      """
+      Partition name 'space in my name' can't contain whitespace
+      """
+    When I run `ript rules generate examples/dash-in-partition-name.rb`
+    Then the output should contain:
+      """
+       Partition name 'dash-in-my-name' can't contain dashes ('-')
+      """
+
+  @errors @parse
+  Scenario: Parse errors - missing address definition
+    When I run `ript rules generate examples/missing-address-definition-in-destination.rb`
+    Then the output should contain:
+      """
+      Address 'barprod-web-02' (a destination) isn't defined
+      """
+
+  @errors
+  Scenario: Parse errors - missing address definition
+    When I run `ript rules generate examples/missing-address-definition-in-from.rb`
+    Then the output should contain:
+      """
+      Address 'bad guy' (a from) isn't defined
+      """
+
+  @errors
+  Scenario: Load errors - missing rule file
+    When I run `ript rules generate examples/non-existent-lalalalala.rb`
+    Then the output should match:
+      """
+      The specified rule file or directory 'examples/non-existent-lalalalala.rb' does not exist
+      """
+
+  @errors @parse
+  Scenario: Multiple partition definitions in the same file
+    When I run `ript rules generate examples/multiple-partitions-in-this-file.rb`
+    Then the output should match:
+      """
+      Multiple partition definitions are not permitted in the same file.
+      """

data/features/dsl/filter.feature

@@ -0,0 +1,187 @@
+Feature: Ript DSL
+
+  Scenario: Basic partition
+    When I run `ript rules generate examples/basic.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain basic-d\w+
+      iptables --table nat --new-chain basic-s\w+
+      iptables --table filter --new-chain basic-a\w+
+      """
+    Then the created chain name in all tables should match
+
+  @filter @drop
+  Scenario: Drop someone
+    When I run `ript rules generate examples/drop.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain bar-d\w+
+      iptables --table nat --new-chain bar-s\w+
+      iptables --table filter --new-chain bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 172.23.0.95 --jump bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append bar-a\w+ --protocol TCP --destination 172.23.0.95 --source 127.0.0.1 --jump DROP
+      """
+    Then the created chain name in all tables should match
+
+  @filter @accept
+  Scenario: Accept someone
+    When I run `ript rules generate examples/accept.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain keepalived-d\w+
+      iptables --table nat --new-chain keepalived-s\w+
+      iptables --table filter --new-chain keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 224.0.0.0/8 --jump keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.216 --jump ACCEPT
+      iptables --table filter --append keepalived-a\w+ --protocol vrrp --destination 224.0.0.0/8 --source 172.16.0.217 --jump ACCEPT
+      """
+    Then the created chain name in all tables should match
+
+  @filter @accept
+  Scenario: Accept someone with a specific port and interface
+    When I run `ript rules generate examples/accept-with-specific-port-and-interface.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain keepalived-d\w+
+      iptables --table nat --new-chain keepalived-s\w+
+      iptables --table filter --new-chain keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 192.168.0.76 --jump keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append keepalived-a\w+ --in-interface vlan\+ --protocol tcp --dport 22 --destination 192.168.0.76 --source 192.168.0.76 --jump ACCEPT
+      """
+    Then the created chain name in all tables should match
+
+  @filter @reject
+  Scenario: Reject someone
+    When I run `ript rules generate examples/reject.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain bar-d\w+
+      iptables --table nat --new-chain bar-s\w+
+      iptables --table filter --new-chain bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 172.23.0.95 --jump bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append bar-a\w+ --protocol TCP --destination 172.23.0.95 --source 127.0.0.1 --jump REJECT
+      """
+    Then the created chain name in all tables should match
+
+  @filter @log
+  Scenario: Log someone
+    When I run `ript rules generate examples/log.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain bar-d\w+
+      iptables --table nat --new-chain bar-s\w+
+      iptables --table filter --new-chain bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 172.23.0.95 --jump bar-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append bar-a\w+ --protocol TCP --destination 172.23.0.95 --source 127.0.0.1 --jump LOG
+      """
+    Then the created chain name in all tables should match
+
+  @filter @accept @port-range
+  Scenario: Accept a list of ports
+    When I run `ript rules generate examples/accept-with-a-list-of-ports.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain keepalived-d\w+
+      iptables --table nat --new-chain keepalived-s\w+
+      iptables --table filter --new-chain keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 224.0.0.0/8 --jump keepalived-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append keepalived-a\w+ --protocol tcp --dport 80 --destination 224.0.0.0/8 --source 172.16.0.216 --jump ACCEPT
+      iptables --table filter --append keepalived-a\w+ --protocol tcp --dport 8600:8900 --destination 224.0.0.0/8 --source 172.16.0.216 --jump ACCEPT
+      """
+    Then the created chain name in all tables should match
+
+  @filter @accept @multiple
+  Scenario: Accept multiple from and to
+    When I run `ript rules generate examples/accept-multiple-from-and-to.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain tootyfruity-d\w+
+      iptables --table nat --new-chain tootyfruity-s\w+
+      iptables --table filter --new-chain tootyfruity-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 192.168.0.1 --jump tootyfruity-a\w+
+      iptables --table filter --insert partition-a --destination 192.168.0.2 --jump tootyfruity-a\w+
+      iptables --table filter --insert partition-a --destination 192.168.0.3 --jump tootyfruity-a\w+
+      iptables --table filter --insert partition-a --destination 192.168.0.4 --jump tootyfruity-a\w+
+      iptables --table filter --insert partition-a --destination 192.168.0.5 --jump tootyfruity-a\w+
+      iptables --table filter --insert partition-a --destination 192.168.0.6 --jump tootyfruity-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.1 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.2 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.3 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.4 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.5 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.6 --source 192.168.0.1 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.1 --source 192.168.0.2 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.2 --source 192.168.0.2 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.3 --source 192.168.0.2 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.4 --source 192.168.0.2 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.5 --source 192.168.0.2 --jump ACCEPT
+      iptables --table filter --append tootyfruity-a\w+ --protocol tcp --dport 22 --destination 192.168.0.6 --source 192.168.0.2 --jump ACCEPT
+      """
+    Then the created chain name in all tables should match
+
+  @filter @accept @regression
+  Scenario: Accept someone without a specific from
+    When I run `ript rules generate examples/accept-without-specific-from.rb`
+    Then the output should match:
+      """
+      iptables --table nat --new-chain joeblogsco-d\w+
+      iptables --table nat --new-chain joeblogsco-s\w+
+      iptables --table filter --new-chain joeblogsco-a\w+
+      """
+    Then the output should match:
+      """
+      iptables --table filter --append joeblogsco-a\w+ --protocol TCP --dport 80 --destination 172.22.111.99 --source 0.0.0.0/0 --jump ACCEPT
+      iptables --table filter --append joeblogsco-a\w+ --protocol TCP --dport 443 --destination 172.22.111.99 --source 0.0.0.0/0 --jump ACCEPT
+      """
+    Then the output should match:
+      """
+      iptables --table filter --insert partition-a --destination 172.22.111.99 --jump joeblogsco-a\w+
+      """
+    Then the created chain name in all tables should match
+
+  @filter @regression
+  Scenario: Always include protocol when specifying port
+    When I generate rules for packet filtering
+    Then I should see a protocol specified when a port is specified