ript 0.8.4

data/features/step_definitions/cli_steps.rb

@@ -0,0 +1,15 @@
+Before("@timeout-10") do
+  @aruba_timeout_seconds = 10
+end
+
+Then /^the output from "([^"]*)" should match:$/ do |cmd, partial_output|
+  output_from(cmd).should =~ /#{partial_output}/
+end
+
+Then /^the output from "([^"]*)" should contain exactly:$/ do |cmd, exact_output|
+  output_from(cmd).should == exact_output
+end
+
+Given /^I have no iptables rules loaded$/ do
+  run_simple("rake clean_slate")
+end

data/features/step_definitions/example_steps.rb

@@ -0,0 +1,44 @@
+Before do
+  rules_src  = File.join(File.dirname(__FILE__), '..', '..', 'examples', '.')
+  rules_dest = File.join(current_dir, 'examples')
+  FileUtils.mkdir_p(rules_dest)
+  FileUtils.cp_r(rules_src, rules_dest)
+end
+
+Then /^the created chain name in all tables should match$/ do
+  lines = all_output.split("\n")
+
+  lines.each do |line|
+    @chain_names ||= []
+    if line =~ /^# /
+      @chain_name = line[2..-1]
+      @chain_names = ['s', 'd', 'a'].map { |table| client, hash = @chain_name.split(/-/); "#{client}-#{table}#{hash}" }
+    end
+
+    next if line.size == 0
+    next if line =~ /--(new-chain|jump) partition-/
+    next if line =~ /--(new-chain|jump) ript_bootstrap-/
+
+    line.should match(%r{(^\# #{@chain_name})|(#{@chain_names.join('|')})}) if line !~ /LOG/
+  end
+end
+
+When /^I generate rules for packet filtering$/ do
+  examples_path = Pathname.new(__FILE__).parent.parent.parent.join('examples')
+
+  examples = Dir.glob("#{examples_path}/{accept,drop,reject,log}*.rb")
+  examples.each do |example|
+    run_simple("ript rules generate #{example}")
+    commands = all_output.split("\n").find_all {|line| line =~ /^iptables/ }
+
+    @all_outputs ||= []
+    @all_outputs += commands
+  end
+end
+
+Then /^I should see a protocol specified when a port is specified$/ do
+  dports = @all_outputs.find_all {|line| line =~ /dport/}
+  dports.each do |command|
+    command.should =~ / --protocol /
+  end
+end

data/features/support/env.rb

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'bundler/setup'
+require 'aruba/cucumber'
+require 'colorize'
+
+if Process.uid != 0
+  puts "You need to be root to run these tests!"
+  abort
+end
+
+def clean_slate_after_2_minutes
+  root    = Pathname.new(__FILE__).parent.parent.parent
+  path    = ENV['PATH']
+
+  clean_command = "export PATH=#{path} && echo 'cd #{root} && rake clean_slate'"
+  at_command    = "at 'now + 2 minutes' >/dev/null 2>&1"
+  command       = "#{clean_command} | #{at_command}"
+
+  puts "If these tests lock you out, all iptables rules will be flushed in 2 minutes.\n".yellow
+  system(command)
+end
+
+clean_slate_after_2_minutes

data/lib/ript/bootstrap.rb

@@ -0,0 +1,20 @@
+module Ript
+  class Bootstrap
+    def self.partition
+      rules = []
+
+      rules << Rule.new("table" => "filter",  "new-chain" => "partition-a")
+      rules << Rule.new("table" => "filter",  "insert" => "INPUT 1", "jump" => "partition-a")
+      rules << Rule.new("table" => "filter",  "insert" => "OUTPUT 1", "jump" => "partition-a")
+      rules << Rule.new("table" => "filter",  "insert" => "FORWARD 1", "jump" => "partition-a")
+
+      rules << Rule.new("table" => "nat",  "new-chain" => "partition-d")
+      rules << Rule.new("table" => "nat",  "insert" => "PREROUTING 1", "jump" => "partition-d")
+
+      rules << Rule.new("table" => "nat",  "new-chain" => "partition-s")
+      rules << Rule.new("table" => "nat",  "insert" => "POSTROUTING 1", "jump" => "partition-s")
+
+      Partition.new('ript_bootstrap', nil, :rules => rules)
+    end
+  end
+end

data/lib/ript/dsl.rb

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+if RUBY_VERSION =~ /^1.8/ then
+  puts "Ript requires Ruby 1.9 to run. Exiting."
+  exit 2
+end
+
+$: << Pathname.new(__FILE__).dirname.parent.expand_path.to_s
+
+require 'ript/dsl/primitives'
+require 'ript/rule'
+require 'ript/partition'
+require 'ript/exceptions'
+require 'ript/patches'

data/lib/ript/dsl/primitives.rb

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+$: << Pathname.new(__FILE__).dirname.parent.parent.expand_path.to_s
+
+require 'ript/dsl/primitives/common'
+require 'ript/dsl/primitives/nat'
+require 'ript/dsl/primitives/filter'
+require 'ript/dsl/primitives/raw'

data/lib/ript/dsl/primitives/common.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+
+module Ript
+  module DSL
+    module Primitives
+      module Common
+        def label(label, opts={})
+          @labels[label] = opts
+        end
+
+        def interface(arg)
+          @interface = arg
+        end
+
+        def ports(*args)
+          if args.class == Array
+            args.each do |port|
+              if port.class == Range
+                @ports << "#{port.begin}:#{port.end}"
+              else
+                @ports << port
+              end
+            end
+          else
+            port = args
+            @ports << port
+          end
+        end
+
+        def from(*label)
+          label.flatten!(2)
+          if label.is_a?(Array)
+            label.each do |l|
+              @froms << l
+            end
+          else
+            @froms << label
+          end
+        end
+
+        def to(*label)
+          label.flatten!(2)
+          if label.is_a?(Array)
+            label.each do |l|
+              @tos << l
+            end
+          else
+            @tos << label
+          end
+        end
+
+        def protocols(*args)
+          # FIXME: refactor to just use flatten!
+          if args.class == Array
+            args.each do |protocol|
+              @protocols << protocol
+            end
+          else
+            protocol = args
+            @protocols << protocol
+          end
+        end
+
+        def validate(opts={})
+          opts.each_pair do |type, label|
+            if not label_exists?(label)
+              raise LabelError, "Address '#{label}' (a #{type}) isn't defined"
+            end
+          end
+        end
+
+        def label_exists?(label)
+          @labels.has_key?(label)
+        end
+      end
+    end
+  end
+end

data/lib/ript/dsl/primitives/filter.rb

@@ -0,0 +1,145 @@
+#!/usr/bin/env ruby
+
+module Ript
+  module DSL
+    module Primitives
+      module Filter
+        # Accept traffic to/from a destination/source.
+        #
+        # This allows traffic for a particular port/protocol to be passed into
+        # userland on the local machine.
+        def accept(name, opts={}, &block)
+          opts.merge!(:jump => "ACCEPT")
+          build_rule(name, block, opts)
+        end
+
+        # Reject traffic to/from a destination/source.
+        #
+        # Send an error packet back for traffic that matches.
+        def reject(name, opts={}, &block)
+          opts.merge!(:jump => "REJECT")
+          build_rule(name, block, opts)
+        end
+
+        # Drop traffic to/from a destination/source.
+        #
+        # Silently drop packets that match.
+        def drop(name, opts={}, &block)
+          opts.merge!(:jump => "DROP")
+          build_rule(name, block, opts)
+        end
+
+        # Log traffic to/from a destination/source.
+        #
+        # Log packets that match via the kernel log (read with dmesg or syslog).
+        def log(name, opts={}, &block)
+          opts.merge!(:jump => "LOG")
+          build_rule(name, block, opts)
+        end
+
+        private
+        # Construct a rule to be applied to the `filter` table.
+        #
+        # This method is used to construct simple rules on the filter table to
+        # accept/reject/drop/log traffic to and from various addresses.
+        #
+        # Accepts a block of the actual rule definition to evaluate, and
+        # appends the generated rule to the @table instance variable on the
+        # partition instance.
+        #
+        # This method returns nothing.
+        #
+        def build_rule(name, block, opts={})
+          @froms     = []
+          @tos       = []
+          @ports     = []
+          @protocols = []
+          insert     = opts[:insert] || "partition-a"
+          jump       = opts[:jump]   || "DROP"
+          log        = opts[:log]
+
+          # Evaluate the block.
+          instance_eval &block
+
+          # Default all rules to apply to TCP packets if no protocol is specified
+          @protocols << 'TCP' if @protocols.size == 0
+
+          @protocols.map! {|protocol| {"protocol" => protocol} }
+          @ports.map!     {|port| {"dport" => port} }
+
+          # Provide a default from address, so the @ports => @protocols => @froms
+          # nested iteration below works.
+          @froms << 'all' if @froms.size == 0
+
+          @froms.each do |from|
+            @tos.each do |to|
+              validate(:from => from, :to => to)
+
+              from_address  = @labels[from][:address]
+              to_address    = @labels[to][:address]
+
+              attributes = {
+                             "table"       => "filter",
+                             "insert"      => insert,
+                             "destination" => to_address,
+                             "jump"        => "#{@name}-a",
+                           }
+              @input << Rule.new(attributes)
+              @input << Rule.new(attributes.merge("jump" => "LOG")) if log
+
+              attributes = {
+                             "table"       => "filter",
+                             "append"      => "#{@name}-a",
+                             "destination" => to_address,
+                             "source"      => from_address,
+                             "jump"        => jump
+                           }
+              attributes.insert_before("destination", "in-interface" => @interface) if @interface
+
+              # Build up a list of arguments we need to build expanded rules.
+              #
+              # This allows us to expand shorthand definitions like:
+              #
+              #   accept "multiple rules in one" do
+              #     from "foo", "bar", "baz"
+              #     to   "spoons"
+              #   end
+              #
+              # ... into multiple rules, one ACCEPT rule for foo, bar, baz.
+              #
+              case
+              when @ports.size > 0 && @protocols.size > 0
+                # build the rules based on the arguments supplied
+                arguments = @protocols.product(@ports).map {|ary| ary.inject(:merge) }
+              when @ports.size == 0 && @protocols.size > 0
+                arguments = @protocols
+              when @protocols.size == 0 && @ports.size > 0
+                arguments = @ports
+              else
+                arguments = []
+              end
+
+              # If we have arguments, iterate through them
+              if arguments.size > 0
+                arguments.each do |options|
+                  options.each_pair do |key, value|
+                    attributes = attributes.dup # avoid overwriting existing hash values from previous iterations
+                    attributes.insert_before("destination", key => value)
+                  end
+
+                  @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                  @table << Rule.new(attributes)
+                end
+              else
+                @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                @table << Rule.new(attributes)
+              end # if
+            end # @tos.each
+          end # @froms.each
+
+        end # def build_rule
+      end
+    end
+  end
+end
+

data/lib/ript/dsl/primitives/nat.rb

@@ -0,0 +1,206 @@
+#!/usr/bin/env ruby
+
+module Ript
+  module DSL
+    module Primitives
+      module NAT
+        def rewrite(name, opts={}, &block)
+          # Reset these so parameters don't leak between calls to forward.
+          @sources      = []
+          @destinations = []
+          @ports        = []
+          @protocols    = []
+          @tos          = []
+          @froms        = []
+          log           = opts[:log]
+
+          @snat_sources      = []
+          @snat_destinations = []
+
+          # Evaluate the block.
+          instance_eval &block
+
+          # Default all rules to apply to TCP packets if no protocol is specified
+          @protocols << 'TCP' if @protocols.size == 0
+
+          @snat_sources.zip(@snat_destinations) do |source, destination|
+            validate(:source => source, :destination => destination)
+
+            source_address      = @labels[source][:address]
+            destination_address = @labels[destination][:address]
+
+            attributes = { "table"  => "nat",
+                           "insert" => "partition-s",
+                           "source" => source_address,
+                           "jump"   => "#{@name}-s" }
+
+            fattributes = { "table"  => "filter",
+                            "insert" => "partition-a",
+                            "source" => source_address,
+                            "jump"   => "#{@name}-a" }
+
+            @postrouting << Rule.new(attributes)
+            @postrouting << Rule.new(attributes.merge("jump" => "LOG")) if log
+            @input << Rule.new(fattributes)
+            @input << Rule.new(fattributes.merge("jump" => "LOG")) if log
+
+
+            attributes = { "table"     => "nat",
+                           "append"    => "#{@name}-s",
+                           "source"    => source_address,
+                           "jump"      => "SNAT",
+                           "to-source" => destination_address }
+
+            fattributes = { "table"       => "filter",
+                            "append"      => "#{@name}-a",
+                            "source"      => source_address,
+                            "jump"        => "ACCEPT" }
+
+            @froms.map {|from| @labels[from][:address]}.each do |address|
+              attributes.insert_before("destination", "source" => address)
+            end
+
+            @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+            @table << Rule.new(attributes)
+            @table << Rule.new(fattributes.merge("jump" => "LOG")) if log
+            @table << Rule.new(fattributes)
+          end
+
+
+          # Provide a default from address, so the @ports => @protocols => @froms
+          # nested iteration below works.
+          @froms << 'all' if @froms.size == 0
+
+          # Build up rules based on evaluation.
+          @sources.zip(@destinations).each do |source, destination|
+            validate(:source => source, :destination => destination)
+
+            source_address      = @labels[source][:address]
+            destination_address = @labels[destination][:address]
+
+            attributes = { "table"       => "nat",
+                           "insert"      => "partition-d",
+                           "destination" => source_address,
+                           "jump"        => "#{@name}-d" }
+
+            fattributes = { "table"       => "filter",
+                            "insert"      => "partition-a",
+                            "destination" => destination_address,
+                            "jump"        => "#{@name}-a" }
+
+            @prerouting << Rule.new(attributes)
+            @prerouting << Rule.new(attributes.merge("jump" => "LOG")) if log
+            @input << Rule.new(fattributes)
+            @input << Rule.new(fattributes.merge("jump" => "LOG")) if log
+
+            @ports.each do |port|
+              @protocols.each do |protocol|
+                @froms.map {|from| @labels[from][:address]}.each do |from_address|
+                  if port.class == Hash
+                    port.each_pair do |source_port, destination_port|
+                      attributes = { "table"          => "nat",
+                                     "append"         => "#{@name}-d",
+                                     "protocol"       => protocol,
+                                     "destination"    => source_address,
+                                     "dport"          => source_port,
+                                     "jump"           => "DNAT",
+                                     "to-destination" => destination_address + ":#{destination_port}" }
+
+                      fattributes = { "table"       => "filter",
+                                      "append"      => "#{@name}-a",
+                                      "protocol"    => protocol,
+                                      "destination" => destination_address,
+                                      "dport"       => destination_port,
+                                      "jump"        => "ACCEPT" }
+
+                      attributes.insert_before("destination", "source" => from_address) unless from_address == "0.0.0.0/0"
+
+                      @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                      @table << Rule.new(attributes)
+                      @table << Rule.new(fattributes.merge("jump" => "LOG")) if log
+                      @table << Rule.new(fattributes)
+                    end
+                  else
+                    attributes = { "table"          => "nat",
+                                   "append"         => "#{@name}-d",
+                                   "protocol"       => protocol,
+                                   "destination"    => source_address,
+                                   "dport"          => port,
+                                   "jump"           => "DNAT",
+                                   "to-destination" => destination_address }
+
+                    fattributes = { "table"       => "filter",
+                                    "append"      => "#{@name}-a",
+                                    "protocol"    => protocol,
+                                    "destination" => destination_address,
+                                    "dport"       => port,
+                                    "jump"        => "ACCEPT" }
+
+                    attributes.insert_before("destination", "source" => from_address) unless from_address == "0.0.0.0/0"
+
+                    @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                    @table << Rule.new(attributes)
+                    @table << Rule.new(fattributes.merge("jump" => "LOG")) if log
+                    @table << Rule.new(fattributes)
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        def dnat(opts={})
+          opts.each_pair do |source, destination|
+            # If the source argument to dnat is an Array:
+            #
+            #     dnat  [ "www.bar.com",
+            #             "secure.bar.com",
+            #             "static.bar.com"  ] => "barprod-proxy-01"
+            #
+            # loop through each source, and create the associated destination.
+            if source.is_a?(Array)
+              source.each do |s|
+                @sources << s
+                @destinations << destination
+              end
+            # If the source is just a plain label:
+            #
+            #     dnat  "www.bar.com" => "barprod-proxy-01"
+            #
+            # simply add it and the destination to the collection.
+            else
+              @sources << source
+              @destinations << destination
+            end
+          end
+        end
+
+        def snat(opts={})
+          opts.each_pair do |source, destination|
+            # If the source argument to snat is an Array:
+            #
+            #     snat  [ "www.bar.com",
+            #             "secure.bar.com",
+            #             "static.bar.com"  ] => "barprod-proxy-01"
+            #
+            # loop through each source, and create the associated destination.
+            if source.is_a?(Array)
+              source.each do |s|
+                @snat_sources << s
+                @snat_destinations << destination
+              end
+            # If the source is just a plain label:
+            #
+            #     snat  "www.bar.com" => "barprod-proxy-01"
+            #
+            # simply add it and the destination to the collection.
+            else
+              @snat_sources << source
+              @snat_destinations << destination
+            end
+          end
+        end
+      end
+    end
+  end
+end