ript 0.8.4

data/lib/ript/dsl/primitives/raw.rb

@@ -0,0 +1,45 @@
+#!/usr/bin/env ruby
+
+module Ript
+  module DSL
+    module Primitives
+      module Raw
+
+        def raw?
+          @raw
+        end
+
+        def raw(rules)
+          @raw = true
+          commands = rules.split("\n").reject {|l| l !~ /^\s*[^#]+$/}
+
+          commands.each do |command|
+            validate_destructiveness(command)
+
+            attributes = {:raw => command}
+
+            @table << Rule.new(attributes)
+          end
+        end
+
+        private
+        def validate_destructiveness(command)
+          if command =~ /(\-F|\-\-flush)/
+            puts "Error: partition #{@name} - you can't use raw rules that flush tables or chains!"
+            puts "Offending rule:\n\n  #{command}\n\n"
+            puts "Exiting."
+            exit 140
+          end
+
+          if command =~ /\s+(\-X|\-\-delete-chain)/
+            puts "Error: partition #{@name} - you can't use raw rules that delete chains!"
+            puts "Offending rule:\n\n  #{command}\n\n"
+            puts "Exiting."
+            exit 140
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/ript/exceptions.rb

@@ -0,0 +1,2 @@
+class LabelError < NameError
+end

data/lib/ript/partition.rb

@@ -0,0 +1,162 @@
+#!/usr/bin/env ruby
+
+$: << Pathname.new(__FILE__).dirname.parent.expand_path.to_s
+
+module Ript
+  class Partition
+    attr_reader :name, :filename, :line
+
+    include DSL::Primitives::Common
+    include DSL::Primitives::NAT
+    include DSL::Primitives::Filter
+    include DSL::Primitives::Raw
+
+    def initialize(name, block, options={})
+      @filename, @line = caller[2].split(':')[0..1]
+      @labels       = {}
+      @prerouting   = []
+      @postrouting  = []
+      @input        = []
+      @forward      = []
+      @table        = []
+      @name         = name
+      # TODO should we rename this to no_is or something since that is what it really means
+      if options[:rules]
+        @raw = true
+        @table = options[:rules]
+      end
+
+      # Even when suplying our own rules we need the placeholders below to know if anything changed
+      @setup = []
+      @setup << Rule.new("table" => "nat",    "new-chain" => "#{@name}-d")
+      @setup << Rule.new("table" => "nat",    "new-chain" => "#{@name}-s")
+      @setup << Rule.new("table" => "filter", "new-chain" => "#{@name}-a")
+
+      # Provide a label for the zero-address
+      label "all", :address => "0.0.0.0/0"
+
+      begin
+        instance_eval &block unless block.nil?
+      rescue NoMethodError => e
+        method = e.message[/`(.+)'/, 1]
+        filename, line = e.backtrace.first[/(.*):(\d)/].split(':')
+        if filename =~ /\/lib\/ript\//
+          puts "Looks like you found a bug in Ript around line #{line} in #{filename}"
+          puts "Specifically, this is the exception raised:"
+          puts
+          puts "  #{e.message}"
+          puts
+          puts "And here is the backtrace:"
+          puts
+          puts e.backtrace.map {|l| "  #{l}\n" }.join
+          puts
+          puts "Please report this bug at http://github.com/bulletproofnetworks/ript"
+          puts
+        else
+          puts "You tried using the '#{method}' method on line #{line} in #{filename}"
+          similar = self.class.instance_methods.grep(/#{method}/)
+          if similar.size > 0
+            puts "This method doesn't exist in the DSL. Did you mean:"
+            puts
+            self.class.instance_methods.grep(/#{method}/).each do |m|
+              puts " - #{m}"
+            end
+            puts
+          else
+            puts "This method doesn't exist in the DSL. There aren't any other methods with similar names. :-("
+          end
+        end
+        puts "Aborting."
+        exit 131
+      rescue LabelError => e
+        puts e.message
+        puts "Aborting."
+        exit 131
+      end
+    end
+
+    # FIXME: Maybe implement the concept of dirtiness?
+    def id
+      return @id if @id
+      joined = (@setup.map       {|rule| rule.to_iptables } +
+                @prerouting.map  {|rule| rule.to_iptables }.uniq +
+                @postrouting.map {|rule| rule.to_iptables }.uniq +
+                @input.map       {|rule| rule.to_iptables }.uniq +
+                @forward.map     {|rule| rule.to_iptables }.uniq +
+                @table.map       {|rule| rule.to_iptables }.uniq).join(' ')
+      @id = "#{Digest::MD5.hexdigest(joined)[0..5]}"
+    end
+
+    def update_id(object, key, id)
+      object.map { |rule|
+        rule[key] += "#{id}" unless rule[key] == "LOG"
+        rule.to_iptables
+      }
+    end
+
+    def to_iptables
+      if raw?
+        # TODO How do we clean up raw rules?
+        puts update_id(@setup,  "new-chain", id).uniq
+        puts @table.map {|rule| rule.to_iptables }
+        puts
+      else
+        puts update_id(@setup,  "new-chain", id).uniq
+        puts update_id(@table,     "append", id).uniq
+        puts update_id(@prerouting,  "jump", id).uniq
+        puts update_id(@postrouting, "jump", id).uniq
+        puts update_id(@input,       "jump", id).uniq
+        puts update_id(@forward,     "jump", id).uniq
+        puts
+      end
+    end
+  end
+end
+
+@partitions = []
+@filenames = []
+
+def partition(name, &block)
+  filename, line = caller.first.split(':')[0..1]
+
+  if c = @partitions.find {|c| c.name == name } then
+    puts "Error: Partition name '#{name}' is already defined!"
+    puts " - existing definition: #{c.filename}:#{c.line}"
+    puts " - new definition: #{filename}:#{line}"
+    puts "Aborting."
+    exit 140
+  end
+
+  if name =~ /\s+/
+    puts "Error: #{filename}:#{line}"
+    puts "Error: Partition name '#{name}' can't contain whitespace."
+    puts "Aborting."
+    exit 140
+  end
+
+  if name.count('-') > 0
+    puts "Error: #{filename}:#{line}"
+    puts "Error: Partition name '#{name}' can't contain dashes ('-')."
+    puts "Aborting."
+    exit 140
+  end
+
+  if name.length > 20
+    puts "Error: #{filename}:#{line}"
+    puts "Error: Partition name '#{name}' cannot be longer than 20 characters."
+    puts "Aborting."
+    exit 140
+  end
+
+  if @filenames.include?(filename)
+    puts "Error: #{filename}:#{line}"
+    puts "Error: Multiple partition definitions are not permitted in the same file."
+    puts "Aborting."
+    exit 140
+  else
+    @filenames << filename
+  end
+
+  partition = Ript::Partition.new(name, block)
+  @partitions << partition
+end

data/lib/ript/patches.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+class Hash
+  def insert_before(key, opts={})
+    before = self.dup.take_while {|k, v| k != key }
+    after  = self.dup.drop_while {|k, v| k != key }
+    before << opts.to_a.flatten
+    self.clear.merge!(Hash[before]).merge!(Hash[after])
+  end
+end

data/lib/ript/rule.rb

@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+
+$: << Pathname.new(__FILE__).dirname.parent.expand_path.to_s
+
+require 'digest/md5'
+
+module Ript
+  class Rule
+    def initialize(opts={})
+      @comment = opts.delete(:comment)
+      @raw     = opts.delete(:raw)
+      @args    = []
+      @opts    = opts
+    end
+
+    def [](key)
+      @opts[key]
+    end
+
+    def []=(key, value)
+      @opts[key] = value
+    end
+
+    def add_option(argument, parameter)
+      @args << "--#{argument} #{parameter}"
+    end
+
+    def to_iptables
+      @args.clear
+      @opts.each_pair do |argument, parameter|
+        add_option(argument, parameter)
+      end
+
+      if comment?
+        "#{self.to_command} #{self.comment}"
+      else
+        self.to_command
+      end
+    end
+
+    def raw?
+      @raw
+    end
+
+    def to_command
+      if raw?
+        @raw
+      else
+        "iptables #{@args.join(' ')}"
+      end
+    end
+
+    def comment
+      "--match comment --comment '#{id}'"
+    end
+
+    def id
+      Digest::MD5.hexdigest(self.to_command)
+    end
+
+    def comment?
+      @comment
+    end
+
+    # Display the rule in iptables form, perferably before an update_id has been run
+    def to_s
+      %("#{to_command}")
+    end
+  end
+end

data/lib/ript/version.rb

@@ -0,0 +1,3 @@
+module Ript
+  VERSION = '0.8.4'
+end

data/ript.gemspec

@@ -0,0 +1,33 @@
+#
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "ript/version"
+
+Gem::Specification.new do |s|
+  s.name        = "ript"
+  s.version     = Ript::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = [ "Lindsay Holmwood" ]
+  s.email       = [ "lindsay@bulletproof.net" ]
+  s.homepage    = "http://bulletproof.net/"
+  s.summary     = %q{DSL for iptables, and tool for incrementally applying firewall rules}
+  s.description = %q{Ript provides a clean Ruby DSL for describing firewall rules, and implements database migrations-like functionality for applying the rules}
+
+  s.rubyforge_project = "ript"
+
+  s.required_ruby_version     = ">= 1.9.2"
+  s.required_rubygems_version = ">= 1.3.6"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  #s.add_runtime_dependency     "colorize",  ">= 0"
+  s.add_development_dependency "rake",      ">= 0"
+  s.add_development_dependency "rspec",     ">= 0"
+  s.add_development_dependency "cucumber",  ">= 1.1.9"
+  s.add_development_dependency "aruba",     ">= 0"
+  s.add_development_dependency "colorize",  ">= 0"
+  s.add_development_dependency "fpm",       ">= 0.4.5"
+end

metadata

@@ -0,0 +1,232 @@
+--- !ruby/object:Gem::Specification
+name: ript
+version: !ruby/object:Gem::Version
+  version: 0.8.4
+  prerelease: 
+platform: ruby
+authors:
+- Lindsay Holmwood
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-11-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fpm
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.4.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.4.5
+description: Ript provides a clean Ruby DSL for describing firewall rules, and implements
+  database migrations-like functionality for applying the rules
+email:
+- lindsay@bulletproof.net
+executables:
+- rbenv-sudo
+- ript
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rbenv-version
+- AUTHORS.md
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENCE
+- README.md
+- Rakefile
+- bin/rbenv-sudo
+- bin/ript
+- dist/init.d
+- examples/accept-multiple-from-and-to.rb
+- examples/accept-with-a-list-of-ports.rb
+- examples/accept-with-specific-port-and-interface.rb
+- examples/accept-without-specific-from.rb
+- examples/accept.rb
+- examples/basic.rb
+- examples/dash-in-partition-name.rb
+- examples/drop.rb
+- examples/duplicate-partition-names/foobar1.rb
+- examples/duplicate-partition-names/foobar2.rb
+- examples/errors-undefined-method-with-no-match.rb
+- examples/errors-undefined-method.rb
+- examples/forward-dnat-with-different-destination-port.rb
+- examples/forward-dnat-with-explicit-from-and-port-mappings.rb
+- examples/forward-dnat-with-explicit-from-and-ports.rb
+- examples/forward-dnat-with-explicit-from.rb
+- examples/forward-dnat-with-explicit-protocols.rb
+- examples/forward-dnat-with-multiple-froms.rb
+- examples/forward-dnat-with-multiple-ports.rb
+- examples/forward-dnat-with-multiple-sources.rb
+- examples/forward-dnat.rb
+- examples/forward-snat-with-explicit-from.rb
+- examples/forward-snat-with-multiple-sources.rb
+- examples/forward-snat.rb
+- examples/log-and-accept.rb
+- examples/log-and-drop.rb
+- examples/log-dnat.rb
+- examples/log-snat.rb
+- examples/log.rb
+- examples/missing-address-definition-in-destination.rb
+- examples/missing-address-definition-in-from.rb
+- examples/multiple-partitions-in-this-file.rb
+- examples/multiple-partitions/bar.rb
+- examples/multiple-partitions/foo.rb
+- examples/partition-name-exactly-20-characters.rb
+- examples/partition-name-longer-than-20-characters.rb
+- examples/postclean.rb
+- examples/preclean.rb
+- examples/raw-with-chain-deletion.rb
+- examples/raw-with-flush.rb
+- examples/raw.rb
+- examples/reject.rb
+- examples/space-in-partition-name.rb
+- features/cli.feature
+- features/dsl/errors.feature
+- features/dsl/filter.feature
+- features/dsl/logging.feature
+- features/dsl/nat.feature
+- features/dsl/raw.feature
+- features/setup.feature
+- features/step_definitions/cli_steps.rb
+- features/step_definitions/example_steps.rb
+- features/support/env.rb
+- lib/ript/bootstrap.rb
+- lib/ript/dsl.rb
+- lib/ript/dsl/primitives.rb
+- lib/ript/dsl/primitives/common.rb
+- lib/ript/dsl/primitives/filter.rb
+- lib/ript/dsl/primitives/nat.rb
+- lib/ript/dsl/primitives/raw.rb
+- lib/ript/exceptions.rb
+- lib/ript/partition.rb
+- lib/ript/patches.rb
+- lib/ript/rule.rb
+- lib/ript/version.rb
+- ript.gemspec
+homepage: http://bulletproof.net/
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.2
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.3.6
+requirements: []
+rubyforge_project: ript
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: DSL for iptables, and tool for incrementally applying firewall rules
+test_files:
+- features/cli.feature
+- features/dsl/errors.feature
+- features/dsl/filter.feature
+- features/dsl/logging.feature
+- features/dsl/nat.feature
+- features/dsl/raw.feature
+- features/setup.feature
+- features/step_definitions/cli_steps.rb
+- features/step_definitions/example_steps.rb
+- features/support/env.rb