ript 0.8.4 → 0.8.8

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e8be9583d1347183f21a3d6fd027aa05a071f1b2
+  data.tar.gz: b1c113e7c5d266b1d8deaf94879abdba4164f4c6
+SHA512:
+  metadata.gz: a9c22e90daffccc7485dda9993b68451ef7da57bc2c22fbbbf080f3f357323144df7ba84b395683b72e1849c558188a3410351b30b0f198e361fe9e9d28dbc24
+  data.tar.gz: 35669bb525b1450409e94c5f70ff88257e2ffebaa82f4d75e54c227b9803857ccaca46fa7a0515c2a3eee8e3b80a58525303087d6df4b1026e144acc8b7bc675

data/.gitignore

@@ -4,3 +4,4 @@ pkg/
 *~
 vendor
 .bundle
+.vagrant

data/.ruby-version

@@ -0,0 +1 @@
+2.3.0

data/AUTHORS.md

@@ -8,9 +8,14 @@ Patches have been merged from:
 Arthur Barton (@arthurbarton)
 John Ferlito (@johnf)
 Jesse Reynolds (@jessereynolds)
+Michael Baker (@elmobp)
+Greg Cockburn (@gergnz)
 
 Inspiration given by:
 
 Matt Moor (@mattm0)
 
-Ript is copyright Bulletproof Networks 2011-2012, all rights reserved.
+Contact:
+foundation@bulletproof.net will send an email to the development team within Bulletproof Networks, any issues should be raised via Github.
+
+Ript is copyright Bulletproof Networks 2011-2016, all rights reserved.

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 ## Changelog
 
-# 0.8.4 - 2012/08/121
+# 0.8.8 - 2016/12/02
+ - Bug: Support for an array of protocols (@elmobp)
+ - Bug: Support Ruby 2.0+ (@elmobp)
+ - Feature: Protocol validation using /etc/protocols, by adding this support in the validation ensures many other parts of the software performed correctly (@elmobp)
+ - Feature: Protocol validation whitelist (@elmobp)
+
+# 0.8.7 - 2013/06/23
+ - Bug: The I forgot to push to github release, just a version bump (@johnf)
+
+# 0.8.6 - 2013/06/23
+ - Feature: Add `ript rules flush` command to flush all rules (@johnf)
+
+# 0.8.5 - 2013/04/16
+ - Bug: Write the output of `ript diff` to a file and execute that, so sh doesn't choke on huge insertions #8
+
+# 0.8.4 - 2012/08/12
  - Bug: DNAT rules from one port to another were adding a filter rule for the
    source instead of destination port (@johnf)
 

data/Gemfile.lock

@@ -1,10 +1,10 @@
 PATH
   remote: .
   specs:
-    ript (0.8.4)
+    ript (0.8.9)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
     arr-pm (0.0.7)
       cabin (> 0)
@@ -27,8 +27,7 @@ GEM
       json (>= 1.4.6)
       term-ansicolor (>= 1.0.6)
     diff-lcs (1.1.3)
-    ffi (1.0.7)
-      rake (>= 0.8.7)
+    ffi (1.0.11)
     fpm (0.4.5)
       arr-pm (~> 0.0.7)
       backports (= 2.3.0)
@@ -38,7 +37,7 @@ GEM
     gherkin (2.9.3)
       json (>= 1.4.6)
     json (1.6.6)
-    rake (0.8.7)
+    rake (10.1.0)
     rspec (2.5.0)
       rspec-core (~> 2.5.0)
       rspec-expectations (~> 2.5.0)
@@ -60,3 +59,6 @@ DEPENDENCIES
   rake
   ript!
   rspec
+
+BUNDLED WITH
+   1.13.6

data/{LICENCE → LICENSE}

@@ -1,4 +1,4 @@
-Copyright 2011-2012 Bulletproof Networks. All rights reserved.
+Copyright 2011-2012 Bulletproof Networks. 
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

data/README.md

@@ -9,7 +9,7 @@ Ript works with `iptables` on Linux, and is written in Ruby.
 Installing
 ----------
 
-Make sure you have Ruby 1.9.2 installed, and run:
+Make sure you have Ruby 1.9+ installed, and run:
 
 ``` bash
 gem install ript
@@ -24,6 +24,8 @@ sudo update-rc.d ript defaults
 sudo mkdir /var/lib/ript
 sudo chown root.adm /var/lib/ript
 sudo chmod 770 /var/lib/ript
+# Only If you are using Xenial
+sudo cp "$(dirname $(dirname $(dirname $(gem which ript/dsl.rb))))"/dist/ript.conf /etc/systemd/system/
 ```
 
 Applying rules
@@ -48,12 +50,12 @@ to your workflow.
 Developing
 ----------
 
-It is recommended to use a Ubuntu Lucid VM to develop Ript. If you develop on a machine without iptables some of the tests will fail.
+It is recommended to use a Ubuntu Xenial VM to develop Ript. If you develop on a machine without iptables some of the tests will fail.
 
 It is also recommended that you use [rbenv](http://rbenv.org/).
 
 ``` bash
-rbenv install 1.9.2-p290
+rbenv install 2.3.0
 gem install bundler
 rbenv rehash
 ```

data/bin/ript

@@ -6,6 +6,7 @@ $: << Pathname.new(__FILE__).parent.parent.join('lib').expand_path.to_s
 $: << Pathname.new(__FILE__).parent.parent.expand_path.to_s
 $: << Dir.pwd
 require 'ript/dsl'
+require 'tempfile'
 
 if RUBY_VERSION =~ /^1.8/ then
   puts "Ript requires Ruby 1.9 to run. Exiting."
@@ -119,10 +120,40 @@ if ARGV[0] == 'rules'
   end
 
   if ARGV[1] == "apply" then
-    output = `#{$0} rules diff #{ARGV[2..-1].join(' ')} 2>&1`
+    output   = `#{$0} rules diff #{ARGV[2..-1].join(' ')} 2>&1`
+    tempfile = Tempfile.open("ript-apply-#{Time.now.to_i}") {|f| f << output}
     puts "#{output}"
-    system("bash -c '#{output}'")
+    system("sh -e #{tempfile.path}")
+    exit
+  end
 
+  if ARGV[1] == 'flush' then
+    output = <<-EOF
+  iptables --flush --table filter
+  iptables --delete-chain --table filter
+  iptables --table filter --policy INPUT ACCEPT
+  iptables --table filter --policy FORWARD ACCEPT
+  iptables --table filter --policy OUTPUT ACCEPT
+
+  # Clean NAT
+  iptables --flush --table nat
+  iptables --delete-chain --table nat
+  iptables --table nat --policy PREROUTING ACCEPT
+  iptables --table nat --policy POSTROUTING ACCEPT
+  iptables --table nat --policy OUTPUT ACCEPT
+
+  # Clean mangle
+  iptables --flush --table mangle
+  iptables --delete-chain --table mangle
+  iptables --table mangle --policy PREROUTING ACCEPT
+  iptables --table mangle --policy POSTROUTING ACCEPT
+  iptables --table mangle --policy INPUT ACCEPT
+  iptables --table mangle --policy FORWARD ACCEPT
+  iptables --table mangle --policy OUTPUT ACCEPT
+    EOF
+    tempfile = Tempfile.open("ript-apply-#{Time.now.to_i}") {|f| f << output}
+    puts "#{output}"
+    system("sh -e #{tempfile.path}")
     exit
   end
 
@@ -172,7 +203,7 @@ if ARGV[0] == "clean" then
         chains.uniq.each do |chain|
           table = types[type]
 
-          clean_command = `iptables-save --table #{table} 2>&1 | grep -- '-A partition-#{type}' | grep -- '-j #{chain}'`.split("\n") 
+          clean_command = `iptables-save --table #{table} 2>&1 | grep -- '-A partition-#{type}' | grep -- '-j #{chain}'`.split("\n")
           clean_command.map! {|line| "iptables --table #{table} #{line}" }
           clean_command.map! {|line| line.gsub(" -A", " --delete") }
           clean_command.map! {|line| line.gsub(" -s", " --source") }

data/dist/ript.conf

@@ -0,0 +1,9 @@
+[Unit]
+Description=Load ript rules on startup
+[Service]
+Type=oneshot
+ExecStart=/etc/init.d/ript start
+ExecStop=/etc/init.d/ript stop
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target

data/features/cli.feature

@@ -113,3 +113,32 @@ Feature: Ript cli utility
       :OUTPUT ACCEPT \[\d+:\d+\]
       COMMIT
       """
+
+  @sudo @timeout-10
+  Scenario: Flush rules
+    Given I have no iptables rules loaded
+    When I run `ript rules flush`
+    Then the output from "ript rules flush" should match:
+      """
+        iptables --flush --table filter
+        iptables --delete-chain --table filter
+        iptables --table filter --policy INPUT ACCEPT
+        iptables --table filter --policy FORWARD ACCEPT
+        iptables --table filter --policy OUTPUT ACCEPT
+
+        # Clean NAT
+        iptables --flush --table nat
+        iptables --delete-chain --table nat
+        iptables --table nat --policy PREROUTING ACCEPT
+        iptables --table nat --policy POSTROUTING ACCEPT
+        iptables --table nat --policy OUTPUT ACCEPT
+
+        # Clean mangle
+        iptables --flush --table mangle
+        iptables --delete-chain --table mangle
+        iptables --table mangle --policy PREROUTING ACCEPT
+        iptables --table mangle --policy POSTROUTING ACCEPT
+        iptables --table mangle --policy INPUT ACCEPT
+        iptables --table mangle --policy FORWARD ACCEPT
+        iptables --table mangle --policy OUTPUT ACCEPT
+      """

data/features/step_definitions/example_steps.rb

@@ -18,6 +18,7 @@ Then /^the created chain name in all tables should match$/ do
     next if line.size == 0
     next if line =~ /--(new-chain|jump) partition-/
     next if line =~ /--(new-chain|jump) ript_bootstrap-/
+    next if line =~ /^\(in \/.*\)$/ # Exclude rake output from clean_slate
 
     line.should match(%r{(^\# #{@chain_name})|(#{@chain_names.join('|')})}) if line !~ /LOG/
   end

data/lib/ript/bootstrap.rb

@@ -3,10 +3,10 @@ module Ript
     def self.partition
       rules = []
 
-      rules << Rule.new("table" => "filter",  "new-chain" => "partition-a")
-      rules << Rule.new("table" => "filter",  "insert" => "INPUT 1", "jump" => "partition-a")
-      rules << Rule.new("table" => "filter",  "insert" => "OUTPUT 1", "jump" => "partition-a")
-      rules << Rule.new("table" => "filter",  "insert" => "FORWARD 1", "jump" => "partition-a")
+      rules << Rule.new("table" => "filter", "new-chain" => "partition-a")
+      rules << Rule.new("table" => "filter", "insert" => "INPUT 1", "jump" => "partition-a")
+      rules << Rule.new("table" => "filter", "insert" => "OUTPUT 1", "jump" => "partition-a")
+      rules << Rule.new("table" => "filter", "insert" => "FORWARD 1", "jump" => "partition-a")
 
       rules << Rule.new("table" => "nat",  "new-chain" => "partition-d")
       rules << Rule.new("table" => "nat",  "insert" => "PREROUTING 1", "jump" => "partition-d")

data/lib/ript/dsl.rb

@@ -6,7 +6,6 @@ if RUBY_VERSION =~ /^1.8/ then
 end
 
 $: << Pathname.new(__FILE__).dirname.parent.expand_path.to_s
-
 require 'ript/dsl/primitives'
 require 'ript/rule'
 require 'ript/partition'

data/lib/ript/dsl/primitives/filter.rb

@@ -94,8 +94,7 @@ module Ript
                              "source"      => from_address,
                              "jump"        => jump
                            }
-              attributes.insert_before("destination", "in-interface" => @interface) if @interface
-
+              attributes.insert_before("destination", [ "in-interface", @interface ]) if @interface
               # Build up a list of arguments we need to build expanded rules.
               #
               # This allows us to expand shorthand definitions like:
@@ -122,24 +121,42 @@ module Ript
               # If we have arguments, iterate through them
               if arguments.size > 0
                 arguments.each do |options|
-                  options.each_pair do |key, value|
-                    attributes = attributes.dup # avoid overwriting existing hash values from previous iterations
-                    attributes.insert_before("destination", key => value)
-                  end
-
-                  @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                    options.each_pair do |key, value|
+                      supported_protocols = IO.readlines("/etc/protocols")
+                      ignored_values = %w(all tcp udp)
+                      supported_protocols.map! {|proto| proto.split("\t")[0] }
+                      if key == "protocol" and value.instance_of?(String) and !ignored_values.include? value.downcase and value != "" and !supported_protocols.include? value
+                              puts "Invalid protocol a) #{value} specified cannot continue"
+                              exit
+                      end 
+                      if value.is_a? Array
+                        value.each do |valueout|
+                          if !ignored_values.include? valueout.downcase and !supported_protocols.include? valueout
+                            puts "Invalid protocol b) #{valueout} specified cannot continue"
+                            exit 100 
+                          end 
+                          attributes = attributes.dup # avoid overwriting existing hash values from previous iterations
+                          attributes.insert_before("destination", [ key,  valueout ])
+                          @table << Rule.new(attributes.merge("jump" => "LOG")) if log 
+                          @table << Rule.new(attributes)
+                        end 
+                        return
+                      else
+                      attributes = attributes.dup # avoid overwriting existing hash values from previous iterations
+                      attributes.insert_before("destination", [ key,  value ])
+                    end 
+                  end 
+                  @table << Rule.new(attributes.merge("jump" => "LOG")) if log 
                   @table << Rule.new(attributes)
-                end
+                end 
               else
-                @table << Rule.new(attributes.merge("jump" => "LOG")) if log
+                @table << Rule.new(attributes.merge("jump" => "LOG")) if log 
                 @table << Rule.new(attributes)
               end # if
             end # @tos.each
           end # @froms.each
-
         end # def build_rule
       end
     end
   end
 end
-

data/lib/ript/dsl/primitives/nat.rb

@@ -57,7 +57,7 @@ module Ript
                             "jump"        => "ACCEPT" }
 
             @froms.map {|from| @labels[from][:address]}.each do |address|
-              attributes.insert_before("destination", "source" => address)
+              attributes.insert_before("destination", ["source", address])
             end
 
             @table << Rule.new(attributes.merge("jump" => "LOG")) if log
@@ -113,7 +113,7 @@ module Ript
                                       "dport"       => destination_port,
                                       "jump"        => "ACCEPT" }
 
-                      attributes.insert_before("destination", "source" => from_address) unless from_address == "0.0.0.0/0"
+                      attributes.insert_before("destination", ["source", from_address]) unless from_address == "0.0.0.0/0"
 
                       @table << Rule.new(attributes.merge("jump" => "LOG")) if log
                       @table << Rule.new(attributes)
@@ -136,7 +136,7 @@ module Ript
                                     "dport"       => port,
                                     "jump"        => "ACCEPT" }
 
-                    attributes.insert_before("destination", "source" => from_address) unless from_address == "0.0.0.0/0"
+                    attributes.insert_before("destination", ["source" , from_address]) unless from_address == "0.0.0.0/0"
 
                     @table << Rule.new(attributes.merge("jump" => "LOG")) if log
                     @table << Rule.new(attributes)

data/lib/ript/patches.rb

@@ -1,10 +1,12 @@
-#!/usr/bin/env ruby
-
 class Hash
-  def insert_before(key, opts={})
-    before = self.dup.take_while {|k, v| k != key }
-    after  = self.dup.drop_while {|k, v| k != key }
-    before << opts.to_a.flatten
-    self.clear.merge!(Hash[before]).merge!(Hash[after])
+  def insert_before(key, kvpair)
+    arr = to_a
+    pos = arr.index(arr.assoc(key))
+    if pos
+      arr.insert(pos, kvpair)
+    else
+      arr << kvpair
+    end
+    replace Hash[arr]
   end
 end

data/lib/ript/version.rb

@@ -1,3 +1,3 @@
 module Ript
-  VERSION = '0.8.4'
+  VERSION = '0.8.8'
 end

data/ript.gemspec

@@ -7,8 +7,8 @@ Gem::Specification.new do |s|
   s.name        = "ript"
   s.version     = Ript::VERSION
   s.platform    = Gem::Platform::RUBY
-  s.authors     = [ "Lindsay Holmwood" ]
-  s.email       = [ "lindsay@bulletproof.net" ]
+  s.authors     = [ "Bulletproof Group Ltd" ]
+  s.email       = [ "foundation@bulletproof.net" ]
   s.homepage    = "http://bulletproof.net/"
   s.summary     = %q{DSL for iptables, and tool for incrementally applying firewall rules}
   s.description = %q{Ript provides a clean Ruby DSL for describing firewall rules, and implements database migrations-like functionality for applying the rules}

metadata

@@ -1,134 +1,122 @@
 --- !ruby/object:Gem::Specification
 name: ript
 version: !ruby/object:Gem::Version
-  version: 0.8.4
-  prerelease: 
+  version: 0.8.8
 platform: ruby
 authors:
-- Lindsay Holmwood
+- Bulletproof Group Ltd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-18 00:00:00.000000000 Z
+date: 2016-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.1.9
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.1.9
 - !ruby/object:Gem::Dependency
   name: aruba
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: colorize
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: fpm
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.4.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.4.5
 description: Ript provides a clean Ruby DSL for describing firewall rules, and implements
   database migrations-like functionality for applying the rules
 email:
-- lindsay@bulletproof.net
+- foundation@bulletproof.net
 executables:
 - rbenv-sudo
 - ript
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rbenv-version
+- ".gitignore"
+- ".ruby-version"
 - AUTHORS.md
 - CHANGELOG.md
 - Gemfile
 - Gemfile.lock
-- LICENCE
+- LICENSE
 - README.md
 - Rakefile
 - bin/rbenv-sudo
 - bin/ript
 - dist/init.d
+- dist/ript.conf
 - examples/accept-multiple-from-and-to.rb
 - examples/accept-with-a-list-of-ports.rb
 - examples/accept-with-specific-port-and-interface.rb
@@ -197,27 +185,26 @@ files:
 - ript.gemspec
 homepage: http://bulletproof.net/
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
 rubyforge_project: ript
-rubygems_version: 1.8.23
+rubygems_version: 2.5.1
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: DSL for iptables, and tool for incrementally applying firewall rules
 test_files:
 - features/cli.feature

data/.rbenv-version

@@ -1 +0,0 @@
-1.9.2-p290