tablomat 1.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3acd84433060bbc3bf7e1502c05f0e9889694d3a32037e22e15f743ca01b5fc3
+  data.tar.gz: 9dd4eaab8169d4a12bc8d84de57913f35d8ffc0d90d9f716e12a801f2936e4aa
+SHA512:
+  metadata.gz: 25075f75a86af90044a997409afec220443610589c68bba8d22144586724288ae860b5dcfb191ba64afaf14b420c8cfc838bc6e7f3b887f21a07a2ac99862c7e
+  data.tar.gz: c8be92592b3fe8e3c67439db72aa7f1717da3c13ed32b412009a65ebeb4d9bdbbb291c3391a2dda28e684cefb758b9be79960f64d0bc7183e1279deebfbf62bc

data/lib/tablomat.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'tablomat/version'
+require 'tablomat/iptables'
+require 'tablomat/ipset'
+
+# # module Tablomat
+# module Tablomat
+# end

data/lib/tablomat/exec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+require 'English'
+
+# Module defined in exec.rb File to execute Commands
+module Exec
+  def self.exec(cmd)
+    errfile = Tempfile.new('tablomat')
+    stdout = `#{cmd} 2> #{errfile.path}`
+    unless $CHILD_STATUS.success?
+      err = errfile.read
+      errfile.close
+      errfile.unlink
+      raise err.to_s
+    end
+    stdout
+  end
+end

data/lib/tablomat/ipset.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'tablomat/ipset/set'
+require 'tablomat/exec'
+
+module Tablomat
+  # Errorclass for IPSet-Errors
+  class IPSetError < StandardError; end
+
+  # The IPSet interface
+  class IPSet
+    extend Exec
+    attr_accessor :ipset_bin
+
+    def initialize
+      @ipset_bin = 'ipset'
+      @ipset_bin = "sudo #{@ipset_bin}" if Etc.getlogin != 'root'
+      @sets = {}
+    end
+
+    def matchset(flags:, option: '', negate: false, negate_option: false, set_name:)
+      set_set = "--match-set #{set_name} #{flags}"
+      set_set = "! #{set_set}" if negate
+      option = "! #{option}" if negate_option
+      "set #{set_set} #{option}"
+    end
+
+    def set(name, &block)
+      name = name.to_s.downcase
+      (@sets[name] || Set.new(self, name)).tap do |set|
+        @sets[name] = set
+        block&.call(set)
+      end
+      @sets[name]
+    end
+
+    def exec(cmd)
+      Exec.exec(cmd)
+    rescue StandardError => e
+      raise IPSetError.new, e.message
+    end
+
+    def destroy_all(really_all = false)
+      # destroys all sets created in this Instance unless really_all = true
+      if really_all
+        command = "#{@ipset_bin} destroy"
+        exec(command)
+      else
+        @sets.each do |_name, set|
+          set.destroy if set.active
+        end
+      end
+    end
+
+    def add(set_name:, entry_data:, add_options: '', exist: false)
+      set(set_name).add(entry_data: entry_data, add_options: add_options, exist: exist)
+    end
+
+    def create(set_name:, type:, create_options: '', rangefrom: '', rangeto: '')
+      set(set_name).create(type: type, create_options: create_options, rangefrom: rangefrom, rangeto: rangeto)
+    end
+
+    def del(set_name:, entry_data:, exist: false)
+      set(set_name).del(entry_data: entry_data, exist: exist)
+    end
+
+    def destroy(set_name:)
+      set(set_name).destroy
+    end
+  end
+end

data/lib/tablomat/ipset/entry.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Tablomat
+  class IPSet
+    # interface to manage the entrys inside the sets
+    class Entry
+      def initialize(set, description)
+        @system = set.system
+        @set = set
+        @description = description
+      end
+
+      def exists?
+        command = "#{@system.ipset_bin} del #{@set.name} #{@description}"
+        @system.exec command
+        command = "#{@system.ipset_bin} add #{@set.name} #{@description}"
+        @system.exec command
+        true
+      rescue IPSetError => e
+        raise unless e.message.include?("Element cannot be deleted from the set: it's not added")
+
+        false
+      end
+
+      def add(add_options, exist = false)
+        command = "#{@system.ipset_bin} add #{@set.name} #{@description} #{add_options}"
+        command = "#{command} -!" if exist
+        @system.exec command
+      end
+
+      def del(exist = false)
+        command = "#{@system.ipset_bin} del #{@set.name} #{@description}"
+        command = "#{command} -!" if exist
+        @system.exec command
+      end
+    end
+  end
+end

data/lib/tablomat/ipset/set.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'tablomat/ipset/entry'
+
+module Tablomat
+  class IPSet
+    # Interface to manage ipsets
+    class Set
+      attr_reader :name, :system, :active
+
+      def initialize(system, name)
+        @system = system
+        @name = name
+        @entrys = {}
+        @active = false
+      end
+
+      def exists?
+        command = "#{@system.ipset_bin} list #{@name}"
+        @system.exec command
+        true
+      rescue IPSetError => e
+        raise unless e.message.include?('The set with the given name does not exist')
+
+        false
+      end
+
+      def type
+        command = "#{system.ipset_bin} list #{@name}"
+        stdout = `#{command} 2>&1`.strip << "\n"
+        if $CHILD_STATUS != 0
+          # throw error
+          puts "Invalid return value when calling #{command}"
+        end
+        stdout = stdout.split("\n").select { |s| s.include?('Type:') }[0]
+        stdout.split(/Type: /)[1]
+      rescue StandardError => e
+        puts "[error] #{e}"
+      end
+
+      def entry(data, &block)
+        data = data.to_s.downcase
+        (@entrys[data] || Entry.new(self, data)).tap do |entry|
+          @entrys[data] = entry
+          block&.call(entry)
+        end
+      end
+
+      def add(entry_data:, add_options: '', exist: false)
+        entry(entry_data).add(add_options, exist)
+      end
+
+      def del(entry_data:, exist: false)
+        entry(entry_data).del(exist)
+      end
+
+      def create(type:, create_options: '', rangefrom: '', rangeto: '')
+        create_options = "range #{rangefrom}-#{rangeto} #{create_options}" if type.include?('bitmap')
+        command = "#{@system.ipset_bin} create #{@name} #{type} #{create_options}"
+        @system.exec command
+        @active = true
+      end
+
+      def destroy
+        command = "#{@system.ipset_bin} destroy #{@name}"
+        @system.exec command
+        @active = false
+      end
+    end
+  end
+end

data/lib/tablomat/iptables.rb

@@ -0,0 +1,202 @@
+# frozen_string_literal: true
+
+require 'English'
+require 'tablomat/iptables/table'
+require 'digest'
+require 'tempfile'
+require 'tablomat/exec'
+
+module Tablomat
+  # The IPTables interface
+  class IPTables
+    extend Exec
+    attr_accessor :iptables_bin
+    attr_reader :active, :builtin_chains, :tmp_chain
+
+    def initialize
+      # iptables must be in PATH
+      @iptables_bin = 'iptables'
+      @iptables_bin = "sudo #{@iptables_bin}" if Etc.getlogin != 'root'
+
+      # get random value for rule creation hack, iptables limits name to 28 characters
+      @tmp_chain_prefix = 'tablomat'
+
+      @builtin_chains = { filter: %w[INPUT FORWARD OUTPUT], nat: %w[PREROUTING INPUT OUTPUT POSTROUTING], mangle: %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING] }
+      @tables = {}
+
+      @active = true
+      synchronize
+    end
+
+    def exec(cmd)
+      Exec.exec(cmd)
+    end
+
+    def synchronize
+      # called regularly by normalize
+      command = "#{@iptables_bin}-save"
+      stdout = `#{command} 2>&1`.strip << "\n"
+      if $CHILD_STATUS != 0
+        # throw error
+        puts "Invalid return value when calling #{command}"
+      end
+      parse_output stdout
+    rescue StandardError => e
+      puts "[error] #{e}"
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    def parse_output(stdout)
+      stdout = stdout.split("\n").reject { |s| s[0] == '#' }.join("\n")
+      data = {}
+      stdout.split(/^\*/).reject { |s| s == '' }.each do |ruleset|
+        table, rule = ruleset.match(/(.+?)\n(.*)/m).to_a[1..-1]
+        data[table] = {}
+
+        raise "Empty ruleset in table #{table}" if table.nil?
+
+        rule.scan(/^:(.+?)\s+/).each do |match|
+          data[table][match[0]] = []
+        end
+
+        rule.scan(/^-A (.+?) (.+?)\n/).each do |match|
+          data[table][match[0]] << match[1]
+        end
+      end
+      parse_data(data)
+    end
+    # rubocop:enable Metrics/AbcSize
+
+    def parse_data(data)
+      data.each do |table, chains|
+        t = self.table(table, false)
+        t.activate true
+        parse_table(t, chains)
+      end
+    end
+
+    def parse_table(table, chains)
+      chains.each do |chain, rules|
+        c = table.chain(chain, false)
+        c.activate true
+        parse_chain(c, rules)
+      end
+    end
+
+    def parse_chain(chain, rules)
+      rules.each do |rule|
+        r = chain.rule(rule, false)
+        r.activate true
+      end
+    end
+
+    def table(name, owned = true, &block)
+      name = name.to_s.downcase
+      (@tables[name] || Table.new(self, name, owned)).tap do |table|
+        @tables[name] = table
+        block&.call(table)
+      end
+    end
+
+    # converts any given rule to the iptables internal description format by using a temporary table
+    # rubocop:disable Metrics/AbcSize
+    def normalize(data, table = 'filter')
+      synchronize
+      tmp_chain = "#{@tmp_chain_prefix}#{Digest::SHA256.hexdigest Random.rand(1024).to_s}"[0, 28]
+      self.table(table).chain(tmp_chain).activate
+      self.table(table).append(tmp_chain, data)
+      synchronize
+      normalized = data
+      self.table(table).chain(tmp_chain).rules.select { |_k, r| r.owned == false }.each do |_k, r|
+        normalized = r.description
+      end
+      self.table(table).delete(tmp_chain, data)
+      self.table(table).chain(tmp_chain).deactivate
+      self.table(table).chain(tmp_chain).apply_delete
+      normalized
+    end
+    # rubocop:enable Metrics/AbcSize
+
+    # rubocop:disable Metrics/AbcSize
+    def exists(table_name, chain_name, data = nil)
+      if data.nil?
+        table(table_name).chain_exists(chain_name) && table(table_name).chain(chain_name).active
+      else
+        data = normalize data, table_name
+        table(table_name).chain(chain_name).rules.count { |_k, v| normalize(v.description, table_name) == data && v.active } >= 1
+      end
+    end
+    # rubocop:enable Metrics/AbcSize
+
+    def insert(table_name, chain_name, data, pos)
+      data = normalize data, table_name
+      table(table_name).insert(chain_name, data, pos)
+    end
+
+    def append(table_name, chain_name, data)
+      data = normalize data, table_name
+      table(table_name).append(chain_name, data)
+    end
+
+    def delete(table_name, chain_name, data)
+      data = normalize data, table_name
+      table(table_name).delete(chain_name, data)
+    end
+
+    def activate
+      @active = true
+      @tables.each do |_name, table|
+        table.activate
+      end
+    end
+
+    def deactivate
+      @active = false
+      tables.each do |_name, table|
+        table.deactivate
+      end
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    def get_active_rules(table = 'nat', chain = 'PREROUTING')
+      rrgx = /(?<key>--?[[:alpha:]-]+) (?<value>[[:alnum:]:\.]+)/.freeze
+      switch_map = { '-s' => :source, '--source' => :source,
+                     '-d' => :destination, '--destination' => :destination,
+                     '--dport' => :dport, '--to-destination' => :to_dest,
+                     '-p' => :protocol, '--protocol' => :protocol,
+                     '-j' => :jump, '--jump' => :jump,
+                     '--match-set' => :match }
+
+      table(table).chain(chain).rules.filter { |_, r| r.active }.map do |_, rule|
+        rule.description.to_enum(:scan, rrgx)
+            .map { Regexp.last_match }
+            .map { |m| [switch_map[m[:key]], m[:value]] }
+            .filter { |m| m[0] }.to_h
+      end
+    end
+
+    # used to easily switch rules from one src ip to another
+    def switch_sources(old_src, new_src)
+      @tables.to_a.each do |_kt, tbl|
+        tbl.chains.to_a.each do |_kc, chn|
+          next if chn.name.include? 'tablomat'
+
+          chn.rules.to_a.each do |_key, rule|
+            next unless rule.description.include? "-s #{old_src}"
+
+            new_data = normalize(rule.description, tbl.name).sub "-s #{old_src}", "-s #{new_src}"
+            pos = rule.position + 1
+            delete(tbl.name, chn.name, rule.description)
+            insert(tbl.name, chn.name, new_data, pos)
+          end
+        end
+      end
+    end
+    # rubocop:enable Metrics/AbcSize
+
+    def print
+      require 'pp'
+      pp self
+    end
+  end
+end

data/lib/tablomat/iptables/chain.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require 'tablomat/iptables/rule'
+
+module Tablomat
+  class IPTables
+    # The IPTables class is the interface to the iptables command
+    class Chain
+      attr_accessor :owned
+      attr_reader :table, :name, :active, :rules
+
+      def initialize(table, name, owned = true)
+        @system = table.system
+        @table = table
+        @name = name
+        @policy = 'ACCEPT'
+        @rules = {}
+        @rules_sorted = []
+        @owned = owned
+        @active = false
+        activate if @table.active
+      end
+
+      def policy(action)
+        # set policy as the last rule of the chain
+        raise 'Unable to assign policy to non builtin chains, TODO: implement handling' unless builtin?
+
+        @policy = action
+        return unless @active
+
+        command = "#{@table.system.iptables_bin} -t #{@table.name} -P #{@name} #{@policy}"
+        @system.exec command
+      end
+
+      def rule(name, owned = true, &block)
+        if name.is_a? Hash
+          name = sethandling(name) if name.key?(:set)
+          name = name.map { |k, v| "--#{k} #{v}" }.join(' ')
+        end
+        key = name.to_s.downcase
+        (@rules[key] || Rule.new(self, name, owned)).tap do |rule|
+          @rules[key] = rule
+          block&.call(rule)
+        end
+      end
+
+      def sethandling(name)
+        trash = {}
+        name.each do |k, v|
+          trash[k] = v
+          trash[:match] = trash.delete :set if trash.key?(:set)
+        end
+        trash
+      end
+
+      def insert(data, pos)
+        rule(data) do |rule|
+          rule.method = 'INSERT'
+          rule.position = pos
+          @rules_sorted.insert(pos - 1, rule)
+          update_rules_position
+          rule.activate if @active
+        end
+      end
+
+      def append(data)
+        rule(data) do |rule|
+          @rules_sorted << rule
+          rule.activate if @active
+        end
+      end
+
+      def update_rules_position
+        @rules_sorted = @rules_sorted.compact
+        @rules_sorted.select(&:active).each_with_index do |rule, index|
+          rule.position = index + 1 if (rule.position != 0) && (rule.position != (index + 1))
+        end
+      end
+
+      def delete(data)
+        rule = if data.is_a? Rule
+                 data
+               else
+                 self.rule(data)
+               end
+        rule.deactivate if rule.active
+
+        @rules_sorted.delete(rule)
+        @rules.delete_if { |_k, v| v.description == rule.description }
+      end
+
+      def activate(override = false)
+        return unless @owned || override
+        return if @active
+
+        @active = true
+        return if override
+
+        apply_create
+        activate_all_rules
+      end
+
+      def deactivate(override = false)
+        return unless @owned || override
+        return unless @active
+
+        @active = false
+        return if override
+
+        deactivate_all_rules
+        @active = false
+      end
+
+      def apply_create
+        unless exists?
+          begin
+            command = "#{@system.iptables_bin} -t #{@table.name} -N #{@name}"
+            @system.exec command
+          rescue StandardError
+            puts "Error: #{$ERROR_INFO}"
+          end
+        end
+        # apply policy if builtin chain
+        return unless builtin?
+
+        command = "#{@system.iptables_bin} -t #{@table.name} -P #{@name} #{@policy}"
+        @system.exec command
+      end
+
+      def apply_delete
+        return unless exists? && !builtin?
+
+        begin
+          command = "#{@system.iptables_bin} -t #{@table.name} -F #{@name}"
+          @system.exec command
+          command = "#{@system.iptables_bin} -t #{@table.name} -X #{@name}"
+          @system.exec command
+        rescue StandardError
+          puts "Error removing chain #{command}, message: #{$ERROR_INFO}"
+        end
+      end
+
+      def exists?
+        command = "#{@system.iptables_bin} -t #{@table.name} -nL #{@name}"
+        @system.exec command
+        true
+      rescue StandardError
+        false
+      end
+
+      def builtin?
+        @table.system.builtin_chains.key?(@table.name.to_sym) && @table.system.builtin_chains[@table.name.to_sym].include?(@name)
+      end
+
+      private
+
+      def activate_all_rules
+        @rules_sorted.each do |rule|
+          rule.activate if !rule.nil? && !rule.active
+        end
+      end
+
+      def deactivate_all_rules
+        @rules_sorted.each do |rule|
+          rule.deactivate if !rule.nil? && rule.active
+        end
+      end
+    end
+  end
+end

data/lib/tablomat/iptables/rule.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Tablomat
+  class IPTables
+    # IPTables are made of Rules
+    class Rule
+      attr_accessor :owned, :active, :method, :position
+      attr_reader :chain, :description
+
+      def initialize(chain, description, owned = true)
+        @system = chain.table.system
+        @chain = chain
+        @description = description
+        @items = {}
+        @owned = owned
+        @active = false
+        @method = 'APPEND'
+        @position = 0
+        activate if @chain.active
+      end
+
+      def activate(override = false)
+        return unless @owned || override
+        return if @active
+
+        @active = true
+        return if override
+
+        @chain.activate unless @chain.active
+        apply_create
+      end
+
+      def deactivate(override = false)
+        return unless @owned || override
+        return unless @active
+
+        self.active = false
+        return if override
+
+        apply_delete
+      end
+
+      def apply_create
+        return unless @owned
+
+        method = if @method == 'APPEND'
+                   "-A #{@chain.name}"
+                 else
+                   "-I #{@chain.name} #{@position}"
+                 end
+        command = "#{@system.iptables_bin} -t #{@chain.table.name} #{method} #{@description}"
+        @system.exec command
+      end
+
+      def apply_delete
+        return unless @owned
+
+        command = "#{@system.iptables_bin} -t #{@chain.table.name} -D #{@chain.name} #{@description}"
+        @system.exec command
+      end
+    end
+  end
+end

data/lib/tablomat/iptables/table.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require 'tablomat/iptables/chain'
+
+module Tablomat
+  class IPTables
+    # Puts the Table in IPTables
+    class Table
+      attr_accessor :owned
+      attr_reader :name, :system, :active, :chains
+
+      def initialize(system, name, owned = true)
+        @system = system
+        @name = name
+        @chains = {}
+        # whether this table is owned/created by us or external
+        @owned = owned
+        @active = false
+        activate if @system.active
+      end
+
+      def get_key(name)
+        name.to_s.downcase[0, 28]
+      end
+
+      def chain(name, owned = true, &block)
+        key = get_key name
+        (@chains[key] || Chain.new(self, name, owned)).tap do |chain|
+          @chains[key] = chain
+          block&.call(chain)
+        end
+      end
+
+      def chain_exists(name)
+        key = get_key name
+        return true if @chains.key? key
+
+        false
+      end
+
+      def insert(chain_name, data, pos)
+        chain chain_name do |chain|
+          chain.insert(data, pos)
+        end
+      end
+
+      def append(chain_name, data)
+        chain(chain_name).append(data)
+      end
+
+      def delete(chain_name, data)
+        chain chain_name do |chain|
+          chain.delete(data)
+        end
+      end
+
+      def activate(override = false)
+        return unless @owned || override
+
+        @active = true
+        return if override
+
+        @chains.each do |_name, chain|
+          chain.activate
+        end
+      end
+
+      def deactivate(override = false)
+        return unless @owned || override
+
+        @active = false
+        return if override
+
+        @chains.each do |_name, chain|
+          chain.deactivate
+        end
+      end
+
+      def print
+        require 'pp'
+        pp self
+      end
+    end
+  end
+end

data/lib/tablomat/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Tablomat
+  VERSION = '1.2.1'
+end

data/spec/ipset_spec.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'etc'
+
+describe Tablomat::IPSet do
+  describe 'Initialize module' do
+    @ipset = Tablomat::IPSet.new
+  end
+
+  before(:all) do
+    @command = 'ipset'
+    @command = "sudo #{@command}" if Etc.getlogin != 'root'
+    @ipset = Tablomat::IPSet.new
+  end
+
+  before(:each) do
+    @ipset.destroy_all(true)
+  end
+
+  after(:all) do
+    # destroy all sets
+    @ipset.destroy_all(true)
+  end
+
+  it 'creates new sets of type hash:ip' do
+    @ipset.create(set_name: 'test1', type: 'hash:ip')
+    expect(@ipset.set('test1').exists?).to be_truthy
+  end
+
+  it 'can destroy existing sets' do
+    @ipset.create(set_name: 'test2', type: 'hash:ip')
+    expect(@ipset.set('test2').exists?).to be_truthy
+    @ipset.destroy(set_name: 'test2')
+    expect(@ipset.set('test2').exists?).to be_falsey
+  end
+
+  it 'set() returns instance of Set' do
+    expect(@ipset.set('test2').exists?).to be_falsey
+    set_set = @ipset.set('test2')
+    set_set.create(type: 'hash:ip')
+    expect(@ipset.set('test2').exists?).to be_truthy
+  end
+
+  it 'checks if set exists' do
+    # check precondition
+    expect(@ipset.set('test3').exists?).to be_falsy
+
+    # check existing
+    @ipset.create(set_name: 'test3', type: 'hash:ip')
+    expect(@ipset.set('test3').exists?).to be_truthy
+
+    # check missing
+    @ipset.destroy(set_name: 'test3')
+    expect(@ipset.set('test3').exists?).to be_falsy
+  end
+
+  it 'can not create set if set with same name already exists' do
+    @ipset.create(set_name: 'test4', type: 'hash:ip')
+    expect(@ipset.set('test4').exists?).to be_truthy
+    expect { @ipset.create(set_name: 'test4', type: 'hash:port') }.to raise_error(Tablomat::IPSetError)
+  end
+
+  it 'can not delete set if the set does not exist' do
+    expect(@ipset.set('test6').exists?).to be_falsey
+    expect { @ipset.destroy(set_name: 'test6') }.to raise_error(Tablomat::IPSetError)
+  end
+
+  it 'appends entrys to set in ipset' do
+    @ipset.create(set_name: 'test6', type: 'hash:ip')
+    expect(@ipset.set('test6').entry('192.0.2.42').exists?).to be_falsy
+    @ipset.add(set_name: 'test6', entry_data: '192.0.2.42')
+    expect(@ipset.set('test6').entry('192.0.2.42').exists?).to be_truthy
+  end
+
+  it 'appends entrys to set in set' do
+    @ipset.create(set_name: 'test6', type: 'hash:ip')
+    expect(@ipset.set('test6').entry('192.0.2.52').exists?).to be_falsy
+    @ipset.set('test6').add(entry_data: '192.0.2.52')
+    expect(@ipset.set('test6').entry('192.0.2.52').exists?).to be_truthy
+  end
+
+  it 'can delete entrys in sets in ipset' do
+    @ipset.create(set_name: 'test7', type: 'hash:ip')
+    @ipset.add(set_name: 'test7', entry_data: '192.0.2.42')
+    expect(@ipset.set('test7').entry('192.0.2.42').exists?).to be_truthy
+    @ipset.del(set_name: 'test7', entry_data: '192.0.2.42')
+    expect(@ipset.set('test7').entry('192.0.2.42').exists?).to be_falsy
+  end
+
+  it 'can delete entrys in sets in set' do
+    @ipset.create(set_name: 'test7', type: 'hash:ip')
+    @ipset.set('test7').add(entry_data: '192.0.2.42')
+    expect(@ipset.set('test7').entry('192.0.2.42').exists?).to be_truthy
+    @ipset.set('test7').del(entry_data: '192.0.2.42')
+    expect(@ipset.set('test7').entry('192.0.2.42').exists?).to be_falsy
+  end
+
+  it 'creates set with type bitmap:port' do
+    @ipset.create(set_name: 'test8', type: 'bitmap:port', rangefrom: 500_00, rangeto: 600_00)
+    expect(@ipset.set('test8').exists?).to be_truthy
+    expect(@ipset.set('test8').type == 'bitmap:port').to be_truthy
+  end
+
+  it 'creates set with type hash:ip,port' do
+    @ipset.create(set_name: 'test9', type: 'hash:ip,port')
+    expect(@ipset.set('test9').exists?).to be_truthy
+    expect(@ipset.set('test9').type == 'hash:ip,port').to be_truthy
+  end
+
+  it 'can destroy created in one instance' do
+    # creating sets in an instance
+    @ipset.create(set_name: 'test10', type: 'bitmap:port', rangefrom: 500_00, rangeto: 600_00)
+    expect(@ipset.set('test10').exists?).to be_truthy
+    @ipset.create(set_name: 'test11', type: 'hash:mac')
+    expect(@ipset.set('test11').exists?).to be_truthy
+    # creating sets in another instance
+    ipsetnext = Tablomat::IPSet.new
+    ipsetnext.create(set_name: 'test12', type: 'bitmap:port', rangefrom: 500_00, rangeto: 600_00)
+    expect(@ipset.set('test12').exists?).to be_truthy
+    ipsetnext.create(set_name: 'test13', type: 'hash:ip,port')
+    expect(@ipset.set('test13').exists?).to be_truthy
+    ipsetnext.create(set_name: 'test14', type: 'hash:net')
+    expect(@ipset.set('test14').exists?).to be_truthy
+    # destroy sets created with ipsetnext
+    ipsetnext.destroy_all
+    expect(@ipset.set('test10').exists?).to be_truthy
+    expect(@ipset.set('test11').exists?).to be_truthy
+    expect(@ipset.set('test12').exists?).to be_falsey
+    expect(@ipset.set('test13').exists?).to be_falsey
+    expect(@ipset.set('test14').exists?).to be_falsey
+  end
+
+  it 'can destroy all sets' do
+    # creating sets in another instance
+    ipsetnext = Tablomat::IPSet.new
+    ipsetnext.create(set_name: 'test14', type: 'hash:net')
+    expect(@ipset.set('test14').exists?).to be_truthy
+    ipsetnext.destroy_all(true)
+    expect(@ipset.set('test10').exists?).to be_falsey
+    expect(@ipset.set('test11').exists?).to be_falsey
+    expect(@ipset.set('test14').exists?).to be_falsey
+  end
+end

data/spec/ipsetiptables_spec.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'etc'
+
+describe Tablomat::IPTables, Tablomat::IPSet do
+  describe 'Initialize module' do
+    @ipset = Tablomat::IPSet.new
+    @iptables = Tablomat::IPTables.new
+  end
+
+  before(:all) do
+    @command = 'ipset'
+    @command = "sudo #{@command}" if Etc.getlogin != 'root'
+    @ipset = Tablomat::IPSet.new
+    @iptables = Tablomat::IPTables.new
+    @iptables.activate
+  end
+
+  after(:all) do
+    # cleanup table and ipsets
+    @iptables.table('mangle').chain('custom', &:apply_delete)
+    @ipset.destroy_all
+  end
+
+  it 'can create and delete rules using ipsets if set exists' do
+    #  initialize ipset and create set
+    @ipset.create(set_name: 'testset1', type: 'hash:ip')
+    #  create rule
+    @iptables.append('mangle', 'custom', set: @ipset.matchset(set_name: 'testset1', flags: 'src'), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', set: @ipset.matchset(set_name: 'testset1', flags: 'src'), protocol: :tcp, sport: 123)).to be_truthy
+    @iptables.delete('mangle', 'custom', set: @ipset.matchset(set_name: 'testset1', flags: 'src'), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', set: @ipset.matchset(set_name: 'testset1', flags: 'src'), protocol: :tcp, sport: 123)).to be_falsey
+  end
+
+  it 'can create and delete rules using ipsets with Options' do
+    @iptables.append('mangle', 'custom', match: @ipset.matchset(set_name: 'testset1', flags: 'src', option: '--update-subcounters', negate_option: true, negate: true), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', match: @ipset.matchset(set_name: 'testset1', flags: 'src', option: '--update-subcounters', negate_option: true, negate: true), protocol: :tcp, sport: 123)).to be_truthy
+    @iptables.delete('mangle', 'custom', match: @ipset.matchset(set_name: 'testset1', flags: 'src', option: '--update-subcounters', negate_option: true, negate: true), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', match: @ipset.matchset(set_name: 'testset1', flags: 'src', option: '--update-subcounters', negate_option: true, negate: true), protocol: :tcp, sport: 123)).to be_falsey
+  end
+
+  it 'can not create rules using a set if the set does not exist' do
+    expect(@ipset.set('testset2').exists?).to be_falsey
+    expect { @iptables.append('mangle', 'custom', match: @ipset.matchset(set_name: 'testset', flags: 'src'), protocol: :tcp, sport: 123) }.to raise_error(RuntimeError)
+  end
+
+  it 'can not destroy a set if a rule is using it' do
+    @ipset.create(set_name: 'testset3', type: 'hash:ip')
+    @iptables.append('mangle', 'custom', match: @ipset.matchset(set_name: 'testset3', flags: 'src'), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', match: @ipset.matchset(set_name: 'testset3', flags: 'src'), protocol: :tcp, sport: 123)).to be_truthy
+    expect { @ipset.destroy(set_name: 'testset3') }.to raise_error(Tablomat::IPSetError)
+    @iptables.delete('mangle', 'custom', match: @ipset.matchset(set_name: 'testset3', flags: 'src'), protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', match: @ipset.matchset(set_name: 'testset3', flags: 'src'), protocol: :tcp, sport: 123)).to be_falsey
+    @ipset.destroy(set_name: 'testset3')
+  end
+
+  it 'lists the set in active rules, if a set is given' do
+    @ipset.create(set_name: 'testset4', type: 'hash:ip')
+    @iptables.append('mangle', 'custom', match: @ipset.matchset(set_name: 'testset4', flags: 'src'), protocol: :tcp, sport: 123)
+    active_rules = @iptables.get_active_rules('mangle', 'custom')
+    expect(active_rules[-1][:match]).to eq('testset4')
+    @iptables.delete('mangle', 'custom', match: @ipset.matchset(set_name: 'testset4', flags: 'src'), protocol: :tcp, sport: 123)
+    @ipset.destroy(set_name: 'testset4')
+  end
+
+  it 'does not list a set in active rules, if no set is given' do
+    @ipset.create(set_name: 'testset5', type: 'hash:ip')
+    @iptables.append('mangle', 'custom', source: '10.0.0.1', protocol: :tcp, sport: 123)
+    active_rules = @iptables.get_active_rules('mangle', 'custom')
+    expect(active_rules[-1].key?(:match)).to be_falsey
+    @iptables.delete('mangle', 'custom', source: '10.0.0.1', protocol: :tcp, sport: 123)
+    @ipset.destroy(set_name: 'testset5')
+  end
+end

data/spec/iptables_spec.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'etc'
+
+describe Tablomat::IPTables do
+  describe 'Initialize module' do
+    @iptables = Tablomat::IPTables.new
+  end
+
+  before(:all) do
+    @command = 'iptables'
+    @command = "sudo #{@command}" if Etc.getlogin != 'root'
+
+    @iptables = Tablomat::IPTables.new
+    @iptables.activate
+  end
+
+  after(:all) do
+    # cleanup tables
+    @iptables.table('mangle').chain('test', &:apply_delete)
+    @iptables.table('mangle').chain('custom', &:apply_delete)
+    @iptables.table('filter').chain('rspec', &:apply_delete)
+    @iptables.table('nat').chain('rspec', &:apply_delete)
+  end
+
+  it 'does raise an error when getting an invalid ruleset' do
+    output = <<~IPTABLE
+      *nat
+      *mangle
+      :PREROUTING ACCEPT [57:17363]
+      :INPUT ACCEPT [57:17363]
+      :FORWARD ACCEPT [0:0]
+      :OUTPUT ACCEPT [60:16575]
+      :POSTROUTING ACCEPT [60:16575]
+      COMMIT
+      *filter
+    IPTABLE
+    expect { @iptables.parse_output(output) }.to raise_error(StandardError)
+  end
+
+  it 'converts rules to iptables-save format via tmp chain' do
+    expect(@iptables.normalize(protocol: :tcp, sport: 123, source: '1.2.3.4')).to eq('-s 1.2.3.4/32 -p tcp -m tcp --sport 123')
+    expect(@iptables.normalize('-s 1.2.3.4/32 -p tcp -m tcp --sport 123')).to eq('-s 1.2.3.4/32 -p tcp -m tcp --sport 123')
+    expect(@iptables.normalize('-s 1.2.3.4/32 -m tcp --sport 123 -p tcp')).to eq('-s 1.2.3.4/32 -p tcp -m tcp --sport 123')
+  end
+
+  it 'gets current ruleset' do
+    # remove all existing rules in mangle FORWARD (hurts running host rules during test)
+    `#{@command}-save > /tmp/iptables.save`
+    `#{@command} -t mangle -F FORWARD`
+    `#{@command} -t mangle -A FORWARD -p tcp -j ACCEPT`
+    @iptables.synchronize
+
+    `#{@command}-restore < /tmp/iptables.save`
+    # @iptables.print
+
+    # check that filter:INPUT is not owned!
+    expect(@iptables.table('filter').chain('INPUT').owned).to be_falsey
+
+    expect(@iptables.table('mangle').chain('FORWARD').rule(@iptables.normalize(protocol: :tcp, jump: :ACCEPT)).owned).to be_falsey
+    expect(@iptables.table('mangle').chain('FORWARD').rule(@iptables.normalize(protocol: :tcp, jump: :ACCEPT)).active).to be_truthy
+  end
+
+  it 'creates new chain in table mangle' do
+    @iptables.table('mangle').chain('custom').activate
+    expect(@iptables.table('mangle').chain('custom').active).to be_truthy
+  end
+
+  it 'allows to retrieve active rules' do
+    @iptables.append('nat', 'PREROUTING', source: '127.0.0.2',
+                                          destination: '127.0.0.3',
+                                          protocol: :tcp,
+                                          dport: 8080,
+                                          jump: 'DNAT', to: '127.0.0.4:9090')
+    target_hash = { source: '127.0.0.2', destination: '127.0.0.3', dport: '8080', jump: 'DNAT', protocol: 'tcp', to_dest: '127.0.0.4:9090' }
+    rules = @iptables.get_active_rules
+    expect(rules.length).to eq(2)
+    expect(rules.pop).to eq(target_hash)
+    @iptables.delete('nat', 'PREROUTING', source: '127.0.0.2',
+                                          destination: '127.0.0.3',
+                                          protocol: :tcp,
+                                          dport: 8080,
+                                          jump: 'DNAT', to: '127.0.0.4:9090')
+  end
+
+  it 'is not possible to set policy for non builtin chains' do
+    expect do
+      @iptables.table('mangle').chain('custom') do |chain|
+        chain.policy 'RETURN'
+        chain.apply
+      end
+    end.to raise_error('Unable to assign policy to non builtin chains, TODO: implement handling')
+  end
+
+  #  it "can set policy for builtin chains" do
+  #    @iptables.table("mangle").chain("INPUT") do | chain |
+  #      chain.set_policy "ACCEPT"
+  #    end
+  #    @iptables.activate
+  #  end
+
+  it 'can remove chains' do
+    # create chain
+    @iptables.table('mangle').chain('test').activate
+    expect(@iptables.exists('mangle', 'test')).to be_truthy
+    @iptables.table('mangle').chain('test').deactivate
+    expect(@iptables.exists('mangle', 'test')).to be_falsey
+  end
+
+  it 'checks if rule already exists' do
+    # check precondition
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_falsy
+
+    # check existing
+    @iptables.append('mangle', 'custom', protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_truthy
+    expect(@iptables.table('mangle').chain('FORWARD').rule(@iptables.normalize(protocol: :tcp, jump: :ACCEPT)).active).to be_truthy
+
+    # check missing
+    @iptables.delete('mangle', 'custom', protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_falsy
+  end
+
+  it 'appends new rule via system' do
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_falsy
+    @iptables.append('mangle', 'custom', protocol: :tcp, sport: 123)
+    expect(@iptables.table('mangle').chain('FORWARD').rule(@iptables.normalize(protocol: :tcp, jump: :ACCEPT)).owned).to be_falsey
+    expect(@iptables.table('mangle').chain('FORWARD').rule(@iptables.normalize(protocol: :tcp, jump: :ACCEPT)).active).to be_truthy
+  end
+
+  it 'can remove rules via system' do
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_truthy
+    @iptables.delete('mangle', 'custom', protocol: :tcp, sport: 123)
+    expect(@iptables.exists('mangle', 'custom', protocol: :tcp, sport: 123)).to be_falsey
+  end
+
+  it 'changes all rules for a specific source address to another source address' do
+    @iptables.append('filter', 'rspec', protocol: :tcp, sport: 123, source: '1.2.3.5')
+    @iptables.switch_sources('1.2.3.5', '5.3.2.1')
+    expect(@iptables.exists('filter', 'rspec', source: '5.3.2.1', protocol: :tcp, sport: 123)).to be_truthy
+    expect(@iptables.exists('filter', 'rspec', source: '1.2.3.5', protocol: :tcp, sport: 123)).to be_falsey
+    @iptables.append('nat', 'rspec', protocol: :tcp, sport: 123, source: '1.2.3.5', jump: :DNAT, 'to-destination': '127.0.0.1:123')
+    @iptables.switch_sources('1.2.3.5', '5.3.2.1')
+    expect(@iptables.exists('nat', 'rspec', source: '5.3.2.1', protocol: :tcp, sport: 123, jump: :DNAT, 'to-destination': '127.0.0.1:123')).to be_truthy
+    expect(@iptables.exists('nat', 'rspec', source: '1.2.3.5', protocol: :tcp, sport: 123, jump: :DNAT, 'to-destination': '127.0.0.1:123')).to be_falsey
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'simplecov'
+SimpleCov.start do
+  enable_coverage :branch
+  add_filter '/spec/'
+end
+
+require 'rubygems'
+require 'bundler/setup'
+require 'tablomat'
+
+RSpec.configure do |config|
+  # RSpec::Core::Configuration#treat_symbols_as_metadata_keys_with_true_values= is deprecated, it is now set to true as default and setting it to false has no effect.
+  # config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.raise_errors_for_deprecations!
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.order = 'random'
+end

metadata

@@ -0,0 +1,133 @@
+--- !ruby/object:Gem::Specification
+name: tablomat
+version: !ruby/object:Gem::Version
+  version: 1.2.1
+platform: ruby
+authors:
+- Matthias Wübbeling
+- Arnold Sykosch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-03-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.0.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.88.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.88.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.18.5
+description: A simple wrapper for iptables
+email:
+- matthias.wuebbeling@cs.uni-bonn.de
+- sykosch@cs.uni-bonn.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/tablomat.rb
+- lib/tablomat/exec.rb
+- lib/tablomat/ipset.rb
+- lib/tablomat/ipset/entry.rb
+- lib/tablomat/ipset/set.rb
+- lib/tablomat/iptables.rb
+- lib/tablomat/iptables/chain.rb
+- lib/tablomat/iptables/rule.rb
+- lib/tablomat/iptables/table.rb
+- lib/tablomat/version.rb
+- spec/ipset_spec.rb
+- spec/ipsetiptables_spec.rb
+- spec/iptables_spec.rb
+- spec/spec_helper.rb
+homepage: https://gitlab.com/itsape/tablomat
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: This wrapper provides an interface to iptables.
+test_files:
+- spec/ipset_spec.rb
+- spec/ipsetiptables_spec.rb
+- spec/iptables_spec.rb
+- spec/spec_helper.rb