Class: Puffy::Formatters::Netfilter::Rule

Inherits:

Base::Rule

• Object
• Base::Rule
• Puffy::Formatters::Netfilter::Rule

Defined in:

lib/puffy/formatters/netfilter.rb

Overview

Netfilter implementation of a Puffy Rule formatter.

Direct Known Subclasses

Puffy::Formatters::Netfilter4::Rule, Puffy::Formatters::Netfilter6::Rule

Instance Method Summary

• #emit_ct_rule(rule) ⇒ Object
• #emit_dnat(rule) ⇒ Object
• #emit_dst(rule) ⇒ Object
• #emit_dst_host(rule) ⇒ Object
• #emit_dst_port(rule) ⇒ Object
• #emit_filter_rule(rule) ⇒ Object
• #emit_if(rule) ⇒ Object
• #emit_in_out(rule) ⇒ Object
• #emit_jump(rule) ⇒ Object
• #emit_on(rule) ⇒ Object
• #emit_postrouting_rule(rule) ⇒ Object
• #emit_prerouting_rule(rule) ⇒ Object
• #emit_proto(rule) ⇒ Object
• #emit_redirect(rule) ⇒ Object
• #emit_redirect_or_dnat(rule) ⇒ Object
• #emit_rule(rule) ⇒ Object

  Returns a Netfilter String representation of the provided rule Puffy::Rule.

• #emit_src(rule) ⇒ Object
• #emit_src_host(rule) ⇒ Object
• #emit_src_port(rule) ⇒ Object
• #pp_rule(parts) ⇒ Object

Instance Method Details

#emit_ct_rule(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 130

def emit_ct_rule(rule)
  parts = ['-A PREROUTING']
  parts << emit_if(rule)
  parts << emit_proto(rule)
  parts << emit_src_port(rule)
  parts << emit_dst_port(rule)
  parts << '-j CT'
  parts << "--helper #{Ruleset.known_conntrack_helpers[rule.to_port]}"
  pp_rule(parts)
end

#emit_dnat(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 247

def emit_dnat(rule)
  res = "-j DNAT --to-destination #{rule.rdr_to_host}"
  res += ":#{rule.rdr_to_port}" if rule.rdr_to_port && rule.rdr_to_port != rule.to_port
  res
end

#emit_dst(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 215

def emit_dst(rule)
  emit_dst_host(rule) + emit_dst_port(rule)
end

#emit_dst_host(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 219

def emit_dst_host(rule)
  if rule.to_host
    ['-d', emit_address(rule.to_host)]
  else
    []
  end
end

#emit_dst_port(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 227

def emit_dst_port(rule)
  if rule.to_port
    ['--dport', emit_port(rule.to_port)]
  else
    []
  end
end

#emit_filter_rule(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 155

def emit_filter_rule(rule)
  iptables_direction = { in: 'INPUT', out: 'OUTPUT', fwd: 'FORWARD' }
  parts = ["-A #{iptables_direction[rule.dir]}"]
  parts << '-m conntrack --ctstate NEW' if %i[tcp udp].include?(rule.proto)
  parts << emit_if(rule)
  parts << emit_proto(rule)
  parts << emit_src(rule)
  parts << emit_dst(rule)
  parts << emit_jump(rule)
  pp_rule(parts)
end

#emit_if(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 167

def emit_if(rule)
  if rule.on
    emit_on(rule)
  else
    emit_in_out(rule)
  end
end

#emit_in_out(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 184

def emit_in_out(rule)
  parts = []
  parts << "-i #{rule.in}" if rule.in
  parts << "-o #{rule.out}" if rule.out
  parts
end

#emit_jump(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 253

def emit_jump(rule)
  "-j #{Puffy::Formatters::Netfilter.iptables_action(rule)}"
end

#emit_on(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 175

def emit_on(rule)
  on_direction_flag = { in: '-i', out: '-o' }

  return unless rule.on || rule.dir

  matches = /(!)?(.*)/.match(rule.on)
  [matches[1], on_direction_flag[rule.dir], matches[2]].compact
end

#emit_postrouting_rule(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 141

def emit_postrouting_rule(rule)
  "-A POSTROUTING -o #{rule.on} -j MASQUERADE"
end

#emit_prerouting_rule(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 145

def emit_prerouting_rule(rule)
  parts = ['-A PREROUTING']
  parts << emit_on(rule)
  parts << emit_proto(rule)
  parts << emit_src(rule)
  parts << emit_dst(rule)
  parts << emit_redirect_or_dnat(rule)
  pp_rule(parts)
end

#emit_proto(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 191

def emit_proto(rule)
  "-p #{rule.proto}" if rule.proto
end

#emit_redirect(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 243

def emit_redirect(rule)
  "-j REDIRECT --to-port #{rule.rdr_to_port}"
end

#emit_redirect_or_dnat(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 235

def emit_redirect_or_dnat(rule)
  if Puffy::Formatters::Base.loopback_addresses.include?(rule.rdr_to_host)
    emit_redirect(rule)
  else
    emit_dnat(rule)
  end
end

#emit_rule(rule) ⇒ Object

Returns a Netfilter String representation of the provided rule Puffy::Rule.

# File 'lib/puffy/formatters/netfilter.rb', line 120

def emit_rule(rule)
  if rule.nat?
    emit_postrouting_rule(rule)
  elsif rule.rdr?
    emit_prerouting_rule(rule)
  else
    emit_filter_rule(rule)
  end
end

#emit_src(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 195

def emit_src(rule)
  emit_src_host(rule) + emit_src_port(rule)
end

#emit_src_host(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 199

def emit_src_host(rule)
  if rule.from_host
    ['-s', emit_address(rule.from_host)]
  else
    []
  end
end

#emit_src_port(rule) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 207

def emit_src_port(rule)
  if rule.from_port
    ['--sport', emit_port(rule.from_port)]
  else
    []
  end
end

#pp_rule(parts) ⇒ Object

# File 'lib/puffy/formatters/netfilter.rb', line 257

def pp_rule(parts)
  parts.flatten.compact.join(' ')
end