Class: Puffy::Rule

Inherits:

Object

• Object
• Puffy::Rule

Defined in:

lib/puffy/rule.rb

Overview

Abstract firewall rule.

Instance Attribute Summary

• #action ⇒ Symbol

  The action to perform when the rule apply (:accept or :block).

• #af ⇒ Symbol

  The address family of the rule (:inet6 or :inet).

• #dir ⇒ Symbol

  The direction of the rule (:in or :out).

• #from ⇒ Hash

  The packet source as a Hash for the rule to apply.

• #in ⇒ String

  The interface packets must arrive on for the rule to apply in a forwarding context.

• #nat_to ⇒ IPAddr

  The packet destination when peforming NAT.

• #no_quick ⇒ Boolean

  Prevent the rule from being a quick one.

• #on ⇒ String

  The interface the rule applies to.

• #out ⇒ String

  The interface packets must be sent to for the rule to apply in a forwarding context.

• #proto ⇒ Symbol

  The protocol the Puffy::Rule applies to (:tcp, :udp, etc).

• #rdr_to ⇒ Hash

  The destination as a Hash for redirections.

• #return ⇒ Boolean

  Whether blocked packets must be returned to sender instead of being silently dropped.

• #to ⇒ Hash

  The packet destination as a Hash for the rule to apply.

Class Method Summary

• .fwd_rule(rule) ⇒ Puffy::Rule

  Instanciate a forward Puffy::Rule.

Instance Method Summary

• #filter? ⇒ Boolean

  Return true if the rule is a filter rule.

• #from_host ⇒ Object

  Returns the source host of the Puffy::Rule.

• #from_port ⇒ Object

  Returns the source port of the Puffy::Rule.

• #from_proto_hint ⇒ Object

  Returns the proto hint of the Puffy::Rule.

• #fwd? ⇒ Boolean

  Returns whether the rule performs forwarding.

• #implicit_ipv4? ⇒ Boolean

  Return true if the rule has an IPv4 source or destination.

• #implicit_ipv6? ⇒ Boolean

  Return true if the rule has an IPv6 source or destination.

• #in? ⇒ Boolean

  Returns whether the rule applies to incomming packets.

• #initialize(options = {}) ⇒ Rule constructor

  Instanciate a firewall Puffy::Rule.

• #ipv4? ⇒ Boolean

  Return true if the rule is valid in an IPv4 context.

• #ipv6? ⇒ Boolean

  Return true if the rule is valid in an IPv6 context.

• #nat? ⇒ Boolean

  Returns whether the rule performs Network Address Translation.

• #on_to_in_out! ⇒ void

  Setsthe #in / #out to #on depending on #dir.

• #out? ⇒ Boolean

  Returns whether the rule applies to outgoing packets.

• #rdr? ⇒ Boolean

  Returns whether the rule is a redirection.

• #rdr_to_host ⇒ Object

  Returns the redirect destination host of the Puffy::Rule.

• #rdr_to_port ⇒ Object

  Returns the redirect destination port of the Puffy::Rule.

• #rdr_to_proto_hint ⇒ Object

  Returns the proto hint of the Puffy::Rule (does not make sense).

• #to_host ⇒ Object

  Returns the destination host of the Puffy::Rule.

• #to_port ⇒ Object

  Returns the destination port of the Puffy::Rule.

• #to_proto_hint ⇒ Object

  Returns the proto hint of the Puffy::Rule.

Constructor Details

#initialize(options = {}) ⇒ Rule

Instanciate a firewall Puffy::Rule.

options is a Hash of the Puffy::Rule class attributes

Rule.new({ action: :accept, dir: :in, proto: :tcp, to: { port: 80 } })

# File 'lib/puffy/rule.rb', line 64

def initialize(options = {})
  send_options(options)

  self.af ||= detect_af
  self.proto ||= from_proto_hint || to_proto_hint

  raise "unsupported action `#{options[:action]}'" unless valid_action?
  raise 'if from_port or to_port is specified, the protocol must also be given' if port_without_protocol?
end

Instance Attribute Details

#action ⇒ Symbol

The action to perform when the rule apply (:accept or :block).

Returns:

• (Symbol) —

  Action

# File 'lib/puffy/rule.rb', line 57

def action
  @action
end

#af ⇒ Symbol

The address family of the rule (:inet6 or :inet)

Returns:

• (Symbol) —

  Address family

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#dir ⇒ Symbol

The direction of the rule (:in or :out).

Returns:

• (Symbol) —

  Direction

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#from ⇒ Hash

The packet source as a Hash for the rule to apply.

:host

address of the source host or network the rule apply to

:port

source port the rule apply to

Returns:

• (Hash) —

  Source

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#in ⇒ String

The interface packets must arrive on for the rule to apply in a forwarding context.

Returns:

• (String) —

  Interface

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#nat_to ⇒ IPAddr

The packet destination when peforming NAT.

Returns:

• (IPAddr) —

  IP Adress

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#no_quick ⇒ Boolean

Prevent the rule from being a quick one.

Returns:

• (Boolean) —

  Quick flag

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#on ⇒ String

The interface the rule applies to.

Returns:

• (String) —

  Interface

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#out ⇒ String

The interface packets must be sent to for the rule to apply in a forwarding context.

Returns:

• (String) —

  Interface

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#proto ⇒ Symbol

The protocol the Puffy::Rule applies to (:tcp, :udp, etc).

Returns:

• (Symbol) —

  Protocol

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#rdr_to ⇒ Hash

The destination as a Hash for redirections.

:host

address of the destination host or network the rule apply to

:port

destination port the rule apply to

Returns:

• (Hash) —

  Destination

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#return ⇒ Boolean

Whether blocked packets must be returned to sender instead of being silently dropped.

Returns:

• (Boolean) —

  Return flag

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

#to ⇒ Hash

The packet destination as a Hash for the rule to apply.

:host

address of the destination host or network the rule apply to

:port

destination port the rule apply to

Returns:

• (Hash) —

  Destination

# File 'lib/puffy/rule.rb', line 57

attr_accessor :action, :return, :dir, :proto, :af, :on, :in, :out, :from, :to, :nat_to, :rdr_to, :no_quick

Class Method Details

.fwd_rule(rule) ⇒ Puffy::Rule

Instanciate a forward Puffy::Rule.

Parameters:

• rule (Puffy::Rule) —

  a NAT rule

Returns:

• (Puffy::Rule)

# File 'lib/puffy/rule.rb', line 79

def self.fwd_rule(rule)
  res = rule.dup
  res.on_to_in_out!
  res.to.merge!(res.rdr_to.compact)
  res.rdr_to = nil
  res.dir = :fwd
  res
end

Instance Method Details

#filter? ⇒ Boolean

Return true if the rule is a filter rule.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 109

def filter?
  !nat? && !rdr?
end

#from_host ⇒ Object

Returns the source host of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#from_port ⇒ Object

Returns the source port of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#from_proto_hint ⇒ Object

Returns the proto hint of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#fwd? ⇒ Boolean

Returns whether the rule performs forwarding.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 134

def fwd?
  dir == :fwd
end

#implicit_ipv4? ⇒ Boolean

Return true if the rule has an IPv4 source or destination.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 94

def implicit_ipv4?
  from_ipv4? || to_ipv4? || rdr_to_ipv4? || (rdr_to && af == :inet)
end

#implicit_ipv6? ⇒ Boolean

Return true if the rule has an IPv6 source or destination.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 104

def implicit_ipv6?
  from_ipv6? || to_ipv6? || rdr_to_ipv6? || (rdr_to && af == :inet6)
end

#in? ⇒ Boolean

Returns whether the rule applies to incomming packets.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 114

def in?
  dir.nil? || dir == :in
end

#ipv4? ⇒ Boolean

Return true if the rule is valid in an IPv4 context.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 89

def ipv4?
  af.nil? || af == :inet
end

#ipv6? ⇒ Boolean

Return true if the rule is valid in an IPv6 context.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 99

def ipv6?
  af.nil? || af == :inet6
end

#nat? ⇒ Boolean

Returns whether the rule performs Network Address Translation.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 124

def nat?
  nat_to
end

#on_to_in_out! ⇒ void

This method returns an undefined value.

Setsthe #in / #out to #on depending on #dir.

# File 'lib/puffy/rule.rb', line 168

def on_to_in_out!
  if dir == :in
    self.in ||= on
  else
    self.out ||= on
  end
  self.on = nil
end

#out? ⇒ Boolean

Returns whether the rule applies to outgoing packets.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 119

def out?
  dir.nil? || dir == :out
end

#rdr? ⇒ Boolean

Returns whether the rule is a redirection.

Returns:

• (Boolean)

# File 'lib/puffy/rule.rb', line 129

def rdr?
  rdr_to_host || rdr_to_port
end

#rdr_to_host ⇒ Object

Returns the redirect destination host of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#rdr_to_port ⇒ Object

Returns the redirect destination port of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#rdr_to_proto_hint ⇒ Object

Returns the proto hint of the Puffy::Rule (does not make sense).

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#to_host ⇒ Object

Returns the destination host of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#to_port ⇒ Object

Returns the destination port of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end

#to_proto_hint ⇒ Object

Returns the proto hint of the Puffy::Rule.

# File 'lib/puffy/rule.rb', line 156

%i[from to rdr_to].each do |destination|
  %i[host port proto_hint].each do |param|
    define_method("#{destination}_#{param}") do
      res = public_send(destination)
      res && res[param]
    end
  end
end