Class: Tablomat::IPTablesBase

Inherits:

Object

• Object
• Tablomat::IPTablesBase

Extended by:

Exec

Defined in:

lib/tablomat/iptables.rb,
lib/tablomat/iptables/rule.rb,
lib/tablomat/iptables/chain.rb,
lib/tablomat/iptables/table.rb

Overview

The base class for the IPTables interface

Direct Known Subclasses

IP6Tables, IPTables

Defined Under Namespace

Classes: Chain, Rule, Table

Instance Attribute Summary

• #active ⇒ Object readonly

  Returns the value of attribute active.

• #builtin_chains ⇒ Object readonly

  Returns the value of attribute builtin_chains.

• #iptables_bin ⇒ Object

  Returns the value of attribute iptables_bin.

• #tmp_chain ⇒ Object readonly

  Returns the value of attribute tmp_chain.

Instance Method Summary

• #activate ⇒ Object
• #append(table_name, chain_name, data) ⇒ Object
• #deactivate ⇒ Object
• #delete(table_name, chain_name, data) ⇒ Object
• #exec(cmd) ⇒ Object
• #exists(table_name, chain_name, data = nil) ⇒ Object

  rubocop:disable Metrics/AbcSize.

• #get_active_rules(table = 'nat', chain = 'PREROUTING') ⇒ Object

  rubocop:disable Metrics/AbcSize.

• #initialize ⇒ IPTablesBase constructor

  A new instance of IPTablesBase.

• #insert(table_name, chain_name, data, pos) ⇒ Object

  rubocop:enable Metrics/AbcSize.

• #normalize(data, table = 'filter') ⇒ Object

  converts any given rule to the iptables internal description format by using a temporary table rubocop:disable Metrics/AbcSize.

• #parse_chain(chain, rules) ⇒ Object
• #parse_data(data) ⇒ Object

  rubocop:enable Metrics/AbcSize.

• #parse_output(stdout) ⇒ Object

  rubocop:disable Metrics/AbcSize.

• #parse_table(table, chains) ⇒ Object
• #print ⇒ Object

  rubocop:enable Metrics/AbcSize.

• #switch_sources(old_src, new_src) ⇒ Object

  used to easily switch rules from one src ip to another.

• #synchronize ⇒ Object
• #table(name, owned = true, &block) ⇒ Object

Methods included from Exec

exec

Constructor Details

#initialize ⇒ IPTablesBase

Returns a new instance of IPTablesBase.

# File 'lib/tablomat/iptables.rb', line 16

def initialize
  # get random value for rule creation hack, iptables limits name to 28 characters
  @tmp_chain_prefix = 'tablomat'

  @builtin_chains = { filter: %w[INPUT FORWARD OUTPUT], nat: %w[PREROUTING INPUT OUTPUT POSTROUTING], mangle: %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING] }
  @tables = {}

  @active = true
end

Instance Attribute Details

#active ⇒ Object (readonly)

Returns the value of attribute active.

# File 'lib/tablomat/iptables.rb', line 14

def active
  @active
end

#builtin_chains ⇒ Object (readonly)

Returns the value of attribute builtin_chains.

# File 'lib/tablomat/iptables.rb', line 14

def builtin_chains
  @builtin_chains
end

#iptables_bin ⇒ Object

Returns the value of attribute iptables_bin.

# File 'lib/tablomat/iptables.rb', line 13

def iptables_bin
  @iptables_bin
end

#tmp_chain ⇒ Object (readonly)

Returns the value of attribute tmp_chain.

# File 'lib/tablomat/iptables.rb', line 14

def tmp_chain
  @tmp_chain
end

Instance Method Details

#activate ⇒ Object

# File 'lib/tablomat/iptables.rb', line 141

def activate
  @active = true
  @tables.each do |_name, table|
    table.activate
  end
end

#append(table_name, chain_name, data) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 131

def append(table_name, chain_name, data)
  data = normalize data, table_name
  table(table_name).append(chain_name, data)
end

#deactivate ⇒ Object

# File 'lib/tablomat/iptables.rb', line 148

def deactivate
  @active = false
  tables.each do |_name, table|
    table.deactivate
  end
end

#delete(table_name, chain_name, data) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 136

def delete(table_name, chain_name, data)
  data = normalize data, table_name
  table(table_name).delete(chain_name, data)
end

#exec(cmd) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 26

def exec(cmd)
  Exec.exec(cmd)
end

#exists(table_name, chain_name, data = nil) ⇒ Object

rubocop:disable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 116

def exists(table_name, chain_name, data = nil)
  if data.nil?
    table(table_name).chain_exists(chain_name) && table(table_name).chain(chain_name).active
  else
    data = normalize data, table_name
    table(table_name).chain(chain_name).rules.count { |_k, v| normalize(v.description, table_name) == data && v.active } >= 1
  end
end

#get_active_rules(table = 'nat', chain = 'PREROUTING') ⇒ Object

rubocop:disable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 156

def get_active_rules(table = 'nat', chain = 'PREROUTING')
  rrgx = /(?<key>--?[[:alpha:]-]+) (?<value>[[:alnum:]:\.]+)/.freeze
  switch_map = { '-s' => :source, '--source' => :source,
                 '-d' => :destination, '--destination' => :destination,
                 '--dport' => :dport, '--to-destination' => :to_dest,
                 '-p' => :protocol, '--protocol' => :protocol,
                 '-j' => :jump, '--jump' => :jump,
                 '--match-set' => :match }

  table(table).chain(chain).rules.filter { |_, r| r.active }.map do |_, rule|
    rule.description.to_enum(:scan, rrgx)
        .map { Regexp.last_match }
        .map { |m| [switch_map[m[:key]], m[:value]] }
        .filter { |m| m[0] }.to_h
  end
end

#insert(table_name, chain_name, data, pos) ⇒ Object

rubocop:enable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 126

def insert(table_name, chain_name, data, pos)
  data = normalize data, table_name
  table(table_name).insert(chain_name, data, pos)
end

#normalize(data, table = 'filter') ⇒ Object

converts any given rule to the iptables internal description format by using a temporary table rubocop:disable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 98

def normalize(data, table = 'filter')
  synchronize
  tmp_chain = "#{@tmp_chain_prefix}#{Digest::SHA256.hexdigest Random.rand(1024).to_s}"[0, 28]
  self.table(table).chain(tmp_chain).activate
  self.table(table).append(tmp_chain, data)
  synchronize
  normalized = data
  self.table(table).chain(tmp_chain).rules.select { |_k, r| r.owned == false }.each do |_k, r|
    normalized = r.description
  end
  self.table(table).delete(tmp_chain, data)
  self.table(table).chain(tmp_chain).deactivate
  self.table(table).chain(tmp_chain).apply_delete
  normalized
end

#parse_chain(chain, rules) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 81

def parse_chain(chain, rules)
  rules.each do |rule|
    r = chain.rule(rule, false)
    r.activate true
  end
end

#parse_data(data) ⇒ Object

rubocop:enable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 65

def parse_data(data)
  data.each do |table, chains|
    t = self.table(table, false)
    t.activate true
    parse_table(t, chains)
  end
end

#parse_output(stdout) ⇒ Object

rubocop:disable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 44

def parse_output(stdout)
  stdout = stdout.split("\n").reject { |s| s[0] == '#' }.join("\n")
  data = {}
  stdout.split(/^\*/).reject { |s| s == '' }.each do |ruleset|
    table, rule = ruleset.match(/(.+?)\n(.*)/m).to_a[1..-1]
    data[table] = {}

    raise "Empty ruleset in table #{table}" if table.nil?

    rule.scan(/^:(.+?)\s+/).each do |match|
      data[table][match[0]] = []
    end

    rule.scan(/^-A (.+?) (.+?)\n/).each do |match|
      data[table][match[0]] << match[1]
    end
  end
  parse_data(data)
end

#parse_table(table, chains) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 73

def parse_table(table, chains)
  chains.each do |chain, rules|
    c = table.chain(chain, false)
    c.activate true
    parse_chain(c, rules)
  end
end

#print ⇒ Object

rubocop:enable Metrics/AbcSize

# File 'lib/tablomat/iptables.rb', line 192

def print
  require 'pp'
  pp self
end

#switch_sources(old_src, new_src) ⇒ Object

used to easily switch rules from one src ip to another

# File 'lib/tablomat/iptables.rb', line 174

def switch_sources(old_src, new_src)
  @tables.to_a.each do |_kt, tbl|
    tbl.chains.to_a.each do |_kc, chn|
      next if chn.name.include? 'tablomat'

      chn.rules.to_a.each do |_key, rule|
        next unless rule.description.include? "-s #{old_src}"

        new_data = normalize(rule.description, tbl.name).sub "-s #{old_src}", "-s #{new_src}"
        pos = rule.position + 1
        delete(tbl.name, chn.name, rule.description)
        insert(tbl.name, chn.name, new_data, pos)
      end
    end
  end
end

#synchronize ⇒ Object

# File 'lib/tablomat/iptables.rb', line 30

def synchronize
  # called regularly by normalize
  command = "#{@iptables_bin}-save"
  stdout = `#{command} 2>&1`.strip << "\n"
  if $CHILD_STATUS != 0
    # throw error
    puts "Invalid return value when calling #{command}"
  end
  parse_output stdout
rescue StandardError => e
  puts "[error] #{e}"
end

#table(name, owned = true, &block) ⇒ Object

# File 'lib/tablomat/iptables.rb', line 88

def table(name, owned = true, &block)
  name = name.to_s.downcase
  (@tables[name] || Table.new(self, name, owned)).tap do |table|
    @tables[name] = table
    block&.call(table)
  end
end