Class: IPAccess::Socket

Inherits:
Socket
  • Object
Includes:
Patches::Socket
Defined in:
lib/ipaccess/ghost_doc/ghost_doc_sockets.rb,
lib/ipaccess/socket.rb

Overview

Socket class with IP access control. It uses input and output access lists; the default list for the methods that deal with rules is the output list.

This class behaves the same way as the Socket class but provides a special member called acl and a few new instance methods for controlling IP access.

This documentation doesn't describe all class and instance methods of the original Socket class, just the patched variants that make use of IP access control.

Example

require 'socket'                                        # load native sockets
require 'ipaccess/socket'                               # load sockets subsystem and IPAccess.arm method
include Socket::Constants

IPAccess::Set::Global.input.blacklist :localhost        # add localhost to global access set
                                                        # as a black rule of input list
socket = IPAccess::Socket.new(AF_INET, SOCK_STREAM, 0)  # create TCP socket
sockaddr = Socket.sockaddr_in(31337, '127.0.0.1')       # create sockaddr_in structure
socket.bind(sockaddr)                                   # bind to port 31337 and IP 127.0.0.1
socket.listen(5)                                        # listen on socket
begin
  c_socket, c_sockaddr = socket.accept_nonblock         # call non-blocking accept for connections
rescue Errno::EAGAIN, Errno::ECONNABORTED,
       Errno::EPROTO, Errno::EINTR
  IO.select([socket])                                   # retry on retriable errors
  retry
rescue IPAccessDenied                                   # when access is denied
  c_socket.close if c_socket && !c_socket.closed?       # close client socket if one was handed back
  socket.close                                          # close listener
  raise                                                 # re-raise exception
end
c_socket.puts "Hello world!"                            # otherwise continue
c_socket.close
socket.close

Instance Attribute Summary

Attributes included from Patches::ACL

#opened_on_deny

Instance Method Summary

Methods included from Patches::ACL

#__ipa_wrap_socket_call, #blacklist_reasonable, #blacklist_reasonable!, #close_on_deny, #close_on_deny=, #default_list, #terminate, #valid_acl?, #whitelist_reasonable, #whitelist_reasonable!

Instance Attribute Details

#acl ⇒ Object

This member keeps the information about the currently used access set. You may use it to do low-level operations on the IPAccess::Set object associated with the instance. You cannot, however, call any global access set operations through it; to do that use the IPAccess::Set.Global constant, which references the global ACL.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 291

def acl
  @acl
end

Instance Method Details

#acl_recheck ⇒ Object

This method allows you to re-check access on demand. It uses the socket's internal address and the access set assigned to the object. In case of denied access it will close your communication session before raising an exception; you can prevent that by setting the flag opened_on_deny to true. The flag can be set while initializing the object (through the argument :opened_on_deny) or by setting the attribute.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 302

def acl_recheck
  # Real code hidden.
end

#blacklist(*addresses) ⇒ Object #blacklist(list, *addresses) ⇒ Object Also known as: add_black, deny, block

This method blacklists IP address(-es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted it operates on the default access list that the given kind of network object uses. The allowed format of an address is the same as for IPAccess.to_cidrs. This method will not add nor remove any whitelisted item.

Restrictions

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use blacklist! instead.

Return value

It will return the result of calling IPAccess::List#blacklist on the list.

Revalidation

After modifying the access set the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 161

def blacklist(*addresses); end

#blacklist!(*addresses) ⇒ Object #blacklist!(list, *addresses) ⇒ Object Also known as: add_black!, deny!, block!

This method works the same way as blacklist but it will allow you to modify the list even if the global access set is used by the object.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 123

def blacklist!(*addresses); end

#unblacklist(*addresses) ⇒ Object #unblacklist(list, *addresses) ⇒ Object Also known as: unblock, del_black

This method removes blacklisted IP address(-es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted it operates on the default access list that the given kind of network object uses. The allowed format of an address is the same as for IPAccess.to_cidrs. This method will not add nor remove any whitelisted item.

Restrictions

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use unblacklist! instead.

Return value

It will return the result of calling IPAccess::List#unblacklist on the list.

Revalidation

After modifying the access set the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 255

def unblacklist(*addresses); end

#unblacklist!(*addresses) ⇒ Object #unblacklist!(list, *addresses) ⇒ Object Also known as: unblock!, del_black!

This method works the same way as unblacklist but it will allow you to modify the list even if the global access set is used by the object.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 217

def unblacklist!(*addresses); end

#unwhitelist(*addresses) ⇒ Object #unwhitelist(list, *addresses) ⇒ Object Also known as: del_white

This method removes whitelisted IP address(-es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted it operates on the default access list that the given kind of network object uses. The allowed format of an address is the same as for IPAccess.to_cidrs. This method will not add nor remove any blacklisted item.

Restrictions

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use unwhitelist! instead.

Return value

It will return the result of calling IPAccess::List#unwhitelist on the list.

Revalidation

After modifying the access set the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 208

def unwhitelist(*addresses); end

#unwhitelist!(*addresses) ⇒ Object #unwhitelist!(list, *addresses) ⇒ Object Also known as: del_white!

This method works the same way as unwhitelist but it will allow you to modify the list even if the global access set is used by the object.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 170

def unwhitelist!(*addresses); end

#whitelist(*addresses) ⇒ Object #whitelist(list, *addresses) ⇒ Object

This method whitelists IP address(-es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted it operates on the default access list that the given kind of network object uses. The allowed format of an address is the same as for IPAccess.to_cidrs. This method will not add nor remove any blacklisted item.

Restrictions

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use whitelist! instead.

Return value

It will return the result of calling IPAccess::List#whitelist on the list.

Revalidation

After modifying the access set the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.


# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 114

def whitelist(*addresses); end
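The list-selector, revalidation and no-DNS semantics described in the blacklist, unblacklist, unwhitelist and whitelist sections above, modelled in stdlib-only Ruby as an added example; this is not the ipaccess gem's code. AccessSetModel, AccessDenied and recheck! are hypothetical names, and treating whitelist rules as exceptions to blacklist rules is the model's assumption, not something this page states.

```ruby
require 'ipaddr'

class AccessDenied < StandardError; end

# Added model of the access-set semantics documented above (not the gem's code).
# Assumption: a white rule covering an address exempts it from black rules.
class AccessSetModel
  DEFAULT_LIST = :output   # the page: methods dealing with rules default to the output list

  def initialize
    @lists = { input: { black: [], white: [] }, output: { black: [], white: [] } }
  end

  # blacklist(*addresses) or blacklist(list, *addresses): an optional leading
  # :input / :output selector, then CIDR strings. Black ops never touch white rules.
  def blacklist(*args);   change(:black, :add, args);    end
  def whitelist(*args);   change(:white, :add, args);    end
  def unblacklist(*args); change(:black, :remove, args); end
  def unwhitelist(*args); change(:white, :remove, args); end

  # Denied when some black rule covers the address and no white rule does.
  def denied?(addr, list = DEFAULT_LIST)
    ip    = IPAddr.new(addr)
    rules = @lists.fetch(list)
    rules[:black].any? { |r| r.include?(ip) } && rules[:white].none? { |r| r.include?(ip) }
  end

  # Revalidation after a rule change: an already-connected peer is checked again and
  # the session is torn down before raising, unless opened_on_deny is set.
  def recheck!(peer_addr, list: :input, opened_on_deny: false, &close_session)
    return true unless denied?(peer_addr, list)
    close_session.call if close_session && !opened_on_deny
    raise AccessDenied, "#{peer_addr} denied by #{list} list"
  end

  private
  def change(color, op, args)
    list  = args.first.is_a?(Symbol) ? args.shift : DEFAULT_LIST
    cidrs = args.map { |a| IPAddr.new(a) }   # IPAddr rejects hostnames: no DNS lookups here
    rules = @lists.fetch(list)[color]        # only this colour changes; the other is untouched
    if op == :add
      rules.concat(cidrs).uniq!
    else
      rules.reject! { |r| cidrs.any? { |c| c.eql?(r) } }
    end
    rules
  end
end
```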

#whitelist!(*addresses) ⇒ Object #whitelist!(list, *addresses) ⇒ Object

This method works the same way as whitelist but it will allow you to modify the list even if the global access set is used by the object.

# File 'lib/ipaccess/ghost_doc/ghost_doc_sockets.rb', line 77

def whitelist!(*addresses); end