Module: Construqt::Flavour::Ubuntu::Firewall

Defined in:
lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb

Defined Under Namespace

Classes: ToFrom


Class Method Details

.create(host, ifname, iface) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 287

# Writes every firewall section configured on +iface+ (raw, nat, forward,
# host — in that order) into the host's iptables result writer.
#
# @param host [Object] not read by this method; kept for the caller's signature
# @param ifname [String] interface name spliced into every generated rule; must be truthy
# @param iface [Object] interface whose +firewalls+ list is walked
# @return [Array, nil, false] the result of iterating +iface.firewalls+, or the
#   falsy +iface.firewalls+ value itself when no firewall is configured
def self.create(host, ifname, iface)
  # NOTE(review): `throw` has no matching `catch` here, so a missing ifname
  # surfaces as UncaughtThrowError rather than a RuntimeError from `raise`;
  # kept as-is so that whatever callers rescue today keeps working.
  throw 'interface must set' unless ifname
  writer = iface.host.result.etc_network_iptables
  firewalls = iface.firewalls
  return firewalls unless firewalls

  firewalls.each do |fw|
    # Every section is optional; only the configured ones are written.
    raw = fw.get_raw
    Firewall.write_raw(raw, ifname, iface, writer.raw) if raw
    nat = fw.get_nat
    Firewall.write_nat(nat, ifname, iface, writer.nat) if nat
    forward = fw.get_forward
    Firewall.write_forward(forward, ifname, iface, writer.filter) if forward
    host_section = fw.get_host
    # forward and host rules share the filter table writer.
    Firewall.write_host(host_section, ifname, iface, writer.filter) if host_section
  end
end

.protocol_loop(rule) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 219

# Lists the `-p` protocol selectors a rule expands into; the caller emits one
# rule variant per entry.
#
# @param rule [Object] responds to +tcp?+ and +udp?+
# @return [Array<String>] `['-p tcp']`, `['-p udp']`, both, or `['']` when the
#   rule names no protocol (the unqualified variant is still generated)
def self.protocol_loop(rule)
  selectors = []
  selectors << '-p tcp' if rule.tcp?
  selectors << '-p udp' if rule.udp?
  # No protocol at all still yields exactly one (empty) selector.
  selectors.empty? ? [''] : selectors
end

.write_forward(forward, ifname, iface, writer) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 231

# Writes a forward section's rules into the FORWARD tables of both address
# families: an optional NFLOG pair first (when the rule carries a log prefix),
# then one row set per protocol selector from +protocol_loop+.
#
# @param forward [Object] rule container; +forward.rules+ is iterated
# @param ifname [String] interface name bound into every matcher and log prefix
# @param iface [Object] interface object handed to ToFrom#bind_interface
# @param writer [Object] exposes +ipv4.forward+ and +ipv6.forward+ tables
# @return [Object] the return value of +forward.rules.each+
def self.write_forward(forward, ifname, iface, writer)
  forward.rules.each do |rule|
    throw "ACTION must set #{ifname}" unless rule.get_action

    log = rule.get_log
    if log
      # Logging rows are emitted ahead of the real rule so a hit is recorded
      # before the action decides; the prefix tags direction and interface.
      logged = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
        .end_to("--nflog-prefix o:#{log}:#{ifname}")
        .end_from("--nflog-prefix i:#{log}:#{ifname}")
      write_table("iptables", rule.clone.action("NFLOG"), logged.factory(writer.ipv4.forward))
      write_table("ip6tables", rule.clone.action("NFLOG"), logged.factory(writer.ipv6.forward))
    end

    ports = rule.get_ports
    # NOTE(review): the selector is written as `-dports`; the iptables long
    # option is `--dports` (under `-m multiport`) — confirm ToFrom or the
    # middle-fragment getters do not supply the missing dash themselves.
    port_selector = ports && !ports.empty? ? "-dports #{ports.join(",")}" : nil

    protocol_loop(rule).each do |proto|
      match = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
      match.push_begin_to(proto)
      match.push_begin_from(proto)

      if port_selector
        match.push_middle_from(port_selector)
        match.push_middle_to(port_selector)
      end

      if rule.connection?
        # Stateful variant: the from side admits NEW,ESTABLISHED, the to side
        # only RELATED,ESTABLISHED.
        match.push_middle_from("-m state --state NEW,ESTABLISHED")
        match.push_middle_to("-m state --state RELATED,ESTABLISHED")
      end

      write_table("iptables", rule, match.factory(writer.ipv4.forward))
      write_table("ip6tables", rule, match.factory(writer.ipv6.forward))
    end
  end
end

.write_host(host, ifname, iface, writer) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 264

# Writes a host section's rules into the INPUT and OUTPUT tables of both
# address families, preceded by an NFLOG pair when the rule carries a log
# prefix.
#
# @param host [Object] rule container; +host.rules+ is iterated
# @param ifname [String] interface name bound into every matcher and log prefix
# @param iface [Object] interface object handed to ToFrom#bind_interface
# @param writer [Object] exposes +ipv4+/+ipv6+, each with +input+ and +output+ tables
# @return [Object] the return value of +host.rules.each+
def self.write_host(host, ifname, iface, writer)
  # Command name and the writer accessor for each address family, in the
  # order the rows are emitted.
  families = [["iptables", :ipv4], ["ip6tables", :ipv6]]

  host.rules.each do |rule|
    inbound = ToFrom.new.bind_interface(ifname, iface, rule).input_only
    outbound = ToFrom.new.bind_interface(ifname, iface, rule).output_only

    log = rule.get_log
    if log
      # NOTE(review): the input matcher receives end_to and the output matcher
      # end_from, while write_table splices get_end_from into input rows and
      # get_end_to into output rows — confirm ToFrom maps these across,
      # otherwise the nflog prefix may not reach the emitted NFLOG rows.
      logged_in = ToFrom.new.bind_interface(ifname, iface, rule).input_only
        .end_to("--nflog-prefix o:#{log}:#{ifname}")
      logged_out = ToFrom.new.bind_interface(ifname, iface, rule).output_only
        .end_from("--nflog-prefix i:#{log}:#{ifname}")
      families.each do |cmd, fam|
        write_table(cmd, rule.clone.action("NFLOG"), logged_in.factory(writer.public_send(fam).input))
        write_table(cmd, rule.clone.action("NFLOG"), logged_out.factory(writer.public_send(fam).output))
      end
    end

    families.each do |cmd, fam|
      write_table(cmd, rule, inbound.factory(writer.public_send(fam).input))
      write_table(cmd, rule, outbound.factory(writer.public_send(fam).output))
    end
  end
end

.write_nat(nat, ifname, iface, writer) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 205

# Writes a nat section's rules as IPv4 source-NAT rows in POSTROUTING.
# Only the `iptables` table is written here; no ip6tables counterpart is
# generated by this method.
#
# @param nat [Object] rule container; +nat.rules+ is iterated
# @param ifname [String] interface name used for the matcher and error text
# @param iface [Object] interface whose first IPv4 address becomes the SNAT source
# @param writer [Object] exposes +ipv4.postrouting+
# @return [Object] the return value of +nat.rules.each+
def self.write_nat(nat, ifname, iface, writer)
  nat.rules.each do |rule|
    throw "ACTION must set #{ifname}" unless rule.get_action
    throw "TO_SOURCE must set #{ifname}" unless rule.to_source?
    # to_source? is already guaranteed by the check above; the re-test is
    # kept so the emitted rows are exactly the same as before.
    next unless rule.to_source? && rule.postrouting?

    # The SNAT source is the interface's first IPv4 address, interpolated
    # through its to_s.
    src = iface.address.ips.find(&:ipv4?)
    throw "missing ipv4 address and postrouting and to_source is used #{ifname}" unless src

    match = ToFrom.new.only_in_out(rule).end_to("--to-source #{src}").ifname(ifname)
    write_table("iptables", rule, match.factory(writer.ipv4.postrouting))
  end
end

.write_raw(raw, ifname, iface, writer) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 186

# Writes a raw section's rules into the PREROUTING and/or OUTPUT tables of
# both address families, depending on which chain(s) the rule selects.
#
# @param raw [Object] rule container; +raw.rules+ is iterated
# @param ifname [String] interface name bound into every matcher
# @param iface [Object] interface object handed to ToFrom#bind_interface
# @param writer [Object] exposes +ipv4+/+ipv6+, each with +prerouting+ and +output+ tables
# @return [Object] the return value of +raw.rules.each+
def self.write_raw(raw, ifname, iface, writer)
  raw.rules.each do |rule|
    throw "ACTION must set #{ifname}" unless rule.get_action

    # A fresh interface-bound matcher per chain; a rule may select both.
    emit = lambda do |chain|
      match = ToFrom.new.bind_interface(ifname, iface, rule).only_in_out(rule)
      write_table("iptables", rule, match.factory(writer.ipv4.public_send(chain)))
      write_table("ip6tables", rule, match.factory(writer.ipv6.public_send(chain)))
    end

    emit.call(:prerouting) if rule.prerouting?
    emit.call(:output) if rule.output?
  end
end

.write_table(iptables, rule, to_from) ⇒ Object



# File 'lib/construqt/flavour/ubuntu/flavour_ubuntu_firewall.rb', line 128

# Renders one rule into rows on the table bound in +to_from+, expanding the
# rule's source and destination networks into concrete -s/-d matches.
#
# @param iptables [String] "iptables" or "ip6tables"; selects the address family
# @param rule [Object] the rule being rendered (action, from/to nets, from_interface?)
# @param to_from [ToFrom] matcher carrying the interface names and the
#   begin/middle/end fragments spliced into every row
# @return [Object] the return value of the final +from_list.each+
#
# Every fragment (interface names, action, log prefixes, middle matches) is
# interpolated into the row unquoted; a value containing whitespace would be
# read by iptables as additional arguments — presumably validated upstream,
# confirm.
def self.write_table(iptables, rule, to_from)
  family = iptables=="ip6tables" ? Construqt::Addresses::IPV6 : Construqt::Addresses::IPV4
  if rule.from_interface?
    #binding.pry
    # Source side is the bound interface's own addresses of this family,
    # collapsed into the smallest set of networks.
    # NOTE(review): the ip6tables branch also goes through
    # IPAddress::IPv4::summarize — confirm it accepts the v6 address strings.
    from_list = IPAddress::IPv4::summarize(
      *(iptables=="ip6tables" ? to_from.get_interface.address.v6s : to_from.get_interface.address.v4s).map do |adr|
        adr.to_string
      end)
  else
    from_list = Construqt::Tags.ips_net(rule.get_from_net, family)
  end

  to_list = Construqt::Tags.ips_net(rule.get_to_net, family)
  #puts ">>>>>#{from_list.inspect}"
  #puts ">>>>>#{state.inspect} end_to:#{state.end_to}:#{state.end_from}:#{state.middle_to}#{state.middle_from}"
  # Jump targets default to the rule's action; they are replaced below when
  # the destination list fans out into a per-rule helper chain.
  action_i = action_o = rule.get_action
  if to_list.empty? && from_list.empty?
    #puts "write_table=>o:#{to_from.output_only?}:#{to_from.output_ifname} i:#{to_from.input_only?}:#{to_from.input_ifname}"
    # No address constraint at all: one interface-only row per direction.
    # Output rows carry the begin_from/middle_to/end_to fragments, input rows
    # the begin_to/middle_from/end_from ones.
    if to_from.output_only?
      to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from}#{to_from.get_middle_to} -j #{rule.get_action}#{to_from.get_end_to}")
    end

    if to_from.input_only?
      to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_from.get_middle_from} -j #{rule.get_action}#{to_from.get_end_from}")
    end
  end

  if to_list.length > 1
    # Several destinations: the per-source rows below jump into a helper
    # chain that holds one -d (output) / -s (input) row per destination.
    # NOTE(review): the chain name is derived from rule.object_id, which
    # differs from run to run, so the rendered ruleset is not reproducible
    # across runs. The "I." prefix lands on action_o and "O." on action_i —
    # confirm that is the intended naming.
    action_o = "I.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
    action_i = "O.#{to_from.get_ifname}.#{rule.object_id.to_s(32)}"
    to_list.each do |ip|
      if to_from.output_only?
        to_from.factory!.table(action_o).row("#{to_from.output_ifname} -d #{ip.to_string} -j #{rule.get_action}")
      end

      if to_from.input_only?
        to_from.factory!.table(action_i).row("#{to_from.input_ifname} -s #{ip.to_string} -j #{rule.get_action}")
      end
    end

  elsif to_list.length == 1
    # Single destination: matched inline on the per-source rows.
    from_dst = " -d #{to_list.first.to_string}"
    to_src = " -s #{to_list.first.to_string}"
  else
    from_dst = to_src =""
  end
  # In the multi-destination branch from_dst/to_src are never assigned; Ruby
  # leaves them nil, which interpolates as "" in the rows below.

  # One row per source network. With an empty from_list nothing is emitted
  # here, so a rule that names destinations but (if ips_net yields an empty
  # list for an unset from_net) no sources produces no jump row at all — the
  # helper chain above would then be left unreferenced. Worth confirming
  # against the caller's expectations.
  from_list.each do |ip|
    if to_from.output_only?
      to_from.factory!.row("#{to_from.output_ifname}#{to_from.get_begin_from} -s #{ip.to_string}#{from_dst}#{to_from.get_middle_from} -j #{action_o}#{to_from.get_end_to}")
    end

    if to_from.input_only?
      to_from.factory!.row("#{to_from.input_ifname}#{to_from.get_begin_to}#{to_src} -d #{ip.to_string}#{to_from.get_middle_to} -j #{action_i}#{to_from.get_end_from}")
    end
  end
end