Class: Mt::Wall::DSL::ChainBuilder

Inherits:
Object
Defined in:
lib/mt/wall/dsl/chain_builder.rb

Overview

Block context for a single firewall chain inside a `device` block (Layer B — the box's own firewall). Opened by `input`/`output`/`forward`. Each verb appends a Model::FilterRule for this chain.

forward do
  allow_established              # helper
  drop_invalid                   # helper
  accept protocol: :icmp         # native core
  accept protocol: :tcp, dst_port: 22, src: "admin"
end

Two layers of verbs (per the “core + helpers” design):

* CORE — accept / drop / reject — one rule with native match keywords:
    state:, protocol:, dst_port:, src_port:, in_interface:,
    out_interface:, in_interface_list:, out_interface_list:, src:, dst:,
    family:, comment:, and the rule-level flags log:, log_prefix:,
    disabled: (see below).
  `in_interface_list:` / `out_interface_list:` REFERENCE an existing
  RouterOS `/interface/list` (WAN/LAN, defined by the operator on the
  box) — mt-wall does not manage `/interface/list` itself in v1.
  `log:`/`log_prefix:` enable RouterOS logging; `disabled:` keeps the
  rule in git but inactive. These are rule ATTRIBUTES, not match
  conditions, so they are excluded from the identity tag (toggling them
  is an in-place :update, never delete+create).
  `src:` / `dst:` reference a Layer-A host/group by name (compiled to
  src-/dst-address-list); referencing an unknown name is a fail-fast
  error at compile time.
  `family:` (:ip4 | :ip6) scopes the rule to ONE address family;
  omitted, the rule applies to BOTH (emitted into the v4 AND the v6
  filter tables). Use it for family-specific rules (e.g. ICMPv6).
* HELPERS — sugar that expands to one or more core rules for the
  common baseline (allow_established, drop_invalid, ...).

VALIDATION (fail-fast at the DSL boundary): ports are 1..65535 (ranges allowed); `protocol:` is checked against an allowlist; interface and host/group names match `A+z`. This neutralizes .rsc / JSON injection through match values.
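As an added example (not mt-wall's own code), a stand-alone Ruby sketch of the fail-fast validation and of the identity-tag rule described above. The protocol allowlist, the name pattern and the treatment of `comment:` as a rule attribute are assumptions, since the page does not print them.

```ruby
# Assumptions (not printed on the page): the protocol allowlist, the name
# pattern, and which keywords count as match keys vs. rule attributes.
PROTOCOLS  = %i[tcp udp icmp icmpv6].freeze
NAME_RE    = /\A[A-Za-z0-9_.-]+\z/
MATCH_KEYS = %i[state protocol dst_port src_port in_interface out_interface
                in_interface_list out_interface_list src dst family].freeze
ATTR_KEYS  = %i[log log_prefix disabled comment].freeze   # comment: assumed to be an attribute

class ValidationError < StandardError; end

# A port is an Integer in 1..65535 or a "low-high" string with both ends in range.
def validate_port!(key, value)
  case value
  when Integer
    raise ValidationError, "#{key}: #{value} outside 1..65535" unless (1..65535).cover?(value)
  when /\A(\d+)-(\d+)\z/
    lo, hi = Regexp.last_match(1).to_i, Regexp.last_match(2).to_i
    raise ValidationError, "#{key}: bad range #{value}" unless lo >= 1 && hi <= 65535 && lo <= hi
  else
    raise ValidationError, "#{key}: #{value.inspect} is not a port or port range"
  end
end

# Fail fast on any value that could smuggle .rsc / JSON syntax into the compiled rule.
def validate_match!(match)
  match.each do |key, value|
    case key
    when :dst_port, :src_port then validate_port!(key, value)
    when :protocol
      raise ValidationError, "protocol #{value.inspect} not allowlisted" unless PROTOCOLS.include?(value)
    when :in_interface, :out_interface, :in_interface_list, :out_interface_list, :src, :dst
      raise ValidationError, "#{key}: #{value.inspect} is not a plain name" unless value.to_s.match?(NAME_RE)
    when :family
      raise ValidationError, "family must be :ip4 or :ip6" unless %i[ip4 ip6].include?(value)
    when *MATCH_KEYS, *ATTR_KEYS then nil   # :state, :comment, :log, ... pass through here
    else raise ValidationError, "unknown keyword #{key.inspect}"
    end
  end
  match
end

# Identity tag = action + match keys only, so toggling log:/log_prefix:/disabled:
# leaves the tag unchanged (an in-place update rather than delete+create).
def identity_tag(action, match)
  "#{action}:#{match.select { |k, _| MATCH_KEYS.include?(k) }.sort.to_h}"
end
```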

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(chain) ⇒ ChainBuilder

Returns a new instance of ChainBuilder.

Parameters:

  • chain (Symbol)

    :input, :output or :forward



# File 'lib/mt/wall/dsl/chain_builder.rb', line 45

def initialize(chain)
  @chain = chain
  @rules = []
end

Instance Attribute Details

#rules ⇒ Array<Model::FilterRule> (readonly)

The Model::FilterRule list collected for this chain.

Returns:

  • (Array<Model::FilterRule>)

# File 'lib/mt/wall/dsl/chain_builder.rb', line 83

def rules
  @rules
end

Instance Method Details

#accept(**match) ⇒ void

This method returns an undefined value.



# File 'lib/mt/wall/dsl/chain_builder.rb', line 53

def accept(**match)
  append(:accept, match)
end

#allow_established ⇒ void

This method returns an undefined value.

accept state: [:established, :related]



# File 'lib/mt/wall/dsl/chain_builder.rb', line 71

def allow_established
  accept(state: %i[established related])
end

#drop(**match) ⇒ void

This method returns an undefined value.



# File 'lib/mt/wall/dsl/chain_builder.rb', line 58

def drop(**match)
  append(:drop, match)
end

#drop_invalid ⇒ void

This method returns an undefined value.

drop state: :invalid



# File 'lib/mt/wall/dsl/chain_builder.rb', line 77

def drop_invalid
  drop(state: :invalid)
end

#reject(**match) ⇒ void

This method returns an undefined value.



# File 'lib/mt/wall/dsl/chain_builder.rb', line 63

def reject(**match)
  append(:reject, match)
end