Class: Mt::Wall::Model::FilterRule

Inherits:
Data
  • Object
Defined in:
lib/mt/wall/model/filter_rule.rb

Overview

A device-local firewall rule on one chain (Layer B — the box’s own firewall). Unlike Model::Rule (the abstract, device-agnostic access grant), a FilterRule maps almost directly to a single RouterOS `/ip/firewall/filter` (or `/ipv6/firewall/filter`) rule: a chain, an action, and native match conditions.

`match` is a normalized Hash of conditions. Supported keys:

:state         [Array<Symbol>] connection states (:established,
                               :related, :invalid, :new, :untracked)
:protocol      [Symbol]        :tcp, :udp, :icmp, ...
:dst_port      [Integer, Array, Range]
:src_port      [Integer, Array, Range]
:in_interface  [String]
:out_interface [String]
:in_interface_list  [String]   RouterOS /interface/list name (referenced)
:out_interface_list [String]   RouterOS /interface/list name (referenced)
:src           [String]        host/group name -> src-address-list
:dst           [String]        host/group name -> dst-address-list

DUAL-STACK: `family` scopes the rule to one address family. `nil` (the default) means BOTH — the Compiler emits the rule into the v4 filter table AND the v6 filter table. `:ip4` / `:ip6` restrict it to a single family (e.g. an ICMPv6-only rule). The optional `family:` keyword on the `accept`/`drop`/`reject` ChainBuilder verbs sets this.

RULE IDENTITY: mt-wall owns the ENTIRE filter table, so apply REPLACES it wholesale. To survive that, every emitted rule carries a deterministic identity tag `mt-wall:<stable-hash>` in its RouterOS `comment` field. The hash is CONTENT-ONLY — chain + normalized match + action + src/dst list references — and EXCLUDES position/order. Diff/Plan match desired vs. current by this tag, NOT by the opaque/unstable device-assigned `.id`. Ordering is a separate Plan concern (the :move op + Operation#position), so a pure reorder neither changes the tag nor churns as delete+create. The `comment` attribute here is the OPERATOR’s human-readable note; the Compiler merges it with the machine tag when rendering the device `comment` (e.g. `"mt-wall:ab12cd34 | allow ssh from admin"`).

RULE-LEVEL ATTRIBUTES (NOT match conditions): `log` / `log_prefix` and `disabled` configure HOW a rule behaves, not WHICH packets it matches. They are EXCLUDED from the content-only identity tag (see Compiler), so toggling them on an otherwise unchanged rule yields a stable identity and an in-place :update — never a delete+create churn. They compile to the RouterOS `log` / `log-prefix` / `disabled` row fields.
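The three properties described above (a normalized `match` Hash, a content-only identity tag that ignores position and the rule-level `log`/`log_prefix`/`disabled` flags, and `family` scoping to one or both filter tables) can be exercised together. The following is an added example, not code from the mt-wall project: it reuses the `Data.define` from this page, but `canonical_match`, `identity_tag`, `device_comment`, `target_tables`, `plan_op` and the `CHAINS`/`ACTIONS`/`MATCH_KEYS` constants are assumptions standing in for the real Compiler and Diff/Plan logic, whose actual normalization and hash construction are not shown on this page.

```ruby
require "digest"

# The record type as defined on this page (Ruby >= 3.2 Data).
FilterRule = Data.define(:chain, :action, :match, :family, :comment,
                         :log, :log_prefix, :disabled) do
  def initialize(chain:, action:, match: {}, family: nil, comment: nil,
                 log: false, log_prefix: nil, disabled: false)
    super
  end
end

CHAINS     = %i[input output forward].freeze
ACTIONS    = %i[accept drop reject].freeze
MATCH_KEYS = %i[state protocol dst_port src_port in_interface out_interface
                in_interface_list out_interface_list src dst].freeze

# Assumed normalizer (not the project's): one canonical string per match Hash,
# independent of key order and of the order inside Array values, so that two
# rules that match the same packets always hash identically.
def canonical_match(match)
  unknown = match.keys - MATCH_KEYS
  raise ArgumentError, "unknown match keys: #{unknown.inspect}" unless unknown.empty?

  match.sort_by { |key, _| key.to_s }.map do |key, value|
    rendered = case value
               when Array then value.map(&:to_s).sort.join(",")
               when Range then "#{value.begin}-#{value.end}"
               else value.to_s
               end
    "#{key}=#{rendered}"
  end.join(";")
end

# Assumed content-only identity: chain + action + canonical match (which carries
# the src/dst list references). Position, comment, log, log_prefix and disabled
# are deliberately left out, as the page describes. 8 hex chars is an assumption.
def identity_tag(rule)
  raise ArgumentError, "bad chain #{rule.chain.inspect}"   unless CHAINS.include?(rule.chain)
  raise ArgumentError, "bad action #{rule.action.inspect}" unless ACTIONS.include?(rule.action)

  content = [rule.chain, rule.action, canonical_match(rule.match)].join("|")
  "mt-wall:#{Digest::SHA256.hexdigest(content)[0, 8]}"
end

# Machine tag merged with the operator's note, in the page's "tag | note" shape.
def device_comment(rule)
  rule.comment ? "#{identity_tag(rule)} | #{rule.comment}" : identity_tag(rule)
end

# Dual-stack scoping: nil means both tables, :ip4 / :ip6 exactly one of them.
def target_tables(rule)
  case rule.family
  when nil  then ["/ip/firewall/filter", "/ipv6/firewall/filter"]
  when :ip4 then ["/ip/firewall/filter"]
  when :ip6 then ["/ipv6/firewall/filter"]
  else raise ArgumentError, "family must be :ip4, :ip6 or nil"
  end
end

# Classify a current-vs-desired pair by identity, the way the page says Diff/Plan does:
# same tag => in-place :update (or :noop), different tag => delete + create (:replace).
def plan_op(current, desired)
  return :replace unless identity_tag(current) == identity_tag(desired)
  current == desired ? :noop : :update
end

if __FILE__ == $PROGRAM_NAME
  ssh = FilterRule.new(chain: :input, action: :accept,
                       match: { protocol: :tcp, dst_port: 22, src: "admin" },
                       comment: "allow ssh from admin")
  puts device_comment(ssh)
  puts plan_op(ssh, ssh.with(log: true, log_prefix: "ssh"))                             # :update
  puts plan_op(ssh, ssh.with(match: { protocol: :tcp, dst_port: 2222, src: "admin" }))  # :replace
end
```

The point to check in a real Compiler is the same one this toy version makes visible: anything that influences which packets a rule matches must feed the hash, and anything that only changes how the rule behaves or where it sits must not, otherwise a harmless `log: true` toggle on a drop rule surfaces as a delete-then-create and briefly opens the hole the rule was closing.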

Constructor Details

#initialize(chain:, action:, match: {}, family: nil, comment: nil, log: false, log_prefix: nil, disabled: false) ⇒ FilterRule

Returns a new instance of FilterRule.



# File 'lib/mt/wall/model/filter_rule.rb', line 59

def initialize(chain:, action:, match: {}, family: nil, comment: nil,
               log: false, log_prefix: nil, disabled: false)
  super
end

Instance Attribute Details

#action ⇒ Object (readonly)

Returns the value of attribute action

Returns:

  • (Object)

    the current value of action



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def action
  @action
end

#chain ⇒ Object (readonly)

Returns the value of attribute chain

Returns:

  • (Object)

    the current value of chain



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def chain
  @chain
end

#comment ⇒ Object (readonly)

Returns the value of attribute comment

Returns:

  • (Object)

    the current value of comment



# File 'lib/mt/wall/model/filter_rule.rb', line 58

FilterRule = Data.define(:chain, :action, :match, :family, :comment, :log, :log_prefix, :disabled) do
  def initialize(chain:, action:, match: {}, family: nil, comment: nil,
                 log: false, log_prefix: nil, disabled: false)
    super
  end
end

#disabled ⇒ Object (readonly)

Returns the value of attribute disabled

Returns:

  • (Object)

    the current value of disabled



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def disabled
  @disabled
end

#family ⇒ Object (readonly)

Returns the value of attribute family

Returns:

  • (Object)

    the current value of family



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def family
  @family
end

#log ⇒ Object (readonly)

Returns the value of attribute log

Returns:

  • (Object)

    the current value of log



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def log
  @log
end

#log_prefix ⇒ Object (readonly)

Returns the value of attribute log_prefix

Returns:

  • (Object)

    the current value of log_prefix




#match ⇒ Object (readonly)

Returns the value of attribute match

Returns:

  • (Object)

    the current value of match



# File 'lib/mt/wall/model/filter_rule.rb', line 58

def match
  @match
end

Instance Method Details

#action=(value) ⇒ Object (readonly)

:accept, :drop or :reject




#chain=(value) ⇒ Object (readonly)

:input, :output or :forward




#disabled=(value) ⇒ Object (readonly)

keep the rule but inactive (disabled=yes)




#family=(value) ⇒ Object (readonly)

:ip4, :ip6 or nil (both families)




#log=(value) ⇒ Object (readonly)

log matched packets (RouterOS log=yes)




#match=(value) ⇒ Object (readonly)

native match conditions (see above)


