Class: Puffy::Formatters::Iptables::Rule

Inherits:
Base::Rule
  • Object
Defined in:
lib/puffy/formatters/iptables.rb

Overview

Iptables implementation of a Puffy Rule formatter.


Instance Method Details

#emit_ct_rule(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 158

# Builds the PREROUTING rule that attaches a conntrack helper to traffic
# matching the rule's interface, protocol and ports.
#
# @param rule [Puffy::Rule] rule whose destination port selects the helper
# @return [String] a single iptables rule line
def emit_ct_rule(rule)
  # NOTE(review): presumably `known_conntrack_helpers` is a Hash keyed by
  # port; an unknown port would yield "--helper " with no name — verify.
  helper_match = "--helper #{Ruleset.known_conntrack_helpers[rule.to_port]}"
  pp_rule([
    '-A PREROUTING',
    emit_if(rule),
    emit_proto(rule),
    emit_src_port(rule),
    emit_dst_port(rule),
    '-j CT',
    helper_match
  ])
end

#emit_dnat(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 275

# Emits the DNAT target for a redirect to a non-loopback host.
#
# @param rule [Puffy::Rule] rule carrying rdr_to_host / rdr_to_port
# @return [String] "-j DNAT --to-destination HOST" with ":PORT" appended
#   only when the redirect changes the destination port
def emit_dnat(rule)
  target = "-j DNAT --to-destination #{rule.rdr_to_host}"
  port = rule.rdr_to_port
  # No port suffix when none was given or it equals the matched port.
  return target unless port && port != rule.to_port

  "#{target}:#{port}"
end

#emit_dst(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 243

# Destination match tokens: host part followed by port part.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] possibly empty list of iptables tokens
def emit_dst(rule)
  [*emit_dst_host(rule), *emit_dst_port(rule)]
end

#emit_dst_host(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 247

# "-d ADDRESS" tokens for the rule's destination host, if any.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] ['-d', address] or [] when no host is set
def emit_dst_host(rule)
  host = rule.to_host
  return [] unless host

  ['-d', emit_address(host)]
end

#emit_dst_port(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 255

# "--dport PORT" tokens for the rule's destination port, if any.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] ['--dport', port] or [] when no port is set
def emit_dst_port(rule)
  port = rule.to_port
  return [] unless port

  ['--dport', emit_port(port)]
end

#emit_filter_rule(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 183

# Builds a filter-table rule (INPUT/OUTPUT/FORWARD) from the rule's
# direction, interface, protocol, endpoints and action.
#
# @param rule [Puffy::Rule]
# @return [String] a single iptables rule line
def emit_filter_rule(rule)
  chain_for = { in: 'INPUT', out: 'OUTPUT', fwd: 'FORWARD' }.freeze
  tokens = ["-A #{chain_for[rule.dir]}"]
  # Stateful protocols only match on the first packet of a connection;
  # established traffic is expected to be handled elsewhere.
  tokens << '-m conntrack --ctstate NEW' if %i[tcp udp].include?(rule.proto)
  # NOTE(review): rule fields are interpolated verbatim into the command
  # line; this relies on the parser having validated them — confirm.
  tokens.push(
    emit_if(rule),
    emit_proto(rule),
    emit_src(rule),
    emit_dst(rule),
    emit_jump(rule)
  )
  pp_rule(tokens)
end

#emit_if(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 195

# Interface tokens: an `on` clause takes precedence over explicit
# `in`/`out` interfaces.
#
# @param rule [Puffy::Rule]
# @return [Array<String>, nil] tokens from emit_on or emit_in_out
def emit_if(rule)
  rule.on ? emit_on(rule) : emit_in_out(rule)
end

#emit_in_out(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 212

# "-i IFACE" / "-o IFACE" tokens for explicitly named interfaces.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] zero, one or two tokens, -i first
def emit_in_out(rule)
  # NOTE(review): interface names are interpolated as given; presumably
  # validated by the parser — confirm.
  [['-i', rule.in], ['-o', rule.out]].each_with_object([]) do |(flag, iface), tokens|
    tokens << "#{flag} #{iface}" if iface
  end
end

#emit_jump(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 281

# Jump target for the rule's action.
#
# @param rule [Puffy::Rule]
# @return [String] "-j ACTION" as resolved by Iptables.iptables_action
def emit_jump(rule)
  action = Puffy::Formatters::Iptables.iptables_action(rule)
  "-j #{action}"
end

#emit_on(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 203

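# Interface tokens for an `on` clause, honouring a leading "!" negation.
#
# @param rule [Puffy::Rule] rule whose `on` names the interface and whose
#   `dir` (:in/:out) picks the -i/-o flag
# @return [Array<String>, nil] e.g. ['!', '-i', 'eth0'], or nil when the
#   rule has no `on` clause
def emit_on(rule)
  on_direction_flag = { in: '-i', out: '-o' }

  # Without an `on` clause there is nothing to match. The previous guard
  # (`rule.on || rule.dir`) let a nil `on` through to the regexp match,
  # which returned nil and raised NoMethodError on `matches[1]`.
  return unless rule.on

  # A leading "!" is split off so it becomes its own token ahead of the
  # flag, matching iptables' negation syntax.
  matches = /(!)?(.*)/.match(rule.on)
  # For a dir other than :in/:out the flag is nil and compacted away,
  # leaving the bare interface name as before. NOTE(review): presumably
  # the parser always sets dir for `on` rules — confirm rather than relying
  # on iptables rejecting the bare token.
  [matches[1], on_direction_flag[rule.dir], matches[2]].compact
end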

#emit_postrouting_rule(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 169

# Builds the POSTROUTING masquerade rule for a nat rule.
#
# @param rule [Puffy::Rule] rule whose `on` names the outgoing interface
# @return [String] a single iptables rule line
def emit_postrouting_rule(rule)
  # NOTE(review): `on` is interpolated as-is; a nil `on` would emit "-o "
  # with no interface. Presumably nat rules always carry `on` — confirm.
  out_iface = rule.on
  "-A POSTROUTING -o #{out_iface} -j MASQUERADE"
end

#emit_prerouting_rule(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 173

# Builds the PREROUTING rule for a rdr rule: match on interface, protocol
# and endpoints, then REDIRECT or DNAT depending on the target host.
#
# @param rule [Puffy::Rule]
# @return [String] a single iptables rule line
def emit_prerouting_rule(rule)
  tokens = [
    '-A PREROUTING',
    emit_on(rule),
    emit_proto(rule),
    emit_src(rule),
    emit_dst(rule),
    emit_redirect_or_dnat(rule)
  ]
  pp_rule(tokens)
end

#emit_proto(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 219

# "-p PROTO" token for the rule's protocol.
#
# @param rule [Puffy::Rule]
# @return [String, nil] nil when the rule has no protocol
def emit_proto(rule)
  return unless rule.proto

  "-p #{rule.proto}"
end

#emit_redirect(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 271

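# Emits the REDIRECT target for a redirect to a loopback address.
#
# @param rule [Puffy::Rule] rule carrying rdr_to_port
# @return [String] "-j REDIRECT", with " --to-port PORT" appended only
#   when a redirect port is set
def emit_redirect(rule)
  res = '-j REDIRECT'
  # Consistent with emit_dnat, which omits the port when rdr_to_port is
  # nil; previously this emitted "--to-port " with an empty argument.
  res += " --to-port #{rule.rdr_to_port}" if rule.rdr_to_port
  res
end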

#emit_redirect_or_dnat(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 263

# Chooses REDIRECT for loopback targets and DNAT for everything else.
#
# @param rule [Puffy::Rule]
# @return [String] the jump target tokens
def emit_redirect_or_dnat(rule)
  loopback = Puffy::Formatters::Base.loopback_addresses
  return emit_redirect(rule) if loopback.include?(rule.rdr_to_host)

  emit_dnat(rule)
end

#emit_rule(rule) ⇒ Object

Returns an Iptables String representation of the provided Puffy::Rule.



# File 'lib/puffy/formatters/iptables.rb', line 148

# Dispatches a rule to the nat, rdr or filter emitter.
#
# @param rule [Puffy::Rule]
# @return [String] a single iptables rule line
def emit_rule(rule)
  return emit_postrouting_rule(rule) if rule.nat?
  return emit_prerouting_rule(rule) if rule.rdr?

  emit_filter_rule(rule)
end

#emit_src(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 223

# Source match tokens: host part followed by port part.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] possibly empty list of iptables tokens
def emit_src(rule)
  [*emit_src_host(rule), *emit_src_port(rule)]
end

#emit_src_host(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 227

# "-s ADDRESS" tokens for the rule's source host, if any.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] ['-s', address] or [] when no host is set
def emit_src_host(rule)
  host = rule.from_host
  return [] unless host

  ['-s', emit_address(host)]
end

#emit_src_port(rule) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 235

# "--sport PORT" tokens for the rule's source port, if any.
#
# @param rule [Puffy::Rule]
# @return [Array<String>] ['--sport', port] or [] when no port is set
def emit_src_port(rule)
  port = rule.from_port
  return [] unless port

  ['--sport', emit_port(port)]
end

#pp_rule(parts) ⇒ Object



# File 'lib/puffy/formatters/iptables.rb', line 285

# Joins emitter output into one rule line: nested token arrays are
# flattened, nil entries (emitters with nothing to add) dropped, and the
# remaining tokens separated by single spaces.
#
# @param parts [Array] tokens, nested arrays and nils from the emit_* helpers
# @return [String] the assembled iptables rule line
def pp_rule(parts)
  tokens = parts.flatten.reject(&:nil?)
  tokens.join(' ')
end