public List <IpTablesRule> GetDynamicChainRules(IpTablesChain chain, String arg)
{
if (!IsDynamic(chain))
{
throw new Exception("Chain " + chain.Name + " should be dynamic");
}
var chains = _chains[chain.IpVersion];
List <IpTablesRule> rules = new List <IpTablesRule>();
var targetTemplate = _dynamicChains[chain];
if (targetTemplate.Count == 0)
{
throw new Exception("Chain " + chain.Name + " should have rules");
}
foreach (var rule in targetTemplate)
{
var formatted = String.Format(rule.GetActionCommand(), arg);
var newRule = IpTablesRule.Parse(formatted, _system, chains, rule.Chain.IpVersion,
rule.Chain.Table, IpTablesRule.ChainCreateMode.CreateNewChainIfNeeded);
rules.Add(newRule);
}
return(rules);
}
public void TestRuleAdd()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Assert.IsTrue(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
var chain = new IpTablesChainSet(4);
foreach (var c in rules.Chains)
{
chain.AddChain(c as IpTablesChain);
}
var rule = IpTablesRule.Parse("-A test2 -p 80 -j ACCEPT", system, chain);
client.StartTransaction();
client.AddRule(rule);
client.EndTransactionCommit();
var proc = Process.Start(new ProcessStartInfo("/sbin/" + GetBinary(), "-L test2")
{
RedirectStandardOutput = true, UseShellExecute = false
});
proc.WaitForExit();
String listOutput = proc.StandardOutput.ReadToEnd();
Assert.IsTrue(listOutput.Contains("anywhere"), "must have created rule");
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestCompare1()
{
String rule = "-A ATTK_CHECK -m recent --rcheck --name BANNED --seconds 180 --reap --rttl -j ATTACKED";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule, null, chains, 4));
}
public void TestCompare1()
{
String rule = "-A ABC -m hashlimit --hashlimit-name aaaaaaaaaaaaaaaaaaaaaa --hashlimit-above 125/second --hashlimit-burst 500 --hashlimit-mode dstip,dstport --hashlimit-srcmask 32 --hashlimit-dstmask 32 --hashlimit-htable-size 65000 --hashlimit-htable-max 30000 --hashlimit-htable-expire 6 --hashlimit-htable-gcinterval 600 -j AVS";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.IsTrue(IpTablesRule.Parse(rule, null, chains, 4).Compare(IpTablesRule.Parse(rule, null, chains, 4)));
}
public void TestPolyfillArgumentsComparison1()
{
String rule = "-A INPUT -m unknown --unknown --unknown-2 1111 -p tcp -d 1.1.1.1 -m tcp --dport 80";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule, null, chains, 4));
}
public void TestPolyfillArgumentsComparison5()
{
String rule = "-A INPUT -m unknown --unknown \'6&0xFF=0x6&&0>>22&0x33@12&0xFFFF=12333\' -g TEST";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule, null, chains, 4));
}
public void TestDefaultChain()
{
IpTablesChainSet chains = new IpTablesChainSet(4);
var rule = IpTablesRule.Parse("-A PREROUTING -s 1.1.1.1 -j TEST", null, chains, 4, "raw", IpTablesRule.ChainCreateMode.CreateNewChainIfNeeded);
Assert.AreEqual("raw", rule.Chain.Table);
}
public void TestSplit()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter <RuleOutputter, IPAddress> ma = new FeatureSplitter <RuleOutputter, IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'",
rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'",
rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1",
rules.Chains.Skip(1).First().Rules.First().GetActionCommand());
}
public void TestAppendRule()
{
IpTablesChainSet chains = new IpTablesChainSet(4);
var rule = IpTablesRule.Parse("-A PREROUTING -s 1.1.1.1 -j TEST", null, chains, 4, "raw", IpTablesRule.ChainCreateMode.CreateNewChainIfNeeded);
rule.AppendToRule("! -m devgroup --src-group 0x2");
}
public override IpTablesChainSet ListRules(String table)
{
IpTablesChainSet chains = new IpTablesChainSet(_ipVersion);
var ipc = GetInterface(table);
foreach (String chain in ipc.GetChains())
{
chains.AddChain(chain, table, _system);
}
foreach (var chain in chains)
{
foreach (var ipc_rule in ipc.GetRules(chain.Name))
{
String rule = ipc.GetRuleString(chain.Name, ipc_rule);
if (rule == null)
{
throw new IpTablesNetException("Unable to get string version of rule");
}
chains.AddRule(IpTablesRule.Parse(rule, _system, chains, table));
}
}
return(chains);
}
public void TestCompare1()
{
String rule = "-A ABC -m hashroute --hashroute-name aaaaaaaaaaaaaaaaaaaaaa --hashroute-mode dstip,dstport --hashroute-srcmask 32 --hashroute-dstmask 32 --hashroute-htable-size 65000 --hashroute-htable-max 30000 --hashroute-htable-expire 6 --hashroute-htable-gcinterval 600 -j AVS";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule, null, chains, 4));
}
public void TestCompare2()
{
String rule = "-A AAAA -t raw -m hashroute --hashroute-name synflood_spoofe --hashroute-mode dstip,dstport --hashroute-srcmask 32 --hashroute-dstmask 32 --hashroute-htable-size 65000 --hashroute-htable-max 30000 --hashroute-htable-expire 6 --hashroute-htable-gcinterval 600 -g AA";
String rule2 = "-A AAAA -t raw -m hashroute --hashroute-mode dstip,dstport --hashroute-name synflood_spoofe --hashroute-htable-size 65000 --hashroute-htable-max 30000 --hashroute-htable-gcinterval 600 --hashroute-htable-expire 6 -g AA";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule2, null, chains));
}
public void TestCompare2()
{
String rule = "-A AAAA -t raw -m hashlimit --hashlimit-name synflood_spoofe --hashlimit-above 111/second --hashlimit-burst 500 --hashlimit-mode dstip,dstport --hashlimit-srcmask 32 --hashlimit-dstmask 32 --hashlimit-htable-size 65000 --hashlimit-htable-max 30000 --hashlimit-htable-expire 6 --hashlimit-htable-gcinterval 600 -g AA";
String rule2 = "-A AAAA -t raw -m hashlimit --hashlimit-above 111/sec --hashlimit-burst 500 --hashlimit-mode dstip,dstport --hashlimit-name synflood_spoofe --hashlimit-htable-size 65000 --hashlimit-htable-max 30000 --hashlimit-htable-gcinterval 600 --hashlimit-htable-expire 6 -g AA";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.IsTrue(IpTablesRule.Parse(rule, null, chains, 4).Compare(IpTablesRule.Parse(rule2, null, chains)));
}
public void TestCompareTarget1()
{
String rule = "-A ABC -j HASHROUTE --hashroute-name aaaaaaaaaaaaaaaaaaaaaa --hashroute-mode dstip,dstport --hashroute-srcmask 32 --hashroute-dstmask 32 --hashroute-htable-size 65000 --hashroute-htable-max 30000 --hashroute-htable-expire 6 --hashroute-htable-gcinterval 600 -j AVS";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule, null, chains, 4));
Assert.IsFalse(IpTablesRule.Parse(rule, null, chains, 4).GetCommand().Contains("-m HASHROUTE"));
}
public void Test2()
{
String rule = "-A FORWARD -m set --match-set test src --return-nomatch ! --update-counters --packets-lt 3 ! --bytes-eq 1";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void Test1()
{
String rule = "-A FORWARD -m set --match-set test src";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestPolyfillParse()
{
String rule = "-A INPUT -m unknown --unknown";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestRandom()
{
String rule = "-A CHAIN -t raw -m statistic --mode random --probability 0.04";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestEvery()
{
String rule = "-A FORWARD -m statistic --mode nth --every 3 --packet 1";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestSnatSingleSource()
{
String rule = "-A POSTROUTING -t nat -s 1.1.1.1/24 -j SNAT --to-source 2.2.2.2";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestPolyfillParseAdditionalOptionsAfter()
{
String rule = "-A INPUT -m unknown --unknown -p tcp -d 1.1.1.1 -m tcp --dport 80";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestCoreFragmenting()
{
String rule = "-A INPUT ! -f -j test";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestCoreDropingUdp()
{
String rule = "-A INPUT -p udp -j DROP";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestCoreDropingDestination()
{
String rule = "-A INPUT -d 1.2.3.4/16 -j DROP";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestCoreSportZeroValue()
{
String rule = "-A INPUT -p tcp -j DROP -m tcp --sport 0";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule1.GetActionCommand());
}
public void TestSourceNotMultiports()
{
String rule = "-A INPUT -p tcp -m multiport ! --dports 80,1000:1080";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestXMarkMasked()
{
String rule = "-A RETURN_AFWCON -j CONNMARK --set-xmark 0x1/0x1";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestXmark()
{
String rule = "-A INPUT -j NFQUEUE --queue-num 1 --queue-bypass";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestLogWithPrefix()
{
String rule = "-A INPUT -j LOG --log-prefix 'IPTABLES (Rule ATTACKED): ' --log-level 7";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
}
public void TestDropFragmentedTcpDns()
{
String rule = "-A INPUT -p tcp ! -f -j DROP -m tcp --sport 53";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
}