private void FlushIPsInternal()
{
using var adapter = System.GetTableAdapter(4);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, Enumerable.Empty <IpTablesRule>(), sync);
}
public void TestDeleteAndUpdate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 1 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(client, rulesOriginal, rulesNew, sync);
var commands = (client as IMockIpTablesRestoreGetOutput).GetOutput().ToList();
Assert.AreEqual(5, commands.Count);
Assert.True(commands[1].StartsWith("-D INPUT 1"));
Assert.True(commands[2].StartsWith("-R INPUT 1"));
Assert.True(commands[3].StartsWith("-R INPUT 2"));
}
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List <String> expectedCommands = new List <String> {
"*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestDeleteMultiplesMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", "-D INPUT 2", "-D INPUT 2", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestAddFromEmpty()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
}, system);
rulesOriginal.Chains.AddChain("INPUT", "filter", system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[0].GetActionCommand(), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 1", "-D INPUT 2"
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
IpTablesChain chain = rulesOriginal.Chains.First();
DefaultNetfilterSync<IpTablesRule> sync = new DefaultNetfilterSync<IpTablesRule>(commentComparer,null);
if (commentComparer == null)
chain.Sync(rulesNew.Chains.First().Rules, sync);
else
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func <IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
IpTablesChain chain = rulesOriginal.Chains.First();
DefaultNetfilterSync <IpTablesRule> sync = new DefaultNetfilterSync <IpTablesRule>(commentComparer, null);
if (commentComparer == null)
{
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
else
{
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
}
private void AcceptIPInternal(IPAddress address)
{
if (address == null)
{
return;
}
using var adapter = System.GetTableAdapter(4);
var chain = new IpTablesChain(IpTable, IpChain, 4, System);
var rule = new IpTablesRule(System, chain);
rule.AppendToRule(GetAcceptRule(address));
chain.AddRule(rule);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, chain.Rules, sync);
Logger.LogInformation($"Whitelisted {address}");
}
private void DropIPInternal(IPAddress address)
{
if (address == null)
{
return;
}
using var adapter = System.GetTableAdapter(4);
var chain = System.GetChain(adapter, IpTable, IpChain) as IpTablesChain;
var rule = chain.Rules.FirstOrDefault(x => x.GetCommand().Contains($"{address}"));
if (rule == null)
{
return;
}
chain.DeleteRule(rule);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, chain.Rules, sync);
Logger.LogInformation($"Blacklisted {address}");
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
private async Task RefreshIPWhiteListAsync()
{
await AccessSemaphore.WaitAsync();
Logger.LogInformation("Refreshing iptables whitelist...");
FlushIPsInternal();
try
{
using var scope = Provider.CreateScope();
var dbContext = scope.ServiceProvider.GetRequiredService <MinerContext>();
using var adapter = System.GetTableAdapter(4);
var miners = await dbContext.Miners.ToListAsync();
var rules = new List <string>();
foreach (var miner in miners.Where(x => x.LastAddress != null && //Has an IP
x.NextIncrement >= DateTimeOffset.UtcNow - TimeSpan.FromHours(1))) //Has updated
{
rules.Add(GetAcceptRule(miner.LastAddress));
}
var ruleSet = new IpTablesRuleSet(4, rules, System);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, ruleSet.Rules, sync);
Logger.LogInformation("Finished refreshing iptables whitelist");
}
catch (Exception ex)
{
Logger.LogError(ex, "There was an error while refreshing iptables whitelist");
}
finally
{
AccessSemaphore.Release();
}
}
