public void TestSplit()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<RuleOutputter, IPAddress> ma = new FeatureSplitter<RuleOutputter,IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'",
rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'",
rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1",
rules.Chains.Skip(1).First().Rules.First().GetActionCommand());
}
public void CheckBinary(IpTablesSystem system, int ipVersion)
{
using (var client = GetClient(system, ipVersion))
{
(client as Client.IPTablesRestoreAdapterClient).CheckBinary();
}
}
public override IIPTablesAdapterClient GetClient(IpTablesSystem system, int ipVersion = 4)
{
if (ipVersion == 6)
{
return new IPTablesBinaryAdapterClient(ipVersion, system, "ip6tables");
}
return new Client.IPTablesLibAdapterClient(ipVersion, system, ipVersion == 4 ? "iptables" : "ip6tables");
}
public IpSetSets(IEnumerable<String> commands, IpTablesSystem system)
{
_system = system;
foreach (var command in commands)
{
Accept(command, system);
}
}
public IpSetSet(IpSetType type, string name, int timeout, String family, IpTablesSystem system, IpSetSyncMode syncMode)
{
_type = type;
_name = name;
_timeout = timeout;
_family = family;
_system = system;
_syncMode = syncMode;
}
public IpSetSet(IpSetType type, string name, int timeout, String family, IpTablesSystem system, IpSetSyncMode syncMode)
{
_type = type;
_name = name;
_timeout = timeout;
_family = family;
_system = system;
_syncMode = syncMode;
}
public FirewallService()
{
var ad = new IPTablesBinaryAdapter();
var fa = new LocalFactory();
System = new IpTablesSystem(fa, ad);
AccessSemaphore = new SemaphoreSlim(1, 1);
}
public ModelLoad(IpTablesSystem iptables, Dictionary <int, IpTablesRuleSet> ruleSets, IpSetSets sets, DnsClient dns = null)
{
_iptables = iptables;
_ruleSets = ruleSets;
_sets = sets;
if (dns != null)
{
_dns = dns;
}
}
public IpSetSet(IpSetType type, string name, int timeout, String family, IpTablesSystem system, IpSetSyncMode syncMode, List <IpSetEntry> entries = null)
{
_type = type;
_name = name;
_timeout = timeout;
_family = family;
_system = system;
_syncMode = syncMode;
_entries = entries == null ? new List <IpSetEntry>() : entries.ToList();
}
public IpTablesRuleSet(int ipVersion, IEnumerable<string> rules, IpTablesSystem system)
{
_system = system;
_ipVersion = ipVersion;
_chains = new IpTablesChainSet(ipVersion);
foreach (string s in rules)
{
AddRule(s);
}
}
public IpTablesRuleSet(int ipVersion, IEnumerable <string> rules, IpTablesSystem system)
{
_system = system;
_ipVersion = ipVersion;
_chains = new IpTablesChainSet(ipVersion);
foreach (string s in rules)
{
AddRule(s);
}
}
public IpSetSet(IpSetType type, string name, int timeout, String family, IpTablesSystem system, IpSetSyncMode syncMode, PortOrRange bitmapRange, List <string> createOptions = null, List <IpSetEntry> entries = null)
{
_type = type;
_name = name;
_timeout = timeout;
_family = family;
_system = system;
_syncMode = syncMode;
_createOptions = createOptions == null ? new List <string>() : createOptions.ToList();
_entries = entries == null ? new List <IpSetEntry>() : entries.ToList();
_bitmapRange = bitmapRange;
}
public static IpSetSet Parse(String[] arguments, IpTablesSystem system, int startOffset = 0)
{
IpSetSet set = new IpSetSet(system);
var parser = new IpSetSetParser(arguments, set);
for (int i = startOffset; i < arguments.Length; i++)
{
i += parser.FeedToSkip(i, startOffset == i);
}
return(set);
}
public static IpSetSet Parse(String rule, IpTablesSystem system)
{
IpSetSet set = new IpSetSet(system);
string[] arguments = ArgumentHelper.SplitArguments(rule);
var parser = new IpSetSetParser(arguments, set);
for (int i = 0; i < arguments.Length; i++)
{
i += parser.FeedToSkip(i);
}
return(set);
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
foreach (var rule in _rules)
{
if (_chain != null)
{
var chain = ruleSet.Chains.GetChainOrDefault(_chain, _table);
if (chain == null)
{
throw new IpTablesNetException("Unable to find chain");
}
rule.Chain = chain;
}
ruleSet.AddRule(rule);
}
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
foreach (var rule in _rules)
{
if (_chain != null)
{
var chain = ruleSet.Chains.GetChainOrDefault(_chain, _table);
if (chain == null)
{
throw new IpTablesNetException("Unable to find chain");
}
rule.Chain = chain;
}
ruleSet.AddRule(rule);
}
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
//foreach group => rules
foreach (var p in _rules)
{
//The new chain
var description = _chain + "_" + p.Key;
String chainName = ShortHash.HexHash(description + "|" + _table);
if (ruleSet.Chains.HasChain(chainName, _table))
{
throw new IpTablesNetException(String.Format("Duplicate feature split: {0}", chainName));
}
var chain = ruleSet.Chains.GetChainOrAdd(chainName, _table, system);
//Nested output
var singleRule = OutputRulesForGroup(ruleSet, system, p.Value, chainName, p.Key);
//Console.WriteLine("Is Single Rule: {0}", singleRule == null ? "NO" : "YES");
if (singleRule == null)
{
if (chain.Rules.Count != 0)
{
IpTablesRule jumpRule = IpTablesRule.Parse(_baseRule, system, ruleSet.Chains);
_setJump(jumpRule, p.Key);
//jumpRule.
jumpRule.GetModuleOrLoad <CoreModule>("core").Jump = chainName;
jumpRule.GetModuleOrLoad <CommentModule>("comment").CommentText = _commentPrefix + "|MA|" +
description;
ruleSet.AddRule(jumpRule);
}
else
{
//Console.WriteLine(String.Format("No rules in the chain \"{0}\", skipping jump from {1}.", chainName, _chain));
}
}
else
{
_setJump(singleRule, p.Key);
//ruleSet.AddRule(singleRule);
}
if (chain.Rules.Count == 0)
{
ruleSet.Chains.RemoveChain(chain);
}
}
}
public void TestNesting()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<MultiportAggregator<IPAddress>, String> ma = new FeatureSplitter<MultiportAggregator<IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
}
public RuleBuilder(IpTablesSystem system, String nfbpf, Dictionary <int, IpTablesRuleSet> ruleSets, FunctionRegistry functions = null)
{
if (functions == null)
{
functions = new FunctionRegistry();
}
_system = system.System;
_nfbpf = nfbpf;
var chainsDict =
ruleSets.Select((a) => new KeyValuePair <int, IpTablesChainSet>(a.Key, a.Value.Chains))
.ToDictionary((a) => a.Key, (a) => a.Value);
_dcr = new DynamicChainRegister(system, chainsDict);
_formatDb = new DynamicDictionary <object>(_mappings);
_ruleSets = ruleSets;
_interpreter = new Interpreter();
_interpreter.SetVariable("var", _mappings);
functions.LoadFunctions(_interpreter);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNesting()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter <MultiportAggregator <IPAddress>, String> ma = new FeatureSplitter <MultiportAggregator <IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
}
public void TestSingular()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(1, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List<String> expectedCommands = new List<String>() { rulesNew.Chains.First().Rules[2].GetActionCommand() };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() {};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestMultiple()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator <IPAddress> ma = new MultiportAggregator <IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 10 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 20 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 30 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 40 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 50 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 60 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 70 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 80 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 90 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 100 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 110 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 120 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 130 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 140 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 150 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 160 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 170 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 180 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 190 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(2, rules.Chains.Count());
Assert.AreEqual(1, rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'",
rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.First().GetActionCommand());
Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150",
rules.Chains.GetChainOrDefault("uXTlO5H/5x9hJe9WK1hw", "filter").Rules.First().GetActionCommand());
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List<String> expectedCommands = new List<String> { "*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String> { "*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestMultiple()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 10 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 20 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 30 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 40 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 50 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 60 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 70 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 80 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 90 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 100 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 110 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 120 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 130 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 140 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 150 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 160 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 170 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 180 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 190 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(2, rules.Chains.Count());
Assert.AreEqual(1, rules.Chains.GetChainOrDefault("INPUT","filter").Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'",
rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.First().GetActionCommand());
Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150",
rules.Chains.GetChainOrDefault("uXTlO5H/5x9hJe9WK1hw", "filter").Rules.First().GetActionCommand());
}
public void TestSingular()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator <IPAddress> ma = new MultiportAggregator <IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(1, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestUpdateMiddleTwo()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 1 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter",
rulesNew.Chains.First().Rules[1].GetActionCommand("-R"),
rulesNew.Chains.First().Rules[2].GetActionCommand("-R"),
"COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestRuleOutput()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Debug.Assert(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
foreach (var chain in rules.Chains)
{
Assert.AreEqual(_ipVersion, chain.IpVersion, "Incorrect IP Version for chain: " + chain);
}
Assert.AreNotEqual(0, rules.Chains.SelectMany((a) => a.Rules).Count());
foreach (var rule in rules.Chains.SelectMany((a) => a.Rules))
{
Assert.AreEqual(_ipVersion, rule.IpVersion, "Incorrect IP Version for rule: " + rule);
}
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestRuleOutput()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Debug.Assert(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
foreach (var chain in rules.Chains)
{
Assert.AreEqual(_ipVersion, chain.IpVersion, "Incorrect IP Version for chain: " + chain);
}
Assert.AreNotEqual(0, rules.Chains.SelectMany((a)=>a.Rules).Count());
foreach (var rule in rules.Chains.SelectMany((a) => a.Rules))
{
Assert.AreEqual(_ipVersion, rule.IpVersion, "Incorrect IP Version for rule: " + rule);
}
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestSyncDelete()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List<String>()
{
"create test hash:ip",
"add test 8.8.8.8"
}, iptables);
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List<String>()
{
}, iptables);
systemFactory.TestSync(rulesNew, new List<string>
{
"destroy test"
});
}
public void TestUpdateBegin()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\""
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[0].GetActionCommand("-R")
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands, CommentComparer);
}
public void TestSyncDelete()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List <String>()
{
"create test hash:ip",
"add test 8.8.8.8"
}, iptables);
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List <String>()
{
}, iptables);
systemFactory.TestSync(rulesNew, new List <string>
{
"destroy test"
});
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 1", "-D INPUT 2"
};
mock.TestSync(rulesOriginal, rulesNew, expectedCommands);
}
public void Accept(String line, IpTablesSystem iptables)
{
String[] split = ArgumentHelper.SplitArguments(line);
if (split.Length == 0)
{
return;
}
var command = split[0];
switch (command)
{
case "create":
var set = IpSetSet.Parse(split, iptables, 1);
AddSet(set);
break;
case "add":
IpSetEntry.Parse(split, this, 1);
break;
}
}
public virtual IpSetSets SaveSets(IpTablesSystem iptables)
{
IpSetSets sets = new IpSetSets(iptables);
//ipset save
using (ISystemProcess process = _system.StartProcess(BinaryName, "save"))
{
ProcessHelper.ReadToEnd(process, line =>
{
if (line == null)
{
return;
}
var trimmed = line.Trim();
if (trimmed.Length != 0)
{
sets.Accept(trimmed, iptables);
}
}, err => { });
}
return(sets);
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List <String> expectedCommands = new List <String> {
"*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
public void TestUpdateBegin()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[0].GetActionCommand("-R"), "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public virtual IpSetSets SaveSets(IpTablesSystem iptables)
{
ISystemProcess process = _system.StartProcess(BinaryName, "save");
IpSetSets sets = new IpSetSets(iptables);
String[] all = process.StandardOutput.ReadToEnd().Split(new string[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
foreach (String line in all)
{
if (String.IsNullOrEmpty(line))
{
break;
}
var trimmed = line.Trim();
if (trimmed.Length != 0)
{
sets.Accept(trimmed, iptables);
}
}
process.WaitForExit();
return(sets);
}
public IpTablesRuleSet(int ipVersion, IpTablesSystem system)
{
_system = system;
_ipVersion = ipVersion;
_chains = new IpTablesChainSet(ipVersion);
}
public void Accept(String line, IpTablesSystem iptables)
{
String[] split = line.Split(new char[] { ' ' });
if (split.Length == 0)
{
return;
}
var command = split[0];
var options = String.Join(" ", split.Skip(1).ToArray());
switch (command)
{
case "create":
var set = IpSetSet.Parse(options, iptables);
AddSet(set);
break;
case "add":
IpSetEntry.Parse(options, this);
break;
}
}
public virtual IpSetSets SaveSets(IpTablesSystem iptables)
{
ISystemProcess process = _system.StartProcess(BinaryName, "save");
IpSetSets sets = new IpSetSets(iptables);
String[] all = process.StandardOutput.ReadToEnd().Split(new string[]{"\r\n","\n"}, StringSplitOptions.RemoveEmptyEntries);
foreach(String line in all){
if (String.IsNullOrEmpty(line))
{
break;
}
var trimmed = line.Trim();
if (trimmed.Length != 0)
{
sets.Accept(trimmed, iptables);
}
}
process.WaitForExit();
return sets;
}
public IpSetSets(IpTablesSystem system)
{
_system = system;
}
public void TestSyncCreateNet()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List<String>()
{
}, iptables);
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List<String>()
{
"create test hash:net",
"add test 8.8.8.8/32"
}, iptables);
systemFactory.TestSync(rulesNew, new List<string>
{
"create test hash:net family inet hashsize 1024 maxelem 65536",
"add test 8.8.8.8"
});
}
public override IIPTablesAdapterClient GetClient(IpTablesSystem system, int ipVersion = 4)
{
return new Client.IPTablesRestoreAdapterClient(ipVersion, system, ipVersion == 4 ? _iptablesRestoreBinary4 : _iptablesRestoreBinary6, ipVersion == 4 ? _iptablesSaveBinary4 : _iptablesSaveBinary6, ipVersion == 4 ? "iptables" : "ip6tables");
}
public void TestBitmapPort()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List<String>()
{
"create test bitmap:port family inet",
"add test 80"
}, iptables);
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List<String>()
{
"create test bitmap:port"
}, iptables);
rulesNew.Sets.FirstOrDefault().SyncMode = IpSetSyncMode.SetOnly;
systemFactory.TestSync(rulesNew, new List<string>
{
});
}
public void TestBitmapPortNoChange()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List<String>()
{
"create test bitmap:port range 1-65535",
"add test 80",
"add test 81"
}, iptables);
rulesOriginal.Sets.FirstOrDefault().SyncMode = IpSetSyncMode.SetAndEntries;
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List<String>()
{
"create test bitmap:port bitmap:port range 1-65535",
"add test 81",
"add test 80"
}, iptables);
rulesNew.Sets.FirstOrDefault().SyncMode = IpSetSyncMode.SetAndEntries;
systemFactory.TestSync(rulesNew, new List<string>
{
});
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestSyncEntryNotValues()
{
var systemFactory = new MockIpsetSystemFactory();
var system = new MockIpsetBinaryAdapter(systemFactory);
var iptables = new IpTablesSystem(systemFactory, null, system);
IpSetSets rulesOriginal = new IpSetSets(new List<String>()
{
"create test hash:ip family inet hashsize 1024 maxelem 65536",
"add test 8.8.8.8"
}, iptables);
system.SetSets(rulesOriginal);
IpSetSets rulesNew = new IpSetSets(new List<String>()
{
"create test hash:ip"
}, iptables);
rulesNew.Sets.FirstOrDefault().SyncMode = IpSetSyncMode.SetOnly;
systemFactory.TestSync(rulesNew, new List<string>
{
});
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands, CommentComparer);
}
public void CheckBinary(IpTablesSystem system)
{
var client = GetClient(system);
(client as Client.IPTablesRestoreAdapterClient).CheckBinary();
}