public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestInsertMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 2",
rulesNew.Chains.First().Rules[1].GetActionCommand(),
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestDeleteAndUpdate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 1 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(client, rulesOriginal, rulesNew, sync);
var commands = (client as IMockIpTablesRestoreGetOutput).GetOutput().ToList();
Assert.AreEqual(5, commands.Count);
Assert.True(commands[1].StartsWith("-D INPUT 1"));
Assert.True(commands[2].StartsWith("-R INPUT 1"));
Assert.True(commands[3].StartsWith("-R INPUT 2"));
}
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
private void DumpRuleset(IpTablesRuleSet rulesOrig)
{
foreach (var r in rulesOrig.Rules)
{
Console.WriteLine(r.GetActionCommand());
}
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List <String> expectedCommands = new List <String> {
"*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestDeleteMultiplesMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", "-D INPUT 2", "-D INPUT 2", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestSplit()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter <RuleOutputter, IPAddress> ma = new FeatureSplitter <RuleOutputter, IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'",
rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'",
rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1",
rules.Chains.Skip(1).First().Rules.First().GetActionCommand());
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
foreach (var p in _protocols)
{
var description = _chain + "_" + p.Key;
String chainName = ShortHash.HexHash(description);
if (ruleSet.Chains.HasChain(chainName, _table))
{
throw new IpTablesNetException(String.Format("Duplicate feature split: {0}", chainName));
}
//Jump to chain
var chain = ruleSet.Chains.GetChainOrAdd(_chain, _table, system);
IpTablesRule jumpRule = new IpTablesRule(system, chain);
jumpRule.GetModuleOrLoad <CoreModule>("core").Jump = chainName;
jumpRule.GetModuleOrLoad <CommentModule>("comment").CommentText = _commentPrefix + "|FS|" + description;
_setter(jumpRule, p.Key);
ruleSet.AddRule(jumpRule);
//Nested output
ruleSet.AddChain(chainName, _table);
p.Value.Output(system, ruleSet);
}
}
public void TestAddFromEmpty()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
}, system);
rulesOriginal.Chains.AddChain("INPUT", "filter", system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[0].GetActionCommand(), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 1", "-D INPUT 2"
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestSync <TSync>(INetfilterAdapterClient client, IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, TSync sync, List <string> expectedCommands = null) where TSync : INetfilterSync <IpTablesRule>
{
IpTablesChain chain = rulesOriginal.Chains.First();
chain.Sync(client, rulesNew.Chains.First().Rules, sync);
if (expectedCommands != null)
{
CollectionAssert.AreEqual(expectedCommands, ExecutionLog.Select(a => a.Value).ToList());
}
}
internal void TestApply(IpTablesRuleSet rulesOrig, IpTablesRuleSet rulesSynced, IpTablesRuleSet rulesNew, List <string> commands)
{
try
{
Assert.AreEqual(rulesNew, rulesSynced);
}
catch (Exception ex)
{
Console.WriteLine("Sync:");
DumpRuleset(rulesSynced);
Console.WriteLine("New:");
DumpRuleset(rulesNew);
throw;
}
String currentTable = "filter";
foreach (var cmd in commands)
{
if (cmd.StartsWith("*"))
{
currentTable = cmd.Substring(1);
continue;
}
if (!cmd.StartsWith("-"))
{
continue;
}
var ipCmd = IpTablesCommand.Parse(cmd, rulesOrig.System, rulesOrig.Chains, rulesOrig.IpVersion, currentTable);
if (ipCmd.Rule != null)
{
ipCmd.Rule.Chain = rulesOrig.Chains.GetChain(ipCmd.ChainName, ipCmd.Table);
}
rulesOrig.ApplyCommand(ipCmd);
}
try
{
Assert.AreEqual(rulesNew, rulesOrig);
}
catch (Exception ex)
{
Console.WriteLine("Orig:");
DumpRuleset(rulesOrig);
Console.WriteLine("New:");
DumpRuleset(rulesNew);
throw;
}
}
public void TestAddChain()
{
IpTablesRuleSet ruleSet = new IpTablesRuleSet(4, null);
String rule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
ruleSet.AddRule(irule);
Assert.AreEqual(1, ruleSet.Chains.Count());
Assert.AreEqual("filter", ruleSet.Chains.First().Table);
Assert.AreEqual(1, ruleSet.Chains.First().Rules.Count());
}
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func <IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
IpTablesChain chain = rulesOriginal.Chains.First();
DefaultNetfilterSync <IpTablesRule> sync = new DefaultNetfilterSync <IpTablesRule>(commentComparer, null);
if (commentComparer == null)
{
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
else
{
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
foreach (var rule in _rules)
{
if (_chain != null)
{
var chain = ruleSet.Chains.GetChainOrDefault(_chain, _table);
if (chain == null)
{
throw new IpTablesNetException("Unable to find chain");
}
rule.Chain = chain;
}
ruleSet.AddRule(rule);
}
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
foreach (var rule in _rules)
{
if (_chain != null)
{
var chain = ruleSet.Chains.GetChainOrDefault(_chain, _table);
if (chain == null)
{
throw new IpTablesNetException("Unable to find chain");
}
rule.Chain = chain;
}
ruleSet.AddRule(rule);
}
}
public void Output(IpTablesSystem system, IpTablesRuleSet ruleSet)
{
//foreach group => rules
foreach (var p in _rules)
{
//The new chain
var description = _chain + "_" + p.Key;
String chainName = ShortHash.HexHash(description + "|" + _table);
if (ruleSet.Chains.HasChain(chainName, _table))
{
throw new IpTablesNetException(String.Format("Duplicate feature split: {0}", chainName));
}
var chain = ruleSet.Chains.GetChainOrAdd(chainName, _table, system);
//Nested output
var singleRule = OutputRulesForGroup(ruleSet, system, p.Value, chainName, p.Key);
//Console.WriteLine("Is Single Rule: {0}", singleRule == null ? "NO" : "YES");
if (singleRule == null)
{
if (chain.Rules.Count != 0)
{
IpTablesRule jumpRule = IpTablesRule.Parse(_baseRule, system, ruleSet.Chains);
_setJump(jumpRule, p.Key);
//jumpRule.
jumpRule.GetModuleOrLoad <CoreModule>("core").Jump = chainName;
jumpRule.GetModuleOrLoad <CommentModule>("comment").CommentText = _commentPrefix + "|MA|" +
description;
ruleSet.AddRule(jumpRule);
}
else
{
//Console.WriteLine(String.Format("No rules in the chain \"{0}\", skipping jump from {1}.", chainName, _chain));
}
}
else
{
_setJump(singleRule, p.Key);
//ruleSet.AddRule(singleRule);
}
if (chain.Rules.Count == 0)
{
ruleSet.Chains.RemoveChain(chain);
}
}
}
public void TestNesting()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter <MultiportAggregator <IPAddress>, String> ma = new FeatureSplitter <MultiportAggregator <IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
}
public void TestMultiple()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator <IPAddress> ma = new MultiportAggregator <IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 10 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 20 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 30 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 40 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 50 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 60 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 70 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 80 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 90 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 100 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 110 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 120 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 130 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 140 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 150 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 160 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 170 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 180 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 190 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(2, rules.Chains.Count());
Assert.AreEqual(1, rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'",
rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.First().GetActionCommand());
Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150",
rules.Chains.GetChainOrDefault("uXTlO5H/5x9hJe9WK1hw", "filter").Rules.First().GetActionCommand());
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void PerformSync(string matches)
{
var whitelist = _aclProvider.GetWhitelisted();
IpSetSet set = new IpSetSet(IpSetType.HashIp, "wl_ip", 0, _system, IpSetSyncMode.SetAndEntries);
foreach (var w in whitelist)
{
set.Entries.Add(new IpSetEntry(set, new IpCidr(w)));
}
IpSetSets sets = new IpSetSets(_system);
sets.AddSet(set);
sets.Sync();
IpTablesRuleSet rules = new IpTablesRuleSet(4, _system);
rules.AddRule("-A INPUT -m set --match-set wl_ip src -j ACCEPT -m comment --comment WLRULE");
rules.AddRule("-A INPUT " + matches + " j DROP -m comment --comment DROPRULE");
rules.Sync(new DefaultNetfilterSync <IpTablesRule>(Comparer));
}
public void TestSingular()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator <IPAddress> ma = new MultiportAggregator <IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4, system);
ma.Output(system, rules);
Assert.AreEqual(1, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
}
public void TestDelete()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", "-D INPUT 2", "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);;
}
