public void FeedRule(IpTablesRule rule)
{
if (IsDynamic(rule))
{
AddRule(rule);
}
}
public RuleParser(string[] arguments, IpTablesRule ipRule, IpTablesChainSet chains, String defaultTable)
{
_arguments = arguments;
_ipRule = ipRule;
_parsers.AddRange(_moduleFactory.GetPreloadModules());
_chains = chains;
_tableName = defaultTable;
}
public RuleParser(string[] arguments, IpTablesRule ipRule, IpTablesChainSet chains, String defaultTable)
{
_arguments = arguments;
_ipRule = ipRule;
_parsers = ModuleRegistry.PreloadDuplicateModules.ToList();
_chains = chains;
_tableName = defaultTable;
}
public void TestPolyfillArgumentsComparison4()
{
String rule =
"-A INPUT -m unknown --unknown --unknown-2 \'this has spaces & a symbol\' -m unknown2 --unknown2 -p tcp -d 1.1.1.1 -m tcp --dport 80";
String rule2 =
"-A INPUT -m unknown2 --unknown2 -m unknown --unknown --unknown-2 \'this has spaces & a symbol\' -p tcp -d 1.1.1.1 -m tcp --dport 80";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.AreEqual(IpTablesRule.Parse(rule, null, chains, 4), IpTablesRule.Parse(rule2, null, chains));
}
public static bool Comparer(IpTablesRule rule1, IpTablesRule rule2)
{
var comment1 = rule1.GetModule<CommentModule>("comment");
var comment2 = rule2.GetModule<CommentModule>("comment");
if (comment1 == null || comment2 == null)
return false;
return comment1.CommentText == comment2.CommentText;
}
public void TestDropFragmentedTcpDnsEquality()
{
String rule = "-A INPUT -p tcp ! -f -j DROP -m tcp --sport 53";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.IsTrue(irule2.Compare(irule1));
}
public void TestPolyfillArgumentsComparison3()
{
String rule =
"-A INPUT -m unknown --unknown --unknown-2 1111 -m unknown2 --unknown2 -p tcp -d 1.1.1.1 -m tcp --dport 80";
String rule2 =
"-A INPUT -m unknown2 --unknown2 -m unknown --unknown --unknown-2 1111 -p tcp -d 1.1.1.1 -m tcp --dport 80";
IpTablesChainSet chains = new IpTablesChainSet(4);
Assert.IsTrue(IpTablesRule.Parse(rule, null, chains, 4).Compare(IpTablesRule.Parse(rule2, null, chains)));
}
public void TestCoreSportEquality()
{
String rule = "-A INPUT -p tcp -j DROP -m tcp --sport 1";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.IsTrue(irule2.Compare(irule1));
}
public void TestDropFragmentedTcpDnsWithCommentEquality()
{
String rule = "-A INPUT -p tcp ! -f -j DROP -m tcp --sport 53 -m comment --comment 'this is a test rule'";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule1, irule2);
}
public void TestCoreDropingUdpEquality()
{
String rule = "-A INPUT -p udp -j DROP";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule1, irule2);
}
public void TestDropConnectionLimitEquality()
{
String rule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(irule1, irule2);
}
public void TestCoreSportEquality()
{
String rule = "-A INPUT -p tcp -j DROP -m tcp --sport 1";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule1, irule2);
}
public void TestCoreDropingDestinationEquality()
{
String rule = "-A INPUT -d 1.2.3.4/16 -j DROP";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(irule1, irule2);
}
public void TestCoreFragmentingEquality()
{
String rule = "-A INPUT ! -f -j test";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(irule1, irule2);
}
public void TestComparisonMultiport()
{
String rule = "-A INPUT -p tcp -j RETURN -m multiport --dports 79,22 -m comment --comment TCP";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule r1 = IpTablesRule.Parse(rule, null, chains);
IpTablesRule r2 = IpTablesRule.Parse(rule, null, chains);
Assert.IsTrue(r1.Equals(r2));
}
public void TestXmark()
{
String rule = "-A INPUT -p tcp -j CONNMARK --set-xmark 0xFF";
String ruleExpect = "-A INPUT -p tcp -j CONNMARK --set-xmark 0xFF";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(ruleExpect, irule.GetActionCommand());
}
public void DnatTest1()
{
String rule = "-A A+B -p tcp -j DNAT --to-destination 1.2.3.4";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule, irule.GetActionCommand());
Assert.IsTrue(irule.Compare(IpTablesRule.Parse(rule, null, chains, 4)));
}
private IEnumerable <IpTablesRule> ParseAll(RuleBuilder rb, RuleDetails c)
{
var rule = c.Rule;
if (rule.Contains("{"))
{
foreach (var v in c.Versions)
{
var rules = _ruleSets[v];
foreach (var t in c.Tables)
{
IpTablesRule.ChainCreateMode chainMode = IpTablesRule.ChainCreateMode.DontCreateErrorInstead;
rule = c.Rule;
string formattedRule;
lock (_dynamicLock)
{
formattedRule = rb.Format(rule, t, v);
}
if (formattedRule != rule)
{
rule = formattedRule;
chainMode = IpTablesRule.ChainCreateMode.ReturnNewChain;
}
yield return(IpTablesRule.Parse(rule, _iptables, rules.Chains, v, t, chainMode));
}
}
}
else
{
IpTablesRule ruleTemplate = null;
foreach (var v in c.Versions)
{
var chains = _ruleSets[v].Chains;
foreach (var t in c.Tables)
{
if (ruleTemplate == null)
{
ruleTemplate = IpTablesRule.Parse(rule, _iptables, chains, v, t,
IpTablesRule.ChainCreateMode.DontCreateErrorInstead);
yield return(ruleTemplate);
}
else
{
//TODO: IPTables Rule clone
var theRule = new IpTablesRule(ruleTemplate);
theRule.Chain = chains.GetChainOrDefault(ruleTemplate.Chain.Name, t);
yield return(theRule);
}
}
}
}
}
public void MatchMarkHex()
{
String rule = "-A INPUT -p tcp -j ACCEPT -m mark --mark 0xc6ff00/0xFFFF00";
String ruleExpect = "-A INPUT -p tcp -j ACCEPT -m mark --mark 13041408/0xFFFF00";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(ruleExpect, irule.GetActionCommand());
Assert.AreEqual(IpTablesRule.Parse(ruleExpect, null, chains, 4), irule);
}
public void TestXorMark()
{
Int32 mark = 0;
String rule = "-A INPUT -p tcp -j CONNMARK --xor-mark " + mark;
String ruleExpect = "-A INPUT -p tcp -j CONNMARK --set-xmark 0x" + mark.ToString("X") + "/0x0";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(ruleExpect, irule.GetActionCommand());
}
private IpTablesRule CastRule(INetfilterRule rule)
{
IpTablesRule castRule = rule as IpTablesRule;
if (castRule == null)
{
throw new IpTablesNetException("Invalid rule type, not iptables");
}
return(castRule);
}
public void TestDoubleSpace()
{
String rule = "-A INPUT -j ACCEPT -m nfacct --nfacct-name \"test\"";
String rule2 = "-A INPUT -j ACCEPT -m nfacct --nfacct-name test";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
Assert.AreEqual(rule2, irule.GetActionCommand());
Assert.IsTrue(IpTablesRule.Parse(rule2, null, chains, 4).Compare(irule));
}
public void TestRandomRounding()
{
String rule = "-A CHAIN -t raw -m statistic --mode random --probability 0.03999999911";
String rule2 = "-A CHAIN -t raw -m statistic --mode random --probability 0.03999999957";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule2, null, chains, 4);
Assert.IsTrue(irule.Compare(irule2));
}
public void TestSnatRangeSourceAndEquality()
{
String rule = "-A POSTROUTING -t nat -s 1.1.1.1/24 -j SNAT --to-source 2.2.2.1-2.2.2.250";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule1, irule2);
Assert.AreEqual(rule, irule1.GetActionCommand());
Assert.AreEqual(rule, irule2.GetActionCommand());
}
/// <summary>
/// Comparison that detirmines equality based on comment text
/// </summary>
/// <param name="rule1"></param>
/// <param name="rule2"></param>
/// <returns></returns>
static bool CommentComparer(IpTablesRule rule1, IpTablesRule rule2)
{
var comment1 = rule1.GetModule <CommentModule>("comment");
var comment2 = rule2.GetModule <CommentModule>("comment");
if (comment1 == null || comment2 == null)
{
return(false);
}
return(comment1.CommentText == comment2.CommentText);
}
public void TestAddCommentAfter()
{
String rule1 = "-A INPUT -p tcp ! -f -j DROP -m tcp --sport 53";
String rule2 = "-A INPUT -p tcp ! -f -j DROP -m tcp --sport 53 -m comment --comment 'this is a test rule'";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule1, null, chains);
irule1.SetComment("this is a test rule");
Assert.AreEqual(rule2, irule1.GetActionCommand());
}
public void TestParse()
{
String rule1 = "-A PREROUTING -t raw -p tcp -j CT --ctevents new,destroy";
String rule2 = "-A PREROUTING -t raw -p tcp -j CT --ctevents \"destroy, new\"";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule1, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule2, null, chains, 4);
irule2.Equals(irule1);
Assert.AreEqual(irule1, irule2);
}
public void TestDnatRangeSourceAndEquality()
{
String rule = "-A POSTROUTING -t nat -d 1.1.1.1/24 -j DNAT --to-destination 2.2.2.1-2.2.2.250";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule1 = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains, 4);
Assert.IsTrue(irule2.Compare(irule1));
Assert.AreEqual(rule, irule1.GetActionCommand());
Assert.AreEqual(rule, irule2.GetActionCommand());
}
public void TestLimitComparison()
{
String rule = "-A INPUT -m limit --limit 100/second --limit-burst 7";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule2, irule);
}
public void TestDifficultCharacters()
{
String rule = "-A kY9xlwGhPJW6N1QCHoRg -t mangle -p tcp -d 107.1.107.1 -g x_ComPlex -m comment --comment 'ABC||+sPeC14l=|1' -m tcp --dport 81";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(rule, irule.GetActionCommand());
IpTablesRule irule2 = IpTablesRule.Parse(rule, null, chains);
Assert.AreEqual(irule2, irule);
}
public void AddRule(IpTablesRule rule)
{
TKey key = _extractor(rule);
if (!_protocols.ContainsKey(key))
{
_protocols.Add(key, _nestedGenerator(ShortHash.HexHash(_chain + "_" + key), _table));
}
var gen = _protocols[key];
gen.AddRule(rule);
}
public override void ReplaceRule(IpTablesRule rule)
{
if (!_inTransaction)
{
//Revert to using IPTables Binary if non transactional
IPTablesBinaryAdapterClient binaryClient = new IPTablesBinaryAdapterClient(_ipVersion, _system, _iptablesBinary);
binaryClient.ReplaceRule(rule);
}
String command = rule.GetActionCommand("-R", false);
_builder.AddCommand(rule.Chain.Table, command);
}
public override void DeleteRule(IpTablesRule rule)
{
if (!_inTransaction)
{
//Revert to using IPTables Binary if non transactional
IPTablesBinaryAdapterClient binaryClient = new IPTablesBinaryAdapterClient(_ipVersion, _system, _iptablesBinary);
binaryClient.DeleteRule(rule);
return;
}
String command = rule.GetActionCommand("-D", false);
_builder.AddCommand(rule.Chain.Table, command);
}
public void TestRandomRounding3()
{
String rule = "-A CHAIN -t raw -m statistic --mode random --probability 0.09000000000";
String rule2 = "-A CHAIN -t raw -m statistic --mode random --probability 0.08999999985";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains, 4);
IpTablesRule irule2 = IpTablesRule.Parse(rule2, null, chains, 4);
Assert.AreEqual(irule.GetActionCommand(), irule2.GetActionCommand());
Assert.IsTrue(irule.Compare(irule2));
}
public void AddRule(IpTablesRule rule)
{
if (_extractKey == null)
{
throw new IpTablesNetException("No key extractor provided, key must hence be provided");
}
var key = _extractKey(rule);
if (!_rules.ContainsKey(key))
{
_rules.Add(key, new List <IpTablesRule>());
}
_rules[key].Add(rule);
}
public override void InsertRule(IpTablesRule rule)
{
if (!_inTransaction)
{
//Revert to using IPTables Binary if non transactional
IPTablesBinaryAdapterClient binaryClient = new IPTablesBinaryAdapterClient(_ipVersion, _system, _iptablesBinary);
binaryClient.InsertRule(rule);
return;
}
String command = rule.GetActionCommand("-I");
if (GetInterface(rule.Chain.Table).ExecuteCommand(_iptablesBinary + " " + command) != 1)
{
throw new IpTablesNetException(String.Format("Failed to insert rule \"{0}\" due to error: \"{1}\"", command, GetInterface(rule.Chain.Table).GetErrorString()));
}
}
public abstract void AddRule(IpTablesRule rule);
private void setter(IpTablesRule arg1, IPAddress arg2)
{
arg1.GetModuleOrLoad<CoreModule>("core").Source = new ValueOrNot<IpCidr>(new IpCidr(arg2));
}
private IPAddress extractor(IpTablesRule arg)
{
IPAddress addr = arg.GetModule<CoreModule>("core").Source.Value.Address;
arg.GetModule<CoreModule>("core").Source = new ValueOrNot<IpCidr>();
return addr;
}
public static void SourcePortSetter(IpTablesRule rule, List<PortOrRange> ranges)
{
var protocol = rule.GetModule<CoreModule>("core").Protocol;
if (ranges.Count == 1 && !protocol.Null && !protocol.Not)
{
if (protocol.Value == "tcp")
{
var tcp = rule.GetModuleOrLoad<TcpModule>("tcp");
tcp.SourcePort = new ValueOrNot<PortOrRange>(ranges[0]);
}
else
{
var tcp = rule.GetModuleOrLoad<UdpModule>("udp");
tcp.SourcePort = new ValueOrNot<PortOrRange>(ranges[0]);
}
}
else
{
var multiport = rule.GetModuleOrLoad<MultiportModule>("multiport");
multiport.SourcePorts = new ValueOrNot<IEnumerable<PortOrRange>>(ranges);
}
}
private String extractor(IpTablesRule arg)
{
String addr = arg.GetModule<CoreModule>("core").InInterface.Value;
arg.GetModule<CoreModule>("core").InInterface = new ValueOrNot<String>();
return addr;
}
public override void AddRule(IpTablesRule rule)
{
String command = rule.GetActionCommand();
ExecutionHelper.ExecuteIptables(_system, command, _iptablesBinary);
}
public bool IsDynamic(IpTablesRule rule)
{
return IsDynamic(rule.Chain);
}
public void AddRule(IpTablesRule rule)
{
_rules.Add(rule);
}
private IEnumerable<IpTablesRule> ParseAll(RuleBuilder rb, RuleDetails c)
{
var rule = c.Rule;
if (rule.Contains("{"))
{
foreach (var v in c.Versions)
{
var rules = _ruleSets[v];
foreach (var t in c.Tables)
{
IpTablesRule.ChainCreateMode chainMode = IpTablesRule.ChainCreateMode.DontCreateErrorInstead;
rule = c.Rule;
string formattedRule;
lock (_dynamicLock)
{
formattedRule = rb.Format(rule, t, v);
}
if (formattedRule != rule)
{
rule = formattedRule;
chainMode = IpTablesRule.ChainCreateMode.ReturnNewChain;
}
yield return IpTablesRule.Parse(rule, _iptables, rules.Chains, v, t, chainMode);
}
}
}
else
{
IpTablesRule ruleTemplate = null;
foreach (var v in c.Versions)
{
var chains = _ruleSets[v].Chains;
foreach (var t in c.Tables)
{
if (ruleTemplate == null)
{
ruleTemplate = IpTablesRule.Parse(rule, _iptables, chains, v, t,
IpTablesRule.ChainCreateMode.DontCreateErrorInstead);
yield return ruleTemplate;
}
else
{
//TODO: IPTables Rule clone
var theRule = new IpTablesRule(ruleTemplate);
theRule.Chain = chains.GetChainOrDefault(ruleTemplate.Chain.Name, t);
yield return theRule;
}
}
}
}
}
public void AddRule(IpTablesRule rule)
{
Debug.Assert(IsDynamic(rule));
_dynamicChains[rule.Chain].Add(rule);
}
private void setter(IpTablesRule arg1, String arg2)
{
arg1.GetModuleOrLoad<CoreModule>("core").InInterface = new ValueOrNot<String>(arg2);
}
/// <summary>
/// Add an IPTables rule to the set
/// </summary>
/// <param name="rule"></param>
public void AddRule(IpTablesRule rule)
{
IpTablesChain ipchain = _chains.GetChainOrAdd(rule.Chain);
ipchain.Rules.Add(rule);
}
public abstract void ReplaceRule(IpTablesRule rule);
public abstract void InsertRule(IpTablesRule rule);
public abstract void DeleteRule(IpTablesRule rule);
private PortOrRange extractSrcPort(IpTablesRule arg)
{
return arg.GetModule<UdpModule>("udp").SourcePort.Value;
}
private IPAddress extractSrcIp(IpTablesRule arg)
{
return arg.GetModule<CoreModule>("core").Source.Value.Address;
}
