public void PerformSync(string matches)
{
var whitelist = _aclProvider.GetWhitelisted();
IpSetSet set = new IpSetSet(IpSetType.HashIp,"wl_ip",0, _system, IpSetSyncMode.SetAndEntries);
foreach (var w in whitelist)
{
set.Entries.Add(new IpSetEntry(set, new IpCidr(w)));
}
IpSetSets sets = new IpSetSets(_system);
sets.AddSet(set);
sets.Sync();
IpTablesRuleSet rules = new IpTablesRuleSet(4, _system);
rules.AddRule("-A INPUT -m set --match-set wl_ip src -j ACCEPT -m comment --comment WLRULE");
rules.AddRule("-A INPUT " + matches + " j DROP -m comment --comment DROPRULE");
rules.Sync(new DefaultNetfilterSync<IpTablesRule>(Comparer));
}
public void TestSplit()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<RuleOutputter, IPAddress> ma = new FeatureSplitter<RuleOutputter,IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'",
rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'",
rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1",
rules.Chains.Skip(1).First().Rules.First().GetActionCommand());
}
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
IpTablesChain chain = rulesOriginal.Chains.First();
DefaultNetfilterSync<IpTablesRule> sync = new DefaultNetfilterSync<IpTablesRule>(commentComparer,null);
if (commentComparer == null)
chain.Sync(rulesNew.Chains.First().Rules, sync);
else
chain.Sync(rulesNew.Chains.First().Rules, sync);
}
public void TestAddChain()
{
IpTablesRuleSet ruleSet = new IpTablesRuleSet(4,null);
String rule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10";
IpTablesChainSet chains = new IpTablesChainSet(4);
IpTablesRule irule = IpTablesRule.Parse(rule, null, chains);
ruleSet.AddRule(irule);
Assert.AreEqual(1, ruleSet.Chains.Count());
Assert.AreEqual("filter", ruleSet.Chains.First().Table);
Assert.AreEqual(1, ruleSet.Chains.First().Rules.Count());
}
public void TestNesting()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<MultiportAggregator<IPAddress>, String> ma = new FeatureSplitter<MultiportAggregator<IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String>() { rulesNew.Chains.First().Rules[2].GetActionCommand() };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSingular()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(1, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() {};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List<String> expectedCommands = new List<String> { "*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String> { "*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestMultiple()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 10 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 20 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 30 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 40 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 50 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 60 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 70 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 80 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 90 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 100 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 110 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 120 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 130 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 140 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 150 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 160 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 170 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 180 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 190 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(2, rules.Chains.Count());
Assert.AreEqual(1, rules.Chains.GetChainOrDefault("INPUT","filter").Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'",
rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.First().GetActionCommand());
Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150",
rules.Chains.GetChainOrDefault("uXTlO5H/5x9hJe9WK1hw", "filter").Rules.First().GetActionCommand());
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List<String> expectedCommands = new List<String>() { "*filter", "-D INPUT 1", "-D INPUT 2", "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands, CommentComparer);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, List<string> expectedCommands, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
TestSync(rulesOriginal, rulesNew, commentComparer);
CollectionAssert.AreEqual(expectedCommands, Commands.Select(a => a.Value).ToList());
}
public void TestSync(INetfilterAdapterClient client, IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, List<string> expectedCommands, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
TestSync(client, rulesOriginal, rulesNew, commentComparer);
CollectionAssert.AreEqual(expectedCommands, ExecutionLog.Select(a => a.Value).ToList());
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List<String> expectedCommands = new List<String>() { "-D INPUT 1", "-D INPUT 2" };
mock.TestSync(rulesOriginal, rulesNew, expectedCommands);
}
