private void FlushIPsInternal()
{
using var adapter = System.GetTableAdapter(4);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, Enumerable.Empty <IpTablesRule>(), sync);
}
public void TestDeleteAndUpdate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 1 -m comment --comment \"ID3\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID4\""
}, system);
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(client, rulesOriginal, rulesNew, sync);
var commands = (client as IMockIpTablesRestoreGetOutput).GetOutput().ToList();
Assert.AreEqual(5, commands.Count);
Assert.True(commands[1].StartsWith("-D INPUT 1"));
Assert.True(commands[2].StartsWith("-R INPUT 1"));
Assert.True(commands[3].StartsWith("-R INPUT 2"));
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
var sync = new DefaultNetfilterSync <IpTablesRule>(CommentComparer);
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 1", "-D INPUT 2"
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
public void TestRuleAdd()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Assert.IsTrue(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
var chain = new IpTablesChainSet(4);
foreach (var c in rules.Chains)
{
chain.AddChain(c as IpTablesChain);
}
var rule = IpTablesRule.Parse("-A test2 -p 80 -j ACCEPT", system, chain);
client.StartTransaction();
client.AddRule(rule);
client.EndTransactionCommit();
var proc = Process.Start(new ProcessStartInfo("/sbin/" + GetBinary(), "-L test2")
{
RedirectStandardOutput = true, UseShellExecute = false
});
proc.WaitForExit();
String listOutput = proc.StandardOutput.ReadToEnd();
Assert.IsTrue(listOutput.Contains("anywhere"), "must have created rule");
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List <String> expectedCommands = new List <String> {
"*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestDeleteMultiplesMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 3"
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", "-D INPUT 2", "-D INPUT 2", "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestInsertMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
"-D INPUT 2",
rulesNew.Chains.First().Rules[1].GetActionCommand(),
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestAddFromEmpty()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
}, system);
rulesOriginal.Chains.AddChain("INPUT", "filter", system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List <String> expectedCommands = new List <String> {
"*filter", rulesNew.Chains.First().Rules[0].GetActionCommand(), "COMMIT"
};
using (var client = system.GetTableAdapter(4))
{
var sync = new DefaultNetfilterSync <IpTablesRule>();
var rulesSynced = rulesOriginal.DeepClone();
mock.TestSync(client, rulesSynced, rulesNew, sync);
CollectionAssert.AreEqual(expectedCommands, (client as IMockIpTablesRestoreGetOutput).GetOutput());
TestApply(rulesOriginal, rulesSynced, rulesNew, expectedCommands);
}
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
rulesNew.Chains.First().Rules[2].GetActionCommand()
};
var sync = new DefaultNetfilterSync <IpTablesRule>();
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, sync, expectedCommands);
}
private async Task RefreshIPWhiteListAsync()
{
await AccessSemaphore.WaitAsync();
Logger.LogInformation("Refreshing iptables whitelist...");
FlushIPsInternal();
try
{
using var scope = Provider.CreateScope();
var dbContext = scope.ServiceProvider.GetRequiredService <MinerContext>();
using var adapter = System.GetTableAdapter(4);
var miners = await dbContext.Miners.ToListAsync();
var rules = new List <string>();
foreach (var miner in miners.Where(x => x.LastAddress != null && //Has an IP
x.NextIncrement >= DateTimeOffset.UtcNow - TimeSpan.FromHours(1))) //Has updated
{
rules.Add(GetAcceptRule(miner.LastAddress));
}
var ruleSet = new IpTablesRuleSet(4, rules, System);
var sync = new DefaultNetfilterSync <IpTablesRule>();
(System.GetChain(adapter, IpTable, IpChain) as IpTablesChain).Sync(adapter, ruleSet.Rules, sync);
Logger.LogInformation("Finished refreshing iptables whitelist");
}
catch (Exception ex)
{
Logger.LogError(ex, "There was an error while refreshing iptables whitelist");
}
finally
{
AccessSemaphore.Release();
}
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() {};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String>() { rulesNew.Chains.First().Rules[2].GetActionCommand() };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String> { "*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List<String> expectedCommands = new List<String> { "*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List <String> expectedCommands = new List <String>()
{
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestRuleOutput()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Debug.Assert(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
foreach (var chain in rules.Chains)
{
Assert.AreEqual(_ipVersion, chain.IpVersion, "Incorrect IP Version for chain: " + chain);
}
Assert.AreNotEqual(0, rules.Chains.SelectMany((a) => a.Rules).Count());
foreach (var rule in rules.Chains.SelectMany((a) => a.Rules))
{
Assert.AreEqual(_ipVersion, rule.IpVersion, "Incorrect IP Version for rule: " + rule);
}
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestRuleOutput()
{
if (IsLinux)
{
Assert.AreEqual(0, IptcInterface.RefCount);
var system = new IpTablesSystem(null, new IPTablesLibAdapter());
using (var client = system.GetTableAdapter(_ipVersion))
{
Debug.Assert(client is IPTablesLibAdapterClient);
var rules = client.ListRules("filter");
foreach (var chain in rules.Chains)
{
Assert.AreEqual(_ipVersion, chain.IpVersion, "Incorrect IP Version for chain: " + chain);
}
Assert.AreNotEqual(0, rules.Chains.SelectMany((a)=>a.Rules).Count());
foreach (var rule in rules.Chains.SelectMany((a) => a.Rules))
{
Assert.AreEqual(_ipVersion, rule.IpVersion, "Incorrect IP Version for rule: " + rule);
}
}
Assert.AreEqual(0, IptcInterface.RefCount);
}
}
public void TestDelete()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List <String> expectedCommands = new List <String>()
{
"*filter", "-D INPUT 2", "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);;
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List <String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List <String> expectedCommands = new List <String> {
"*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT"
};
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
/// <summary>
/// Sync with an IPTables system
/// </summary>
/// <param name="sync"></param>
/// <param name="canDeleteChain"></param>
/// <param name="maxRetries"></param>
public void Sync(INetfilterSync <IpTablesRule> sync,
Func <IpTablesChain, bool> canDeleteChain = null, int maxRetries = 10)
{
var tableAdapter = _system.GetTableAdapter(_ipVersion);
List <IpTablesChain> chainsToAdd = new List <IpTablesChain>();
bool needed;
int retries = maxRetries;
do
{
try
{
//Start transaction
tableAdapter.StartTransaction();
//Load all chains, figure out what to add
var tableChains = new Dictionary <string, List <IpTablesChain> >();
foreach (IpTablesChain chain in Chains)
{
if (!tableChains.ContainsKey(chain.Table))
{
var chains = _system.GetChains(chain.Table, _ipVersion).ToList();
tableChains.Add(chain.Table, chains);
}
if (
tableChains[chain.Table].FirstOrDefault(a => a.Name == chain.Name && a.Table == chain.Table) ==
null)
{
//Chain doesnt exist, to create
chainsToAdd.Add(chain);
}
}
//Add the new chains / rules
foreach (var chain in chainsToAdd)
{
tableChains[chain.Table].Add(_system.AddChain(chain));
}
chainsToAdd.Clear();
//Special case
if (tableAdapter is IPTablesLibAdapterClient)
{
//Sync chain adds before starting rule adds
tableAdapter.EndTransactionCommit();
tableAdapter.StartTransaction();
}
//Update chains with differing rules
foreach (IpTablesChain chain in Chains)
{
IpTablesChain realChain =
tableChains[chain.Table].First(a => a.Name == chain.Name && a.Table == chain.Table);
if (realChain != null)
{
//Update chain
realChain.SyncInternal(chain.Rules, sync);
}
}
//End Transaction: COMMIT
tableAdapter.EndTransactionCommit();
if (canDeleteChain != null)
{
//Start transaction
//Needs new transaction, bug in libiptc?
tableAdapter.StartTransaction();
foreach (string table in Chains.Select(a => a.Table).Distinct())
{
foreach (IpTablesChain chain in _system.GetChains(table, _ipVersion))
{
if (!_chains.HasChain(chain.Name, chain.Table) && canDeleteChain(chain))
{
chain.Delete();
}
}
}
//End Transaction: COMMIT
tableAdapter.EndTransactionCommit();
}
needed = false;
}
catch (IpTablesNetExceptionErrno ex)
{
if (ex.Errno == 11 && retries != 0)//Resource Temporarily unavailable
{
Thread.Sleep(100 * (maxRetries - retries));
retries--;
needed = true;
}
else
{
throw;
}
}
} while (needed);
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List<String> expectedCommands = new List<String>() { "*filter", "-D INPUT 1", "-D INPUT 2", "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands, CommentComparer);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
