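/// <summary>
/// Pushes the current whitelist into the <c>wl_ip</c> ipset and then syncs two INPUT
/// rules: an ACCEPT for sources found in the set, followed by a DROP for traffic that
/// matches <paramref name="matches"/>.
/// </summary>
/// <param name="matches">
/// An iptables match expression that is spliced verbatim into the DROP rule. It is not
/// validated or escaped here, so it must come from trusted configuration.
/// </param>
/// <exception cref="ArgumentException">
/// <paramref name="matches"/> is null or whitespace. An empty match expression would
/// yield an unconditional <c>-A INPUT -j DROP</c>, so it is rejected up front.
/// </exception>
public void PerformSync(string matches)
{
    if (string.IsNullOrWhiteSpace(matches))
    {
        throw new ArgumentException("A non-empty iptables match expression is required.", nameof(matches));
    }

    // Whitelisted addresses are loaded into a hash:ip set so the ACCEPT rule stays a
    // single entry no matter how many addresses are whitelisted.
    var whitelist = _aclProvider.GetWhitelisted();
    var whitelistSet = new IpSetSet(IpSetType.HashIp, "wl_ip", 0, _system, IpSetSyncMode.SetAndEntries);
    foreach (var address in whitelist)
    {
        whitelistSet.Entries.Add(new IpSetEntry(whitelistSet, new IpCidr(address)));
    }

    var sets = new IpSetSets(_system);
    sets.AddSet(whitelistSet);
    // The set is synced before the rules that reference it.
    sets.Sync();

    var rules = new IpTablesRuleSet(4, _system);
    rules.AddRule("-A INPUT -m set --match-set wl_ip src -j ACCEPT -m comment --comment WLRULE");
    // "-j DROP": the previous literal read " j DROP" (missing dash), producing an invalid rule.
    rules.AddRule("-A INPUT " + matches + " -j DROP -m comment --comment DROPRULE");
    rules.Sync(new DefaultNetfilterSync<IpTablesRule>(Comparer));
}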
/// <summary>
/// Splitting three INPUT rules on source address must produce one dispatch chain plus one
/// generated chain per distinct address, with the expected action commands.
/// </summary>
public void TestSplit()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());
    var chainSet = new IpTablesChainSet(4);

    var splitter = new FeatureSplitter<RuleOutputter, IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");

    string[] inputRules =
    {
        "-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT",
        "-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT",
        "-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT"
    };
    foreach (var ruleText in inputRules)
    {
        splitter.AddRule(IpTablesRule.Parse(ruleText, system, chainSet));
    }

    var output = new IpTablesRuleSet(4, system);
    splitter.Output(system, output);

    var chains = output.Chains.ToList();
    Assert.AreEqual(3, chains.Count);
    Assert.AreEqual(2, chains[0].Rules.Count);
    Assert.AreEqual(2, chains[1].Rules.Count);
    Assert.AreEqual(1, chains[2].Rules.Count);

    // The dispatch chain refers to the generated chains by their hashed names.
    Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'", chains[0].Rules[0].GetActionCommand());
    Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'", chains[0].Rules[1].GetActionCommand());
    Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1", chains[1].Rules[0].GetActionCommand());
}
/// <summary>
/// Syncs the first chain of <paramref name="rulesOriginal"/> towards the rules of the
/// first chain of <paramref name="rulesNew"/> using a <see cref="DefaultNetfilterSync{T}"/>.
/// </summary>
/// <param name="rulesOriginal">Rule set whose first chain is the sync target.</param>
/// <param name="rulesNew">Rule set whose first chain supplies the desired rules.</param>
/// <param name="commentComparer">Optional comparer forwarded to the sync; may be null.</param>
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
    var targetChain = rulesOriginal.Chains.First();
    // The comparer is forwarded as-is; a null comparer takes exactly the same path.
    var sync = new DefaultNetfilterSync<IpTablesRule>(commentComparer, null);
    var desiredRules = rulesNew.Chains.First().Rules;
    targetChain.Sync(desiredRules, sync);
}
/// <summary>
/// Adding a single parsed rule to an empty rule set must create exactly one chain in the
/// <c>filter</c> table holding that one rule.
/// </summary>
public void TestAddChain()
{
    const string ruleText = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10";

    var chainSet = new IpTablesChainSet(4);
    var parsed = IpTablesRule.Parse(ruleText, null, chainSet);

    var ruleSet = new IpTablesRuleSet(4, null);
    ruleSet.AddRule(parsed);

    var onlyChain = ruleSet.Chains.First();
    Assert.AreEqual(1, ruleSet.Chains.Count());
    Assert.AreEqual("filter", onlyChain.Table);
    Assert.AreEqual(1, onlyChain.Rules.Count());
}
/// <summary>
/// A feature splitter nesting a multiport aggregator must split on the interface and
/// aggregate within each split: three rules become one dispatch chain and two nested chains.
/// </summary>
public void TestNesting()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());
    var chainSet = new IpTablesChainSet(4);

    var splitter = new FeatureSplitter<MultiportAggregator<IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");

    string[] inputRules =
    {
        "-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT",
        "-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT",
        "-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT"
    };
    foreach (var ruleText in inputRules)
    {
        splitter.AddRule(IpTablesRule.Parse(ruleText, system, chainSet));
    }

    var output = new IpTablesRuleSet(4, system);
    splitter.Output(system, output);

    var chains = output.Chains.ToList();
    Assert.AreEqual(3, chains.Count);
    Assert.AreEqual(2, chains[1].Rules.Count);
    Assert.AreEqual(1, chains[2].Rules.Count);
}
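/// <summary>
/// Two identical NAT rule sets must sync without executing any iptables command.
/// </summary>
public void TestNatDoNothing()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());

    string[] natRules =
    {
        "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
        "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
    };
    // Each rule set gets its own list so neither can observe mutations made through the other.
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(natRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(natRules), system);
    var expectedCommands = new List<string>();

    // Dispose the table adapter client instead of leaking it.
    using (var client = system.GetTableAdapter(4))
    {
        mock.TestSync(client, rulesOriginal, rulesNew, expectedCommands);
    }
}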
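/// <summary>
/// Two identical filter rule sets must sync without executing any iptables command.
/// </summary>
public void TestSimpleDoNothing()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());

    string[] filterRules =
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    };
    // Each rule set gets its own list so neither can observe mutations made through the other.
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(filterRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(filterRules), system);
    var expectedCommands = new List<string>();

    // Dispose the table adapter client instead of leaking it.
    using (var client = system.GetTableAdapter(4))
    {
        mock.TestSync(client, rulesOriginal, rulesNew, expectedCommands);
    }
}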
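/// <summary>
/// Appending one rule to an otherwise unchanged set must execute exactly that rule's
/// append command and nothing else.
/// </summary>
public void TestAdd()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());

    string[] existingRules =
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    };
    const string addedRule = "-A INPUT -d 1.2.3.4/16 -j DROP";

    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(existingRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(existingRules) { addedRule }, system);

    // The only expected command is the append of the third (new) rule.
    var expectedCommands = new List<string>
    {
        rulesNew.Chains.First().Rules[2].GetActionCommand()
    };

    // Dispose the table adapter client instead of leaking it.
    using (var client = system.GetTableAdapter(4))
    {
        mock.TestSync(client, rulesOriginal, rulesNew, expectedCommands);
    }
}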
/// <summary>
/// Rules sharing a source address must be merged into one multiport rule per address,
/// so three input rules collapse to two output rules in a single chain.
/// </summary>
public void TestSingular()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());
    var chainSet = new IpTablesChainSet(4);

    var aggregator = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort, PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);

    string[] inputRules =
    {
        "-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT",
        "-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT",
        "-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT"
    };
    foreach (var ruleText in inputRules)
    {
        aggregator.AddRule(IpTablesRule.Parse(ruleText, system, chainSet));
    }

    var output = new IpTablesRuleSet(4, system);
    aggregator.Output(system, output);

    Assert.AreEqual(1, output.Chains.Count());
    var mergedRules = output.Chains.First().Rules;
    Assert.AreEqual(2, mergedRules.Count);

    // Adjacent ports 1 and 2 become the range 1:2; the lone port 3 stays a single value.
    Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", mergedRules[0].GetActionCommand());
    Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", mergedRules[1].GetActionCommand());
}
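/// <summary>
/// Two identical filter rule sets must produce no iptables-restore output at all.
/// </summary>
public void TestSimpleDoNothing()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());

    string[] filterRules =
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    };
    // Each rule set gets its own list so neither can observe mutations made through the other.
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(filterRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(filterRules), system);
    var expectedCommands = new List<string>();

    mock.TestSync(rulesOriginal, rulesNew);

    // Dispose the adapter client instead of leaking it. A direct cast replaces `as` so a
    // wrong adapter type fails with InvalidCastException rather than a null dereference.
    using (var client = system.GetTableAdapter(4))
    {
        var output = ((IMockIpTablesRestoreGetOutput)client).GetOutput();
        // expected first, actual second, so a failure message reads correctly.
        CollectionAssert.AreEqual(expectedCommands, output);
    }
}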
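/// <summary>
/// A comment containing a space must be emitted to iptables-restore with double quotes,
/// even though the input rule used single quotes.
/// </summary>
public void TestQuotes()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());

    const string baseRule = "-A INPUT -p tcp -j DROP";
    var rulesOriginal = new IpTablesRuleSet(4, new List<string> { baseRule }, system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>
    {
        baseRule,
        "-A INPUT -m comment --comment 'test space'"
    }, system);

    // Restore output is a table block: header, the single added rule (re-quoted), COMMIT.
    var expectedCommands = new List<string>
    {
        "*filter",
        "-A INPUT -m comment --comment \"test space\"",
        "COMMIT"
    };

    mock.TestSync(rulesOriginal, rulesNew);

    // Dispose the adapter client instead of leaking it. A direct cast replaces `as` so a
    // wrong adapter type fails with InvalidCastException rather than a null dereference.
    using (var client = system.GetTableAdapter(4))
    {
        var output = ((IMockIpTablesRestoreGetOutput)client).GetOutput();
        // expected first, actual second, so a failure message reads correctly.
        CollectionAssert.AreEqual(expectedCommands, output);
    }
}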
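/// <summary>
/// Appending one rule to an otherwise unchanged set must produce a restore block that
/// contains only that rule's append command.
/// </summary>
public void TestAdd()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());

    string[] existingRules =
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    };
    const string addedRule = "-A INPUT -d 1.2.3.4/16 -j DROP";

    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(existingRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(existingRules) { addedRule }, system);

    // Restore output is a table block: header, the third (new) rule, COMMIT.
    var expectedCommands = new List<string>
    {
        "*filter",
        rulesNew.Chains.First().Rules[2].GetActionCommand(),
        "COMMIT"
    };

    mock.TestSync(rulesOriginal, rulesNew);

    // Dispose the adapter client instead of leaking it. A direct cast replaces `as` so a
    // wrong adapter type fails with InvalidCastException rather than a null dereference.
    using (var client = system.GetTableAdapter(4))
    {
        var output = ((IMockIpTablesRestoreGetOutput)client).GetOutput();
        // expected first, actual second, so a failure message reads correctly.
        CollectionAssert.AreEqual(expectedCommands, output);
    }
}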
/// <summary>
/// Nineteen single-port rules for one source must overflow a single multiport rule:
/// the aggregator emits a dispatch rule in INPUT plus a generated chain whose first rule
/// carries the first fifteen ports.
/// </summary>
public void TestMultiple()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());
    var chainSet = new IpTablesChainSet(4);

    var aggregator = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort, PortRangeHelpers.SourcePortSetter, setSourceIp, "_");

    // Source ports 10, 20, ..., 190 in ascending order, all from the same address.
    for (var port = 10; port <= 190; port += 10)
    {
        var ruleText = "-A INPUT -s 8.1.1.1 -m udp --sport " + port + " -j ACCEPT";
        aggregator.AddRule(IpTablesRule.Parse(ruleText, system, chainSet));
    }

    var output = new IpTablesRuleSet(4, system);
    aggregator.Output(system, output);

    const string generatedChain = "uXTlO5H/5x9hJe9WK1hw";
    Assert.AreEqual(2, output.Chains.Count());

    var inputChain = output.Chains.GetChainOrDefault("INPUT", "filter");
    Assert.AreEqual(1, inputChain.Rules.Count);
    Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'", inputChain.Rules.First().GetActionCommand());

    var overflowChain = output.Chains.GetChainOrDefault(generatedChain, "filter");
    Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150", overflowChain.Rules.First().GetActionCommand());
}
/// <summary>
/// Removing the first and last of three rules must emit two deletes by position; the
/// second delete is "-D INPUT 2" because the first delete has already shifted the list.
/// </summary>
public void TestDeleteMultiples()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());

    const string keptRule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5";
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        keptRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    }, system);
    var rulesNew = new IpTablesRuleSet(4, new List<string> { keptRule }, system);

    var expectedCommands = new List<string> { "*filter", "-D INPUT 1", "-D INPUT 2", "COMMIT" };

    using (var client = system.GetTableAdapter(4))
    {
        factory.TestSync(client, rulesOriginal, rulesNew);
        var actualOutput = (client as IMockIpTablesRestoreGetOutput).GetOutput();
        CollectionAssert.AreEqual(actualOutput, expectedCommands);
    }
}
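/// <summary>
/// Changing only the middle rule (matched by its comment) must execute a single
/// replace (<c>-R</c>) command for that rule.
/// </summary>
public void TestUpdateMiddle()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());

    const string firstRule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"";
    const string thirdRule = "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"";

    var rulesOriginal = new IpTablesRuleSet(4, new List<string>
    {
        firstRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
        thirdRule
    }, system);
    // Only ID2's connlimit changes (2 -> 28).
    var rulesNew = new IpTablesRuleSet(4, new List<string>
    {
        firstRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
        thirdRule
    }, system);

    var expectedCommands = new List<string>
    {
        rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
    };

    // Dispose the table adapter client instead of leaking it.
    using (var client = system.GetTableAdapter(4))
    {
        mock.TestSync(client, rulesOriginal, rulesNew, expectedCommands, CommentComparer);
    }
}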
/// <summary>
/// Two identical NAT rule sets must produce no iptables-restore output at all.
/// </summary>
public void TestNatDoNothing()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());

    string[] natRules =
    {
        "-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
        "-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
    };
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>(natRules), system);
    var rulesNew = new IpTablesRuleSet(4, new List<string>(natRules), system);
    var expectedCommands = new List<string>();

    using (var client = system.GetTableAdapter(4))
    {
        factory.TestSync(client, rulesOriginal, rulesNew);
        var actualOutput = (client as IMockIpTablesRestoreGetOutput).GetOutput();
        CollectionAssert.AreEqual(actualOutput, expectedCommands);
    }
}
/// <summary>
/// Runs the sync and then asserts that the recorded <c>Commands</c> values equal
/// <paramref name="expectedCommands"/>, in order.
/// </summary>
/// <param name="rulesOriginal">Rule set representing the current state.</param>
/// <param name="rulesNew">Rule set representing the desired state.</param>
/// <param name="expectedCommands">Exact command strings the sync is expected to record.</param>
/// <param name="commentComparer">Optional comparer forwarded to the sync; may be null.</param>
public void TestSync(IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, List<string> expectedCommands, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
    TestSync(rulesOriginal, rulesNew, commentComparer);

    var recorded = new List<string>();
    foreach (var entry in Commands)
    {
        recorded.Add(entry.Value);
    }
    CollectionAssert.AreEqual(expectedCommands, recorded);
}
/// <summary>
/// Runs the sync through <paramref name="client"/> and then asserts that the recorded
/// <c>ExecutionLog</c> values equal <paramref name="expectedCommands"/>, in order.
/// </summary>
/// <param name="client">Adapter client used to perform the sync.</param>
/// <param name="rulesOriginal">Rule set representing the current state.</param>
/// <param name="rulesNew">Rule set representing the desired state.</param>
/// <param name="expectedCommands">Exact command strings the sync is expected to log.</param>
/// <param name="commentComparer">Optional comparer forwarded to the sync; may be null.</param>
public void TestSync(INetfilterAdapterClient client, IpTablesRuleSet rulesOriginal, IpTablesRuleSet rulesNew, List<string> expectedCommands, Func<IpTablesRule, IpTablesRule, bool> commentComparer = null)
{
    TestSync(client, rulesOriginal, rulesNew, commentComparer);

    var logged = new List<string>();
    foreach (var entry in ExecutionLog)
    {
        logged.Add(entry.Value);
    }
    CollectionAssert.AreEqual(expectedCommands, logged);
}
/// <summary>
/// Changing only the middle rule (matched by its comment) must produce a restore block
/// containing a single replace (<c>-R</c>) command for that rule.
/// </summary>
public void TestUpdateMiddle()
{
    var factory = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(factory, new MockIpTablesRestoreAdapter());

    const string firstRule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"";
    const string thirdRule = "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\"";

    var rulesOriginal = new IpTablesRuleSet(4, new List<string>
    {
        firstRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
        thirdRule
    }, system);
    // Only ID2's connlimit changes (2 -> 28).
    var rulesNew = new IpTablesRuleSet(4, new List<string>
    {
        firstRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
        thirdRule
    }, system);

    var replaceCommand = rulesNew.Chains.First().Rules[1].GetActionCommand("-R");
    var expectedCommands = new List<string> { "*filter", replaceCommand, "COMMIT" };

    using (var client = system.GetTableAdapter(4))
    {
        factory.TestSync(client, rulesOriginal, rulesNew, CommentComparer);
        var actualOutput = (client as IMockIpTablesRestoreGetOutput).GetOutput();
        CollectionAssert.AreEqual(actualOutput, expectedCommands);
    }
}
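/// <summary>
/// Removing the first and last of three rules must execute two positional deletes; the
/// second is "-D INPUT 2" because the first delete has already shifted the list.
/// </summary>
public void TestDeleteMultiples()
{
    var mock = new MockIptablesSystemFactory();
    var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());

    const string keptRule = "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5";
    var rulesOriginal = new IpTablesRuleSet(4, new List<string>
    {
        "-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
        keptRule,
        "-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
    }, system);
    var rulesNew = new IpTablesRuleSet(4, new List<string> { keptRule }, system);

    var expectedCommands = new List<string> { "-D INPUT 1", "-D INPUT 2" };

    // Dispose the table adapter client instead of leaking it.
    using (var client = system.GetTableAdapter(4))
    {
        mock.TestSync(client, rulesOriginal, rulesNew, expectedCommands);
    }
}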