Commit 1084a556 authored by Patrick J Cherry's avatar Patrick J Cherry

Moved ipaddr library to common package

parent eec5b85b
......@@ -2,6 +2,8 @@
# Makefile for the firewall package
#
RUBYLIB := "$(PWD)/lib:$(PWD)/ext:$(PWD)/../common/lib"
nop:
@echo "Makefile - available targets"
@echo " "
......@@ -22,7 +24,7 @@ clean:
manpages/%.man: ./sbin/%
[ -d ./manpages ] || mkdir ./manpages
RUBYLIB=./lib:./ext $< --manual | sed -e 's/^=\+$$//' | txt2man -s 1 -t $(notdir $<) | sed -e 's/\\\\fB/\\fB/' > $@
RUBYLIB=$(RUBYLIB) $< --manual | sed -e 's/^=\+$$//' | txt2man -s 1 -t $(notdir $<) | sed -e 's/\\\\fB/\\fB/' > $@
manpages: ./manpages/symbiosis-firewall-whitelist.man ./manpages/symbiosis-firewall.man ./manpages/symbiosis-firewall-blacklist.man
......@@ -31,7 +33,7 @@ all: manpages ext/symbiosis_utmp.so
distclean: clean
test: ext/symbiosis_utmp.so
@cd test && ruby ./ts_firewall.rb
@cd test && RUBYLIB=$(RUBYLIB) ruby ./ts_firewall.rb
@if [ ! -d ./i ]; then mkdir ./i ; fi
@if [ ! -d ./i/incoming.d/ ]; then mkdir ./i/incoming.d/; fi
@if [ ! -d ./i/outgoing.d/ ]; then mkdir ./i/outgoing.d/; fi
......@@ -65,7 +67,7 @@ test: ext/symbiosis_utmp.so
@echo "212.110.161.177" > i/outgoing.d/20-accept
@echo "2001:41c8:20:862:ac1:1::|48" >> i/outgoing.d/20-accept
@touch i/outgoing.d/99-reject
@ruby -I lib ./sbin/symbiosis-firewall -p ./i -t rule.d -x -v -d
@RUBYLIB=$(RUBYLIB) ruby ./sbin/symbiosis-firewall -p ./i -t rule.d -x -v -d
ext/symbiosis_utmp.so: ext/Makefile
make -C ext $(notdir $@)
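Review bot: `RUBYLIB := "$(PWD)/lib:$(PWD)/ext:$(PWD)/../common/lib"` takes `PWD` from the environment rather than from make, so when that variable is unset or stale (a scrubbed build environment, or `make -C firewall` from another directory, where the inherited PWD may still name the parent) the search path collapses to `/lib:/ext:/../common/lib` and the manpage, test and `symbiosis-firewall` invocations load whatever ruby finds there instead of this tree. Make's own `$(CURDIR)` is always the directory make is running in: `RUBYLIB := "$(CURDIR)/lib:$(CURDIR)/ext:$(CURDIR)/../common/lib"`. Since RUBYLIB decides which code the `test` target executes with `-x -v -d`, it is worth pinning it to the checkout rather than to an inherited variable.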
......
require 'ipaddr'
require 'pp'
module Symbiosis
module Firewall
class IPAddr < ::IPAddr
include Enumerable
def broadcast
case @family
when Socket::AF_INET
@mask_addr = IN4MASK if @mask_addr > IN4MASK
self.clone.set(self.network.to_i | ((~@mask_addr) & IN4MASK))
when Socket::AF_INET6
@mask_addr = IN6MASK if @mask_addr > IN6MASK
self.clone.set(self.network.to_i | ((~@mask_addr) & IN6MASK))
end
end
def network
self.clone.set(@addr & @mask_addr)
end
alias max broadcast
alias min network
def each
case @family
when Socket::AF_INET
(self.network.to_i..self.broadcast.to_i).each do |addr|
yield self.clone.set(addr).mask!(32)
end
when Socket::AF_INET6
(self.network.to_i..self.broadcast.to_i).each do |addr|
yield self.clone.set(addr).mask!(128)
end
end
end
def <=>(other)
@addr.to_i <=> other.to_i
end
def IPAddr.from_i(arg)
if arg < 0xffffffff
IPAddr.new((0..3).collect{|x| x*8}.collect{|x| (arg.to_i >> x & 0xff).to_s}.reverse.join("."))
else
IPAddr.new((0..7).collect{|x| x*16}.collect{|x| (arg.to_i >> x & 0xffff).to_s(16)}.reverse.join(":"))
end
end
def range_to_s
[_to_string(@addr), _to_string(@mask_addr)].join('/')
end
def cidr_mask
#
# Hmm.. this is a bit horrid. But without a log2 function, there's not
# much else we can do..
case @family
when Socket::AF_INET
@mask_addr = IN4MASK if @mask_addr > IN4MASK
n_addresses = ((~@mask_addr) & IN4MASK) + 1
32 - (0..32).find{|m| 2**m == n_addresses}
when Socket::AF_INET6
@mask_addr = IN6MASK if @mask_addr > IN6MASK
n_addresses = ((~@mask_addr) & IN6MASK) + 1
128 - (0..128).find{|m| 2**m == n_addresses}
end
end
#
# Append the CIDR mask if there is more than on IP in the range.
#
def to_s
s = [super]
s << cidr_mask if max.to_i - min.to_i > 0
s.join("/")
end
end
end
end
require 'symbiosis/firewall/ipaddr'
require 'symbiosis/ipaddr'
module Symbiosis
module Firewall
......
require 'symbiosis/firewall/ipaddr'
require 'symbiosis/ipaddr'
require 'symbiosis/firewall/ports'
require 'erb'
......
......@@ -69,10 +69,10 @@
require 'getoptlong'
require 'tempfile'
require 'fileutils'
require 'symbiosis/ipaddr'
require 'symbiosis/firewall/blacklist'
require 'symbiosis/firewall/directory'
require 'symbiosis/firewall/template'
require 'symbiosis/firewall/ipaddr'
require 'symbiosis/firewall/logtail'
require 'symbiosis/firewall/pattern'
......@@ -220,7 +220,7 @@ blacklist.generate.each do |ip, ports|
# Make sure we can parse stuff
#
begin
ip = IPAddr.new(ip)
ip = Symbiosis::IPAddr.new(ip)
rescue ArgumentError => err
warn "Ignoring #{ip.inspect} because of #{err.to_s}"
next
......@@ -241,8 +241,8 @@ blacklist.generate.each do |ip, ports|
#
# FIXME: Need better IPv6 conditions.
#
next if ip.ipv4? and (IPAddr.new("127.0.0.1/8").include?(ip) or IPAddr.new("0.0.0.0") == ip )
next if ip.ipv6? and !IPAddr.new("2000::/3").include?(ip)
next if ip.ipv4? and (Symbiosis::IPAddr.new("127.0.0.1/8").include?(ip) or Symbiosis::IPAddr.new("0.0.0.0") == ip )
next if ip.ipv6? and !Symbiosis::IPAddr.new("2000::/3").include?(ip)
puts "Found IP address: #{ip}" if ( $VERBOSE )
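Review bot: The two `next if` lines use `and`/`or`, which bind looser than `!`/`==` and are easy to misread when the condition is later extended; since the commit rewrites these lines anyway, switching to `&&`/`||` and hoisting the two constant addresses out of the loop would make the intent clearer, e.g. `next if ip.ipv4? && (LOOPBACK_V4.include?(ip) || UNSPECIFIED_V4 == ip)` with `LOOPBACK_V4 = Symbiosis::IPAddr.new("127.0.0.0/8")` and `UNSPECIFIED_V4 = Symbiosis::IPAddr.new("0.0.0.0")` defined once near the requires. The existing FIXME still stands: only IPv6 sources inside `2000::/3` survive, so ULA (fc00::/7) and link-local addresses are dropped silently; if that is intentional a one-line comment saying so would help. The enclosing `blacklist.generate.each` block starts before this hunk.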
......
......@@ -64,7 +64,7 @@ require 'fileutils'
require 'symbiosis/utmp'
require 'symbiosis/firewall/directory'
require 'symbiosis/firewall/template'
require 'symbiosis/firewall/ipaddr'
require 'symbiosis/ipaddr'
#
......@@ -204,7 +204,7 @@ updated=false
Symbiosis::Utmp.read(wtmp_file).each do |entry|
begin
ip = Symbiosis::Firewall::IPAddr.new(entry['ip'].to_s)
ip = Symbiosis::IPAddr.new(entry['ip'].to_s)
rescue ArgumentError
#
# Oops. Can't interpret the IP.
......@@ -233,8 +233,8 @@ Symbiosis::Utmp.read(wtmp_file).each do |entry|
#
# FIXME: Need better IPv6 conditions.
#
next if ip.ipv4? and (IPAddr.new("127.0.0.1/8").include?(ip) or IPAddr.new("0.0.0.0") == ip )
next if ip.ipv6? and !IPAddr.new("2000::/3").include?(ip)
next if ip.ipv4? and (Symbiosis::IPAddr.new("127.0.0.1/8").include?(ip) or Symbiosis::IPAddr.new("0.0.0.0") == ip )
next if ip.ipv6? and !Symbiosis::IPAddr.new("2000::/3").include?(ip)
puts "Found IP address: #{ip}" if ( $VERBOSE )
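Review bot: The two `next if` lines now duplicate the exclusion logic in symbiosis-firewall-blacklist line for line (loopback and `0.0.0.0` for IPv4, anything outside `2000::/3` for IPv6), and both copies carry the same "Need better IPv6 conditions" FIXME; since this commit already moves `IPAddr` into the shared common package, that predicate is a natural candidate to live there too, e.g. a single `next unless ip.routable?` so there is one place to fix when the IPv6 rule is improved. If the whitelist and blacklist rules are meant to differ, a comment stating why would stop a later edit from "fixing" only one copy. The `Symbiosis::Utmp.read(wtmp_file).each` block this sits in starts before the hunk, and the `rescue ArgumentError` branch above is cut off, so whether a bad wtmp entry is logged (as the blacklist script does with `warn`) cannot be seen here.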
......
$: << "../lib/"
require 'symbiosis/firewall/ipaddr'
require 'test/unit'
require 'pp'
class TestIPAddr < Test::Unit::TestCase
include Symbiosis::Firewall
def test_to_s
assert_equal("1.2.3.4/32", IPAddr.new("1.2.3.4/32").to_s)
assert_equal("1.2.3.0/24", IPAddr.new("1.2.3.4/24").to_s)
assert_equal("2001:dead:beef:cafe:1234::1/128",IPAddr.new("2001:dead:beef:cafe:1234::1/128").to_s)
assert_equal("2001:dead:beef:cafe::/64",IPAddr.new("2001:dead:beef:cafe:1234::1/64").to_s)
end
def test_equality
assert_equal(IPAddr.new("1.2.3.4/24"), IPAddr.new("1.2.3.4/24"))
end
end