r26130 - in /branches/upstream/libiptables-parse-perl/current: Changes VERSION lib/IPTables/Parse.pm
Sat Oct 18 08:45:44 UTC 2008
Author: thialme-guest
Date: Sat Oct 18 08:45:41 2008
New Revision: 26130
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=26130
Log:
[svn-upgrade] Integrating new upstream version, libiptables-parse-perl (0.7)
Modified:
branches/upstream/libiptables-parse-perl/current/Changes
branches/upstream/libiptables-parse-perl/current/VERSION
branches/upstream/libiptables-parse-perl/current/lib/IPTables/Parse.pm
Modified: branches/upstream/libiptables-parse-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libiptables-parse-perl/current/Changes?rev=26130&op=diff
==============================================================================
--- branches/upstream/libiptables-parse-perl/current/Changes (original)
+++ branches/upstream/libiptables-parse-perl/current/Changes Sat Oct 18 08:45:41 2008
@@ -1,13 +1,25 @@
Revision history for Perl extension IPTables::Parse.
+0.7 Fri Oct 17 11:55:01 2008
+ - Completely re-worked the manner in which iptables commands are executed
+ so that they are sent through a single function with various options
+ (described below) for controlling execution.
+ - Added the ability to control iptables execution model. The default is to
+ use waitpid(), but other options are to use system() or popen().
+ - Added the ability to introduce a configurable time delay between each
+ iptables command.
+ - Added the ability to use a function reference for the SIGCHLD signal
+ handler.
+ - Added the ability to configure the number of seconds used as the alarm
+ timeout for iptables command execution in the waitpid() execution model.
+
0.6 Mon May 19 10:15:01 2008
- - Added perldoc documentation for 0.6 release.
+ - Added perldoc documentation for 0.6 release.
0.3 12/18/2005
- Added test for ULOG target
- Update to allow -v iptables output (which may be supplied in a file).
0.01 Sat Feb 5 15:18:37 2005
- - original version; created by h2xs 1.23 with options
- -A -X -b 5.6.0 -n IPTables::Parse
-
+ - original version; created by h2xs 1.23 with options
+ -A -X -b 5.6.0 -n IPTables::Parse
Modified: branches/upstream/libiptables-parse-perl/current/VERSION
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libiptables-parse-perl/current/VERSION?rev=26130&op=diff
==============================================================================
--- branches/upstream/libiptables-parse-perl/current/VERSION (original)
+++ branches/upstream/libiptables-parse-perl/current/VERSION Sat Oct 18 08:45:41 2008
@@ -1,1 +1,1 @@
-0.6
+0.7
Modified: branches/upstream/libiptables-parse-perl/current/lib/IPTables/Parse.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libiptables-parse-perl/current/lib/IPTables/Parse.pm?rev=26130&op=diff
==============================================================================
--- branches/upstream/libiptables-parse-perl/current/lib/IPTables/Parse.pm (original)
+++ branches/upstream/libiptables-parse-perl/current/lib/IPTables/Parse.pm Sat Oct 18 08:45:41 2008
@@ -7,7 +7,7 @@
#
# Author: Michael Rash (mbr at cipherdyne.org)
#
-# Version: 0.6
+# Version: 0.7
#
##################################################################
#
@@ -17,19 +17,28 @@
package IPTables::Parse;
use 5.006;
+use POSIX ":sys_wait_h";
use Carp;
use strict;
use warnings;
use vars qw($VERSION);
-$VERSION = '0.5';
+$VERSION = '0.7';
sub new() {
my $class = shift;
my %args = @_;
my $self = {
- _iptables => $args{'iptables'} || '/sbin/iptables'
+ _iptables => $args{'iptables'} || '/sbin/iptables',
+ _iptout => $args{'iptout'} || '/tmp/ipt.out',
+ _ipterr => $args{'ipterr'} || '/tmp/ipt.err',
+ _ipt_alarm => $args{'ipt_alarm'} || 30,
+ _debug => $args{'debug'} || 0,
+ _verbose => $args{'verbose'} || 0,
+ _ipt_exec_style => $args{'ipt_exec_style'} || 'waitpid',
+ _ipt_exec_sleep => $args{'ipt_exec_sleep'} || 0,
+ _sigchld_handler => $args{'sigchld_handler'} || \&REAPER,
};
croak "[*] $self->{'_iptables'} incorrect path.\n"
unless -e $self->{'_iptables'};
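Review bot: The new `iptout`/`ipterr` defaults are fixed names in the world-writable `/tmp` (`'/tmp/ipt.out'`, `'/tmp/ipt.err'`), and the `exec_iptables()` added further down opens them with a truncating `>` redirection while the process, because it drives iptables, is normally root; a local user who pre-creates `/tmp/ipt.out` as a symlink gets an arbitrary file truncated and overwritten, and every local user can read the dumped firewall policy. Default to per-process temporary files (the core `File::Temp` module, `tempfile(UNLINK => 1)`) or at least a directory only root can write to, and document in the POD that callers who pass their own `iptout`/`ipterr` must choose a path other users cannot write. `new()` continues past the end of this hunk.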
@@ -53,12 +62,9 @@
@ipt_lines = <F>;
close F;
} else {
- eval {
- open IPT, "$iptables -t $table -n -L $chain -v |"
- or croak "[*] Could not execute $iptables -t $table -n -L $chain -v";
- @ipt_lines = <IPT>;
- close IPT;
- };
+ my ($rv, $out_ar, $err_ar) = $self->exec_iptables(
+ "$iptables -t $table -v -n -L $chain");
+ @ipt_lines = @$out_ar;
}
my $policy = '';
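Review bot: `$rv` and `$err_ar` returned by `exec_iptables()` are bound and then ignored, so when the command fails the code falls through to `my $policy = '';` and parses whatever `@ipt_lines` holds — and because `exec_iptables()` reads `$iptout` back whenever the file merely exists, that can be the output of an earlier run rather than nothing. Bail out before parsing when `$rv` is false, using the failure value this function's callers expect, e.g. `return {}, 0 unless $rv;` if this is one of the `($ipt_hr, $rv)` functions shown in the POD. The same discarded `$rv` appears at the identical call sites in the next two hunks. The enclosing function starts before this hunk.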
@@ -100,12 +106,9 @@
@ipt_lines = <F>;
close F;
} else {
- eval {
- open IPT, "$iptables -t $table -n -L $chain -v |"
- or croak "[*] Could not execute $iptables -t $table -n -L $chain -v";
- @ipt_lines = <IPT>;
- close IPT;
- };
+ my ($rv, $out_ar, $err_ar) = $self->exec_iptables(
+ "$iptables -t $table -v -n -L $chain");
+ @ipt_lines = @$out_ar;
}
### determine the output style (e.g. "-nL -v" or just plain "-nL"; if the
@@ -300,12 +303,9 @@
close F;
} else {
### FIXME -v for interfaces?
- eval {
- open IPT, "$iptables -t $table -n -L $chain |"
- or croak "[*] Could not execute $iptables -t $table -n -L $chain";
- @ipt_lines = <IPT>;
- close IPT;
- };
+ my ($rv, $out_ar, $err_ar) = $self->exec_iptables(
+ "$iptables -t $table -n -L $chain");
+ @ipt_lines = @$out_ar;
}
return '[-] Could not get iptables output!', 0
@@ -390,12 +390,9 @@
@ipt_lines = <F>;
close F;
} else {
- eval {
- open IPT, "$iptables -t $table -n -L |"
- or croak "[*] Could not execute $iptables -t $table -n -L";
- @ipt_lines = <IPT>;
- close IPT;
- };
+ my ($rv, $out_ar, $err_ar) = $self->exec_iptables(
+ "$iptables -t $table -n -L $chain");
+ @ipt_lines = @$out_ar;
}
### determine the output style (e.g. "-nL -v" or just plain "-nL"; if the
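Review bot: The rebuilt command appends `$chain` (`"$iptables -t $table -n -L $chain"`) where the removed line ran `-n -L` with no chain, so this hunk changes what is executed, not just how it is executed; unless a `$chain` is already in scope here with the intended value, a function that used to see every chain of the table now lists a single chain, or runs with an empty trailing argument. Either restore the chain-less command or confirm that this function's callers want one chain, and record the behaviour change in Changes. As at the other call sites `$rv` is discarded. The enclosing function starts before this hunk.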
@@ -508,6 +505,131 @@
return;
}
+sub exec_iptables() {
+ my $self = shift;
+ my $cmd = shift || croak '[*] Must specify an iptables command to run.';
+ my $iptables = $self->{'_iptables'};
+ my $iptout = $self->{'_iptout'};
+ my $ipterr = $self->{'_ipterr'};
+ my $debug = $self->{'_debug'};
+ my $ipt_alarm = $self->{'_ipt_alarm'};
+ my $verbose = $self->{'_verbose'};
+ my $ipt_exec_style = $self->{'_ipt_exec_style'};
+ my $ipt_exec_sleep = $self->{'_ipt_exec_sleep'};
+ my $sigchld_handler = $self->{'_sigchld_handler'};
+
+ croak "[*] $cmd does not look like an iptables command."
+ unless $cmd =~ m|^\s*iptables| or $cmd =~ m|^\S+/iptables|;
+
+ my $rv = 1;
+ my @stdout = ();
+ my @stderr = ();
+
+ my $fh = *STDERR;
+ $fh = *STDOUT if $verbose;
+
+ if ($debug or $verbose) {
+ print $fh localtime() . " [+] IPTables::Parse::",
+ "exec_iptables(${ipt_exec_style}()) $cmd\n";
+ if ($ipt_exec_sleep > 0) {
+ print $fh localtime() . " [+] IPTables::Parse::",
+ "exec_iptables() sleep seconds: $ipt_exec_sleep\n";
+ }
+ }
+
+ if ($ipt_exec_sleep > 0) {
+ if ($debug or $verbose) {
+ print $fh localtime() . " [+] IPTables::Parse: ",
+ "sleeping for $ipt_exec_sleep seconds before ",
+ "executing iptables command.\n";
+ }
+ sleep $ipt_exec_sleep;
+ }
+
+ if ($ipt_exec_style eq 'system') {
+ system qq{$cmd > $iptout 2> $ipterr};
+ } elsif ($ipt_exec_style eq 'popen') {
+ open CMD, "$cmd 2> $ipterr |" or croak "[*] Could not execute $cmd: $!";
+ @stdout = <CMD>;
+ close CMD;
+ open F, "> $iptout" or croak "[*] Could not open $iptout: $!";
+ print F for @stdout;
+ close F;
+ } else {
+ my $ipt_pid;
+
+ if ($debug or $verbose) {
+ print $fh localtime() . " [+] IPTables::Parse: " .
+ "Setting SIGCHLD handler to: " . $sigchld_handler . "\n";
+ }
+
+ local $SIG{'CHLD'} = $sigchld_handler;
+ if ($ipt_pid = fork()) {
+ eval {
+ ### iptables should never take longer than 30 seconds to execute,
+ ### unless there is some absolutely enormous policy or the kernel
+ ### is exceedingly busy
+ local $SIG{'ALRM'} = sub {die "[*] iptables command timeout.\n"};
+ alarm $ipt_alarm;
+ waitpid($ipt_pid, 0);
+ alarm 0;
+ };
+ if ($@) {
+ kill 9, $ipt_pid unless kill 15, $ipt_pid;
+ }
+ } else {
+ croak "[*] Could not fork iptables: $!"
+ unless defined $ipt_pid;
+
+ ### exec the iptables command and preserve stdout and stderr
+ exec qq{$cmd > $iptout 2> $ipterr};
+ }
+ }
+
+ if (-e $iptout) {
+ open F, "< $iptout" or croak "[*] Could not open $iptout";
+ @stdout = <F>;
+ close F;
+ }
+ if (-e $ipterr) {
+ open F, "< $ipterr" or croak "[*] Could not open $ipterr";
+ @stderr = <F>;
+ close F;
+
+ $rv = 0 if @stderr;
+ }
+
+ if ($debug or $verbose) {
+ print $fh localtime() . " iptables command stdout:\n";
+ for my $line (@stdout) {
+ if ($line =~ /\n$/) {
+ print $fh $line;
+ } else {
+ print $fh $line, "\n";
+ }
+ }
+ print $fh localtime() . " iptables command stderr:\n";
+ for my $line (@stderr) {
+ if ($line =~ /\n$/) {
+ print $fh $line;
+ } else {
+ print $fh $line, "\n";
+ }
+ }
+ }
+
+ return $rv, \@stdout, \@stderr;
+}
+
+sub REAPER {
+ my $stiff;
+ while(($stiff = waitpid(-1,WNOHANG))>0){
+ # do something with $stiff if you want
+ }
+ local $SIG{'CHLD'} = \&REAPER;
+ return;
+}
+
1;
__END__
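Review bot: All three execution styles hand `$cmd` to a shell as one interpolated string (`system qq{$cmd > $iptout 2> $ipterr}`, `open CMD, "$cmd 2> $ipterr |"`, `exec qq{$cmd > $iptout 2> $ipterr}`), so the `$table`/`$chain` values the callers splice into the command and the `iptout`/`ipterr` paths are interpreted by the shell; the guard `croak ... unless $cmd =~ m|^\s*iptables| or $cmd =~ m|^\S+/iptables|` only checks the prefix and stops nothing that follows it, which in a root process is a command injection for any chain name taken from a config file or the network. In the fork branch the child does not exit if `exec` fails, so it returns from `exec_iptables()` and keeps running the caller's code as a duplicate process, `$?` is never consulted so iptables' exit status is lost (`$rv` only reflects a non-empty stderr), and the `-e $iptout` readback returns a stale file from a previous run after a failed or timed-out command. In `REAPER` the `local $SIG{'CHLD'} = \&REAPER;` is undone when the handler returns, so the re-arm is a no-op, and its `waitpid(-1, WNOHANG)` can reap the child before the parent's `waitpid($ipt_pid, 0)`, discarding the status it wanted. For the default waitpid style the child can redirect in-process and exec an argument list, which removes the shell from the path entirely; `exec_iptables()` and `REAPER()` are wholly within this hunk.
```perl
    } else {
        croak "[*] Could not fork iptables: $!"
            unless defined $ipt_pid;

        ### redirect in the child and exec an argument list so that no
        ### shell ever interprets $cmd or the output paths
        open STDOUT, '>', $iptout or die "[*] Could not open $iptout: $!";
        open STDERR, '>', $ipterr or die "[*] Could not open $ipterr: $!";
        my @argv = split ' ', $cmd;
        exec { $argv[0] } @argv;
        warn "[*] Could not exec $argv[0]: $!\n";
        POSIX::_exit(1);   # never fall back into the parent's code path
    }
```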
@@ -535,7 +657,7 @@
my $table = 'filter';
my $chain = 'INPUT';
- my ($ipt_hr, $rv) = $ipt_obj->default_drop('filer', 'INPUT');
+ my ($ipt_hr, $rv) = $ipt_obj->default_drop($table, $chain);
if ($rv) {
if (defined $ipt_hr->{'all'}) {
print "The INPUT chain has a default DROP rule for all protocols.\n";
@@ -550,7 +672,7 @@
print "[-] Could not parse iptables policy\n";
}
- ($ipt_hr, $rv) = $ipt_obj->default_log('filer', 'INPUT');
+ ($ipt_hr, $rv) = $ipt_obj->default_log($table, $chain);
if ($rv) {
if (defined $ipt_hr->{'all'}) {
print "The INPUT chain has a default LOG rule for all protocols.\n";