r26135 - in /trunk/libiptables-chainmgr-perl: Changes VERSION debian/changelog debian/control lib/IPTables/ChainMgr.pm

thialme-guest at users.alioth.debian.org thialme-guest at users.alioth.debian.org
Sat Oct 18 11:01:53 UTC 2008


Author: thialme-guest
Date: Sat Oct 18 11:01:46 2008
New Revision: 26135

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=26135
Log:
Upgraded package to version 0.8.

- Merged upstream tarball into trunk.
- Bumped up Standards-Version to 3.8.0 (no changes).
- Updated build-dependencies for libiptables-parse-perl (>= 0.7).
- Updated dependencies for libiptables-parse-perl (>=0.7-1).


Modified:
    trunk/libiptables-chainmgr-perl/Changes
    trunk/libiptables-chainmgr-perl/VERSION
    trunk/libiptables-chainmgr-perl/debian/changelog
    trunk/libiptables-chainmgr-perl/debian/control
    trunk/libiptables-chainmgr-perl/lib/IPTables/ChainMgr.pm

Modified: trunk/libiptables-chainmgr-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/Changes?rev=26135&op=diff
==============================================================================
--- trunk/libiptables-chainmgr-perl/Changes (original)
+++ trunk/libiptables-chainmgr-perl/Changes Sat Oct 18 11:01:46 2008
@@ -1,8 +1,24 @@
 Revision history for Perl extension IPTables::ChainMgr.
 
+0.8 Fri Oct 17 11:35:15 2008
+    - Added the ability to control iptables execution model.  The default is to
+      use waitpid(), but other options are to use system() or popen().
+    - Added the ability to introduce a configurable time delay between each
+      iptables command.
+    - Added the ability to use a function reference for the SIGCHLD signal
+      handler.
+    - Added the ability to configure the number of seconds used as the alarm
+      timeout for iptables command execution in the waitpid() execution model.
+    - Passed IPTables::ChainMgr option for execution model, configurable alarm
+      timeouts, the SIGCHLD signal handler reference, and the configurable
+      number of seconds for additional sleeps between iptables commands to the
+      IPTables::Parse module.
+    - Bugfix for SIGALRM handling to be more consistent with an example from
+      the perlipc man page.
+
 0.7 Sat May 17 10:49:15 2008
-	- Added perldoc documentation for 0.7 release.
+    - Added perldoc documentation for 0.7 release.
 
 0.01  Tue Feb 22 01:18:14 2005
-	- original version; created by h2xs 1.23 with options
-		-A -X -b 5.6.0 -n IPTables::ChainMgr
+    - original version; created by h2xs 1.23 with options
+        -A -X -b 5.6.0 -n IPTables::ChainMgr

Modified: trunk/libiptables-chainmgr-perl/VERSION
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/VERSION?rev=26135&op=diff
==============================================================================
--- trunk/libiptables-chainmgr-perl/VERSION (original)
+++ trunk/libiptables-chainmgr-perl/VERSION Sat Oct 18 11:01:46 2008
@@ -1,1 +1,1 @@
-0.7
+0.8

Modified: trunk/libiptables-chainmgr-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/debian/changelog?rev=26135&op=diff
==============================================================================
--- trunk/libiptables-chainmgr-perl/debian/changelog (original)
+++ trunk/libiptables-chainmgr-perl/debian/changelog Sat Oct 18 11:01:46 2008
@@ -1,3 +1,12 @@
+libiptables-chainmgr-perl (0.8-1) UNRELEASED; urgency=low
+
+  * New upstream release
+  * Bumped up Standards-Version to 3.8.0 (no changes).
+  * Updated build-dependencies for libiptables-parse-perl (>= 0.7).
+  * Updated dependencies for libiptables-parse-perl (>=0.7-1).
+
+ -- Franck Joncourt <franck.mail at dthconnex.com>  Sat, 18 Oct 2008 11:24:44 +0200
+
 libiptables-chainmgr-perl (0.7-1) unstable; urgency=low
 
   * Initial release (Closes: #481544) 

Modified: trunk/libiptables-chainmgr-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/debian/control?rev=26135&op=diff
==============================================================================
--- trunk/libiptables-chainmgr-perl/debian/control (original)
+++ trunk/libiptables-chainmgr-perl/debian/control Sat Oct 18 11:01:46 2008
@@ -2,17 +2,17 @@
 Section: perl
 Priority: optional
 Build-Depends: debhelper (>= 5)
-Build-Depends-Indep: perl (>= 5.6.10-12), libiptables-parse-perl, libnetwork-ipv4addr-perl
+Build-Depends-Indep: perl (>= 5.6.10-12), libiptables-parse-perl (>= 0.7), libnetwork-ipv4addr-perl
 Maintainer: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>
 Uploaders: Franck Joncourt <franck.mail at dthconnex.com>
-Standards-Version: 3.7.3
+Standards-Version: 3.8.0
 Homepage: http://www.cipherdyne.com/modules/
 Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libiptables-chainmgr-perl/
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/
 
 Package: libiptables-chainmgr-perl
 Architecture: all
-Depends: ${perl:Depends}, ${misc:Depends}, libiptables-parse-perl, libnetwork-ipv4addr-perl
+Depends: ${perl:Depends}, ${misc:Depends}, libiptables-parse-perl (>= 0.7-1), libnetwork-ipv4addr-perl
 Conflicts: psad (<= 2.1.2-1)
 Replaces: psad (<= 2.1.2-1)
 Description: Perl extension for manipulating iptables policies

Modified: trunk/libiptables-chainmgr-perl/lib/IPTables/ChainMgr.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libiptables-chainmgr-perl/lib/IPTables/ChainMgr.pm?rev=26135&op=diff
==============================================================================
--- trunk/libiptables-chainmgr-perl/lib/IPTables/ChainMgr.pm (original)
+++ trunk/libiptables-chainmgr-perl/lib/IPTables/ChainMgr.pm Sat Oct 18 11:01:46 2008
@@ -10,7 +10,7 @@
 #
 # Author: Michael Rash (mbr at cipherdyne.org)
 #
-# Version: 0.7
+# Version: 0.8
 #
 ##############################################################################
 #
@@ -28,18 +28,22 @@
 use warnings;
 use vars qw($VERSION);
 
-$VERSION = '0.5';
+$VERSION = '0.8';
 
 sub new() {
     my $class = shift;
     my %args  = @_;
 
     my $self = {
-        _iptables => $args{'iptables'} || '/sbin/iptables',
-        _iptout   => $args{'iptout'}   || '/tmp/ipt.out',
-        _ipterr   => $args{'ipterr'}   || '/tmp/ipt.err',
-        _debug    => $args{'debug'}    || 0,
-        _verbose  => $args{'verbose'}  || 0,
+        _iptables  => $args{'iptables'}  || '/sbin/iptables',
+        _iptout    => $args{'iptout'}    || '/tmp/ipt.out',
+        _ipterr    => $args{'ipterr'}    || '/tmp/ipt.err',
+        _ipt_alarm => $args{'ipt_alarm'} || 30,
+        _debug     => $args{'debug'}     || 0,
+        _verbose   => $args{'verbose'}   || 0,
+        _ipt_exec_style => $args{'ipt_exec_style'} || 'waitpid',
+        _ipt_exec_sleep => $args{'ipt_exec_sleep'} || 0,
+        _sigchld_handler => $args{'sigchld_handler'} || \&REAPER,
     };
     croak "[*] $self->{'_iptables'} incorrect iptables path.\n"
         unless -e $self->{'_iptables'};
@@ -123,21 +127,21 @@
     return $self->run_ipt_cmd("$iptables -t $table -X $del_chain");
 }
 
-sub add_ip_rule() {
+sub append_ip_rule() {
     my $self = shift;
     my $src = shift || croak '[-] Must specify a src address/network.';
     my $dst = shift || croak '[-] Must specify a dst address/network.';
-    my $rulenum = shift || croak '[-] Must specify an insert rule number.';
     my $table   = shift || croak '[-] Must specify a table, e.g. "filter".';
     my $chain   = shift || croak '[-] Must specify a chain.';
     my $target  = shift ||
         croak '[-] Must specify a iptables target, e.g. "DROP"';
+
     ### optionally add port numbers and protocols, etc.
     my $extended_href = shift || {};
     my $iptables = $self->{'_iptables'};
 
     ### normalize src/dst if necessary; this is because iptables
-    ### always reports network address for subnets
+    ### always reports the network address for subnets
     my $normalized_src = $self->normalize_net($src);
     my $normalized_dst = $self->normalize_net($dst);
 
@@ -168,6 +172,93 @@
     my $msg     = '';
     my $idx_err = '';
 
+    if ($extended_href) {
+        $ipt_cmd = "$iptables -t $table -A $chain ";
+        $ipt_cmd .= "-p $extended_href->{'protocol'} "
+            if defined $extended_href->{'protocol'};
+        $ipt_cmd .= "-s $normalized_src ";
+        $ipt_cmd .= "--sport $extended_href->{'s_port'} "
+            if defined $extended_href->{'s_port'};
+        $ipt_cmd .= "-d $normalized_dst ";
+        $ipt_cmd .= "--dport $extended_href->{'d_port'} "
+            if defined $extended_href->{'d_port'};
+        $ipt_cmd .= "-j $target";
+
+        $msg = "Table: $table, chain: $chain, added $normalized_src " .
+            "-> $normalized_dst ";
+        for my $key qw(protocol s_port d_port) {
+            $msg .= "$key $extended_href->{$key} "
+                if defined $extended_href->{$key};
+        }
+
+        ### for NAT
+        if (defined $extended_href->{'to_ip'} and
+                defined $extended_href->{'to_port'}) {
+            $ipt_cmd .= " --to $extended_href->{'to_ip'}:" .
+                "$extended_href->{'to_port'}";
+            $msg .= "$extended_href->{'to_ip'}:$extended_href->{'to_port'}";
+        }
+
+        $msg =~ s/\s*$//;
+    } else {
+        $ipt_cmd = "$iptables -t $table -A $chain " .
+            "-s $normalized_src -d $normalized_dst -j $target";
+        $msg = "Table: $table, chain: $chain, added $normalized_src " .
+            "-> $normalized_dst";
+    }
+    my ($rv, $out_aref, $err_aref) = $self->run_ipt_cmd($ipt_cmd);
+    if ($rv) {
+        push @$out_aref, $msg if $msg;
+    }
+    push @$err_aref, $idx_err if $idx_err;
+    return $rv, $out_aref, $err_aref;
+}
+
+sub add_ip_rule() {
+    my $self = shift;
+    my $src = shift || croak '[-] Must specify a src address/network.';
+    my $dst = shift || croak '[-] Must specify a dst address/network.';
+    my $rulenum = shift || croak '[-] Must specify an insert rule number.';
+    my $table   = shift || croak '[-] Must specify a table, e.g. "filter".';
+    my $chain   = shift || croak '[-] Must specify a chain.';
+    my $target  = shift ||
+        croak '[-] Must specify a iptables target, e.g. "DROP"';
+    ### optionally add port numbers and protocols, etc.
+    my $extended_href = shift || {};
+    my $iptables = $self->{'_iptables'};
+
+    ### normalize src/dst if necessary; this is because iptables
+    ### always reports the network address for subnets
+    my $normalized_src = $self->normalize_net($src);
+    my $normalized_dst = $self->normalize_net($dst);
+
+    ### first check to see if this rule already exists
+    my ($rule_position, $num_chain_rules)
+            = $self->find_ip_rule($normalized_src, $normalized_dst, $table,
+                $chain, $target, $extended_href);
+
+    if ($rule_position) {
+        my $msg = '';
+        if ($extended_href) {
+            $msg = "Table: $table, chain: $chain, $normalized_src -> " .
+                "$normalized_dst ";
+            for my $key qw(protocol s_port d_port) {
+                $msg .= "$key $extended_href->{$key} "
+                    if defined $extended_href->{$key};
+            }
+            $msg .= 'rule already exists.';
+        } else {
+            $msg = "Table: $table, chain: $chain, $normalized_src -> " .
+                "$normalized_dst rule already exists.";
+        }
+        return 1, [$msg], [];
+    }
+
+    ### we need to add the rule
+    my $ipt_cmd = '';
+    my $msg     = '';
+    my $idx_err = '';
+
     ### check to see if the insertion index ($rulenum) is too big
     $rulenum = 1 if $rulenum <= 0;
     if ($rulenum > $num_chain_rules+1) {
@@ -267,6 +358,8 @@
 
 sub find_ip_rule() {
     my $self = shift;
+    my $debug   = $self->{'_debug'};
+    my $verbose = $self->{'_verbose'};
     my $src   = shift || croak '[*] Must specify source address.';
     my $dst   = shift || croak '[*] Must specify destination address.';
     my $table = shift || croak '[*] Must specify iptables table.';
@@ -277,8 +370,25 @@
     my $extended_href = shift || {};
     my $iptables = $self->{'_iptables'};
 
-    my $ipt_parse = new IPTables::Parse('iptables' => $iptables)
-        or croak "[*] Could not acquire IPTables::Parse object";
+    my $ipt_parse = new IPTables::Parse(
+        'iptables'  => $self->{'_iptables'},
+        'iptout'    => $self->{'_iptout'},
+        'ipterr'    => $self->{'_ipterr'},
+        'debug'     => $self->{'_debug'},
+        'verbose'   => $self->{'_verbose'},
+        'ipt_alarm' => $self->{'_ipt_alarm'},
+        'ipt_exec_style' => $self->{'_ipt_exec_style'},
+        'ipt_exec_sleep' => $self->{'_ipt_exec_sleep'},
+        'sigchld_handler' => $self->{'_sigchld_handler'},
+    ) or croak "[*] Could not acquire IPTables::Parse object";
+
+    my $fh = *STDERR;
+    $fh = *STDOUT if $verbose;
+
+    if ($debug or $verbose) {
+        print $fh localtime() . " [+] IPTables::Parse::VERSION",
+            "$IPTables::Parse::VERSION\n"
+    }
 
     my $chain_aref = $ipt_parse->chain_rules($table, $chain);
 
@@ -396,54 +506,89 @@
     return;
 }
 
-
 sub run_ipt_cmd() {
     my $self  = shift;
     my $cmd = shift || croak '[*] Must specify an iptables command to run.';
-    my $iptables = $self->{'_iptables'};
-    my $iptout   = $self->{'_iptout'};
-    my $ipterr   = $self->{'_ipterr'};
-    my $debug    = $self->{'_debug'};
-    my $verbose  = $self->{'_verbose'};
+    my $iptables  = $self->{'_iptables'};
+    my $iptout    = $self->{'_iptout'};
+    my $ipterr    = $self->{'_ipterr'};
+    my $debug     = $self->{'_debug'};
+    my $ipt_alarm = $self->{'_ipt_alarm'};
+    my $verbose   = $self->{'_verbose'};
+    my $ipt_exec_style = $self->{'_ipt_exec_style'};
+    my $ipt_exec_sleep = $self->{'_ipt_exec_sleep'};
+    my $sigchld_handler = $self->{'_sigchld_handler'};
+
     croak "[*] $cmd does not look like an iptables command."
         unless $cmd =~ m|^\s*iptables| or $cmd =~ m|^\S+/iptables|;
-
-    my $fh = *STDERR;
-    $fh = *STDOUT if $verbose;
-
-    if ($debug or $verbose) {
-        print $fh localtime() . " [+] IPTables::ChainMgr::run_ipt_cmd() $cmd\n";
-    }
-
-    my $ipt_pid;
-
-    local $SIG{'CHLD'} = \&REAPER;
-    if ($ipt_pid = fork()) {
-        local $SIG{'ALRM'} = sub {die "[*] iptables command timeout.\n"};
-        ### iptables should never take longer than 60 seconds to execute,
-        ### unless there is some absolutely enormous policy or the kernel
-        ### is exceedingly busy
-        alarm 60;
-        eval {
-            waitpid($ipt_pid, 0);
-        };
-        alarm 0;
-        if ($@) {
-            kill 9, $ipt_pid unless kill 15, $ipt_pid;
-        }
-    } else {
-        die "[*] Could not fork iptables: $!"
-            unless defined $ipt_pid;
-
-        ### exec the iptables command and preserve stdout and stderr
-        exec qq{$cmd > $iptout 2> $ipterr};
-    }
 
     my $rv = 1;
     my @stdout = ();
     my @stderr = ();
 
-    if (-e $iptout) {
+    my $fh = *STDERR;
+    $fh = *STDOUT if $verbose;
+
+    if ($debug or $verbose) {
+        print $fh localtime() . " [+] IPTables::ChainMgr::",
+            "run_ipt_cmd(${ipt_exec_style}()) $cmd\n";
+        if ($ipt_exec_sleep > 0) {
+            print $fh localtime() . " [+] IPTables::ChainMgr::",
+                "run_ipt_cmd() sleep seconds: $ipt_exec_sleep\n";
+        }
+    }
+
+    if ($ipt_exec_sleep > 0) {
+
+        if ($debug or $verbose) {
+            print $fh localtime() . " [+] IPTables::ChainMgr: ",
+                "sleeping for $ipt_exec_sleep seconds before ",
+                "executing iptables command.\n";
+        }
+        sleep $ipt_exec_sleep;
+    }
+
+    if ($ipt_exec_style eq 'system') {
+        system qq{$cmd > $iptout 2> $ipterr};
+    } elsif ($ipt_exec_style eq 'popen') {
+        open CMD, "$cmd 2> $ipterr |" or croak "[*] Could not execute $cmd: $!";
+        @stdout = <CMD>;
+        close CMD;
+        open F, "> $iptout" or croak "[*] Could not open $iptout: $!";
+        print F for @stdout;
+        close F;
+    } else {
+        my $ipt_pid;
+
+        if ($debug or $verbose) {
+            print $fh localtime() . " [+] IPTables::ChainMgr: " .
+                "Setting SIGCHLD handler to: " . $sigchld_handler . "\n";
+        }
+
+        local $SIG{'CHLD'} = $sigchld_handler;
+        if ($ipt_pid = fork()) {
+            eval {
+                ### iptables should never take longer than 30 seconds to execute,
+                ### unless there is some absolutely enormous policy or the kernel
+                ### is exceedingly busy
+                local $SIG{'ALRM'} = sub {die "[*] iptables command timeout.\n"};
+                alarm $ipt_alarm;
+                waitpid($ipt_pid, 0);
+                alarm 0;
+            };
+            if ($@) {
+                kill 9, $ipt_pid unless kill 15, $ipt_pid;
+            }
+        } else {
+            croak "[*] Could not fork iptables: $!"
+                unless defined $ipt_pid;
+
+            ### exec the iptables command and preserve stdout and stderr
+            exec qq{$cmd > $iptout 2> $ipterr};
+        }
+    }
+
+    if (not @stdout and -e $iptout) {
         open F, "< $iptout" or croak "[*] Could not open $iptout";
         @stdout = <F>;
         close F;
@@ -481,7 +626,6 @@
 1;
 
 __END__
-# Below is stub documentation for your module. You'd better edit it!
 
 =head1 NAME
 
@@ -497,6 +641,13 @@
       'ipterr'   => '/tmp/iptables.err',
       'debug'    => 0,
       'verbose'  => 0
+
+      ### advanced options
+      'ipt_alarm' => 5,  ### max seconds to wait for iptables execution.
+      'ipt_exec_style' => 'waitpid',  ### can be 'waitpid',
+                                      ### 'system', or 'popen'.
+      'ipt_exec_sleep' => 1, ### add in time delay between execution of
+                             ### iptables commands (default is 0).
   );
 
   my $ipt_obj = new IPTables::ChainMgr(%opts)
@@ -541,9 +692,16 @@
       '192.168.1.2', 5, 'filter', 'INPUT', 'ACCEPT', {});
 
   # add rule at the 4th rule position to allow all traffic from
-  # 10.1.2.3 to 192.168.1.2 via the CUSTOM chain in the filter table
+  # 10.1.2.3 to 192.168.1.2 over TCP port 80 via the CUSTOM chain
+  # in the filter table
   ($rv, $out_ar, $errs_ar) = $ipt_obj->add_ip_rule('10.1.2.3',
-      '192.168.1.2', 5, 'filter', 'CUSTOM', 'ACCEPT',
+      '192.168.1.2', 4, 'filter', 'CUSTOM', 'ACCEPT',
+      {'protocol' => 'tcp', 's_port' => 0, 'd_port' => 80});
+
+  # append rule at the end of the CUSTOM chain in the filter table to
+  # allow all traffic from 10.1.2.3 to 192.168.1.2 via port 80
+  ($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule('10.1.2.3',
+      '192.168.1.2', 'filter', 'CUSTOM', 'ACCEPT',
       {'protocol' => 'tcp', 's_port' => 0, 'd_port' => 80});
 
   # run an arbitrary iptables command and collect the output
@@ -555,11 +713,12 @@
 The C<IPTables::ChainMgr> package provide an interface to manipulate iptables
 policies on Linux systems through the direct execution of iptables commands.
 Although making a perl extension of libiptc provided by the iptables project is
-possible (and has been done by the FIXME module), it is easy to just execute
-iptables commands directly in order to both parse and change the configuration of
-the policy.  Further, this simplifies installation since the only external
-requirement is (in the spirit of scripting) to be able to point IPTables::ChainMgr
-at an installed iptables binary instead of having to compile against a library.
+possible (and has been done by the IPTables::libiptc module available from CPAN),
+it is also easy enough to just execute iptables commands directly in order to
+both parse and change the configuration of the policy.  Further, this simplifies
+installation since the only external requirement is (in the spirit of scripting)
+to be able to point IPTables::ChainMgr at an installed iptables binary instead
+of having to compile against a library.
 
 =head1 FUNCTIONS
 
@@ -643,6 +802,12 @@
 
 This function inserts a rule into the running iptables chain and table at the
 specified rule number.  Return values are success or failure along with the
+iptables stdout and stderr.
+
+=item append_ip_rule($src, $dst, $table, $chain, $target, %extended_info)
+
+This function appends a rule at the end of the iptables chain in the specified
+table.  Return values are success or failure along with the
 iptables stdout and stderr.
 
 =item delete_ip_rule($src, $dst, $table, $chain, $target, %extended_info)
@@ -686,8 +851,9 @@
 The IPTables::ChainMgr extension is closely associated with the IPTables::Parse
 extension, and both are heavily used by the psad, fwsnort, and fwknop projects
 to manipulate iptables policies based on various criteria (see the psad(8),
-fwsnort(8), and fwknop(8) man pages).  As always, the iptables(8) provides the
-best information on command line execution and theory behind iptables.
+fwsnort(8), and fwknop(8) man pages).  As always, the iptables(8) man page
+provides the best information on command line execution and theory behind
+iptables.
 
 Although there is no mailing that is devoted specifically to the IPTables::ChainMgr
 extension, questions about the extension will be answered on the following




More information about the Pkg-perl-cvs-commits mailing list