-
Notifications
You must be signed in to change notification settings - Fork 0
/
rules.go
151 lines (129 loc) · 3.33 KB
/
rules.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
package goaway2
import (
"net"
"strconv"
"strings"
)
/***Types***/
//fwRaw : used to extract raw data via sql-table for rules
type fwRaw struct {
Zone string
FromIP string
FromPort string
ToIP string
ToPort string
}
//strValidator : interface to allow for validation of different objects
type strValidator interface {
Validate(string) bool
}
//intValidator : interface to allow for validation of different objects
type intValidator interface {
Validate(int64) bool
}
//fwRule : rule validation object used in firewall
type fwRule struct {
Zone strValidator
SrcIP strValidator
SrcPort intValidator
DstIP strValidator
DstPort intValidator
}
//dfaults : contains variables relating to firewall options/defaults
type dfaults struct {
inbound string
outbound string
}
//zone : validator for rule zone (inbound/outbound/any)
type zone string
//ip : valiator of single ip for rules
type ip string
//ipRange : validator of ip-range for rules
type ipRange struct {
net.IPNet
}
//port : validator of single port for rules
type port int64
//portRange : validator of port-range for rules
type portRange struct {
start int64
end int64
}
/***Functions***/
//convertIPs : convert ip/ip-range to validator for rules
func convertIPs(rawips string) strValidator {
if _, iprange, err := net.ParseCIDR(rawips); err == nil {
return ipRange{*iprange}
} else {
return ip(rawips)
}
}
//convertPorts : convert port/port-range to validator for rules
func convertPorts(rawports string) intValidator {
switch {
// if ports is any
case rawports == "any":
return portRange{start: 0, end: 65535}
// if ports is port-range and return range
case strings.Contains(rawports, "-"):
// convert port range to ints for port-range validator
ports := strings.Split(rawports, "-")
start, _ := strconv.ParseInt(ports[0], 10, 64)
end, _ := strconv.ParseInt(ports[1], 10, 64)
return portRange{start: start, end: end}
default:
// convert port to int64 and set to single port validator
prt, _ := strconv.ParseInt(rawports, 10, 64)
return port(prt)
}
}
/***Methods***/
//(*fwRule).Validate : validate if packet data matches rule data validators
func (r *fwRule) Validate(pkt *PacketData) bool {
if r.Zone.Validate(pkt.SrcIP) &&
r.SrcIP.Validate(pkt.SrcIP) && r.SrcPort.Validate(pkt.SrcPort) &&
r.DstIP.Validate(pkt.DstIP) && r.DstPort.Validate(pkt.DstPort) {
return true
}
return false
}
//(zone).Validate : match ip-address to direction of zone (inbound/outbound/any)
func (z zone) Validate(srcip string) bool {
switch z {
case "inbound":
if _, ok := localIPs[srcip]; ok {
return false
}
return true
case "outbound":
if _, ok := localIPs[srcip]; ok {
return true
}
return false
default:
return true
}
}
//(ip).Validate : match ip-address to other ip-address
func (a ip) Validate(ip string) bool {
switch string(a) {
case "any":
return true
case ip:
return true
default:
return false
}
}
//(ipRange).Validate : match ip-range to other ip-address
func (a ipRange) Validate(ip string) bool {
return a.Contains(net.ParseIP(ip))
}
//(port).Validate : match port number to other port number
func (p port) Validate(portnum int64) bool {
return int64(p) == portnum
}
//(portRange).Validate : match port to see if its within the port range
func (p portRange) Validate(port int64) bool {
return p.start < port && port < p.end
}