updated IPTables::ChainMgr to 1.6

ChangeLog

@@ -1,5 +1,6 @@
 psad-2.4.4 (11//2016):
     - Updated to version 5.2.13 of the whois client.
+    - Updated to IPTables::ChainMgr 1.6.
 
 psad-2.4.3 (12/19/2015):
     - Bug fix in fwcheck_psad related to an uninitialized variable related to

deps/IPTables-ChainMgr/Changes

@@ -1,5 +1,13 @@
 Revision history for Perl extension IPTables::ChainMgr.
 
+1.6 Sat Dec 04 15:42:45 2016
+    - Additional t/basic_tests.pl tests for 'mangle', 'nat', and 'raw' tables.
+    - Minor additional bug fix for IPTables::Parse version comparison (reported
+      by github user 'meZee').
+    - Minor documentation update to ensure to not recommend using predictable
+      temporary file paths for iptables output. The default paths are
+      provided via the File::Temp module in IPTables::Parse.
+
 1.5 Sat Dec 19 10:55:12 2015
     - Minor bug fix for IPTables::Parse version comparison (reported by github
       user 'HellUnit').

deps/IPTables-ChainMgr/META.json

@@ -38,5 +38,5 @@
       }
    },
    "release_status" : "stable",
-   "version" : "1.5"
+   "version" : "1.6"
 }

deps/IPTables-ChainMgr/META.yml

@@ -1,6 +1,6 @@
 --- #YAML:1.0
 name:               IPTables-ChainMgr
-version:            1.5
+version:            1.6
 abstract:           Perl extension for manipulating iptables and ip6tables policies
 author:
     - Michael Rash <mbr@cipherdyne.org>

deps/IPTables-ChainMgr/README

@@ -1,4 +1,4 @@
-IPTables-ChainMgr version 1.5
+IPTables-ChainMgr version 1.6
 ==============================
 
 The README is used to introduce the module and provide instructions on

deps/IPTables-ChainMgr/VERSION

@@ -1 +1 @@
-1.5
+1.6

deps/IPTables-ChainMgr/lib/IPTables/ChainMgr.pm

@@ -10,7 +10,7 @@
 #
 # Author: Michael Rash (mbr@cipherdyne.org)
 #
-# Version: 1.5
+# Version: 1.6
 #
 ##############################################################################
 #
@@ -26,7 +26,7 @@ use strict;
 use warnings;
 use vars qw($VERSION);
 
-$VERSION = '1.5';
+$VERSION = '1.6';
 
 sub new() {
     my $class = shift;
@@ -169,6 +169,7 @@ sub add_ip_rule() {
     my $target  = shift ||
         croak qq|[-] Must specify $self->{'_ipt_bin_name'} | .
             qq|target, e.g. "DROP"|;
+
     ### optionally add port numbers and protocols, etc.
     my $extended_hr = shift || {};
 
@@ -256,7 +257,7 @@ sub build_ipt_matches() {
     my $ipt_matches = '';
     my $msg = '';
 
-    if ($IPTables::Parse::VERSION > 1.1) {
+    if ($IPTables::Parse::VERSION gt 1.1) {
 
         ### src and dst
         if ($normalized_src ne '') {
@@ -512,7 +513,7 @@ sub find_ip_rule() {
 sub print_parse_capabilities() {
     my $self = shift;
 
-    if ($IPTables::Parse::VERSION > 1.1) {
+    if ($IPTables::Parse::VERSION gt 1.1) {
 
         print "[+] IPTables::Parse regular options:\n";
         for my $key (keys %{$self->{'parse_obj'}->{'parse_keys'}->{'regular'}}) {
@@ -685,8 +686,6 @@ IPTables::ChainMgr - Perl extension for manipulating iptables and ip6tables poli
       'use_ipv6' => 0,         # can set to 1 to force ip6tables usage
       'ipt_rules_file' => '',  # optional file path from
                                # which to read iptables rules
-      'iptout'   => '/tmp/iptables.out',
-      'ipterr'   => '/tmp/iptables.err',
       'debug'    => 0,
       'verbose'  => 0
 

deps/IPTables-ChainMgr/t/basic_tests.pl

@@ -19,9 +19,21 @@
 my %test_chains = (
     'filter' => [
         {'chain' => 'CHAINMGR', 'jump_from' => 'INPUT'},
+        {'chain' => 'CHAINMGR', 'jump_from' => 'FORWARD'},
         ### iptables allows odd chain names
         {'chain' => 'SC~!@#^%&$*-[]+={}-test', 'jump_from' => 'INPUT'}
     ],
+    'mangle' => [
+        {'chain' => 'CHAINMGR', 'jump_from' => 'INPUT'},
+        {'chain' => 'CHAINMGR', 'jump_from' => 'FORWARD'},
+        {'chain' => 'SC~!@#^%&$*-[]+={}-test', 'jump_from' => 'INPUT'}
+    ],
+    'raw' => [
+        {'chain' => 'CHAINMGR', 'jump_from' => 'PREROUTING'},
+    ],
+    'nat' => [
+        {'chain' => 'CHAINMGR', 'jump_from' => 'PREROUTING'},
+    ],
 );
 
 ### normalization will produce the correct network addresses ("10.1.2.3/24" is
@@ -209,7 +221,6 @@ ()
     return;
 }
 
-
 sub add_jump_rule_test() {
     my ($ipt_obj, $table, $chain, $jump_from_chain) = @_;
 
@@ -277,6 +288,10 @@ ()
 sub add_extended_rules_tests() {
     my ($ipt_obj, $table, $chain) = @_;
 
+    ### for any -> any testing
+    my $ip_any_net = '0.0.0.0/0';
+    $ip_any_net = '::/0' if $ipt_obj->{'_ipv6'};
+
     my $src_ip = $ipt_obj->normalize_net($ipv4_src);
     my $dst_ip = $ipt_obj->normalize_net($ipv4_dst);
 
@@ -339,6 +354,23 @@ ()
         &pass_fail($rule_position, "   Could not find TCP $src_ip(0) -> " .
             "$dst_ip(80) ctstate ESTABLISHED,RELATED $target rule");
 
+        ### all protocols and IP's, MAC source
+        &dots_print("add_ext_ip_rules(): $table $chain $ip_any_net " .
+            "-> $ip_any_net $target mac_source $mac_source ");
+        ($rv, $out_ar, $err_ar) = $ipt_obj->add_ip_rule($ip_any_net,
+                $ip_any_net, $chain_past_end, $table, $chain, $target,
+                {'mac_source' => $mac_source});
+        &pass_fail($rv, "   Could not add $ip_any_net -> $ip_any_net " .
+            "$target mac_source $mac_source");
+
+        &dots_print("find ext rule: $table $chain $ip_any_net " .
+            "-> $ip_any_net $target mac_source $mac_source ");
+        ($rule_position, $num_chain_rules) = $ipt_obj->find_ip_rule($ip_any_net,
+                $ip_any_net, $table, $chain, $target,
+                {'mac_source' => $mac_source});
+        &pass_fail($rule_position, "   Could not find $ip_any_net " .
+                "-> $ip_any_net $target mac_source $mac_source");
+
         ### TCP + mac source
         &dots_print("add_ext_ip_rules(): $table $chain TCP " .
             "$src_ip(0) -> $dst_ip(80) $target mac_source $mac_source ");
@@ -541,7 +573,7 @@ ()
 
     $< == 0 && $> == 0 or
         die "[*] $0: You must be root (or equivalent ",
-            "UID 0 account) to effectively test fwknop";
+            "UID 0 account) to effectively test IPTables::ChainMgr";
 
     unlink $logfile if -e $logfile;