File Coverage

blib/lib/ThreatNet/Filter/Network.pm

Criterion	Covered	Total	%
statement	42	42	100.0
branch	12	18	66.6
condition	2	3	66.6
subroutine	11	11	100.0
pod	4	4	100.0
total	71	78	91.0

line	stmt	bran	cond	sub	pod	time	code
1							package ThreatNet::Filter::Network;
2
3							=pod
4
5							=head1 NAME
6
7							ThreatNet::Filter::Network - Filter events within a set of IP ranges
8
9							=head1 SYNOPSIS
10
11							# Filter for IPs in our broadband customers' range
12							my $Broadband = ThreatNet::Filter::Network->new( keep => '123.123.0.0/16' );
13
14							# Create a filter for "local" and other things we want to discard
15							# (including our own personal broadband IP in the above network)
16							my $NotLocal = ThreatNet::Filter::Network->new( discard => qw{
17							123.123.123.123
18							LOCAL
19							111.245.76.248/29
20							222.234.52.192/29
21							} );
22
23							sub boot_zombies {
24							my $Msg = shift;
25							if ( $Broadband->keep($Msg) and $NotLocal->keep($Msg) ) {
26							my $account = $RadiusServer->ip_to_account($Msg->ip);
27							$account->disable();
28							$account->disconnect();
29							$account->add_support_note("You are infected with a virus");
30							}
31							}
32
33							=head1 DESCRIPTION
34
35							C is a filter class for creating network
36							filters.
37
38							That is, for filtering event streams to just those events that did
39							(or did not) occur within a particular network.
40
41							The objects only check in two modes.
42
43							The C keyword as first argument indicates events should be kept if
44							they match B of the networks.
45
46							The C keyword as first argument indicates events should be kept
47							only if they do B match any of networks.
48
49							For more complex network masks, see the L class
50							for chaining groups of C and C filters together.
51
52							=head2 Specifying the Networks
53
54							The actual matching is done using the L module. Any
55							values that can be used by it can also be used with it can thus also be
56							used with C.
57
58							=head2 Keyword Expansion
59
60							In addition to the normal IP specification above,
61							C also supports keyword expansion for a
62							number of standard sets of network masks.
63
64							When specified by name, they will be expanded into a list of IP ranges.
65
66							Thus you can do something like the following.
67
68							my $Remove = ThreatNet::Filter::Network->new(
69							discard => 'RFC1918', '123.123.123.0/24'
70							);
71
72							This will filter out the three standard "local" IP blocks specified by
73							RFC1918, plus the addition range 123.123.123.0 - 123.123.123.255.
74
75							All keywords are case-insensitive.
76
77							=head3 RFC1918
78
79							The C keyword is expanded to the three network blocks reserved
80							for local intranets. This specifically does NOT include the localhost
81							address space.
82
83							=head3 RFC3330
84
85							The C keyword is expanded to a larger set of network blocks
86							restricted for various purposes as identifier in RFC3330. This includes
87							those from C, the localhost block, and several additional
88							blocks reserved for benchmarking, IP 6to4 identifiers and various other
89							blocks that should not appear in threat messages.
90
91							Where correctness is a factor, such as posting to a non-C
92							channel, this filter should be applied before issuing messages, as they
93							are highly likely to be fraudulent or technically nonsensical.
94
95							=head3 LOCAL
96
97							The C keyword is expanded to represent the most common
98							interpretation of a "local" address, which is the RFC1918 addresses,
99							plus the C<127.0.0.0/8> localhost block.
100
101							=head2 Message Compatibility
102
103							Please note that because the module on which this filter is based only
104							supports IPv4 ranges, this filter class is B capable of processing
105							L (or subclass) objects.
106
107							Any other message types passed to C will be returns C, and
108							thus will act as a null filter in most configurations.
109
110							=head1 METHODS
111
112							=cut
113
114	3			3		6708	use strict;
	3					5
	3					119
115	3					150	use Params::Util '_INSTANCE',
116	3			3		16	'_IDENTIFIER';
	3					5
117	3			3		14	use base 'ThreatNet::Filter';
	3					4
	3					213
118	3			3		26195	use Net::IP::Match::XS ();
	3					51891
	3					135
119	3			3		2086	use ThreatNet::Message::IPv4 ();
	3					29
	3					60
120
121	3			3		14	use vars qw{$VERSION %KEYWORD};
	3					4
	3					327
122							BEGIN {
123	3			3		6	$VERSION = '0.20';
124
125							# Expandable network keywords
126	3					6	%KEYWORD = ();
127	3					27	$KEYWORD{RFC1918} = [qw{
128							10.0.0.0/8
129							172.16.0.0/12
130							192.168.0.0/16
131							}];
132	3					9	$KEYWORD{RFC3330} = [qw{
133							0.0.0.0/8
134							10.0.0.0/8
135							127.0.0.0/8
136							169.254.0.0/16
137							172.16.0.0/12
138							192.0.2.0/24
139							192.168.0.0/16
140							192.88.99.0/24
141							198.18.0.0/15
142							224.0.0.0/4
143							240.0.0.0/4
144							}];
145	3					6098	$KEYWORD{LOCAL} = [qw{
146							127.0.0.0/8
147							10.0.0.0/8
148							172.16.0.0/12
149							192.168.0.0/16
150							}];
151							}
152
153
154
155
156
157							####################################################################3
158							# Constructor and Accessors
159
160							=pod
161
162							=head2 new ('keep' \| 'discard'), $network, ...
163
164							The C constructor takes a param of either C or C,
165							followed by a list of one or more values which are either an expandable
166							keyword or an ip ranges compatible with L.
167
168							A ThreatNet filter is created which limits a message stream to events
169							either inside or outside of the resulting network.
170
171							Returns a new C object, or C if given
172							invalid params.
173
174							=cut
175
176							sub new {
177	2	50		2	1	1600	my $class = ref $_[0] ? ref shift : shift;
178
179							# Check we are either a 'keep' or 'discard' filter
180	2	50				61	my $type = lc _IDENTIFIER(shift) or return undef;
181	2	50	66			32	$type eq 'keep' or $type eq 'discard' or return undef;
182
183							# Get the list of values, filter and keyword-expand
184	4	100				14	my @network = map { $KEYWORD{$_} ? @{$KEYWORD{$_}} : $_ }
	2					10
	4					11
185	2					3	map { uc $_ } grep { defined $_ } @_;
	4					10
186
187							# Initial version doesn't check the IP ranges.
188							# It just makes sure we have at least one.
189	2	50				10	@network or return undef;
190
191							# Create the object
192	2					13	my $self = bless {
193							keep => $type eq 'keep',
194							network => [ @network ],
195							}, $class;
196
197	2					7	$self;
198							}
199
200							=pod
201
202							=head2 type
203
204							The C accessor returns the type of the network filter.
205
206							Returns either C<'keep'> or C<'discard'>.
207
208							=cut
209
210							sub type {
211	2	100		2	1	486	$_[0]->{keep} ? 'keep' : 'discard';
212							}
213
214							=pod
215
216							=head2 network
217
218							The C accessor returns the list of ip ranges as provided to
219							the constructor.
220
221							=cut
222
223							sub network {
224	2			2	1	3	@{$_[0]->{network}};
	2					18
225							}
226
227
228
229
230
231							#####################################################################
232							# ThreatNet::Filter Methods
233
234							=pod
235
236							=head2 keep $Message
237
238							The C method takes a C message as per the
239							L specification, and checks it against the network
240							specification and C\|C type.
241
242							Returns true if the message should be kept, false if not, or C on
243							error.
244
245							=cut
246
247							sub keep {
248	10			10	1	2088	my $self = shift;
249	10	50				88	my $Message = _INSTANCE(shift, 'ThreatNet::Message::IPv4') or return undef;
250	10					33	my $rv = Net::IP::Match::XS::match_ip( $Message->ip, @{$self->{network}} );
	10					64
251	10	100				68	defined $rv ? $self->{keep} ? !! $rv : ! $rv : undef;
		50
252							}
253
254							1;
255
256							=pod
257
258							=head1 SUPPORT
259
260							All bugs should be filed via the bug tracker at
261
262							L
263
264							For other issues, or commercial enhancement and support, contact the author
265
266							=head1 AUTHORS
267
268							Adam Kennedy Eadamk@cpan.orgE
269
270							=head1 SEE ALSO
271
272							L, L,
273							L.
274
275							=head1 COPYRIGHT
276
277							Copyright (c) 2005 Adam Kennedy. All rights reserved.
278							This program is free software; you can redistribute
279							it and/or modify it under the same terms as Perl itself.
280
281							The full text of the license can be found in the
282							LICENSE file included with this module.
283
284							=cut