root/honeyclient/branches/bug/42/lib/HoneyClient/Manager/FW.pm

#!/usr/bin/perl

#######################################################################
# Created on:  Dec 2, 2005
# Package:     HoneyClient::Manager::FW
# File:        FW.pm
# Description: A SOAP server that provides a way to remotely and dynamically configure iptables rules for all honeyclients.
#
# @author(s) durick, kindlund, xkovah
#
# SVN: $Id$
#
# Copyright (C) 2006 The MITRE Corporation.  All rights reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, using version 2
# of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
#
#######################################################################

=pod

=head1 NAME

HoneyClient::Manager::FW - Perl module to remotely handle firewall rule/chain creation and deletion
which will provide network connectivity for the honeyclients during crawling.  Additionally, 
it will provide protection when the honeyclients become compromised by enabling static rate limiting(tcp/udp/icmp)
and MAC address filtering.

=head1 VERSION

This documentation refers to HoneyClient::Manager::FW version 1.0.

=head1 SYNOPSIS

=head2 CREATING THE SOAP SERVER

  # Make sure HoneyClient::Util::Config loads properly
use HoneyClient::Util::Config qw(getVar);

# Make sure IPTables::IPv4 loads
use IPTables::IPv4;

# Make sure HoneyClient::Manager::FW can load
use HoneyClient::Manager::Firewall::FW;

# Make sure HoneyClient::Util::SOAP loads properly
require_ok('HoneyClient::Util::SOAP');

package HoneyClient::Manager::Firewall::FW;
use HoneyClient::Util::SOAP qw(getClientHandle getServerHandle);
my $daemon = getServerHandle();
$daemon->handle;

The SOAP firewall server will  boot up when the honeywall is started by the HoneyClient manager.  The main
directory that holds all the listener code is the /hc directory.  startFWListener.pl is located in the /etc/rc.d/rc3.d directory and
will boot up when the honeywall starts up in run level three.  After start up, the firewall listener will await calls from the HoneyClient
manager so that the firewall may be configured properly and dynamically updated when crawling begins.

Steps to get honeyclient listening:

1.  Boot up honeyclient honeywall vmware image.
2.  Start up our SOAP firewall and SOAP log listener
/usr/bin/perl /hc/startFWListener.pl > /dev/null 2> /dev/null &
These will start upon boot of the honeywall so you will not have to do anything except boot the image.
3.  Now the firewall is listening for all SOAP client calls
4.  Do a "ps -xf" to confirm that your firewall is listening
    It should show something like:
    7580 pts/0    S      0:01 /usr/bin/perl /hc/startFWListener.pl
5.  Make your FW calls now from honeyclient-client.pl.

=head2 INTERACTING WITH SOAP SERVER 

 use HoneyClient::Util::SOAP qw(getClientHandle);
 use HoneyClient::Util::Config qw(getVar);
 
After the honeywall boots up, startFWListerner.pl will be executed and begin listening.  From 
here we want to start interacting with our SOAP FW server.
 
 # Create a new SOAP client, to talk to the HoneyClient::Manager::FW module
 # @initlist will contain all the return values sent back from the server (PID of startFWListerner.pl on server and status message)
 #  Lets set our default honeyclient ruleset:
  my $stub = getClientHandle(namespace => "HoneyClient::Manager::FW");
  my $som = $stub->fwInit();
  my @initlist = $som->paramsall;
  print "$_\n" foreach (@initlist);
  
 # To dynamically append new rules to the iptables ruleset, do the following
$hashref = this data structure will be passed from the manager to the HoneyClient::Manager::FW
 
 $som = $stub->addRule( $hashref );
 print $stub->result;
 print "\n";
 
# To dynamically delete rules, all you need to do is delete the user-defined chain that was originally created.
 
$som = $stub->deleteChain( $hashref );
print $stub->result;
print "\n";
 
# To get the status of the current iptables ruleset, this function prints to hard disk the working iptables ruleset
$som = $stub->getStatus();
print $stub->result;
print "\n";
 
# For all new VM's that we plan to add later on, we will have to add new VM chains:
$som = $stub->addChain( $hashref);
print $stub->result;
print "\n";

 # To shutdown the Firewall SOAP listner on the Honeywall
$som = $stub->FWShutdown();
print $stub->result;
print "\n";

=head1 DESCRIPTION

Once created, the daemon acts as a stand-alone SOAP server,
processing individual requests from the  HoneyClient manager
and manipulating the IPTables ruleset on the transparent
virtual honeywall.

=cut

package HoneyClient::Manager::FW;
require Exporter;    #  packages allow a program to be partitioned into separate namespaces

# Include HoneyClient libraries
use HoneyClient::Util::Config qw(getVar);
use HoneyClient::Util::SOAP qw(getServerHandle getClientHandle);

#use HoneyClient::Manager::FW::Argus;
#use HoneyClient::Manager::FW::Tcpdump;
#use HoneyClient::Manager::FW::Integrity;

# Include logging library
use Log::Log4perl qw(get_logger);

# Threading libraries
use threads;
use threads::shared;

# Additional libraries needed
use FileHandle;
use IO::File;
use IPTables::IPv4;
use Config::General;
use Data::Dumper;
use POSIX qw( WIFEXITED );
use English '-no_match_vars';

# set our configuration file location
my $config_file = getVar(name => "config_file");

# starting up the logging mechanism
Log::Log4perl->init($config_file);

=begin testing

diag("Beginning of HoneyClient::Manager::FW testing.");
diag("Making sure all Modules are present");

# Make sure Log::Log4perl loads.
BEGIN { use_ok('Log::Log4perl') or diag("Can't load Log::Log4perl package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Log::Log4perl');
use Log::Log4perl;

# Make sure Filehandle loads.
BEGIN { use_ok('FileHandle') or diag("Can't load FileHandle package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('FileHandle');
use FileHandle;

# Make sure IO::File loads.
BEGIN { use_ok('IO::File') or diag("Can't load IO::File package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('IO::File');
use IO::File;

# Make sure IPTables::IPv4 loads.
BEGIN { use_ok('IPTables::IPv4') or diag("Can't load IPTables::IPv4 package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('IPTables::IPv4');
use IPTables::IPv4;

# Make sure Config::General loads.
BEGIN { use_ok('Config::General') or diag("Can't load Config::General package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Config::General');
use Config::General;

# Make sure use Data::Dumper loads.
BEGIN { use_ok('Data::Dumper') or diag("Can't load use Data::Dumper package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Data::Dumper');
use Data::Dumper;

# Make sure use Net::DNS::Resolver loads.
BEGIN { use_ok('Net::DNS::Resolver') or diag("Can't load use Net::DNS::Resolver package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Net::DNS::Resolver');
use Net::DNS::Resolver;

# Make sure use Time::HiRes loads.
BEGIN { use_ok('Time::HiRes', qw(gettimeofday)) or diag("Can't load use Time::HiRes package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Time::HiRes');
can_ok('Time::HiRes', 'gettimeofday');
use Time::HiRes qw(gettimeofday);

# Make sure use English loads.
BEGIN { use_ok('English') or diag("Can't load use English package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('English');
use English '-no_match_vars';

# Make sure use threads loads.
BEGIN { use_ok('threads') or diag("Can't load use threads package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('threads');
use threads;

# Make sure HoneyClient::Util::Config loads.
BEGIN { use_ok('HoneyClient::Util::Config', qw(getVar)) or diag("Can't load HoneyClient::Util::Config package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('HoneyClient::Util::Config');
can_ok('HoneyClient::Util::Config', 'getVar');
use HoneyClient::Util::Config qw(getVar);

# Make sure the module loads properly, with the exportable
# functions shared.
BEGIN { use_ok('HoneyClient::Manager::FW', qw(init_fw destroy_fw _getVMName)) or diag("Can't load HoneyClient::Manager:VM package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('HoneyClient::Manager::FW');
can_ok('HoneyClient::Manager::FW', 'init_fw');
can_ok('HoneyClient::Manager::FW', 'destroy_fw');
can_ok('HoneyClient::Manager::FW', '_getVMName');
use HoneyClient::Manager::FW qw(init_fw destroy_fw _getVMName);

# Make sure HoneyClient::Util::SOAP loads.
BEGIN { use_ok('HoneyClient::Util::SOAP', qw(getServerHandle getClientHandle)) or diag("Can't load HoneyClient::Util::SOAP package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('HoneyClient::Util::SOAP');
can_ok('HoneyClient::Util::SOAP', 'getServerHandle');
can_ok('HoneyClient::Util::SOAP', 'getClientHandle');
use HoneyClient::Util::SOAP qw(getServerHandle getClientHandle);

# Make sure use Proc::ProcessTable loads.
BEGIN { use_ok('Proc::ProcessTable') or diag("Can't load use Proc::ProcessTable package.  Check to make sure the package library is correctly listed within the path."); }
require_ok('Proc::ProcessTable');
use Proc::ProcessTable;

diag("Making sure perl and shell scripts exist.\n");
ok( "-f /hc/startFWListener.pl", '/hc/startFWListener.pl is present' );
ok( "-f /hc/startLogListener.pl", '/hc/startLogListener.pl is present' );
ok( "-f /hc/startFWListener.sh", '/hc/startFWListener.sh is present' );
ok( "-f /hc/startLogListener.sh", '/hc/startLogListener.sh is present' );
ok( "-f  /etc/honeylog.conf", '/etc/honeylog.conf is present' );
ok("-f  /etc/honeyclient.conf", '/etc/honeyclient.conf exists');
#ok( -f , "/proc/sys/net/ipv4/ip_forward", '/proc/sys/net/ipv4/ip_forward does exist');
ok(" -f /etc/resolv.conf", '/etc/resolv.conf file does exist');
ok(" -f /etc/syslog.conf", '/etc/syslog.conf file does exist');
ok( "-f /usr/bin/uptime", '/usr/bin/uptime is present' );
ok(" -f /bin/uname", '/bin/uname exists');
ok(" -f /bin/mail", 'mail() exists');
ok(" -f /sbin/iptables", 'IPTables binary does exist');
diag("Enabling test hash reference here");
my $hashref = {

    'foo' => {    
        'targets' => {   
            'rcf.mitre.org'   => { 'tcp' => [ 80 ], },
        },

        'resources' => {
            'http://www.mitre.org' => 1,
        },
        'sources' => {

            '00:0C:29:94:B9:15' => {
                '10.0.0.128' => {   
                    'tcp' => undef,
                    'udp' => [ 23, 53, '80:1024', ],
                },
            },
        },
    },
};

#my $hwall = getVar(name => "address");
#my $port = getVar(name => "port");

diag("Beginning our function testing now...");
$URL = HoneyClient::Manager::FW->init_fw();
is($URL, "http://192.168.0.129:8083/", "testing init_fw(), creation of the firewall server") or diag("Failed to start up the FW SOAP server.  Check to see if any other daemon is listening on TCP port $PORT.");
sleep 3;
is(HoneyClient::Manager::FW->destroy_fw(), 1, "destroy_fw(), destruction of the firewall server") or diag("Unable to terminate FW");
sleep 1;

=end testing

# This package name.
our $PACKAGE = __PACKAGE__;
our $DAEMON_PID : shared = undef;
# Complete URL of SOAP server, when initialized.
our $URL_BASE;
our $URL;
our $UPTIME = "/usr/bin/uptime";


BEGIN {

    # Defines which functions can be called externally.
    require Exporter;
    our ( @ISA, @EXPORT, @EXPORT_OK, %EXPORT_TAGS, $VERSION );

    # Set our package version.
    $VERSION = 0.9;

    @ISA = qw(Exporter);

    # Symbols to export on request
    @EXPORT =
      qw( _parseHash _validateInit init_fw destroy_fw _doFullBackup _flushChains _setAcceptPolicy _setDefaultDeny _set_log_rules _setstaticrate _setDefaultRules _remoteConnection _set_ip_forwarding _getpid);

    # Items to export into callers namespace by default. Note: do not export
    # names by default without a very good reason. Use EXPORT_OK instead.
    # Do not simply export all your public functions/methods/constants.

    # This allows declaration use HoneyClient::Manager::FW ':all';
    # If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
    # will save memory.

    %EXPORT_TAGS = ( 'all' => [qw(init_fw destroy_fw)], );

    # Symbols to autoexport (:DEFAULT tag)
    @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );

    $SIG{PIPE} = 'IGNORE';    # Do not exit on broken pipes.
}


=pod

=head1 EXTERNAL SOAP FUNCTIONS

=over 4

=item *

fwInit()

The fwInit function awaits a call from the Honeyclient manager, once a call is made the function performs numerous subfunctions but 
mainly handles creation of the default iptables ruleset for the honeyclient network.
IPTables ruleset:
Since we are using our honeywall to do transparent packet forwarding, forwarded packets will be traversing the 
IPTables FORWARD chain, which is associated with the filter table.  By adding rules to the FORWARD chain, you 
can control the flow of traffic between our two networks (honeyclient and external network).  
Instead of using a single, built-in chain for all protocols, we use a user-defined chain to determine the protocol type, 
then hand off the actual final processing to our user-defined chain in the filter table.


I<Inputs>: nothing - No specific input
I<Output>: Success if default ruleset was created, failure if not

#=back

=begin testing

eval{
    diag("Testing fwInit()...");
    $URL = HoneyClient::Manager::FW->init_fw();
    # Wait at least a second, in order to initialize the daemon.
    sleep(1);
    # Connect to daemon as a client.
    $stub = getClientHandle(namespace => "HoneyClient::Manager::FW");
    $som = $stub->fwInit($hashref);
    $som = $stub->_validateInit();
    is($som->result, 24, "fwInit current has set up 28 rules")   or diag("The fwInit() call failed.");
    $som = $stub->_setAcceptPolicy();
    $som = $stub->_flushChains();
    
};

# Kill the child daemon, if it still exists.
HoneyClient::Manager::FW->destroy_fw();
sleep(1);

# Report any failure found.
if ($@) {
    fail($@);
}
    
=end testing

=cut

sub fwInit {
    my ($class) = shift();
    my ($systempid, $f_success, $del_success, $acceptsuccess, $denysuccess,
        $chain)
      = q{};
    my @default_chains = qw(INPUT OUTPUT FORWARD);
    my $outputdir      = getVar(name => "outputdir");
    my $processname    = "startFWListener.pl";
    my $table          = IPTables::IPv4::init('filter');


    #$systempid = _getpid($processname);
    my $log = get_logger("HoneyClient::Manager::FW");
    $log->info("Entering fwInit(), starting Firewall initialization...");

    # Could not connect to iptables
    if (!defined($table)) {
        $log->error_die("Error, could not connect to IPTABLES interface: $!");
        return(0);
    } else {
        $log->info("table is defined");
        # lets check for root access, the honeyclient can only be run as root
        my $root = _checkRoot();
        if (!$root) {
            $log->error_die("Error, you must be root to run this program: $!");
        }

# loads the interfaces in the /etc/interfaces.conf file - might be used later???
#   _load_interfaces();
# Peform a full backup of the existing rules
        _doFullBackup($outputdir);

# set ip forwarding to 0.  The script initially turns all forwarding off while it loads the firewall policy.
# Then, right before the script exits, the script turns forwarding back on.
        _set_ip_forwarding(0);

        # Sets accept all policy, return $acceptsuccess code
        _setAcceptPolicy();

        # flush and delete all existing chains/rules - starting clean
        _flushChains();
        
# Now lets set our default deny all policy, this drops all traffic for INPUT, FORWARD, and OUTPUT
        _setDefaultDeny();
        

        #  Create a Drop_Log_* user-defined chain, for logging packets before dropping them
        _createDropLog("Drop_Log_In", "INPUT: ");
        _createDropLog("Drop_Log_Out", "OUTPUT: ");
        _createDropLog("Drop_Log_Fwd", "FORWARD: ");

        # Now creating all rules for INPUT/OUTPUT/FORWARD chains
        _setDefaultRules();

# Creates a nat rule in the POSTROUTING chain.  The nat POSTROUTING chain performs
# source network address translation and masquerading.  The chain can contain rules that modify
# the source IP address or source port of packets that traverse it.  We do not use this chain for
# any filtering.
        _createNat();

        # sets up ip forwarding to active
        _set_ip_forwarding(1);
        my $totalRules = _validateInit();
        return $totalRules;
    }
}    # end of setup subroutine

=pod

=item *

_validateInit() is another helper function 

I<Inputs>:  no input
I<Output>: total number of rules across all chains (Default and user-defined)

=cut

sub _validateInit {
    my $table     = IPTables::IPv4::init('filter');
    my $natTable  = IPTables::IPv4::init('nat');
    my @chainList = qw(INPUT OUTPUT FORWARD Drop_Log);
    my @natChains = qw(PREROUTING POSTROUTING);
    my (@ruleList, @natList) = ();
    my ($numRules, $natRules, $totalRules) = q{};
    foreach my $chain (@chainList) {
        if (!$table->is_chain($chain)) {
            my $filter = 0;
        } else {
            @ruleList = $table->list_rules($chain);
            $numRules = scalar(@ruleList);
            print "Number of rules in $chain:  $numRules\n";
            $totalRules += $numRules;
        }
    }
    foreach my $natChain (@natChains) {
        if (!$natTable->is_chain($natChain)) {
            my $nat = 0;
        } else {
            @natList  = $natTable->list_rules($natChain);
            $natRules = scalar(@natList);
            print "Number of rules in $natChain:  $natRules\n";
            $totalRules += $natRules;
        }
    }
    return $totalRules;
}

=pod

=item *

_parseHash() is another helper function that takes in a hash reference from the honeyclient
manager and parses the data structure thus producing usable values to generate our firewall rules.

I<Inputs>:  Requires hash reference (hohohohoh).
I<Output>: returns hash of a hash to be used during  the addRule() function for rule generation.

=cut

sub _parseHash {
    my @temp = ();
    my %HoH  = ();

    # Extract arguments.
    my ($hashref) = @_;

    # Get the VM identifier.
    foreach $vm_ID (keys %{$hashref}) {

        # Get the VM's source MAC address.
        foreach $src_MAC_addr (keys %{ $hashref->{$vm_ID}->{'sources'} }) {

            # Get the VM's source IP address.
            foreach $src_IP_addr (
                     keys %{ $hashref->{$vm_ID}->{'sources'}->{$src_MAC_addr} })
            {

                # Get the VM's source protocol.
                foreach $src_IP_proto (
                            keys %{
                                $hashref->{$vm_ID}->{'sources'}->{$src_MAC_addr}
                                  ->{$src_IP_addr}
                            }
                  )
                {

          # Get the VM's source ports.
          # For this case, we can't use foreach, since we have to also factor in
          # cases where the array of ports is 'undef'.
          # Get the list of ports.
                    my @src_ports = ();
                    if (
                        defined(
                                $hashref->{$vm_ID}->{'sources'}->{$src_MAC_addr}
                                  ->{$src_IP_addr}->{$src_IP_proto}
                        )
                      )
                    {
                        @src_ports =
                          @{ $hashref->{$vm_ID}->{'sources'}->{$src_MAC_addr}
                              ->{$src_IP_addr}->{$src_IP_proto} };
                    }

                    # Figure out how big the array is.
                    my $num_of_src_ports = scalar(@src_ports);
                    my $src_port_counter = 0;
                    my $src_port         = undef;
                    do {

                        # We check to see if our source port array
                        # is empty.
                        if ($num_of_src_ports <= 0) {
                            $src_port = "*";
                        } else {
                            $src_port = $src_ports[$src_port_counter];
                        }

                        # Get the target hosts.
                        foreach $dst_host (
                                      keys %{ $hashref->{$vm_ID}->{'targets'} })
                        {

                            # Get the target IPs.
                            foreach $dst_IP_addr (_resolveHost($dst_host)) {

                                # Get the target protocol.
                                foreach $dst_IP_proto (
                                             keys %{
                                                 $hashref->{$vm_ID}->{'targets'}
                                                   ->{$dst_host}
                                             }
                                  )
                                {

         #print STDERR "Destination Protocol: " . $dst_IP_proto . "\n";
         # We skip over combinations, where the source and destination protocols
         # are different.
                                    next
                                      unless $src_IP_proto eq $dst_IP_proto;

          # Get the target ports.
          # For this case, we can't use foreach, since we have to also factor in
          # cases where the array of ports is 'undef'.
          # Get the list of ports.
                                    my @dst_ports = ();
                                    if (
                                        defined(
                                                $hashref->{$vm_ID}->{'targets'}
                                                  ->{$dst_host}->{$dst_IP_proto}
                                        )
                                      )
                                    {
                                        @dst_ports =
                                          @{ $hashref->{$vm_ID}->{'targets'}
                                              ->{$dst_host}->{$dst_IP_proto} };
                                    }

                                    # Figure out how big the array is.
                                    my $num_of_dst_ports = scalar(@dst_ports);
                                    my $dst_port_counter = 0;
                                    my $dst_port         = undef;
                                    do {

                                 # We check to see if our destination port array
                                 # is empty.
                                        if ($num_of_dst_ports <= 0) {
                                            $dst_port = "*";
                                        } else {
                                            $dst_port =
                                              $dst_ports[$dst_port_counter];
                                        }

           # generate our rules here into a %HoH based on destination ip address
                                        $HoH{$dst_IP_addr} = {
                                            "chain"       => "$vm_ID",
                                            "source-mac"  => "$src_MAC_addr",
                                            "source"      => "$src_IP_addr",
                                            "protocol"    => "$src_IP_proto",
                                            "source-port" => "$src_port",
                                            "destination-domain" => "$dst_host",
                                            "destination" => "$dst_IP_addr",
                                            "dest-proto"  => "$dst_IP_proto",
                                            "destination-port" => "$dst_port",
                                            "jump"             => "ACCEPT",
                                            "matches"          => ['mac']
                                        };
                                        $dst_port_counter++;
                                      } until (
                                        $dst_port_counter >= $num_of_dst_ports);
                                }
                            }
                        }
                        $src_port_counter++;
                    } until ($src_port_counter >= $num_of_src_ports);
                }
            }
        }
    }
    return %HoH;
}

=pod

=item *

addChain();

add_vm_chain adds the user-defined chain based on manager client parameters.

I<Inputs>:  
B<$class>is the package name
B<$hashref> - hash reference that will be sent over from HoneyClient::Agent.  It will then be parsed by get_vm_from_hash()
and give me an array of VM names that will be added from the iptables chain list.  The reason we have broken
add_vm_chain() up and made it its separate subroutine is because when we add a rule to the iptables ruleset, we
must first have a user-defined chain in place.  A commit must occur which writes it to the kernel-level netfilter subsystem, then
the rule must be added after that has occurred.

I<Output>: returns true if VM chain was deleted, returns false if not

#=back

=begin testing

eval{
    diag("Testing addChain()...");
    $URL = HoneyClient::Manager::FW->init_fw();
    # Wait at least a second, in order to initialize the daemon.
    sleep 1;
    # Connect to daemon as a client.
    $stub = getClientHandle(namespace => "HoneyClient::Manager::FW");
    $som = $stub->addChain($hashref);
    ok($som->result, "addChain() successfully passed.")   or diag("The addChain() call failed.");
    $som = $stub->_setAcceptPolicy();
    $som = $stub->_flushChains();
};

# Kill the child daemon, if it still exists.
HoneyClient::Manager::FW->destroy_fw();
sleep 1;

# Report any failure found.
if ($@) {
    fail($@);
    }
    
=end testing

=cut

sub addChain {
    my ($class) = shift;    # pass in package name
    my $hashref =
      shift;    # pass in hash reference which is sent from HoneyClient::Agent
    my $log   = get_logger("HoneyClient::Manager::FW");
    my $table = IPTables::IPv4::init('filter');
    my ($vmlistin, $vmlistout, $vinret, $voutret) = q{};

# get_vm_from_hash() returns the VM name of the hash reference.  For now, one VM md5sum value
# will be passed in one hashref.
    $vmname = _getVMName($hashref);

    # lets modify the vmnames to apply to "-IN" and "-OUT" flows
    my $vin  = $vmname . "-IN";
    my $vout = $vmname . "-OUT";

  # Lets loop through the array contain all "-in" VM chain names and create them
    if ($table->is_chain($vin)) {
        $log->info("Sorry, $vin already exists - no chain was created");
        $vinret = 0;
    } else {
        $log->info("$vin was not found and created");
        $table->create_chain($vin) or
            die ("Error: Unable to create chain $vin");

        # the entry will be inserted to the head of the FORWARD chain (0)
        $table->insert_entry("FORWARD", { 'protocol' => "tcp", jump => $vin },
                             0) or
            die ("Error: Unable to insert entry into chain FORWARD");
        $log->info("Inserting rule in FORWARD chain to point to $vin");
        $vinret = 1;
    }

 # Lets loop through the array contain all "-out" VM chain names and create them
    if ($table->is_chain($vout)) {
        $log->info("Sorry, $vout already exists and was not created");
        $voutret = 0;
    } else {
        $log->info("$vout chain was was not found and created");
        $table->create_chain($vout) or
            die ("Error: Unable to create chain $vout");

        # the entry will be inserted to the head of the FORWARD chain (0)
        $table->insert_entry("FORWARD", { 'protocol' => "tcp", jump => $vout },
                             0) or
            die ("Error: Unable to insert entry into chain FORWARD");
        $voutret = 1;
    }

    # write to the iptables ruleset
    $log->info("Commiting all rules in addChain() function");
    $table->commit() or die ("Error: Unable to commit changes to filter table");
    return ($vinret, $voutret);
}

=pod

=item *

deleteChain();

delete_vm_chain deletes the user-defined chain based on manager client parameters.

I<Inputs>:  
B<$class>is the package name
B<$hashref> - hash reference that will be sent over from HoneyClient::Agent.  It will then be parsed by get_vm_from_hash()
and give me an array of VM names that will be deleted from the iptables chain list.

I<Output>: returns true if VM chain was deleted, returns false if not

=begin testing

eval{
     diag("Testing deleteChain()...");
    $URL = HoneyClient::Manager::FW->init_fw();
    # Wait at least a second, in order to initialize the daemon.
    sleep 1;
    # Connect to daemon as a client.
    $stub = getClientHandle(namespace => "HoneyClient::Manager::FW");
    $som = $stub->addChain($hashref);
    sleep 1;
    $som = $stub->deleteChain($hashref);
    ok($som->result, "deleteChain() successfully passed.")   or diag("The deleteChain() call failed.");
    $som = $stub->_setAcceptPolicy();
    $som = $stub->_flushChains();

};

# Kill the child daemon, if it still exists.
HoneyClient::Manager::FW->destroy_fw();
sleep 1;

# Report any failure found.
if ($@) {
    fail($@);
    }
    
=end testing

=cut

sub deleteChain {
    my ($class)      = shift;
    my ($hashref)    = shift;
    my $table        = IPTables::IPv4::init('filter');
    my @forwardrules = $table->list_rules("FORWARD");
    my $vmname       = _getVMName($hashref);
    my @chainArray   = ();
    my $log   = get_logger("HoneyClient::Manager::FW");
    $log->info("Entering deleteChain()...");

    # concatenate vm names to specify in and out chains
    my $vin  = $vmname . "-IN";
    my $vout = $vmname . "-OUT";
    push(@chainArray, $vin);
    push(@chainArray, $vout);

# Within this loop, we are deleting the rules within the FORWARD chain, since our chain is
# user-defined, we also has a rule within the FORWARD chain that points to the next chain but
# we need to delete this rule too.  This loop applies the user-defined "in" chain.
    $log->info("Starting to loop all the rules in the FORWARD chain");
    for (my $i = 0 ; $i <= $#forwardrules ; $i++) {

        # if there is a match, delete it
        if (   ($forwardrules[$i]->{'protocol'} eq "tcp")
            && ($forwardrules[$i]->{'jump'} eq $vin))
        {
            $log->info("Deleting rule in FORWARD chain where jump is $vin");
            $table->delete_entry("FORWARD", $forwardrules[$i]) or
                die ("Error: Unable to delete entry in chain FORWARD");
            print "deleting $forwardrules[$i] in FORWARD chain\n";
        } else {
            print "No match with the rules, keep looking\n";
        }
    }

# Within this loop, we are deleting the rules within the FORWARD chain, since our chain is
# user-defined, we also has a rule within the FORWARD chain that points to the next chain but
# we need to delete this rule too.  This loop applies the user-defined "out" chain.
    for (my $j = 0 ; $j <= $#forwardrules ; $j++) {
        if (   ($forwardrules[$j]->{'protocol'} eq "tcp")
            && ($forwardrules[$j]->{'jump'} eq $vout))
        {
            $log->info("Deleting rule in FORWARD chain where jump is $vout");
            $table->delete_entry("FORWARD", $forwardrules[$j]) or
                die ("Error: Unable to delete entry in chain FORWARD");
        } else {
            print "No match with the rules, keep looking\n";
        }
    }

# Flush the entry and delete the chain here
# This deletes all the rules within that chain first, then deletes the actual chain last.
$log->info("Flushing the entries and chains now...");
    foreach my $chainname (@chainArray) {
        $log->info("Flusing entries in $chainname");
        $table->flush_entries($chainname) or
            die ("Error: Unable to flush entries in chain $chainname");
        $log->info("Deleting $chainname");
        $table->delete_chain($chainname);
            die ("Error: Unable to delete chain $chainname");
    }
    $table->commit() or die ("Error: Unable to commit changes to filter table");
}

#Deletes the rules that it would have added for a given hashref in a given custom chain
sub deleteRules(){
my ($class)      = shift;
my ($hashref)    = shift;
my $vmname       = _getVMName($hashref);
my @chainArray   = ();
my $table        = IPTables::IPv4::init('filter');
my $result       = 0;

#   print Dumper($table)
    # concatenating chain name to handle "in" chain flow and "out" chain flow
    $vin  = $vmname . "-IN";
    $vout = $vmname . "-OUT";

    $result = $table->flush_entries($vin);
    if($result){
        print "flushed entries from $vin\n"
    }
    else{
        die ("Error: Unable to flush entries in chain $vin");
        print "flush on $vin failed\n";
        return $result; 
    }
    
    $result = $table->flush_entries($vout);
    if($result){
        print "flushed entries from $vout\n";
    }
    else{
        die ("Error: Unable to flush entries in chain $vout");
        print "flush on $vout failed\n";
        return $result;
    }
    
    $table->commit() or die ("Error: Unable to commit changes to filter table");
    # Lets delete our PREROUTING logging
    $result = _deletePreroutingLogging($hashref, $vmname);
    print "got $result in deleteRules\n";
    return $result;
}

=pod

=item *

addRule($hashref)

addRule is a function that handles the addition of a new iptable rule into the existing IPTables ruleset which allow honeyclients functionality to crawl
the internet in search of malicious web sites.  FWPunch first checks for the existance of the user-defined chain before it
creates a new VM rule.  If the chain already exists, the rule can not be added since their is no corresponding chain.
If it does exist, the rule is added successfully.  All FWPunch calls are logged.

The addRule() function will recieve a $hashref which will be a muli-level hash table whose structure 
will resemble the below data structure:

my $hashref = {

    '0d599f0ec05c3bda8c3b8a6' => {    # VM identifier.
        # You'll notice that we add a new layer to the table.
        # This is an MD5SUM that represents the unique identifier
        # of the VM *NAME*.  You can assume that this name will be
        # initially generated and used by HC::Manager::VM.

        # The next 2 keys contain the data from HC::Agent::Driver->next()
        'targets' => {    # This keyname used to be called 'servers'

            # The browser will contact 'www.mitre.org' at
            # TCP port 80.
            'www.mitre.org'   => { 'tcp' => [ 80 ], },
            'rcf.mitre.org'   => { 'tcp' => [ 80 ], },
            'blogs.mitre.org' => { 'tcp' => [ 80 ], },
            'www.cnn.com'     => { 'tcp' => [ 80, 8080 ], },
            'pool.ntp.org'    => { 'udp' => [ 123, ], },

            # General example:
            # The application will contact '192.168.1.1' at
            # some unknown TCP port.
            #
            # If the ports are unknown, the firewall
            # should allow outbound contact to all unprivileged
            # ports (1025-65535) on the specified server. (Yes, I
            # realize in reality, there's an upstream DMZ firewall
            # blocking this functionality; this is simply an
            # architectural design, for now.)
            #'192.168.1.1' => { 'tcp' => "undef", },

            # Or, more generically:
            #'hostname_or_IP' => {
            #    'protocol_type' => [ portnumbers_as_list ],
            #},

        },

        'resources' => {

            # This hashtable contains a list of key, value pairs
            # that reflect the list of resources that the driver
            # will contact next. For browsers, this means URLs.
            # The (1) value is simply a numerical
            # placeholder that serves no purpose, for now.
            'http://www.mitre.org' => 1,
        },

        # Now, we expect HC::Manager to add this next key.
        # This sub-hashtable contains all the source IPs, ports,
        # and protocols that the VM will use to make its outbound
        # connection to remote resources.
        'sources' => {

            '00:04:23:08:7d:54' => { # The VM's MAC address.

                '10.0.0.128' => {    # The VM's internal IP.

                    # In most cases, a VM will only _have_ one
                    # NAT-ted IP.  However, this format allows for the
                    # remote possibility that a VM may have multiple
                    # virtual NICs or multiple IP aliases, in which case
                    # the VM may have multiple source IPs.

                    'tcp' => undef,

                    # We use the same protocol => port syntax as described
                    # before.  Again, if the value is 'undef', then that
                    # indicates that the VM may use any unprivileged port
                    # locally inside its OS, when initiating outbound
                    # communication to the remote resource.

                    'udp' => [ 23, 53, '80:1024', ],
                },
            },
        },
    },
};

I<Inputs>: 
B<$class> is the package name.
B<$hashref>

I<Output>: Return true if success or false if failure

=back

=begin testing

eval{
     diag("Testing addRule()...");
    $URL = HoneyClient::Manager::FW->init_fw();
    # Wait at least a second, in order to initialize the daemon.
    sleep 1;
    # Connect to daemon as a client.
    $stub = getClientHandle(namespace => "HoneyClient::Manager::FW");
    my $som  = $stub->fwInit($hashref);
    $som = $stub->addChain($hashref);
    $som = $stub->addRule($hashref);
    ok($som->result, "addRule() successfully passed and added a new rule.")   or diag("The addRule() call failed.");
    $som = $stub->_setAcceptPolicy();
    $som = $stub->_flushChains();
};

# Kill the child daemon, if it still exists.
HoneyClient::Manager::FW->destroy_fw();
sleep 1;

# Report any failure found.
if ($@) {
    fail($@);
    }

=end testing

=cut

sub addRules {
    use Time::HiRes qw(gettimeofday);

    #   my ( $class, $dest, $port, $source, $protocol, $vmnum ) = @_;
    my ($class)   = shift;
    my ($hashref) = shift;
    my $table     = IPTables::IPv4::init('filter');
    my ($log, $vin, $vout) = q{};
    my $counter = 0;
    my %rules   = ();

 #start represents the time at which we starting to time our addChain() function
    my $start = gettimeofday();

    # debugging options, automatically logs to logfile for review later
    $log =