def get_all_simple_path_new(self, rule, current_path):
"""
create a list of path in order to go from the source to the dest of the rule
:param rule: rule with the ip_source / port_source / port_dest / protocol / dest
:param current_path: an empty list to begin
:return: a list of list containing each element the packet go through
"""
path_list = []
if len(current_path) == 0:
current_path.append([
rule.ip_source[0], rule.ip_dest[0], rule.port_source,
rule.port_dest, rule.protocol
])
fw_ip_list = self.find_fw_from_ip(rule.ip_source[0])
for data in fw_ip_list:
new_rule = Rule(rule.identifier, rule.name, rule.protocol,
[data[1]], rule.port_source, rule.ip_dest,
rule.port_dest, Action(True))
tmp_path = list(current_path)
tmp_path.append(data[0])
tmp_list = self.get_all_simple_path_new(new_rule, tmp_path)
path_list += tmp_list
elif len(current_path) == 1:
print "error when searching path"
return
else:
current_fw = current_path[len(current_path) - 1]
# if prerouting insert here
datas = self.check_rule_fw(rule, current_fw)
if len(datas):
for data in datas:
check_end = False
tmp = list(current_path)
for fw_interface in current_fw.interfaces:
if fw_interface.network is not None:
tmp_ope = Operator("EQ", fw_interface.network)
final_ip = self.ip_operator_merge(data[1], tmp_ope)
if final_ip is not None:
tmp.append([
data[0], final_ip, data[2], data[3],
data[4]
])
path_list.append(tmp)
check_end = True
if not check_end:
routes_dests = self.find_routes(current_path, rule)
for route_dest in routes_dests:
rule.ip_dest = [routes_dests[1]]
fw_list = self.find_fw_from_intefarce(
route_dest[0].iface, current_fw)
for fw in fw_list:
tmp = list(current_path)
tmp.append(fw)
new_rule = Rule(0, "tmp_rule", data[4],
[data[0]], data[2], [data[1]],
data[3], Action(True))
tmp_list = self.get_all_simple_path_new(
new_rule, tmp)
path_list += tmp_list
return path_list
def init(name, raise_on_error=False):
# clear object variables
parser.object_dict.clear()
# init firewall
p_info['firewall'] = Firewall()
p_info['firewall'].name = name
p_info['firewall'].hostname = ntpath.basename(name)
p_info['firewall'].type = 'Iptables'
# create default acl
p_info['firewall'].acl.append(ACL('INPUT'))
p_info['firewall'].acl.append(ACL('FORWARD'))
p_info['firewall'].acl.append(ACL('OUTPUT'))
# init parser state
p_info['current_interface_name'] = None
p_info['used_object'] = set()
p_info['default_policy'] = dict()
p_info['default_policy']['INPUT'] = Action(True)
p_info['default_policy']['FORWARD'] = Action(True)
p_info['default_policy']['OUTPUT'] = Action(True)
p_info['current_chain'] = None
p_info['rule_id'] = 0
p_info['rule_list'] = []
p_info['rule_bind'] = dict()
p_info['current_rule'] = Rule(p_info['rule_id'], None, [], [], [], [], [],
Action(False))
p_info['rule_bind'][p_info['rule_id']] = [None, None]
p_info['current_table'] = None
# raise on error option
p_info['raise_on_error'] = raise_on_error
def p_action_reject2(p):
'''action_line : DENY SEMI_COLON'''
global parsing_level3, current_acl
if parsing_level3 == 'policy':
p_info['current_policy'].action = Action(False)
p_info['rules'].append(p_info['current_policy'])
current_acl.rules.append(p_info['current_policy'])
p_info['current_policy'] = Rule(0, "", [], [], [], [], [],
Action(False))
parsing_level3 = ''
def get_all_flows(self):
for flow in self.liststore:
current_rule = Rule(None, None, [], [], [], [], [], Action(False))
try:
if isinstance(flow[0], str) and len(flow[0]) != 0:
current_rule.identifier = int(flow[0])
if isinstance(flow[1], str) and len(flow[1]) != 0:
protocols = flow[1].split(',')
for protocol in protocols:
current_rule.protocol.append(
Operator('EQ', Protocol(protocol)))
if isinstance(flow[2], str) and len(flow[2]) != 0:
ips = flow[2].split(',')
for ip in ips:
if '/' in ip:
mask = ip[ip.index('/') + 1:]
ip = ip[:ip.index('/')]
current_rule.ip_source.append(
Operator(
'EQ', Ip(ip,
self.fromDec2Dotted(int(mask)))))
else:
current_rule.ip_source.append(
Operator('EQ', Ip(ip, '255.255.255.255')))
if isinstance(flow[3], str) and len(flow[3]) != 0:
ports = flow[3].split(',')
for port in ports:
current_rule.port_source.append(
Operator('EQ', Port(int(port))))
if isinstance(flow[4], str) and len(flow[4]) != 0:
ips = flow[4].split(',')
for ip in ips:
if '/' in ip:
mask = ip[ip.index('/') + 1:]
ip = ip[:ip.index('/')]
current_rule.ip_dest.append(
Operator(
'EQ', Ip(ip,
self.fromDec2Dotted(int(mask)))))
else:
current_rule.ip_dest.append(
Operator('EQ', Ip(ip, '255.255.255.255')))
if isinstance(flow[5], str) and len(flow[5]) != 0:
ports = flow[5].split(',')
for port in ports:
current_rule.port_dest.append(
Operator('EQ', Port(int(port))))
if flow[6] == 'deny':
current_rule.action = Action(False)
elif flow[6] == 'accept':
current_rule.action = Action(True)
except KeyError:
print 'error' #
self.flows.append(current_rule)
def get_rule_from_iptable_line(self, rule_line):
"""
get one iptable line and return a corresponding rule
This function need some improvement in order to manage every case
"""
action = Action(True) if rule_line[0] != "DROP" else Action(False)
if rule_line[3] == "anywhere":
ip_source = []
else:
if "/" not in rule_line[3]:
ip_source = [Operator("EQ", Ip(rule_line[3]))]
else:
ip_source = [
Operator(
'EQ',
Ip(rule_line[3].split('/')[0],
fromDec2Dotted(int(rule_line[3].split('/')[1]))))
]
if rule_line[4] == "anywhere":
ip_dest = []
else:
if "/" not in rule_line[4]:
ip_dest = [Operator("EQ", Ip(rule_line[4]))]
else:
ip_dest = [
Operator(
'EQ',
Ip(rule_line[4].split('/')[0],
fromDec2Dotted(int(rule_line[4].split('/')[1]))))
]
port_source = []
port_dest = []
protocol = [] if rule_line[1] == "all" else [
Operator("EQ", Protocol(rule_line[1]))
]
if len(rule_line) >= 7:
if "spt" in rule_line[6]:
port_source.append(Operator("EQ", Port(rule_line[6][4:-1])))
elif "dpt" in rule_line[6]:
port_dest.append(Operator("EQ", Port(rule_line[6][4:-1])))
elif "multiport" in rule_line:
tmp_idx = rule_line.index("multiport")
if rule_line[tmp_idx + 1] == "dports":
ports_dest_list = rule_line[tmp_idx + 2].split(",")
for tmp_port_dest in ports_dest_list:
port_dest.append(Operator("EQ", Port(tmp_port_dest)))
else:
tmp_line = ""
for tmp_elem in rule_line:
tmp_line += " " + tmp_elem
print tmp_line
return Rule(0, "", protocol, ip_source, port_source, ip_dest,
port_dest, action)
def finish():
acls = {}
index = 0
for fw in firewalls:
acls[fw['name']] = []
for rule in rules:
p_info['current_rule'] = Rule(None, None, [], [], [], [], [],
Action(False))
p_info['current_rule'].identifier = index
index += 1
if rule['action'] == 'accept':
p_info['current_rule'].action = Action(True)
elif rule['action'] == 'drop':
p_info['current_rule'].action = Action(False)
p_info['current_rule'].name = rule['name'] if rule[
'name'] else 'Rule' + str(index)
if rule['src']:
for s in rule['src']:
finish_src(s)
for s in rule['dst']:
finish_dst(s)
for s in rule['services']:
finish_serv(s)
if len(rule['install']) > 0:
for elt in rule['install']:
if elt == 'Gateways':
for k in acls.keys():
acls[k].append(p_info['current_rule'])
elif acls.has_key(elt):
acls[elt].append(p_info['current_rule'])
fill_unused_obj()
for obj in object_dict:
if obj['type'] in {
'host', 'gateway', 'gateway_cluster', 'network',
'dynamic_net_obj'
} and obj.has_key('ipaddr'):
fill_obj_dict_netobj(obj)
elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'}:
fill_obj_dict_serv1(obj)
elif obj['type'] in {'other', 'Other'}:
if obj.has_key('protocol'):
fill_obj_dict_serv2(obj)
elif obj['type'] in {
'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf',
'OSPF', 'Ospf'
}:
fill_obj_dict_serv3(obj)
finish_fw(acls)
del firewalls[:]
def get_general_rule(self, node):
"""
Return a rule in accords with the policy
"""
rule = None
txt = node.data_list[0][2] + " " + node.data_list[0][3]
if txt == "(policy DROP)\n":
rule = Rule(self.instance.identifier, "all", [], [], [], [], [],
Action(False))
self.instance.identifier += 1
elif txt == "(policy ACCEPT)\n":
rule = Rule(self.instance.identifier, "all", [], [], [], [], [],
Action(False))
self.instance.identifier += 1
return rule
def init(name, raise_on_error=False):
global i, j, k, cptr, current_rule, d, nd
i, j, k, cptr = 0, 0, 0, 0
current_rule = {
'index': None,
'action': None,
'src': [],
'dst': [],
'install': [],
'services': []
}
p_info['firewall_list'] = []
p_info['name'] = name
p_info['hostname'] = ntpath.basename(name)
p_info['current_rule'] = Rule(None, None, [], [], [], [], [],
Action(False))
p_info['firewall'] = Firewall()
del object_dict[:], firewalls[:], used_objects[:], rules[:]
d = {
'host': list(),
'port': list(),
'protocol': list(),
'machines_range': list(),
'netobj': list()
}
nd = {
'host': list(),
'port': list(),
'protocol': list(),
'machines_range': list(),
'netobj': list()
}
def init(name, raise_on_error=False):
object_dict.clear()
p_info['firewall'] = Firewall()
p_info['firewall'].name = name
p_info['firewall'].hostname = ntpath.basename(name)
p_info['firewall'].type = 'Juniper Netscreen'
p_info['current_policy'] = Rule(0, "", [], [], [], [], [], Action(False))
p_info['context_policy'] = Rule(0, "", [], [], [], [], [], Action(False)),
p_info['policy_zone_src'] = None
p_info['policy_zone_dst'] = None
p_info['current_object'] = []
p_info['used_object'] = set()
p_info['policy_context'] = 0
p_info['index_rule'] = -1
p_info['default_permit_all'] = False
p_info['raise_on_error'] = raise_on_error
def insert_rule():
if p_info['policy_zone_src'] and p_info['policy_zone_dst']:
acl = p_info['firewall'].get_acl_by_name(p_info['policy_zone_src'] +
'-' +
p_info['policy_zone_dst'])
if not acl:
acl = ACL(p_info['policy_zone_src'] + '-' +
p_info['policy_zone_dst'])
p_info['firewall'].acl.append(acl)
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(
acl, p_info['firewall'],
p_info['firewall'].get_interface_by_name(
p_info['policy_zone_src']),
p_info['firewall'].get_interface_by_name(
p_info['policy_zone_dst']))
if p_info['index_rule'] != -1:
acl.rules.insert(p_info['index_rule'], p_info['current_policy'])
else:
acl.rules.append(p_info['current_policy'])
else:
for acl in p_info['firewall'].acl:
acl.rules.append(p_info['current_policy'])
p_info['current_policy'] = Rule(0, "", [], [], [], [], [], Action(False))
p_info['policy_zone_src'] = None
p_info['policy_zone_dst'] = None
p_info['index_rule'] = -1
def p_edit_line(p):
'''edit_line : EDIT NUMBER
| EDIT WORD'''
if get_state() == 'vdom':
finish() # finish
restore_or_create_fw(p[2]) # reset to a new firewall
elif get_state() == 'policy':
p_info['current_rule'] = Rule(int(p[2]), None, [], [], [], [], [],
Action(False))
p_info['srcintf'] = []
p_info['dstintf'] = []
elif get_state() in ('address', 'address_group', 'service',
'service_group'):
object_dict[remove_quote(p[2])] = []
p_info['current_object'] = remove_quote(p[2])
p_info['range_ip'] = None
p_info['range_port'] = None
elif get_state() == 'interface':
p_info['current_interface'] = Interface(remove_quote(p[2]), None, None,
[])
p_info['interface_list'].append([p_info['current_interface'], None])
elif get_state() == 'zone':
p_info['zone_list'][remove_quote(p[2])] = []
p_info['current_zone'] = remove_quote(p[2])
elif parsing_route == True:
p_info['current_route'].id = int(p[2])
def p_policy_name_line2(p):
'''policy_name_line : POLICY NUMBER WORD LBRACKET'''
global parsing_level3, cptr
cptr += 1
parsing_level3 = 'policy'
p_info['current_policy'] = Rule(p[2] + p[3], p[2] + p[3], [], [], [], [],
[], Action(False))
def finish():
p_info['firewall'].dictionnary = dict(object_dict)
for k in object_dict:
if k not in p_info['used_object']:
p_info['firewall'].unused_objects.add(k)
if p_info['default_permit_all']:
for acl in p_info['firewall'].acl:
acl.rules.append(
Rule(-1, 'default', [], [], [], [], [], Action(True)))
def finish():
acls = {}
for rule in rules:
p_info['current_rule'] = Rule(None, None, [], [], [], [], [],
Action(False))
p_info['current_rule'].identifier = rule['index']
if rule['action'] == 'accept':
p_info['current_rule'].action = Action(True)
elif rule['action'] == 'drop':
p_info['current_rule'].action = Action(False)
p_info['current_rule'].name = 'Rule-' + rule['index']
if rule['src']:
for s in rule['src']:
finish_src(s)
for s in rule['dst']:
finish_dst(s)
for s in rule['services']:
finish_serv(s)
if acls.has_key(rule['install'][0]):
acls[rule['install'][0]].append(p_info['current_rule'])
else:
acls[rule['install'][0]] = []
acls[rule['install'][0]].append(p_info['current_rule'])
fill_unused_obj()
for obj in object_dict:
if obj['type'] in {
'host', 'gateway', 'gateway_cluster', 'network', 'bogus_ip'
}:
fill_obj_dict_netobj(obj)
elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'}:
fill_obj_dict_serv1(obj)
elif obj['type'] in {'other', 'Other'}:
fill_obj_dict_serv2(obj)
elif obj['type'] in {
'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf',
'OSPF', 'Ospf'
}:
fill_obj_dict_serv3(obj)
finish_fw(acls)
del firewalls[:]
def init(name, raise_on_error=False):
object_dict.clear()
p_info['firewall'] = Firewall()
p_info['firewall'].name = name
p_info['firewall'].hostname = ntpath.basename(name)
p_info['firewall'].type = 'Cisco Asa'
p_info['interface_state'] = False
p_info['current_interface'] = None
p_info['object_name'] = None
p_info['used_object'] = set()
p_info['bounded_rules'] = set()
p_info['rule_id'] = 0
p_info['rule_list'] = []
p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False))
p_info['index_rule'] = 0
p_info['global_rules'] = []
p_info['raise_on_error'] = raise_on_error
def _init(vdom):
object_dict.clear()
p_info['firewall'] = Firewall()
p_info['firewall'].name = p_info['name']
p_info['firewall'].hostname = p_info['hostname'] + ('-' +
vdom if vdom else '')
p_info['firewall'].type = 'Fortinet FortiGate'
p_info['vdom'] = vdom
p_info['srcintf'] = []
p_info['dstintf'] = []
p_info['used_object'] = set()
p_info['bounded_rules'] = set()
p_info['current_rule'] = Rule(None, None, [], [], [], [], [],
Action(False))
p_info['current_interface'] = Interface(None, None, None, [])
p_info['current_object'] = None
p_info['range_ip'] = None
p_info['range_port'] = None
p_info['route_list'] = []
p_info['current_route'] = Route(None, None, None, None, None, 1)
p_info['index_route'] = 0
def search_rules(self, rule, operator, action, tree_path):
"""Deep search option.
Reparse all rules corresponding to the anomaly.
Parameters
----------
rule : Rule. The rule to compare
operator : Bdd.Operator. The operation to perform
action : Bool or None. Filter rules having this action
path : the current tested path
index_path : the current position of the rule in the current path"""
error_rules = deque()
parent = tree_path[0]
for i in xrange(1, len(tree_path)):
if self.cancel:
break
if len(tree_path[i]) > 1:
error_rules += self.search_rules(rule, operator, action,
tree_path[i])
acl_list = NetworkGraph.NetworkGraph().get_acl_list(
src=tree_path[i][0], dst=parent)
for acl in acl_list:
for rule_path in acl.get_rules_path():
for r, a in rule_path:
rule_action = r.action.chain if isinstance(
r.action.chain, bool) else a
if action is not None and rule_action != action:
continue
if compare_bdd(rule.toBDD(), operator, r.toBDD()):
error_rules.append(r)
if not error_rules:
deny_rule = Rule(-1, 'probably implicit deny', [], [], [], [], [],
Action(False))
if not action and compare_bdd(rule.toBDD(), operator,
deny_rule.toBDD()):
error_rules.append(deny_rule)
return error_rules
def p_hyphen_line(p):
'''hyphen_line : DBL_HYPHEN'''
p_info['rule_list'].append(p_info['current_rule'])
p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(False))
def init():
p_info['rule_list'] = []
p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(True))
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from Parser.ply import yacc
from Parser.QueryPathParser.QueryPathLex import tokens
from Parser.QueryPathParser.QueryPathLex import lexer
from SpringBase.Rule import Rule
from SpringBase.Operator import Operator
from SpringBase.Protocol import Protocol
from SpringBase.Ip import Ip
from SpringBase.Port import Port
from SpringBase.Action import Action
p_info = {
'rule_list': [],
'current_rule': Rule(0, '', [], [], [], [], [], Action(True)),
}
def init():
p_info['rule_list'] = []
p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(True))
def get_query():
p_info['rule_list'].append(p_info['current_rule'])
return p_info['rule_list']
def p_lines(p):
'''lines : line
def p_policy_set_line_2(p):
'''policy_set_line : SET ACTION DENY'''
if get_state() == 'policy':
p_info['current_rule'].action = Action(False)
def p_policy_set_line_1(p):
'''policy_set_line : SET ACTION ACCEPT'''
if get_state() == 'policy':
p_info['current_rule'].action = Action(True)
def p_target2(p):
'''target : DROP'''
p[0] = Action(False)
# Use for construct dictionary of object and object group
object_dict = {}
parsing_route = False
parsing_ipsec = False
# Use for detect state
p_info = {
'firewall_list': [],
'firewall': Firewall(),
'vdom': None,
'name': None,
'hostname': None,
'srcintf': [],
'dstintf': [],
'used_object': set(),
'bounded_rules': set(),
'current_rule': Rule(None, None, [], [], [], [], [], Action(False)),
'current_interface': Interface(None, None, None, []),
'current_object': None,
'current_state': [],
'range_ip': None,
'range_port': None,
'raise_on_error': False,
'use_vdom': False,
'interface_list': [],
'zone_list': {},
'current_zone': None,
'route_list': [],
'current_route': Route(None, None, None, None, None, 1),
'index_route': 0,
}
def p_target4(p):
'''target : RETURN'''
p[0] = Action('RETURN')
def p_target1(p):
'''target : ACCEPT'''
p[0] = Action(True)
zones = []
current_acl = ACL(None)
current_iface = Interface(None)
current_sub_iface = Interface(None)
ifaces = []
# Use for construct dictionary of object and object group
object_dict = {}
# Use for detect state
p_info = {
'firewall': Firewall(),
'current_policy': Rule(0, "", [], [], [], [], [], Action(False)),
'context_policy': Rule(0, "", [], [], [], [], [], Action(False)),
'policy_zone_src': None,
'policy_zone_dst': None,
'current_object': None,
'used_object': set(),
'policy_context': 0,
'index_rule': -1,
'default_permit_all': False,
'raise_on_error': False,
'route_list': [],
'current_route': Route(None, None, None, None, None, 1),
'index_route': 0,
'rules': [],
}
def p_action_2(p):
'''action : DENY'''
p_info['current_rule'].action = Action(False)
def p_action_1(p):
'''action : ACCEPT'''
p_info['current_rule'].action = Action(True)
def p_target5(p):
'''target : WORD'''
if p_info['current_table'] == 'filter':
p[0] = Action(find_chain_by_name(p[1]))
