def RonoQuarantineTest (ndmz, nhosts, nquarantine):
"""Some random real world test"""
firewall = 'f'
fw_address = 'ip_f'
quarantine_test_host = 'q0'
quarantine_test_addr = 'ip_q0'
host_addresses = ['ip_h%d'%(i) for i in xrange(nhosts)]
quarantine_addresses = ['ip_q%d'%(i) for i in xrange(1, nquarantine)]
outside = 'o'
outside_address = 'ip_o'
nodes = [firewall, quarantine_test_host, outside]
addresses = [fw_address, quarantine_test_addr, outside_address]
addresses.extend(quarantine_addresses)
addresses.extend(host_addresses)
ctx = components.Context(nodes, addresses)
net = components.Network (ctx)
outside = components.EndHost(getattr(ctx, outside), net, ctx)
quarantine_test_host = components.EndHost(getattr(ctx, quarantine_test_host), net, ctx)
firewall = components.LearningFirewall(getattr(ctx, firewall), net, ctx)
outside_address = getattr(ctx, outside_address)
fw_address = getattr(ctx, fw_address)
quarantine_test_addr = getattr(ctx, quarantine_test_addr)
#net.SetGateway(outside, firewall)
#net.SetGateway(dmz_test_host, firewall)
net.RoutingTable(firewall, [(outside_address, outside), \
(quarantine_test_addr, quarantine_test_host)])
net.RoutingTable(outside, [(outside_address, outside),
(quarantine_test_addr, firewall)])
net.RoutingTable(quarantine_test_host, [(outside_address, firewall),
(quarantine_test_addr, quarantine_test_host)])
net.setAddressMappings([(outside, outside_address), \
(firewall, fw_address), \
(quarantine_test_host, quarantine_test_addr)])
firewall.AddAcls([(quarantine_test_addr, outside_address), \
(outside_address, quarantine_test_addr)])
for ad in quarantine_addresses:
ad = getattr(ctx, ad)
firewall.AddAcls([(ad, outside_address), (outside_address, ad)])
for ad in host_addresses:
ad = getattr(ctx, ad)
firewall.AddAcls([(outside_address, ad)])
net.Attach(outside, quarantine_test_host, firewall)
class QuarantineRet (object):
def __init__ (self, outside, quarantine, fw, ctx, net):
self.outside = outside
self.quarantine = quarantine
self.fw = fw
self.ctx = ctx
self.net = net
self.check = components.PropertyChecker(ctx, net)
return QuarantineRet(outside, quarantine_test_host, firewall, ctx, net)
def ErroneousProxy ():
ctx = components.Context(['a', 'b', 'p'], \
['ip_a', 'ip_b', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
p = components.ErroneousAclWebProxy(ctx.p, net, ctx)
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(p, ctx.ip_p)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_p, p)])
net.Attach(a, b, p)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, p):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.p = p
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, p)
def TrivialCtrExample ():
ctx = components.Context(['a', 'b', 'c'], \
['ip_a', 'ip_b', 'ip_c'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.NetworkCounter(ctx.c, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, c)])
net.RoutingTable(b, [(ctx.ip_a, c), \
(ctx.ip_b, b)])
net.RoutingTable(c, [(ctx.ip_a, a), \
(ctx.ip_b, b)])
net.Attach(a, b, c)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, c)
def TrivialWanOptimizerDeOptimizer():
ctx = components.Context(['a', 'b', 'w0', 'w1'], \
['ip_a', 'ip_b', 'ip_w0', 'ip_w1'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
gzip = components.CompressionAlgorithm('gzip')
ctx.AddPolicy(gzip)
w0 = components.WanOptimizer(gzip.compress, ctx.w0, net, ctx)
w1 = components.WanOptimizer(gzip.decompress, ctx.w1, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(w0, ctx.ip_w0), \
(w1, ctx.ip_w1)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, w0)])
net.RoutingTable(b, [(ctx.ip_a, w0), \
(ctx.ip_b, b)])
net.RoutingTable(w0, [(ctx.ip_a, w1), \
(ctx.ip_b, w1)])
net.RoutingTable(w1, [(ctx.ip_a, a), \
(ctx.ip_b, b)])
net.Attach(a, b, w0, w1)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, w0, w1):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.w0 = w0
self.w1 = w1
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, w0, w1)
def AclContentCacheSimpleTest ():
"""ACL content cache test"""
ctx = components.Context (['a', 'b', 'cc'],\
['ip_a', 'ip_b', 'ip_cc'])
net = components.Network (ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
cc = components.AclContentCache(ctx.cc, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(cc, ctx.ip_cc)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_cc]
net.RoutingTable(a, [(x, cc) for x in addresses])
net.RoutingTable(b, [(x, cc) for x in addresses])
net.RoutingTable(cc, [(ctx.ip_a, a), \
(ctx.ip_b, b)])
endhosts = [a, b]
cc.AddAcls([(ctx.ip_a, ctx.ip_b)])
endhosts = [a, b]
net.Attach(a, b, cc)
class AclContentCacheSimpleReturn (object):
def __init__ (self, net, ctx, a, b, cc):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.cc = cc
self.check = components.PropertyChecker (ctx, net)
return AclContentCacheSimpleReturn(net, ctx, a, b, cc)
def dpiFwRono(sz):
"""DPI Firewall. Everything is UNSAT since no bad packets make it through"""
other_nodes = ['n_%d' % (x) for x in xrange(sz)]
nodes = ['a', 'b', 'c', 'd', 'fw', 'w']
nodes.extend(other_nodes)
addresses = ['ip_%s' % (n) for n in nodes]
ctx = components.Context (nodes,\
addresses)
dpi_policy = components.DPIPolicy('dpi')
ctx.AddPolicy(dpi_policy)
comp = components.CompressionAlgorithm('gzip')
ctx.AddPolicy(comp)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.IPS(dpi_policy, ctx.fw, net, ctx)
w = components.WanOptimizer(comp.compress, ctx.w, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(w, ctx.ip_w), \
(fw, ctx.ip_fw)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_fw]
net.SetIsolationConstraint(a, [fw, w])
net.SetIsolationConstraint(b, [fw, w])
net.SetIsolationConstraint(c, [fw, w])
net.SetIsolationConstraint(d, [fw, w])
net.SetIsolationConstraint(w, [fw])
net.RoutingTable(a, [(x, w) for x in addresses])
net.RoutingTable(b, [(x, w) for x in addresses])
net.RoutingTable(c, [(x, w) for x in addresses])
net.RoutingTable(d, [(x, w) for x in addresses])
net.RoutingTable(w, [(ctx.ip_a, fw), \
(ctx.ip_b, fw), \
(ctx.ip_c, fw), \
(ctx.ip_d, fw)])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
nodes = {'a': a, 'b': b, 'c': c, 'd': d, 'w': w, 'fw': fw}
net.Attach(*nodes.values())
class DPIReturn(object):
def __init__(self, net, ctx, dpi_policy, comp, **nodes):
self.net = net
self.ctx = ctx
self.dpi_policy = dpi_policy
self.comp = comp
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return DPIReturn(net, ctx, dpi_policy, comp, **nodes)
def TrivialLbalancer():
ctx = components.Context(['a', 'b', 'f', 'l'], \
['ip_a', 'ip_b', 'ip_f', 'ip_l'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
l = components.LoadBalancer(ctx.l, net, ctx)
f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(f, ctx.ip_f), \
(l, ctx.ip_l)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, l)])
net.RoutingTable(b, [(ctx.ip_a, l), \
(ctx.ip_b, b)])
net.RoutingTable(l, [(ctx.ip_a, [f, a]), \
(ctx.ip_b, [f, b])])
net.RoutingTable(f, [(ctx.ip_a, a), \
(ctx.ip_b, b)])
net.Attach(a, b, l, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, l, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.l = l
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, l, f)
def L7FirewallProxy():
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
f = components.HTTPFirewall(ctx.f, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
net.SetIsolationConstraint(a, [p, b])
net.SetIsolationConstraint(b, [p, a])
net.SetIsolationConstraint(c, [f])
net.SetIsolationConstraint(f, [p, c])
net.SetIsolationConstraint(p, [a, b, f])
f.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_c, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.f = f
self.p = p
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, c, p, f)
def LSRRFwTriv (sz):
assert (sz >= 1)
endhosts = ['e0', 'e1']
lsrr_boxes = ['l_%d'%(l) for l in xrange(0, sz)]
firewall = ['f']
nodes = list()
nodes.extend(endhosts)
nodes.extend(lsrr_boxes)
nodes.extend(firewall)
addresses = ['ip_%s'%(c) for c in nodes]
ctx = components.Context(nodes, \
addresses)
net = components.Network(ctx)
# Register something that tells us about LSRR
ip_lsr_field = components.LSRROption ('ip_lsr', ctx)
ctx.AddPolicy (ip_lsr_field)
e0 = components.EndHost(ctx.e0, net, ctx)
e1 = components.EndHost(ctx.e1, net, ctx)
## Yeah I can put this in a list etc., doing it this way mostly for no good reason.
#a = components.LSRRRouter (ctx.a, ip_lsr_field, net, ctx)
#b = components.LSRRRouter (ctx.b, ip_lsr_field, net, ctx)
lsrrs = [components.LSRRRouter (getattr(ctx, n), ip_lsr_field, net, ctx) for n in lsrr_boxes]
lsrr_addresses = [getattr(ctx, 'ip_%s'%(l.z3Node)) for l in lsrrs]
f = components.AclFirewall (ctx.f, net, ctx)
address_mappings = [(e0, ctx.ip_e0), \
(e1, ctx.ip_e1), \
(f, ctx.ip_f)]
lsrr_address_mappings = zip(lsrrs, lsrr_addresses)
address_mappings.extend(lsrr_address_mappings)
net.setAddressMappings(address_mappings)
routing_table_base = zip(lsrr_addresses, lsrrs)
routing_table_base.append((ctx.ip_e0, e0))
net.SetGateway(e1, f)
f.AddAcls([(ctx.ip_e0, ctx.ip_e1)])
f.AddAcls([(a, ctx.ip_e1) for a in lsrr_addresses[:-1]])
f_routing_table = list(routing_table_base)
f_routing_table.append((ctx.ip_e1, e1))
net.RoutingTable(f, f_routing_table)
routing_table_base.append((ctx.ip_e1, f))
net.RoutingTable(e0, routing_table_base)
for l in lsrrs:
net.RoutingTable(l, routing_table_base)
net.Attach(e0, e1, f, *lsrrs)
class LSRRReturn (object):
def __init__ (self, net, ctx, e0, e1, f, lsrrs):
self.net = net
self.ctx = ctx
self.e0 = e0
self.e1 = e1
self.f = f
self.lsrrs = lsrrs
self.check = components.PropertyChecker (ctx, net)
return LSRRReturn (net, ctx, e0, e1, f, lsrrs)
def AclProxyMultiFw ():
"""This is really just a version of ErroneousProxyMultiFw with AclFirewall. As shown by that function there really isn't a
way to violate isolation here. Here by using something that is path independent we can prove things without really having to deal
with any of the other things"""
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint (a, [p])
net.SetIsolationConstraint (b, [p])
net.SetIsolationConstraint (p, [a, b, f])
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, c, p, f)
def NumNodesTest(size):
fws = ['f_%d' % (f) for f in xrange(0, size)]
# Start with 4 end hosts
end_hosts = ['e_%d' % (e) for e in xrange(2)]
all_nodes = []
all_nodes.extend(end_hosts)
all_nodes.extend(fws)
addresses = ['ip_%s' % (n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
end_hosts = [
components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts
]
firewalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws
]
[e0, e1] = end_hosts
all_node_objects = []
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, ad) for ad in addresses]
address_mappings = [(ob, ad)
for (ob, ad) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_mappings)
# This is a test that can be used for both positive and negative testing; one pair
# of endhosts are allowed to send the other isn't
acl_policy = [(ctx.ip_e_0, ctx.ip_e_1), (ctx.ip_e_1, ctx.ip_e_0)]
for fw in firewalls:
fw.AddAcls(acl_policy)
"""Topology
f0
/ \
e0 e1"""
routing_table = [(ctx.ip_e_0, e0), \
(ctx.ip_e_1, e1)]
net.RoutingTable(firewalls[0], routing_table)
for e in end_hosts:
routing_table = [(ctx.ip_e_0, firewalls[0] if e != e0 else e0), \
(ctx.ip_e_1, firewalls[0] if e != e1 else e1)]
net.RoutingTable(e, routing_table)
net.Attach(*all_node_objects)
node_dict = dict(zip(all_nodes, all_node_objects))
class NumFwResult(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return NumFwResult(net, ctx, **node_dict)
def LoadBalancerFw (size):
assert(size > 1)
firewalls = ['f_%d'%(f) for f in xrange(size)]
endhosts = ['e_%d'%(e) for e in xrange(4)]
lbalancers = ['l_%d'%(l) for l in xrange(4)]
all_nodes = list()
all_nodes.extend(firewalls)
all_nodes.extend(endhosts)
all_nodes.extend(lbalancers)
addresses = ['ip_%s'%(n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
endhosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in endhosts]
[e0, e1, e2, e3] = endhosts
firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls]
lbalancers = [components.LoadBalancer(getattr(ctx, l), net, ctx) for l in lbalancers]
all_node_objects = list()
all_node_objects.extend(firewalls)
all_node_objects.extend(endhosts)
all_node_objects.extend(lbalancers)
addresses = [getattr(ctx, a) for a in addresses]
address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_map)
for i in xrange(4):
net.SetIsolationConstraint(endhosts[i], [lbalancers[i]])
lbalancer_nbr = [endhosts[i]]
lbalancer_nbr.extend(firewalls)
net.SetIsolationConstraint(lbalancers[i], lbalancer_nbr)
lbalancer_routing = [(getattr(ctx, 'ip_%s'%(endhosts[j].z3Node)), firewalls) \
for j in xrange(4) if j != i]
lbalancer_routing.append((getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), endhosts[i]))
net.RoutingTable(lbalancers[i], lbalancer_routing)
fw_routing_table = [(getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), lbalancers[i]) for i in xrange(4)]
for fw in firewalls:
net.RoutingTable(fw, fw_routing_table)
net.SetIsolationConstraint(fw, lbalancers)
fw.AddAcls([(ctx.ip_e_0, ctx.ip_e_1), \
(ctx.ip_e_2, ctx.ip_e_3)])
net.Attach(*all_node_objects)
class LoadBalancerFwReturn (object):
def __init__ (self, net, ctx, **objdict):
self.net = net
self.ctx = ctx
for k, v in objdict.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker (ctx, net)
return LoadBalancerFwReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
def PolicyScaleWithBranch(naddress, nbranches):
nodes = ['a', 'b']
firewalls = ['f_%d' % (f) for f in xrange(nbranches)]
nodes.extend(firewalls)
a_address = ['ip_a%d' % (a) for a in xrange(naddress)]
b_address = ['ip_b%d' % (b) for b in xrange(naddress)]
firewall_addresses = ['ip_%s' % (f) for f in firewalls]
addresses = list()
addresses.extend(firewall_addresses)
addresses.extend(a_address)
addresses.extend(b_address)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
fwalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
net.SetIsolationConstraint(a, fwalls)
net.SetIsolationConstraint(b, fwalls)
for f in fwalls:
net.SetIsolationConstraint(f, [a, b])
a_addrs = map(lambda ad: getattr(ctx, ad), a_address)
b_addrs = map(lambda ad: getattr(ctx, ad), b_address)
admappings = zip(fwalls, [getattr(ctx, ad) for ad in firewall_addresses])
admappings.extend([(a, a_addrs), \
(b, b_addrs)])
net.setAddressMappings(admappings)
f_routing_table = [(addr, a) for addr in a_addrs]
f_routing_table.extend([(addr, b) for addr in b_addrs])
for f in fwalls:
net.RoutingTable(f, f_routing_table)
acls = list(itertools.product(a_addrs, b_addrs))
for f in fwalls[:-1]:
f.AddAcls(acls)
fwalls[-1].AddAcls(acls[:-1])
net.Attach(a, b, *fwalls)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, fwalls)
def DropEverythingTest(ndmz, nhosts, nquarantine):
"""Some random real world test"""
dpi = 'f'
fw_address = 'ip_f'
dmz_test_host = 'd1'
dmz_test_addr = 'ip_d1'
host_addresses = ['ip_h%d' % (i) for i in xrange(nhosts)]
quarantine_addresses = ['ip_q%d' % (i) for i in xrange(nquarantine)]
outside = 'o'
outside_address = 'ip_o'
nodes = [dpi, dmz_test_host, outside]
addresses = [fw_address, dmz_test_addr, outside_address]
addresses.extend(quarantine_addresses)
addresses.extend(host_addresses)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
outside = components.EndHost(getattr(ctx, outside), net, ctx)
dmz_test_host = components.EndHost(getattr(ctx, dmz_test_host), net, ctx)
dpi = components.DropAll(getattr(ctx, dpi), net, ctx)
outside_address = getattr(ctx, outside_address)
fw_address = getattr(ctx, fw_address)
dmz_test_addr = getattr(ctx, dmz_test_addr)
net.RoutingTable(dpi, [(outside_address, outside), \
(dmz_test_addr, dmz_test_host)])
net.RoutingTableWithFailure(outside, [(outside_address, lambda t: True, outside), \
(dmz_test_addr, components.not_failed(dpi), dpi), \
(dmz_test_addr, components.failed(dpi), dmz_test_host)])
net.RoutingTableWithFailure(dmz_test_host, [(outside_address, components.not_failed(dpi), dpi),\
(outside_address, components.failed(dpi), outside),
(dmz_test_addr, lambda t: True, dmz_test_host)])
net.setAddressMappings([(outside, outside_address), \
(dpi, fw_address), \
(dmz_test_host, dmz_test_addr)])
net.Attach(outside, dmz_test_host, dpi)
class DMZRet(object):
def __init__(self, outside, dmz, fw, ctx, net):
self.outside = outside
self.dmz = dmz
self.fw = fw
self.ctx = ctx
self.net = net
self.check = components.PropertyChecker(ctx, net)
return DMZRet(outside, dmz_test_host, dpi, ctx, net)
def ErroneousProxyMultiFwPi():
"""This is really just the policy version of ErroneousProxyMultiFw. As shown by that function there really isn't a
way to violate isolation here. However by virtue of the policy not being path independent we cannot prove or
disprove anything interesting here."""
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
# c = components.EndHost(ctx.c, net, ctx)
p = components.ErroneousAclWebProxy(ctx.p, net, ctx)
# f = components.AclFirewall(ctx.f, net, ctx)
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
# f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)])
net.SetIsolationConstraint(a, [p])
net.SetIsolationConstraint(b, [p])
net.SetIsolationConstraint(p, [a, b, ctx.f])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(ctx.c, ctx.ip_c), \
(p, ctx.ip_p), \
(ctx.f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
#(ctx.ip_c, ctx.f), \
(ctx.ip_p, p)])
net.Attach(a, b, p)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker(ctx, net)
self.participants = [a, b, p]
return TrivialReturn(net, ctx, a, b, ctx.c, p, ctx.f)
def TwoLearningFw():
""" A proxy and two firewalls. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw1', 'fw2', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f1', 'ip_f2', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw1, ctx.ip_f1), \
(fw2, ctx.ip_f2), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f1, ctx.ip_f2]
net.RoutingTable(a, [(x, fw1) for x in addresses])
net.RoutingTable(b, [(x, fw1) for x in addresses])
net.RoutingTable(c, [(x, fw2) for x in addresses])
net.RoutingTable(d, [(x, fw2) for x in addresses])
net.RoutingTable(fw1, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p), \
(ctx.ip_f2, p)])
net.RoutingTable(fw2, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f1, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw1), \
(ctx.ip_b, fw1), \
(ctx.ip_c, fw2), \
(ctx.ip_d, fw2), \
(ctx.ip_f1, fw1), \
(ctx.ip_f2, fw2)])
fw1.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
fw2.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_d, ctx.ip_b)])
net.Attach(a, b, c, d, fw1, fw2, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def NumPolicyNodesTest2 (size):
fws = ['f_%d'%(f) for f in xrange(0, 1)]
# Start with 2 end hosts
end_hosts = ['e_%d'%(e) for e in xrange(0, 2)]
other_nodes = ['o_%d'%(o) for o in xrange(0, size)]
all_nodes = []
all_nodes.extend(end_hosts)
all_nodes.extend(fws)
all_nodes.extend(other_nodes)
all_visible_nodes = []
all_visible_nodes.extend(end_hosts)
all_visible_nodes.extend(fws)
addresses = ['ip_e_0', 'ip_e_1', 'ip_f_0']
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
end_hosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts]
firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws]
[e0, e1] = end_hosts
all_node_objects = []
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, ad) for ad in addresses]
address_mappings = [(ob, ad) for (ob, ad) in zip([e0, e1, firewalls[0]], addresses)]
net.setAddressMappings(address_mappings)
firewalls[0].AddAcls ([(ctx.ip_e_0, ctx.ip_e_1), \
(ctx.ip_e_1, ctx.ip_e_0)])
"""Topology
e0 e1
\ /
d0 """
for e in [end_hosts[0], end_hosts[1]]:
net.SetGateway(e, firewalls[0])
#net.SetIsolationConstraint (firewalls[0], end_hosts)
routing_table = [(ctx.ip_e_0, e0), \
(ctx.ip_e_1, e1)]
net.RoutingTable(firewalls[0], routing_table)
net.Attach(*all_node_objects)
node_dict = dict(zip(all_visible_nodes, all_node_objects))
class NumPolicyResult (object):
def __init__ (self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.participants = nodes.values()
self.check = components.PropertyChecker (ctx, net)
return NumPolicyResult (net, ctx, **node_dict)
def LinkTraversalScaling(size):
firewalls = ['f0', 'f1', 'f2', 'f3']
fw_addresses = ['ip_f0', 'ip_f1', 'ip_f2', 'ip_f3']
assert (size > 2)
hosts = ['e%d' % (n) for n in xrange(size)]
host_addresses = ['ip_%s' % (h) for h in hosts]
nodes = list(firewalls)
nodes.extend(hosts)
addresses = list(fw_addresses)
addresses.extend(host_addresses)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
[f0, f1, f2, f3] = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
[ip_f0, ip_f1, ip_f2, ip_f3] = [getattr(ctx, f) for f in fw_addresses]
hosts = [components.EndHost(getattr(ctx, h), net, ctx) for h in hosts]
host_addresses = [getattr(ctx, h) for h in host_addresses]
addr_mapping = list(zip(hosts, host_addresses))
addr_mapping.extend([(f0, ip_f0), (f1, ip_f1), (f2, ip_f2), (f3, ip_f3)])
net.setAddressMappings(addr_mapping)
endhost_routing = [(h, f0) for h in host_addresses]
for h in hosts:
net.RoutingTable(h, endhost_routing)
f1_f2_routing = [(h, f3) for h in host_addresses]
net.RoutingTable(f1, f1_f2_routing)
net.RoutingTable(f2, f1_f2_routing)
f3_routing = [(a, h) for (a, h) in zip(host_addresses, hosts)]
net.RoutingTable(f3, f3_routing)
f0_routing = [(a, x) for (a, x) in zip(host_addresses, cycle([f1, f2]))]
net.RoutingTable(f0, f0_routing)
nodes = list(hosts)
nodes.extend([f0, f1, f2, f3])
net.Attach(*nodes)
class LinkTraversalReturn(object):
def __init__(self, net, ctx, hosts, f0, f1, f2, f3):
self.net = net
self.ctx = ctx
self.f0 = f0
self.f1 = f1
self.f2 = f2
self.f3 = f3
self.hosts = hosts
self.check = components.PropertyChecker(ctx, net)
return LinkTraversalReturn(net, ctx, hosts, f0, f1, f2, f3)
def LSRRFwTriv():
ctx = components.Context(['e0' , 'e1', 'a', 'b', 'f'], \
['ip_e0', 'ip_e1', 'ip_a', 'ip_b','ip_f'])
net = components.Network(ctx)
# Register something that tells us about LSR
ip_lsr_field = components.LSRROption('ip_lsr', ctx)
ctx.AddPolicy(ip_lsr_field)
e0 = components.EndHost(ctx.e0, net, ctx)
e1 = components.EndHost(ctx.e1, net, ctx)
# Yeah I can put this in a list etc., doing it this way mostly for no good reason.
a = components.LSRRRouter(ctx.a, ip_lsr_field, net, ctx)
b = components.LSRRRouter(ctx.b, ip_lsr_field, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.setAddressMappings([(e0, ctx.ip_e0), \
(e1, ctx.ip_e1), \
(a, ctx.ip_a), \
(b, ctx.ip_b), \
(f, ctx.ip_f)])
net.SetGateway(e0, a)
net.SetGateway(e1, b)
net.RoutingTable(a, [(ctx.ip_e0, e0), \
(ctx.ip_f, f), \
(ctx.ip_b, f), \
(ctx.ip_e1, f)])
net.RoutingTable(b, [(ctx.ip_e0, f), \
(ctx.ip_f, f), \
(ctx.ip_b, f), \
(ctx.ip_e1, e1)])
net.RoutingTable(f, [(ctx.ip_e0, a), \
(ctx.ip_e1, b), \
(ctx.ip_b, b), \
(ctx.ip_a, a)])
node_dict = {'e0': e0, \
'e1': e1, \
'a': a, \
'b': b, \
'f': f}
net.Attach(*node_dict.values())
class LSRRReturn(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return LSRRReturn(net, ctx, **node_dict)
def AclContentCacheScaleTestFP (endhosts):
"""ACL content cache test"""
nodes = ['cc', 'f', 's0']
nodes.extend(['n_%d'%(i) for i in xrange(0, 2)])
addresses = ['ip_%s'%(n) for n in nodes]
addresses.append('ip_cc')
addresses.append('ip_f')
addresses.append('ip_s0')
ctx = components.Context(nodes, addresses)
net = components.Network (ctx)
hosts = []
for e in ['n_%d'%(i) for i in xrange(0, 2)]:
hosts.append(components.EndHost(getattr(ctx, e), net, ctx))
s0 = components.EndHost(ctx.s0, net, ctx)
cc = components.AclContentCache(ctx.cc, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
address_mappings = [(getattr(ctx, n), getattr(ctx, 'ip_%s'%(n))) for n in nodes]
address_mappings.extend([(ctx.s0, ctx.ip_s0),
(ctx.cc, ctx.ip_cc),
(ctx.f, ctx.ip_f)])
net.setAddressMappings(address_mappings)
addresses = [getattr(ctx, addr) for addr in addresses]
for host in hosts:
net.RoutingTable(host, [(x, f) for x in addresses])
net.RoutingTable(f, [(x, cc) for x in addresses])
net.RoutingTable(cc, [( getattr(ctx, 'ip_%s'%(n)), getattr(ctx, n)) for n in nodes])
net.RoutingTable(s0, [(x, cc) for x in addresses])
rnodes = list(hosts)
rnodes.append(f)
rnodes.append(cc)
rnodes.append(s0)
acls = [(ctx.ip_s0, ctx.ip_n_0)]
cc.AddAcls(acls)
f.AddAcls(acls)
net.Attach(*rnodes)
class AclContentCacheReturn (object):
def __init__ (self, net, ctx, cc, f, endhosts):
self.net = net
self.ctx = ctx
self.cc = cc
self.f = f
self.s0 = s0
self.endhosts = endhosts
self.check = components.PropertyChecker (ctx, net)
return AclContentCacheReturn(net, ctx, cc, f, hosts)
def AclContentCacheTest ():
"""ACL content cache test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'cc', 'f'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_cc', 'ip_f'])
net = components.Network (ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
cc = components.AclContentCache(ctx.cc, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(f, ctx.ip_f), \
(cc, ctx.ip_cc)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_cc, ctx.ip_f]
net.RoutingTable(a, [(x, f) for x in addresses])
net.RoutingTable(b, [(x, f) for x in addresses])
net.RoutingTable(c, [(x, f) for x in addresses])
net.RoutingTable(d, [(x, f) for x in addresses])
net.RoutingTable(f, [(x, cc) for x in addresses])
net.RoutingTable(cc, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
net.Attach(a, b, c, d, cc)
endhosts = [a, b, c, d]
f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
cc.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
net.Attach(a, b, c, d, cc, f)
endhosts = [a, b, c, d]
class AclContentCacheReturn (object):
def __init__ (self, net, ctx, a, b, c, d, cc, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.cc = cc
self.f = f
self.check = components.PropertyChecker (ctx, net)
return AclContentCacheReturn(net, ctx, a, b, c, d, cc, f)
def NodeTraversalTest():
"""ACL firewall test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, fw) if str(x) != 'ip_a' else (x, a)
for x in addresses])
net.RoutingTable(d, [(x, fw) for x in addresses])
#net.SetGateway(a, fw)
#net.SetGateway(b, fw)
#net.SetGateway(c, fw)
#net.SetGateway(d, fw)
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
fw.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
class AclFwReturn(object):
def __init__(self, net, ctx, a, b, c, d, fw):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.fw = fw
self.check = components.PropertyChecker(ctx, net)
return AclFwReturn(net, ctx, a, b, c, d, fw)
def PolicyScaleNeg(naddress):
nodes = ['a', 'b', 'f']
a_address = ['ip_a%d' % (a) for a in xrange(naddress)]
b_address = ['ip_b%d' % (b) for b in xrange(naddress)]
addresses = ['ip_f']
addresses.extend(a_address)
addresses.extend(b_address)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint(f, [a, b])
net.SetGateway(a, f)
net.SetGateway(b, f)
a_addrs = map(lambda ad: getattr(ctx, ad), a_address)
b_addrs = map(lambda ad: getattr(ctx, ad), b_address)
net.setAddressMappings([(a, a_addrs), \
(b, b_addrs), \
(f, ctx.ip_f)])
f_routing_table = [(addr, a) for addr in a_addrs]
f_routing_table.extend([(addr, b) for addr in b_addrs])
net.RoutingTable(f, f_routing_table)
acls = list(itertools.product(a_addrs, b_addrs))
f.AddAcls(acls)
net.Attach(a, b, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, f)
def ContentCacheTest():
"""Learning firewall test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'cc'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_cc'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
cc = components.ContentCache(ctx.cc, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(cc, ctx.ip_cc)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_cc]
net.RoutingTable(a, [(x, cc) for x in addresses])
net.RoutingTable(b, [(x, cc) for x in addresses])
net.RoutingTable(c, [(x, cc) for x in addresses])
net.RoutingTable(d, [(x, cc) for x in addresses])
net.RoutingTable(cc, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
net.Attach(a, b, c, d, cc)
endhosts = [a, b, c, d]
net.Attach(a, b, c, d, cc)
endhosts = [a, b, c, d]
class ContentCacheTestReturn(object):
def __init__(self, net, ctx, a, b, c, d, cc):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.cc = cc
self.check = components.PropertyChecker(ctx, net)
return ContentCacheTestReturn(net, ctx, a, b, c, d, cc)
def ErroneousProxyMultiplePi ():
ctx = components.Context(['a', 'b', 'c', 'p'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
# c = components.EndHost(ctx.c, net, ctx)
p = components.ErroneousAclWebProxy(ctx.p, net, ctx)
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
net.SetIsolationConstraint (a, [p])
net.SetIsolationConstraint (b, [p])
net.SetIsolationConstraint (p, [a, b, ctx.c])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(ctx.c, ctx.ip_c), \
(p, ctx.ip_p)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
#(ctx.ip_c, ctx.c), \
(ctx.ip_p, p)])
net.Attach(a, b, p)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c, p):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.check = components.PropertyChecker (ctx, net)
self.participants = [a, b, p]
return TrivialReturn (net, ctx, a, b, ctx.c, p)
def ConvertedLearningFwTest ():
"""Learning firewall test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f'])
net = components.Network (ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.ConvertedLearningFw(ctx.fw, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, fw) for x in addresses])
net.RoutingTable(d, [(x, fw) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
fw.AddAcls([(ctx.ip_a, ctx.ip_b)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
class LearnFwReturn (object):
def __init__ (self, net, ctx, a, b, c, d, fw):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.fw = fw
self.check = components.PropertyChecker (ctx, net)
return LearnFwReturn(net, ctx, a, b, c, d, fw)
def withProxySat():
""" A proxy and a firewall. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, p) for x in addresses])
net.RoutingTable(d, [(x, p) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw), \
(ctx.ip_b, fw), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f, fw)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def dpiFw():
"""DPI Firewall. Everything is UNSAT since no bad packets make it through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f'])
dpi_policy = components.DPIPolicy('hate_bad')
ctx.AddPolicy(dpi_policy)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.IPS(dpi_policy, ctx.fw, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, fw) for x in addresses])
net.RoutingTable(d, [(x, fw) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
#fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_c, ctx.ip_a), (ctx.ip_b, ctx.ip_d), (ctx.ip_d, ctx.ip_b)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return dict(ctx=ctx,
net=net,
endhosts=endhosts,
policy=dpi_policy,
check=check)
def SimpleIDSShuntTopo(nhosts, nids, nshunts):
# Use different scrubbers for different idses
nfirewalls = nhosts - nids
hosts = ['h%d' % (i) for i in xrange(nhosts)]
host_addresses = ['ip_%s' % h for h in hosts]
idses = ['i%d' % (i) for i in xrange(nids)]
ids_addresses = ['ip_%s' % i for i in idses]
shunts = ['s%d' % (i) for i in xrange(nshunts)]
shunt_addresses = ['ip_%s' % s for s in shunts]
firewalls = ['f%d' % i for i in xrange(nfirewalls)]
firewall_addresses = ['ip_%s' % f for f in firewalls]
nodes = list(hosts)
nodes.extend(idses)
nodes.extend(shunts)
nodes.extend(firewalls)
addresses = list(host_addresses)
addresses.extend(ids_addresses)
addresses.extend(firewall_addresses)
addresses.extend(shunt_addresses)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
address_mappings = []
host_concrete = []
for (host, address) in zip(hosts, host_addresses):
host_concrete.append(components.EndHost(getattr(ctx, host), net, ctx))
address_mappings.append((host_concrete[-1], getattr(ctx, address)))
shunt_concrete = []
for (shunt, address) in zip(shunts, shunt_addresses):
shunt_concrete.append(
components.Scrubber(getattr(ctx, shunt), net, ctx))
address_mappings.append((shunt_concrete[-1], getattr(ctx, address)))
ids_concrete = []
for (ids, address, shunt) in zip(idses, ids_addresses,
cycle(shunt_concrete)):
ids_concrete.append(
components.SpreadIDS(getattr(ctx, ids), net, ctx, shunt))
address_mappings.append((ids_concrete[-1], getattr(ctx, address)))
fw_concrete = []
for (fw, address) in zip(firewalls, firewall_addresses):
fw_concrete.append(
components.LearningFirewall(getattr(ctx, fw), net, ctx))
address_mappings.append((fw_concrete[-1], getattr(ctx, address)))
net.setAddressMappings(address_mappings)
for (host, ids) in zip(host_concrete, ids_concrete):
net.SetGateway(host, ids)
# Compute routing tables
for (host, fw) in zip(host_concrete[len(ids_concrete):], fw_concrete):
routing_table = []
for a in host_addresses:
routing_table.append((getattr(ctx, a), fw))
net.RoutingTable(host, routing_table)
for (ids, shunt) in zip(ids_concrete, cycle(shunt_concrete)):
routing_table = []
for (a, i) in zip(host_addresses, ids_concrete):
if str(i) == str(ids):
continue
routing_table.append((getattr(ctx, a), i))
for (a, f) in zip(host_addresses[nids:], fw_concrete):
routing_table.append((getattr(ctx, a), f))
net.RoutingTableShunt(ids, routing_table, shunt)
for (fw, host, ha) in zip(fw_concrete, host_concrete[len(ids_concrete):],
host_addresses[len(ids_concrete):]):
routing_table = []
routing_table.append((getattr(ctx, ha), host))
for (a, i) in zip(host_addresses, ids_concrete):
routing_table.append((getattr(ctx, a), i))
for (a, f) in zip(host_addresses[nids:], fw_concrete):
if str(f) == str(fw):
continue
routing_table.append((getattr(ctx, a), f))
net.RoutingTable(fw, routing_table)
for shunt in shunt_concrete:
routing_table = []
for (a, h) in zip(host_addresses, host_concrete):
routing_table.append((getattr(ctx, a), h))
net.RoutingTable(shunt, routing_table)
# Compute ACLs
fw_acls = []
for a1 in host_addresses[:nids]:
for a2 in host_addresses[nids:]:
fw_acls.append((getattr(ctx, a1), getattr(ctx, a2)))
fw_acls.append((getattr(ctx, a2), getattr(ctx, a1)))
for fw in fw_concrete:
#pass
fw.AddAcls(fw_acls)
#net.Attach(*host_concrete)
#net.Attach(*ids_concrete)
#net.Attach(*fw_concrete)
#net.Attach(*shunt_concrete)
class SimpleIDSShuntRet(object):
def __init__(self):
self.net = net
self.ctx = ctx
self.fws = fw_concrete
self.shunts = shunt_concrete
self.ids = ids_concrete
self.hosts = host_concrete
self.checker = components.PropertyChecker(ctx, net)
return SimpleIDSShuntRet()
def LSRRDenyFwExample(size):
left_nodes = ['l_%d' % (l) for l in xrange(size)]
right_nodes = ['r_%d' % (r) for r in xrange(size)]
end_hosts = ['e0', 'e1']
firewalls = ['f0']
all_nodes = []
all_nodes.extend(left_nodes)
all_nodes.extend(right_nodes)
all_nodes.extend(end_hosts)
all_nodes.extend(firewalls)
addresses = ['ip_%s' % (n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
# Register something that tells us about LSR
ip_lsr_field = components.LSRROption('ip_lsr', ctx)
ctx.AddPolicy(ip_lsr_field)
end_hosts = [
components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts
]
[e0, e1] = end_hosts
firewalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
left_nodes = [
components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx)
for l in left_nodes
]
right_nodes = [
components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx)
for l in right_nodes
]
all_node_objects = []
all_node_objects.extend(left_nodes)
all_node_objects.extend(right_nodes)
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, a) for a in addresses]
address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_map)
#firewalls[0].AddAcls([(ctx.ip_e0, ctx.ip_e1), \
#(ctx.ip_e1, ctx.ip_e0)])
firewalls[0].AddAcls([(getattr(ctx, 'ip_%s' % (left_nodes[-1].z3Node)),
getattr(ctx, 'ip_%s' % (right_nodes[-1].z3Node)))])
e0_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), ol)
for ol in left_nodes]
e0_routing_table.append((ctx.ip_e1, firewalls[0]))
net.RoutingTable(e0, e0_routing_table)
left_routing_table = [(getattr(ctx, 'ip_%s' % (orr.z3Node)), firewalls[0])
for orr in right_nodes]
left_routing_table.append((ctx.ip_e0, e0))
for ol in left_nodes:
net.RoutingTable(ol, left_routing_table)
right_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), firewalls[0])
for ol in left_nodes]
right_routing_table.append((ctx.ip_e1, e1))
for orr in right_nodes:
net.RoutingTable(orr, right_routing_table)
firewall_routing_table = [(a, o)
for (a, o) in zip(addresses, all_node_objects)]
net.RoutingTable(firewalls[0], firewall_routing_table)
net.Attach(*all_node_objects)
class LSRRReturn(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return LSRRReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
