def testUnicastIPv6(self):
self.naming.GetNetAddr('ANY').AndReturn([nacaddr.IP('::/0')])
self.mox.ReplayAll()
acl = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER_IN + UNICAST_TERM, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('(dst net localhost and ((proto \\tcp)))' in result,
'did not find actual terms for unicast-term')
def testStandardTermHostIPv6(self):
self.naming.GetNetAddr('SOME_HOST2').AndReturn(
[nacaddr.IP('2001::3/128')])
self.naming.GetServiceByProto('HTTP', 'tcp').AndReturn(['80'])
self.mox.ReplayAll()
pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_2, self.naming)
acl = ciscoxr.CiscoXR(pol, EXP_INFO)
expected = 'ipv6 access-list ipv6-test-filter'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
def testDscpWithByte(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.0.0.0/8')])
self.mox.ReplayAll()
srx = junipersrx.JuniperSRX(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming),
EXP_INFO)
output = str(srx)
self.failUnless('dscp b111000;' in output, output)
def testInet6(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('2001:4860:8000::/33')
]
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_8, self.naming),
EXP_INFO)
inet6_test1 = 'no ipv6 access-list inet6_acl'
inet6_test2 = 'ipv6 access-list inet6_acl'
inet6_test3 = 'permit tcp any 2001:4860:8000::/33'
self.failUnless(inet6_test1 in str(acl), '[%s]' % str(acl))
self.failUnless(inet6_test2 in str(acl), '[%s]' % str(acl))
self.failUnless(re.search(inet6_test3, str(acl)), str(acl))
self.failIf('10.0.0.0' in str(acl), str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testDscpWithByte(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
srx = junipersrx.JuniperSRX(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming),
EXP_INFO)
output = str(srx)
self.failUnless('dscp b111000;' in output, output)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testBuildTokens(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
pol1 = pcap.PcapFilter(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming),
EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testBadStandardTerm(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + BAD_STANDARD_TERM_1,
self.naming)
self.assertRaises(cisco.StandardAclTermError, cisco.Cisco, pol,
EXP_INFO)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testStandardFilterRange(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(BAD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2,
self.naming)
self.assertRaises(cisco.UnsupportedCiscoAccessListError, cisco.Cisco,
pol, EXP_INFO)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testNextIpv6(self):
self.naming.GetNetAddr('TEST_NEXT').AndReturn(
[nacaddr.IP('2001::/128')])
self.mox.ReplayAll()
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless(('next-ip6 2001::/128;') in output)
def testNoIPv6InOutput(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2620:0:1000::/40')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failIf('::' in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testV4ToV4(self):
self.naming.GetNetAddr.side_effect = [[
nacaddr.IP('10.0.0.1'),
nacaddr.IP('10.0.0.2')
],
[
nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('172.16.0.0/12'),
nacaddr.IP('192.168.0.0/16')
]]
source_addr, dest_addr = self.getSourceDestAddresses(MIXED_HEADER +
V4_TO_V4)
self.verifyAddressType(source_addr, 'Ipv4Address')
self.verifyAddressType(dest_addr, 'Ipv4Address')
self.naming.GetNetAddr.assert_has_calls(
[mock.call('NTP_SERVERS'),
mock.call('INTERNAL')])
def testOptimizedApplicationset(self):
some_host = [nacaddr.IP('10.0.0.1/32', token='SOMEHOST')]
foo = [nacaddr.IP('10.0.0.2/32', token='FOO')]
foobar = [nacaddr.IP('10.0.0.3/32', token='FOOBAR')]
self.naming.GetNetAddr.side_effect = [
some_host, foo, foobar, foobar, some_host
]
self.naming.GetServiceByProto.side_effect = [['25',
'25'], ['80', '80'],
['25', '25'],
['25', '25']]
pol = policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_2 + GOOD_TERM_20 + GOOD_TERM_12 +
GOOD_HEADER_2 + GOOD_TERM_14, self.naming)
output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
self.failIf('dup-of-term-1-app' in output)
def testBuildTokens(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/26')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
st, sst = jcl._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testV6ToMixed(self):
self.naming.GetNetAddr.side_effect = [
[nacaddr.IP('2001:4860:8000::/33')],
[
nacaddr.IP('8.8.4.4'),
nacaddr.IP('8.8.8.8'),
nacaddr.IP('2001:4860:4860::8844'),
nacaddr.IP('2001:4860:4860::8888')
]
]
source_addr, dest_addr = self.getSourceDestAddresses(MIXED_HEADER +
V6_TO_MIXED)
self.verifyAddressType(source_addr, 'Ipv6Address')
self.verifyAddressType(dest_addr, 'Ipv6Address')
self.naming.GetNetAddr.assert_has_calls(
[mock.call('SOME_HOST'),
mock.call('GOOGLE_DNS')])
def testFailNextIpNetworkIP(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/26')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
self.assertRaises(juniper.JuniperNextIpError, str, jcl)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testStandardTermHost(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')]
pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
acl = ciscoxr.CiscoXR(pol, EXP_INFO)
expected = 'ipv4 access-list test-filter'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def main(argv):
parser = OptionParser()
parser.add_option("-d", "--def", dest="defs", action="store",
help="Network Definitions directory location",
default="../def")
parser.add_option("-i", "--ip", dest="ip", action="store",
help="Return list of defintions containing this IP. "
"Multiple IPs permitted.")
parser.add_option("-t", "--token", dest="token", action="store",
help="See if an IP is contained within this token."
"Must be used in conjunction with --ip [addr].")
parser.add_option("-c", "--cmp", dest="cmp", action="store_true",
help="Compare two network definition tokens")
(options, args) = parser.parse_args()
db = naming.Naming(options.defs)
if options.ip is not None and options.token is None:
for arg in sys.argv[2:]:
print "%s: " % arg
rval = db.GetIpParents(arg)
print rval
if options.token is not None and options.ip is None:
print "You must specify and IP Address with --ip [addr] to check."
sys.exit(0)
if options.token is not None and options.ip is not None:
token = options.token
ip = options.ip
rval = db.GetIpParents(ip)
if token in rval:
print '%s is in %s' % (ip, token)
else:
print '%s is not in %s' % (ip, token)
if options.cmp is not None:
t1 = argv[2]
t2 = argv[3]
d1 = db.GetNet(t1)
d2 = db.GetNet(t2)
union = list(set(d1 + d2))
print 'Union of %s and %s:\n %s\n' % (t1, t2, union)
print 'Diff of %s and %s:' % (t1, t2)
for el in set(d1 + d2):
el = nacaddr.IP(el)
if el in d1 and el in d2:
print ' %s' % el
elif el in d1:
print '+ %s' % el
elif el in d2:
print '- %s' % el
def testObjectGroup(self):
ip_grp = ['object-group network ipv4 SOME_HOST']
ip_grp.append(' 10.0.0.0/8')
ip_grp.append('exit')
port_grp1 = ['object-group port 80-80']
port_grp1.append(' eq 80')
port_grp1.append('exit')
port_grp2 = ['object-group port 1024-65535']
port_grp2.append(' range 1024 65535')
port_grp2.append('exit')
self.naming.GetNetAddr.return_value = [
nacaddr.IP('10.0.0.0/8', token='SOME_HOST')
]
self.naming.GetServiceByProto.return_value = ['80']
pol = policy.ParsePolicy(
GOOD_OBJGRP_HEADER + GOOD_TERM_2 + GOOD_TERM_18, self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
self.failUnless('\n'.join(ip_grp) in str(acl),
'%s %s' % ('\n'.join(ip_grp), str(acl)))
self.failUnless('\n'.join(port_grp1) in str(acl),
'%s %s' % ('\n'.join(port_grp1), str(acl)))
self.failUnless('\n'.join(port_grp2) in str(acl),
'%s %s' % ('\n'.join(port_grp2), str(acl)))
# Object-group terms should use the object groups created.
self.failUnless(
' permit tcp any port-group 80-80 net-group SOME_HOST port-group'
' 1024-65535' in str(acl), str(acl))
self.failUnless(
' permit ip net-group SOME_HOST net-group SOME_HOST' in str(acl),
str(acl))
# There should be no addrgroups that look like IP addresses.
for addrgroup in re.findall(r'net-group ([a-f0-9.:/]+)', str(acl)):
self.assertRaises(ValueError, nacaddr.IP(addrgroup))
self.naming.GetNetAddr.assert_has_calls(
[mock.call('SOME_HOST'),
mock.call('SOME_HOST')])
self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')
def testBuildWarningTokens(self):
self.naming.GetNetAddr.side_effect = [[
nacaddr.IP('10.0.0.1'),
nacaddr.IP('10.0.0.2')
],
[
nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('172.16.0.0/12'),
nacaddr.IP('192.168.0.0/16')
]]
self.naming.GetServiceByProto.return_value = ['123']
pol1 = nsxv.Nsxv(policy.ParsePolicy(INET_FILTER_2, self.naming), 2)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
self.naming.GetNetAddr.assert_has_calls(
[mock.call('NTP_SERVERS'),
mock.call('INTERNAL')])
def testNamedStandard(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2,
self.naming)
acl = cisco.Cisco(pol, EXP_INFO)
expected = 'ip access-list standard FOO'
self.failUnless(expected in str(acl), '[%s]' % str(acl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testInterfaceSpecificHeader(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn(
[nacaddr.IP('10.0.0.0/8')])
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('interface-specific;' in output, output)
def testBuildWarningTokens(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::3/128')]
self.naming.GetServiceByProto.return_value = ['80']
pol1 = ciscoxr.CiscoXR(
policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming),
EXP_INFO)
st, sst = pol1._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testNextIpv6(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/128')]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless(('next-ip6 2001::/128;') in output)
self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testBadFilterType(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')]
self.naming.GetServiceByProto.return_value = ['25']
pol = policy.ParsePolicy(BAD_HEADER_2 + GOOD_TERM_1, self.naming)
self.assertRaises(aclgenerator.UnsupportedAF, juniper.Juniper, pol,
EXP_INFO)
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testNextIpFormat(self):
self.naming.GetNetAddr('TEST_NEXT').AndReturn([nacaddr.IP('10.1.1.1/32')])
self.mox.ReplayAll()
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless(
(' then {\n'
' next-ip 10.1.1.1/32;\n'
' }') in output)
def testDsmo(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IP('192.168.' + str(octet) + '.64/27')
addr_list.append(net)
self.naming.GetNetAddr('SOME_HOST').AndReturn(addr_list)
self.mox.ReplayAll()
acl = cisco.Cisco(
policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_8, self.naming),
EXP_INFO)
self.failUnless('permit 6 any 192.168.0.64 0.0.255.31' in str(acl))
def testPolicy(self):
self.naming.GetNetAddr('PROD_NET').AndReturn(
[nacaddr.IP('10.0.0.0/8')])
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
acl = windows_ipsec.WindowsIPSec(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless(['policy name=test-filter-policy assign=yes'], result,
'header')
def testTableDuplicateShortNameError(self):
prod_network = nacaddr.IP('10.0.0.0/8')
prod_network.parent_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME'
prod_network_two = nacaddr.IP('172.0.0.1/8')
prod_network_two.parent_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_GOOD_NAME'
self.naming.GetNetAddr(
'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME').AndReturn(
[prod_network])
self.naming.GetNetAddr(
'PROD_NETWORK_EXTREAMLY_LONG_VERY_GOOD_NAME').AndReturn(
[prod_network_two])
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
self.assertRaises(
packetfilter.DuplicateShortenedTableName,
packetfilter.PacketFilter.__init__,
packetfilter.PacketFilter.__new__(packetfilter.PacketFilter),
policy.ParsePolicy(
GOOD_HEADER_DIRECTIONAL + DUPLICATE_LONG_NAME_TERM,
self.naming), EXP_INFO)
def testDsmo(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IP('192.168.' + str(octet) + '.64/27')
addr_list.append(net)
self.naming.GetNetAddr('SOME_HOST').AndReturn(addr_list)
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_1,
self.naming), EXP_INFO)
self.failUnless('192.168.0.64/255.255.0.224;' in str(jcl))
def testOptions(self):
self.naming.GetNetAddr('SOME_HOST').AndReturn([nacaddr.IP('10.0.0.0/8')])
self.naming.GetServiceByProto('HTTP', 'tcp').AndReturn(['80'])
self.mox.ReplayAll()
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('destination-port 1024-65535;' in output, output)
# Verify that tcp-established; doesn't get duplicated if both 'established'
# and 'tcp-established' options are included in term
self.assertEquals(output.count('tcp-established;'), 1)
