def testGoodHeader(self): nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.mock_naming), EXP_INFO) nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1 + GOOD_HEADER_2 + IPV6_TERM_2, self.mock_naming), EXP_INFO)) self.assertIn('flush table ip table_filter', nft) self.assertIn( 'table ip table_filter {\n\tchain chain_name {\n\t\ttype filter ' 'hook input priority 0;\n\t\taccept\n\t}\n}', nft) self.assertIn('flush table ip6 table_filter', nft) self.assertIn( 'table ip6 table_filter {\n\tchain chain_name {\n\t\ttype filter ' 'hook input priority 0;\n\t\tdrop\n\t}\n}', nft)
def testBuildWarningTokens(self): pol1 = nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_12, self.mock_naming), EXP_INFO) st, sst = pol1._BuildTokens() self.assertEqual(st, SUPPORTED_TOKENS) self.assertEqual(sst, SUPPORTED_SUB_TOKENS)
def testExpired(self, mock_logging_warn): nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + EXPIRED_TERM, self.mock_naming), EXP_INFO) mock_logging_warn.assert_called_once_with( 'Term %s in policy %s is expired ' 'and will not be rendered.', 'is_expired', 'chain_name')
def testSourceDestExcludeFromAllIps(self): source_network = [] source_exclude_network = [nacaddr.IPv4('192.168.0.0/27')] destination_network = [] destination_exclude_network = [nacaddr.IPv4('10.0.0.0/27')] self.mock_naming.GetNetAddr.side_effect = [ source_network, source_exclude_network, destination_network, destination_exclude_network ] nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_11, self.mock_naming), EXP_INFO)) self.assertIn( 'ip saddr { 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, ' '192.128.0.0/11, 192.160.0.0/13, 192.168.0.32/27, ' '192.168.0.64/26, 192.168.0.128/25, 192.168.1.0/24, ' '192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, ' '192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, ' '192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, ' '192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, ' '193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, ' '208.0.0.0/4, 224.0.0.0/3}', nft) self.assertIn( 'ip daddr { 0.0.0.0/5, 8.0.0.0/7, 10.0.0.32/27, ' '10.0.0.64/26, 10.0.0.128/25, 10.0.1.0/24, 10.0.2.0/23, ' '10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, ' '10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, ' '10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, ' '10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, ' '16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1}', nft)
def testVerbatimTerm(self): nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_10, self.mock_naming), EXP_INFO)) self.assertIn('mary had a little lamb', nft) # check if another platforms verbatim shows up self.assertNotIn('mary had a second lamb', nft) self.assertNotIn('mary had a third lamb', nft)
def testSingleSourceDestIp(self): source_network = [nacaddr.IPv4('172.16.0.0/24')] destination_network = [nacaddr.IPv4('10.0.0.0/24')] self.mock_naming.GetNetAddr.side_effect = [source_network, destination_network] nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.mock_naming), EXP_INFO)) self.assertIn('ip saddr 172.16.0.0/24 ip daddr 10.0.0.0/24', nft)
def testSingleSport(self): source_ports = ['25'] self.mock_naming.GetServiceByProto.return_value = source_ports nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_8, self.mock_naming), EXP_INFO)) self.assertIn('sport 25', nft)
def testMultiSport(self): source_ports = ['25', '80', '6610', '6611', '6612'] self.mock_naming.GetServiceByProto.return_value = source_ports nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_8, self.mock_naming), EXP_INFO)) self.assertIn('sport { 25, 80, 6610-6612}', nft)
def testCommentOwner(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4, self.mock_naming), EXP_INFO)) self.assertIn( 'comment "comment first line comment second line ' 'Owner: [email protected]"', nft)
def testCommentTruncate(self, mock_logging_warn): nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_17, self.mock_naming), EXP_INFO)) mock_logging_warn.assert_called_once_with( 'Term %s in policy is too long (>%d characters) and will be' ' truncated', 'good-term-17', nftables.Term.MAX_CHARACTERS) # Ensure that the truncate did happen and stripped off the ':' self.assertIn('comment "%(long_line)s' % {'long_line': 'A' *127}, nft)
def testSingleDport(self): destination_ports = ['25'] self.mock_naming.GetServiceByProto.return_value = destination_ports nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_7, self.mock_naming), EXP_INFO)) self.assertIn('dport 25', nft)
def testIcmpv6InetMismatch(self, mock_logging_debug): str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + IPV6_TERM_1, self.mock_naming), EXP_INFO)) mock_logging_debug.assert_called_once_with('Term inet6-icmp will not be ' 'rendered, as it has ' '[u\'icmpv6\'] match specified ' 'but the ACL is of inet address ' 'family.')
def testExpiring(self, mock_logging_info): exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO) nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + EXPIRING_TERM % exp_date.strftime('%Y-%m-%d'), self.mock_naming), EXP_INFO) mock_logging_info.assert_called_once_with('Term %s in policy %s ' 'expires in less than %d weeks.', 'is_expiring', 'chain_name', EXP_INFO)
def testSourceDestExclude(self): source_network = [nacaddr.IPv4('192.168.0.0/24')] source_exclude_network = [nacaddr.IPv4('192.168.0.0/27')] destination_network = [nacaddr.IPv4('10.0.0.0/24')] destination_exclude_network = [nacaddr.IPv4('10.0.0.0/27')] self.mock_naming.GetNetAddr.side_effect = [source_network, source_exclude_network, destination_network, destination_exclude_network] nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_11, self.mock_naming), EXP_INFO)) self.assertIn('ip saddr { 192.168.0.32/27, 192.168.0.64/26, ' '192.168.0.128/25}', nft) self.assertIn('ip daddr { 10.0.0.32/27, 10.0.0.64/26, ' '10.0.0.128/25}', nft)
def testCounterTerm(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_16, self.mock_naming), EXP_INFO)) self.assertIn(' icmp counter accept', nft)
def testLogAndLogNameTerm(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_15, self.mock_naming), EXP_INFO)) self.assertIn('log prefix "my log prefix: " ', nft)
def testIcmpType(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_9, self.mock_naming), EXP_INFO)) self.assertIn('icmp type { echo-reply, echo-request}', nft)
def get_acl(inputs): """Generates an ACL using Capirca. Args: inputs: Module parameters. Returns: ACL string. """ header_base = ''' header { comment:: "$comment" target:: $platform $options } ''' result = "" # Create copy of input options removing any spaces inputs['options_copy'] = [ str(elem).replace(" ", "") for elem in inputs['filter_options'] ] # Add from/to-zone to 'paloalto' and 'srx'. if inputs['platform'] in ('paloalto' 'srx'): if len(inputs['options_copy']) < 2: raise AnsibleError( "The number of options for {0} is less than 2".format( inputs['platform'])) inputs['options_copy'][0] = "from-zone " + inputs['options_copy'][0] inputs['options_copy'][1] = "to-zone " + inputs['options_copy'][1] # Create option string for header inputs['options'] = ' '.join( [str(elem) for elem in inputs['options_copy']]) header_template = Template(header_base) header = header_template.safe_substitute(inputs) defs = naming.Naming(inputs['def_folder']) terms = open(inputs['pol_file']).read() pol = policy.ParsePolicy(header + '\n' + terms, defs, optimize=True) # Exp info in weeks EXP_INFO = 2 # List from https://github.com/google/capirca/blob/master/capirca/aclgen.py#L202 # Does Python have a Switch statement? if inputs['platform'] == 'juniper': result = juniper.Juniper(pol, EXP_INFO) elif inputs['platform'] == 'cisco': result = cisco.Cisco(pol, EXP_INFO) elif inputs['platform'] == 'ciscoasa': result = ciscoasa.CiscoASA(pol, EXP_INFO) elif inputs['platform'] == 'brocade': result = brocade.Brocade(pol, EXP_INFO) elif inputs['platform'] == 'arista': result = arista.Arista(pol, EXP_INFO) elif inputs['platform'] == 'aruba': result = aruba.Aruba(pol, EXP_INFO) elif inputs['platform'] == 'ipset': result = ipset.Ipset(pol, EXP_INFO) elif inputs['platform'] == 'iptables': result = iptables.Iptables(pol, EXP_INFO) elif inputs['platform'] == 'nsxv': result = nsxv.Nsxv(pol, EXP_INFO) elif inputs['platform'] == 'packetfilter': result = packetfilter.PacketFilter(pol, EXP_INFO) elif inputs['platform'] == 'pcap': result = pcap.PcapFilter(pol, EXP_INFO) elif inputs['platform'] == 'speedway': result = speedway.Speedway(pol, EXP_INFO) elif inputs['platform'] == 'srx': result = junipersrx.JuniperSRX(pol, EXP_INFO) elif inputs['platform'] == 'srxlo': result = srxlo.SRXlo(pol, EXP_INFO) elif inputs['platform'] == 'windows_advfirewall': result = windows_advfirewall.WindowsAdvFirewall(pol, EXP_INFO) elif inputs['platform'] == 'ciscoxr': result = ciscoxr.CiscoXR(pol, EXP_INFO) elif inputs['platform'] == 'nftables': result = nftables.Nftables(pol, EXP_INFO) elif inputs['platform'] == 'gce': result = gce.GCE(pol, EXP_INFO) elif inputs['platform'] == 'paloalto': result = paloaltofw.PaloAltoFW(pol, EXP_INFO) elif inputs['platform'] == 'cloudarmor': result = cloudarmor.CloudArmor(pol, EXP_INFO) return str(result)
def RenderFile(base_directory, input_file, output_directory, definitions, exp_info, write_files): """Render a single file. Args: base_directory: The base directory to look for acls. input_file: the name of the input policy file. output_directory: the directory in which we place the rendered file. definitions: the definitions from naming.Naming(). exp_info: print a info message when a term is set to expire in that many weeks. write_files: a list of file tuples, (output_file, acl_text), to write """ logging.debug('rendering file: %s into %s', input_file, output_directory) pol = None jcl = False acl = False asacl = False aacl = False bacl = False eacl = False gca = False gcefw = False ips = False ipt = False spd = False nsx = False pcap_accept = False pcap_deny = False pf = False srx = False jsl = False nft = False win_afw = False xacl = False paloalto = False try: with open(input_file) as f: conf = f.read() logging.debug('opened and read %s', input_file) except IOError as e: logging.warning('bad file: \n%s', e) raise try: pol = policy.ParsePolicy(conf, definitions, optimize=FLAGS.optimize, base_dir=base_directory, shade_check=FLAGS.shade_check) except policy.ShadingError as e: logging.warning('shading errors for %s:\n%s', input_file, e) return except (policy.Error, naming.Error): raise ACLParserError( 'Error parsing policy file %s:\n%s%s' % (input_file, sys.exc_info()[0], sys.exc_info()[1])) platforms = set() for header in pol.headers: platforms.update(header.platforms) if 'juniper' in platforms: jcl = copy.deepcopy(pol) if 'cisco' in platforms: acl = copy.deepcopy(pol) if 'ciscoasa' in platforms: asacl = copy.deepcopy(pol) if 'brocade' in platforms: bacl = copy.deepcopy(pol) if 'arista' in platforms: eacl = copy.deepcopy(pol) if 'aruba' in platforms: aacl = copy.deepcopy(pol) if 'ipset' in platforms: ips = copy.deepcopy(pol) if 'iptables' in platforms: ipt = copy.deepcopy(pol) if 'nsxv' in platforms: nsx = copy.deepcopy(pol) if 'packetfilter' in platforms: pf = copy.deepcopy(pol) if 'pcap' in platforms: pcap_accept = copy.deepcopy(pol) pcap_deny = copy.deepcopy(pol) if 'speedway' in platforms: spd = copy.deepcopy(pol) if 'srx' in platforms: srx = copy.deepcopy(pol) if 'srxlo' in platforms: jsl = copy.deepcopy(pol) if 'windows_advfirewall' in platforms: win_afw = copy.deepcopy(pol) if 'ciscoxr' in platforms: xacl = copy.deepcopy(pol) if 'nftables' in platforms: nft = copy.deepcopy(pol) if 'gce' in platforms: gcefw = copy.deepcopy(pol) if 'paloalto' in platforms: paloalto = copy.deepcopy(pol) if 'cloudarmor' in platforms: gca = copy.deepcopy(pol) if not output_directory.endswith('/'): output_directory += '/' try: if jcl: acl_obj = juniper.Juniper(jcl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if srx: acl_obj = junipersrx.JuniperSRX(srx, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if acl: acl_obj = cisco.Cisco(acl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if asacl: acl_obj = ciscoasa.CiscoASA(asacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if aacl: acl_obj = aruba.Aruba(aacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if bacl: acl_obj = brocade.Brocade(bacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if eacl: acl_obj = arista.Arista(eacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if ips: acl_obj = ipset.Ipset(ips, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if ipt: acl_obj = iptables.Iptables(ipt, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if nsx: acl_obj = nsxv.Nsxv(nsx, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if spd: acl_obj = speedway.Speedway(spd, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if pcap_accept: acl_obj = pcap.PcapFilter(pcap_accept, exp_info) RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX, output_directory, input_file, write_files) if pcap_deny: acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True) RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory, input_file, write_files) if pf: acl_obj = packetfilter.PacketFilter(pf, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if win_afw: acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if jsl: acl_obj = srxlo.SRXlo(jsl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if xacl: acl_obj = ciscoxr.CiscoXR(xacl, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if nft: acl_obj = nftables.Nftables(nft, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if gcefw: acl_obj = gce.GCE(gcefw, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if paloalto: acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) if gca: acl_obj = cloudarmor.CloudArmor(gca, exp_info) RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory, input_file, write_files) # TODO(robankeny) add additional errors. except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error, iptables.Error, speedway.Error, pcap.Error, aclgenerator.Error, aruba.Error, nftables.Error, gce.Error, cloudarmor.Error) as e: raise ACLGeneratorError('Error generating target ACL for %s:\n%s' % (input_file, e))
def testSingleProtocol(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_5, self.mock_naming), EXP_INFO)) self.assertIn('ip protocol { ah, esp}', nft)
def testMultiProtocol(self): nft = str( nftables.Nftables( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_6, self.mock_naming), EXP_INFO)) self.assertIn('ip protocol ah', nft)