def TwoLearningFw():
""" A proxy and two firewalls. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw1', 'fw2', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f1', 'ip_f2', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw1, ctx.ip_f1), \
(fw2, ctx.ip_f2), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f1, ctx.ip_f2]
net.RoutingTable(a, [(x, fw1) for x in addresses])
net.RoutingTable(b, [(x, fw1) for x in addresses])
net.RoutingTable(c, [(x, fw2) for x in addresses])
net.RoutingTable(d, [(x, fw2) for x in addresses])
net.RoutingTable(fw1, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p), \
(ctx.ip_f2, p)])
net.RoutingTable(fw2, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f1, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw1), \
(ctx.ip_b, fw1), \
(ctx.ip_c, fw2), \
(ctx.ip_d, fw2), \
(ctx.ip_f1, fw1), \
(ctx.ip_f2, fw2)])
fw1.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
fw2.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_d, ctx.ip_b)])
net.Attach(a, b, c, d, fw1, fw2, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def TrivialLbalancer():
ctx = components.Context(['a', 'b', 'f', 'l'], \
['ip_a', 'ip_b', 'ip_f', 'ip_l'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
l = components.LoadBalancer(ctx.l, net, ctx)
f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(f, ctx.ip_f), \
(l, ctx.ip_l)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, l)])
net.RoutingTable(b, [(ctx.ip_a, l), \
(ctx.ip_b, b)])
net.RoutingTable(l, [(ctx.ip_a, [f, a]), \
(ctx.ip_b, [f, b])])
net.RoutingTable(f, [(ctx.ip_a, a), \
(ctx.ip_b, b)])
net.Attach(a, b, l, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, l, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.l = l
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, l, f)
def LSRRFwTriv (sz):
assert (sz >= 1)
endhosts = ['e0', 'e1']
lsrr_boxes = ['l_%d'%(l) for l in xrange(0, sz)]
firewall = ['f']
nodes = list()
nodes.extend(endhosts)
nodes.extend(lsrr_boxes)
nodes.extend(firewall)
addresses = ['ip_%s'%(c) for c in nodes]
ctx = components.Context(nodes, \
addresses)
net = components.Network(ctx)
# Register something that tells us about LSRR
ip_lsr_field = components.LSRROption ('ip_lsr', ctx)
ctx.AddPolicy (ip_lsr_field)
e0 = components.EndHost(ctx.e0, net, ctx)
e1 = components.EndHost(ctx.e1, net, ctx)
## Yeah I can put this in a list etc., doing it this way mostly for no good reason.
#a = components.LSRRRouter (ctx.a, ip_lsr_field, net, ctx)
#b = components.LSRRRouter (ctx.b, ip_lsr_field, net, ctx)
lsrrs = [components.LSRRRouter (getattr(ctx, n), ip_lsr_field, net, ctx) for n in lsrr_boxes]
lsrr_addresses = [getattr(ctx, 'ip_%s'%(l.z3Node)) for l in lsrrs]
f = components.AclFirewall (ctx.f, net, ctx)
address_mappings = [(e0, ctx.ip_e0), \
(e1, ctx.ip_e1), \
(f, ctx.ip_f)]
lsrr_address_mappings = zip(lsrrs, lsrr_addresses)
address_mappings.extend(lsrr_address_mappings)
net.setAddressMappings(address_mappings)
routing_table_base = zip(lsrr_addresses, lsrrs)
routing_table_base.append((ctx.ip_e0, e0))
net.SetGateway(e1, f)
f.AddAcls([(ctx.ip_e0, ctx.ip_e1)])
f.AddAcls([(a, ctx.ip_e1) for a in lsrr_addresses[:-1]])
f_routing_table = list(routing_table_base)
f_routing_table.append((ctx.ip_e1, e1))
net.RoutingTable(f, f_routing_table)
routing_table_base.append((ctx.ip_e1, f))
net.RoutingTable(e0, routing_table_base)
for l in lsrrs:
net.RoutingTable(l, routing_table_base)
net.Attach(e0, e1, f, *lsrrs)
class LSRRReturn (object):
def __init__ (self, net, ctx, e0, e1, f, lsrrs):
self.net = net
self.ctx = ctx
self.e0 = e0
self.e1 = e1
self.f = f
self.lsrrs = lsrrs
self.check = components.PropertyChecker (ctx, net)
return LSRRReturn (net, ctx, e0, e1, f, lsrrs)
def AclProxyMultiFw ():
"""This is really just a version of ErroneousProxyMultiFw with AclFirewall. As shown by that function there really isn't a
way to violate isolation here. Here by using something that is path independent we can prove things without really having to deal
with any of the other things"""
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint (a, [p])
net.SetIsolationConstraint (b, [p])
net.SetIsolationConstraint (p, [a, b, f])
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, c, p, f)
def NumNodesTest(size):
fws = ['f_%d' % (f) for f in xrange(0, size)]
# Start with 4 end hosts
end_hosts = ['e_%d' % (e) for e in xrange(2)]
all_nodes = []
all_nodes.extend(end_hosts)
all_nodes.extend(fws)
addresses = ['ip_%s' % (n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
end_hosts = [
components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts
]
firewalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws
]
[e0, e1] = end_hosts
all_node_objects = []
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, ad) for ad in addresses]
address_mappings = [(ob, ad)
for (ob, ad) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_mappings)
# This is a test that can be used for both positive and negative testing; one pair
# of endhosts are allowed to send the other isn't
acl_policy = [(ctx.ip_e_0, ctx.ip_e_1), (ctx.ip_e_1, ctx.ip_e_0)]
for fw in firewalls:
fw.AddAcls(acl_policy)
"""Topology
f0
/ \
e0 e1"""
routing_table = [(ctx.ip_e_0, e0), \
(ctx.ip_e_1, e1)]
net.RoutingTable(firewalls[0], routing_table)
for e in end_hosts:
routing_table = [(ctx.ip_e_0, firewalls[0] if e != e0 else e0), \
(ctx.ip_e_1, firewalls[0] if e != e1 else e1)]
net.RoutingTable(e, routing_table)
net.Attach(*all_node_objects)
node_dict = dict(zip(all_nodes, all_node_objects))
class NumFwResult(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return NumFwResult(net, ctx, **node_dict)
def LoadBalancerFw (size):
assert(size > 1)
firewalls = ['f_%d'%(f) for f in xrange(size)]
endhosts = ['e_%d'%(e) for e in xrange(4)]
lbalancers = ['l_%d'%(l) for l in xrange(4)]
all_nodes = list()
all_nodes.extend(firewalls)
all_nodes.extend(endhosts)
all_nodes.extend(lbalancers)
addresses = ['ip_%s'%(n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
endhosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in endhosts]
[e0, e1, e2, e3] = endhosts
firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls]
lbalancers = [components.LoadBalancer(getattr(ctx, l), net, ctx) for l in lbalancers]
all_node_objects = list()
all_node_objects.extend(firewalls)
all_node_objects.extend(endhosts)
all_node_objects.extend(lbalancers)
addresses = [getattr(ctx, a) for a in addresses]
address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_map)
for i in xrange(4):
net.SetIsolationConstraint(endhosts[i], [lbalancers[i]])
lbalancer_nbr = [endhosts[i]]
lbalancer_nbr.extend(firewalls)
net.SetIsolationConstraint(lbalancers[i], lbalancer_nbr)
lbalancer_routing = [(getattr(ctx, 'ip_%s'%(endhosts[j].z3Node)), firewalls) \
for j in xrange(4) if j != i]
lbalancer_routing.append((getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), endhosts[i]))
net.RoutingTable(lbalancers[i], lbalancer_routing)
fw_routing_table = [(getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), lbalancers[i]) for i in xrange(4)]
for fw in firewalls:
net.RoutingTable(fw, fw_routing_table)
net.SetIsolationConstraint(fw, lbalancers)
fw.AddAcls([(ctx.ip_e_0, ctx.ip_e_1), \
(ctx.ip_e_2, ctx.ip_e_3)])
net.Attach(*all_node_objects)
class LoadBalancerFwReturn (object):
def __init__ (self, net, ctx, **objdict):
self.net = net
self.ctx = ctx
for k, v in objdict.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker (ctx, net)
return LoadBalancerFwReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
def ErroneousProxyMultiFw ():
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
p = components.ErroneousAclWebProxy(ctx.p, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint (a, [p])
net.SetIsolationConstraint (b, [p])
net.SetIsolationConstraint (p, [a, b, f])
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, c, p, f)
def PolicyScaleWithBranch(naddress, nbranches):
nodes = ['a', 'b']
firewalls = ['f_%d' % (f) for f in xrange(nbranches)]
nodes.extend(firewalls)
a_address = ['ip_a%d' % (a) for a in xrange(naddress)]
b_address = ['ip_b%d' % (b) for b in xrange(naddress)]
firewall_addresses = ['ip_%s' % (f) for f in firewalls]
addresses = list()
addresses.extend(firewall_addresses)
addresses.extend(a_address)
addresses.extend(b_address)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
fwalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
net.SetIsolationConstraint(a, fwalls)
net.SetIsolationConstraint(b, fwalls)
for f in fwalls:
net.SetIsolationConstraint(f, [a, b])
a_addrs = map(lambda ad: getattr(ctx, ad), a_address)
b_addrs = map(lambda ad: getattr(ctx, ad), b_address)
admappings = zip(fwalls, [getattr(ctx, ad) for ad in firewall_addresses])
admappings.extend([(a, a_addrs), \
(b, b_addrs)])
net.setAddressMappings(admappings)
f_routing_table = [(addr, a) for addr in a_addrs]
f_routing_table.extend([(addr, b) for addr in b_addrs])
for f in fwalls:
net.RoutingTable(f, f_routing_table)
acls = list(itertools.product(a_addrs, b_addrs))
for f in fwalls[:-1]:
f.AddAcls(acls)
fwalls[-1].AddAcls(acls[:-1])
net.Attach(a, b, *fwalls)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, fwalls)
def NumPolicyNodesTest2 (size):
fws = ['f_%d'%(f) for f in xrange(0, 1)]
# Start with 2 end hosts
end_hosts = ['e_%d'%(e) for e in xrange(0, 2)]
other_nodes = ['o_%d'%(o) for o in xrange(0, size)]
all_nodes = []
all_nodes.extend(end_hosts)
all_nodes.extend(fws)
all_nodes.extend(other_nodes)
all_visible_nodes = []
all_visible_nodes.extend(end_hosts)
all_visible_nodes.extend(fws)
addresses = ['ip_e_0', 'ip_e_1', 'ip_f_0']
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
end_hosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts]
firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws]
[e0, e1] = end_hosts
all_node_objects = []
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, ad) for ad in addresses]
address_mappings = [(ob, ad) for (ob, ad) in zip([e0, e1, firewalls[0]], addresses)]
net.setAddressMappings(address_mappings)
firewalls[0].AddAcls ([(ctx.ip_e_0, ctx.ip_e_1), \
(ctx.ip_e_1, ctx.ip_e_0)])
"""Topology
e0 e1
\ /
d0 """
for e in [end_hosts[0], end_hosts[1]]:
net.SetGateway(e, firewalls[0])
#net.SetIsolationConstraint (firewalls[0], end_hosts)
routing_table = [(ctx.ip_e_0, e0), \
(ctx.ip_e_1, e1)]
net.RoutingTable(firewalls[0], routing_table)
net.Attach(*all_node_objects)
node_dict = dict(zip(all_visible_nodes, all_node_objects))
class NumPolicyResult (object):
def __init__ (self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.participants = nodes.values()
self.check = components.PropertyChecker (ctx, net)
return NumPolicyResult (net, ctx, **node_dict)
def LinkTraversalScaling(size):
firewalls = ['f0', 'f1', 'f2', 'f3']
fw_addresses = ['ip_f0', 'ip_f1', 'ip_f2', 'ip_f3']
assert (size > 2)
hosts = ['e%d' % (n) for n in xrange(size)]
host_addresses = ['ip_%s' % (h) for h in hosts]
nodes = list(firewalls)
nodes.extend(hosts)
addresses = list(fw_addresses)
addresses.extend(host_addresses)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
[f0, f1, f2, f3] = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
[ip_f0, ip_f1, ip_f2, ip_f3] = [getattr(ctx, f) for f in fw_addresses]
hosts = [components.EndHost(getattr(ctx, h), net, ctx) for h in hosts]
host_addresses = [getattr(ctx, h) for h in host_addresses]
addr_mapping = list(zip(hosts, host_addresses))
addr_mapping.extend([(f0, ip_f0), (f1, ip_f1), (f2, ip_f2), (f3, ip_f3)])
net.setAddressMappings(addr_mapping)
endhost_routing = [(h, f0) for h in host_addresses]
for h in hosts:
net.RoutingTable(h, endhost_routing)
f1_f2_routing = [(h, f3) for h in host_addresses]
net.RoutingTable(f1, f1_f2_routing)
net.RoutingTable(f2, f1_f2_routing)
f3_routing = [(a, h) for (a, h) in zip(host_addresses, hosts)]
net.RoutingTable(f3, f3_routing)
f0_routing = [(a, x) for (a, x) in zip(host_addresses, cycle([f1, f2]))]
net.RoutingTable(f0, f0_routing)
nodes = list(hosts)
nodes.extend([f0, f1, f2, f3])
net.Attach(*nodes)
class LinkTraversalReturn(object):
def __init__(self, net, ctx, hosts, f0, f1, f2, f3):
self.net = net
self.ctx = ctx
self.f0 = f0
self.f1 = f1
self.f2 = f2
self.f3 = f3
self.hosts = hosts
self.check = components.PropertyChecker(ctx, net)
return LinkTraversalReturn(net, ctx, hosts, f0, f1, f2, f3)
def LSRRFwTriv():
ctx = components.Context(['e0' , 'e1', 'a', 'b', 'f'], \
['ip_e0', 'ip_e1', 'ip_a', 'ip_b','ip_f'])
net = components.Network(ctx)
# Register something that tells us about LSR
ip_lsr_field = components.LSRROption('ip_lsr', ctx)
ctx.AddPolicy(ip_lsr_field)
e0 = components.EndHost(ctx.e0, net, ctx)
e1 = components.EndHost(ctx.e1, net, ctx)
# Yeah I can put this in a list etc., doing it this way mostly for no good reason.
a = components.LSRRRouter(ctx.a, ip_lsr_field, net, ctx)
b = components.LSRRRouter(ctx.b, ip_lsr_field, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.setAddressMappings([(e0, ctx.ip_e0), \
(e1, ctx.ip_e1), \
(a, ctx.ip_a), \
(b, ctx.ip_b), \
(f, ctx.ip_f)])
net.SetGateway(e0, a)
net.SetGateway(e1, b)
net.RoutingTable(a, [(ctx.ip_e0, e0), \
(ctx.ip_f, f), \
(ctx.ip_b, f), \
(ctx.ip_e1, f)])
net.RoutingTable(b, [(ctx.ip_e0, f), \
(ctx.ip_f, f), \
(ctx.ip_b, f), \
(ctx.ip_e1, e1)])
net.RoutingTable(f, [(ctx.ip_e0, a), \
(ctx.ip_e1, b), \
(ctx.ip_b, b), \
(ctx.ip_a, a)])
node_dict = {'e0': e0, \
'e1': e1, \
'a': a, \
'b': b, \
'f': f}
net.Attach(*node_dict.values())
class LSRRReturn(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return LSRRReturn(net, ctx, **node_dict)
def AclContentCacheScaleTestFP (endhosts):
"""ACL content cache test"""
nodes = ['cc', 'f', 's0']
nodes.extend(['n_%d'%(i) for i in xrange(0, 2)])
addresses = ['ip_%s'%(n) for n in nodes]
addresses.append('ip_cc')
addresses.append('ip_f')
addresses.append('ip_s0')
ctx = components.Context(nodes, addresses)
net = components.Network (ctx)
hosts = []
for e in ['n_%d'%(i) for i in xrange(0, 2)]:
hosts.append(components.EndHost(getattr(ctx, e), net, ctx))
s0 = components.EndHost(ctx.s0, net, ctx)
cc = components.AclContentCache(ctx.cc, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
address_mappings = [(getattr(ctx, n), getattr(ctx, 'ip_%s'%(n))) for n in nodes]
address_mappings.extend([(ctx.s0, ctx.ip_s0),
(ctx.cc, ctx.ip_cc),
(ctx.f, ctx.ip_f)])
net.setAddressMappings(address_mappings)
addresses = [getattr(ctx, addr) for addr in addresses]
for host in hosts:
net.RoutingTable(host, [(x, f) for x in addresses])
net.RoutingTable(f, [(x, cc) for x in addresses])
net.RoutingTable(cc, [( getattr(ctx, 'ip_%s'%(n)), getattr(ctx, n)) for n in nodes])
net.RoutingTable(s0, [(x, cc) for x in addresses])
rnodes = list(hosts)
rnodes.append(f)
rnodes.append(cc)
rnodes.append(s0)
acls = [(ctx.ip_s0, ctx.ip_n_0)]
cc.AddAcls(acls)
f.AddAcls(acls)
net.Attach(*rnodes)
class AclContentCacheReturn (object):
def __init__ (self, net, ctx, cc, f, endhosts):
self.net = net
self.ctx = ctx
self.cc = cc
self.f = f
self.s0 = s0
self.endhosts = endhosts
self.check = components.PropertyChecker (ctx, net)
return AclContentCacheReturn(net, ctx, cc, f, hosts)
def NodeTraversalTest():
"""ACL firewall test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, fw) if str(x) != 'ip_a' else (x, a)
for x in addresses])
net.RoutingTable(d, [(x, fw) for x in addresses])
#net.SetGateway(a, fw)
#net.SetGateway(b, fw)
#net.SetGateway(c, fw)
#net.SetGateway(d, fw)
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
fw.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
class AclFwReturn(object):
def __init__(self, net, ctx, a, b, c, d, fw):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.fw = fw
self.check = components.PropertyChecker(ctx, net)
return AclFwReturn(net, ctx, a, b, c, d, fw)
def AclContentCacheTest ():
"""ACL content cache test"""
ctx = components.Context (['a', 'b', 'c', 'd', 'cc', 'f'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_cc', 'ip_f'])
net = components.Network (ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
cc = components.AclContentCache(ctx.cc, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(f, ctx.ip_f), \
(cc, ctx.ip_cc)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_cc, ctx.ip_f]
net.RoutingTable(a, [(x, f) for x in addresses])
net.RoutingTable(b, [(x, f) for x in addresses])
net.RoutingTable(c, [(x, f) for x in addresses])
net.RoutingTable(d, [(x, f) for x in addresses])
net.RoutingTable(f, [(x, cc) for x in addresses])
net.RoutingTable(cc, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
net.Attach(a, b, c, d, cc)
endhosts = [a, b, c, d]
f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
cc.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)])
net.Attach(a, b, c, d, cc, f)
endhosts = [a, b, c, d]
class AclContentCacheReturn (object):
def __init__ (self, net, ctx, a, b, c, d, cc, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.cc = cc
self.f = f
self.check = components.PropertyChecker (ctx, net)
return AclContentCacheReturn(net, ctx, a, b, c, d, cc, f)
def PolicyScaleNeg(naddress):
nodes = ['a', 'b', 'f']
a_address = ['ip_a%d' % (a) for a in xrange(naddress)]
b_address = ['ip_b%d' % (b) for b in xrange(naddress)]
addresses = ['ip_f']
addresses.extend(a_address)
addresses.extend(b_address)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint(f, [a, b])
net.SetGateway(a, f)
net.SetGateway(b, f)
a_addrs = map(lambda ad: getattr(ctx, ad), a_address)
b_addrs = map(lambda ad: getattr(ctx, ad), b_address)
net.setAddressMappings([(a, a_addrs), \
(b, b_addrs), \
(f, ctx.ip_f)])
f_routing_table = [(addr, a) for addr in a_addrs]
f_routing_table.extend([(addr, b) for addr in b_addrs])
net.RoutingTable(f, f_routing_table)
acls = list(itertools.product(a_addrs, b_addrs))
f.AddAcls(acls)
net.Attach(a, b, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.f = f
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, f)
def withProxySat():
""" A proxy and a firewall. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, p) for x in addresses])
net.RoutingTable(d, [(x, p) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw), \
(ctx.ip_b, fw), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f, fw)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def LSRRDenyFwExample(size):
left_nodes = ['l_%d' % (l) for l in xrange(size)]
right_nodes = ['r_%d' % (r) for r in xrange(size)]
end_hosts = ['e0', 'e1']
firewalls = ['f0']
all_nodes = []
all_nodes.extend(left_nodes)
all_nodes.extend(right_nodes)
all_nodes.extend(end_hosts)
all_nodes.extend(firewalls)
addresses = ['ip_%s' % (n) for n in all_nodes]
ctx = components.Context(all_nodes, addresses)
net = components.Network(ctx)
# Register something that tells us about LSR
ip_lsr_field = components.LSRROption('ip_lsr', ctx)
ctx.AddPolicy(ip_lsr_field)
end_hosts = [
components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts
]
[e0, e1] = end_hosts
firewalls = [
components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls
]
left_nodes = [
components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx)
for l in left_nodes
]
right_nodes = [
components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx)
for l in right_nodes
]
all_node_objects = []
all_node_objects.extend(left_nodes)
all_node_objects.extend(right_nodes)
all_node_objects.extend(end_hosts)
all_node_objects.extend(firewalls)
addresses = [getattr(ctx, a) for a in addresses]
address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)]
net.setAddressMappings(address_map)
#firewalls[0].AddAcls([(ctx.ip_e0, ctx.ip_e1), \
#(ctx.ip_e1, ctx.ip_e0)])
firewalls[0].AddAcls([(getattr(ctx, 'ip_%s' % (left_nodes[-1].z3Node)),
getattr(ctx, 'ip_%s' % (right_nodes[-1].z3Node)))])
e0_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), ol)
for ol in left_nodes]
e0_routing_table.append((ctx.ip_e1, firewalls[0]))
net.RoutingTable(e0, e0_routing_table)
left_routing_table = [(getattr(ctx, 'ip_%s' % (orr.z3Node)), firewalls[0])
for orr in right_nodes]
left_routing_table.append((ctx.ip_e0, e0))
for ol in left_nodes:
net.RoutingTable(ol, left_routing_table)
right_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), firewalls[0])
for ol in left_nodes]
right_routing_table.append((ctx.ip_e1, e1))
for orr in right_nodes:
net.RoutingTable(orr, right_routing_table)
firewall_routing_table = [(a, o)
for (a, o) in zip(addresses, all_node_objects)]
net.RoutingTable(firewalls[0], firewall_routing_table)
net.Attach(*all_node_objects)
class LSRRReturn(object):
def __init__(self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
return LSRRReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
def IMC(nservers):
nodes = ['n%d' % i for i in xrange(nservers)]
servers = list(nodes)
nodes.append('lb1_o')
nodes.append('lb2_o')
lbs_out = ['lb1_o', 'lb2_o']
nodes.append('lb1_i')
nodes.append('lb2_i')
lbs_in = ['lb1_i', 'lb2_i']
nodes.append('dpi1')
nodes.append('dpi2')
dpis = ['dpi1', 'dpi2']
nodes.append('fw1_o')
nodes.append('fw2_o')
fws_out = ['fw1_o', 'fw2_o']
nodes.append('fw1_i')
nodes.append('fw2_i')
fws_in = ['fw1_i', 'fw2_i']
addresses = ['i_%s' % n for n in nodes]
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
# Make nodes
all_nodes = []
servers = [components.EndHost(getattr(ctx, s), net, ctx) for s in servers]
all_nodes += servers
lbs_out = [components.AllowAll(getattr(ctx, s), net, ctx) for s in lbs_out]
all_nodes += lbs_out
lbs_in = [components.AllowAll(getattr(ctx, s), net, ctx) for s in lbs_in]
all_nodes += lbs_in
dpis = [components.AllowAll(getattr(ctx, s), net, ctx) for s in dpis]
all_nodes += dpis
fws_out = [
components.AclFirewall(getattr(ctx, s), net, ctx) for s in fws_out
]
all_nodes += fws_out
fws_in = [
components.AclFirewall(getattr(ctx, s), net, ctx) for s in fws_in
]
all_nodes += fws_in
address_mapping = zip(nodes, addresses)
address_mapping = map(lambda (n, a): (getattr(ctx, n), getattr(ctx, a)), \
address_mapping)
net.Attach(*all_nodes)
net.setAddressMappings(address_mapping)
server_addresses = [getattr(ctx, 'i_%s' % s) for s in servers]
# Server routing does not need to account for source.
server_routing = []
for addr in server_addresses:
server_routing.append(
(addr, components.not_failed(lbs_out[0]), lbs_out[0]))
server_routing.append(
(addr, components.failed(lbs_out[0]), lbs_out[1]))
for s in servers:
net.RoutingTableWithFailure(s, server_routing)
lb_out_routing = []
lb_in_routing = []
for (addr, server) in zip(server_addresses, servers):
lb_in_routing.append((addr, server))
lb_out_routing.append(
(addr, components.not_failed(fws_out[0]), fws_out[0]))
lb_out_routing.append(
(addr, components.failed(fws_out[0]), fws_out[1]))
for lb in lbs_in:
net.RoutingTable(lb, lb_in_routing)
for lb in lbs_out:
net.RoutingTableWithFailure(lb, lb_out_routing)
fw_out_routing = []
fw_in_routing = []
dpi_routing = []
for addr in server_addresses:
fw_in_routing.append(
(addr, components.not_failed(lbs_in[0]), lbs_in[0]))
fw_in_routing.append((addr, components.failed(lbs_in[0]), lbs_in[1]))
fw_out_routing.append((addr, components.not_failed(dpis[0]), dpis[0]))
fw_out_routing.append((addr, components.failed(dpis[0]), dpis[1]))
dpi_routing.append((addr, components.failed(fws_in[0]), fws_in[1]))
dpi_routing.append((addr, components.not_failed(fws_in[0]), fws_in[0]))
for fw in fws_out:
net.RoutingTableWithFailure(fw, fw_out_routing)
for fw in fws_in:
net.RoutingTableWithFailure(fw, fw_in_routing)
for dpi in dpis:
net.RoutingTableWithFailure(dpi, dpi_routing)
class IMCTopo(object):
def __init__(self):
self.servers = servers
self.lbs_out = lbs_out
self.lbs_in = lbs_in
self.fws_out = fws_out
self.fws_in = fws_in
self.dpis = dpis
self.ctx = ctx
self.network = net
self.check = components.PropertyChecker(ctx, net)
self.addresses = dict([(str(x), y) for (x, y) in address_mapping])
return IMCTopo()
def TrivialPolicyTest():
"""This policy test just uses a simple scheme of the following form:
A - fw1 - p - fw2 - B
C - fw3 /
src, dest are strings representing the source and destination between which we
want to test isolation between"""
nodes = ['A', 'fw1', 'p', 'fw2', 'B', 'C', 'fw3']
addresses = map(lambda n: 'a_%s' % (n), nodes)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
nodes_dict = {n: getattr(ctx, n) for n in nodes}
address_dict = {a: getattr(ctx, a) for a in addresses}
net.setAddressMappings([(nodes_dict[n], address_dict['a_%s' % (n)])
for n in nodes])
# TODO: For now we cheat and just care about only one set. We can deal with several of them later
A = components.EndHost(ctx.A, net, ctx)
B = components.EndHost(ctx.B, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.SetGateway(A, fw1)
net.SetGateway(B, fw2)
net.RoutingTable(fw1, [(ctx.a_A, A), (ctx.a_B, p), (ctx.a_p, p),
(ctx.a_C, p)])
net.RoutingTable(fw2, [(ctx.a_B, B), (ctx.a_p, p), (ctx.a_A, p),
(ctx.a_C, p)])
net.RoutingTable(p, [(ctx.a_B, fw2), (ctx.a_A, fw1)])
fw1.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
fw2.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
net.SetIsolationConstraint(fw1, [A, p])
net.SetIsolationConstraint(fw2, [B, p])
net.SetIsolationConstraint(p, [fw1, fw2, ctx.fw3])
import z3
n0 = z3.Const('__triv_node_0', ctx.node)
n1 = z3.Const('__triv_node_1', ctx.node)
p0 = z3.Const('__triv_packet_0', ctx.packet)
# This is a part of policy?
net.Attach(A, B, fw1, fw2, p)
check = components.PropertyChecker(ctx, net)
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(ctx.packet.origin(p0) == ctx.A.z3Node))))
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(z3.Or(ctx.packet.src(p0) == ctx.a_A, ctx.packet.src(p0) == ctx.a_B)))))
res = check.CheckIsolationProperty(A, B)
return res, check, ctx
def permuteTest(other_nodes):
main_complex = ['a', 'b', 'm', 'fw']
other_endhosts = ['e%d' % (i) for i in xrange(other_nodes)]
other_permboxes = ['m%d' % (i) for i in xrange(other_nodes)]
nodes = []
nodes.extend(main_complex)
nodes.extend(other_endhosts)
nodes.extend(other_permboxes)
main_eh_addresses = ['ip_a', 'ip_b']
main_mb_addresses = [
'ip_m%d' % (i) for i in xrange(0, 2 * other_nodes + 1)
]
other_mb_addresses = ['ip_om%d' % (i) for i in xrange(0, other_nodes)]
other_eh_addresses = ['ip_%s' % (e) for e in other_endhosts]
addresses = ['ip_f']
addresses.extend(main_eh_addresses)
addresses.extend(other_eh_addresses)
addresses.extend(main_mb_addresses)
addresses.extend(other_mb_addresses)
ctx = components.Context (nodes,\
addresses)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
main_mb_addresses = map(lambda ad: getattr(ctx, ad), main_mb_addresses)
other_eh_addresses = map(lambda ad: getattr(ctx, ad), other_eh_addresses)
other_mb_addresses = map(lambda ad: getattr(ctx, ad), other_mb_addresses)
main_eh_addresses = map(lambda ad: getattr(ctx, ad), main_eh_addresses)
other_addresses = []
other_addresses.extend(other_mb_addresses)
other_addresses.extend(other_eh_addresses)
other_addresses.append(ctx.ip_a)
m = components.PermutationMiddlebox(ctx.m, \
main_mb_addresses, \
other_addresses, \
net, \
ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
to_register = [a, b, m, fw]
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(fw, ctx.ip_f), \
(m, main_mb_addresses)])
net.SetGateway(a, m)
net.SetGateway(b, fw)
other_endhosts = map(lambda eh: getattr(ctx, eh), other_endhosts)
other_endhosts_eh = map(lambda eh: components.EndHost(eh, net, ctx),
other_endhosts)
net.setAddressMappings(zip(other_endhosts_eh, other_eh_addresses))
to_register.extend(other_endhosts_eh)
other_permboxes = map(lambda eh: getattr(ctx, eh), other_permboxes)
other_pm_alt_addr = []
other_pm_alt_addr.extend(other_eh_addresses)
other_pm_alt_addr.extend(main_eh_addresses)
other_permbox_addr_zip = zip(other_permboxes, other_mb_addresses)
other_permbox_pm = map(lambda(n, a): components.PermutationMiddlebox(n, [a],
other_pm_alt_addr, net, ctx), \
other_permbox_addr_zip)
net.setAddressMappings(other_permbox_addr_zip)
to_register.extend(other_permbox_pm)
universal_routing = zip(other_eh_addresses, other_permbox_pm)
universal_routing.append((ctx.ip_a, m))
universal_routing.append((ctx.ip_b, m))
for (node, mb) in zip(other_endhosts_eh, other_permbox_pm):
net.RoutingTable(mb, universal_routing)
net.SetGateway(node, mb)
universal_routing = zip(other_eh_addresses, other_permbox_pm)
m_routing = []
m_routing.extend(universal_routing)
m_routing.extend([(ctx.ip_a, a), (ctx.ip_b, fw)])
net.RoutingTable(m, m_routing)
from itertools import repeat
f_routing = []
f_routing = zip(other_eh_addresses, repeat(m))
f_routing.extend([(ctx.ip_a, m), (ctx.ip_b, b), (ctx.ip_m0, m)])
net.RoutingTable(fw, f_routing)
fw.AddAcls([(ctx.ip_a, ctx.ip_b)])
fw.AddAcls(zip(main_mb_addresses, repeat(ctx.ip_b)))
net.Attach(*to_register)
class PReturn(object):
def __init__(self):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.m = m
self.fw = fw
self.check = components.PropertyChecker(ctx, net)
self.other_mb = other_permbox_pm
self.other_eh = other_endhosts_eh
return PReturn()
