def testAddressListExcludeCaseSix(self):
# IPv6 does not affect IPv4
superset = [nacaddr.IPv6('0::ffff:0.0.0.0/96')]
excludes = [nacaddr.IPv4('0.0.0.0/0')]
expected = [nacaddr.IPv6('0::ffff:0.0.0.0/96')]
self.assertListEqual(nacaddr.AddressListExclude(superset, excludes),
expected)
def test_token_to_ips(self):
expected_results = [(r'GOOGLE_DNS', [
nacaddr.IPv4('8.8.4.4/32'),
nacaddr.IPv4('8.8.8.8/32'),
nacaddr.IPv6('2001:4860:4860::8844/128'),
nacaddr.IPv6('2001:4860:4860::8888/128')
])]
options = Namespace(obj=('GOOGLE_DNS', ), )
results = get_nets(options.obj, self.db)
self.assertEquals(results[0][0], expected_results[0][0])
self.assertEquals(set(results[0][1]), set(expected_results[0][1]))
def testTermAddressByteLength(self):
"""Tests the AddressByteLength function."""
pol = HEADER + GOOD_TERM_2
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('10.0.0.1/32'), nacaddr.IPv4('10.0.0.2/32'),
nacaddr.IPv6('2001:4860:4860::8844/128'),
nacaddr.IPv6('2001:4860:4860::8888/128')]
ret = policy.ParsePolicy(pol, self.naming)
term = ret.filters[0][1][0]
self.assertEqual(2, term.AddressesByteLength([4]))
self.assertEqual(8, term.AddressesByteLength([6]))
self.assertEqual(10, term.AddressesByteLength())
def testAddressListExcludeCaseOne(self):
# Small block eliminated by large block, and an extra block that stays.
# For both IP versions.
superset = [
nacaddr.IPv4('200.0.0.0/24'),
nacaddr.IPv4('10.1.0.0/24'),
nacaddr.IPv6('200::/56'),
nacaddr.IPv6('10:1::/56')
]
excludes = [nacaddr.IPv6('10::/16'), nacaddr.IPv4('10.0.0.0/8')]
expected = [nacaddr.IPv4('200.0.0.0/24'), nacaddr.IPv6('200::/56')]
self.assertListEqual(nacaddr.AddressListExclude(superset, excludes),
expected)
def __init__(self, term, af):
"""Setup a new nftables term.
Args:
term: A policy.Term object
af: The capirca address family for the term, "inet", "inet6", or "mixed"
Raises:
InvalidAddressFamily: if supplied target options are invalid.
Note: AF of mixed requires kernel 3.15 or higher
"""
super(Term, self).__init__(term)
self.term = term
self.af = af
if af == 'inet6':
self.all_ips = nacaddr.IPv6('::/0')
elif af == 'inet':
self.all_ips = nacaddr.IPv4('0.0.0.0/0')
elif af == 'mixed':
# TODO(castagno): Need to add support for a mixed address family
raise InvalidAddressFamily(
'Address family mixed is not supported yet')
else:
raise InvalidAddressFamily('Not a valid address family')
def __init__(self, term, filter_name, filter_action, af='inet'):
"""Setup a new term.
Args:
term: A policy.Term object to represent in windows_ipsec.
filter_name: The name of the filter chan to attach the term to.
filter_action: The default action of the filter.
af: Which address family ('inet' or 'inet6') to apply the term to.
Raises:
UnsupportedFilterError: Filter is not supported.
"""
super(Term, self).__init__(term)
self.term = term # term object
self.filter = filter_name # actual name of filter
self.default_action = filter_action
self.options = []
self.af = af
if af == 'inet6':
self._all_ips = nacaddr.IPv6('::/0')
else:
self._all_ips = nacaddr.IPv4('0.0.0.0/0')
self.term_name = '%s_%s' % (self.filter[:1], self.term.name)
def __init__(self, term, filter_name, trackstate, filter_action, af='inet',
verbose=True):
"""Setup a new term.
Args:
term: A policy.Term object to represent in iptables.
filter_name: The name of the filter chan to attach the term to.
trackstate: Specifies if conntrack should be used for new connections.
filter_action: The default action of the filter.
af: Which address family ('inet' or 'inet6') to apply the term to.
verbose: boolean if comments should be printed
Raises:
UnsupportedFilterError: Filter is not supported.
"""
super(Term, self).__init__(term)
self.trackstate = trackstate
self.term = term # term object
self.filter = filter_name # actual name of filter
self.default_action = filter_action
self.options = []
self.af = af
self.verbose = verbose
if af == 'inet6':
self._all_ips = nacaddr.IPv6('::/0')
self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
'icmp6-adm-prohibited')
else:
self._all_ips = nacaddr.IPv4('0.0.0.0/0')
self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
'icmp-host-prohibited')
self.term_name = '%s_%s' % (self.filter[:1], self.term.name)
def testMixedAddresses(self):
self.assertListEqual(self.defs.GetNetAddr('BING'),
[nacaddr.IPv4('10.0.0.0/8'),
nacaddr.IPv6('::FFFF:FFFF:FFFF:FFFF')])
# same thing but letting nacaddr decide which v4 or v6.
self.assertListEqual(self.defs.GetNetAddr('BING'),
[nacaddr.IP('10.0.0.0/8'),
nacaddr.IP('::FFFF:FFFF:FFFF:FFFF')])
def testBridgeFilterInetType(self):
self.naming.GetNetAddr('LOCALHOST').AndReturn([nacaddr.IPv4('127.0.0.1'),
nacaddr.IPv6('::1/128')])
self.mox.ReplayAll()
jcl = juniper.Juniper(policy.ParsePolicy(
GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
output = str(jcl)
self.failIf('::1/128' in output, output)
def test_token_to_ip_fail(self):
expected_results = [(r'GOOGLE_DNS', [
nacaddr.IPv4('69.171.239.12/32'),
nacaddr.IPv6('2a03:2880:fffe:c:face:b00c:0:35/128')
])]
options = Namespace(obj=('GOOGLE_DNS', ), )
results = get_nets(options.obj, self.db)
# the network object name should match, but not the IPs contained within
self.assertEquals(results[0][0], expected_results[0][0])
self.assertNotEquals(set(results[0][1]), set(expected_results[0][1]))
def testBridgeFilterInetType(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('127.0.0.1'), nacaddr.IPv6('::1/128')]
jcl = juniper.Juniper(policy.ParsePolicy(
GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
output = str(jcl)
self.failIf('::1/128' in output, output)
self.naming.GetNetAddr.assert_called_once_with('LOCALHOST')
def testIPv6IcmpOrder(self):
self.naming.GetNetAddr('IPV6_INTERNAL').InAnyOrder().AndReturn(
[nacaddr.IPv6('fd87:6044:ac54:3558::/64')])
self.mox.ReplayAll()
pol = policy.ParsePolicy(IPV6_HEADER_1 + ICMPV6_TERM_1, self.naming)
acl = iptables.Iptables(pol, EXP_INFO)
result = str(acl)
self.failUnless(
'-s fd87:6044:ac54:3558::/64 -p ipv6-icmp -m icmp6'
' --icmpv6-type 1' in result,
'incorrect order of ICMPv6 match elements')
def testIPv6IcmpOrder(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv6('fd87:6044:ac54:3558::/64')]
pol = policy.ParsePolicy(IPV6_HEADER_1 + ICMPV6_TERM_1, self.naming)
acl = iptables.Iptables(pol, EXP_INFO)
result = str(acl)
self.failUnless('-s fd87:6044:ac54:3558::/64 -p ipv6-icmp -m icmp6'
' --icmpv6-type 1' in result,
'incorrect order of ICMPv6 match elements')
self.naming.GetNetAddr.assert_called_once_with('IPV6_INTERNAL')
def testCollapsing(self):
ip1 = nacaddr.IPv4('1.1.0.0/24', 'foo')
ip2 = nacaddr.IPv4('1.1.1.0/24', 'foo')
ip3 = nacaddr.IPv4('1.1.2.0/24', 'baz')
ip4 = nacaddr.IPv4('1.1.3.0/24')
ip5 = nacaddr.IPv4('1.1.4.0/24')
# stored in no particular order b/c we want CollapseAddr to call [].sort
# and we want that sort to call nacaddr.IP.__cmp__() on our array members
ip6 = nacaddr.IPv4('1.1.0.0/22')
# check that addreses are subsumed properlly.
collapsed = nacaddr.CollapseAddrList([ip1, ip2, ip3, ip4, ip5, ip6])
self.assertEqual(len(collapsed), 2)
# test that the comments are collapsed properlly, and that comments aren't
# added to addresses that have no comments.
self.assertListEqual([collapsed[0].text, collapsed[1].text],
['foo, baz', ''])
self.assertListEqual(
collapsed,
[nacaddr.IPv4('1.1.0.0/22'),
nacaddr.IPv4('1.1.4.0/24')])
# test that two addresses are supernet'ed properlly
collapsed = nacaddr.CollapseAddrList([ip1, ip2])
self.assertEqual(len(collapsed), 1)
self.assertEqual(collapsed[0].text, 'foo')
self.assertListEqual(collapsed, [nacaddr.IPv4('1.1.0.0/23')])
ip_same1 = ip_same2 = nacaddr.IPv4('1.1.1.1/32')
self.assertListEqual(nacaddr.CollapseAddrList([ip_same1, ip_same2]),
[ip_same1])
ip1 = nacaddr.IPv6('::2001:1/100')
ip2 = nacaddr.IPv6('::2002:1/120')
ip3 = nacaddr.IPv6('::2001:1/96')
# test that ipv6 addresses are subsumed properlly.
collapsed = nacaddr.CollapseAddrList([ip1, ip2, ip3])
self.assertListEqual(collapsed, [ip3])
def __init__(self, term, af):
"""Setup a new nftables term.
Args:
term: A policy.Term object
af: The address family for the term, "inet" or "inet6"
"""
super(Term, self).__init__(term)
self.term = term
self.af = af
if af == 'inet6':
self.all_ips = nacaddr.IPv6('::/0')
else:
self.all_ips = nacaddr.IPv4('0.0.0.0/0')
def testNoVerboseV6(self):
addr_list = list()
for octet in range(0, 256):
net = nacaddr.IPv6('2001:db8:1010:' + str(octet) + '::64/64')
addr_list.append(net)
self.naming.GetNetAddr.return_value = addr_list
self.naming.GetServiceByProto.return_value = ['25']
jcl = juniper.Juniper(
policy.ParsePolicy(
GOOD_NOVERBOSE_V6_HEADER + GOOD_TERM_1 + GOOD_TERM_COMMENT,
self.naming), EXP_INFO)
self.failUnless('2001:db8:1010:90::/61;' in str(jcl))
self.failUnless('COMMENT' not in str(jcl))
self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testAddressListExcludeCaseThree(self):
# Two blocks off both ends of a large block.
superset = [
nacaddr.IPv4('200.0.0.0/24'),
nacaddr.IPv4('10.0.0.0/8'),
nacaddr.IPv6('200::/56'),
nacaddr.IPv6('10::/16')
]
excludes = [
nacaddr.IPv6('10::/18'),
nacaddr.IPv6('10:c000::/18'),
nacaddr.IPv4('10.0.0.0/10'),
nacaddr.IPv4('10.192.0.0/10')
]
expected = [
nacaddr.IPv4('10.64.0.0/10'),
nacaddr.IPv4('10.128.0.0/10'),
nacaddr.IPv4('200.0.0.0/24'),
nacaddr.IPv6('10:4000::/18'),
nacaddr.IPv6('10:8000::/18'),
nacaddr.IPv6('200::/56')
]
self.assertListEqual(nacaddr.AddressListExclude(superset, excludes),
expected)
def testInet6Address(self):
self.assertListEqual(
self.defs.GetNetAddr('BAZ'),
[nacaddr.IPv6('::FFFF:FFFF:FFFF:FFFF'),
nacaddr.IPv6('::1/128')])
def setUp(self):
self.addr1 = nacaddr.IPv4('10.0.0.0/8', 'The 10 block')
self.addr2 = nacaddr.IPv6('DEAD:BEEF:BABE:FACE:DEAF:FEED:C0DE:F001/64',
'An IPv6 Address')
