def print_table(self,
table_style=TableStyle.UNICODE,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH):
"""
Print the table showing the synthesis
Args:
table_style (TableStyle): select the style of the table
local_src (LocalFlag): hide local addresses if explicitly removed from ranges in the source IP
local_dst (LocalFlag): hide local addresses if explicitly removed from ranges in the destination IP
"""
Synthesis.diff_table(table_style, self.firewall.name,
self.firewall2.name, self.__plus, self.__minus,
self.firewall.locals, local_src, local_dst)
def get_rules(self):
"Get the rules as lists of Rule objects"
if self.mrules_precomputed:
rules = self.__rules
else:
rules = [Synthesis.mrule_list(r) for r in self.__rules]
return [Rule(Packet(*pin), Packet(*pout)) for pin, pout in rules]
def print_table(self,
table_style=TableStyle.UNICODE,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH,
nat=NatFlag.ALL):
"""
Print the table showing the synthesis
Args:
table_style (TableStyle): select the style of the table
local_src (LocalFlag): hide local addresses if explicitly removed from ranges in the source IP
local_dst (LocalFlag): hide local addresses if explicitly removed from ranges in the destination IP
nat (NatFlag): show only nat or filter rules
"""
Synthesis.mrule_table(self.__rules, table_style, self.firewall.locals,
local_src, local_dst, nat)
def synthesize(self,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH,
query="true"):
"""
Synthesize a specification
Args:
local_src (LocalFlag): constraint for the source address
local_dst (LocalFlag): constraint for the destination address
query (str): generic constraint expressed in the query language
Returns:
SynthesisOutput object
"""
rules = Synthesis.synthesize(self.__fw, self.locals, local_src,
local_dst, query)
droprules = Synthesis.synthesize_drop(self.__fw, self.locals,
local_src, local_dst, query)
return SynthesisOutput(self, rules, droprules)
def get_drop_rules_no_duplicates(self):
"Get the rules as lists of ints"
FWS_rules = [Synthesis.mrule_list(r) for r in self.__droprules]
rules = []
for rule in FWS_rules:
for pkt in rule:
for field in pkt:
field.sort()
normalize_rule(rule)
if rule[0][7] == [[1, 1]]:
del rule
continue
transformation = "DROP"
packets = rule[0][0:4] + [rule[0][6]]
rules = rules + [[packets, transformation]]
change = True
while change:
change = False
i = 0
while i < len(rules) - 1:
j = i + 1
while j < len(rules):
diff = -1
for z in range(0, len(rules[i][0])):
if rules[i][0][z] != rules[j][0][z]:
if diff > -1:
# print(z)
diff = -2
break
diff = z
# When I make the union, len change and also my position
if diff > -1:
change = True
rules[i][0][diff].sort()
rules[j][0][diff].sort()
union_z = segment_set_union(rules[i][0][diff],
rules[j][0][diff])
rules[i][0][diff] = union_z
del rules[j]
elif diff == -1:
del rules[j]
else:
diff = -1
j = j + 1
i = i + 1
return [[pin, pout] for pin, pout in rules]
def __init__(self, name, diagram, chains, local_addresses):
"""
Make a Firewall Object
Args:
name (str): name of the firewall (displayed in parser error messages)
diagram (str): diagram file path
chains (str): chain file contents in the generic language
local_addresses (List[str]): local addresses of the firewall
"""
self.name = name
self.locals = local_addresses
self.__fw = Synthesis.make_firewall(diagram, name, chains,
local_addresses)
def synthesize_nd(self,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH,
query="true"):
"""
Synthesize non-deterministically dropped packets
Args:
local_src (LocalFlag): constraint for the source address
local_dst (LocalFlag): constraint for the destination address
query (str): generic constraint expressed in the query language
Returns:
SynthesisOutput object
"""
rules = Synthesis.synthesize_nd(self.__fw, self.locals, local_src,
local_dst, query)
return SynthesisOutput(self, rules)
def equivalence(self,
other,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH,
query="true"):
"""
Check for equivalence between two firewalls
Args:
other (Firewall): other firewall to check
local_src (LocalFlag): constraint for the source address
local_dst (LocalFlag): constraint for the destination address
query (str): generic constraint expressed in the query language
Returns:
boolean value if the second firewall is equivalent to `self`
"""
return Synthesis.equivalence(self.__fw, other.__fw, self.locals,
local_src, local_dst, query)
def difference(self,
other,
local_src=LocalFlag.BOTH,
local_dst=LocalFlag.BOTH,
query="true"):
"""
Synthesize the difference between two firealls
Args:
local_src (LocalFlag): constraint for the source address
local_dst (LocalFlag): constraint for the destination address
query (str): generic constraint expressed in the query language
Returns:
DiffOutput object
"""
plus, minus = Synthesis.difference(self.__fw, other.__fw, self.locals,
local_src, local_dst, query)
return DiffOutput(self, other, plus, minus)
def get_rules_no_duplicates(self):
if self.mrules_precomputed:
rules = self.__rules
else:
rules = [Synthesis.mrule_list(r) for r in self.__rules]
for rule in rules:
for pkt in rule:
for field in pkt:
field.sort()
change = True
while change:
change = False
i = 0
while i < len(rules) - 1:
j = i + 1
while j < len(rules):
if rules[i][1] != rules[j][1]:
j = j + 1
continue
diff = None
for z in range(0, len(rules[i][0])):
if rules[i][0][z] != rules[j][0][z]:
if diff is not None:
diff = None
break
diff = z
# When I make the union, len change and also my position
if diff is not None:
change = True
rules[i][0][diff].sort()
rules[j][0][diff].sort()
union_z = segment_set_union(rules[i][0][diff],
rules[j][0][diff])
rules[i][0][diff] = union_z
del rules[j]
j = i + 1
else:
j = j + 1
i = i + 1
return [Rule(Packet(*pin), Packet(*pout)) for pin, pout in rules]
def get_rules(self):
"Get the rules as tuple of lists of Rule objects"
plus = [Synthesis.mrule_list(r) for r in self.__plus]
minus = [Synthesis.mrule_list(r) for r in self.__minus]
return ([Rule(Packet(*pin), Packet(*pout)) for pin, pout in plus],
[Rule(Packet(*pin), Packet(*pout)) for pin, pout in minus])
def get_rules(self):
"Get the rules as list of lists of ints"
return ([Synthesis.mrule_list(r) for r in self.__plus],
[Synthesis.mrule_list(r) for r in self.__minus])
def get_rules_no_duplicates(self):
FWS_rules = [Synthesis.mrule_list(r) for r in self.__rules]
rules = []
for rule in FWS_rules:
for pkt in rule:
for field in pkt:
field.sort()
normalize_rule(rule)
if rule[0][7] == [[1, 1]]:
del rule
continue
if rule[1][0] == []:
tr_srcIP = "id"
else:
if len(rule[1][0]) > 1 or rule[1][0][0][0] != rule[1][0][0][0]:
print(
'ERROR! This tool does not support NAT to range of addresses'
)
continue
else:
tr_srcIP = rule[1][0][0][0]
# srcPort
if rule[1][1] == []:
tr_srcPort = "id"
else:
if len(rule[1][1]) > 1 or rule[1][1][0][0] != rule[1][1][0][0]:
print(
'ERROR! This tool does not support NAT to range of addresses'
)
continue
else:
tr_srcPort = rule[1][1][0][0]
# dstIP
if rule[1][2] == []:
tr_dstIP = "id"
else:
if len(rule[1][2]) > 1 or rule[1][2][0][0] != rule[1][2][0][0]:
print(
'ERROR! This tool does not support NAT to range of addresses'
)
continue
else:
tr_dstIP = rule[1][2][0][0]
# srcPort
if rule[1][3] == []:
tr_dstPort = "id"
else:
if len(rule[1][3]) > 1 or rule[1][3][0][0] != rule[1][3][0][0]:
print(
'ERROR! This tool does not support NAT to range of addresses'
)
continue
else:
tr_dstPort = rule[1][3][0][0]
transformation = {
"srcIP": tr_srcIP,
"srcPort": tr_srcPort,
"dstIP": tr_dstIP,
"dstPort": tr_dstPort
}
packets = rule[0][0:4] + [rule[0][6]]
rules = rules + [[packets, transformation]]
change = True
while change:
change = False
i = 0
while i < len(rules) - 1:
j = i + 1
while j < len(rules):
if rules[i][1] != rules[j][1]:
j = j + 1
continue
diff = None
for z in range(0, len(rules[i][0])):
if rules[i][0][z] != rules[j][0][z]:
if diff is not None:
diff = None
break
diff = z
# When I make the union, len change and also my position
if diff is not None:
change = True
rules[i][0][diff].sort()
rules[j][0][diff].sort()
union_z = segment_set_union(rules[i][0][diff],
rules[j][0][diff])
rules[i][0][diff] = union_z
del rules[j]
j = i + 1
else:
j = j + 1
i = i + 1
return rules
def get_drop_rules(self):
"Get the rules as lists of ints"
return [Synthesis.mrule_list(r) for r in self.__droprules]