def p_interface_line_2(p):
    '''interface_line : SET INTERFACE object_name opt_tag ZONE object_name'''
    # Grammar symbols: p[3] interface name, p[4] optional tag (may be empty),
    # p[6] zone name.  The zone is stored in the interface's `name` slot.
    if_name = p[3]
    tag = p[4]
    zone = p[6]
    firewall = p_info['firewall']
    # A name containing "/" followed later by "." is treated as a
    # sub-interface of the part before the ".".
    is_sub_interface = re.match(r'.*/.*\..*', if_name) is not None

    if not is_sub_interface:
        target = firewall.get_interface_by_nameif(if_name)
        if target:
            target.name = zone
        else:
            target = Interface(if_name, None, zone, [])
            firewall.interfaces.append(target)
    else:
        parent_name = if_name.split('.')[0]
        parent = firewall.get_interface_by_nameif(parent_name)
        if not parent:
            # Parent not declared yet: create a placeholder to hang the
            # sub-interface on.
            parent = Interface(parent_name, None, None, [])
            firewall.interfaces.append(parent)
        target = parent.get_subif_by_nameif(if_name)
        if target:
            target.name = zone
        else:
            target = Interface(if_name, None, zone, [])
            parent.sub_interfaces.append(target)

    if tag:
        target.attributes['tag'] = tag
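def p_edit_line(p):
    '''edit_line : EDIT NUMBER
                 | EDIT WORD'''
    # An "edit <id>" line opens a new object in the section the parser is
    # currently in; that section decides which p_info slots are reset.
    # get_state() is read once: no branch below changes the state before
    # the comparisons that follow it.
    state = get_state()
    if state == 'vdom':
        finish()  # flush the firewall built so far
        restore_or_create_fw(p[2])  # reset to a new firewall for this vdom
    elif state == 'policy':
        # NOTE: policy ids are expected as NUMBER tokens; an "edit WORD" in
        # this section makes int() raise ValueError.
        p_info['current_rule'] = Rule(int(p[2]), None, [], [], [], [], [],
                                      Action(False))
        p_info['srcintf'] = []
        p_info['dstintf'] = []
    elif state in ('address', 'address_group', 'service',
                   'service_group'):
        object_name = remove_quote(p[2])
        object_dict[object_name] = []
        p_info['current_object'] = object_name
        p_info['range_ip'] = None
        p_info['range_port'] = None
    elif state == 'interface':
        p_info['current_interface'] = Interface(remove_quote(p[2]), None, None,
                                                [])
        # Paired with None: the second slot is filled in elsewhere.
        p_info['interface_list'].append([p_info['current_interface'], None])
    elif state == 'zone':
        zone_name = remove_quote(p[2])
        p_info['zone_list'][zone_name] = []
        p_info['current_zone'] = zone_name
    elif parsing_route:
        # Static routes are tracked by a module-level flag rather than by
        # get_state(); `parsing_route` is a bool, so test it directly
        # instead of comparing against True.
        p_info['current_route'].id = int(p[2])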
def p_interface_line_2(p):
    '''interface_line : SET INTERFACE object_name opt_tag ZONE object_name'''
    # p[3]: interface name, p[4]: optional tag (may be empty), p[6]: zone.
    firewall = p_info['firewall']
    name, tag, zone = p[3], p[4], p[6]

    # Pick the collection the interface lives in and the lookup for it:
    # either the firewall's top-level interfaces, or the sub-interfaces of
    # the parent named before the "." (created on demand).
    if re.match(r'.*/.*\..*', name):
        parent_name = name.split('.')[0]
        parent = firewall.get_interface_by_nameif(parent_name)
        if not parent:
            parent = Interface(parent_name, None, None, [])
            firewall.interfaces.append(parent)
        owner, lookup = parent.sub_interfaces, parent.get_subif_by_nameif
    else:
        owner, lookup = firewall.interfaces, firewall.get_interface_by_nameif

    # Update an existing entry's zone or add a new interface carrying it.
    target = lookup(name)
    if target:
        target.name = zone
    else:
        target = Interface(name, None, zone, [])
        owner.append(target)

    if tag:
        target.attributes['tag'] = tag
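 def parse_ifconfig(self, data):
     """Consume one whitespace-split line of ``ifconfig`` output.

     ``data`` is the list of tokens of a single line.  A first token ending
     in ":" starts a new interface record, appended to ``self.full_data``;
     an "inet" line attaches ``Ip(address, mask)`` to the most recently
     started interface.  Any other line, and an empty token list, is ignored.
     """
     # The original indexed data[0] before testing len(data), so an empty
     # line raised IndexError instead of being skipped; guard first.
     if not data:
         return
     head = data[0]
     # endswith() also tolerates an empty first token (slicing [-1] did not).
     if head.endswith(":"):
         name = head[:-1]
         iface = Interface(name)
         iface.name = name
         self.full_data.append(iface)
     # The 4- and 6-token forms both carry the address at index 1 and the
     # mask at index 3 (the 6-token form has an extra key/value pair).
     elif head == "inet" and len(data) in (4, 6):
         # An "inet" line before any interface header is malformed input;
         # indexing [-1] on the empty list raises IndexError as before.
         self.full_data[-1].network = Ip(data[1], data[3])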
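 def parse_ifconfig(self, data):
     """Consume one whitespace-split line of ``ifconfig`` output.

     ``data`` is the list of tokens of a single line.  A first token ending
     in ":" starts a new interface record, appended to ``self.full_data``;
     an "inet" line attaches ``Ip(address, mask)`` to the most recently
     started interface.  Any other line, and an empty token list, is ignored.
     """
     # The original indexed data[0] before testing len(data), so an empty
     # line raised IndexError instead of being skipped; guard first.
     if not data:
         return
     head = data[0]
     # endswith() also tolerates an empty first token (slicing [-1] did not).
     if head.endswith(":"):
         name = head[:-1]
         iface = Interface(name)
         iface.name = name
         self.full_data.append(iface)
     # The 4- and 6-token forms both carry the address at index 1 and the
     # mask at index 3 (the 6-token form has an extra key/value pair).
     elif head == "inet" and len(data) in (4, 6):
         # An "inet" line before any interface header is malformed input;
         # indexing [-1] on the empty list raises IndexError as before.
         self.full_data[-1].network = Ip(data[1], data[3])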
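def p_interface_line(p):
    '''interface_line : INTERFACE item
                      | INTERFACE REDUNDANT item
                      | INTERFACE PORT_CHANNEL item
                      | BANG'''
    # "!" closes the interface block; every other form opens one and makes
    # the named interface the target of the attribute lines that follow.
    if p[1] == '!':
        p_info['interface_state'] = False
        return
    p_info['interface_state'] = True
    # The interface name is always the last symbol of the production.  Keep
    # len(p) - 1 rather than p[-1]: in PLY a negative index addresses the
    # parser stack, not the current production.
    name = p[len(p) - 1]
    firewall = p_info['firewall']
    # detect sub-interface: "<parent>.<n>" where the parent name holds a "/"
    if re.match(r'.*/.*\..*', name):
        parent_name = name.split('.')[0]
        parent = firewall.get_interface_by_nameif(parent_name)
        if not parent:
            # Previously a missing parent silently dropped the sub-interface
            # and left current_interface pointing at the interface parsed
            # before it, so the following attribute lines were applied to
            # the wrong object.  Create the parent instead, as
            # p_interface_line_1 does.
            parent = Interface(parent_name, None, None, [])
            firewall.interfaces.append(parent)
        parent.sub_interfaces.append(Interface(name, None, None, []))
        p_info['current_interface'] = parent.get_subif_by_nameif(name)
    else:
        firewall.interfaces.append(Interface(name, None, None, []))
        p_info['current_interface'] = firewall.get_interface_by_nameif(name)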
def p_interface_line_1(p):
    '''interface_line : SET INTERFACE object_name IP IP_ADDR SLASH NUMBER
                      | SET INTERFACE object_name IP IP_ADDR SLASH NUMBER SECONDARY'''
    # p[3]: interface name, p[5]: address, p[7]: prefix length.  The
    # trailing SECONDARY keyword, when present, is not inspected.
    if_name = p[3]
    firewall = p_info['firewall']

    def build_network():
        # Built where it is stored, so the mask conversion happens at the
        # same point as before.
        return Ip(p[5], Ip.CidrToMask(int(p[7])))

    # detect sub-interface
    if not re.match(r'.*/.*\..*', if_name):
        interface = firewall.get_interface_by_nameif(if_name)
        if interface:
            interface.network = build_network()
        else:
            firewall.interfaces.append(Interface(if_name, build_network(), None, []))
        return

    # "<parent>.<n>": find or create the parent, then the sub-interface.
    parent_name = if_name.split('.')[0]
    parent = firewall.get_interface_by_nameif(parent_name)
    if not parent:
        parent = Interface(parent_name, None, None, [])
        firewall.interfaces.append(parent)
    sub_if = parent.get_subif_by_nameif(if_name)
    if sub_if:
        sub_if.network = build_network()
    else:
        parent.sub_interfaces.append(Interface(if_name, build_network(), None, []))
def p_sub_iface_address_line(p):
    '''iface_attr_line : ADDRESS IP_ADDR SLASH NUMBER SEMI_COLON
                       | ADDRESS IP_ADDR SLASH NUMBER LBRACKET '''
    global current_sub_iface, cptr, parsing_level3, current_iface
    # An opening bracket nests one level deeper (p_end_line unwinds it).
    opens_block = p[5] == '{'
    if opens_block:
        cptr += 1
    if parsing_level3 != 'sub_interface':
        return
    # Attach address/prefix to the sub-interface being built and hand the
    # object over to the flat `ifaces` list.
    address = p[2]
    prefix_len = int(p[4])
    current_sub_iface.network = Ip(address, fromDec2Dotted(prefix_len))
    ifaces.append(current_sub_iface)
    # NOTE(review): this empties, in place, the sub_interfaces list of the
    # object that was just stored in `ifaces` -- presumably deliberate
    # (sub-interfaces carry no nested entries); confirm before changing.
    del current_sub_iface.sub_interfaces[:]
    current_sub_iface = Interface(None)
    parsing_level3 = ''
def p_edit_line(p):
    '''edit_line : EDIT NUMBER
                 | EDIT WORD'''
    # "edit <id>" opens a new object in the current section; the section
    # decides which p_info slots are reset.
    state = get_state()
    if state == 'policy':
        # Policy ids are numeric: int() raises ValueError on a WORD token.
        p_info['current_rule'] = Rule(int(p[2]), None, [], [], [], [], [], False)
        p_info['srcintf'] = None
        p_info['dstintf'] = None
    elif state in ('address', 'address_group', 'service', 'service_group'):
        object_name = remove_quote(p[2])
        object_dict[object_name] = []
        p_info.update(current_object=object_name, range_ip=None, range_port=None)
    elif state == 'interface':
        new_interface = Interface(remove_quote(p[2]), None, None, [])
        p_info['current_interface'] = new_interface
        p_info['firewall'].interfaces.append(new_interface)
def init(name, raise_on_error=False):
    """Reset the module-level parser state before parsing one FortiGate config.

    Args:
        name: path of the configuration file; stored as the firewall's name,
            its basename becomes the hostname.
        raise_on_error: stored in p_info for the parser to consult.
    """
    object_dict.clear()
    firewall = Firewall()
    firewall.name = name
    # ntpath.basename splits on both "\\" and "/", so a Windows-style path
    # still yields the bare file name on POSIX hosts.
    firewall.hostname = ntpath.basename(name)
    firewall.type = 'FortiGate'
    p_info['firewall'] = firewall
    p_info.update({
        'srcintf': None,
        'dstintf': None,
        'used_object': set(),
        'bounded_rules': set(),
        'current_rule': Rule(None, None, [], [], [], [], [], False),
        'current_interface': Interface(None, None, None, []),
        'current_object': None,
        'current_state': [],
        'range_ip': None,
        'range_port': None,
        'raise_on_error': raise_on_error,
    })
def p_end_line(p):
    '''end_line : RBRACKET'''
    # A closing bracket ends the innermost block.  Which block that was is
    # decided by the nesting depth `cptr` (decremented first, so the values
    # tested below are the depth *after* the close) together with the
    # parsing_level2 / parsing_level3 markers, presumably set by the rules
    # that open those blocks.  `parsing_level1` and `networks` are declared
    # global but not touched here.
    global parsing_level1, parsing_level2, parsing_level3, current_set,current_service,\
        networks_set, networks, services, services_set, cptr, j, current_iface, ifaces, zones
    cptr -= 1
    j += 1  # incremented on every close; not read in this function
    if parsing_level3 == 'address_set':
        # Store a copy of the accumulated set: 'elts' goes through list()
        # because the shared current_set['elts'] list is emptied in place below.
        networks_set.append({
            'name': current_set['name'],
            'elts': list(current_set['elts'])
        })
        current_set['name'] = ''
        parsing_level3 = ''
        del current_set['elts'][:]
    elif parsing_level3 == 'service':
        # dict() snapshots current_service before it is cleared for reuse.
        services.append(dict(current_service))
        current_service.clear()
        parsing_level3 = ''
    elif parsing_level3 == 'service_set':
        # Same pattern as 'address_set', into services_set.
        services_set.append({
            'name': current_set['name'],
            'elts': list(current_set['elts'])
        })
        current_set['name'] = ''
        del current_set['elts'][:]
        parsing_level3 = ''
    # The checks below are independent `if`s, not an elif chain: each one
    # sees the state left by the ones above it.
    if cptr == 1 and parsing_level2 == 'interfaces':
        # Back at depth 1 inside the interfaces block: the interface just
        # closed goes to the flat `ifaces` list and a fresh Interface(None)
        # becomes the one being built.
        ifaces.append(current_iface)
        current_iface = Interface(None)
    if cptr == 0 and parsing_level2 == 'interfaces':
        parsing_level2 = ''
    if cptr == 2 and parsing_level3 == 'sub_interface':
        parsing_level3 = ''

    ### to parse security zones
    if parsing_level3 == 'zones_ifaces' and cptr == 3:
        # Unlike the set branches above, the whole current_set dict is
        # deep-copied and then cleared, so none of its keys survive.
        zones.append(copy.deepcopy(current_set))
        current_set.clear()
        parsing_level3 = ''
    if cptr == 1 and parsing_level2 == 'zones':
        parsing_level2 = ''
def _init(vdom):
    """Reset parser state for one (optionally vdom-scoped) FortiGate firewall.

    Args:
        vdom: vdom name, or a falsy value when the config is not vdom-scoped;
            a truthy value is appended to the hostname as "-<vdom>".
    """
    object_dict.clear()
    firewall = Firewall()
    firewall.name = p_info['name']
    hostname_suffix = '-' + vdom if vdom else ''
    firewall.hostname = p_info['hostname'] + hostname_suffix
    firewall.type = 'Fortinet FortiGate'
    p_info['firewall'] = firewall
    p_info['vdom'] = vdom
    # Per-rule / per-object scratch state.
    p_info.update({
        'srcintf': [],
        'dstintf': [],
        'used_object': set(),
        'bounded_rules': set(),
        'current_rule': Rule(None, None, [], [], [], [], [], Action(False)),
        'current_interface': Interface(None, None, None, []),
        'current_object': None,
        'range_ip': None,
        'range_port': None,
    })
    # Static-route bookkeeping.
    p_info['route_list'] = []
    p_info['current_route'] = Route(None, None, None, None, None, 1)
    p_info['index_route'] = 0
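def finish_fw(acls):
    """Build one Firewall object per entry of the module-level ``firewalls`` list.

    Each firewall gets copies (not aliases) of the module-level
    ``unused_objects`` and ``nd`` collections, an Interface per record in the
    entry's ``ifaces``, and the ACL from ``acls`` keyed by the gateway name,
    then is appended to ``p_info['firewall_list']``.

    Args:
        acls: mapping of gateway hostname -> list of parsed rules.
    """
    for fw in firewalls:
        firewall = Firewall()
        # Published first, as before, in case constructors below consult it.
        p_info['firewall'] = firewall
        firewall.name = p_info['name']
        firewall.hostname = fw['name']
        firewall.type = 'CheckPoint'
        firewall.unused_objects = set(unused_objects)
        firewall.dictionnary = dict(nd)
        # `ifaces` may be empty or None; both skip the loop.
        for iface in fw['ifaces'] or ():
            firewall.interfaces.append(
                Interface(iface['name'],
                          Ip(iface['ipaddr'], iface['netmask']),
                          iface['index']))

        # Mapping keys are unique, so the old linear scan matched at most
        # once; a direct lookup is equivalent.  The original .iteritems()
        # is Python 2 only, while `in`/[] run on both versions.
        if firewall.hostname in acls:
            new_acl = ACL(firewall.hostname)
            new_acl.rules = acls[firewall.hostname]
            firewall.acl.append(new_acl)

        p_info['firewall_list'].append(firewall)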
def p_interface_line_1(p):
    '''interface_line : SET INTERFACE object_name IP IP_ADDR SLASH NUMBER
                      | SET INTERFACE object_name IP IP_ADDR SLASH NUMBER SECONDARY'''
    # p[3]: interface name, p[5]: address, p[7]: prefix length (CIDR).
    # The trailing SECONDARY keyword, when present, is not inspected.
    name = p[3]
    firewall = p_info['firewall']

    def network():
        # Built only when stored, so the mask conversion happens at the
        # same point as before.
        return Ip(p[5], Ip.CidrToMask(int(p[7])))

    # detect sub-interface: "<parent>.<n>" where the parent name holds a "/"
    if re.match(r'.*/.*\..*', name):
        parent_name = name.split('.')[0]
        parent = firewall.get_interface_by_nameif(parent_name)
        if not parent:
            parent = Interface(parent_name, None, None, [])
            firewall.interfaces.append(parent)
        owner = parent.sub_interfaces
        existing = parent.get_subif_by_nameif(name)
    else:
        owner = firewall.interfaces
        existing = firewall.get_interface_by_nameif(name)

    # Either refresh the address of a known interface or add a new one.
    if existing:
        existing.network = network()
    else:
        owner.append(Interface(name, network(), None, []))
# Parsed objects and object groups, keyed by (unquoted) name.
object_dict = {}
# Module-level flags for sections that are not tracked via get_state().
parsing_route = False
parsing_ipsec = False
# Use for detect state
p_info = {
    'firewall_list': [],                # finished Firewall objects (one per vdom)
    'firewall': Firewall(),             # firewall currently being built
    'vdom': None,
    'name': None,                       # config file path
    'hostname': None,                   # base hostname, "-<vdom>" appended per vdom
    'srcintf': [],                      # interfaces of the rule being built
    'dstintf': [],
    'used_object': set(),
    'bounded_rules': set(),
    'current_rule': Rule(None, None, [], [], [], [], [], Action(False)),
    'current_interface': Interface(None, None, None, []),
    'current_object': None,             # name of the object being built
    'current_state': [],
    'range_ip': None,                   # scratch for range-style address/service objects
    'range_port': None,
    'raise_on_error': False,
    'use_vdom': False,
    'interface_list': [],               # [Interface, None] pairs (second slot filled later)
    'zone_list': {},                    # zone name -> member list
    'current_zone': None,
    'route_list': [],                   # static-route bookkeeping
    'current_route': Route(None, None, None, None, None, 1),
    'index_route': 0,
}

services = []        # finished service entries (dict snapshots; see p_end_line)
services_set = []    # named service groups: {'name': ..., 'elts': [...]}

current_service = {}  # service being built; cleared when its block closes

current_set = {}  # address/service set (or zone) being built

policies = []  # populated elsewhere; no use visible in this excerpt

cptr = 0  # current "{" nesting depth: +1 on open, -1 on close (p_end_line)

zones = []  # security zones, each a deep copy of current_set at close

current_acl = ACL(None)

current_iface = Interface(None)      # interface block being built
current_sub_iface = Interface(None)  # sub-interface block being built
ifaces = []  # flat list of finished interfaces and sub-interfaces

# Use for construct dictionary of object and object group
object_dict = {}

# Use for detect state
p_info = {
    'firewall': Firewall(),
    'current_policy': Rule(0, "", [], [], [], [], [], Action(False)),
    'context_policy': Rule(0, "", [], [], [], [], [], Action(False)),
    'policy_zone_src': None,
    'policy_zone_dst': None,
    'current_object': None,
    'used_object': set(),
def p_interface_address(p):
    '''interface_address : INET ADDR COLON IP_ADDR opt_bcast MASK COLON IP_ADDR'''
    # p[4] is the address and p[8] the netmask; the optional broadcast
    # symbol (p[5]) is not used.  The interface name doubles as its nameif.
    iface_name = p_info['current_interface_name']
    network = Ip(p[4], p[8])
    new_interface = Interface(iface_name, network, iface_name, [])
    p_info['firewall'].interfaces.append(new_interface)