def get_all_simple_path_new(self, rule, current_path): """ create a list of path in order to go from the source to the dest of the rule :param rule: rule with the ip_source / port_source / port_dest / protocol / dest :param current_path: an empty list to begin :return: a list of list containing each element the packet go through """ path_list = [] if len(current_path) == 0: current_path.append([ rule.ip_source[0], rule.ip_dest[0], rule.port_source, rule.port_dest, rule.protocol ]) fw_ip_list = self.find_fw_from_ip(rule.ip_source[0]) for data in fw_ip_list: new_rule = Rule(rule.identifier, rule.name, rule.protocol, [data[1]], rule.port_source, rule.ip_dest, rule.port_dest, Action(True)) tmp_path = list(current_path) tmp_path.append(data[0]) tmp_list = self.get_all_simple_path_new(new_rule, tmp_path) path_list += tmp_list elif len(current_path) == 1: print "error when searching path" return else: current_fw = current_path[len(current_path) - 1] # if prerouting insert here datas = self.check_rule_fw(rule, current_fw) if len(datas): for data in datas: check_end = False tmp = list(current_path) for fw_interface in current_fw.interfaces: if fw_interface.network is not None: tmp_ope = Operator("EQ", fw_interface.network) final_ip = self.ip_operator_merge(data[1], tmp_ope) if final_ip is not None: tmp.append([ data[0], final_ip, data[2], data[3], data[4] ]) path_list.append(tmp) check_end = True if not check_end: routes_dests = self.find_routes(current_path, rule) for route_dest in routes_dests: rule.ip_dest = [routes_dests[1]] fw_list = self.find_fw_from_intefarce( route_dest[0].iface, current_fw) for fw in fw_list: tmp = list(current_path) tmp.append(fw) new_rule = Rule(0, "tmp_rule", data[4], [data[0]], data[2], [data[1]], data[3], Action(True)) tmp_list = self.get_all_simple_path_new( new_rule, tmp) path_list += tmp_list return path_list
def search_rules(self, rule, operator, action, tree_path): """Deep search option. Reparse all rules corresponding to the anomaly. Parameters ---------- rule : Rule. The rule to compare operator : Bdd.Operator. The operation to perform action : Bool or None. Filter rules having this action path : the current tested path index_path : the current position of the rule in the current path""" error_rules = deque() parent = tree_path[0] for i in xrange(1, len(tree_path)): if self.cancel: break if len(tree_path[i]) > 1: error_rules += self.search_rules(rule, operator, action, tree_path[i]) acl_list = NetworkGraph.NetworkGraph().get_acl_list(src=tree_path[i][0], dst=parent) for acl in acl_list: for rule_path in acl.get_rules_path(): for r, a in rule_path: rule_action = r.action.chain if isinstance(r.action.chain, bool) else a if action is not None and rule_action != action: continue if compare_bdd(rule.toBDD(), operator, r.toBDD()): error_rules.append(r) if not error_rules: deny_rule = Rule(-1, 'probably implicit deny', [], [], [], [], [], Action(False)) if not action and compare_bdd(rule.toBDD(), operator, deny_rule.toBDD()): error_rules.append(deny_rule) return error_rules
def get_all_flows(self): """ this function is intend to retrieve the flows in the matrix table as Rules, and return them into a list (of Rule class instance) """ print(self.liststore) for flow in self.liststore: current_rule = Rule(None, None, [], [], [], [], [], Action(False)) try: if isinstance(flow[0], str) and len(flow[0]) != 0: current_rule.identifier = int(flow[0]) if isinstance(flow[1], str) and len(flow[1]) != 0: protocols = flow[1].replace(' ','').split(',') for protocol in protocols: current_rule.protocol.append(Operator('EQ', Protocol(protocol))) if isinstance(flow[2], str) and len(flow[2]) != 0: ips = flow[2].split(',') if "-" in ips: ip1 = ips[:ip.index("-")] ip2 = ips[ip.index("-")+1:] current_rule.ip_source.append(Operator('RANGE', Ip(ip1, ip2))) else: for ip in ips: if '/' in ip: mask = ip[ip.index('/')+1:] ip = ip[:ip.index('/')] current_rule.ip_source.append(Operator('EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_source.append(Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[3], str) and len(flow[3]) != 0: ports = flow[3].split(',') for port in ports: current_rule.port_source.append(Operator('EQ', Port(int(port)))) if isinstance(flow[4], str) and len(flow[4]) != 0: ips = flow[4].split(',') if "-" in ips: ip1 = ips[:ip.index("-")] ip2 = ips[ip.index("-")+1:] current_rule.ip_source.append(Operator('RANGE', Ip(ip1, ip2))) else: for ip in ips: if '/' in ip: mask = ip[ip.index('/')+1:] ip = ip[:ip.index('/')] current_rule.ip_dest.append(Operator('EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_dest.append(Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[5], str) and len(flow[5]) != 0: ports = flow[5].split(',') for port in ports: current_rule.port_dest.append(Operator('EQ', Port(int(port)))) if flow[6] == 'deny': current_rule.action = Action(False) elif flow[6] == 'accept': current_rule.action = Action(True) except KeyError: print 'error' self.flows.append(current_rule)
def un_rules2(self, rule): out_rule = [] out_rule2 = [] out_rule3 = [] out_rule4 = [] out_rule5 = [] if len(rule.protocol) > 0: for proto in rule.protocol: out_rule.append( Rule(rule.identifier, rule.name, [proto], rule.ip_source, rule.port_source, rule.ip_dest, rule.port_dest, rule.action)) else: out_rule.append(rule) if len(rule.ip_source) > 0: for ip_src in rule.ip_source: for _rule in out_rule: out_rule2.append( Rule(rule.identifier, rule.name, _rule.protocol, [ip_src], _rule.port_source, _rule.ip_dest, _rule.port_dest, _rule.action)) else: out_rule2 = list(out_rule) if len(rule.port_source) > 0: for port_src in rule.port_source: for _rule in out_rule2: out_rule3.append( Rule(rule.identifier, rule.name, _rule.protocol, _rule.ip_source, [port_src], _rule.ip_dest, _rule.port_dest, _rule.action)) else: out_rule3 = list(out_rule2) if len(rule.ip_dest) > 0: for ip_dst in rule.ip_dest: for _rule in out_rule3: out_rule4.append( Rule(rule.identifier, rule.name, _rule.protocol, _rule.ip_source, _rule.port_source, [ip_dst], _rule.port_dest, _rule.action)) else: out_rule4 = list(out_rule3) if len(rule.port_dest) > 0: for port_dst in rule.port_dest: for _rule in out_rule4: out_rule5.append( Rule(rule.identifier, rule.name, _rule.protocol, _rule.ip_source, _rule.port_source, _rule.ip_dest, [port_dst], _rule.action)) else: out_rule5 = list(out_rule4) return out_rule5
def get_all_flows(self): for flow in self.liststore: current_rule = Rule(None, None, [], [], [], [], [], Action(False)) try: if isinstance(flow[0], str) and len(flow[0]) != 0: current_rule.identifier = int(flow[0]) if isinstance(flow[1], str) and len(flow[1]) != 0: protocols = flow[1].split(',') for protocol in protocols: current_rule.protocol.append( Operator('EQ', Protocol(protocol))) if isinstance(flow[2], str) and len(flow[2]) != 0: ips = flow[2].split(',') for ip in ips: if '/' in ip: mask = ip[ip.index('/') + 1:] ip = ip[:ip.index('/')] current_rule.ip_source.append( Operator( 'EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_source.append( Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[3], str) and len(flow[3]) != 0: ports = flow[3].split(',') for port in ports: current_rule.port_source.append( Operator('EQ', Port(int(port)))) if isinstance(flow[4], str) and len(flow[4]) != 0: ips = flow[4].split(',') for ip in ips: if '/' in ip: mask = ip[ip.index('/') + 1:] ip = ip[:ip.index('/')] current_rule.ip_dest.append( Operator( 'EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_dest.append( Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[5], str) and len(flow[5]) != 0: ports = flow[5].split(',') for port in ports: current_rule.port_dest.append( Operator('EQ', Port(int(port)))) if flow[6] == 'deny': current_rule.action = Action(False) elif flow[6] == 'accept': current_rule.action = Action(True) except KeyError: print 'error' # self.flows.append(current_rule)
def init(name, raise_on_error=False): object_dict.clear() p_info['firewall'] = Firewall() p_info['firewall'].name = name p_info['firewall'].hostname = ntpath.basename(name) p_info['firewall'].type = 'JuniperNetscreen' p_info['current_policy'] = Rule(0, "", [], [], [], [], [], False) p_info['context_policy'] = Rule(0, "", [], [], [], [], [], False), p_info['policy_zone_src'] = None p_info['policy_zone_dst'] = None p_info['current_object'] = [] p_info['used_object'] = set() p_info['policy_context'] = 0 p_info['index_rule'] = -1 p_info['raise_on_error'] = raise_on_error
def get_general_rule(self, node): """ Return a rule in accords with the policy """ rule = None txt = node.data_list[0][2] + " " + node.data_list[0][3] if txt == "(policy DROP)\n": rule = Rule(self.instance.identifier, "all", [], [], [], [], [], Action(False)) self.instance.identifier += 1 elif txt == "(policy ACCEPT)\n": rule = Rule(self.instance.identifier, "all", [], [], [], [], [], Action(False)) self.instance.identifier += 1 return rule
def p_policy_name_line2(p): '''policy_name_line : POLICY NUMBER WORD LBRACKET''' global parsing_level3, cptr cptr += 1 parsing_level3 = 'policy' p_info['current_policy'] = Rule(p[2] + p[3], p[2] + p[3], [], [], [], [], [], Action(False))
def init(name, raise_on_error=False): global i, j, k, cptr, current_rule, d, nd i, j, k, cptr = 0, 0, 0, 0 current_rule = { 'index': None, 'action': None, 'src': [], 'dst': [], 'install': [], 'services': [] } p_info['firewall_list'] = [] p_info['name'] = name p_info['hostname'] = ntpath.basename(name) p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['firewall'] = Firewall() del object_dict[:], firewalls[:], used_objects[:], rules[:] d = { 'host': list(), 'port': list(), 'protocol': list(), 'machines_range': list(), 'netobj': list() } nd = { 'host': list(), 'port': list(), 'protocol': list(), 'machines_range': list(), 'netobj': list() }
def insert_rule(): if p_info['policy_zone_src'] and p_info['policy_zone_dst']: acl = p_info['firewall'].get_acl_by_name(p_info['policy_zone_src'] + '-' + p_info['policy_zone_dst']) if not acl: acl = ACL(p_info['policy_zone_src'] + '-' + p_info['policy_zone_dst']) p_info['firewall'].acl.append(acl) NetworkGraph.NetworkGraph.NetworkGraph().bind_acl( acl, p_info['firewall'], p_info['firewall'].get_interface_by_name( p_info['policy_zone_src']), p_info['firewall'].get_interface_by_name( p_info['policy_zone_dst'])) if p_info['index_rule'] != -1: acl.rules.insert(p_info['index_rule'], p_info['current_policy']) else: acl.rules.append(p_info['current_policy']) else: for acl in p_info['firewall'].acl: acl.rules.append(p_info['current_policy']) p_info['current_policy'] = Rule(0, "", [], [], [], [], [], False) p_info['policy_zone_src'] = None p_info['policy_zone_dst'] = None p_info['index_rule'] = -1
def init(name, raise_on_error=False): # clear object variables parser.object_dict.clear() # init firewall p_info['firewall'] = Firewall() p_info['firewall'].name = name p_info['firewall'].hostname = ntpath.basename(name) p_info['firewall'].type = 'Iptables' # create default acl p_info['firewall'].acl.append(ACL('INPUT')) p_info['firewall'].acl.append(ACL('FORWARD')) p_info['firewall'].acl.append(ACL('OUTPUT')) # init parser state p_info['current_interface_name'] = None p_info['used_object'] = set() p_info['default_policy'] = dict() p_info['default_policy']['INPUT'] = Action(True) p_info['default_policy']['FORWARD'] = Action(True) p_info['default_policy']['OUTPUT'] = Action(True) p_info['current_chain'] = None p_info['rule_id'] = 0 p_info['rule_list'] = [] p_info['rule_bind'] = dict() p_info['current_rule'] = Rule(p_info['rule_id'], None, [], [], [], [], [], Action(False)) p_info['rule_bind'][p_info['rule_id']] = [None, None] p_info['current_table'] = None # raise on error option p_info['raise_on_error'] = raise_on_error
def p_edit_line(p): '''edit_line : EDIT NUMBER | EDIT WORD''' if get_state() == 'vdom': finish() # finish restore_or_create_fw(p[2]) # reset to a new firewall elif get_state() == 'policy': p_info['current_rule'] = Rule(int(p[2]), None, [], [], [], [], [], Action(False)) p_info['srcintf'] = [] p_info['dstintf'] = [] elif get_state() in ('address', 'address_group', 'service', 'service_group'): object_dict[remove_quote(p[2])] = [] p_info['current_object'] = remove_quote(p[2]) p_info['range_ip'] = None p_info['range_port'] = None elif get_state() == 'interface': p_info['current_interface'] = Interface(remove_quote(p[2]), None, None, []) p_info['interface_list'].append([p_info['current_interface'], None]) elif get_state() == 'zone': p_info['zone_list'][remove_quote(p[2])] = [] p_info['current_zone'] = remove_quote(p[2]) elif parsing_route == True: p_info['current_route'].id = int(p[2])
def search_rules(self, rule, operator, action, tree_path): """Deep search option. Reparse all rules corresponding to the anomaly. Parameters ---------- rule : Rule. The rule to compare operator : Bdd.Operator. The operation to perform action : Bool or None. Filter rules having this action path : the current tested path index_path : the current position of the rule in the current path""" error_rules = deque() parent = tree_path[0] for i in xrange(1, len(tree_path)): if self.cancel: break if isinstance(i, list): error_rules.append( self.search_rules(rule, operator, action, tree_path[i])) acl_list = NetworkGraph.NetworkGraph().get_acl_list( src=parent, dst=tree_path[i][0]) for acl in acl_list: for r in acl.rules: if action and r.action != action: continue if compare_bdd(rule.toBDD(), operator, r.toBDD()): error_rules.append(r) if not error_rules: error_rules.append( Rule(-1, 'probably implicit deny', [], [], [], [], [], False)) return error_rules
def finish(): acls = {} index = 0 for fw in firewalls: acls[fw['name']] = [] for rule in rules: p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['current_rule'].identifier = index index += 1 if rule['action'] == 'accept': p_info['current_rule'].action = Action(True) elif rule['action'] == 'drop': p_info['current_rule'].action = Action(False) p_info['current_rule'].name = rule['name'] if rule['name'] else 'Rule' + str(index) if rule['src']: for s in rule['src']: finish_src(s) for s in rule['dst']: finish_dst(s) for s in rule['services']: finish_serv(s) if len(rule['install']) > 0: for elt in rule['install']: if elt == 'Gateways': for k in acls.keys(): acls[k].append(p_info['current_rule']) elif acls.has_key(elt): acls[elt].append(p_info['current_rule']) fill_unused_obj() for obj in object_dict: if obj['type'] in {'host', 'gateway', 'gateway_cluster', 'network', 'dynamic_net_obj'} and obj.has_key('ipaddr'): fill_obj_dict_netobj(obj) elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'} : fill_obj_dict_serv1(obj) elif obj['type'] in {'other', 'Other'} : if obj.has_key('protocol'): fill_obj_dict_serv2(obj) elif obj['type'] in {'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf'} : fill_obj_dict_serv3(obj) finish_fw(acls) del firewalls[:]
def p_action_reject2(p): '''action_line : DENY SEMI_COLON''' global parsing_level3, current_acl if parsing_level3 == 'policy': p_info['current_policy'].action = Action(False) p_info['rules'].append(p_info['current_policy']) current_acl.rules.append(p_info['current_policy']) p_info['current_policy'] = Rule(0, "", [], [], [], [], [], Action(False)) parsing_level3 = ''
def get_all_flows(self): for flow in self.liststore: current_rule = Rule(None, None, [], [], [], [], [], Action(False)) try: if isinstance(flow[0], str) and len(flow[0]) != 0: current_rule.identifier = int(flow[0]) if isinstance(flow[1], str) and len(flow[1]) != 0: protocols = flow[1].split(',') for protocol in protocols: current_rule.protocol.append(Operator('EQ', Protocol(protocol))) if isinstance(flow[2], str) and len(flow[2]) != 0: ips = flow[2].split(',') for ip in ips: if '/' in ip: mask = ip[ip.index('/')+1:] ip = ip[:ip.index('/')] current_rule.ip_source.append(Operator('EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_source.append(Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[3], str) and len(flow[3]) != 0: ports = flow[3].split(',') for port in ports: current_rule.port_source.append(Operator('EQ', Port(int(port)))) if isinstance(flow[4], str) and len(flow[4]) != 0: ips = flow[4].split(',') for ip in ips: if '/' in ip: mask = ip[ip.index('/')+1:] ip = ip[:ip.index('/')] current_rule.ip_dest.append(Operator('EQ', Ip(ip, self.fromDec2Dotted(int(mask))))) else: current_rule.ip_dest.append(Operator('EQ', Ip(ip, '255.255.255.255'))) if isinstance(flow[5], str) and len(flow[5]) != 0 : ports = flow[5].split(',') for port in ports: current_rule.port_dest.append(Operator('EQ', Port(int(port)))) if flow[6] == 'deny': current_rule.action = Action(False) elif flow[6] == 'accept': current_rule.action = Action(True) except KeyError: print 'error'# self.flows.append(current_rule)
def finish(): p_info['firewall'].dictionnary = dict(object_dict) for k in object_dict: if k not in p_info['used_object']: p_info['firewall'].unused_objects.add(k) if p_info['default_permit_all']: for acl in p_info['firewall'].acl: acl.rules.append( Rule(-1, 'default', [], [], [], [], [], Action(True)))
def get_rule_from_iptable_line(self, rule_line): """ get one iptable line and return a corresponding rule This function need some improvement in order to manage every case """ action = Action(True) if rule_line[0] != "DROP" else Action(False) if rule_line[3] == "anywhere": ip_source = [] else: if "/" not in rule_line[3]: ip_source = [Operator("EQ", Ip(rule_line[3]))] else: ip_source = [ Operator( 'EQ', Ip(rule_line[3].split('/')[0], fromDec2Dotted(int(rule_line[3].split('/')[1])))) ] if rule_line[4] == "anywhere": ip_dest = [] else: if "/" not in rule_line[4]: ip_dest = [Operator("EQ", Ip(rule_line[4]))] else: ip_dest = [ Operator( 'EQ', Ip(rule_line[4].split('/')[0], fromDec2Dotted(int(rule_line[4].split('/')[1])))) ] port_source = [] port_dest = [] protocol = [] if rule_line[1] == "all" else [ Operator("EQ", Protocol(rule_line[1])) ] if len(rule_line) >= 7: if "spt" in rule_line[6]: port_source.append(Operator("EQ", Port(rule_line[6][4:-1]))) elif "dpt" in rule_line[6]: port_dest.append(Operator("EQ", Port(rule_line[6][4:-1]))) elif "multiport" in rule_line: tmp_idx = rule_line.index("multiport") if rule_line[tmp_idx + 1] == "dports": ports_dest_list = rule_line[tmp_idx + 2].split(",") for tmp_port_dest in ports_dest_list: port_dest.append(Operator("EQ", Port(tmp_port_dest))) else: tmp_line = "" for tmp_elem in rule_line: tmp_line += " " + tmp_elem print tmp_line return Rule(0, "", protocol, ip_source, port_source, ip_dest, port_dest, action)
def finish(): acls = {} for rule in rules: p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['current_rule'].identifier = rule['index'] if rule['action'] == 'accept': p_info['current_rule'].action = Action(True) elif rule['action'] == 'drop': p_info['current_rule'].action = Action(False) p_info['current_rule'].name = 'Rule-' + rule['index'] if rule['src']: for s in rule['src']: finish_src(s) for s in rule['dst']: finish_dst(s) for s in rule['services']: finish_serv(s) if acls.has_key(rule['install'][0]): acls[rule['install'][0]].append(p_info['current_rule']) else: acls[rule['install'][0]] = [] acls[rule['install'][0]].append(p_info['current_rule']) fill_unused_obj() for obj in object_dict: if obj['type'] in {'host', 'gateway', 'gateway_cluster', 'network', 'bogus_ip'} : fill_obj_dict_netobj(obj) elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'} : fill_obj_dict_serv1(obj) elif obj['type'] in {'other', 'Other'} : fill_obj_dict_serv2(obj) elif obj['type'] in {'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf'} : fill_obj_dict_serv3(obj) finish_fw(acls) del firewalls[:]
def p_edit_line(p): '''edit_line : EDIT NUMBER | EDIT WORD''' if get_state() == 'policy': p_info['current_rule'] = Rule(int(p[2]), None, [], [], [], [], [], False) p_info['srcintf'] = None p_info['dstintf'] = None elif get_state() in ('address', 'address_group', 'service', 'service_group'): object_dict[remove_quote(p[2])] = [] p_info['current_object'] = remove_quote(p[2]) p_info['range_ip'] = None p_info['range_port'] = None elif get_state() == 'interface': p_info['current_interface'] = Interface(remove_quote(p[2]), None, None, []) p_info['firewall'].interfaces.append(p_info['current_interface'])
def merge_rules(self, list_rules): """ merge a list of rule into a unique rule compose with all the common element of each rules """ protocol_list = [] port_source_list = [] port_dest_list = [] ip_source_list = [] ip_dest_list = [] action_list = [] # collect data for rule in list_rules: protocol_list.append(rule.protocol) port_source_list.append(rule.port_source) ip_source_list.append(rule.ip_source) port_dest_list.append(rule.port_dest) ip_dest_list.append(rule.ip_dest) action_list.append(rule.action) # merge all data protocol_list = self.merge_protocol(protocol_list) port_source_list = self.merge_port(port_source_list) port_dest_list = self.merge_port(port_dest_list) ip_source_list = self.merge_ip(ip_source_list) ip_dest_list = self.merge_ip(ip_dest_list) if protocol_list is None \ or port_source_list is None \ or port_dest_list is None \ or ip_source_list is None \ or ip_dest_list is None: print "Error merging iptables rules" tmp_error = "protocol : OK\n" if protocol_list is None else "protocol : Error\n" tmp_error += "port source : OK\n" if port_source_list is None else "port source : Error\n" tmp_error += "port dest : OK\n" if port_dest_list is None else "port dest : Error\n" tmp_error += "ip source : OK\n" if ip_source_list is None else "ip source : Error\n" tmp_error += "ip dest : OK\n" if ip_dest_list is None else "ip dest : Error\n" print tmp_error return None # create a new rule rule = Rule(self.instance.identifier, "", protocol_list, ip_source_list, port_source_list, ip_dest_list, port_dest_list, action_list[len(action_list) - 1]) self.instance.identifier += 1 return rule
def init(name, raise_on_error=False): object_dict.clear() p_info['firewall'] = Firewall() p_info['firewall'].name = name p_info['firewall'].hostname = ntpath.basename(name) p_info['firewall'].type = 'Cisco Asa' p_info['interface_state'] = False p_info['current_interface'] = None p_info['object_name'] = None p_info['used_object'] = set() p_info['bounded_rules'] = set() p_info['rule_id'] = 0 p_info['rule_list'] = [] p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['index_rule'] = 0 p_info['global_rules'] = [] p_info['raise_on_error'] = raise_on_error
def init(name, raise_on_error=False): object_dict.clear() p_info['firewall'] = Firewall() p_info['firewall'].name = name p_info['firewall'].hostname = ntpath.basename(name) p_info['firewall'].type = 'FortiGate' p_info['srcintf'] = None p_info['dstintf'] = None p_info['used_object'] = set() p_info['bounded_rules'] = set() p_info['current_rule'] = Rule(None, None, [], [], [], [], [], False) p_info['current_interface'] = Interface(None, None, None, []) p_info['current_object'] = None p_info['current_state'] = [] p_info['range_ip'] = None p_info['range_port'] = None p_info['raise_on_error'] = raise_on_error
def finish(): acls = {} index = 0 for fw in firewalls: acls[fw['name']] = [] for rule in rules: p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['current_rule'].identifier = index index += 1 if rule['action'] == 'accept': p_info['current_rule'].action = Action(True) elif rule['action'] == 'drop': p_info['current_rule'].action = Action(False) p_info['current_rule'].name = rule['name'] if rule[ 'name'] else 'Rule' + str(index) if rule['src']: for s in rule['src']: finish_src(s) for s in rule['dst']: finish_dst(s) for s in rule['services']: finish_serv(s) if len(rule['install']) > 0: for elt in rule['install']: if elt == 'Gateways': for k in acls.keys(): acls[k].append(p_info['current_rule']) elif acls.has_key(elt): acls[elt].append(p_info['current_rule']) fill_unused_obj() for obj in object_dict: if obj['type'] in { 'host', 'gateway', 'gateway_cluster', 'network', 'dynamic_net_obj' } and obj.has_key('ipaddr'): fill_obj_dict_netobj(obj) elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'}: fill_obj_dict_serv1(obj) elif obj['type'] in {'other', 'Other'}: if obj.has_key('protocol'): fill_obj_dict_serv2(obj) elif obj['type'] in { 'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf' }: fill_obj_dict_serv3(obj) finish_fw(acls) del firewalls[:]
def _init(vdom): object_dict.clear() p_info['firewall'] = Firewall() p_info['firewall'].name = p_info['name'] p_info['firewall'].hostname = p_info['hostname'] + ('-' + vdom if vdom else '') p_info['firewall'].type = 'Fortinet FortiGate' p_info['vdom'] = vdom p_info['srcintf'] = [] p_info['dstintf'] = [] p_info['used_object'] = set() p_info['bounded_rules'] = set() p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['current_interface'] = Interface(None, None, None, []) p_info['current_object'] = None p_info['range_ip'] = None p_info['range_port'] = None p_info['route_list'] = [] p_info['current_route'] = Route(None, None, None, None, None, 1) p_info['index_route'] = 0
def finish(): # apply default policy for k, v in p_info['default_policy'].items(): for acl in p_info['firewall'].acl: if acl.name == k: acl.rules.append(Rule(-1, 'default', [], [], [], [], [], v)) # bind ACLs # only INPUT, FORWARD and OUTPUT are concerned all_interfaces.list = [] # reset interfaces list acl_input = find_chain_by_name('INPUT') for rule in acl_input.rules: itf_in, _ = get_interface_list(rule.identifier) for itf in itf_in: get_acl(itf, p_info['firewall'], p_info['firewall'], 'INPUT').rules.append(rule) acl_forward = find_chain_by_name('FORWARD') for rule in acl_forward.rules: itf_in, itf_out = get_interface_list(rule.identifier) for itf1 in itf_in: for itf2 in itf_out: if itf1 is not itf2: get_acl(itf1, itf2, p_info['firewall'], 'FORWARD').rules.append(rule) acl_output = find_chain_by_name('OUTPUT') for rule in acl_output.rules: _, itf_out = get_interface_list(rule.identifier) for itf in itf_out: get_acl(p_info['firewall'], itf, p_info['firewall'], 'OUTPUT').rules.append(rule) # detach not default ACL p_info['firewall'].acl = [ a for a in p_info['firewall'].acl if a.name in ('INPUT', 'FORWARD', 'OUTPUT') ] p_info['firewall'].route_list = list(p_info['route_list'])
def finish(): acls = {} for rule in rules: p_info['current_rule'] = Rule(None, None, [], [], [], [], [], Action(False)) p_info['current_rule'].identifier = rule['index'] if rule['action'] == 'accept': p_info['current_rule'].action = Action(True) elif rule['action'] == 'drop': p_info['current_rule'].action = Action(False) p_info['current_rule'].name = 'Rule-' + rule['index'] if rule['src']: for s in rule['src']: finish_src(s) for s in rule['dst']: finish_dst(s) for s in rule['services']: finish_serv(s) if acls.has_key(rule['install'][0]): acls[rule['install'][0]].append(p_info['current_rule']) else: acls[rule['install'][0]] = [] acls[rule['install'][0]].append(p_info['current_rule']) fill_unused_obj() for obj in object_dict: if obj['type'] in { 'host', 'gateway', 'gateway_cluster', 'network', 'bogus_ip' }: fill_obj_dict_netobj(obj) elif obj['type'] in {'udp', 'UDP', 'Udp', 'tcp', 'Tcp', 'TCP'}: fill_obj_dict_serv1(obj) elif obj['type'] in {'other', 'Other'}: fill_obj_dict_serv2(obj) elif obj['type'] in { 'icmp', 'Icmp', 'igmp', 'Igmp', 'Gre', 'gre', 'GRE', 'ospf', 'OSPF', 'Ospf' }: fill_obj_dict_serv3(obj) finish_fw(acls) del firewalls[:]
def update(): p_info['current_rule'] = Rule(p_info['rule_id'], None, [], [], [], [], [], Action(False)) p_info['rule_bind'][p_info['rule_id']] = [None, None]
def p_hyphen_line(p): '''hyphen_line : DBL_HYPHEN''' p_info['rule_list'].append(p_info['current_rule']) p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(False))
def init(): p_info['rule_list'] = [] p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(True))
#! /usr/bin/env python # -*- coding: utf-8 -*- from Parser.ply import yacc from Parser.QueryPathParser.QueryPathLex import tokens from Parser.QueryPathParser.QueryPathLex import lexer from SpringBase.Rule import Rule from SpringBase.Operator import Operator from SpringBase.Protocol import Protocol from SpringBase.Ip import Ip from SpringBase.Port import Port from SpringBase.Action import Action p_info = { 'rule_list': [], 'current_rule': Rule(0, '', [], [], [], [], [], Action(True)), } def init(): p_info['rule_list'] = [] p_info['current_rule'] = Rule(0, '', [], [], [], [], [], Action(True)) def get_query(): p_info['rule_list'].append(p_info['current_rule']) return p_info['rule_list'] def p_lines(p): '''lines : line
def __init__(self, identifier, name, protocol, ip_source, port_source, ip_dest, port_dest, action, translate_address, nat_type, translate_port): Rule.__init__(self, identifier, name, protocol, ip_source, port_source, ip_dest, port_dest, action) self.translate_address = translate_address self.translate_port = translate_port self.nat_type = nat_type
# Use for construct dictionary of object and object group object_dict = {} parsing_route = False parsing_ipsec = False # Use for detect state p_info = { 'firewall_list': [], 'firewall': Firewall(), 'vdom': None, 'name': None, 'hostname': None, 'srcintf': [], 'dstintf': [], 'used_object': set(), 'bounded_rules': set(), 'current_rule': Rule(None, None, [], [], [], [], [], Action(False)), 'current_interface': Interface(None, None, None, []), 'current_object': None, 'current_state': [], 'range_ip': None, 'range_port': None, 'raise_on_error': False, 'use_vdom': False, 'interface_list': [], 'zone_list': {}, 'current_zone': None, 'route_list': [], 'current_route': Route(None, None, None, None, None, 1), 'index_route': 0, }
def update(): p_info['current_rule'] = Rule(None, None, [], [], [], [], [], False) p_info['index_rule'] = len(p_info['rule_list'])
zones = [] current_acl = ACL(None) current_iface = Interface(None) current_sub_iface = Interface(None) ifaces = [] # Use for construct dictionary of object and object group object_dict = {} # Use for detect state p_info = { 'firewall': Firewall(), 'current_policy': Rule(0, "", [], [], [], [], [], Action(False)), 'context_policy': Rule(0, "", [], [], [], [], [], Action(False)), 'policy_zone_src': None, 'policy_zone_dst': None, 'current_object': None, 'used_object': set(), 'policy_context': 0, 'index_rule': -1, 'default_permit_all': False, 'raise_on_error': False, 'route_list': [], 'current_route': Route(None, None, None, None, None, 1), 'index_route': 0, 'rules': [], }