def __str__(self): """Render the output of the PF policy into config.""" target = [] pretty_platform = '%s%s' % (self._PLATFORM[0].upper(), self._PLATFORM[1:]) # Create address table. for name in sorted(self.address_book): v4 = sorted([x for x in self.address_book[name] if x.version == 4]) v6 = sorted([x for x in self.address_book[name] if x.version == 6]) entries = ',\\\n'.join(str(x) for x in v4 + v6) target.append('table <%s> {%s}' % (name, entries)) # pylint: disable=unused-variable for (header, filter_name, filter_type, terms) in self.pf_policies: # Add comments for this filter target.append('# %s %s Policy' % (pretty_platform, header.FilterName(self._PLATFORM))) # reformat long text comments, if needed comments = aclgenerator.WrapWords(header.comment, 70) if comments and comments[0]: for line in comments: target.append('# %s' % line) target.append('#') # add the p4 tags target.extend(aclgenerator.AddRepositoryTags('# ')) target.append('# ' + filter_type) # add the terms for term in terms: term_str = str(term) if term_str: target.append(term_str) target.append('') return '\n'.join(target)
def __str__(self): target_header = [] target = [] # add the p4 tags target.extend(aclgenerator.AddRepositoryTags('! ')) for (header, filter_name, filter_list, terms, obj_target) in self.cisco_policies: for filter_type in filter_list: target.extend( self._AppendTargetByFilterType(filter_name, filter_type)) if filter_type == 'object-group': obj_target.AddName(filter_name) # Add the Perforce Id/Date tags, these must come after # remove/re-create of the filter, otherwise config mode doesn't # know where to place these remarks in the configuration. if self.verbose: if filter_type == 'standard' and filter_name.isdigit(): target.extend( aclgenerator.AddRepositoryTags( 'access-list %s remark ' % filter_name, date=False, revision=False)) else: target.extend( aclgenerator.AddRepositoryTags(' remark ', date=False, revision=False)) # add a header comment if one exists for comment in aclgenerator.WrapWords( header.comment, _COMMENT_MAX_WIDTH): for line in comment.split('\n'): if (self._PLATFORM == 'cisco' and filter_type == 'standard' and filter_name.isdigit()): target.append('access-list %s remark %s' % (filter_name, line)) else: target.append(' remark %s' % line) # now add the terms for term in terms: term_str = str(term) if term_str: target.append(term_str) if obj_target.valid: target = [str(obj_target)] + target # ensure that the header is always first target = target_header + target target += ['', 'exit', ''] return '\n'.join(target)
def __str__(self): """Render the output of the JuniperSRX policy into config.""" target = IndentList(self.INDENT) target.append('security {') # ADDRESSBOOK target.extend(self._GenerateAddressBook()) # POLICIES target.IndentAppend(1, '/*') target.extend(aclgenerator.AddRepositoryTags(self.INDENT * 1)) target.IndentAppend(1, '*/') target.IndentAppend(1, 'replace: policies {') for (header, terms, filter_options) in self.srx_policies: if self._NOVERBOSE not in filter_options[4:]: target.IndentAppend(2, '/*') target.extend([ self.INDENT * 2 + line for line in aclgenerator.WrapWords( header.comment, self._MAX_HEADER_COMMENT_LENGTH) ]) target.IndentAppend(2, '*/') # ZONE DIRECTION if filter_options[1] == 'all' and filter_options[3] == 'all': target.IndentAppend(2, 'global {') else: target.IndentAppend( 2, 'from-zone ' + filter_options[1] + ' to-zone ' + filter_options[3] + ' {') # GROUPS if header.apply_groups: target.IndentAppend( 3, JunipersrxList('apply-groups', header.apply_groups)) # GROUPS EXCEPT if header.apply_groups_except: target.IndentAppend( 3, JunipersrxList('apply-groups-except', header.apply_groups_except)) for term in terms: str_result = str(term) if str_result: target.append(str_result) target.IndentAppend(2, '}') target.IndentAppend(1, '}') target.append('}') # APPLICATIONS target.extend(self._GenerateApplications()) return '\n'.join(target)
def __str__(self): target = [] pretty_platform = '%s%s' % (self._PLATFORM[0].upper(), self._PLATFORM[1:]) if self._RENDER_PREFIX: target.append(self._RENDER_PREFIX) for (header, filter_name, filter_type, default_action, terms) in self.iptables_policies: # Add comments for this filter target.append('# %s %s Policy' % (pretty_platform, header.FilterName(self._PLATFORM))) # reformat long text comments, if needed comments = aclgenerator.WrapWords(header.comment, 70) if comments and comments[0]: for line in comments: target.append('# %s' % line) target.append('#') # add the p4 tags target.extend(aclgenerator.AddRepositoryTags('# ')) target.append('# ' + filter_type) if filter_name in self._GOOD_FILTERS: if default_action: target.append(self._DEFAULTACTION_FORMAT % (filter_name, default_action)) elif self._PLATFORM == 'speedway': # always specify the default filter states for speedway, # if default action policy not specified for iptables, do nothing. target.append(self._DEFAULTACTION_FORMAT % (filter_name, self._DEFAULT_ACTION)) else: # Custom chains have no concept of default policy. target.append(self._DEFAULTACTION_FORMAT_CUSTOM_CHAIN % filter_name) # add the terms for term in terms: term_str = str(term) if term_str: target.append(term_str) if self._RENDER_SUFFIX: target.append(self._RENDER_SUFFIX) target.append('') return '\n'.join(target)
def __str__(self): target = [] pretty_platform = '%s%s' % (self._PLATFORM[0].upper(), self._PLATFORM[1:]) if self._RENDER_PREFIX: target.append(self._RENDER_PREFIX) for header, _, filter_type, default_action, terms in self.windows_policies: # Add comments for this filter target.append(': %s %s Policy' % (pretty_platform, header.FilterName(self._PLATFORM))) self._HandlePolicyHeader(header, target) # reformat long text comments, if needed comments = aclgenerator.WrapWords(header.comment, 70) if comments and comments[0]: for line in comments: target.append(': %s' % line) target.append(':') # add the p4 tags target.extend(aclgenerator.AddRepositoryTags(': ')) target.append(': ' + filter_type) if default_action: raise aclgenerator.UnsupportedTargetOptionError( 'Windows generator does not support default actions') # add the terms for term in terms: term_str = str(term) if term_str: target.append(term_str) self._HandleTermFooter(header, term, target) target.append('') return '\n'.join(target)
def __str__(self): # Verify platform specific terms. Skip whole term if platform does not # match. if self.term.platform: if self._PLATFORM not in self.term.platform: return '' if self.term.platform_exclude: if self._PLATFORM in self.term.platform_exclude: return '' ret_str = [] # Don't render icmpv6 protocol terms under inet, or icmp under inet6 if ((self.af == 'inet6' and 'icmp' in self.term.protocol) or (self.af == 'inet' and 'icmpv6' in self.term.protocol)): logging.debug( self.NO_AF_LOG_PROTO.substitute(term=self.term.name, proto=', '.join( self.term.protocol), af=self.af)) return '' # Term verbatim output - this will skip over most normal term # creation code by returning early. Warnings provided in policy.py if self.term.verbatim: for next_verbatim in self.term.verbatim: if next_verbatim[0] == self._PLATFORM: ret_str.append(str(next_verbatim[1])) return '\n'.join(ret_str) # Create a new term self._SetDefaultAction() if self._TERM_FORMAT: ret_str.append(self._TERM_FORMAT.substitute(term=self.term_name)) if self._PREJUMP_FORMAT: ret_str.append( self._PREJUMP_FORMAT.substitute(filter=self.filter, term=self.term_name)) if self.verbose: if self.term.owner: self.term.comment.append('Owner: %s' % self.term.owner) # reformat long comments, if needed # # iptables allows individual comments up to 256 chars. # But our generator will limit a single comment line to < 120, using: # max = 119 - 27 (static chars in comment command) - [length of term name] comment_max_width = 92 - len(self.term_name) if comment_max_width < 40: comment_max_width = 40 comments = aclgenerator.WrapWords(self.term.comment, comment_max_width) # append comments to output if comments and comments[0]: for line in comments: if not line: continue # iptables-restore does not like 0-length comments. # term comments # Strip out quotes as iptables cant have nested quotes ret_str.append( self._COMMENT_FORMAT.substitute( filter=self.filter, term=self.term_name, comment=str(line).replace('\"', ''))) # Unsupported configuration; in the case of 'accept' or 'next', we # skip the rule. In other cases, we blow up (raise an exception) # to ensure that this is not considered valid configuration. if self.term.source_prefix or self.term.destination_prefix: if str(self.term.action[0]) not in set(['accept', 'next']): raise UnsupportedFilterError( '%s %s %s %s %s %s %s %s' % ('\nTerm', self.term.name, 'has action', str(self.term.action[0]), 'with source_prefix or destination_prefix,', ' which is unsupported in', self._PLATFORM, 'iptables output.')) return ('# skipped %s due to source or destination prefix rule' % self.term.name) # protocol if self.term.protocol: protocol = self.term.protocol else: protocol = ['all'] if 'hopopt' in protocol and self.af == 'inet': logging.warning('Term %s is using hopopt in IPv4 context.', self.term_name) return '' (term_saddr, exclude_saddr, term_daddr, exclude_daddr) = self._CalculateAddresses( self.term.source_address, self.term.source_address_exclude, self.term.destination_address, self.term.destination_address_exclude) if not term_saddr: logging.debug( self.NO_AF_LOG_ADDR.substitute(term=self.term.name, direction='source', af=self.af)) return '' if not term_daddr: logging.debug( self.NO_AF_LOG_ADDR.substitute(term=self.term.name, direction='destination', af=self.af)) return '' # ports source_port = [] destination_port = [] if self.term.source_port: source_port = self.term.source_port if self.term.destination_port: destination_port = self.term.destination_port # icmp-types icmp_types = [''] if self.term.icmp_type: icmp_types = self.NormalizeIcmpTypes(self.term.icmp_type, protocol, self.af) source_interface = '' if self.term.source_interface: source_interface = self.term.source_interface destination_interface = '' if self.term.destination_interface: destination_interface = self.term.destination_interface log_hits = False if self.term.logging: # Iptables sends logs to hosts configured syslog log_hits = True # options tcp_flags = [] tcp_track_options = [] for next_opt in [str(x) for x in self.term.option]: # # Sanity checking and high-ports are added as appropriate in # pre-processing that is done in __str__ within class Iptables. # Option established will add destination port high-ports if protocol # contains only tcp, udp or both. This is done earlier in class Iptables. # if ((next_opt.find('established') == 0 or next_opt.find('tcp-established') == 0) and 'ESTABLISHED' not in [x.strip() for x in self.options]): if next_opt.find( 'tcp-established') == 0 and protocol != ['tcp']: raise TcpEstablishedError('%s %s %s' % ( '\noption tcp-established can only be applied for proto tcp.', '\nError in term:', self.term.name)) if self.trackstate: # Use nf_conntrack to track state -- works with any proto self.options.append('-m state --state ESTABLISHED,RELATED') elif protocol == ['tcp']: # Simple established-only rule for TCP: Must have ACK field # (SYN/ACK or subsequent ACK), or RST and no other flags. tcp_track_options = [(['ACK'], ['ACK']), (['SYN', 'FIN', 'ACK', 'RST'], ['RST'])] # Iterate through flags table, and create list of tcp-flags to append for next_flag in self._TCP_FLAGS_TABLE: if next_opt.find(next_flag) == 0: tcp_flags.append(self._TCP_FLAGS_TABLE.get(next_flag)) if next_opt in self._KNOWN_OPTIONS_MATCHERS: self.options.append(self._KNOWN_OPTIONS_MATCHERS[next_opt]) if self.term.packet_length: # Policy format is "#-#", but iptables format is "#:#" self.options.append('-m length --length %s' % self.term.packet_length.replace('-', ':')) if self.term.fragment_offset: self.options.append('-m u32 --u32 4&0x1FFF=%s' % self.term.fragment_offset.replace('-', ':')) icmp_code = [''] if self.term.icmp_code: icmp_code = self.term.icmp_code for saddr in exclude_saddr: ret_str.extend( self._FormatPart('', saddr, '', '', '', '', '', '', '', '', '', '', '', self._action_table.get('next'))) for daddr in exclude_daddr: ret_str.extend( self._FormatPart('', '', '', daddr, '', '', '', '', '', '', '', '', '', self._action_table.get('next'))) for saddr in term_saddr: for daddr in term_daddr: for icmp in icmp_types: for code in icmp_code: for proto in protocol: for tcp_matcher in tcp_track_options or (([], []), ): ret_str.extend( self._FormatPart( str(proto), saddr, source_port, daddr, destination_port, self.options, tcp_flags, icmp, code, tcp_matcher, source_interface, destination_interface, log_hits, self._action_table.get( str(self.term.action[0])))) if self._POSTJUMP_FORMAT: ret_str.append( self._POSTJUMP_FORMAT.substitute(filter=self.filter, term=self.term_name)) return '\n'.join(str(v) for v in ret_str if v)
def __str__(self): """Render config output from this term object.""" # Verify platform specific terms. Skip whole term if platform does not # match. if self.term.platform: if self._PLATFORM not in self.term.platform: return '' if self.term.platform_exclude: if self._PLATFORM in self.term.platform_exclude: return '' ret_str = [] self._SetDefaultAction() # Create a new term ret_str.append('\n# term %s' % self.term.name) comments = aclgenerator.WrapWords(self.term.comment, 80) # append comments to output if comments and comments[0]: for line in comments: ret_str.append('# %s' % str(line)) if str(self.term.action[0]) not in self._ACTION_TABLE: raise aclgenerator.UnsupportedFilterError( '%s %s %s %s' % ('\n', self.term.name, self.term.action[0], 'action not currently supported.')) if self.direction and str(self.direction) not in self._DIRECTION_TABLE: raise aclgenerator.UnsupportedFilterError( '%s %s %s %s' % ('\n', self.term.name, self.term.direction, 'direction not currently supported.')) # protocol if self.term.protocol: protocol = self.term.protocol else: protocol = [] # source address term_saddrs = self._CheckAddressAf(self.term.source_address) if not term_saddrs: logging.debug( self.NO_AF_LOG_ADDR.substitute(term=self.term.name, direction='source', af=self.af)) return '' term_saddr = self._GenerateAddrStatement( term_saddrs, self.term.source_address_exclude) # destination address term_daddrs = self._CheckAddressAf(self.term.destination_address) if not term_daddrs: logging.debug( self.NO_AF_LOG_ADDR.substitute(term=self.term.name, direction='destination', af=self.af)) return '' term_daddr = self._GenerateAddrStatement( term_daddrs, self.term.destination_address_exclude) # ports source_port = [] destination_port = [] if self.term.source_port: source_port = self._GeneratePortStatement(self.term.source_port) if self.term.destination_port: destination_port = self._GeneratePortStatement( self.term.destination_port) # icmp-type icmp_types = [''] if self.term.icmp_type: if self.af != 'mixed': af = self.af elif protocol == ['icmp']: af = 'inet' elif protocol == ['icmpv6']: af = 'inet6' else: raise aclgenerator.UnsupportedFilterError( '%s %s %s' % ('\n', self.term.name, 'icmp protocol is not defined or not supported.')) icmp_types = self.NormalizeIcmpTypes(self.term.icmp_type, protocol, af) # options tcp_flags_set = [] tcp_flags_check = [] for next_opt in [str(x) for x in self.term.option]: for next_flag in self._TCP_FLAGS_TABLE: if next_opt.find(next_flag) == 0: if protocol != ['tcp']: raise aclgenerator.UnsupportedFilterError( '%s %s %s' % ('\n', self.term.name, 'tcp flags may only be specified with tcp protocol.' )) tcp_flags_set.append(self._TCP_FLAGS_TABLE.get(next_flag)) tcp_flags_check.append( self._TCP_FLAGS_TABLE.get(next_flag)) # If tcp-established is set, override any of the flags above with the # S/SA flags. Issue an error if flags are specified with 'established'. for opt in [str(x) for x in self.term.option]: if opt == 'established' or opt == 'tcp-established': if tcp_flags_set or tcp_flags_check: raise aclgenerator.UnsupportedFilterError( '%s %s %s' % ('\n', self.term.name, 'tcp flags may not be specified with tcp-established.' )) # We need to set 'flags A/A' for established regardless of whether or # not we're stateful: # - if we stateful, the default is 'flags S/SA' which prevent writing # rules for reply packets. # - if we're stateless, this is the only way to do it. if not protocol or 'tcp' in protocol: tcp_flags_set.append(self._TCP_FLAGS_TABLE.get('ack')) tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('ack')) # The default behavior of pf is 'keep state flags S/SA'. If we're not # stateless, and if flags have not been specified explicitly via options, # append that here. Note that pf allows appending flags for udp and icmp; # they are just ignored, as long as TCP is in the proto. This lets you # doing things like 'proto { tcp udp icmp } flags S/SA' and have the flags # only applied to the tcp bits that match. However, the policy description # language prohibits setting flags on non-TCP, since it doesn't make sense # on all platforms. if ((not protocol or protocol == ['tcp']) and self.stateful and not tcp_flags_set and not tcp_flags_check): tcp_flags_set.append(self._TCP_FLAGS_TABLE.get('syn')) tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('syn')) tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('ack')) ret_str.extend( self._FormatPart( self.term.action[0], self.direction, self.term.logging, self.af, protocol, term_saddr, source_port, term_daddr, destination_port, tcp_flags_set, tcp_flags_check, icmp_types, self.options, self.stateful, )) return '\n'.join(str(v) for v in ret_str if v is not '')
def __str__(self): """Render config output from this term object.""" # Verify platform specific terms. Skip whole term if platform does not # match. if self.term.platform: if 'srx' not in self.term.platform: return '' if self.term.platform_exclude: if 'srx' in self.term.platform_exclude: return '' ret_str = IndentList(JuniperSRX.INDENT) # COMMENTS comment_max_width = 68 if self.term.owner and self.verbose: self.term.comment.append('Owner: %s' % self.term.owner) comments = aclgenerator.WrapWords(self.term.comment, comment_max_width) if comments and comments[0] and self.verbose: ret_str.IndentAppend(3, '/*') for line in comments: ret_str.IndentAppend(3, line) ret_str.IndentAppend(3, '*/') ret_str.IndentAppend(3, 'policy ' + self.term.name + ' {') ret_str.IndentAppend(4, 'match {') # SOURCE-ADDRESS if self.term.source_address: saddr_check = set() for saddr in self.term.source_address: saddr_check.add(saddr.parent_token) saddr_check = sorted(saddr_check) ret_str.IndentAppend(5, JunipersrxList('source-address', saddr_check)) else: ret_str.IndentAppend(5, 'source-address any;') # DESTINATION-ADDRESS if self.term.destination_address: daddr_check = [] for daddr in self.term.destination_address: daddr_check.append(daddr.parent_token) daddr_check = set(daddr_check) daddr_check = list(daddr_check) daddr_check.sort() ret_str.IndentAppend( 5, JunipersrxList('destination-address', daddr_check)) else: ret_str.IndentAppend(5, 'destination-address any;') # APPLICATION if (not self.term.source_port and not self.term.destination_port and not self.term.icmp_type and not self.term.protocol): ret_str.IndentAppend(5, 'application any;') else: if hasattr(self.term, 'replacement_application_name'): ret_str.IndentAppend( 5, 'application ' + self.term.replacement_application_name + '-app;') else: ret_str.IndentAppend(5, 'application ' + self.term.name + '-app;') # DSCP MATCH if self.term.dscp_match: ret_str.IndentAppend(5, JunipersrxList('dscp', self.term.dscp_match)) # DSCP EXCEPT if self.term.dscp_except: ret_str.IndentAppend( 5, JunipersrxList('dscp-except', self.term.dscp_except)) ret_str.IndentAppend(4, '}') # ACTIONS for action in self.term.action: ret_str.IndentAppend(4, 'then {') # VPN target can be only specified when ACTION is accept if str(action) == 'accept' and self.term.vpn: ret_str.IndentAppend(5, self.ACTIONS.get(str(action)) + ' {') ret_str.IndentAppend(6, 'tunnel {') ret_str.IndentAppend(7, 'ipsec-vpn %s;' % self.term.vpn[0]) if self.term.vpn[1]: ret_str.IndentAppend(7, 'pair-policy %s;' % self.term.vpn[1]) ret_str.IndentAppend(6, '}') ret_str.IndentAppend(5, '}') else: ret_str.IndentAppend(5, self.ACTIONS.get(str(action)) + ';') # DSCP SET if self.term.dscp_set: ret_str.IndentAppend(5, 'dscp ' + self.term.dscp_set + ';') # LOGGING if self.term.logging: ret_str.IndentAppend(5, 'log {') ret_str.IndentAppend(6, 'session-init;') for log_target in self.term.logging: if str(log_target) == 'log-both': ret_str.IndentAppend(6, 'session-close;') ret_str.IndentAppend(5, '}') ret_str.IndentAppend(4, '}') ret_str.IndentAppend(3, '}') return '\n'.join(ret_str)
def __str__(self): # Verify platform specific terms. Skip whole term if platform does not # match. if self.term.platform: if self.platform not in self.term.platform: return '' if self.term.platform_exclude: if self.platform in self.term.platform_exclude: return '' source_address_set = set() destination_address_set = set() ret_str = ['\n'] if self.verbose: ret_str.append(' remark %s' % self.term.name) comments = aclgenerator.WrapWords(self.term.comment, _COMMENT_MAX_WIDTH) if comments and comments[0]: for comment in comments: ret_str.append(' remark %s' % str(comment)) # Term verbatim output - this will skip over normal term creation # code by returning early. Warnings provided in policy.py. if self.term.verbatim: for next_verbatim in self.term.verbatim: if next_verbatim[0] == self.platform: ret_str.append(str(next_verbatim[1])) return '\n'.join(ret_str) # protocol if not self.term.protocol: protocol = ['ip'] else: protocol = [ proto if proto in self.ALLOWED_PROTO_STRINGS else self.PROTO_MAP.get(proto) for proto in self.term.protocol ] # addresses source_address = self.term.source_address if not self.term.source_address: source_address = [nacaddr.IPv4('0.0.0.0/0', token='any')] source_address_set.add(source_address[0].parent_token) destination_address = self.term.destination_address if not self.term.destination_address: destination_address = [nacaddr.IPv4('0.0.0.0/0', token='any')] destination_address_set.add(destination_address[0].parent_token) # ports source_port = [()] destination_port = [()] if self.term.source_port: source_port = self.term.source_port if self.term.destination_port: destination_port = self.term.destination_port for saddr in source_address_set: for daddr in destination_address_set: for sport in source_port: for dport in destination_port: for proto in protocol: ret_str.append( self._TermletToStr( _ACTION_TABLE.get(str( self.term.action[0])), proto, saddr, sport, daddr, dport)) return '\n'.join(ret_str)
def __str__(self): # Verify platform specific terms. Skip whole term if platform does not # match. if self.term.platform: if self.platform not in self.term.platform: return '' if self.term.platform_exclude: if self.platform in self.term.platform_exclude: return '' ret_str = [] # Term verbatim output - this will skip over normal term creation # code by returning early. Warnings provided in policy.py. if self.term.verbatim: for next_verbatim in self.term.verbatim: if next_verbatim[0] == self.platform: ret_str.append(str(next_verbatim[1])) return '\n'.join(ret_str) v4_addresses = [ x for x in self.term.address if not isinstance(x, nacaddr.IPv6) ] if self.filter_name.isdigit(): if self.verbose: ret_str.append('access-list %s remark %s' % (self.filter_name, self.term.name)) comments = aclgenerator.WrapWords(self.term.comment, _COMMENT_MAX_WIDTH) for comment in comments: ret_str.append('access-list %s remark %s' % (self.filter_name, comment)) action = _ACTION_TABLE.get(str(self.term.action[0])) if v4_addresses: for addr in v4_addresses: if addr.prefixlen == 32: ret_str.append( 'access-list %s %s %s%s%s' % (self.filter_name, action, addr.network_address, self.logstring, self.dscpstring)) else: ret_str.append( 'access-list %s %s %s %s%s%s' % (self.filter_name, action, addr.network_address, addr.hostmask, self.logstring, self.dscpstring)) else: ret_str.append('access-list %s %s %s%s%s' % (self.filter_name, action, 'any', self.logstring, self.dscpstring)) else: if self.verbose: ret_str.append(' remark ' + self.term.name) comments = aclgenerator.WrapWords(self.term.comment, _COMMENT_MAX_WIDTH) if comments and comments[0]: for comment in comments: ret_str.append(' remark ' + str(comment)) action = _ACTION_TABLE.get(str(self.term.action[0])) if v4_addresses: for addr in v4_addresses: if addr.prefixlen == 32: ret_str.append(' %s host %s%s%s' % (action, addr.network_address, self.logstring, self.dscpstring)) elif self.platform == 'arista': ret_str.append( ' %s %s/%s%s%s' % (action, addr.network_address, addr.prefixlen, self.logstring, self.dscpstring)) else: ret_str.append( ' %s %s %s%s%s' % (action, addr.network_address, addr.hostmask, self.logstring, self.dscpstring)) else: ret_str.append( ' %s %s%s%s' % (action, 'any', self.logstring, self.dscpstring)) return '\n'.join(ret_str)
def __str__(self): netdestinations = [] ret_str = [] term_af = self.AF_MAP.get(self.filter_type) if self.term.verbatim: for next_verbatim in self.term.verbatim: if next_verbatim[0] == _PLATFORM and next_verbatim[1]: ret_str.append('%s%s' % (self._IDENT, next_verbatim[1])) return '\n'.join(t for t in ret_str if t) comments = self.term.comment[:] if self.term.owner: comments.append('Owner: %s' % self.term.owner) if comments: for line in aclgenerator.WrapWords(comments, self._COMMENT_LINE_LENGTH): ret_str.append('%s%s %s' % (self._IDENT, _COMMENT_MARKER, line)) src_addr_token = '' dst_addr_token = '' if self._SOURCE_IS_USER_OPT_STR in self.term.option: src_addr_token = self._USER_STR else: if self.term.source_address: src_addr = self.term.GetAddressOfVersion( 'source_address', term_af) if not src_addr: return '' src_netdest_id = '%s%s' % (self.term.name.lower(), self._SRC_NETDEST_SUF) src_addr_token = '%s %s' % (self._ALIAS_STR, src_netdest_id) netdestinations.append( self._GenerateNetdest(src_netdest_id, src_addr, term_af)) else: src_addr_token = self._ANY_STR if self._DESTINATION_IS_USER_OPT_STR in self.term.option: dst_addr_token = self._USER_STR else: if self.term.destination_address: dst_addr = self.term.GetAddressOfVersion( 'destination_address', term_af) if not dst_addr: return '' dst_netdest_id = '%s%s' % (self.term.name.lower(), self._DST_NETDEST_SUF) dst_addr_token = '%s %s' % (self._ALIAS_STR, dst_netdest_id) netdestinations.append( self._GenerateNetdest(dst_netdest_id, dst_addr, term_af)) else: dst_addr_token = self._ANY_STR dst_protocol_list = [] if self.term.protocol: dst_protocol_list = self._GeneratePortTokens( self.term.protocol, self.term.destination_port) else: dst_protocol_list = [self._ANY_STR] for dst_port in dst_protocol_list: str_tok = [' '] if self._NEGATE_OPT_STR in self.term.option: str_tok.append(self._NEGATOR) if term_af == 6: str_tok.append(self._IPV6_START_STR) str_tok.append(src_addr_token) str_tok.append(dst_addr_token) str_tok.append(dst_port) str_tok.append(self._ACTIONS.get(self.term.action[0])) ret_str.append(' '.join(t for t in str_tok if t)) self.netdestinations = netdestinations return '\n'.join(t for t in ret_str if t)