def TwoLearningFw(): """ A proxy and two firewalls. This results in a SAT result, i.e. the packet goes through since the proxy is used to send information through""" ctx = components.Context (['a', 'b', 'c', 'd', 'fw1', 'fw2', 'p'],\ ['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f1', 'ip_f2', 'ip_p']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) d = components.EndHost(ctx.d, net, ctx) fw1 = components.AclFirewall(ctx.fw1, net, ctx) fw2 = components.AclFirewall(ctx.fw2, net, ctx) p = components.WebProxy(ctx.p, net, ctx) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (d, ctx.ip_d), \ (fw1, ctx.ip_f1), \ (fw2, ctx.ip_f2), \ (p, ctx.ip_p)]) addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f1, ctx.ip_f2] net.RoutingTable(a, [(x, fw1) for x in addresses]) net.RoutingTable(b, [(x, fw1) for x in addresses]) net.RoutingTable(c, [(x, fw2) for x in addresses]) net.RoutingTable(d, [(x, fw2) for x in addresses]) net.RoutingTable(fw1, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, p), \ (ctx.ip_d, p), \ (ctx.ip_p, p), \ (ctx.ip_f2, p)]) net.RoutingTable(fw2, [(ctx.ip_a, p), \ (ctx.ip_b, p), \ (ctx.ip_c, c), \ (ctx.ip_d, d), \ (ctx.ip_f1, p), \ (ctx.ip_p, p)]) net.RoutingTable(p, [(ctx.ip_a, fw1), \ (ctx.ip_b, fw1), \ (ctx.ip_c, fw2), \ (ctx.ip_d, fw2), \ (ctx.ip_f1, fw1), \ (ctx.ip_f2, fw2)]) fw1.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)]) fw2.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_d, ctx.ip_b)]) net.Attach(a, b, c, d, fw1, fw2, p) endhosts = [a, b, c, d] check = components.PropertyChecker(ctx, net) return (endhosts, check)
def TrivialLbalancer(): ctx = components.Context(['a', 'b', 'f', 'l'], \ ['ip_a', 'ip_b', 'ip_f', 'ip_l']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) l = components.LoadBalancer(ctx.l, net, ctx) f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)]) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (f, ctx.ip_f), \ (l, ctx.ip_l)]) net.RoutingTable(a, [(ctx.ip_a, a), \ (ctx.ip_b, l)]) net.RoutingTable(b, [(ctx.ip_a, l), \ (ctx.ip_b, b)]) net.RoutingTable(l, [(ctx.ip_a, [f, a]), \ (ctx.ip_b, [f, b])]) net.RoutingTable(f, [(ctx.ip_a, a), \ (ctx.ip_b, b)]) net.Attach(a, b, l, f) class TrivialReturn(object): def __init__(self, net, ctx, a, b, l, f): self.net = net self.ctx = ctx self.a = a self.b = b self.l = l self.f = f self.check = components.PropertyChecker(ctx, net) return TrivialReturn(net, ctx, a, b, l, f)
def LSRRFwTriv (sz): assert (sz >= 1) endhosts = ['e0', 'e1'] lsrr_boxes = ['l_%d'%(l) for l in xrange(0, sz)] firewall = ['f'] nodes = list() nodes.extend(endhosts) nodes.extend(lsrr_boxes) nodes.extend(firewall) addresses = ['ip_%s'%(c) for c in nodes] ctx = components.Context(nodes, \ addresses) net = components.Network(ctx) # Register something that tells us about LSRR ip_lsr_field = components.LSRROption ('ip_lsr', ctx) ctx.AddPolicy (ip_lsr_field) e0 = components.EndHost(ctx.e0, net, ctx) e1 = components.EndHost(ctx.e1, net, ctx) ## Yeah I can put this in a list etc., doing it this way mostly for no good reason. #a = components.LSRRRouter (ctx.a, ip_lsr_field, net, ctx) #b = components.LSRRRouter (ctx.b, ip_lsr_field, net, ctx) lsrrs = [components.LSRRRouter (getattr(ctx, n), ip_lsr_field, net, ctx) for n in lsrr_boxes] lsrr_addresses = [getattr(ctx, 'ip_%s'%(l.z3Node)) for l in lsrrs] f = components.AclFirewall (ctx.f, net, ctx) address_mappings = [(e0, ctx.ip_e0), \ (e1, ctx.ip_e1), \ (f, ctx.ip_f)] lsrr_address_mappings = zip(lsrrs, lsrr_addresses) address_mappings.extend(lsrr_address_mappings) net.setAddressMappings(address_mappings) routing_table_base = zip(lsrr_addresses, lsrrs) routing_table_base.append((ctx.ip_e0, e0)) net.SetGateway(e1, f) f.AddAcls([(ctx.ip_e0, ctx.ip_e1)]) f.AddAcls([(a, ctx.ip_e1) for a in lsrr_addresses[:-1]]) f_routing_table = list(routing_table_base) f_routing_table.append((ctx.ip_e1, e1)) net.RoutingTable(f, f_routing_table) routing_table_base.append((ctx.ip_e1, f)) net.RoutingTable(e0, routing_table_base) for l in lsrrs: net.RoutingTable(l, routing_table_base) net.Attach(e0, e1, f, *lsrrs) class LSRRReturn (object): def __init__ (self, net, ctx, e0, e1, f, lsrrs): self.net = net self.ctx = ctx self.e0 = e0 self.e1 = e1 self.f = f self.lsrrs = lsrrs self.check = components.PropertyChecker (ctx, net) return LSRRReturn (net, ctx, e0, e1, f, lsrrs)
def AclProxyMultiFw (): """This is really just a version of ErroneousProxyMultiFw with AclFirewall. As shown by that function there really isn't a way to violate isolation here. Here by using something that is path independent we can prove things without really having to deal with any of the other things""" ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \ ['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) p = components.AclWebProxy(ctx.p, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) net.SetIsolationConstraint (a, [p]) net.SetIsolationConstraint (b, [p]) net.SetIsolationConstraint (p, [a, b, f]) p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)]) f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)]) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (p, ctx.ip_p), \ (f, ctx.ip_f)]) net.RoutingTable(a, [(ctx.ip_a, a), \ (ctx.ip_b, p), \ (ctx.ip_c, p), \ (ctx.ip_p, p)]) net.RoutingTable(b, [(ctx.ip_a, p), \ (ctx.ip_b, b), \ (ctx.ip_c, p), \ (ctx.ip_p, p)]) net.RoutingTable(f, [(ctx.ip_a, p), \ (ctx.ip_b, p), \ (ctx.ip_c, c), \ (ctx.ip_p, p)]) net.RoutingTable(c, [(ctx.ip_a, f), \ (ctx.ip_b, f), \ (ctx.ip_c, c), \ (ctx.ip_p, f)]) net.RoutingTable(p, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, f), \ (ctx.ip_p, p)]) net.Attach(a, b, c, p, f) class TrivialReturn (object): def __init__ (self, net, ctx, a, b, c, p, f): self.net = net self.ctx = ctx self.a = a self.b = b self.c = c self.p = p self.f = f self.check = components.PropertyChecker (ctx, net) return TrivialReturn (net, ctx, a, b, c, p, f)
def NumNodesTest(size): fws = ['f_%d' % (f) for f in xrange(0, size)] # Start with 4 end hosts end_hosts = ['e_%d' % (e) for e in xrange(2)] all_nodes = [] all_nodes.extend(end_hosts) all_nodes.extend(fws) addresses = ['ip_%s' % (n) for n in all_nodes] ctx = components.Context(all_nodes, addresses) net = components.Network(ctx) end_hosts = [ components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts ] firewalls = [ components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws ] [e0, e1] = end_hosts all_node_objects = [] all_node_objects.extend(end_hosts) all_node_objects.extend(firewalls) addresses = [getattr(ctx, ad) for ad in addresses] address_mappings = [(ob, ad) for (ob, ad) in zip(all_node_objects, addresses)] net.setAddressMappings(address_mappings) # This is a test that can be used for both positive and negative testing; one pair # of endhosts are allowed to send the other isn't acl_policy = [(ctx.ip_e_0, ctx.ip_e_1), (ctx.ip_e_1, ctx.ip_e_0)] for fw in firewalls: fw.AddAcls(acl_policy) """Topology f0 / \ e0 e1""" routing_table = [(ctx.ip_e_0, e0), \ (ctx.ip_e_1, e1)] net.RoutingTable(firewalls[0], routing_table) for e in end_hosts: routing_table = [(ctx.ip_e_0, firewalls[0] if e != e0 else e0), \ (ctx.ip_e_1, firewalls[0] if e != e1 else e1)] net.RoutingTable(e, routing_table) net.Attach(*all_node_objects) node_dict = dict(zip(all_nodes, all_node_objects)) class NumFwResult(object): def __init__(self, net, ctx, **nodes): self.net = net self.ctx = ctx for k, v in nodes.iteritems(): setattr(self, k, v) self.check = components.PropertyChecker(ctx, net) return NumFwResult(net, ctx, **node_dict)
def LoadBalancerFw (size): assert(size > 1) firewalls = ['f_%d'%(f) for f in xrange(size)] endhosts = ['e_%d'%(e) for e in xrange(4)] lbalancers = ['l_%d'%(l) for l in xrange(4)] all_nodes = list() all_nodes.extend(firewalls) all_nodes.extend(endhosts) all_nodes.extend(lbalancers) addresses = ['ip_%s'%(n) for n in all_nodes] ctx = components.Context(all_nodes, addresses) net = components.Network(ctx) endhosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in endhosts] [e0, e1, e2, e3] = endhosts firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls] lbalancers = [components.LoadBalancer(getattr(ctx, l), net, ctx) for l in lbalancers] all_node_objects = list() all_node_objects.extend(firewalls) all_node_objects.extend(endhosts) all_node_objects.extend(lbalancers) addresses = [getattr(ctx, a) for a in addresses] address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)] net.setAddressMappings(address_map) for i in xrange(4): net.SetIsolationConstraint(endhosts[i], [lbalancers[i]]) lbalancer_nbr = [endhosts[i]] lbalancer_nbr.extend(firewalls) net.SetIsolationConstraint(lbalancers[i], lbalancer_nbr) lbalancer_routing = [(getattr(ctx, 'ip_%s'%(endhosts[j].z3Node)), firewalls) \ for j in xrange(4) if j != i] lbalancer_routing.append((getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), endhosts[i])) net.RoutingTable(lbalancers[i], lbalancer_routing) fw_routing_table = [(getattr(ctx, 'ip_%s'%(endhosts[i].z3Node)), lbalancers[i]) for i in xrange(4)] for fw in firewalls: net.RoutingTable(fw, fw_routing_table) net.SetIsolationConstraint(fw, lbalancers) fw.AddAcls([(ctx.ip_e_0, ctx.ip_e_1), \ (ctx.ip_e_2, ctx.ip_e_3)]) net.Attach(*all_node_objects) class LoadBalancerFwReturn (object): def __init__ (self, net, ctx, **objdict): self.net = net self.ctx = ctx for k, v in objdict.iteritems(): setattr(self, k, v) self.check = components.PropertyChecker (ctx, net) return LoadBalancerFwReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
def ErroneousProxyMultiFw (): ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \ ['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) p = components.ErroneousAclWebProxy(ctx.p, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) net.SetIsolationConstraint (a, [p]) net.SetIsolationConstraint (b, [p]) net.SetIsolationConstraint (p, [a, b, f]) p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)]) f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)]) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (p, ctx.ip_p), \ (f, ctx.ip_f)]) net.RoutingTable(a, [(ctx.ip_a, a), \ (ctx.ip_b, p), \ (ctx.ip_c, p), \ (ctx.ip_p, p)]) net.RoutingTable(b, [(ctx.ip_a, p), \ (ctx.ip_b, b), \ (ctx.ip_c, p), \ (ctx.ip_p, p)]) net.RoutingTable(f, [(ctx.ip_a, p), \ (ctx.ip_b, p), \ (ctx.ip_c, c), \ (ctx.ip_p, p)]) net.RoutingTable(c, [(ctx.ip_a, f), \ (ctx.ip_b, f), \ (ctx.ip_c, c), \ (ctx.ip_p, f)]) net.RoutingTable(p, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, f), \ (ctx.ip_p, p)]) net.Attach(a, b, c, p, f) class TrivialReturn (object): def __init__ (self, net, ctx, a, b, c, p, f): self.net = net self.ctx = ctx self.a = a self.b = b self.c = c self.p = p self.f = f self.check = components.PropertyChecker (ctx, net) return TrivialReturn (net, ctx, a, b, c, p, f)
def PolicyScaleWithBranch(naddress, nbranches): nodes = ['a', 'b'] firewalls = ['f_%d' % (f) for f in xrange(nbranches)] nodes.extend(firewalls) a_address = ['ip_a%d' % (a) for a in xrange(naddress)] b_address = ['ip_b%d' % (b) for b in xrange(naddress)] firewall_addresses = ['ip_%s' % (f) for f in firewalls] addresses = list() addresses.extend(firewall_addresses) addresses.extend(a_address) addresses.extend(b_address) ctx = components.Context(nodes, addresses) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) fwalls = [ components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls ] net.SetIsolationConstraint(a, fwalls) net.SetIsolationConstraint(b, fwalls) for f in fwalls: net.SetIsolationConstraint(f, [a, b]) a_addrs = map(lambda ad: getattr(ctx, ad), a_address) b_addrs = map(lambda ad: getattr(ctx, ad), b_address) admappings = zip(fwalls, [getattr(ctx, ad) for ad in firewall_addresses]) admappings.extend([(a, a_addrs), \ (b, b_addrs)]) net.setAddressMappings(admappings) f_routing_table = [(addr, a) for addr in a_addrs] f_routing_table.extend([(addr, b) for addr in b_addrs]) for f in fwalls: net.RoutingTable(f, f_routing_table) acls = list(itertools.product(a_addrs, b_addrs)) for f in fwalls[:-1]: f.AddAcls(acls) fwalls[-1].AddAcls(acls[:-1]) net.Attach(a, b, *fwalls) class TrivialReturn(object): def __init__(self, net, ctx, a, b, f): self.net = net self.ctx = ctx self.a = a self.b = b self.f = f self.check = components.PropertyChecker(ctx, net) return TrivialReturn(net, ctx, a, b, fwalls)
def NumPolicyNodesTest2 (size): fws = ['f_%d'%(f) for f in xrange(0, 1)] # Start with 2 end hosts end_hosts = ['e_%d'%(e) for e in xrange(0, 2)] other_nodes = ['o_%d'%(o) for o in xrange(0, size)] all_nodes = [] all_nodes.extend(end_hosts) all_nodes.extend(fws) all_nodes.extend(other_nodes) all_visible_nodes = [] all_visible_nodes.extend(end_hosts) all_visible_nodes.extend(fws) addresses = ['ip_e_0', 'ip_e_1', 'ip_f_0'] ctx = components.Context(all_nodes, addresses) net = components.Network(ctx) end_hosts = [components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts] firewalls = [components.AclFirewall(getattr(ctx, f), net, ctx) for f in fws] [e0, e1] = end_hosts all_node_objects = [] all_node_objects.extend(end_hosts) all_node_objects.extend(firewalls) addresses = [getattr(ctx, ad) for ad in addresses] address_mappings = [(ob, ad) for (ob, ad) in zip([e0, e1, firewalls[0]], addresses)] net.setAddressMappings(address_mappings) firewalls[0].AddAcls ([(ctx.ip_e_0, ctx.ip_e_1), \ (ctx.ip_e_1, ctx.ip_e_0)]) """Topology e0 e1 \ / d0 """ for e in [end_hosts[0], end_hosts[1]]: net.SetGateway(e, firewalls[0]) #net.SetIsolationConstraint (firewalls[0], end_hosts) routing_table = [(ctx.ip_e_0, e0), \ (ctx.ip_e_1, e1)] net.RoutingTable(firewalls[0], routing_table) net.Attach(*all_node_objects) node_dict = dict(zip(all_visible_nodes, all_node_objects)) class NumPolicyResult (object): def __init__ (self, net, ctx, **nodes): self.net = net self.ctx = ctx for k, v in nodes.iteritems(): setattr(self, k, v) self.participants = nodes.values() self.check = components.PropertyChecker (ctx, net) return NumPolicyResult (net, ctx, **node_dict)
def LinkTraversalScaling(size): firewalls = ['f0', 'f1', 'f2', 'f3'] fw_addresses = ['ip_f0', 'ip_f1', 'ip_f2', 'ip_f3'] assert (size > 2) hosts = ['e%d' % (n) for n in xrange(size)] host_addresses = ['ip_%s' % (h) for h in hosts] nodes = list(firewalls) nodes.extend(hosts) addresses = list(fw_addresses) addresses.extend(host_addresses) ctx = components.Context(nodes, addresses) net = components.Network(ctx) [f0, f1, f2, f3] = [ components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls ] [ip_f0, ip_f1, ip_f2, ip_f3] = [getattr(ctx, f) for f in fw_addresses] hosts = [components.EndHost(getattr(ctx, h), net, ctx) for h in hosts] host_addresses = [getattr(ctx, h) for h in host_addresses] addr_mapping = list(zip(hosts, host_addresses)) addr_mapping.extend([(f0, ip_f0), (f1, ip_f1), (f2, ip_f2), (f3, ip_f3)]) net.setAddressMappings(addr_mapping) endhost_routing = [(h, f0) for h in host_addresses] for h in hosts: net.RoutingTable(h, endhost_routing) f1_f2_routing = [(h, f3) for h in host_addresses] net.RoutingTable(f1, f1_f2_routing) net.RoutingTable(f2, f1_f2_routing) f3_routing = [(a, h) for (a, h) in zip(host_addresses, hosts)] net.RoutingTable(f3, f3_routing) f0_routing = [(a, x) for (a, x) in zip(host_addresses, cycle([f1, f2]))] net.RoutingTable(f0, f0_routing) nodes = list(hosts) nodes.extend([f0, f1, f2, f3]) net.Attach(*nodes) class LinkTraversalReturn(object): def __init__(self, net, ctx, hosts, f0, f1, f2, f3): self.net = net self.ctx = ctx self.f0 = f0 self.f1 = f1 self.f2 = f2 self.f3 = f3 self.hosts = hosts self.check = components.PropertyChecker(ctx, net) return LinkTraversalReturn(net, ctx, hosts, f0, f1, f2, f3)
def LSRRFwTriv(): ctx = components.Context(['e0' , 'e1', 'a', 'b', 'f'], \ ['ip_e0', 'ip_e1', 'ip_a', 'ip_b','ip_f']) net = components.Network(ctx) # Register something that tells us about LSR ip_lsr_field = components.LSRROption('ip_lsr', ctx) ctx.AddPolicy(ip_lsr_field) e0 = components.EndHost(ctx.e0, net, ctx) e1 = components.EndHost(ctx.e1, net, ctx) # Yeah I can put this in a list etc., doing it this way mostly for no good reason. a = components.LSRRRouter(ctx.a, ip_lsr_field, net, ctx) b = components.LSRRRouter(ctx.b, ip_lsr_field, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) net.setAddressMappings([(e0, ctx.ip_e0), \ (e1, ctx.ip_e1), \ (a, ctx.ip_a), \ (b, ctx.ip_b), \ (f, ctx.ip_f)]) net.SetGateway(e0, a) net.SetGateway(e1, b) net.RoutingTable(a, [(ctx.ip_e0, e0), \ (ctx.ip_f, f), \ (ctx.ip_b, f), \ (ctx.ip_e1, f)]) net.RoutingTable(b, [(ctx.ip_e0, f), \ (ctx.ip_f, f), \ (ctx.ip_b, f), \ (ctx.ip_e1, e1)]) net.RoutingTable(f, [(ctx.ip_e0, a), \ (ctx.ip_e1, b), \ (ctx.ip_b, b), \ (ctx.ip_a, a)]) node_dict = {'e0': e0, \ 'e1': e1, \ 'a': a, \ 'b': b, \ 'f': f} net.Attach(*node_dict.values()) class LSRRReturn(object): def __init__(self, net, ctx, **nodes): self.net = net self.ctx = ctx for k, v in nodes.iteritems(): setattr(self, k, v) self.check = components.PropertyChecker(ctx, net) return LSRRReturn(net, ctx, **node_dict)
def AclContentCacheScaleTestFP (endhosts): """ACL content cache test""" nodes = ['cc', 'f', 's0'] nodes.extend(['n_%d'%(i) for i in xrange(0, 2)]) addresses = ['ip_%s'%(n) for n in nodes] addresses.append('ip_cc') addresses.append('ip_f') addresses.append('ip_s0') ctx = components.Context(nodes, addresses) net = components.Network (ctx) hosts = [] for e in ['n_%d'%(i) for i in xrange(0, 2)]: hosts.append(components.EndHost(getattr(ctx, e), net, ctx)) s0 = components.EndHost(ctx.s0, net, ctx) cc = components.AclContentCache(ctx.cc, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) address_mappings = [(getattr(ctx, n), getattr(ctx, 'ip_%s'%(n))) for n in nodes] address_mappings.extend([(ctx.s0, ctx.ip_s0), (ctx.cc, ctx.ip_cc), (ctx.f, ctx.ip_f)]) net.setAddressMappings(address_mappings) addresses = [getattr(ctx, addr) for addr in addresses] for host in hosts: net.RoutingTable(host, [(x, f) for x in addresses]) net.RoutingTable(f, [(x, cc) for x in addresses]) net.RoutingTable(cc, [( getattr(ctx, 'ip_%s'%(n)), getattr(ctx, n)) for n in nodes]) net.RoutingTable(s0, [(x, cc) for x in addresses]) rnodes = list(hosts) rnodes.append(f) rnodes.append(cc) rnodes.append(s0) acls = [(ctx.ip_s0, ctx.ip_n_0)] cc.AddAcls(acls) f.AddAcls(acls) net.Attach(*rnodes) class AclContentCacheReturn (object): def __init__ (self, net, ctx, cc, f, endhosts): self.net = net self.ctx = ctx self.cc = cc self.f = f self.s0 = s0 self.endhosts = endhosts self.check = components.PropertyChecker (ctx, net) return AclContentCacheReturn(net, ctx, cc, f, hosts)
def NodeTraversalTest(): """ACL firewall test""" ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\ ['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) d = components.EndHost(ctx.d, net, ctx) fw = components.AclFirewall(ctx.fw, net, ctx) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (d, ctx.ip_d), \ (fw, ctx.ip_f)]) addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f] net.RoutingTable(a, [(x, fw) for x in addresses]) net.RoutingTable(b, [(x, fw) for x in addresses]) net.RoutingTable(c, [(x, fw) if str(x) != 'ip_a' else (x, a) for x in addresses]) net.RoutingTable(d, [(x, fw) for x in addresses]) #net.SetGateway(a, fw) #net.SetGateway(b, fw) #net.SetGateway(c, fw) #net.SetGateway(d, fw) net.RoutingTable(fw, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, c), \ (ctx.ip_d, d)]) fw.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)]) net.Attach(a, b, c, d, fw) endhosts = [a, b, c, d] class AclFwReturn(object): def __init__(self, net, ctx, a, b, c, d, fw): self.net = net self.ctx = ctx self.a = a self.b = b self.c = c self.d = d self.fw = fw self.check = components.PropertyChecker(ctx, net) return AclFwReturn(net, ctx, a, b, c, d, fw)
def AclContentCacheTest (): """ACL content cache test""" ctx = components.Context (['a', 'b', 'c', 'd', 'cc', 'f'],\ ['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_cc', 'ip_f']) net = components.Network (ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) d = components.EndHost(ctx.d, net, ctx) cc = components.AclContentCache(ctx.cc, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (d, ctx.ip_d), \ (f, ctx.ip_f), \ (cc, ctx.ip_cc)]) addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_cc, ctx.ip_f] net.RoutingTable(a, [(x, f) for x in addresses]) net.RoutingTable(b, [(x, f) for x in addresses]) net.RoutingTable(c, [(x, f) for x in addresses]) net.RoutingTable(d, [(x, f) for x in addresses]) net.RoutingTable(f, [(x, cc) for x in addresses]) net.RoutingTable(cc, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, c), \ (ctx.ip_d, d)]) net.Attach(a, b, c, d, cc) endhosts = [a, b, c, d] f.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)]) cc.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_c, ctx.ip_d)]) net.Attach(a, b, c, d, cc, f) endhosts = [a, b, c, d] class AclContentCacheReturn (object): def __init__ (self, net, ctx, a, b, c, d, cc, f): self.net = net self.ctx = ctx self.a = a self.b = b self.c = c self.d = d self.cc = cc self.f = f self.check = components.PropertyChecker (ctx, net) return AclContentCacheReturn(net, ctx, a, b, c, d, cc, f)
def PolicyScaleNeg(naddress): nodes = ['a', 'b', 'f'] a_address = ['ip_a%d' % (a) for a in xrange(naddress)] b_address = ['ip_b%d' % (b) for b in xrange(naddress)] addresses = ['ip_f'] addresses.extend(a_address) addresses.extend(b_address) ctx = components.Context(nodes, addresses) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) f = components.AclFirewall(ctx.f, net, ctx) net.SetIsolationConstraint(f, [a, b]) net.SetGateway(a, f) net.SetGateway(b, f) a_addrs = map(lambda ad: getattr(ctx, ad), a_address) b_addrs = map(lambda ad: getattr(ctx, ad), b_address) net.setAddressMappings([(a, a_addrs), \ (b, b_addrs), \ (f, ctx.ip_f)]) f_routing_table = [(addr, a) for addr in a_addrs] f_routing_table.extend([(addr, b) for addr in b_addrs]) net.RoutingTable(f, f_routing_table) acls = list(itertools.product(a_addrs, b_addrs)) f.AddAcls(acls) net.Attach(a, b, f) class TrivialReturn(object): def __init__(self, net, ctx, a, b, f): self.net = net self.ctx = ctx self.a = a self.b = b self.f = f self.check = components.PropertyChecker(ctx, net) return TrivialReturn(net, ctx, a, b, f)
def withProxySat(): """ A proxy and a firewall. This results in a SAT result, i.e. the packet goes through since the proxy is used to send information through""" ctx = components.Context (['a', 'b', 'c', 'd', 'fw', 'p'],\ ['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f', 'ip_p']) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) c = components.EndHost(ctx.c, net, ctx) d = components.EndHost(ctx.d, net, ctx) fw = components.AclFirewall(ctx.fw, net, ctx) p = components.WebProxy(ctx.p, net, ctx) net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (c, ctx.ip_c), \ (d, ctx.ip_d), \ (fw, ctx.ip_f), \ (p, ctx.ip_p)]) addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f] net.RoutingTable(a, [(x, fw) for x in addresses]) net.RoutingTable(b, [(x, fw) for x in addresses]) net.RoutingTable(c, [(x, p) for x in addresses]) net.RoutingTable(d, [(x, p) for x in addresses]) net.RoutingTable(fw, [(ctx.ip_a, a), \ (ctx.ip_b, b), \ (ctx.ip_c, p), \ (ctx.ip_d, p), \ (ctx.ip_p, p)]) net.RoutingTable(p, [(ctx.ip_a, fw), \ (ctx.ip_b, fw), \ (ctx.ip_c, c), \ (ctx.ip_d, d), \ (ctx.ip_f, fw)]) fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)]) net.Attach(a, b, c, d, fw, p) endhosts = [a, b, c, d] check = components.PropertyChecker(ctx, net) return (endhosts, check)
def LSRRDenyFwExample(size): left_nodes = ['l_%d' % (l) for l in xrange(size)] right_nodes = ['r_%d' % (r) for r in xrange(size)] end_hosts = ['e0', 'e1'] firewalls = ['f0'] all_nodes = [] all_nodes.extend(left_nodes) all_nodes.extend(right_nodes) all_nodes.extend(end_hosts) all_nodes.extend(firewalls) addresses = ['ip_%s' % (n) for n in all_nodes] ctx = components.Context(all_nodes, addresses) net = components.Network(ctx) # Register something that tells us about LSR ip_lsr_field = components.LSRROption('ip_lsr', ctx) ctx.AddPolicy(ip_lsr_field) end_hosts = [ components.EndHost(getattr(ctx, e), net, ctx) for e in end_hosts ] [e0, e1] = end_hosts firewalls = [ components.AclFirewall(getattr(ctx, f), net, ctx) for f in firewalls ] left_nodes = [ components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx) for l in left_nodes ] right_nodes = [ components.LSRRRouter(getattr(ctx, l), ip_lsr_field, net, ctx) for l in right_nodes ] all_node_objects = [] all_node_objects.extend(left_nodes) all_node_objects.extend(right_nodes) all_node_objects.extend(end_hosts) all_node_objects.extend(firewalls) addresses = [getattr(ctx, a) for a in addresses] address_map = [(o, a) for (o, a) in zip(all_node_objects, addresses)] net.setAddressMappings(address_map) #firewalls[0].AddAcls([(ctx.ip_e0, ctx.ip_e1), \ #(ctx.ip_e1, ctx.ip_e0)]) firewalls[0].AddAcls([(getattr(ctx, 'ip_%s' % (left_nodes[-1].z3Node)), getattr(ctx, 'ip_%s' % (right_nodes[-1].z3Node)))]) e0_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), ol) for ol in left_nodes] e0_routing_table.append((ctx.ip_e1, firewalls[0])) net.RoutingTable(e0, e0_routing_table) left_routing_table = [(getattr(ctx, 'ip_%s' % (orr.z3Node)), firewalls[0]) for orr in right_nodes] left_routing_table.append((ctx.ip_e0, e0)) for ol in left_nodes: net.RoutingTable(ol, left_routing_table) right_routing_table = [(getattr(ctx, 'ip_%s' % (ol.z3Node)), firewalls[0]) for ol in left_nodes] right_routing_table.append((ctx.ip_e1, e1)) for orr in right_nodes: net.RoutingTable(orr, right_routing_table) firewall_routing_table = [(a, o) for (a, o) in zip(addresses, all_node_objects)] net.RoutingTable(firewalls[0], firewall_routing_table) net.Attach(*all_node_objects) class LSRRReturn(object): def __init__(self, net, ctx, **nodes): self.net = net self.ctx = ctx for k, v in nodes.iteritems(): setattr(self, k, v) self.check = components.PropertyChecker(ctx, net) return LSRRReturn(net, ctx, **dict(zip(all_nodes, all_node_objects)))
def IMC(nservers): nodes = ['n%d' % i for i in xrange(nservers)] servers = list(nodes) nodes.append('lb1_o') nodes.append('lb2_o') lbs_out = ['lb1_o', 'lb2_o'] nodes.append('lb1_i') nodes.append('lb2_i') lbs_in = ['lb1_i', 'lb2_i'] nodes.append('dpi1') nodes.append('dpi2') dpis = ['dpi1', 'dpi2'] nodes.append('fw1_o') nodes.append('fw2_o') fws_out = ['fw1_o', 'fw2_o'] nodes.append('fw1_i') nodes.append('fw2_i') fws_in = ['fw1_i', 'fw2_i'] addresses = ['i_%s' % n for n in nodes] ctx = components.Context(nodes, addresses) net = components.Network(ctx) # Make nodes all_nodes = [] servers = [components.EndHost(getattr(ctx, s), net, ctx) for s in servers] all_nodes += servers lbs_out = [components.AllowAll(getattr(ctx, s), net, ctx) for s in lbs_out] all_nodes += lbs_out lbs_in = [components.AllowAll(getattr(ctx, s), net, ctx) for s in lbs_in] all_nodes += lbs_in dpis = [components.AllowAll(getattr(ctx, s), net, ctx) for s in dpis] all_nodes += dpis fws_out = [ components.AclFirewall(getattr(ctx, s), net, ctx) for s in fws_out ] all_nodes += fws_out fws_in = [ components.AclFirewall(getattr(ctx, s), net, ctx) for s in fws_in ] all_nodes += fws_in address_mapping = zip(nodes, addresses) address_mapping = map(lambda (n, a): (getattr(ctx, n), getattr(ctx, a)), \ address_mapping) net.Attach(*all_nodes) net.setAddressMappings(address_mapping) server_addresses = [getattr(ctx, 'i_%s' % s) for s in servers] # Server routing does not need to account for source. server_routing = [] for addr in server_addresses: server_routing.append( (addr, components.not_failed(lbs_out[0]), lbs_out[0])) server_routing.append( (addr, components.failed(lbs_out[0]), lbs_out[1])) for s in servers: net.RoutingTableWithFailure(s, server_routing) lb_out_routing = [] lb_in_routing = [] for (addr, server) in zip(server_addresses, servers): lb_in_routing.append((addr, server)) lb_out_routing.append( (addr, components.not_failed(fws_out[0]), fws_out[0])) lb_out_routing.append( (addr, components.failed(fws_out[0]), fws_out[1])) for lb in lbs_in: net.RoutingTable(lb, lb_in_routing) for lb in lbs_out: net.RoutingTableWithFailure(lb, lb_out_routing) fw_out_routing = [] fw_in_routing = [] dpi_routing = [] for addr in server_addresses: fw_in_routing.append( (addr, components.not_failed(lbs_in[0]), lbs_in[0])) fw_in_routing.append((addr, components.failed(lbs_in[0]), lbs_in[1])) fw_out_routing.append((addr, components.not_failed(dpis[0]), dpis[0])) fw_out_routing.append((addr, components.failed(dpis[0]), dpis[1])) dpi_routing.append((addr, components.failed(fws_in[0]), fws_in[1])) dpi_routing.append((addr, components.not_failed(fws_in[0]), fws_in[0])) for fw in fws_out: net.RoutingTableWithFailure(fw, fw_out_routing) for fw in fws_in: net.RoutingTableWithFailure(fw, fw_in_routing) for dpi in dpis: net.RoutingTableWithFailure(dpi, dpi_routing) class IMCTopo(object): def __init__(self): self.servers = servers self.lbs_out = lbs_out self.lbs_in = lbs_in self.fws_out = fws_out self.fws_in = fws_in self.dpis = dpis self.ctx = ctx self.network = net self.check = components.PropertyChecker(ctx, net) self.addresses = dict([(str(x), y) for (x, y) in address_mapping]) return IMCTopo()
def TrivialPolicyTest(): """This policy test just uses a simple scheme of the following form: A - fw1 - p - fw2 - B C - fw3 / src, dest are strings representing the source and destination between which we want to test isolation between""" nodes = ['A', 'fw1', 'p', 'fw2', 'B', 'C', 'fw3'] addresses = map(lambda n: 'a_%s' % (n), nodes) ctx = components.Context(nodes, addresses) net = components.Network(ctx) nodes_dict = {n: getattr(ctx, n) for n in nodes} address_dict = {a: getattr(ctx, a) for a in addresses} net.setAddressMappings([(nodes_dict[n], address_dict['a_%s' % (n)]) for n in nodes]) # TODO: For now we cheat and just care about only one set. We can deal with several of them later A = components.EndHost(ctx.A, net, ctx) B = components.EndHost(ctx.B, net, ctx) fw1 = components.AclFirewall(ctx.fw1, net, ctx) fw2 = components.AclFirewall(ctx.fw2, net, ctx) p = components.WebProxy(ctx.p, net, ctx) net.SetGateway(A, fw1) net.SetGateway(B, fw2) net.RoutingTable(fw1, [(ctx.a_A, A), (ctx.a_B, p), (ctx.a_p, p), (ctx.a_C, p)]) net.RoutingTable(fw2, [(ctx.a_B, B), (ctx.a_p, p), (ctx.a_A, p), (ctx.a_C, p)]) net.RoutingTable(p, [(ctx.a_B, fw2), (ctx.a_A, fw1)]) fw1.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)]) fw2.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)]) net.SetIsolationConstraint(fw1, [A, p]) net.SetIsolationConstraint(fw2, [B, p]) net.SetIsolationConstraint(p, [fw1, fw2, ctx.fw3]) import z3 n0 = z3.Const('__triv_node_0', ctx.node) n1 = z3.Const('__triv_node_1', ctx.node) p0 = z3.Const('__triv_packet_0', ctx.packet) # This is a part of policy? net.Attach(A, B, fw1, fw2, p) check = components.PropertyChecker(ctx, net) check.AddExternalConstraints( \ z3.ForAll([n0, n1, p0], \ z3.Implies( \ z3.And(ctx.send(n0, n1, p0),\ z3.Or(n0 == ctx.C.z3Node, \ n0 == ctx.fw3.z3Node)), \ z3.Not(ctx.packet.origin(p0) == ctx.A.z3Node)))) check.AddExternalConstraints( \ z3.ForAll([n0, n1, p0], \ z3.Implies( \ z3.And(ctx.send(n0, n1, p0),\ z3.Or(n0 == ctx.C.z3Node, \ n0 == ctx.fw3.z3Node)), \ z3.Not(z3.Or(ctx.packet.src(p0) == ctx.a_A, ctx.packet.src(p0) == ctx.a_B))))) res = check.CheckIsolationProperty(A, B) return res, check, ctx
def permuteTest(other_nodes): main_complex = ['a', 'b', 'm', 'fw'] other_endhosts = ['e%d' % (i) for i in xrange(other_nodes)] other_permboxes = ['m%d' % (i) for i in xrange(other_nodes)] nodes = [] nodes.extend(main_complex) nodes.extend(other_endhosts) nodes.extend(other_permboxes) main_eh_addresses = ['ip_a', 'ip_b'] main_mb_addresses = [ 'ip_m%d' % (i) for i in xrange(0, 2 * other_nodes + 1) ] other_mb_addresses = ['ip_om%d' % (i) for i in xrange(0, other_nodes)] other_eh_addresses = ['ip_%s' % (e) for e in other_endhosts] addresses = ['ip_f'] addresses.extend(main_eh_addresses) addresses.extend(other_eh_addresses) addresses.extend(main_mb_addresses) addresses.extend(other_mb_addresses) ctx = components.Context (nodes,\ addresses) net = components.Network(ctx) a = components.EndHost(ctx.a, net, ctx) b = components.EndHost(ctx.b, net, ctx) main_mb_addresses = map(lambda ad: getattr(ctx, ad), main_mb_addresses) other_eh_addresses = map(lambda ad: getattr(ctx, ad), other_eh_addresses) other_mb_addresses = map(lambda ad: getattr(ctx, ad), other_mb_addresses) main_eh_addresses = map(lambda ad: getattr(ctx, ad), main_eh_addresses) other_addresses = [] other_addresses.extend(other_mb_addresses) other_addresses.extend(other_eh_addresses) other_addresses.append(ctx.ip_a) m = components.PermutationMiddlebox(ctx.m, \ main_mb_addresses, \ other_addresses, \ net, \ ctx) fw = components.AclFirewall(ctx.fw, net, ctx) to_register = [a, b, m, fw] net.setAddressMappings([(a, ctx.ip_a), \ (b, ctx.ip_b), \ (fw, ctx.ip_f), \ (m, main_mb_addresses)]) net.SetGateway(a, m) net.SetGateway(b, fw) other_endhosts = map(lambda eh: getattr(ctx, eh), other_endhosts) other_endhosts_eh = map(lambda eh: components.EndHost(eh, net, ctx), other_endhosts) net.setAddressMappings(zip(other_endhosts_eh, other_eh_addresses)) to_register.extend(other_endhosts_eh) other_permboxes = map(lambda eh: getattr(ctx, eh), other_permboxes) other_pm_alt_addr = [] other_pm_alt_addr.extend(other_eh_addresses) other_pm_alt_addr.extend(main_eh_addresses) other_permbox_addr_zip = zip(other_permboxes, other_mb_addresses) other_permbox_pm = map(lambda(n, a): components.PermutationMiddlebox(n, [a], other_pm_alt_addr, net, ctx), \ other_permbox_addr_zip) net.setAddressMappings(other_permbox_addr_zip) to_register.extend(other_permbox_pm) universal_routing = zip(other_eh_addresses, other_permbox_pm) universal_routing.append((ctx.ip_a, m)) universal_routing.append((ctx.ip_b, m)) for (node, mb) in zip(other_endhosts_eh, other_permbox_pm): net.RoutingTable(mb, universal_routing) net.SetGateway(node, mb) universal_routing = zip(other_eh_addresses, other_permbox_pm) m_routing = [] m_routing.extend(universal_routing) m_routing.extend([(ctx.ip_a, a), (ctx.ip_b, fw)]) net.RoutingTable(m, m_routing) from itertools import repeat f_routing = [] f_routing = zip(other_eh_addresses, repeat(m)) f_routing.extend([(ctx.ip_a, m), (ctx.ip_b, b), (ctx.ip_m0, m)]) net.RoutingTable(fw, f_routing) fw.AddAcls([(ctx.ip_a, ctx.ip_b)]) fw.AddAcls(zip(main_mb_addresses, repeat(ctx.ip_b))) net.Attach(*to_register) class PReturn(object): def __init__(self): self.net = net self.ctx = ctx self.a = a self.b = b self.m = m self.fw = fw self.check = components.PropertyChecker(ctx, net) self.other_mb = other_permbox_pm self.other_eh = other_endhosts_eh return PReturn()