def testAddressListExcludeCaseSix(self):
  """An IPv4 exclude must leave an IPv6 superset untouched.

  The superset is the IPv4-mapped IPv6 block ::ffff:0.0.0.0/96 and the
  exclude list is all of IPv4 (0.0.0.0/0). The expected result is the
  superset returned unchanged.
  """
  mapped_block = '0::ffff:0.0.0.0/96'
  superset = [nacaddr.IPv6(mapped_block)]
  excludes = [nacaddr.IPv4('0.0.0.0/0')]

  remaining = nacaddr.AddressListExclude(superset, excludes)

  # Policy authors should note the consequence pinned here: excluding an IPv4
  # range does not carve the IPv4-mapped range out of an IPv6 list, so both
  # families have to be excluded explicitly when both matter.
  self.assertListEqual(remaining, [nacaddr.IPv6(mapped_block)])
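def test_token_to_ips(self):
  """Resolving the GOOGLE_DNS token returns its name and expected networks.

  The returned address list is compared as a set, so the order in which
  get_nets() yields the networks does not matter.
  """
  expected_results = [(r'GOOGLE_DNS', [
      nacaddr.IPv4('8.8.4.4/32'),
      nacaddr.IPv4('8.8.8.8/32'),
      nacaddr.IPv6('2001:4860:4860::8844/128'),
      nacaddr.IPv6('2001:4860:4860::8888/128'),
  ])]
  options = Namespace(obj=('GOOGLE_DNS',),)

  results = get_nets(options.obj, self.db)

  # assertEqual replaces the deprecated assertEquals alias, which was removed
  # from unittest in Python 3.12 and would raise AttributeError there.
  self.assertEqual(results[0][0], expected_results[0][0])
  self.assertEqual(set(results[0][1]), set(expected_results[0][1]))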
def testTermAddressByteLength(self):
  """Checks Term.AddressesByteLength for IPv4, IPv6 and the default call.

  The naming mock hands back two IPv4 /32 and two IPv6 /128 networks for
  every lookup; the first term of the first parsed filter is then queried.
  """
  mocked_nets = [
      nacaddr.IPv4('10.0.0.1/32'),
      nacaddr.IPv4('10.0.0.2/32'),
      nacaddr.IPv6('2001:4860:4860::8844/128'),
      nacaddr.IPv6('2001:4860:4860::8888/128'),
  ]
  self.naming.GetNetAddr.return_value = mocked_nets

  parsed = policy.ParsePolicy(HEADER + GOOD_TERM_2, self.naming)
  first_term = parsed.filters[0][1][0]

  # NOTE(review): the list argument looks like an address-family selector
  # (4 / 6); confirm against AddressesByteLength itself.
  self.assertEqual(2, first_term.AddressesByteLength([4]))
  self.assertEqual(8, first_term.AddressesByteLength([6]))
  # With no argument the expected value is the sum of the two results above.
  self.assertEqual(10, first_term.AddressesByteLength())
def testAddressListExcludeCaseOne(self):
  """A covering exclude removes the small block; the unrelated block stays.

  Exercised for IPv4 and IPv6 in the same call.
  """
  kept_v4 = '200.0.0.0/24'
  kept_v6 = '200::/56'
  superset = [
      nacaddr.IPv4(kept_v4),
      nacaddr.IPv4('10.1.0.0/24'),   # inside the 10.0.0.0/8 exclude
      nacaddr.IPv6(kept_v6),
      nacaddr.IPv6('10:1::/56'),     # inside the 10::/16 exclude
  ]
  excludes = [nacaddr.IPv6('10::/16'), nacaddr.IPv4('10.0.0.0/8')]

  remaining = nacaddr.AddressListExclude(superset, excludes)

  self.assertListEqual(remaining,
                       [nacaddr.IPv4(kept_v4), nacaddr.IPv6(kept_v6)])
def __init__(self, term, af):
  """Set up a new nftables term.

  Args:
    term: A policy.Term object.
    af: The capirca address family for the term: "inet", "inet6" or "mixed".

  Raises:
    InvalidAddressFamily: if af is "mixed" (not supported yet) or is not one
      of the recognised families.

  Note: AF of mixed requires kernel 3.15 or higher.
  """
  super(Term, self).__init__(term)
  self.term = term
  self.af = af

  # Reject the unsupported family first, then pick the "match everything"
  # network for the family, and fail closed on anything unrecognised.
  if af == 'mixed':
    # TODO(castagno): Need to add support for a mixed address family
    raise InvalidAddressFamily(
        'Address family mixed is not supported yet')
  if af == 'inet':
    self.all_ips = nacaddr.IPv4('0.0.0.0/0')
    return
  if af == 'inet6':
    self.all_ips = nacaddr.IPv6('::/0')
    return
  raise InvalidAddressFamily('Not a valid address family')
def __init__(self, term, filter_name, filter_action, af='inet'):
  """Set up a new term.

  Args:
    term: A policy.Term object to represent in windows_ipsec.
    filter_name: The name of the filter chain to attach the term to.
    filter_action: The default action of the filter.
    af: Which address family ('inet' or 'inet6') to apply the term to.

  Raises:
    UnsupportedFilterError: Filter is not supported. NOTE(review): nothing in
      this method raises it directly; presumably it comes from the base
      initialiser -- confirm.
  """
  super(Term, self).__init__(term)
  self.term = term                      # term object
  self.filter = filter_name             # actual name of filter
  self.default_action = filter_action
  self.options = []
  self.af = af

  # af is not validated here: every value other than 'inet6' selects the
  # IPv4 "all addresses" network.
  wants_v6 = af == 'inet6'
  self._all_ips = (nacaddr.IPv6('::/0') if wants_v6
                   else nacaddr.IPv4('0.0.0.0/0'))

  # Term name is the first character of the filter name plus the term name.
  self.term_name = '%s_%s' % (self.filter[:1], self.term.name)
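def __init__(self, term, filter_name, trackstate, filter_action, af='inet',
             verbose=True):
  """Set up a new term.

  Args:
    term: A policy.Term object to represent in iptables.
    filter_name: The name of the filter chain to attach the term to.
    trackstate: Specifies if conntrack should be used for new connections.
    filter_action: The default action of the filter.
    af: Which address family ('inet' or 'inet6') to apply the term to.
    verbose: boolean if comments should be printed.

  Raises:
    UnsupportedFilterError: Filter is not supported. NOTE(review): nothing in
      this method raises it directly; presumably it comes from the base
      initialiser -- confirm.
  """
  super(Term, self).__init__(term)
  self.trackstate = trackstate
  self.term = term  # term object
  self.filter = filter_name  # actual name of filter
  self.default_action = filter_action
  self.options = []
  self.af = af
  self.verbose = verbose

  # NOTE(review): _ACTION_TABLE is not assigned anywhere in this method, so it
  # is presumably a class-level dict shared by every Term. Writing 'reject'
  # into it in place would let the most recently constructed term decide the
  # reject target of all the others (an inet term rendered with the ICMPv6
  # reject type, or the reverse). Give each instance its own copy before
  # setting the family-specific entry.
  self._ACTION_TABLE = dict(self._ACTION_TABLE)

  # af is not validated here: every value other than 'inet6' is treated as
  # IPv4.
  if af == 'inet6':
    self._all_ips = nacaddr.IPv6('::/0')
    self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
                                    'icmp6-adm-prohibited')
  else:
    self._all_ips = nacaddr.IPv4('0.0.0.0/0')
    self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
                                    'icmp-host-prohibited')

  # Term name is the first character of the filter name plus the term name.
  self.term_name = '%s_%s' % (self.filter[:1], self.term.name)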
def testMixedAddresses(self):
  """The BING token resolves to one IPv4 and one IPv6 network, in that order.

  The comparison is made twice: once against explicitly typed nacaddr.IPv4 /
  nacaddr.IPv6 objects, and once against objects built with nacaddr.IP so
  that nacaddr picks the address family itself.
  """
  constructor_pairs = (
      (nacaddr.IPv4, nacaddr.IPv6),   # explicit families
      (nacaddr.IP, nacaddr.IP),       # let nacaddr decide v4 or v6
  )
  for build_v4, build_v6 in constructor_pairs:
    self.assertListEqual(
        self.defs.GetNetAddr('BING'),
        [build_v4('10.0.0.0/8'), build_v6('::FFFF:FFFF:FFFF:FFFF')])
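def testBridgeFilterInetType(self):
  """A bridge filter built for this header must not emit the IPv6 address.

  LOCALHOST is recorded (mox) to resolve to both 127.0.0.1 and ::1/128; the
  rendered Juniper config is then checked for the absence of '::1/128'.
  """
  # Record phase: the expected naming lookup and its canned answer.
  self.naming.GetNetAddr('LOCALHOST').AndReturn([nacaddr.IPv4('127.0.0.1'),
                                                 nacaddr.IPv6('::1/128')])
  self.mox.ReplayAll()

  jcl = juniper.Juniper(policy.ParsePolicy(
      GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
  output = str(jcl)

  # assertNotIn replaces the deprecated failIf alias, which was removed from
  # unittest in Python 3.12. The rendered output stays as the failure message.
  self.assertNotIn('::1/128', output, output)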
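def test_token_to_ip_fail(self):
  """The GOOGLE_DNS token must not resolve to addresses it does not contain.

  The token name in the result has to match, while the returned set of
  networks has to differ from the deliberately unrelated addresses below.
  """
  expected_results = [(r'GOOGLE_DNS', [
      nacaddr.IPv4('69.171.239.12/32'),
      nacaddr.IPv6('2a03:2880:fffe:c:face:b00c:0:35/128'),
  ])]
  options = Namespace(obj=('GOOGLE_DNS',),)

  results = get_nets(options.obj, self.db)

  # The network object name should match, but not the IPs contained within.
  # assertEqual / assertNotEqual replace the deprecated assertEquals /
  # assertNotEquals aliases, which were removed from unittest in Python 3.12.
  self.assertEqual(results[0][0], expected_results[0][0])
  self.assertNotEqual(set(results[0][1]), set(expected_results[0][1]))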
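def testBridgeFilterInetType(self):
  """A bridge filter built for this header must not emit the IPv6 address.

  The naming mock answers every lookup with 127.0.0.1 and ::1/128; the
  rendered Juniper config is checked for the absence of '::1/128', and the
  mock is checked to have been queried exactly once, for LOCALHOST.
  """
  self.naming.GetNetAddr.return_value = [
      nacaddr.IPv4('127.0.0.1'),
      nacaddr.IPv6('::1/128'),
  ]

  jcl = juniper.Juniper(policy.ParsePolicy(
      GOOD_HEADER_BRIDGE + GOOD_TERM_12, self.naming), EXP_INFO)
  output = str(jcl)

  # assertNotIn replaces the deprecated failIf alias, which was removed from
  # unittest in Python 3.12. The rendered output stays as the failure message.
  self.assertNotIn('::1/128', output, output)
  self.naming.GetNetAddr.assert_called_once_with('LOCALHOST')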
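def testIPv6IcmpOrder(self):
  """ICMPv6 match elements appear in the expected order in the rule text.

  IPV6_INTERNAL is recorded (mox) to resolve to fd87:6044:ac54:3558::/64; the
  rendered iptables output must contain the source match, then the protocol,
  then the icmp6 module match with its type.
  """
  # Record phase: the expected naming lookup and its canned answer.
  self.naming.GetNetAddr('IPV6_INTERNAL').InAnyOrder().AndReturn(
      [nacaddr.IPv6('fd87:6044:ac54:3558::/64')])
  self.mox.ReplayAll()

  pol = policy.ParsePolicy(IPV6_HEADER_1 + ICMPV6_TERM_1, self.naming)
  acl = iptables.Iptables(pol, EXP_INFO)
  result = str(acl)

  # assertIn replaces the deprecated failUnless alias, which was removed from
  # unittest in Python 3.12.
  self.assertIn(
      '-s fd87:6044:ac54:3558::/64 -p ipv6-icmp -m icmp6'
      ' --icmpv6-type 1', result,
      'incorrect order of ICMPv6 match elements')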
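def testIPv6IcmpOrder(self):
  """ICMPv6 match elements appear in the expected order in the rule text.

  The naming mock resolves to fd87:6044:ac54:3558::/64; the rendered iptables
  output must contain the source match, then the protocol, then the icmp6
  module match with its type. The mock must have been queried exactly once,
  for IPV6_INTERNAL.
  """
  self.naming.GetNetAddr.return_value = [
      nacaddr.IPv6('fd87:6044:ac54:3558::/64')]

  pol = policy.ParsePolicy(IPV6_HEADER_1 + ICMPV6_TERM_1, self.naming)
  acl = iptables.Iptables(pol, EXP_INFO)
  result = str(acl)

  # assertIn replaces the deprecated failUnless alias, which was removed from
  # unittest in Python 3.12.
  self.assertIn('-s fd87:6044:ac54:3558::/64 -p ipv6-icmp -m icmp6'
                ' --icmpv6-type 1', result,
                'incorrect order of ICMPv6 match elements')
  self.naming.GetNetAddr.assert_called_once_with('IPV6_INTERNAL')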
def testCollapsing(self):
  """CollapseAddrList subsumes and supernets networks and merges comments."""
  foo_low = nacaddr.IPv4('1.1.0.0/24', 'foo')
  foo_high = nacaddr.IPv4('1.1.1.0/24', 'foo')
  baz_net = nacaddr.IPv4('1.1.2.0/24', 'baz')
  bare_net = nacaddr.IPv4('1.1.3.0/24')
  outside_net = nacaddr.IPv4('1.1.4.0/24')
  # The covering /22 is deliberately listed last, i.e. the input is not in
  # sorted order: the original intent is that CollapseAddrList sorts the list
  # itself and that the sort goes through nacaddr's own comparison.
  covering_net = nacaddr.IPv4('1.1.0.0/22')

  # Addresses contained in a larger network are subsumed by it.
  collapsed = nacaddr.CollapseAddrList(
      [foo_low, foo_high, baz_net, bare_net, outside_net, covering_net])
  self.assertEqual(len(collapsed), 2)

  # Comments of subsumed networks are merged onto the survivor, and a network
  # that never had a comment does not gain one.
  self.assertListEqual([net.text for net in collapsed], ['foo, baz', ''])
  self.assertListEqual(
      collapsed,
      [nacaddr.IPv4('1.1.0.0/22'), nacaddr.IPv4('1.1.4.0/24')])

  # Two adjacent /24s with the same comment become one /23 with that comment.
  collapsed = nacaddr.CollapseAddrList([foo_low, foo_high])
  self.assertEqual(len(collapsed), 1)
  self.assertEqual(collapsed[0].text, 'foo')
  self.assertListEqual(collapsed, [nacaddr.IPv4('1.1.0.0/23')])

  # The very same object listed twice collapses to a single entry.
  duplicate = nacaddr.IPv4('1.1.1.1/32')
  self.assertListEqual(nacaddr.CollapseAddrList([duplicate, duplicate]),
                       [duplicate])

  # IPv6: the /96 is expected to subsume both longer prefixes.
  v6_inner_a = nacaddr.IPv6('::2001:1/100')
  v6_inner_b = nacaddr.IPv6('::2002:1/120')
  v6_outer = nacaddr.IPv6('::2001:1/96')
  collapsed = nacaddr.CollapseAddrList([v6_inner_a, v6_inner_b, v6_outer])
  self.assertListEqual(collapsed, [v6_outer])
def __init__(self, term, af):
  """Set up a new nftables term.

  Args:
    term: A policy.Term object.
    af: The address family for the term, "inet" or "inet6".
  """
  super(Term, self).__init__(term)
  self.term = term
  self.af = af
  # af is not validated here: every value other than 'inet6' selects the
  # IPv4 "all addresses" network.
  self.all_ips = (nacaddr.IPv6('::/0') if af == 'inet6'
                  else nacaddr.IPv4('0.0.0.0/0'))
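def testNoVerboseV6(self):
  """A non-verbose IPv6 filter collapses addresses and drops comments.

  The naming mock returns 256 IPv6 /64 networks; the rendered Juniper config
  must contain the prefix '2001:db8:1010:90::/61;' and must not contain the
  text 'COMMENT'. Each naming lookup must have happened exactly once.
  """
  # The loop counter is inserted as decimal text into the fourth group of
  # the address, exactly as the original string concatenation did.
  addr_list = [
      nacaddr.IPv6('2001:db8:1010:' + str(octet) + '::64/64')
      for octet in range(0, 256)
  ]
  self.naming.GetNetAddr.return_value = addr_list
  self.naming.GetServiceByProto.return_value = ['25']

  jcl = juniper.Juniper(
      policy.ParsePolicy(
          GOOD_NOVERBOSE_V6_HEADER + GOOD_TERM_1 + GOOD_TERM_COMMENT,
          self.naming), EXP_INFO)
  rendered = str(jcl)

  # assertIn / assertNotIn replace the deprecated failUnless alias, which was
  # removed from unittest in Python 3.12.
  self.assertIn('2001:db8:1010:90::/61;', rendered)
  self.assertNotIn('COMMENT', rendered)

  self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
  self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')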
def testAddressListExcludeCaseThree(self):
  """Excluding both ends of a large block leaves its two middle quarters.

  Exercised for IPv4 (10.0.0.0/8) and IPv6 (10::/16) in the same call; the
  unrelated 200.0.0.0/24 and 200::/56 blocks must pass through unchanged.
  """
  v4_superset = [nacaddr.IPv4('200.0.0.0/24'), nacaddr.IPv4('10.0.0.0/8')]
  v6_superset = [nacaddr.IPv6('200::/56'), nacaddr.IPv6('10::/16')]

  # First and last quarter of each large block.
  v6_excludes = [nacaddr.IPv6('10::/18'), nacaddr.IPv6('10:c000::/18')]
  v4_excludes = [nacaddr.IPv4('10.0.0.0/10'), nacaddr.IPv4('10.192.0.0/10')]

  expected = [
      nacaddr.IPv4('10.64.0.0/10'),
      nacaddr.IPv4('10.128.0.0/10'),
      nacaddr.IPv4('200.0.0.0/24'),
      nacaddr.IPv6('10:4000::/18'),
      nacaddr.IPv6('10:8000::/18'),
      nacaddr.IPv6('200::/56'),
  ]

  remaining = nacaddr.AddressListExclude(v4_superset + v6_superset,
                                         v6_excludes + v4_excludes)
  self.assertListEqual(remaining, expected)
def testInet6Address(self):
  """The BAZ token resolves to its two IPv6 entries, in definition order."""
  expected = [
      nacaddr.IPv6('::FFFF:FFFF:FFFF:FFFF'),
      nacaddr.IPv6('::1/128'),
  ]
  self.assertListEqual(self.defs.GetNetAddr('BAZ'), expected)
def setUp(self):
  """Create one commented IPv4 and one commented IPv6 fixture address."""
  v4_comment = 'The 10 block'
  v6_comment = 'An IPv6 Address'
  self.addr1 = nacaddr.IPv4('10.0.0.0/8', v4_comment)
  # The IPv6 fixture is a full host address written with a /64 prefix length.
  self.addr2 = nacaddr.IPv6(
      'DEAD:BEEF:BABE:FACE:DEAF:FEED:C0DE:F001/64', v6_comment)