def testNoProtocol(self):
self.naming.GetNetAddr.return_value = TEST_IPS
acl = gce.GCE(
policy.ParsePolicy(GOOD_HEADER_MIXED + GOOD_TERM_NO_PROTOCOL,
self.naming), EXP_INFO)
self.assertIn('all', str(acl))
def test_nsxv_incorrectfiltertype(self):
pol = policy.ParsePolicy(nsxv_mocktest.POLICY_INCORRECT_FILTERTYPE,
self.defs)
self.assertRaises(nsxv.UnsupportedNsxvAccessListError,
nsxv.Nsxv(pol, 2))
def testBadIcmp(self):
acl = windows_advfirewall.WindowsAdvFirewall(
policy.ParsePolicy(GOOD_HEADER_OUT + BAD_TERM_ICMP, self.naming),
EXP_INFO)
self.assertRaises(aclgenerator.UnsupportedFilterError, str, acl)
def testProtocolCase(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_5,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('protocol [ icmp tcp ];' in output, output)
def testTrafficType(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('traffic-type unknown-unicast;' in output, output)
def testIcmpCode(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_35,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('icmp-code [ 3 4 ];' in output, output)
def testProtocolExcept(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_7,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('next-header-except tcp;' in output, output)
def testUnsupportedOptions(self):
pol = policy.ParsePolicy(GOOD_HEADER_1 + UNSUPPORTED_OPTION_TERM,
self.naming)
self.assertRaises(aclgenerator.UnsupportedFilterError,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
def testNextAction(self):
pol = policy.ParsePolicy(GOOD_HEADER_1 + ACTION_NEXT_TERM, self.naming)
self.assertRaises(aclgenerator.UnsupportedFilterError,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
def testNoAddrObj(self):
definitions = naming.Naming()
definitions._ParseLine('NET1 = 10.1.0.0/24', 'networks')
definitions._ParseLine('NET2 = 10.2.0.0/24', 'networks')
definitions._ParseLine('NET3 = 10.3.1.0/24', 'networks')
definitions._ParseLine(' 10.3.2.0/24', 'networks')
definitions._ParseLine('NET4 = 2001:db8:0:aa::/64', 'networks')
definitions._ParseLine(' 2001:db8:0:bb::/64', 'networks')
definitions._ParseLine('NET5 = NET3 NET4', 'networks')
POL = """
header {
target:: paloalto from-zone trust to-zone untrust %s no-addr-obj
}
term rule-1 {
%s
action:: accept
protocol:: tcp
}"""
T = """
source-address:: NET1
destination-address:: NET2 NET3
"""
pol = policy.ParsePolicy(POL % ("inet", T), definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findall(PATH_RULES +
"/entry[@name='rule-1']/source/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual({"10.1.0.0/24"}, addrs, output)
x = paloalto.config.findall(
PATH_RULES + "/entry[@name='rule-1']/destination/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual({"10.2.0.0/24", "10.3.1.0/24", "10.3.2.0/24"}, addrs,
output)
T = """
source-address:: NET4
"""
pol = policy.ParsePolicy(POL % ("inet6", T), definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findall(PATH_RULES +
"/entry[@name='rule-1']/source/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual({"2001:db8:0:aa::/64", "2001:db8:0:bb::/64"}, addrs,
output)
x = paloalto.config.findall(
PATH_RULES + "/entry[@name='rule-1']/destination/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual({"any"}, addrs, output)
T = """
destination-address:: NET5
"""
pol = policy.ParsePolicy(POL % ("mixed", T), definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findall(PATH_RULES +
"/entry[@name='rule-1']/source/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual({"any"}, addrs, output)
x = paloalto.config.findall(
PATH_RULES + "/entry[@name='rule-1']/destination/member")
self.assertTrue(len(x) > 0, output)
addrs = {elem.text for elem in x}
self.assertEqual(
{
"10.3.1.0/24", "10.3.2.0/24", "2001:db8:0:aa::/64",
"2001:db8:0:bb::/64"
}, addrs, output)
POL = """
header {
target:: paloalto from-zone trust to-zone untrust inet no-addr-obj
}
term rule-1 {
source-address:: NET1 NET2
action:: accept
protocol:: tcp
}
header {
target:: paloalto from-zone trust to-zone untrust inet addr-obj
}
term rule-1 {
destination-address:: NET3
action:: accept
protocol:: tcp
}"""
pol = policy.ParsePolicy(POL, definitions)
self.assertRaisesRegex(
paloaltofw.UnsupportedHeaderError,
'^Cannot mix addr-obj and no-addr-obj header '
'option in a single policy file$', paloaltofw.PaloAltoFW, pol,
EXP_INFO)
def testBadICMPv6Type(self):
pol = policy.ParsePolicy(GOOD_HEADER_MIXED + BAD_ICMPV6_TYPE_TERM,
self.naming)
self.assertRaises(paloaltofw.PaloAltoFWBadIcmpTypeError,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
def testPanPorts(self):
POL = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
%s
action:: accept
}"""
T = """
protocol:: udp
destination-port:: NTP
"""
definitions = naming.Naming()
definitions._ParseLine('NTP = 123/tcp 123/udp', 'services')
definitions._ParseLine('DNS = 53/tcp 53/udp', 'services')
pol = policy.ParsePolicy(POL % T, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
name = "service-rule-1-udp"
path = "/entry[@name='%s']/protocol/udp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "123", output)
path = "/entry[@name='%s']/protocol/udp/source-port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertIsNone(x, output)
T = """
protocol:: udp
source-port:: NTP
"""
pol = policy.ParsePolicy(POL % T, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
name = "service-rule-1-udp"
path = "/entry[@name='%s']/protocol/udp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "0-65535", output)
path = "/entry[@name='%s']/protocol/udp/source-port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "123", output)
T = """
protocol:: tcp
source-port:: NTP
destination-port:: NTP DNS
"""
pol = policy.ParsePolicy(POL % T, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
name = "service-rule-1-tcp"
path = "/entry[@name='%s']/protocol/tcp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "53,123", output)
path = "/entry[@name='%s']/protocol/tcp/source-port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "123", output)
T = """
protocol:: tcp
"""
pol = policy.ParsePolicy(POL % T, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
name = "any-tcp"
path = "/entry[@name='%s']/protocol/tcp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "0-65535", output)
path = "/entry[@name='%s']/protocol/tcp/source-port" % name
x = paloalto.config.find(PATH_SERVICE + path)
self.assertIsNone(x, output)
T = """
protocol:: tcp udp
"""
pol = policy.ParsePolicy(POL % T, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
name = "any-tcp"
path = "/entry[@name='%s']/protocol/tcp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "0-65535", output)
name = "any-udp"
path = "/entry[@name='%s']/protocol/udp/port" % name
x = paloalto.config.findtext(PATH_SERVICE + path)
self.assertEqual(x, "0-65535", output)
x = paloalto.config.findall(PATH_RULES +
"/entry[@name='rule-1']/service/member")
services = {elem.text for elem in x}
self.assertEqual({"any-tcp", "any-udp"}, services, output)
def testPanApplication(self):
POL1 = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
action:: accept
}"""
POL2 = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
pan-application:: %s
action:: accept
%s
}"""
APPS = [
{'app1'},
{'app1', 'app2'},
{'app1', 'app2', 'app3'},
]
POL3 = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
pan-application:: web-browsing
action:: accept%s
}"""
T0 = ''
T1 = """
protocol:: tcp
"""
T2 = """
protocol:: tcp
destination-port:: PORT1 PORT2
"""
POL4 = """
header {
target:: paloalto from-zone trust to-zone untrust %s
}
term rule-1 {
pan-application:: web-browsing
action:: accept
protocol:: %s
}"""
POL5 = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
pan-application:: web-browsing
action:: accept
protocol:: icmp
icmp-type:: echo-request
}"""
POL6 = """
header {
target:: paloalto from-zone trust to-zone untrust
}
term rule-1 {
pan-application:: web-browsing
protocol:: tcp icmp
destination-port:: PORT1
action:: accept
}"""
pol = policy.ParsePolicy(POL1, self.naming)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findtext(
PATH_RULES + "/entry[@name='rule-1']/application/member")
self.assertEqual(x, 'any', output)
for i, app in enumerate(APPS):
pol = policy.ParsePolicy(POL2 % (' '.join(app), ''), self.naming)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findall(
PATH_RULES + "/entry[@name='rule-1']/application/member")
apps = {elem.text for elem in x}
self.assertEqual(APPS[i], apps, output)
for i, app in enumerate(APPS):
pol = policy.ParsePolicy(POL2 % (' '.join(app), 'protocol:: tcp'),
self.naming)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findall(
PATH_RULES + "/entry[@name='rule-1']/application/member")
apps = {elem.text for elem in x}
self.assertEqual(APPS[i], apps, output)
pol = policy.ParsePolicy(POL3 % T0, self.naming)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findtext(PATH_RULES +
"/entry[@name='rule-1']/service/member")
self.assertEqual(x, 'application-default', output)
pol = policy.ParsePolicy(POL3 % T1, self.naming)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findtext(PATH_RULES +
"/entry[@name='rule-1']/service/member")
self.assertEqual(x, 'any-tcp', output)
definitions = naming.Naming()
definitions._ParseLine('PORT1 = 8080/tcp', 'services')
definitions._ParseLine('PORT2 = 8081/tcp', 'services')
pol = policy.ParsePolicy(POL3 % T2, definitions)
paloalto = paloaltofw.PaloAltoFW(pol, EXP_INFO)
output = str(paloalto)
x = paloalto.config.findtext(PATH_RULES +
"/entry[@name='rule-1']/service/member")
self.assertEqual(x, 'service-rule-1-tcp', output)
regex = ('^Term rule-1 contains non tcp, udp protocols '
'with pan-application:')
pol = policy.ParsePolicy(POL4 % ('inet', 'tcp icmp'), self.naming)
self.assertRaisesRegex(paloaltofw.UnsupportedFilterError, regex,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
pol = policy.ParsePolicy(POL4 % ('inet6', 'icmpv6'), self.naming)
self.assertRaisesRegex(paloaltofw.UnsupportedFilterError, regex,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
pol = policy.ParsePolicy(POL5, self.naming)
self.assertRaisesRegex(paloaltofw.UnsupportedFilterError, regex,
paloaltofw.PaloAltoFW, pol, EXP_INFO)
self.assertRaisesRegex(
policy.MixedPortandNonPortProtos,
'^Term rule-1 contains mixed uses of protocols '
'with and without port numbers', policy.ParsePolicy, POL6,
definitions)
def testMaxAttribute(self):
self.naming.GetNetAddr.return_value = [nacaddr.IP('10.2.3.4/32')]
pol = policy.ParsePolicy(GOOD_HEADER_MAX_ATTRIBUTE_COUNT + GOOD_TERM_5,
self.naming)
acl = gce.GCE(pol, EXP_INFO)
self.assertIsNotNone(str(acl))
def testHopOptProtocol(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + HOPOPT_TERM,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('protocol hop-by-hop;' in output, output)
def testRoutingInstance(self):
jcl = juniper.Juniper(policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_13, self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('routing-instance EXTERNAL-NAT;' in output, output)
def testDefaultDeny(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + DEFAULT_TERM_1,
self.naming), EXP_INFO)
output = str(jcl)
self.failIf('from {' in output, output)
def testLossPriority(self):
jcl = juniper.Juniper(policy.ParsePolicy(
GOOD_HEADER + GOOD_TERM_14, self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('loss-priority low;' in output, output)
def testHopLimit(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_V6 +
GOOD_TERM_V6_HOP_LIMIT,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('hop-limit 25;' in output, output)
def testForwardingClassExcept(self):
policy_text = GOOD_HEADER + GOOD_TERM_32
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('forwarding-class-except floop;' in output, output)
def testIcmpv6Except(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER_V6 + GOOD_TERM_20_V6,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('next-header-except icmpv6;' in output, output)
def testTrafficClassCount(self):
policy_text = GOOD_HEADER + GOOD_TERM_34
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('traffic-class-count floop;' in output, output)
def testEtherType(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_9,
self.naming), EXP_INFO)
output = str(jcl)
self.failUnless('ether-type arp;' in output, output)
def testFragmentOffset(self):
policy_text = GOOD_HEADER + FRAGOFFSET_TERM
jcl = juniper.Juniper(policy.ParsePolicy(policy_text, self.naming),
EXP_INFO)
output = str(jcl)
self.failUnless('fragment-offset 1-7;' in output, output)
def init_snapshot_from_acl(session,
pol,
definitions,
platform,
filename=None,
snapshot_name=None,
overwrite=False,
extra_args=None):
# type: (Session, Union[str, policy.Policy], Union[str, naming.Naming], str, Optional[str], Optional[str], bool, Optional[Dict[str, Any]]) -> str
"""
Initialize a snapshot containing a single host with the given ACL.
:param session: the Pybatfish session in which the snapshot is created.
:type session: a :py:class:~pybatfish.client.session.Session object
:param pol: a Capirca Policy object, or the path to the Capirca policy file.
:type pol: capirca.lib.policy.Policy or str
:param definitions: a Capirca Naming definitions object, or the path to the
Capirca definitions folder.
:type definitions: capirca.lib.naming.Naming or str
:param platform: the RANCID router.db name for the device platform,
i.e., "cisco-nx", "arista", "f5", or "cisco-xr" for above examples.
See https://www.shrubbery.net/rancid/man/router.db.5.html
:type platform: str
:param filename: name of the configuration file created, 'config' by
default. This is used as the default hostname in Batfish for the created
device.
:type filename: str
:param filename: name of the configuration file created, 'config' by
default.
:type filename: str
:param snapshot_name: name of the snapshot to initialize
:type snapshot_name: str
:param overwrite: whether or not to overwrite an existing snapshot with
the same name.
:type overwrite: bool
:param extra_args: extra arguments to be passed to the parse command
:type extra_args: dict
"""
definitions = _init_definitions(definitions)
if not isinstance(pol, policy.Policy):
with open(pol, 'r') as pol_file:
pol_text = pol_file.read()
pol_dir = os.path.dirname(pol)
# Capirca can optimize ACL outputs, but this is not well-documented.
# Since we will likely be using Batfish to analyze the "raw" Capirca
# config, disable optimization.
optimize = False
pol = policy.ParsePolicy(pol_text,
definitions,
base_dir=pol_dir,
optimize=optimize)
file_text = _get_acl_text(pol, platform)
return session.init_snapshot_from_text(file_text,
filename=filename,
platform=platform,
snapshot_name=snapshot_name,
overwrite=overwrite,
extra_args=extra_args)
def testTTL(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_21,
self.naming), EXP_INFO)
output = str(jcl)
self.assertTrue('ttl 10;' in output)
def test_nsxv_optionkywd(self):
pol = policy.ParsePolicy(nsxv_mocktest.POLICY_OPTION_KYWD, self.defs)
self.assertRaises(nsxv.NsxvAclTermError, str(nsxv.Nsxv(pol, 2)))
def testBuildWarningTokens(self):
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28,
self.naming), EXP_INFO)
st, sst = jcl._BuildTokens()
self.assertEquals(st, SUPPORTED_TOKENS)
self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def RenderFile(input_file, output_directory, definitions,
exp_info, write_files):
"""Render a single file.
Args:
input_file: the name of the input policy file.
output_directory: the directory in which we place the rendered file.
definitions: the definitions from naming.Naming().
exp_info: print a info message when a term is set to expire
in that many weeks.
write_files: a list of file tuples, (output_file, acl_text), to write
"""
logging.debug('rendering file: %s into %s', input_file,
output_directory)
pol = None
jcl = False
acl = False
asacl = False
aacl = False
bacl = False
eacl = False
gca = False
gcefw = False
ips = False
ipt = False
spd = False
nsx = False
pcap_accept = False
pcap_deny = False
pf = False
srx = False
jsl = False
nft = False
win_afw = False
xacl = False
paloalto = False
try:
conf = open(input_file).read()
logging.debug('opened and read %s', input_file)
except IOError as e:
logging.warn('bad file: \n%s', e)
raise
try:
pol = policy.ParsePolicy(
conf, definitions, optimize=FLAGS.optimize,
base_dir=FLAGS.base_directory, shade_check=FLAGS.shade_check)
except policy.ShadingError as e:
logging.warn('shading errors for %s:\n%s', input_file, e)
return
except (policy.Error, naming.Error):
raise ACLParserError('Error parsing policy file %s:\n%s%s' % (
input_file, sys.exc_info()[0], sys.exc_info()[1]))
platforms = set()
for header in pol.headers:
platforms.update(header.platforms)
if 'juniper' in platforms:
jcl = copy.deepcopy(pol)
if 'cisco' in platforms:
acl = copy.deepcopy(pol)
if 'ciscoasa' in platforms:
asacl = copy.deepcopy(pol)
if 'brocade' in platforms:
bacl = copy.deepcopy(pol)
if 'arista' in platforms:
eacl = copy.deepcopy(pol)
if 'aruba' in platforms:
aacl = copy.deepcopy(pol)
if 'ipset' in platforms:
ips = copy.deepcopy(pol)
if 'iptables' in platforms:
ipt = copy.deepcopy(pol)
if 'nsxv' in platforms:
nsx = copy.deepcopy(pol)
if 'packetfilter' in platforms:
pf = copy.deepcopy(pol)
if 'pcap' in platforms:
pcap_accept = copy.deepcopy(pol)
pcap_deny = copy.deepcopy(pol)
if 'speedway' in platforms:
spd = copy.deepcopy(pol)
if 'srx' in platforms:
srx = copy.deepcopy(pol)
if 'srxlo' in platforms:
jsl = copy.deepcopy(pol)
if 'windows_advfirewall' in platforms:
win_afw = copy.deepcopy(pol)
if 'ciscoxr' in platforms:
xacl = copy.deepcopy(pol)
if 'nftables' in platforms:
nft = copy.deepcopy(pol)
if 'gce' in platforms:
gcefw = copy.deepcopy(pol)
if 'paloalto' in platforms:
paloalto = copy.deepcopy(pol)
if 'cloudarmor' in platforms:
gca = copy.deepcopy(pol)
if not output_directory.endswith('/'):
output_directory += '/'
try:
if jcl:
acl_obj = juniper.Juniper(jcl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if srx:
acl_obj = junipersrx.JuniperSRX(srx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if acl:
acl_obj = cisco.Cisco(acl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if asacl:
acl_obj = ciscoasa.CiscoASA(asacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if aacl:
acl_obj = aruba.Aruba(aacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if bacl:
acl_obj = brocade.Brocade(bacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if eacl:
acl_obj = arista.Arista(eacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ips:
acl_obj = ipset.Ipset(ips, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if ipt:
acl_obj = iptables.Iptables(ipt, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nsx:
acl_obj = nsxv.Nsxv(nsx, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if spd:
acl_obj = speedway.Speedway(spd, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pcap_accept:
acl_obj = pcap.PcapFilter(pcap_accept, exp_info)
RenderACL(str(acl_obj), '-accept' + acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pcap_deny:
acl_obj = pcap.PcapFilter(pcap_deny, exp_info, invert=True)
RenderACL(str(acl_obj), '-deny' + acl_obj.SUFFIX, output_directory,
input_file, write_files)
if pf:
acl_obj = packetfilter.PacketFilter(pf, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if win_afw:
acl_obj = windows_advfirewall.WindowsAdvFirewall(win_afw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if jsl:
acl_obj = srxlo.SRXlo(jsl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if xacl:
acl_obj = ciscoxr.CiscoXR(xacl, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if nft:
acl_obj = nftables.Nftables(nft, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if gcefw:
acl_obj = gce.GCE(gcefw, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if paloalto:
acl_obj = paloaltofw.PaloAltoFW(paloalto, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
if gca:
acl_obj = cloudarmor.CloudArmor(gca, exp_info)
RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
input_file, write_files)
# TODO(robankeny) add additional errors.
except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
iptables.Error, speedway.Error, pcap.Error,
aclgenerator.Error, aruba.Error, nftables.Error, gce.Error,
cloudarmor.Error) as e:
raise ACLGeneratorError(
'Error generating target ACL for %s:\n%s' % (input_file, e))
def testIgmpInet6(self):
self.naming.GetNetAddr.return_value = TEST_IPS
acl = gce.GCE(
policy.ParsePolicy(GOOD_HEADER_INET6 + GOOD_TERM_IGMP,
self.naming), EXP_INFO)
self.assertNotIn('2', str(acl))
