def L7FirewallProxy():
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
f = components.HTTPFirewall(ctx.f, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
net.SetIsolationConstraint(a, [p, b])
net.SetIsolationConstraint(b, [p, a])
net.SetIsolationConstraint(c, [f])
net.SetIsolationConstraint(f, [p, c])
net.SetIsolationConstraint(p, [a, b, f])
f.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_c, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.f = f
self.p = p
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, c, p, f)
def AclProxyMultiFw ():
"""This is really just a version of ErroneousProxyMultiFw with AclFirewall. As shown by that function there really isn't a
way to violate isolation here. Here by using something that is path independent we can prove things without really having to deal
with any of the other things"""
ctx = components.Context(['a', 'b', 'c', 'p', 'f'], \
['ip_a', 'ip_b', 'ip_c', 'ip_p', 'ip_f'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
f = components.AclFirewall(ctx.f, net, ctx)
net.SetIsolationConstraint (a, [p])
net.SetIsolationConstraint (b, [p])
net.SetIsolationConstraint (p, [a, b, f])
p.AddAcls([(ctx.ip_a, ctx.ip_b), (ctx.ip_b, ctx.ip_a)])
f.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_a, ctx.ip_c)])
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_b, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, b, c, p, f)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, b, c, p, f)
def FixedL7Proxy(sz):
assert (sz >= 1)
ctx_components = ['a', 's', 'p', 'f']
other_endhosts = ['e%d' % (e) for e in xrange(sz)]
ctx_components.extend(other_endhosts)
ctx_addresses = ['ip_%s' % (n) for n in ctx_components]
ctx = components.Context(ctx_components, \
ctx_addresses)
"""
I f****d up the naming this topology so it actually looks like
A
\
F----P--S
/
E0 .. E1
"""
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
s = components.EndHost(ctx.s, net, ctx)
f = components.HTTPFirewall(ctx.f, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
other_endhosts = [
components.EndHost(getattr(ctx, 'e%d' % (e)), net, ctx)
for e in xrange(sz)
]
net.SetIsolationConstraint(a, [f])
net.SetIsolationConstraint(s, [p])
net.SetIsolationConstraint(p, [s, f])
f.AddAcls([(ctx.ip_a, ctx.ip_s), (ctx.ip_s, ctx.ip_a)])
address_mappings = zip(map(lambda n: getattr(ctx, n), ctx_components),
map(lambda a: getattr(ctx, a), ctx_addresses))
net.setAddressMappings(address_mappings)
host_routing = [(ctx.ip_s, f), \
(ctx.ip_p, f)]
net.RoutingTable(a, host_routing)
for n in other_endhosts:
net.RoutingTable(n, host_routing)
firewall_routing = [(ctx.ip_a, a), \
(ctx.ip_p, p), \
(ctx.ip_s, p)]
firewall_routing.extend([(getattr(ctx, 'ip_%s' % (n.z3Node)), n)
for n in other_endhosts])
net.RoutingTable(f, firewall_routing)
nodes = [a, s, p, f]
nodes.extend(other_endhosts)
net.Attach(*nodes)
class TrivialReturn(object):
def __init__(self, net, ctx, a, s, p, f, others):
self.net = net
self.ctx = ctx
self.a = a
self.s = s
self.f = f
self.p = p
self.others = others
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, s, p, f, other_endhosts)
def L7FirewallProxyScalablePolicy (sz):
assert(sz >= 1)
ctx_components = ['a', 'c', 'p', 'f']
ctx_components.extend(['e%d'%(e) for e in xrange(sz)])
ctx_addresses = ['ip_%s'%(n) for n in ctx_components]
ctx = components.Context(ctx_components, \
ctx_addresses)
"""
I f****d up the naming this topology so it actually looks like
A
\
P----F--C
/
E0 .. E1
"""
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
#b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
f = components.HTTPFirewall(ctx.f, net, ctx)
p = components.AclWebProxy(ctx.p, net, ctx)
net.SetIsolationConstraint (a, [p])
#net.SetIsolationConstraint (b, [p, a])
net.SetIsolationConstraint (c, [f])
net.SetIsolationConstraint (f, [p, c])
#net.SetIsolationConstraint (p, [a, b, f])
f.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_c, ctx.ip_a)])
net.setAddressMappings([(a, ctx.ip_a), \
#(b, ctx.ip_b), \
(c, ctx.ip_c), \
(p, ctx.ip_p), \
(f, ctx.ip_f)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_c, p), \
(ctx.ip_p, p)])
#net.RoutingTable(b, [(ctx.ip_a, a), \
#(ctx.ip_b, b), \
#(ctx.ip_c, p), \
#(ctx.ip_p, p)])
net.RoutingTable(f, [(ctx.ip_a, p), \
(ctx.ip_c, c), \
(ctx.ip_p, p)])
net.RoutingTable(c, [(ctx.ip_a, f), \
(ctx.ip_c, c), \
(ctx.ip_p, f)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_c, f), \
(ctx.ip_p, p)])
net.Attach(a, c, p, f)
class TrivialReturn (object):
def __init__ (self, net, ctx, a, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.c = c
self.f = f
self.p = p
self.check = components.PropertyChecker (ctx, net)
return TrivialReturn (net, ctx, a, c, p, f)