def TrivialProxy():
ctx = components.Context(['a', 'b', 'p'], \
['ip_a', 'ip_b', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(p, ctx.ip_p)])
net.RoutingTable(a, [(ctx.ip_a, a), \
(ctx.ip_b, p), \
(ctx.ip_p, p)])
net.RoutingTable(b, [(ctx.ip_a, p), \
(ctx.ip_b, b), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_p, p)])
net.Attach(a, b, p)
class TrivialReturn(object):
def __init__(self, net, ctx, a, b, p):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.p = p
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, b, p)
def TwoLearningFw():
""" A proxy and two firewalls. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw1', 'fw2', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f1', 'ip_f2', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw1, ctx.ip_f1), \
(fw2, ctx.ip_f2), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f1, ctx.ip_f2]
net.RoutingTable(a, [(x, fw1) for x in addresses])
net.RoutingTable(b, [(x, fw1) for x in addresses])
net.RoutingTable(c, [(x, fw2) for x in addresses])
net.RoutingTable(d, [(x, fw2) for x in addresses])
net.RoutingTable(fw1, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p), \
(ctx.ip_f2, p)])
net.RoutingTable(fw2, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f1, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw1), \
(ctx.ip_b, fw1), \
(ctx.ip_c, fw2), \
(ctx.ip_d, fw2), \
(ctx.ip_f1, fw1), \
(ctx.ip_f2, fw2)])
fw1.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
fw2.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_d, ctx.ip_b)])
net.Attach(a, b, c, d, fw1, fw2, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def withProxySat():
""" A proxy and a firewall. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, p) for x in addresses])
net.RoutingTable(d, [(x, p) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw), \
(ctx.ip_b, fw), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f, fw)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def TrivialPolicyTest():
"""This policy test just uses a simple scheme of the following form:
A - fw1 - p - fw2 - B
C - fw3 /
src, dest are strings representing the source and destination between which we
want to test isolation between"""
nodes = ['A', 'fw1', 'p', 'fw2', 'B', 'C', 'fw3']
addresses = map(lambda n: 'a_%s' % (n), nodes)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
nodes_dict = {n: getattr(ctx, n) for n in nodes}
address_dict = {a: getattr(ctx, a) for a in addresses}
net.setAddressMappings([(nodes_dict[n], address_dict['a_%s' % (n)])
for n in nodes])
# TODO: For now we cheat and just care about only one set. We can deal with several of them later
A = components.EndHost(ctx.A, net, ctx)
B = components.EndHost(ctx.B, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.SetGateway(A, fw1)
net.SetGateway(B, fw2)
net.RoutingTable(fw1, [(ctx.a_A, A), (ctx.a_B, p), (ctx.a_p, p),
(ctx.a_C, p)])
net.RoutingTable(fw2, [(ctx.a_B, B), (ctx.a_p, p), (ctx.a_A, p),
(ctx.a_C, p)])
net.RoutingTable(p, [(ctx.a_B, fw2), (ctx.a_A, fw1)])
fw1.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
fw2.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
net.SetIsolationConstraint(fw1, [A, p])
net.SetIsolationConstraint(fw2, [B, p])
net.SetIsolationConstraint(p, [fw1, fw2, ctx.fw3])
import z3
n0 = z3.Const('__triv_node_0', ctx.node)
n1 = z3.Const('__triv_node_1', ctx.node)
p0 = z3.Const('__triv_packet_0', ctx.packet)
# This is a part of policy?
net.Attach(A, B, fw1, fw2, p)
check = components.PropertyChecker(ctx, net)
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(ctx.packet.origin(p0) == ctx.A.z3Node))))
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(z3.Or(ctx.packet.src(p0) == ctx.a_A, ctx.packet.src(p0) == ctx.a_B)))))
res = check.CheckIsolationProperty(A, B)
return res, check, ctx
def L7FirewallProxyScale(sz):
assert (sz >= 1)
ctx_components = ['a', 's', 'p', 'f']
other_endhosts = ['e%d' % (e) for e in xrange(sz)]
ctx_components.extend(other_endhosts)
ctx_addresses = ['ip_%s' % (n) for n in ctx_components]
ctx = components.Context(ctx_components, \
ctx_addresses)
"""
I f****d up the naming this topology so it actually looks like
A
\
F----P--S
/
E0 .. E1
NOTE NOTE NOTE
In this case F is a proxy, P is a firewall because you know why the hell not
"""
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
s = components.EndHost(ctx.s, net, ctx)
f = components.WebProxy(ctx.f, net, ctx)
p = components.HTTPFirewall(ctx.p, net, ctx)
other_endhosts = [
components.EndHost(getattr(ctx, 'e%d' % (e)), net, ctx)
for e in xrange(sz)
]
net.SetIsolationConstraint(a, [f])
net.SetIsolationConstraint(s, [p])
net.SetIsolationConstraint(p, [s, f])
p.AddAcls([(ctx.ip_a, ctx.ip_s), (ctx.ip_s, ctx.ip_a)])
address_mappings = zip(map(lambda n: getattr(ctx, n), ctx_components),
map(lambda a: getattr(ctx, a), ctx_addresses))
net.setAddressMappings(address_mappings)
host_routing = [(ctx.ip_s, f), \
(ctx.ip_p, f)]
net.RoutingTable(a, host_routing)
for n in other_endhosts:
net.RoutingTable(n, host_routing)
firewall_routing = [(ctx.ip_a, a), \
(ctx.ip_p, p), \
(ctx.ip_s, p)]
firewall_routing.extend([(getattr(ctx, 'ip_%s' % (n.z3Node)), n)
for n in other_endhosts])
net.RoutingTable(f, firewall_routing)
nodes = [a, s, p, f]
nodes.extend(other_endhosts)
net.Attach(*nodes)
class TrivialReturn(object):
def __init__(self, net, ctx, a, s, p, f, others):
self.net = net
self.ctx = ctx
self.a = a
self.s = s
self.f = f
self.p = p
self.others = others
self.check = components.PropertyChecker(ctx, net)
return TrivialReturn(net, ctx, a, s, p, f, other_endhosts)