def testUnicastIPv6(self): self.naming.GetNetAddr('ANY').AndReturn([nacaddr.IP('::/0')]) self.mox.ReplayAll() acl = pcap.PcapFilter( policy.ParsePolicy(GOOD_HEADER_IN + UNICAST_TERM, self.naming), EXP_INFO) result = str(acl) self.failUnless('(dst net localhost and ((proto \\tcp)))' in result, 'did not find actual terms for unicast-term')
def testStandardTermHostIPv6(self): self.naming.GetNetAddr('SOME_HOST2').AndReturn( [nacaddr.IP('2001::3/128')]) self.naming.GetServiceByProto('HTTP', 'tcp').AndReturn(['80']) self.mox.ReplayAll() pol = policy.ParsePolicy(GOOD_HEADER_2 + GOOD_TERM_2, self.naming) acl = ciscoxr.CiscoXR(pol, EXP_INFO) expected = 'ipv6 access-list ipv6-test-filter' self.failUnless(expected in str(acl), '[%s]' % str(acl))
def testDscpWithByte(self): self.naming.GetNetAddr('SOME_HOST').AndReturn( [nacaddr.IP('10.0.0.0/8')]) self.mox.ReplayAll() srx = junipersrx.JuniperSRX( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming), EXP_INFO) output = str(srx) self.failUnless('dscp b111000;' in output, output)
def testInet6(self): self.naming.GetNetAddr.return_value = [ nacaddr.IP('10.0.0.0/8'), nacaddr.IP('2001:4860:8000::/33') ] acl = cisco.Cisco( policy.ParsePolicy(GOOD_INET6_HEADER + GOOD_TERM_8, self.naming), EXP_INFO) inet6_test1 = 'no ipv6 access-list inet6_acl' inet6_test2 = 'ipv6 access-list inet6_acl' inet6_test3 = 'permit tcp any 2001:4860:8000::/33' self.failUnless(inet6_test1 in str(acl), '[%s]' % str(acl)) self.failUnless(inet6_test2 in str(acl), '[%s]' % str(acl)) self.failUnless(re.search(inet6_test3, str(acl)), str(acl)) self.failIf('10.0.0.0' in str(acl), str(acl)) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testDscpWithByte(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] srx = junipersrx.JuniperSRX( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_10, self.naming), EXP_INFO) output = str(srx) self.failUnless('dscp b111000;' in output, output) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testBuildTokens(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] self.naming.GetServiceByProto.return_value = ['25'] pol1 = pcap.PcapFilter( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming), EXP_INFO) st, sst = pol1._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testBadStandardTerm(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + BAD_STANDARD_TERM_1, self.naming) self.assertRaises(cisco.StandardAclTermError, cisco.Cisco, pol, EXP_INFO) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testStandardFilterRange(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] pol = policy.ParsePolicy(BAD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2, self.naming) self.assertRaises(cisco.UnsupportedCiscoAccessListError, cisco.Cisco, pol, EXP_INFO) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testNextIpv6(self): self.naming.GetNetAddr('TEST_NEXT').AndReturn( [nacaddr.IP('2001::/128')]) self.mox.ReplayAll() jcl = juniper.Juniper( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming), EXP_INFO) output = str(jcl) self.failUnless(('next-ip6 2001::/128;') in output)
def testNoIPv6InOutput(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('2620:0:1000::/40')] pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_1 + GOOD_STANDARD_TERM_2, self.naming) acl = cisco.Cisco(pol, EXP_INFO) self.failIf('::' in str(acl), '[%s]' % str(acl)) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testV4ToV4(self): self.naming.GetNetAddr.side_effect = [[ nacaddr.IP('10.0.0.1'), nacaddr.IP('10.0.0.2') ], [ nacaddr.IP('10.0.0.0/8'), nacaddr.IP('172.16.0.0/12'), nacaddr.IP('192.168.0.0/16') ]] source_addr, dest_addr = self.getSourceDestAddresses(MIXED_HEADER + V4_TO_V4) self.verifyAddressType(source_addr, 'Ipv4Address') self.verifyAddressType(dest_addr, 'Ipv4Address') self.naming.GetNetAddr.assert_has_calls( [mock.call('NTP_SERVERS'), mock.call('INTERNAL')])
def testOptimizedApplicationset(self): some_host = [nacaddr.IP('10.0.0.1/32', token='SOMEHOST')] foo = [nacaddr.IP('10.0.0.2/32', token='FOO')] foobar = [nacaddr.IP('10.0.0.3/32', token='FOOBAR')] self.naming.GetNetAddr.side_effect = [ some_host, foo, foobar, foobar, some_host ] self.naming.GetServiceByProto.side_effect = [['25', '25'], ['80', '80'], ['25', '25'], ['25', '25']] pol = policy.ParsePolicy( GOOD_HEADER + GOOD_TERM_2 + GOOD_TERM_20 + GOOD_TERM_12 + GOOD_HEADER_2 + GOOD_TERM_14, self.naming) output = str(junipersrx.JuniperSRX(pol, EXP_INFO)) self.failIf('dup-of-term-1-app' in output)
def testBuildTokens(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/26')] jcl = juniper.Juniper( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming), EXP_INFO) st, sst = jcl._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testV6ToMixed(self): self.naming.GetNetAddr.side_effect = [ [nacaddr.IP('2001:4860:8000::/33')], [ nacaddr.IP('8.8.4.4'), nacaddr.IP('8.8.8.8'), nacaddr.IP('2001:4860:4860::8844'), nacaddr.IP('2001:4860:4860::8888') ] ] source_addr, dest_addr = self.getSourceDestAddresses(MIXED_HEADER + V6_TO_MIXED) self.verifyAddressType(source_addr, 'Ipv6Address') self.verifyAddressType(dest_addr, 'Ipv6Address') self.naming.GetNetAddr.assert_has_calls( [mock.call('SOME_HOST'), mock.call('GOOGLE_DNS')])
def testFailNextIpNetworkIP(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/26')] jcl = juniper.Juniper( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming), EXP_INFO) self.assertRaises(juniper.JuniperNextIpError, str, jcl) self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testStandardTermHost(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.1.1.1/32')] pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming) acl = ciscoxr.CiscoXR(pol, EXP_INFO) expected = 'ipv4 access-list test-filter' self.failUnless(expected in str(acl), '[%s]' % str(acl)) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def main(argv): parser = OptionParser() parser.add_option("-d", "--def", dest="defs", action="store", help="Network Definitions directory location", default="../def") parser.add_option("-i", "--ip", dest="ip", action="store", help="Return list of defintions containing this IP. " "Multiple IPs permitted.") parser.add_option("-t", "--token", dest="token", action="store", help="See if an IP is contained within this token." "Must be used in conjunction with --ip [addr].") parser.add_option("-c", "--cmp", dest="cmp", action="store_true", help="Compare two network definition tokens") (options, args) = parser.parse_args() db = naming.Naming(options.defs) if options.ip is not None and options.token is None: for arg in sys.argv[2:]: print "%s: " % arg rval = db.GetIpParents(arg) print rval if options.token is not None and options.ip is None: print "You must specify and IP Address with --ip [addr] to check." sys.exit(0) if options.token is not None and options.ip is not None: token = options.token ip = options.ip rval = db.GetIpParents(ip) if token in rval: print '%s is in %s' % (ip, token) else: print '%s is not in %s' % (ip, token) if options.cmp is not None: t1 = argv[2] t2 = argv[3] d1 = db.GetNet(t1) d2 = db.GetNet(t2) union = list(set(d1 + d2)) print 'Union of %s and %s:\n %s\n' % (t1, t2, union) print 'Diff of %s and %s:' % (t1, t2) for el in set(d1 + d2): el = nacaddr.IP(el) if el in d1 and el in d2: print ' %s' % el elif el in d1: print '+ %s' % el elif el in d2: print '- %s' % el
def testObjectGroup(self): ip_grp = ['object-group network ipv4 SOME_HOST'] ip_grp.append(' 10.0.0.0/8') ip_grp.append('exit') port_grp1 = ['object-group port 80-80'] port_grp1.append(' eq 80') port_grp1.append('exit') port_grp2 = ['object-group port 1024-65535'] port_grp2.append(' range 1024 65535') port_grp2.append('exit') self.naming.GetNetAddr.return_value = [ nacaddr.IP('10.0.0.0/8', token='SOME_HOST') ] self.naming.GetServiceByProto.return_value = ['80'] pol = policy.ParsePolicy( GOOD_OBJGRP_HEADER + GOOD_TERM_2 + GOOD_TERM_18, self.naming) acl = cisco.Cisco(pol, EXP_INFO) self.failUnless('\n'.join(ip_grp) in str(acl), '%s %s' % ('\n'.join(ip_grp), str(acl))) self.failUnless('\n'.join(port_grp1) in str(acl), '%s %s' % ('\n'.join(port_grp1), str(acl))) self.failUnless('\n'.join(port_grp2) in str(acl), '%s %s' % ('\n'.join(port_grp2), str(acl))) # Object-group terms should use the object groups created. self.failUnless( ' permit tcp any port-group 80-80 net-group SOME_HOST port-group' ' 1024-65535' in str(acl), str(acl)) self.failUnless( ' permit ip net-group SOME_HOST net-group SOME_HOST' in str(acl), str(acl)) # There should be no addrgroups that look like IP addresses. for addrgroup in re.findall(r'net-group ([a-f0-9.:/]+)', str(acl)): self.assertRaises(ValueError, nacaddr.IP(addrgroup)) self.naming.GetNetAddr.assert_has_calls( [mock.call('SOME_HOST'), mock.call('SOME_HOST')]) self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')
def testBuildWarningTokens(self): self.naming.GetNetAddr.side_effect = [[ nacaddr.IP('10.0.0.1'), nacaddr.IP('10.0.0.2') ], [ nacaddr.IP('10.0.0.0/8'), nacaddr.IP('172.16.0.0/12'), nacaddr.IP('192.168.0.0/16') ]] self.naming.GetServiceByProto.return_value = ['123'] pol1 = nsxv.Nsxv(policy.ParsePolicy(INET_FILTER_2, self.naming), 2) st, sst = pol1._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS) self.naming.GetNetAddr.assert_has_calls( [mock.call('NTP_SERVERS'), mock.call('INTERNAL')])
def testNamedStandard(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] pol = policy.ParsePolicy(GOOD_STANDARD_HEADER_2 + GOOD_STANDARD_TERM_2, self.naming) acl = cisco.Cisco(pol, EXP_INFO) expected = 'ip access-list standard FOO' self.failUnless(expected in str(acl), '[%s]' % str(acl)) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST')
def testInterfaceSpecificHeader(self): self.naming.GetNetAddr('SOME_HOST').AndReturn( [nacaddr.IP('10.0.0.0/8')]) self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25']) self.mox.ReplayAll() jcl = juniper.Juniper( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_1, self.naming), EXP_INFO) output = str(jcl) self.failUnless('interface-specific;' in output, output)
def testBuildWarningTokens(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::3/128')] self.naming.GetServiceByProto.return_value = ['80'] pol1 = ciscoxr.CiscoXR( policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming), EXP_INFO) st, sst = pol1._BuildTokens() self.assertEquals(st, SUPPORTED_TOKENS) self.assertEquals(sst, SUPPORTED_SUB_TOKENS)
def testNextIpv6(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('2001::/128')] jcl = juniper.Juniper( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming), EXP_INFO) output = str(jcl) self.failUnless(('next-ip6 2001::/128;') in output) self.naming.GetNetAddr.assert_called_once_with('TEST_NEXT')
def testBadFilterType(self): self.naming.GetNetAddr.return_value = [nacaddr.IP('10.0.0.0/8')] self.naming.GetServiceByProto.return_value = ['25'] pol = policy.ParsePolicy(BAD_HEADER_2 + GOOD_TERM_1, self.naming) self.assertRaises(aclgenerator.UnsupportedAF, juniper.Juniper, pol, EXP_INFO) self.naming.GetNetAddr.assert_called_once_with('SOME_HOST') self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testNextIpFormat(self): self.naming.GetNetAddr('TEST_NEXT').AndReturn([nacaddr.IP('10.1.1.1/32')]) self.mox.ReplayAll() jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_28, self.naming), EXP_INFO) output = str(jcl) self.failUnless( (' then {\n' ' next-ip 10.1.1.1/32;\n' ' }') in output)
def testDsmo(self): addr_list = list() for octet in range(0, 256): net = nacaddr.IP('192.168.' + str(octet) + '.64/27') addr_list.append(net) self.naming.GetNetAddr('SOME_HOST').AndReturn(addr_list) self.mox.ReplayAll() acl = cisco.Cisco( policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_8, self.naming), EXP_INFO) self.failUnless('permit 6 any 192.168.0.64 0.0.255.31' in str(acl))
def testPolicy(self): self.naming.GetNetAddr('PROD_NET').AndReturn( [nacaddr.IP('10.0.0.0/8')]) self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25']) self.mox.ReplayAll() acl = windows_ipsec.WindowsIPSec( policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming), EXP_INFO) result = str(acl) self.failUnless(['policy name=test-filter-policy assign=yes'], result, 'header')
def testTableDuplicateShortNameError(self): prod_network = nacaddr.IP('10.0.0.0/8') prod_network.parent_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME' prod_network_two = nacaddr.IP('172.0.0.1/8') prod_network_two.parent_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_GOOD_NAME' self.naming.GetNetAddr( 'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME').AndReturn( [prod_network]) self.naming.GetNetAddr( 'PROD_NETWORK_EXTREAMLY_LONG_VERY_GOOD_NAME').AndReturn( [prod_network_two]) self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25']) self.mox.ReplayAll() self.assertRaises( packetfilter.DuplicateShortenedTableName, packetfilter.PacketFilter.__init__, packetfilter.PacketFilter.__new__(packetfilter.PacketFilter), policy.ParsePolicy( GOOD_HEADER_DIRECTIONAL + DUPLICATE_LONG_NAME_TERM, self.naming), EXP_INFO)
def testDsmo(self): addr_list = list() for octet in range(0, 256): net = nacaddr.IP('192.168.' + str(octet) + '.64/27') addr_list.append(net) self.naming.GetNetAddr('SOME_HOST').AndReturn(addr_list) self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25']) self.mox.ReplayAll() jcl = juniper.Juniper(policy.ParsePolicy(GOOD_DSMO_HEADER + GOOD_TERM_1, self.naming), EXP_INFO) self.failUnless('192.168.0.64/255.255.0.224;' in str(jcl))
def testOptions(self): self.naming.GetNetAddr('SOME_HOST').AndReturn([nacaddr.IP('10.0.0.0/8')]) self.naming.GetServiceByProto('HTTP', 'tcp').AndReturn(['80']) self.mox.ReplayAll() jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_2, self.naming), EXP_INFO) output = str(jcl) self.failUnless('destination-port 1024-65535;' in output, output) # Verify that tcp-established; doesn't get duplicated if both 'established' # and 'tcp-established' options are included in term self.assertEquals(output.count('tcp-established;'), 1)