def testManySourceAndDestinationAddresses(self):
self.naming.GetNetAddr.side_effect = [[
nacaddr.IPv4('10.0.0.0/24'),
nacaddr.IPv4('10.1.0.0/24')
], [nacaddr.IPv4('172.16.0.0/24'),
nacaddr.IPv4('172.17.0.0/24')]]
acl = ipset.Ipset(
policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming),
EXP_INFO)
result = str(acl)
self.assertIn(
'create good-term-3-src hash:net family inet hashsize '
'4 maxelem 4', result)
self.assertIn(
'create good-term-3-dst hash:net family inet hashsize '
'4 maxelem 4', result)
self.assertIn('add good-term-3-src 10.0.0.0/24', result)
self.assertIn('add good-term-3-src 10.1.0.0/24', result)
self.assertIn('add good-term-3-dst 172.16.0.0/24', result)
self.assertIn('add good-term-3-dst 172.17.0.0/24', result)
self.assertIn('-m set --match-set good-term-3-src src', result)
self.assertIn('-m set --match-set good-term-3-dst dst', result)
self.assertNotIn('-s ', result)
self.assertNotIn('-d ', result)
self.naming.GetNetAddr.assert_has_calls(
[mock.call('INTERNAL'),
mock.call('EXTERNAL')])
def testMinimizePrefixes(self):
includes = ['1.0.0.0/8', '2.0.0.0/8']
excludes = ['1.1.1.1/32', '2.0.0.0/8', '3.3.3.3/32']
expected = ['1.0.0.0/8;', '1.1.1.1/32 except;']
unexpected = ['2.0.0.0/8;', '2.0.0.0/8 except;', '3.3.3.3/32']
self.naming.GetNetAddr.side_effect = [[
nacaddr.IPv4(ip) for ip in includes
], [nacaddr.IPv4(ip) for ip in excludes]]
jcl = juniper.Juniper(
policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_19, self.naming),
EXP_INFO)
output = str(jcl)
for result in expected:
self.failUnless(result in output,
'expected "%s" in %s' % (result, output))
for result in unexpected:
self.failIf(result in output,
'unexpected "%s" in %s' % (result, output))
self.naming.GetNetAddr.assert_has_calls(
[mock.call('INCLUDES'),
mock.call('EXCLUDES')])
def testAddressListExcludeCaseFour(self):
# IPv6 does not affect IPv4
superset = [nacaddr.IPv4('0.0.0.0/0')]
excludes = [nacaddr.IPv6('::/0')]
expected = [nacaddr.IPv4('0.0.0.0/0')]
self.assertListEqual(nacaddr.AddressListExclude(superset, excludes),
expected)
def testExcludeReturnsPolicy(self):
#
# In this test, we should get fewer lines of output by performing
# early return jumps on excluded addresses.
#
self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
[nacaddr.IPv4('10.0.0.0/24')]]
self.naming.GetServiceByProto.return_value = ['80']
acl = iptables.Iptables(
policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.naming),
EXP_INFO)
result = str(acl)
self.failUnless('-P INPUT ACCEPT' in result,
'no default policy found.')
self.failUnless('-p tcp' in result, 'no protocol specification found.')
self.failUnless('-s ' in result, 'no source address found.')
self.failUnless('-s 10.0.0.0/24 -j RETURN' in result,
'expected address 10.0.0.0/24 not jumping to RETURN.')
self.failUnless('--sport 80 -s 10.0.0.0/8' in result,
'expected source address 10.0.0.0/8 not accepted.')
self.naming.GetNetAddr.assert_has_calls(
[mock.call('INTERNAL'),
mock.call('OOB_NET')])
self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')
def testSourceDestExcludeFromAllIps(self):
source_network = []
source_exclude_network = [nacaddr.IPv4('192.168.0.0/27')]
destination_network = []
destination_exclude_network = [nacaddr.IPv4('10.0.0.0/27')]
self.mock_naming.GetNetAddr.side_effect = [source_network,
source_exclude_network,
destination_network,
destination_exclude_network]
nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_11,
self.mock_naming), EXP_INFO))
self.assertIn('ip saddr { 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/9, '
'192.128.0.0/11, 192.160.0.0/13, 192.168.0.32/27, '
'192.168.0.64/26, 192.168.0.128/25, 192.168.1.0/24, '
'192.168.2.0/23, 192.168.4.0/22, 192.168.8.0/21, '
'192.168.16.0/20, 192.168.32.0/19, 192.168.64.0/18, '
'192.168.128.0/17, 192.169.0.0/16, 192.170.0.0/15, '
'192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, '
'193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, '
'208.0.0.0/4, 224.0.0.0/3}', nft)
self.assertIn('ip daddr { 0.0.0.0/5, 8.0.0.0/7, 10.0.0.32/27, '
'10.0.0.64/26, 10.0.0.128/25, 10.0.1.0/24, 10.0.2.0/23, '
'10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, '
'10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, '
'10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, '
'10.64.0.0/10, 10.128.0.0/9, 11.0.0.0/8, 12.0.0.0/6, '
'16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1}', nft)
def testNextIP(self):
pol = HEADER_2 + GOOD_TERM_35
expected = nacaddr.IPv4('10.1.1.1/32')
self.naming.GetNetAddr('PROD_NETWRK').AndReturn([nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetNetAddr('NEXT_IP').AndReturn([nacaddr.IPv4('10.1.1.1/32')])
self.mox.ReplayAll()
result = policy.ParsePolicy(pol, self.naming)
self.assertEqual(result.filters[0][1][0].next_ip[0], expected)
def testSingleSourceDestIp(self):
source_network = [nacaddr.IPv4('172.16.0.0/24')]
destination_network = [nacaddr.IPv4('10.0.0.0/24')]
self.mock_naming.GetNetAddr.side_effect = [source_network,
destination_network]
nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2,
self.mock_naming), EXP_INFO))
self.assertIn('ip saddr 172.16.0.0/24 ip daddr 10.0.0.0/24', nft)
def testShadingDetection(self):
pol2 = HEADER + GOOD_TERM_2 + GOOD_TERM_3
self.naming.GetNetAddr('PROD_NETWRK').AndReturn([nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetNetAddr('PROD_NETWRK').AndReturn([nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetServiceByProto('SMTP', 'tcp').AndReturn(['25'])
self.mox.ReplayAll()
# same protocol, same saddr, shaded term defines a port.
self.assertRaises(policy.ShadingError, policy.ParsePolicy, pol2,
self.naming, shade_check=True)
def test_token_to_ips(self):
expected_results = [(r'GOOGLE_DNS', [
nacaddr.IPv4('8.8.4.4/32'),
nacaddr.IPv4('8.8.8.8/32'),
nacaddr.IPv6('2001:4860:4860::8844/128'),
nacaddr.IPv6('2001:4860:4860::8888/128')
])]
options = Namespace(obj=('GOOGLE_DNS', ), )
results = get_nets(options.obj, self.db)
self.assertEquals(results[0][0], expected_results[0][0])
self.assertEquals(set(results[0][1]), set(expected_results[0][1]))
def testGoodAddrExcludes(self):
pol = HEADER + GOOD_TERM_27
self.naming.GetNetAddr('PROD_NETWRK').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetNetAddr('PROD_EH').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.62.0.0/15')])
self.mox.ReplayAll()
ret = policy.ParsePolicy(pol, self.naming)
_, terms = ret.filters[0]
self.assertEquals(terms[0].address_exclude[0],
nacaddr.IPv4('10.62.0.0/15'))
def testAddressCleanupCorrect(self):
unoptimized_addr = [nacaddr.IPv4('10.16.128.6/32', token='FOO'),
nacaddr.IPv4('10.16.128.7/32', token='BAR')]
self.naming.GetNetAddr.return_value = unoptimized_addr
pol = policy.ParsePolicy(HEADER + GOOD_TERM_2, self.naming)
term = pol.filters[0][1][0]
self.assertEqual(nacaddr.CollapseAddrList(unoptimized_addr),
term.source_address)
pol = policy.ParsePolicy(HEADER_SRX + GOOD_TERM_2, self.naming)
term = pol.filters[0][1][0]
self.assertEqual(nacaddr.CollapseAddrListPreserveTokens(unoptimized_addr),
term.source_address)
def testNextIP(self):
pol = HEADER_2 + GOOD_TERM_35
expected = nacaddr.IPv4('10.1.1.1/32')
self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
[nacaddr.IPv4('10.1.1.1/32')]]
result = policy.ParsePolicy(pol, self.naming)
self.assertEqual(result.filters[0][1][0].next_ip[0], expected)
self.naming.GetNetAddr.assert_has_calls(
[mock.call('PROD_NETWRK'),
mock.call('NEXT_IP')])
def testTermAddressByteLength(self):
"""Tests the AddressByteLength function."""
pol = HEADER + GOOD_TERM_2
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('10.0.0.1/32'), nacaddr.IPv4('10.0.0.2/32'),
nacaddr.IPv6('2001:4860:4860::8844/128'),
nacaddr.IPv6('2001:4860:4860::8888/128')]
ret = policy.ParsePolicy(pol, self.naming)
term = ret.filters[0][1][0]
self.assertEqual(2, term.AddressesByteLength([4]))
self.assertEqual(8, term.AddressesByteLength([6]))
self.assertEqual(10, term.AddressesByteLength())
def testManySourceAddresses(self):
self.naming.GetNetAddr('INTERNAL').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.0.0.0/24'), nacaddr.IPv4('10.1.0.0/24')])
self.mox.ReplayAll()
acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1,
self.naming), EXP_INFO)
result = str(acl)
self.assertIn('create good-term-1-src hash:net family inet hashsize'
' 4 maxelem 4', result)
self.assertIn('add good-term-1-src 10.0.0.0/24', result)
self.assertIn('add good-term-1-src 10.1.0.0/24', result)
self.assertIn('-m set --match-set good-term-1-src src', result)
self.assertNotIn('-s ', result)
def testAddressListExcludeCaseOne(self):
# Small block eliminated by large block, and an extra block that stays.
# For both IP versions.
superset = [
nacaddr.IPv4('200.0.0.0/24'),
nacaddr.IPv4('10.1.0.0/24'),
nacaddr.IPv6('200::/56'),
nacaddr.IPv6('10:1::/56')
]
excludes = [nacaddr.IPv6('10::/16'), nacaddr.IPv4('10.0.0.0/8')]
expected = [nacaddr.IPv4('200.0.0.0/24'), nacaddr.IPv6('200::/56')]
self.assertListEqual(nacaddr.AddressListExclude(superset, excludes),
expected)
def testManyDestinationAddresses(self):
self.naming.GetNetAddr('EXTERNAL').InAnyOrder().AndReturn(
[nacaddr.IPv4('172.16.0.0/24'), nacaddr.IPv4('172.17.0.0/24')])
self.mox.ReplayAll()
acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2,
self.naming), EXP_INFO)
result = str(acl)
self.assertIn('create good-term-2-dst hash:net family inet hashsize '
'4 maxelem 4', result)
self.assertIn('add good-term-2-dst 172.16.0.0/24', result)
self.assertIn('add good-term-2-dst 172.17.0.0/24', result)
self.assertIn('-m set --match-set good-term-2-dst dst', result)
self.assertNotIn('-s ', result)
def testOneSourceAndDestinationAddress(self):
self.naming.GetNetAddr('INTERNAL').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetNetAddr('EXTERNAL').InAnyOrder().AndReturn(
[nacaddr.IPv4('172.16.0.0/12')])
self.mox.ReplayAll()
acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3,
self.naming), EXP_INFO)
result = str(acl)
self.assertIn('-s 10.0.0.0/8', result)
self.assertIn('-d 172.16.0.0/12', result)
self.assertNotIn('-m set --match-set good-term-3-src src', result)
self.assertNotIn('-m set --match-set good-term-3-dst dst', result)
def testGoodAddrExcludes(self):
pol = HEADER + GOOD_TERM_27
self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
[nacaddr.IPv4('10.62.0.0/15')]]
ret = policy.ParsePolicy(pol, self.naming)
_, terms = ret.filters[0]
self.assertEquals(terms[0].address_exclude[0],
nacaddr.IPv4('10.62.0.0/15'))
self.naming.GetNetAddr.assert_has_calls(
[mock.call('PROD_NETWRK'),
mock.call('PROD_EH')], any_order=True)
def testDsmoExclude(self):
big = nacaddr.IPv4('0.0.0.0/1')
ip1 = nacaddr.IPv4('192.168.0.64/27')
ip2 = nacaddr.IPv4('192.168.1.64/27')
terms = (GOOD_TERM_18_SRC, GOOD_TERM_18_DST)
for _ in terms:
self.naming.GetNetAddr('INTERNAL').AndReturn([big])
self.naming.GetNetAddr('SOME_HOST').AndReturn([ip1, ip2])
self.mox.ReplayAll()
for term in terms:
jcl = juniper.Juniper(policy.ParsePolicy(GOOD_DSMO_HEADER + term,
self.naming), EXP_INFO)
self.failUnless('192.168.0.64/255.255.254.224 except;' in str(jcl))
def testShadingDetection(self):
pol2 = HEADER + GOOD_TERM_2 + GOOD_TERM_3
self.naming.GetNetAddr.side_effect = [
[nacaddr.IPv4('10.0.0.0/8')], [nacaddr.IPv4('10.0.0.0/8')]]
self.naming.GetServiceByProto.return_value = ['25']
# same protocol, same saddr, shaded term defines a port.
self.assertRaises(policy.ShadingError, policy.ParsePolicy, pol2,
self.naming, shade_check=True)
self.naming.GetNetAddr.assert_has_calls([
mock.call('PROD_NETWRK'),
mock.call('PROD_NETWRK')])
self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
def testIsSupernet(self):
addrs1 = [nacaddr.IPv4('10.0.1.7/32'), nacaddr.IPv4('10.0.1.2/32')]
addrs2 = [nacaddr.IPv4('10.0.1.0/24')]
addrs3 = [nacaddr.IPv4('10.0.1.7/32'), nacaddr.IPv4('10.1.1.2/32')]
addrs4 = [nacaddr.IPv4('192.168.1.1/32', nacaddr.IPv4('172.0.0.1/32'))]
addrs5 = [nacaddr.IPv4('192.168.1.1/24'), nacaddr.IPv4('10.0.1.0/24')]
self.assertTrue(nacaddr.IsSuperNet(addrs2, addrs1))
self.assertFalse(nacaddr.IsSuperNet(addrs2, addrs3))
self.assertFalse(nacaddr.IsSuperNet(addrs2, addrs4))
self.assertFalse(nacaddr.IsSuperNet(addrs2, addrs5))
self.assertTrue(nacaddr.IsSuperNet(addrs5, addrs2))
def testSourceDestExclude(self):
source_network = [nacaddr.IPv4('192.168.0.0/24')]
source_exclude_network = [nacaddr.IPv4('192.168.0.0/27')]
destination_network = [nacaddr.IPv4('10.0.0.0/24')]
destination_exclude_network = [nacaddr.IPv4('10.0.0.0/27')]
self.mock_naming.GetNetAddr.side_effect = [source_network,
source_exclude_network,
destination_network,
destination_exclude_network]
nft = str(nftables.Nftables(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_11,
self.mock_naming), EXP_INFO))
self.assertIn('ip saddr { 192.168.0.32/27, 192.168.0.64/26, '
'192.168.0.128/25}', nft)
self.assertIn('ip daddr { 10.0.0.32/27, 10.0.0.64/26, '
'10.0.0.128/25}', nft)
def testManySourceAddresses(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('10.0.0.0/24'), nacaddr.IPv4('10.1.0.0/24')]
acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1,
self.naming), EXP_INFO)
result = str(acl)
self.assertIn('create good-term-1-src hash:net family inet hashsize'
' 4 maxelem 4', result)
self.assertIn('add good-term-1-src 10.0.0.0/24', result)
self.assertIn('add good-term-1-src 10.1.0.0/24', result)
self.assertIn('-m set --match-set good-term-1-src src', result)
self.assertNotIn('-s ', result)
self.naming.GetNetAddr.assert_called_once_with('INTERNAL')
def testManyDestinationAddresses(self):
self.naming.GetNetAddr.return_value = [
nacaddr.IPv4('172.16.0.0/24'), nacaddr.IPv4('172.17.0.0/24')]
acl = ipset.Ipset(policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2,
self.naming), EXP_INFO)
result = str(acl)
self.assertIn('create good-term-2-dst hash:net family inet hashsize '
'4 maxelem 4', result)
self.assertIn('add good-term-2-dst 172.16.0.0/24', result)
self.assertIn('add good-term-2-dst 172.17.0.0/24', result)
self.assertIn('-m set --match-set good-term-2-dst dst', result)
self.assertNotIn('-s ', result)
self.naming.GetNetAddr.assert_called_once_with('EXTERNAL')
def __init__(self, term, filter_name, trackstate, filter_action, af='inet',
verbose=True):
"""Setup a new term.
Args:
term: A policy.Term object to represent in iptables.
filter_name: The name of the filter chan to attach the term to.
trackstate: Specifies if conntrack should be used for new connections.
filter_action: The default action of the filter.
af: Which address family ('inet' or 'inet6') to apply the term to.
verbose: boolean if comments should be printed
Raises:
UnsupportedFilterError: Filter is not supported.
"""
super(Term, self).__init__(term)
self.trackstate = trackstate
self.term = term # term object
self.filter = filter_name # actual name of filter
self.default_action = filter_action
self.options = []
self.af = af
self.verbose = verbose
if af == 'inet6':
self._all_ips = nacaddr.IPv6('::/0')
self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
'icmp6-adm-prohibited')
else:
self._all_ips = nacaddr.IPv4('0.0.0.0/0')
self._ACTION_TABLE['reject'] = ('-j REJECT --reject-with '
'icmp-host-prohibited')
self.term_name = '%s_%s' % (self.filter[:1], self.term.name)
def testLargeTermSplitIgnoreV6(self):
ips = list(
nacaddr.IP('2620:0:1000:3103:eca0:2c09:6b32:e000/119').
iter_subnets(new_prefix=128))
mo_ips = []
counter = 0
for ip in ips:
if counter % 2 == 0:
mo_ips.append(nacaddr.IP(ip))
counter += 1
ips = list(
nacaddr.IP('2720:0:1000:3103:eca0:2c09:6b32:e000/119').
iter_subnets(new_prefix=128))
ips.append(nacaddr.IPv4('10.0.0.1/32'))
prodcolos_ips = []
counter = 0
for ip in ips:
if counter % 2 == 0:
prodcolos_ips.append(nacaddr.IP(ip))
counter += 1
self.naming.GetNetAddr.side_effect = [mo_ips, prodcolos_ips]
self.naming.GetServiceByProto.return_value = ['25']
pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_14, self.naming)
srx = junipersrx.JuniperSRX(pol, EXP_INFO)
self.assertEqual(len(srx.policy.filters[0][1]), 1)
def __init__(self, term, filter_name, filter_action, af='inet'):
"""Setup a new term.
Args:
term: A policy.Term object to represent in windows_ipsec.
filter_name: The name of the filter chan to attach the term to.
filter_action: The default action of the filter.
af: Which address family ('inet' or 'inet6') to apply the term to.
Raises:
UnsupportedFilterError: Filter is not supported.
"""
super(Term, self).__init__(term)
self.term = term # term object
self.filter = filter_name # actual name of filter
self.default_action = filter_action
self.options = []
self.af = af
if af == 'inet6':
self._all_ips = nacaddr.IPv6('::/0')
else:
self._all_ips = nacaddr.IPv4('0.0.0.0/0')
self.term_name = '%s_%s' % (self.filter[:1], self.term.name)
def __init__(self, term, af):
"""Setup a new nftables term.
Args:
term: A policy.Term object
af: The capirca address family for the term, "inet", "inet6", or "mixed"
Raises:
InvalidAddressFamily: if supplied target options are invalid.
Note: AF of mixed requires kernel 3.15 or higher
"""
super(Term, self).__init__(term)
self.term = term
self.af = af
if af == 'inet6':
self.all_ips = nacaddr.IPv6('::/0')
elif af == 'inet':
self.all_ips = nacaddr.IPv4('0.0.0.0/0')
elif af == 'mixed':
# TODO(castagno): Need to add support for a mixed address family
raise InvalidAddressFamily(
'Address family mixed is not supported yet')
else:
raise InvalidAddressFamily('Not a valid address family')
def testOptionsContains(self):
# Tests "contains" testing of the options field. A term without set options
# contains one which has them set.
pol = HEADER + GOOD_TERM_2 + GOOD_TERM_29
self.naming.GetNetAddr('PROD_NETWRK').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.0.0.0/8')])
self.naming.GetNetAddr('PROD_NETWRK').InAnyOrder().AndReturn(
[nacaddr.IPv4('10.0.0.0/8')])
self.mox.ReplayAll()
ret = policy.ParsePolicy(pol, self.naming, shade_check=False)
self.assertEqual(len(ret.filters), 1)
_, terms = ret.filters[0]
self.assertTrue(terms[1] in terms[0], '\n' + str(terms[0]) + '\n' +
str(terms[1]))
self.assertFalse(terms[0] in terms[1], '\n' + str(terms[1]) + '\n' +
str(terms[0]))
def testOneSourceAndDestinationAddress(self):
self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
[nacaddr.IPv4('172.16.0.0/12')]]
acl = ipset.Ipset(
policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_3, self.naming),
EXP_INFO)
result = str(acl)
self.assertIn('-s 10.0.0.0/8', result)
self.assertIn('-d 172.16.0.0/12', result)
self.assertNotIn('-m set --match-set good-term-3-src src', result)
self.assertNotIn('-m set --match-set good-term-3-dst dst', result)
self.naming.GetNetAddr.assert_has_calls(
[mock.call('INTERNAL'),
mock.call('EXTERNAL')])