예제 #1
0
def p_service_set_line_3_4(p):
    '''service_set_line : SET PROTOCOL TCP_UDP_SCTP'''
    # The combined token stands for three protocols; one 'protocol' entry is
    # recorded per protocol, in the order tcp, udp, sctp.
    entries = object_dict[p_info['current_object']]
    for proto_name in ('tcp', 'udp', 'sctp'):
        entries.append({'protocol': Operator('EQ', Protocol(proto_name))})
예제 #2
0
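def fill_obj_dict_serv2(obj):
    """Record the service object *obj* in the global ``nd`` dictionary.

    Appends ``{name: Operator('EQ', Protocol(obj['protocol']))}`` to the
    list kept under ``obj['name']``, creating that list on first use.

    Parameters
    ----------
    obj : dict with at least the keys 'name' and 'protocol'.
    """
    # setdefault replaces the has_key()/else split: same result for a dict,
    # and has_key() no longer exists on Python 3.
    nd.setdefault(obj['name'], []).append(
        {obj['name']: Operator('EQ', Protocol(obj['protocol']))})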
예제 #3
0
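def fill_obj_dict_serv3(obj):
    """Record the service object *obj* in the global ``nd`` dictionary.

    Like ``fill_obj_dict_serv2`` but the protocol is taken from the
    object's 'type' field, lower-cased.

    Parameters
    ----------
    obj : dict with at least the keys 'name' and 'type'.
    """
    # setdefault replaces the has_key()/else split: same result for a dict,
    # and has_key() no longer exists on Python 3.
    nd.setdefault(obj['name'], []).append(
        {obj['name']: Operator('EQ', Protocol(obj['type'].lower()))})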
예제 #4
0
    def toBDD(self, index):
        """Construct the ROBDD

        Parameters
        ----------
        index : int. Used for variable index in ROBDD.

        Return
        ------
        Return the computed ROBDD

        Notes
        -----
        LT / GT / RANGE are turned into an inclusive [low, high] interval
        on the operand's value domain (8 bits for Protocol, 32 for Ip, 16
        for Port) and handed to that type's range2bdd.  For an Ip operand
        the low bound is the network address (ip & mask) and the high bound
        the last address of the network (ip | ~mask).  NEQ negates the
        operand's BDD; EQ, unknown operators and unknown operand types fall
        back to the operand's own BDD.
        """
        op = self.operator
        operand = self.v1

        if op == 'EQ':
            return operand.toBDD(index)
        if op == 'NEQ':
            return negate_bdd(operand.toBDD(index))
        if op not in ('LT', 'GT', 'RANGE'):
            # Unrecognised operator: no interval semantics, use the operand as-is.
            return operand.toBDD(index)

        if isinstance(operand, Protocol):
            build = Protocol.range2bdd
            if op == 'LT':
                low, high = 0, operand.get_value()
            elif op == 'GT':
                low, high = operand.get_value(), 2**8 - 1
            else:
                low, high = operand.get_value(), self.v2.get_value()
        elif isinstance(operand, Ip):
            build = Ip.range2bdd
            if op == 'LT':
                low, high = 0, operand.ip | ((~operand.mask) & 0xFFFFFFFF)
            elif op == 'GT':
                low, high = operand.ip & operand.mask, 2**32 - 1
            else:
                low = operand.ip & operand.mask
                high = self.v2.ip | ((~self.v2.mask) & 0xFFFFFFFF)
        elif isinstance(operand, Port):
            build = Port.range2bdd
            if op == 'LT':
                low, high = 0, operand.get_value()
            elif op == 'GT':
                low, high = operand.get_value(), 2**16 - 1
            else:
                low, high = operand.get_value(), self.v2.get_value()
        else:
            return operand.toBDD(index)

        return build(low, high, index)
예제 #5
0
def p_policy_set_line_10(p):
    '''policy_set_line : SET PERMIT_ANY_HOST WORD
                       | SET PERMIT_STUN_HOST WORD'''
    # Only meaningful while a policy is being parsed; elsewhere the line is a no-op.
    if get_state() != 'policy':
        return
    # WORD containing 'enable' (any case) adds udp to the current rule.
    # NOTE(review): only the udp protocol is recorded; the any-host / STUN
    # scope of the setting itself is not modelled here.
    if re.search('enable', p[3], re.I):
        p_info['current_rule'].protocol.append(
            Operator('EQ', Protocol('udp')))
예제 #6
0
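def resolve(name, policy, src_dst=None):
    """Expand the named object into the field lists of *policy*.

    A name present in ``object_dict`` is expanded entry by entry: 'object'
    entries recurse, 'address' entries go to the source or destination IP
    list depending on *src_dst*, and 'service' / 'src-port' / 'dst-port'
    entries go to the protocol and port lists.  The object's name is added
    to ``p_info['used_object']`` and mirrored into the matching ``*_name``
    list of the policy.  A name absent from ``object_dict`` is looked up in
    the Juniper predefined service table; failing that, ICMP-like names
    (containing 'ICMP', or exactly 'Traceroute' / 'PING') become protocol
    icmp.

    Parameters
    ----------
    name : str. Object or predefined service name.
    policy : rule object with protocol/ip/port lists and their *_name lists.
    src_dst : 'src' files addresses as sources; any other value as destinations.

    Raises
    ------
    SyntaxError if *name* is unknown everywhere; the name is printed first.
    """
    if name not in object_dict:
        if name in JuniperNetscreenPort.JuniperNetscreenPort:
            resolve_predefined_juniper(name, policy)
        elif 'ICMP' in name or name in ('Traceroute', 'PING'):
            policy.protocol.append(Operator('EQ', Protocol('icmp')))
            policy.protocol_name.append(name)
        else:
            # print() form works on Python 2 and 3; the message is unchanged.
            print('Critical: %s not found in dictionary' % name)
            raise SyntaxError('%s not found in dictionary' % name)
        return

    p_info['used_object'].add(name)
    # NOTE(review): there is no cycle guard; an object that (transitively)
    # references itself recurses until RecursionError.
    for entry in object_dict[name]:
        for key, value in entry.items():
            if key == 'object':
                resolve(value, policy, src_dst)
            elif key == 'address':
                if src_dst == 'src':
                    policy.ip_source.append(value)
                    policy.ip_source_name.append(name)
                else:
                    policy.ip_dest.append(value)
                    policy.ip_dest_name.append(name)
            elif key == 'service':
                policy.protocol.append(value)
                policy.protocol_name.append(name)
            elif key == 'src-port':
                policy.port_source.append(value)
                policy.port_source_name.append(name)
            elif key == 'dst-port':
                policy.port_dest.append(value)
                policy.port_dest_name.append(name)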
예제 #7
0
def p_protocol_object_line(p):
    '''protocol_object_line : PROTOCOL_OBJECT item
                            | PROTOCOL_OBJECT TCP
                            | PROTOCOL_OBJECT UDP
                            | PROTOCOL_OBJECT ICMP
                            | PROTOCOL_OBJECT ICMP6'''
    # p[2] is the protocol token; it is stored without case normalisation.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
예제 #8
0
def p_service_set_line_3_1(p):
    '''service_set_line : SET PROTOCOL WORD'''
    proto_word = p[3].lower()
    entries = object_dict[p_info['current_object']]
    # 'ftp' and 'http' name an application here, so they are stored as a
    # destination port; every other word is taken as a protocol name.
    if proto_word in ('ftp', 'http'):
        entries.append({'port_dst': Operator('EQ', Port(proto_word))})
    else:
        entries.append({'protocol': Operator('EQ', Protocol(proto_word))})
예제 #9
0
def p_service_plus_2(p):
    '''service_plus : PLUS protocol SRC_PORT NUMBER HYPHEN NUMBER DST_PORT NUMBER HYPHEN NUMBER'''
    current = p_info['current_object']
    # One entry per clause: the protocol, then the source port range
    # (p[4]-p[6]) and the destination port range (p[8]-p[10]).
    current.append({'service': Operator('EQ', Protocol(p[2]))})
    current.append({'src-port': Operator('RANGE', Port(p[4]), Port(p[6]))})
    current.append({'dst-port': Operator('RANGE', Port(p[8]), Port(p[10]))})
예제 #10
0
    def toBDD(self, index):
        """Construct the ROBDD

        Parameters
        ----------
        index : int. Used for variable index in ROBDD.

        Return
        ------
        Return the computed ROBDD

        Notes
        -----
        LT / GT / RANGE become an inclusive interval on the operand's value
        domain (8 bits for Protocol, 32 for Ip, 16 for Port) built with that
        type's range2bdd; an Ip operand contributes its network address as
        low bound and its last address (ip | ~mask) as high bound.  NEQ
        negates the operand's BDD.  EQ, unknown operators and unknown
        operand types return the operand's own BDD.
        """
        op = self.operator
        v1 = self.v1

        if op == 'NEQ':
            return negate_bdd(v1.toBDD(index))
        if op not in ('LT', 'GT', 'RANGE'):
            # 'EQ' and any unrecognised operator: the operand's own BDD.
            return v1.toBDD(index)

        # Per operand type: the range builder, the top of the domain, and
        # how an operand is mapped to a low / high interval bound.
        if isinstance(v1, Protocol):
            build, top = Protocol.range2bdd, 2**8 - 1
            low_of = high_of = lambda v: v.get_value()
        elif isinstance(v1, Ip):
            build, top = Ip.range2bdd, 2**32 - 1
            low_of = lambda v: v.ip & v.mask
            high_of = lambda v: v.ip | ((~v.mask) & 0xFFFFFFFF)
        elif isinstance(v1, Port):
            build, top = Port.range2bdd, 2**16 - 1
            low_of = high_of = lambda v: v.get_value()
        else:
            return v1.toBDD(index)

        if op == 'LT':
            return build(0, high_of(v1), index)
        if op == 'GT':
            return build(low_of(v1), top, index)
        return build(low_of(v1), high_of(self.v2), index)
예제 #11
0
def try_resolve_service(name):
    """Try to interpret *name* as a service and attach it to the current rule.

    Names matching 'icmp6' or 'ping' (case-insensitive) are recorded as
    protocol icmp.  Otherwise *name* is first tried as a port, which adds a
    destination port plus protocol tcp; if Port() rejects it, it is tried as
    a protocol name.  Returns True when something was recorded, False when
    *name* is neither a port nor a protocol.

    NOTE(review): a bare port name is always paired with tcp, so a udp
    service of the same name would not be represented.
    """
    rule = p_info['current_rule']

    # Either pattern anywhere in the name is enough.
    if re.search('icmp6|ping', name, re.I):
        rule.protocol.append(Operator('EQ', Protocol('icmp')))
        return True

    try:
        # try port
        rule.port_dest.append(Operator('EQ', Port(name)))
        rule.protocol.append(Operator('EQ', Protocol('tcp')))
        return True
    except socket.error:
        pass

    try:
        # not a port, try protocol
        rule.protocol.append(Operator('EQ', Protocol(name)))
    except socket.error:
        # not a port or a protocol
        return False
    return True
예제 #12
0
def p_nat_rule_static1(p):
    '''nat_rule_line : STATIC LPAREN WORD COMA WORD RPAREN TCP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN UDP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN WORD IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
    '''
    firewall = p_info['firewall']
    in_iface = firewall.get_interface_by_name(p[3])
    out_iface = firewall.get_interface_by_name(p[5])

    protocols = [Protocol(p[7])]
    # Both address/port pairs (p[8], p[9]) and (p[10], p[11]) share the
    # single NETMASK operand p[13].
    netmask = p[13]
    first_ip = [Ip(p[8], netmask)]
    first_port = [Port(int(p[9]))]
    second_ip = [Ip(p[10], netmask)]
    second_port = [Port(int(p[11]))]

    rule = Nat_Rule(None, None, protocols, first_ip, [], [], first_port,
                    second_ip, second_port, 'static', [out_iface], [in_iface])
    firewall.nat_rule_list.append(rule)
예제 #13
0
 def get_all_flows(self):
     """Append one Rule per row of self.liststore to self.flows.

     Rows are read positionally: [0] identifier, [1] protocols,
     [2] source IPs, [3] source ports, [4] destination IPs,
     [5] destination ports, [6] action ('deny' / 'accept').  A field is
     only parsed when it is a non-empty str; comma-separated fields give
     one EQ operator per element, and an IP may carry a '/prefix' suffix
     that is converted to a dotted netmask through self.fromDec2Dotted
     (a bare IP gets 255.255.255.255).  The rule starts with Action(False)
     and keeps it unless the action field says otherwise.  A KeyError
     while parsing prints 'error'; the partially built rule is still
     appended.
     """
     def is_filled(field):
         return isinstance(field, str) and len(field) != 0

     def add_ips(target, field):
         # Append operators one at a time so that a failure midway leaves
         # the earlier ones in place, exactly as before.
         for addr in field.split(','):
             if '/' in addr:
                 host, prefix = addr.split('/', 1)
                 target.append(
                     Operator('EQ', Ip(host, self.fromDec2Dotted(int(prefix)))))
             else:
                 target.append(Operator('EQ', Ip(addr, '255.255.255.255')))

     def add_ports(target, field):
         for port in field.split(','):
             target.append(Operator('EQ', Port(int(port))))

     for flow in self.liststore:
         current_rule = Rule(None, None, [], [], [], [], [], Action(False))
         try:
             if is_filled(flow[0]):
                 current_rule.identifier = int(flow[0])
             if is_filled(flow[1]):
                 for proto_name in flow[1].split(','):
                     current_rule.protocol.append(
                         Operator('EQ', Protocol(proto_name)))
             if is_filled(flow[2]):
                 add_ips(current_rule.ip_source, flow[2])
             if is_filled(flow[3]):
                 add_ports(current_rule.port_source, flow[3])
             if is_filled(flow[4]):
                 add_ips(current_rule.ip_dest, flow[4])
             if is_filled(flow[5]):
                 add_ports(current_rule.port_dest, flow[5])
             if flow[6] == 'deny':
                 current_rule.action = Action(False)
             elif flow[6] == 'accept':
                 current_rule.action = Action(True)
         except KeyError:
             print('error')  #
         self.flows.append(current_rule)
예제 #14
0
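# Service types that are plain IP protocols (compared case-insensitively).
_SERVICE_PROTOCOLS = frozenset(['udp', 'tcp', 'icmp', 'igmp', 'gre', 'ospf'])


def _append_service_entry(obj, rule):
    """Append the protocol / destination-port operators of one service to *rule*.

    Parameters
    ----------
    obj : resolved service dict with a 'type' key; depending on the type it
        may carry 'port', 'portL' / 'portR' or 'protocol'.
    rule : rule object with ``protocol`` and ``port_dest`` lists.

    Protocol-typed services add protocol EQ and, when present, either a
    single port (EQ), an open-ended range ('portR' == 'infinite' -> GT) or a
    closed RANGE.  'other' services add the protocol named in 'protocol';
    'rpc' services add their port only.  Group-typed objects are not handled
    here (see finish_serv).
    """
    kind = obj['type'].lower()
    if kind in _SERVICE_PROTOCOLS:
        rule.protocol.append(Operator('EQ', Protocol(kind)))
        if 'port' in obj:
            rule.port_dest.append(Operator('EQ', Port(obj['port'])))
        elif 'portL' in obj:
            if obj['portR'] == 'infinite':
                rule.port_dest.append(Operator('GT', Port(obj['portL'])))
            else:
                rule.port_dest.append(
                    Operator('RANGE', Port(obj['portL']), Port(obj['portR'])))
    elif kind == 'other':
        rule.protocol.append(Operator('EQ', Protocol(obj['protocol'])))
    elif kind == 'rpc':
        rule.port_dest.append(Operator('EQ', Port(obj['port'])))


def finish_serv(s):
    """Resolve service *s* and attach it to ``p_info['current_rule']``.

    A group service is expanded one level: every member is resolved and
    handled exactly like a stand-alone service, so the open-ended
    'infinite' upper bound (previously only honoured for top-level
    services) and the 'other' / 'rpc' types are treated the same way
    inside groups.  Type names are matched case-insensitively, which
    accepts every spelling the former hard-coded sets listed.

    Parameters
    ----------
    s : service name understood by ``resolve``.
    """
    tmp_obj = resolve(s)
    rule = p_info['current_rule']
    if tmp_obj['type'].lower() == 'group':
        for member in tmp_obj['members']:
            _append_service_entry(resolve(member), rule)
    else:
        _append_service_entry(tmp_obj, rule)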
예제 #15
0
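 def get_rule_from_iptable_line(self, rule_line):
     """
     get one iptable line and return a corresponding rule
     This function need some improvement in order to manage every case

     rule_line is a tokenised ``iptables -L`` line read positionally:
     [0] target, [1] protocol, [3] source, [4] destination and, from [6]
     on, the match options.  DROP and REJECT targets give a deny action;
     every other target (ACCEPT, but also RETURN and jumps to user chains)
     is modelled as permit.  Only a single spt:/dpt: token in position 6
     or a ``multiport sports|dports`` list is turned into port operators;
     any other option layout is printed and the ports are left
     unconstrained, so the modelled rule is broader than the live one.
     """
     def ip_operators(token):
         # "anywhere" places no constraint; "addr/N" carries a prefix length.
         if token == "anywhere":
             return []
         if "/" not in token:
             return [Operator("EQ", Ip(token))]
         parts = token.split('/')
         return [Operator('EQ', Ip(parts[0], fromDec2Dotted(int(parts[1]))))]

     # REJECT also refuses the traffic; treating it as permit would make the
     # model more permissive than the real firewall.
     action = Action(rule_line[0] not in ("DROP", "REJECT"))
     ip_source = ip_operators(rule_line[3])
     ip_dest = ip_operators(rule_line[4])
     port_source = []
     port_dest = []
     protocol = [] if rule_line[1] == "all" else [
         Operator("EQ", Protocol(rule_line[1]))
     ]
     if len(rule_line) >= 7:
         option = rule_line[6]
         # [4:-1] skips the 'spt:' / 'dpt:' prefix and one trailing character;
         # NOTE(review): assumes the token always ends with a character to
         # strip (e.g. a newline) — TODO confirm against the tokeniser.
         if "spt" in option:
             port_source.append(Operator("EQ", Port(option[4:-1])))
         elif "dpt" in option:
             port_dest.append(Operator("EQ", Port(option[4:-1])))
         elif "multiport" in rule_line:
             idx = rule_line.index("multiport")
             direction = rule_line[idx + 1]
             if direction == "dports":
                 for port in rule_line[idx + 2].split(","):
                     port_dest.append(Operator("EQ", Port(port)))
             elif direction == "sports":
                 for port in rule_line[idx + 2].split(","):
                     port_source.append(Operator("EQ", Port(port)))
         else:
             # Unhandled option layout: echo the line so it can be inspected.
             print("".join("  " + elem for elem in rule_line))
     return Rule(0, "", protocol, ip_source, port_source, ip_dest,
                 port_dest, action)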
예제 #16
0
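def fill_service(app, protocols, _protocols, _dest_ports, dest_ports):
    """Append the protocol and destination-port operators of service *app*.

    Every entry of the global ``services`` list whose 'name' equals *app*
    contributes: its 'protocol' (once per distinct value, tracked in
    *protocols*) as an Operator in *_protocols*; its 'port' as an EQ
    operator in *_dest_ports*; and, when both 'lport' and 'rport' are
    present, a RANGE operator in *_dest_ports*.

    Parameters
    ----------
    app : str. Service name to look up.
    protocols : list of protocol names already recorded (updated in place).
    _protocols : list of protocol Operators (updated in place).
    _dest_ports : list of destination port Operators (updated in place).
    dest_ports : accepted for signature compatibility; not used here.
    """
    for service in services:
        if service['name'] != app:
            continue
        # 'in' replaces has_key(), which is Python 2 only.
        if 'protocol' in service and service['protocol'] not in protocols:
            protocols.append(service['protocol'])
            _protocols.append(Operator('EQ', Protocol(service['protocol'])))
        if 'port' in service:
            _dest_ports.append(Operator('EQ', Port(int(service['port']))))
        if 'lport' in service and 'rport' in service:
            _dest_ports.append(
                Operator('RANGE', Port(int(service['lport'])),
                         Port(int(service['rport']))))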
예제 #17
0
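def export_rules(fw, out_dir):
    """Write one ';'-separated CSV file per ACL of *fw* into *out_dir*.

    Each ACL goes to ``<out_dir>/rules_<acl.name>`` (opened for append).
    An ACL without rules produces a single "NO RULES" row.  Otherwise one
    row is written per (protocol, destination port) pair of each rule:
    identifier, name, protocol, sources, source ports, destinations,
    destination port and "permit"/"deny".  Empty operator lists print as
    "ANY"; an empty protocol list prints as "IP".  Protocol and port values
    are de-duplicated and sorted so the export is deterministic between
    runs (a plain set gave an arbitrary row order).

    Parameters
    ----------
    fw : firewall object exposing ``acl``, each ACL having ``name`` and ``rules``.
    out_dir : str. Existing directory receiving the files.
    """
    import os

    # export operator to string
    def op_to_string(ops):
        joined = ", ".join(x.to_string() for x in ops)
        return joined if joined else "ANY"

    # for each acl in acl list of the firewall
    for acl in fw.acl:
        # NOTE(review): acl.name comes straight from the parsed configuration;
        # a name containing '/' or '..' would place the file outside out_dir.
        # os.path.join also avoids writing to '/rules_*' when out_dir is ''.
        out_path = os.path.join(out_dir, "rules_" + acl.name)
        # NOTE(review): 'ab+' is the Python 2 mode for csv; on Python 3 the
        # csv writer needs a text file opened with newline=''.
        with open(out_path, 'ab+') as csvfile:
            rule_writer = csv.writer(csvfile,
                                     delimiter=';',
                                     quotechar='|',
                                     quoting=csv.QUOTE_MINIMAL)
            if not acl.rules:
                rule_writer.writerow(["NO RULES"])
                continue
            for rule in acl.rules:
                if not rule.protocol:
                    proto_res = ["IP"]
                else:
                    proto_res = [
                        Protocol(proto).to_string()
                        for op_proto in rule.protocol
                        for proto in op_proto.get_services()
                    ]

                if not rule.port_dest:
                    port_dest_res = ["ANY"]
                else:
                    port_dest_res = [op.to_string() for op in rule.port_dest]

                # delete duplicates; sorted keeps the output order stable
                proto_res = sorted(set(proto_res))
                port_dest_res = sorted(set(port_dest_res))

                for proto in proto_res:
                    for port_dst in port_dest_res:
                        rule_writer.writerow([
                            rule.identifier, rule.name, proto,
                            op_to_string(rule.ip_source),
                            op_to_string(rule.port_source),
                            op_to_string(rule.ip_dest), port_dst,
                            "permit" if rule.action else "deny"
                        ])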
예제 #18
0
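def resolve_predefined_juniper(name, policy):
    """Attach the predefined Juniper service *name* to *policy*.

    Each (kind, value) pair of the table entry is applied: kind 'protocol'
    adds a protocol EQ operator; kind 'src' targets the source port lists and
    any other kind the destination port lists.  A list value yields one EQ
    operator per element, a 'low-high' string yields a RANGE operator and
    any other value a single EQ operator.  *name* is mirrored into the
    corresponding ``*_name`` list.

    The former code fell through from the str branch into the else branch,
    so a range string produced a RANGE operator *and* a bogus EQ operator on
    the whole 'low-high' string; the branches are now exclusive.

    Parameters
    ----------
    name : str. Key of JuniperNetscreenPort.JuniperNetscreenPort.
    policy : rule object with protocol / port lists and their *_name lists.
    """
    values = JuniperNetscreenPort.JuniperNetscreenPort[name]

    for kind, value in values:
        if kind == 'protocol':
            policy.protocol.append(Operator('EQ', Protocol(value)))
            policy.protocol_name.append(name)
            continue

        is_source = kind == 'src'
        ports = policy.port_source if is_source else policy.port_dest
        port_names = policy.port_source_name if is_source else policy.port_dest_name
        port_names.append(name)

        if isinstance(value, list):
            for single in value:
                ports.append(Operator('EQ', Port(single)))
        elif isinstance(value, str) and '-' in value:
            bounds = value.split('-')
            ports.append(Operator('RANGE', Port(bounds[0]), Port(bounds[1])))
        else:
            ports.append(Operator('EQ', Port(value)))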
예제 #19
0
def p_service_set_line_3_2(p):
    '''service_set_line : SET PROTOCOL_NUMBER NUMBER'''
    # The numeric token p[3] is passed to Protocol() unchanged.
    entries = object_dict[p_info['current_object']]
    entries.append({'protocol': Operator('EQ', Protocol(p[3]))})
예제 #20
0
def p_protocol_1(p):
    '''protocol : PROTOCOL item'''
    # The item's value is resolved through get_value before building the operator.
    proto = Protocol(get_value(p[2]))
    p_info['current_rule'].protocol.append(Operator('EQ', proto))
예제 #21
0
def p_protocol_2(p):
    '''protocol : BANG PROTOCOL item'''
    # Leading BANG negates the match: NEQ instead of EQ.
    proto = Protocol(get_value(p[3]))
    p_info['current_rule'].protocol.append(Operator('NEQ', proto))
예제 #22
0
def p_protocol_1(p):
    '''protocol : item'''
    # A bare item is the protocol value itself.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol(p[1])))
예제 #23
0
def p_tcp_udp_2(p):
    '''tcp_udp : UDP'''
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol('udp')))
    # The token is also propagated as the production's value.
    p[0] = p[1]
예제 #24
0
def p_rule_3(p):
    '''rule : action ICMP user_arg security_arg address_source security_arg address_dest icmp_arg log access_option'''
    # Only the protocol is recorded here; the other clauses are handled by
    # their own productions.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol('icmp')))
예제 #25
0
def p_service_object_line_4(p):
    '''service_object_line : SERVICE_OBJECT ICMP6 optitem'''
    # The ICMP6 token p[2] is stored as the protocol value; optitem is ignored.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
예제 #26
0
def p_service_object_line_2(p):
    '''service_object_line : SERVICE_OBJECT object_tcp_udp opt_service'''
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol(p[2]))})
    # opt_service already yields a sequence of entries; each is stored after
    # the protocol, in order.
    group.extend(p[3])
예제 #27
0
def p_icmp_object_line(p):
    '''icmp_object_line : ICMP_OBJECT item'''
    # The item (ICMP type) is not recorded; only protocol icmp is.
    group = object_dict[p_info['object_group_name']]
    group.append({'protocol': Operator('EQ', Protocol('icmp'))})
예제 #28
0
def p_service_set_line_6(p):
    '''service_set_line : SET UDP_PORTRANGE port_services'''
    # NOTE(review): 'UDP' is upper-case here while sibling rules pass
    # lower-case names — confirm Protocol() normalises case.
    entries = object_dict[p_info['current_object']]
    entries.append({'protocol': Operator('EQ', Protocol('UDP'))})
예제 #29
0
def p_service_line_3(p):
    '''service_line : SERVICE ICMP optitem'''
    # The ICMP token p[2] becomes the protocol; optitem is not recorded.
    entries = object_dict[p_info['object_name']]
    entries.append({'protocol': Operator('EQ', Protocol(p[2]))})
예제 #30
0
def p_protocol_line(p):
    '''protocol_line : PROTOCOL COLON WORD'''
    # The WORD after the colon is the protocol value.
    rule = p_info['current_rule']
    rule.protocol.append(Operator('EQ', Protocol(p[3])))
예제 #31
0
def p_object_group_line_2(p):
    '''object_group_line : OBJECT_GROUP SERVICE item object_opt_tcp_udp'''
    group_name = p[3]
    # A fresh list is assigned, so a repeated group name silently replaces
    # the earlier definition rather than extending it.
    object_dict[group_name] = []
    p_info['object_group_name'] = group_name
    # An optional trailing tcp/udp qualifier seeds the group's protocol.
    if p[4]:
        object_dict[group_name].append(
            {'protocol': Operator('EQ', Protocol(p[4]))})