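def main(options):
    """Entry point: announce the version, honour ``options.debug`` and parse the device configurations.

    Args:
        options: parsed command-line options; ``options.debug`` raises the "FCD"
            logger to DEBUG, and the whole object is handed on to parse_input.

    Exits with status 1 when parse_input raises ParserException, after logging
    the traceback.  A bare ``sys.exit()`` would report success to the calling
    shell even though nothing was parsed.
    """
    log.info("firewallconfigdecryptor %s" % FCD_VERSION)
    if options.debug:  # TODO: also honour settings['General']['debug'] once that is fixed
        import logging
        logging.getLogger("FCD").setLevel(logging.DEBUG)
    try:
        parse_input(options)
    except ParserException:
        log.error("Unable to parse device configurations", exc_info=True)
        sys.exit(1)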
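def main(options):
    """Run the tool: log the version, enable debug logging on request, parse the configs.

    Args:
        options: parsed command-line options.  Only ``options.debug`` is read
            here; the object itself is passed to parse_input.

    A ParserException from parse_input is logged with its traceback and turned
    into exit status 1, so callers (scripts, CI) can tell the run failed.
    """
    log.info("firewallconfigdecryptor %s" % FCD_VERSION)
    if options.debug:
        # TODO: settings['General']['debug'] should also switch this on once fixed
        import logging
        fcd_logger = logging.getLogger("FCD")
        fcd_logger.setLevel(logging.DEBUG)
    try:
        parse_input(options)
    except ParserException:
        # Non-zero status on failure; sys.exit() with no argument would exit 0
        log.error("Unable to parse device configurations", exc_info=True)
        sys.exit(1)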
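def parse_input(options):
    """Parse the device configuration files found under ``options.config``.

    Args:
        options: parsed command-line options; only ``options.config`` (the path
            handed to InputParser.ParseDeviceConfigurations) is read.

    When no path was supplied a warning is logged and nothing else happens, so
    the user is told why no devices were parsed rather than the run finishing
    silently.
    """
    if not options.config:
        log.warning("No device configuration path specified; nothing to parse")
        return
    log.info("Parsing device configuration files located in : %s" % (options.config))
    InputParser().ParseDeviceConfigurations(options.config)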
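def ProcessStaticRoutes(self, firewalls, all_zones, file_contents):
    """Build gateways from static routes and attach each one to a security zone.

    Every ``route`` (ASA style) or ``ip route`` (IOS style) line in
    ``file_contents`` yields a next-hop gateway and the destination network it
    serves.  A gateway whose address already belongs to a known firewall zone is
    left alone.  Every other gateway is attached to the first zone that contains
    its address and is modelled as a small firewall of its own ("gw <ip>") with
    three interfaces: Ethernet0/0 towards the containing zone, Ethernet0/1
    towards an "unknown" zone made of the routed networks, and a
    management_data_interface holding the gateway's /32.

    Args:
        firewalls: dict name -> Firewall; a synthetic entry is added per gateway.
        all_zones: dict firewall name -> {interface name -> SecurityZone};
            a "gw <ip>" entry is added per attached gateway.
        file_contents: dict host -> iterable of configuration lines, e.g.
            "route outside 10.0.0.0 255.0.0.0 10.1.1.1" (constructed example).

    Side effects on self:
        potential_route_errors: route lines that are redundant with an earlier
            route to the same gateway (covered by it, or by a default route).
        unallocated_gateways: gateway addresses that no zone contains.

    Raises:
        ValueError: a route line has fewer than five fields, or ipaddr rejects a
            network or address in it (its AddressValueError derives from
            ValueError).  Malformed routes are not skipped on purpose: silently
            dropping one would leave the reachability model incomplete.
    """
    interface_gateways = {}
    self.potential_route_errors = []
    self.unallocated_gateways = []

    # Extract any gateways from static routes
    for host in file_contents:
        for line in file_contents[host]:
            parsed = self._parse_static_route(line)
            if parsed is None:
                continue
            network, gateway_ip = parsed
            self._record_gateway_route(interface_gateways, gateway_ip, network, line)

    # Zones reached through a management_data_interface belong to known firewalls
    fw_zones = [interfaces['management_data_interface']
                for interfaces in all_zones.values()
                if 'management_data_interface' in interfaces]

    log.info("Linking Gateways to Zones..")
    # Link each gateway found to appropriate zone
    count = 1
    for gateway in interface_gateways.values():
        # Gateway is an existing firewall/router..no need to create new
        if any(gateway.ipaddress in fw_zone.ipaddress_list for fw_zone in fw_zones):
            continue
        zone = self._find_zone_containing(all_zones, gateway.ipaddress)
        if zone is None:
            if gateway.ipaddress not in self.unallocated_gateways:
                self.unallocated_gateways.append(gateway.ipaddress)
            continue
        # Unknown-zone ids are numbered only for gateways that were attached
        self._attach_gateway_to_zone(firewalls, all_zones, gateway, zone, "UZ%s" % count)
        count += 1


def _parse_static_route(self, line):
    """Return (network, gateway_ip) for a ``route`` or ``ip route`` line, else None.

    Both forms carry destination, mask and next hop in fields 2-4 once the line
    is split on whitespace ("route <iface> <net> <mask> <gw>" and
    "ip route <net> <mask> <gw>"), so a single parser serves both.  Trailing
    fields (metric, "name ...") are ignored.

    Raises:
        ValueError: fewer than five fields, or ipaddr rejects an address.
    """
    # TODO: check that ASA configs still start these lines with "route " (trailing space)
    if not (line.startswith('route ') or line.startswith('ip route ')):
        return None
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("Malformed static route: %r" % line)
    network = ipaddr.IPv4Network("%s/%s" % (fields[2], fields[3]))
    gateway_ip = ipaddr.IPv4Address(fields[4])
    return network, gateway_ip


def _record_gateway_route(self, interface_gateways, gateway_ip, network, line):
    """Add ``network`` to the gateway at ``gateway_ip``, creating the Gateway on first sight.

    Pragmatic choice: each routed network is treated as directly connected to
    its gateway (no real gateway configs are available to verify this).  A
    network already covered by one of the gateway's routes, or by a default
    route to it, is redundant: the line is noted in self.potential_route_errors
    and the network is not added.
    """
    gateway = Gateway(gateway_ip, [network])
    existing = interface_gateways.get(gateway.ipaddress)
    if existing is None:
        interface_gateways[gateway.ipaddress] = gateway
        return
    default_route = ipaddr.IPv4Network('0.0.0.0/0.0.0.0')
    for existing_network in existing.network_addresses:
        if existing_network == default_route or network in existing_network:
            # Accumulate across the whole run so every redundant line is reported
            if line not in self.potential_route_errors:
                self.potential_route_errors.append(line)
            return
    existing.network_addresses.append(network)


def _find_zone_containing(self, all_zones, ipaddress):
    """Return the first SecurityZone in ``all_zones`` that contains ``ipaddress``, or None.

    Dict iteration order decides which zone wins when several contain the
    address; that is unchanged from the earlier inline search.
    """
    for interfaces in all_zones.values():
        for zone in interfaces.values():
            if zone.ContainsSubnetOrIpaddress(ipaddress):
                return zone
    return None


def _attach_gateway_to_zone(self, firewalls, all_zones, gateway, zone, unknown_zone_id):
    """Link ``gateway`` to ``zone`` and model it as a stand-alone firewall "gw <ip>".

    The gateway can potentially have ACLs and behave as a firewall, so until
    more is known about it, it is kept separate rather than merged into
    ``zone``.  Its /32 is carved out of ``zone.ipaddress_list`` so the zone no
    longer claims the gateway address; the Ethernet0/0 FirewallInterface is
    handed that same list object and therefore sees the change too.
    """
    zone.AddGateway(gateway)
    gateway_name = "gw %s" % gateway.ipaddress
    gateway_host = ipaddr.IPv4Network("%s/%s" % (gateway.ipaddress, 32))

    zones = all_zones.setdefault(gateway_name, dict())
    # Gateway connected to respective zone via E0/0
    zones["Ethernet0/0"] = zone
    # Firewall-Zone connected to gateway via mdi
    zones["management_data_interface"] = SecurityZone("fwz(%s)" % gateway_name, [gateway_host], gateway_name)
    # Networks (i.e. Unknown-Zones) connected to gateway via E0/1
    zones["Ethernet0/1"] = SecurityZone(unknown_zone_id, gateway.network_addresses, gateway_name)

    # Update firewalls list
    if gateway_name not in firewalls:
        firewalls[gateway_name] = Firewall(gateway_name)
    firewall_ifaces = firewalls[gateway_name].interfaces
    firewall_ifaces["Ethernet0/0"] = FirewallInterface("Ethernet0/0", "Ethernet0/0", "gw_%s" % zone.zone_id, zone.ipaddress_list)
    firewall_ifaces["Ethernet0/1"] = FirewallInterface("Ethernet0/1", "Ethernet0/1", "gw_%s" % unknown_zone_id, gateway.network_addresses)
    firewall_ifaces["management_data_interface"] = FirewallInterface("management_data_interface", "management_data_interface", "management_data_interface", gateway_host)

    # Replace the one prefix holding the gateway with that prefix minus the /32
    for prefix in zone.ipaddress_list:
        if gateway.ipaddress in prefix:
            zone.ipaddress_list.remove(prefix)
            zone.ipaddress_list.extend(prefix.address_exclude(gateway_host))
            break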
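def parse_input(options):
    """Parse the device configuration files found under ``options.config``.

    Args:
        options: parsed command-line options; only ``options.config`` is read
            and passed to InputParser.ParseDeviceConfigurations.

    Logs a warning and returns when no path was given, so a run that parsed
    nothing says so instead of finishing silently.
    """
    config_path = options.config
    if not config_path:
        log.warning("No device configuration path specified; nothing to parse")
        return
    log.info("Parsing device configuration files located in : %s"%(config_path))
    InputParser().ParseDeviceConfigurations(config_path)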