Exemplo n.º 1
def p_addr_service_set_line_3(p):
    '''service_set_line : START_PORT NUMBER'''
    # Grammar action; the docstring above is the production and stays verbatim.
    # The first bound seen is parked in p_info['range_port']; the next call
    # pairs it with the new NUMBER and emits a RANGE for the current object.
    pending = p_info['range_port']
    if not pending:
        p_info['range_port'] = Port(p[2])
        return
    bucket = object_dict[p_info['current_object']]
    bucket.append({'port_dst': Operator('RANGE', Port(p[2]), pending)})
    # Reset so the following START_PORT line starts a fresh pair.
    p_info['range_port'] = None
Exemplo n.º 2
def p_service_plus_2(p):
    '''service_plus : PLUS protocol SRC_PORT NUMBER HYPHEN NUMBER DST_PORT NUMBER HYPHEN NUMBER'''
    # Grammar action; the docstring above is the production and stays verbatim.
    # Records, in order: the protocol, the source port range (p[4]-p[6]) and
    # the destination port range (p[8]-p[10]) on the current object.
    protocol_cond = Operator('EQ', Protocol(p[2]))
    p_info['current_object'].append({'service': protocol_cond})

    source_range = Operator('RANGE', Port(p[4]), Port(p[6]))
    p_info['current_object'].append({'src-port': source_range})

    dest_range = Operator('RANGE', Port(p[8]), Port(p[10]))
    p_info['current_object'].append({'dst-port': dest_range})
Exemplo n.º 3
def p_port_destination_2(p):
    '''port_destination : BANG PORT_DESTINATION port_list'''
    # Grammar action for a negated (BANG) destination port list.
    # Each item of p[3] is a (low, high) pair; a falsy high means one port.
    for low, high in p[3]:
        sink = p_info['current_rule'].port_dest
        if high:
            # Negation of a range is delegated to Operator.toggle().
            negated = Operator('RANGE', Port(low), Port(high)).toggle()
        else:
            negated = Operator('NEQ', Port(low))
        sink.append(negated)
Exemplo n.º 4
def p_port_object_line_1(p):
    '''port_object_line : PORT_OBJECT OP_EQ item'''
    # Grammar action: add a single-port condition to the current object group.
    # An item listed in the CiscoAsaPort table is replaced by its table value;
    # anything else is handed to Port() unchanged.
    item = p[3]
    known_ports = CiscoAsaPort.CiscoAsaPort
    value = known_ports[item] if item in known_ports else item
    group = object_dict[p_info['object_group_name']]
    group.append({'port': Operator('EQ', Port(value))})
Exemplo n.º 5
def p_port_source_1(p):
    '''port_source : PORT_SOURCE port_list'''
    # Grammar action: append every entry of the port list to the current
    # rule's source ports. A falsy second element means a single port.
    for low, high in p[2]:
        sink = p_info['current_rule'].port_source
        if high:
            condition = Operator('RANGE', Port(low), Port(high))
        else:
            condition = Operator('EQ', Port(low))
        sink.append(condition)
Exemplo n.º 6
def p_port_source_2(p):
    '''port_source : BANG PORT_SOURCE port_list'''
    # Grammar action for a negated (BANG) source port list.
    # Single ports become NEQ; ranges are built and then inverted via toggle().
    for low, high in p[3]:
        sink = p_info['current_rule'].port_source
        if high:
            negated = Operator('RANGE', Port(low), Port(high)).toggle()
        else:
            negated = Operator('NEQ', Port(low))
        sink.append(negated)
Exemplo n.º 7
def p_port_dst_line(p):
    '''port_dst_line : PORT_DST COLON words'''
    # Grammar action: p[3] is a comma-separated list whose items are either a
    # port number or a "low-high" span; each becomes a destination condition.
    for token in p[3].split(','):
        sink = p_info['current_rule'].port_dest
        if '-' not in token:
            sink.append(Operator('EQ', Port(int(token))))
            continue
        # NOTE(review): only the first two '-'-separated pieces are used;
        # extra pieces are ignored and low > high is not checked.
        pieces = token.split('-')
        low = Port(int(pieces[0]))
        high = Port(int(pieces[1]))
        sink.append(Operator('RANGE', low, high))
Exemplo n.º 8
def p_nat_rule_static1(p):
    '''nat_rule_line : STATIC LPAREN WORD COMA WORD RPAREN TCP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN UDP IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
                     | STATIC LPAREN WORD COMA WORD RPAREN WORD IP_ADDR NUMBER IP_ADDR NUMBER NETMASK IP_ADDR
    '''
    # Grammar action: build a 'static' Nat_Rule and register it on the firewall.
    firewall = p_info['firewall']
    in_iface = firewall.get_interface_by_name(p[3])
    out_iface = firewall.get_interface_by_name(p[5])

    # Both addresses share the single netmask token p[13].
    netmask = p[13]
    protocols = [Protocol(p[7])]
    first_addr, first_port = [Ip(p[8], netmask)], [Port(int(p[9]))]
    second_addr, second_port = [Ip(p[10], netmask)], [Port(int(p[11]))]

    # NOTE(review): arguments are positional and the interface named second
    # in the parentheses (p[5]) is passed before the one named first (p[3]);
    # confirm this matches Nat_Rule's parameter order.
    rule = Nat_Rule(None, None, protocols, first_addr, [], [], first_port,
                    second_addr, second_port, 'static', [out_iface],
                    [in_iface])
    firewall.nat_rule_list.append(rule)
Exemplo n.º 9
 def get_all_flows(self):
     """Turn every row of self.liststore into a Rule appended to self.flows.

     Columns read per row: 0 identifier, 1 protocols, 2 source addresses,
     3 source ports, 4 destination addresses, 5 destination ports, 6 action
     ('deny' or 'accept'). List-valued columns are comma separated.
     """

     def filled(cell):
         # A column is used only when it is a non-empty string.
         return isinstance(cell, str) and len(cell) != 0

     def add_addresses(cell, sink):
         # "a.b.c.d/len" gets a dotted mask; a bare address is a single host.
         for addr in cell.split(','):
             if '/' in addr:
                 prefix_len = addr[addr.index('/') + 1:]
                 host = addr[:addr.index('/')]
                 dotted = self.fromDec2Dotted(int(prefix_len))
                 sink.append(Operator('EQ', Ip(host, dotted)))
             else:
                 sink.append(Operator('EQ', Ip(addr, '255.255.255.255')))

     def add_ports(cell, sink):
         for number in cell.split(','):
             sink.append(Operator('EQ', Port(int(number))))

     for flow in self.liststore:
         # Every rule starts as a deny with no match conditions.
         current_rule = Rule(None, None, [], [], [], [], [], Action(False))
         try:
             if filled(flow[0]):
                 current_rule.identifier = int(flow[0])
             if filled(flow[1]):
                 for proto_name in flow[1].split(','):
                     current_rule.protocol.append(
                         Operator('EQ', Protocol(proto_name)))
             if filled(flow[2]):
                 add_addresses(flow[2], current_rule.ip_source)
             if filled(flow[3]):
                 add_ports(flow[3], current_rule.port_source)
             if filled(flow[4]):
                 add_addresses(flow[4], current_rule.ip_dest)
             if filled(flow[5]):
                 add_ports(flow[5], current_rule.port_dest)
             verdict = flow[6]
             if verdict == 'deny':
                 current_rule.action = Action(False)
             elif verdict == 'accept':
                 current_rule.action = Action(True)
         except KeyError:
             # NOTE(review): only KeyError is handled; a non-numeric id, mask
             # or port (ValueError) propagates. After a KeyError the rule is
             # still appended with whatever conditions were parsed so far,
             # so it can match more traffic than the row described.
             print('error')
         self.flows.append(current_rule)
Exemplo n.º 10
def p_opt_service_3(p):
    '''opt_service : SOURCE operator DESTINATION operator'''
    # Grammar action: wrap the raw operands of both operators in Port and
    # return them as [{'source': ...}, {'destination': ...}].
    tagged = []
    for label, condition in (('source', p[2]), ('destination', p[4])):
        condition.v1 = Port(condition.v1)
        if condition.v2:
            # v2 is only present for two-operand operators
            condition.v2 = Port(condition.v2)
        tagged.append({label: condition})
    p[0] = tagged
Exemplo n.º 11
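def p_port_src_line(p):
    '''port_src_line : PORT_SRC COLON words'''
    # Grammar action: p[3] is a comma-separated list whose items are either a
    # port number or a "low-high" span; each becomes a source-port condition.
    for port_src in p[3].split(','):
        if '-' in port_src:
            # Fix: the closing parenthesis was misplaced, so the upper bound
            # was passed as a second argument to Port() and RANGE received a
            # single operand. Both bounds are now separate Port operands.
            bounds = port_src.split('-')
            p_info['current_rule'].port_source.append(
                Operator('RANGE', Port(int(bounds[0])), Port(int(bounds[1]))))
        else:
            p_info['current_rule'].port_source.append(
                Operator('EQ', Port(int(port_src))))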
Exemplo n.º 12
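 def get_rule_from_iptable_line(self, rule_line):
     """
     Build a Rule from one tokenised line of an iptables listing.

     Fields read: rule_line[0] target, [1] protocol, [3] source, [4]
     destination and, when at least 7 fields exist, [6] for an "spt"/"dpt"
     match or a "multiport dports" list found anywhere in the line.
     This function need some improvement in order to manage every case
     """

     def parse_address(field):
         # "anywhere" -> no condition; "a.b.c.d/len" -> address plus mask
         if field == "anywhere":
             return []
         if "/" not in field:
             return [Operator("EQ", Ip(field))]
         parts = field.split('/')
         return [Operator('EQ', Ip(parts[0], fromDec2Dotted(int(parts[1]))))]

     # Fix: REJECT also blocks the packet, so it must not be modelled as an
     # accept. NOTE(review): every other target (LOG, RETURN, user chains...)
     # is still mapped to Action(True) - confirm that is intended.
     denied = rule_line[0] in ("DROP", "REJECT")
     action = Action(False) if denied else Action(True)

     ip_source = parse_address(rule_line[3])
     ip_dest = parse_address(rule_line[4])
     port_source = []
     port_dest = []
     protocol = [] if rule_line[1] == "all" else [
         Operator("EQ", Protocol(rule_line[1]))
     ]
     if len(rule_line) >= 7:
         match = rule_line[6]
         # NOTE(review): [4:-1] drops the 4-char prefix and the last
         # character of the field; presumably a trailing delimiter - confirm.
         # Only one of spt/dpt is honoured when a line carries both.
         if "spt" in match:
             port_source.append(Operator("EQ", Port(match[4:-1])))
         elif "dpt" in match:
             port_dest.append(Operator("EQ", Port(match[4:-1])))
         elif "multiport" in rule_line:
             tmp_idx = rule_line.index("multiport")
             # Only destination port lists are handled; other multiport
             # forms are silently skipped.
             if rule_line[tmp_idx + 1] == "dports":
                 for tmp_port_dest in rule_line[tmp_idx + 2].split(","):
                     port_dest.append(Operator("EQ", Port(tmp_port_dest)))
         else:
             # Unhandled extra match: dump the line so it can be inspected.
             print("".join("  " + tmp_elem for tmp_elem in rule_line))
     return Rule(0, "", protocol, ip_source, port_source, ip_dest,
                 port_dest, action)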
Exemplo n.º 13
    def toBDD(self, index):
        """Construct the ROBDD

        Parameters
        ----------
        index : int. Used for variable index in ROBDD.

        Return
        ------
        Return the computed ROBDD
        """
        op = self.operator
        if op == 'NEQ':
            return negate_bdd(self.v1.toBDD(index))
        if op not in ('LT', 'GT', 'RANGE'):
            # EQ and any unrecognised operator: v1's own BDD
            return self.v1.toBDD(index)

        # NOTE(review): LT and GT pass v1's own value as a range endpoint;
        # whether that endpoint is included depends on range2bdd - confirm.
        first = self.v1
        if isinstance(first, Protocol):
            if op == 'LT':
                return Protocol.range2bdd(0, first.get_value(), index)
            if op == 'GT':
                return Protocol.range2bdd(first.get_value(), 2**8 - 1, index)
            return Protocol.range2bdd(first.get_value(),
                                      self.v2.get_value(), index)
        if isinstance(first, Ip):
            # ip & mask is the lowest address of the block,
            # ip | (~mask & 0xFFFFFFFF) the highest one.
            if op == 'LT':
                return Ip.range2bdd(0, first.ip | ~first.mask & 0xFFFFFFFF,
                                    index)
            if op == 'GT':
                return Ip.range2bdd(first.ip & first.mask, 2**32 - 1, index)
            return Ip.range2bdd(first.ip & first.mask,
                                self.v2.ip | ~self.v2.mask & 0xFFFFFFFF,
                                index)
        if isinstance(first, Port):
            if op == 'LT':
                return Port.range2bdd(0, first.get_value(), index)
            if op == 'GT':
                return Port.range2bdd(first.get_value(), 2**16 - 1, index)
            return Port.range2bdd(first.get_value(), self.v2.get_value(),
                                  index)
        # Any other operand type builds its own BDD.
        return first.toBDD(index)
Exemplo n.º 14
def fill_service(app, protocols, _protocols, _dest_ports, dest_ports):
    # Look *app* up in the module-level `services` table and extend the
    # caller's lists in place. `protocols` holds the raw protocol values
    # already seen, so each protocol condition is added only once.
    # `dest_ports` is not used here.
    for entry in services:
        if entry['name'] != app:
            continue
        if 'protocol' in entry and entry['protocol'] not in protocols:
            proto = entry['protocol']
            protocols.append(proto)
            _protocols.append(Operator('EQ', Protocol(proto)))
        if 'port' in entry:
            _dest_ports.append(Operator('EQ', Port(int(entry['port']))))
        if 'lport' in entry and 'rport' in entry:
            low = Port(int(entry['lport']))
            high = Port(int(entry['rport']))
            _dest_ports.append(Operator('RANGE', low, high))
Exemplo n.º 15
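 def merge_port(self, ports_list):
     """
     Intersect consecutive port lists and return the ports common to all.

     ports_list is a list of lists of port conditions (operator "EQ" or
     "RANGE" with .v1/.v2 carrying a .port value). It is updated in place:
     each intersection replaces the next entry. An empty inner list is
     skipped, i.e. it adds no constraint. Returns None as soon as two
     consecutive lists share no port, otherwise the last entry.
     """
     last = len(ports_list) - 1
     for idx in range(last):
         current = ports_list[idx]
         following = ports_list[idx + 1]
         if len(current) == 0:
             continue
         if len(following) == 0:
             ports_list[idx + 1] = current
             continue
         # Fix: start from a real list. The accumulator used to start as
         # None and was overwritten by the None that list.append() returns,
         # so matches were lost or raised AttributeError.
         common = []
         for port1 in current:
             for port2 in following:
                 if port1.operator == "EQ" and port2.operator == "EQ":
                     if port1.v1.port == port2.v1.port:
                         common.append(port1)
                         break
                 # Fix: range bounds are compared inclusively, so a port
                 # equal to an endpoint is part of the intersection.
                 elif port1.operator == "RANGE" and port2.operator == "EQ":
                     if port1.v1.port <= port2.v1.port <= port1.v2.port:
                         common.append(port2)
                 elif port1.operator == "EQ" and port2.operator == "RANGE":
                     if port2.v1.port <= port1.v1.port <= port2.v2.port:
                         common.append(port1)
                 elif port1.operator == "RANGE" and port2.operator == "RANGE":
                     low = max(port1.v1.port, port2.v1.port)
                     high = min(port1.v2.port, port2.v2.port)
                     if low > high:
                         continue  # disjoint ranges
                     if (port1.v1.port <= port2.v1.port
                             and port2.v2.port <= port1.v2.port):
                         common.append(port2)  # port2 lies inside port1
                     elif (port2.v1.port <= port1.v1.port
                           and port1.v2.port <= port2.v2.port):
                         common.append(port1)  # port1 lies inside port2
                     else:
                         # partial overlap: keep only the shared span
                         common.append(
                             Operator("RANGE", Port(low), Port(high)))
         ports_list[idx + 1] = common if common else None
         if not common:
             # Nothing in common: the overall intersection is empty.
             ports_list[last] = None
             break
     return ports_list[last]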
Exemplo n.º 16
def p_service_set_line_3_1(p):
    '''service_set_line : SET PROTOCOL WORD'''
    # Grammar action: 'ftp' and 'http' (any case) are stored as a
    # destination port; every other word is stored as a protocol.
    word = p[3].lower()
    bucket = object_dict[p_info['current_object']]
    if word in ('ftp', 'http'):
        entry = {'port_dst': Operator('EQ', Port(word))}
    else:
        entry = {'protocol': Operator('EQ', Protocol(word))}
    bucket.append(entry)
Exemplo n.º 17
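def fill_obj_dict_serv1(obj):
    """Record the port condition described by *obj* under nd[obj['name']].

    obj carries either 'portL'/'portR' (a span, where portR == 'infinite'
    means open-ended) or 'port' (a single port). The list for the name is
    created on first use even when obj carries no port information.
    """
    name = obj['name']
    if name not in nd:
        nd[name] = list()

    # Fix: the open-ended ('infinite') upper bound used to be recognised
    # only the first time a name was seen; later entries passed 'infinite'
    # to Port(). Both cases now share one code path.
    if 'portL' in obj:
        if obj['portR'] == 'infinite':
            condition = Operator('GT', Port(obj['portL']))
        else:
            condition = Operator('RANGE', Port(obj['portL']),
                                 Port(obj['portR']))
    elif 'port' in obj:
        condition = Operator('EQ', Port(obj['port']))
    else:
        # No port information: nothing to record for this object.
        return
    nd[name].append({name: condition})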
Exemplo n.º 18
    def toBDD(self, index):
        """Construct the ROBDD

        Parameters
        ----------
        index : int. Used for variable index in ROBDD.

        Return
        ------
        Return the computed ROBDD
        """
        operand = self.v1
        if self.operator == 'NEQ':
            return negate_bdd(operand.toBDD(index))
        if self.operator not in ('LT', 'GT', 'RANGE'):
            # EQ and unknown operators fall back to the operand's own BDD
            return operand.toBDD(index)

        # Pick the value space: its class and its largest value.
        if isinstance(operand, Protocol):
            kind, ceiling = Protocol, 2**8 - 1
        elif isinstance(operand, Ip):
            kind, ceiling = Ip, 2**32 - 1
        elif isinstance(operand, Port):
            kind, ceiling = Port, 2**16 - 1
        else:
            return operand.toBDD(index)

        if kind is Ip:
            # An address block spans ip & mask .. ip | (~mask & 0xFFFFFFFF).
            lowest = lambda v: v.ip & v.mask
            highest = lambda v: v.ip | ~v.mask & 0xFFFFFFFF
        else:
            lowest = highest = lambda v: v.get_value()

        # NOTE(review): LT/GT use the operand's own value as an endpoint;
        # whether it is included depends on range2bdd - confirm.
        if self.operator == 'LT':
            low, high = 0, highest(operand)
        elif self.operator == 'GT':
            low, high = lowest(operand), ceiling
        else:
            low, high = lowest(operand), highest(self.v2)
        return kind.range2bdd(low, high, index)
Exemplo n.º 19
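def resolve_predefined_juniper(name, policy):
    """Expand the predefined service *name* into conditions on *policy*.

    The JuniperNetscreenPort table maps a name to (kind, value) pairs.
    kind 'protocol' adds a protocol condition; kind 'src' targets the
    source ports and any other kind the destination ports. A port value
    may be a "low-high" string, a list of ports, or a single port.
    Raises KeyError when *name* is not in the table.
    """
    values = JuniperNetscreenPort.JuniperNetscreenPort[name]

    for v1, v2 in values:
        if v1 == 'protocol':
            policy.protocol.append(Operator('EQ', Protocol(v2)))
            policy.protocol_name.append(name)
            continue

        port = policy.port_source if v1 == 'src' else policy.port_dest
        port_name = policy.port_source_name if v1 == 'src' else policy.port_dest_name
        port_name.append(name)
        # Fix: the three value shapes are now exclusive. Previously a
        # "low-high" string produced the RANGE and then fell into the
        # trailing else, adding a bogus EQ on the whole string as well.
        if isinstance(v2, list):
            for i in v2:
                port.append(Operator('EQ', Port(i)))
        elif isinstance(v2, str) and '-' in v2:
            res = v2.split('-')
            port.append(Operator('RANGE', Port(res[0]), Port(res[1])))
        else:
            port.append(Operator('EQ', Port(v2)))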
Exemplo n.º 20
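def _append_dest_port(obj):
    """Append the destination-port condition carried by *obj*, if any."""
    dest = p_info['current_rule'].port_dest
    if 'port' in obj:
        dest.append(Operator('EQ', Port(obj['port'])))
    elif 'portL' in obj:
        if obj['portR'] == 'infinite':
            # open-ended span: everything above portL
            dest.append(Operator('GT', Port(obj['portL'])))
        else:
            dest.append(
                Operator('RANGE', Port(obj['portL']), Port(obj['portR'])))


def finish_serv(s):
    """Resolve service *s* and add its protocol/port conditions to the
    current rule.

    Handles plain protocol services, groups (each member resolved one
    level deep), 'other' (raw protocol) and 'rpc' (port only) objects.
    Any other type adds nothing.
    """
    protocol_types = ('udp', 'tcp', 'icmp', 'igmp', 'gre', 'ospf')
    tmpObj = resolve(s)
    # Fix: types are compared case-insensitively. The hand-written case
    # lists missed spellings such as 'ICMP' and 'IGMP', which left the rule
    # without its protocol condition (i.e. broader than configured).
    kind = tmpObj['type'].lower()
    if kind in protocol_types:
        p_info['current_rule'].protocol.append(
            Operator('EQ', Protocol(kind)))
        _append_dest_port(tmpObj)
    elif kind == 'group':
        # NOTE(review): members that are themselves groups are not expanded.
        for member in tmpObj['members']:
            subTmpOBj = resolve(member)
            member_kind = subTmpOBj['type'].lower()
            if member_kind in protocol_types:
                p_info['current_rule'].protocol.append(
                    Operator('EQ', Protocol(member_kind)))
            # Fix: members now get the same 'infinite' upper-bound handling
            # as a top-level service instead of Port('infinite').
            _append_dest_port(subTmpOBj)
    elif kind == 'other':
        p_info['current_rule'].protocol.append(
            Operator('EQ', Protocol(tmpObj['protocol'])))
    elif kind == 'rpc':
        p_info['current_rule'].port_dest.append(
            Operator('EQ', Port(tmpObj['port'])))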
Exemplo n.º 21
def try_resolve_service(name):
    # Best-effort mapping of a service name onto the current rule.
    # Returns True when a condition was added, False when *name* is
    # neither a known port nor a known protocol.
    # NOTE(review): names containing 'icmp6' are recorded as Protocol('icmp'),
    # and every name that resolves as a port is recorded as TCP.
    if re.search('icmp6|ping', name, re.I):
        p_info['current_rule'].protocol.append(
            Operator('EQ', Protocol('icmp')))
        return True

    rule = p_info['current_rule']
    try:
        # first guess: a destination port
        rule.port_dest.append(Operator('EQ', Port(name)))
        rule.protocol.append(Operator('EQ', Protocol('tcp')))
        return True
    except socket.error:
        pass

    try:
        # second guess: a protocol name
        rule.protocol.append(Operator('EQ', Protocol(name)))
    except socket.error:
        return False
    return True
Exemplo n.º 22
def p_port_dst_line(p):
    '''port_dst_line : PORT_DST COLON WORD'''
    # Grammar action: one destination port, given as a WORD token.
    dest_ports = p_info['current_rule'].port_dest
    condition = Operator('EQ', Port(p[3]))
    dest_ports.append(condition)
Exemplo n.º 23
def p_port_src_line(p):
    '''port_src_line : PORT_SRC COLON WORD'''
    # Grammar action: one source port, given as a WORD token.
    source_ports = p_info['current_rule'].port_source
    condition = Operator('EQ', Port(p[3]))
    source_ports.append(condition)
Exemplo n.º 24
def p_port_service_3(p):
    '''port_service : NUMBER MINUS NUMBER COLON NUMBER MINUS NUMBER'''
    # Grammar action: "a-b:c-d" - the span before the colon is stored as the
    # destination range, the span after it as the source range.
    dest_range = Operator('RANGE', Port(p[1]), Port(p[3]))
    object_dict[p_info['current_object']].append({'port_dst': dest_range})

    source_range = Operator('RANGE', Port(p[5]), Port(p[7]))
    object_dict[p_info['current_object']].append({'port_src': source_range})
Exemplo n.º 25
def p_port_service_1(p):
    '''port_service : NUMBER'''
    # Grammar action: a lone NUMBER is a single destination port.
    bucket = object_dict[p_info['current_object']]
    single_port = Operator('EQ', Port(p[1]))
    bucket.append({'port_dst': single_port})
Exemplo n.º 26
def p_opt_protocol_dst_1(p):
    '''opt_protocol_dst : DST_PORT NUMBER HYPHEN NUMBER
                        | DST_PORT NUMBER HYPHEN NUMBER TIMEOUT NUMBER
                        | DST_PORT NUMBER HYPHEN NUMBER TIMEOUT NEVER'''
    # Grammar action: store the destination range p[2]-p[4]; the optional
    # TIMEOUT part of the production is parsed but not used.
    low, high = Port(p[2]), Port(p[4])
    dest_range = Operator('RANGE', low, high)
    p_info['current_object'].append({'dst-port': dest_range})
Exemplo n.º 27
def p_port_dest_1(p):
    '''port_dest : operator'''
    # Grammar action: wrap the operator's raw operands in Port and add the
    # operator to the current rule's destination ports.
    condition = p[1]
    condition.v1 = Port(condition.v1)
    if condition.v2 is not None:
        # second operand exists only for two-operand operators
        condition.v2 = Port(condition.v2)
    p_info['current_rule'].port_dest.append(condition)
Exemplo n.º 28
def p_port_object_line_2(p):
    '''port_object_line : PORT_OBJECT OP_RANGE NUMBER NUMBER'''
    # Grammar action: add the port span p[3]..p[4] to the current object group.
    group = object_dict[p_info['object_group_name']]
    span = Operator('RANGE', Port(p[3]), Port(p[4]))
    group.append({'port': span})
Exemplo n.º 29
def p_opt_service_2(p):
    '''opt_service : DESTINATION operator'''
    # Grammar action: wrap the operator's raw operands in Port and return it
    # tagged as the destination condition.
    condition = p[2]
    condition.v1 = Port(condition.v1)
    if condition.v2:
        condition.v2 = Port(condition.v2)
    p[0] = [{'destination': condition}]
Exemplo n.º 30
def p_opt_service_1(p):
    '''opt_service : SOURCE operator'''
    # Grammar action: wrap the operator's raw operands in Port and return it
    # tagged as the source condition.
    condition = p[2]
    condition.v1 = Port(condition.v1)
    if condition.v2:
        condition.v2 = Port(condition.v2)
    p[0] = [{'source': condition}]
Exemplo n.º 31
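 def get_all_flows(self):
     """
     Convert each row of the flow matrix (self.liststore) into a Rule and
     append it to self.flows.

     Columns read per row: 0 identifier, 1 protocols, 2 source addresses,
     3 source ports, 4 destination addresses, 5 destination ports,
     6 action ('deny' or 'accept'). List-valued columns are comma
     separated; an address entry may be a host, "addr/len" or "first-last".
     """

     def filled(cell):
         # A column is used only when it is a non-empty string.
         return isinstance(cell, str) and len(cell) != 0

     def add_addresses(cell, sink):
         for entry in cell.split(','):
             if '-' in entry:
                 # Fix: the span test used to look for a "-" element in the
                 # split list, sliced with a variable that was not assigned
                 # yet, and gave RANGE one operand. Each end is now a
                 # single-host Ip and both are passed to RANGE.
                 dash = entry.index('-')
                 sink.append(
                     Operator('RANGE',
                              Ip(entry[:dash], '255.255.255.255'),
                              Ip(entry[dash + 1:], '255.255.255.255')))
             elif '/' in entry:
                 mask = entry[entry.index('/') + 1:]
                 host = entry[:entry.index('/')]
                 sink.append(
                     Operator('EQ',
                              Ip(host, self.fromDec2Dotted(int(mask)))))
             else:
                 sink.append(Operator('EQ', Ip(entry, '255.255.255.255')))

     def add_ports(cell, sink):
         for number in cell.split(','):
             sink.append(Operator('EQ', Port(int(number))))

     print(self.liststore)
     for flow in self.liststore:
         # Every rule starts as a deny with no match conditions.
         current_rule = Rule(None, None, [], [], [], [], [], Action(False))
         try:
             if filled(flow[0]):
                 current_rule.identifier = int(flow[0])
             if filled(flow[1]):
                 for protocol in flow[1].replace(' ', '').split(','):
                     current_rule.protocol.append(
                         Operator('EQ', Protocol(protocol)))
             if filled(flow[2]):
                 add_addresses(flow[2], current_rule.ip_source)
             if filled(flow[3]):
                 add_ports(flow[3], current_rule.port_source)
             if filled(flow[4]):
                 # Fix: destination spans were appended to ip_source.
                 add_addresses(flow[4], current_rule.ip_dest)
             if filled(flow[5]):
                 add_ports(flow[5], current_rule.port_dest)
             if flow[6] == 'deny':
                 current_rule.action = Action(False)
             elif flow[6] == 'accept':
                 current_rule.action = Action(True)
         except KeyError:
             # NOTE(review): only KeyError is handled; a non-numeric id, mask
             # or port (ValueError) propagates. After a KeyError the rule is
             # still appended with the conditions parsed so far, so it can
             # match more traffic than the row described.
             print('error')
         self.flows.append(current_rule)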