Пример #1
0
def init(name, raise_on_error=False):
    # clear object variables
    parser.object_dict.clear()
    # init firewall
    p_info['firewall'] = Firewall()
    p_info['firewall'].name = name
    p_info['firewall'].hostname = ntpath.basename(name)
    p_info['firewall'].type = 'Iptables'
    # create default acl
    p_info['firewall'].acl.append(ACL('INPUT'))
    p_info['firewall'].acl.append(ACL('FORWARD'))
    p_info['firewall'].acl.append(ACL('OUTPUT'))
    # init parser state
    p_info['current_interface_name'] = None
    p_info['used_object'] = set()
    p_info['default_policy'] = dict()
    p_info['default_policy']['INPUT'] = Action(True)
    p_info['default_policy']['FORWARD'] = Action(True)
    p_info['default_policy']['OUTPUT'] = Action(True)
    p_info['current_chain'] = None
    p_info['rule_id'] = 0
    p_info['rule_list'] = []
    p_info['rule_bind'] = dict()
    p_info['current_rule'] = Rule(p_info['rule_id'], None, [], [], [], [], [],
                                  Action(False))
    p_info['rule_bind'][p_info['rule_id']] = [None, None]
    p_info['current_table'] = None
    # raise on error option
    p_info['raise_on_error'] = raise_on_error
def p_acl_name_line(p):
    '''acl_name_line : FROM_ZONE WORD TO_ZONE WORD LBRACKET'''
    global current_acl, cptr
    cptr += 1
    if current_acl.name != None :
        p_info['firewall'].acl.append(current_acl)
    current_acl = ACL(None)
    current_acl.name = p[2] + '-' + p[4]
Пример #3
0
def p_acl_name_line(p):
    '''acl_name_line : FROM_ZONE WORD TO_ZONE WORD LBRACKET'''
    global current_acl, cptr
    cptr += 1
    if current_acl.name != None:
        p_info['firewall'].acl.append(current_acl)
    current_acl = ACL(None)
    current_acl.name = p[2] + '-' + p[4]
Пример #4
0
def finish():
    my_parser = IptablesParser()
    # select the 3 main nodes
    input_node = my_parser.get_node("INPUT")
    output_node = my_parser.get_node("OUTPUT")
    forward_node = my_parser.get_node("FORWARD")

    # create every path from the 3 nodes
    input_path_list = my_parser.create_all_path_from_node(input_node)
    output_path_list = my_parser.create_all_path_from_node(output_node)
    forward_path_list = my_parser.create_all_path_from_node(forward_node)

    # create the rules which correspond to the path list
    input_rules = my_parser.get_rules_from_path_list(input_path_list)
    output_rules = my_parser.get_rules_from_path_list(output_path_list)
    forward_rules = my_parser.get_rules_from_path_list(forward_path_list)

    # add the rule for default drop or accept
    input_rules.append(my_parser.get_general_rule(input_node))
    output_rules.append(my_parser.get_general_rule(output_node))
    forward_rules.append(my_parser.get_general_rule(forward_node))

    # create the fw
    acl_input = ACL("INPUT")
    acl_input.rules = input_rules
    acl_output = ACL("OUTPUT")
    acl_output.rules = output_rules
    acl_forward = ACL("FORWARD")
    acl_forward.rules = forward_rules
    new_fw = Firewall()
    new_fw.acl = [acl_input, acl_output, acl_forward]
    new_fw.hostname = my_parser.instance.filename
    new_fw.name = my_parser.instance.filename
    my_parser.instance.fw.append(new_fw)
Пример #5
0
def get_acl_by_name_2(firewall, acl_name):
    acl = firewall.get_acl_by_name(acl_name)
    if acl == None:
        acl = ACL(acl_name)
        for rule in firewall.unbounded_rules:
            print rule.name, acl_name
        acl.rules = [rule for rule in firewall.unbounded_rules if rule.name == acl_name]
        acl.firewall = firewall
        return acl
    else:
        return acl
Пример #6
0
def insert_rule():
    if p_info['policy_zone_src'] and p_info['policy_zone_dst']:
        acl = p_info['firewall'].get_acl_by_name(p_info['policy_zone_src'] +
                                                 '-' +
                                                 p_info['policy_zone_dst'])

        if not acl:
            acl = ACL(p_info['policy_zone_src'] + '-' +
                      p_info['policy_zone_dst'])
            p_info['firewall'].acl.append(acl)
            NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(
                acl, p_info['firewall'],
                p_info['firewall'].get_interface_by_name(
                    p_info['policy_zone_src']),
                p_info['firewall'].get_interface_by_name(
                    p_info['policy_zone_dst']))

        if p_info['index_rule'] != -1:
            acl.rules.insert(p_info['index_rule'], p_info['current_policy'])
        else:
            acl.rules.append(p_info['current_policy'])
    else:
        for acl in p_info['firewall'].acl:
            acl.rules.append(p_info['current_policy'])

    p_info['current_policy'] = Rule(0, "", [], [], [], [], [], False)
    p_info['policy_zone_src'] = None
    p_info['policy_zone_dst'] = None
    p_info['index_rule'] = -1
Пример #7
0
def finish_fw(acls):
    for fw in firewalls:
        p_info['firewall'] = Firewall()
        p_info['firewall'].name = p_info['name']
        p_info['firewall'].hostname = fw['name']
        p_info['firewall'].type = 'CheckPoint'
        p_info['firewall'].unused_objects = set(unused_objects)
        p_info['firewall'].dictionnary = dict(nd)
        if fw['ifaces']:
            for iface in fw['ifaces']:
                p_info['firewall'].interfaces.append(Interface(iface['name'], Ip(iface['ipaddr'], iface['netmask']),
                                                               iface['index']))

        for name, acl in acls.iteritems():
            if name == p_info['firewall'].hostname:
                newAcl = ACL(name)
                newAcl.rules = acl
                p_info['firewall'].acl.append(newAcl)

        p_info['firewall_list'].append(p_info['firewall'])
Пример #8
0
def add_rule(rule):
    acl = p_info['firewall'].get_acl_by_name(p_info['srcintf'] + '-' + p_info['dstintf'])

    if not acl:
        acl = ACL(p_info['srcintf'] + '-' + p_info['dstintf'])
        p_info['firewall'].acl.append(acl)
        NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl,
                                                          p_info['firewall'],
                                                          p_info['firewall'].get_interface_by_nameif(p_info['srcintf']),
                                                          p_info['firewall'].get_interface_by_nameif(p_info['dstintf']))

    acl.rules.append(rule)
Пример #9
0
def finish():
    my_parser = IptablesParser()
    # select the 3 main nodes
    input_node = my_parser.get_node("INPUT")
    output_node = my_parser.get_node("OUTPUT")
    forward_node = my_parser.get_node("FORWARD")

    # create every path from the 3 nodes
    input_path_list = my_parser.create_all_path_from_node(input_node)
    output_path_list = my_parser.create_all_path_from_node(output_node)
    forward_path_list = my_parser.create_all_path_from_node(forward_node)

    # create the rules which correspond to the path list
    input_rules = my_parser.get_rules_from_path_list(input_path_list)
    output_rules = my_parser.get_rules_from_path_list(output_path_list)
    forward_rules = my_parser.get_rules_from_path_list(forward_path_list)

    # add the rule for default drop or accept
    input_rules.append(my_parser.get_general_rule(input_node))
    output_rules.append(my_parser.get_general_rule(output_node))
    forward_rules.append(my_parser.get_general_rule(forward_node))

    # create the fw
    acl_input = ACL("INPUT")
    acl_input.rules = input_rules
    acl_output = ACL("OUTPUT")
    acl_output.rules = output_rules
    acl_forward = ACL("FORWARD")
    acl_forward.rules = forward_rules
    new_fw = Firewall()
    new_fw.acl = [acl_input, acl_output, acl_forward]
    new_fw.hostname = my_parser.instance.filename
    new_fw.name = my_parser.instance.filename
    new_fw.type = "Iptables"
    my_parser.instance.fw.append(new_fw)
Пример #10
0
def finish_fw(acls):
    for fw in firewalls:
        p_info['firewall'] = Firewall()
        p_info['firewall'].name = p_info['name']
        p_info['firewall'].hostname = fw['name']
        p_info['firewall'].type = 'CheckPoint'
        p_info['firewall'].unused_objects = set(unused_objects)
        p_info['firewall'].dictionnary = dict(nd)
        if fw['ifaces']:
            for iface in fw['ifaces']:
                p_info['firewall'].interfaces.append(
                    Interface(iface['name'],
                              Ip(iface['ipaddr'], iface['netmask']),
                              iface['index']))

        for name, acl in acls.iteritems():
            if name == p_info['firewall'].hostname:
                newAcl = ACL(name)
                newAcl.rules = acl
                p_info['firewall'].acl.append(newAcl)

        p_info['firewall_list'].append(p_info['firewall'])
Пример #11
0
def p_access_group_line_1(p):
    '''access_group_line : ACCESS_GROUP item IN INTERFACE item optitem
                         | ACCESS_GROUP item OUT INTERFACE item optitem'''
    interface = p_info['firewall'].get_interface_by_name(p[5])
    firewall = p_info['firewall']

    acl = firewall.get_acl_by_name(p[2])

    if not acl:
        acl = ACL(p[2])
        p_info['firewall'].acl.append(acl)
        p_info['bounded_rules'].add(p[2])
        NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, interface, firewall)
        NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, firewall, interface)
Пример #12
0
def add_rule(rule):
    for src_itf in p_info['srcintf']:
        for dst_itf in p_info['dstintf']:
            acl = p_info['firewall'].get_acl_by_name(src_itf + '-' + dst_itf)

            if not acl:
                acl = ACL(src_itf + '-' + dst_itf)
                p_info['firewall'].acl.append(acl)
                s_itf = None
                d_itf = None
                for itf, vdom_name in p_info['interface_list']:
                    if itf.nameif == src_itf:
                        s_itf = itf
                    elif itf.nameif == dst_itf:
                        d_itf = itf
                NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(
                    acl, p_info['firewall'], s_itf, d_itf)

            acl.rules.append(rule)
Пример #13
0
def get_acl(src, dst, firewall, name):
    source = src.network if isinstance(src, Interface) else src
    destination = dst.network if isinstance(dst, Interface) else dst
    acl = NetworkGraph.NetworkGraph.NetworkGraph().get_acl_list(
        source, destination, firewall)
    # create acl name distinction with interface name
    acl_name = name
    acl_name += ' ' if isinstance(src, Interface) or isinstance(
        dst, Interface) else ''
    acl_name += src.name if isinstance(src, Interface) else ''
    acl_name += '-' if isinstance(src, Interface) and isinstance(
        dst, Interface) else ''
    acl_name += dst.name if isinstance(dst, Interface) else ''
    for a in acl:
        if a.name == acl_name:
            return a

    # if no acl create it
    acl = ACL(acl_name)
    NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, src, dst)
    return acl
Пример #14
0
def p_new_chain_cmd(p):
    '''new_chain_cmd : NEW_CHAIN chain'''
    if p_info['current_table'] == 'filter':
        p_info['firewall'].acl.append(ACL(p[2]))
Пример #15
0
networks_set = []

services = []
services_set = []

current_service = {}

current_set = {}

policies = []

cptr = 0

zones = []

current_acl = ACL(None)

current_iface = Interface(None)
current_sub_iface = Interface(None)
ifaces = []

# Use for construct dictionary of object and object group
object_dict = {}

# Use for detect state
p_info = {
    'firewall': Firewall(),
    'current_policy': Rule(0, "", [], [], [], [], [], Action(False)),
    'context_policy': Rule(0, "", [], [], [], [], [], Action(False)),
    'policy_zone_src': None,
    'policy_zone_dst': None,
Пример #16
0
def p_chain_line2(p):
    '''chain_line : COLON chain DROP SQUARE_BRACKET NUMBER COLON NUMBER SQUARE_BRACKET'''
    if p_info['current_table'] == 'filter' and not find_chain_by_name(p[2]):
        p_info['firewall'].acl.append(ACL(p[2]))
        p_info['default_policy'][p[2]] = Action(False)
Пример #17
0
def p_chain_line3(p):
    '''chain_line : COLON chain WORD SQUARE_BRACKET NUMBER COLON NUMBER SQUARE_BRACKET'''
    if p_info['current_table'] == 'filter' and not find_chain_by_name(p[2]):
        p_info['firewall'].acl.append(ACL(p[2]))