def testTableSameLongNameDiffFilter(self):
  """Checks one over-long address token used by terms in two filters.

  The expected table name is the first 31 characters of the token. It must be
  declared in the rendered header and referenced by both the TCP and the UDP
  DNS rule.
  """
  long_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME'
  net = nacaddr.IP('10.0.0.0/8')
  net.parent_token = long_token
  self.naming.GetNetAddr.return_value = [net]
  self.naming.GetServiceByProto.return_value = ['53']

  # Two header/term pairs, so the same token is resolved once per filter.
  policy_text = (GOOD_HEADER_DIRECTIONAL + LONG_NAME_TERM_DNS_TCP +
                 GOOD_HEADER_DIRECTIONAL + LONG_NAME_TERM_DNS_UDP)
  parsed = policy.ParsePolicy(policy_text, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))

  self.assertIn(
      'table <PROD_NETWORK_EXTREAMLY_LONG_VER> {10.0.0.0/8}',
      rendered,
      'did not find shortened name in header.')
  tcp_rule = ('pass out quick proto { tcp } from { any } to '
              '{ <PROD_NETWORK_EXTREAMLY_LONG_VER> } '
              'port { 53 } flags S/SA keep state')
  self.assertIn(tcp_rule, rendered,
                'did not find actual TCP term for multiple-name')
  udp_rule = ('pass out quick proto { udp } from { any } to '
              '{ <PROD_NETWORK_EXTREAMLY_LONG_VER> } '
              'port { 53 } keep state')
  self.assertIn(udp_rule, rendered,
                'did not find actual UDP for multiple-name')

  self.naming.GetNetAddr.assert_has_calls(
      [mock.call(long_token), mock.call(long_token)])
  self.naming.GetServiceByProto.assert_has_calls(
      [mock.call('DNS', 'tcp'), mock.call('DNS', 'udp')])
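def testTableCreation(self):
  """Checks that each address token becomes a pf table used by the rule.

  PROD_NETWORK holds one network and CORP_INTERNAL holds two. The expected
  header declares both tables and the rule refers to them by name.
  """
  prod_network = nacaddr.IP('10.0.0.0/8')
  prod_network.parent_token = 'PROD_NETWORK'
  # strict=False accepts the host bits; the expected table below lists the
  # network as 100.96.0.0/11.
  corp_internal_one = nacaddr.IP('100.96.0.1/11', strict=False)
  corp_internal_one.parent_token = 'CORP_INTERNAL'
  corp_internal_two = nacaddr.IP('172.16.0.0/16')
  corp_internal_two.parent_token = 'CORP_INTERNAL'

  # side_effect hands out one list per GetNetAddr call, in call order.
  self.naming.GetNetAddr.side_effect = [
      [prod_network], [corp_internal_one, corp_internal_two]]
  self.naming.GetServiceByProto.return_value = ['25']

  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + MULTIPLE_NAME_TERM, self.naming), EXP_INFO)
  result = str(acl)
  # Fixed the failure message, which was missing a space before "table".
  self.assertIn(
      'table <PROD_NETWORK> {10.0.0.0/8}', result,
      'did not find PROD_NETWORK table in header')
  self.assertIn(
      'table <CORP_INTERNAL> {100.96.0.0/11,\\\n'
      '172.16.0.0/16}', result,
      'did not find CORP_INTERNAL table in header')
  self.assertIn(
      'pass quick proto { tcp } from { <CORP_INTERNAL> } to '
      '{ <PROD_NETWORK> } port { 25 } flags S/SA keep state',
      result,
      'did not find actual term for multiple-name')

  self.naming.GetNetAddr.assert_has_calls([
      mock.call('PROD_NETWORK'),
      mock.call('CORP_INTERNAL')])
  self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')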
def testNextTerm(self):
  """Checks the rule rendered for NEXT_TERM.

  The expected rule is a 'pass' without the 'quick' keyword.
  """
  parsed = policy.ParsePolicy(GOOD_HEADER + NEXT_TERM, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term next', rendered, 'did not find comment for next')
  expected_rule = 'pass from { any } to { any } flags S/SA keep state\n'
  self.assertIn(expected_rule, rendered,
                'did not find actual term for next-term')
def testBuildWarningTokens(self):
  """Checks _BuildTokens() output for a policy built from GOOD_WARNING_TERM."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_WARNING_TERM, self.naming)
  generator = packetfilter.PacketFilter(parsed, EXP_INFO)
  tokens, sub_tokens = generator._BuildTokens()
  self.assertEqual(tokens, SUPPORTED_TOKENS)
  self.assertEqual(sub_tokens, SUPPORTED_SUB_TOKENS)
def testExpiredTerm2(self, mock_warn):
  """Checks that building a filter with an expired term warns exactly once.

  mock_warn is supplied by a patch decorator that is not visible here;
  presumably it replaces the logging call that emits the warning.
  """
  parsed = policy.ParsePolicy(GOOD_HEADER + EXPIRED_TERM2, self.naming)
  packetfilter.PacketFilter(parsed, EXP_INFO)

  expected_format = ('WARNING: Term %s in policy %s is expired and '
                     'will not be rendered.')
  mock_warn.assert_called_once_with(
      expected_format, 'expired_test2', 'test-filter')
def testMultilineComment(self):
  """Checks that each line of a multi-line term comment gets its own '#'."""
  parsed = policy.ParsePolicy(GOOD_HEADER + MULTILINE_COMMENT, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term multiline-comment', rendered,
                'did not find comment for multiline-comment')
  self.assertIn('# This is a\n# multiline comment', rendered,
                'did not find multiline comment for multiline-comment')
def testIcmp(self):
  """Checks the rule rendered for an ICMP term: stateful, no TCP flags."""
  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_ICMP, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term good-term-icmp', rendered,
                'did not find comment for good-term-icmp')
  expected_rule = (
      'pass quick proto { icmp } from { any } to { any } keep state\n')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for good-term-icmp')
def testFlags(self):
  """Checks that FLAGS_TERM renders with an explicit 'flags SF/SF' match."""
  parsed = policy.ParsePolicy(GOOD_HEADER + FLAGS_TERM, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term flags', rendered, 'did not find comment for flags')
  expected_rule = ('pass quick proto { tcp } from { any } to { any } '
                   'flags SF/SF')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for flags')
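def testNextLogTerm(self):
  """Checks the rule rendered for NEXT_LOG_TERM: 'pass log' without 'quick'."""
  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + NEXT_LOG_TERM, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn('# term next-log', result,
                'did not find comment for next-log')
  self.assertIn(
      'pass log from { any } to { any } flags S/SA keep state\n',
      result,
      'did not find actual term for next-log-term')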
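def testIcmpv6(self):
  """Checks that an ICMPv6 term renders with pf's 'ipv6-icmp' protocol name."""
  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + GOOD_TERM_ICMPV6, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn('# term good-term-icmpv6', result,
                'did not find comment for good-term-icmpv6')
  self.assertIn(
      'pass quick proto { ipv6-icmp } from { any } to { any } keep state\n',
      result,
      'did not find actual term for good-term-icmpv6')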
def testIcmpTypes(self):
  """Checks that ICMP types render as an 'icmp-type' list on a block rule."""
  parsed = policy.ParsePolicy(
      GOOD_HEADER + GOOD_TERM_ICMP_TYPES, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term good-term-icmp-types', rendered,
                'did not find comment for good-term-icmp-types')
  expected_rule = ('block drop quick proto { icmp } from { any } to { any } '
                   'icmp-type { 0, 3, 11 }')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for good-term-icmp-types')
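def testTcpEstablished(self):
  """Checks that a TCP established term renders as 'flags A/A keep state'."""
  acl = packetfilter.PacketFilter(
      policy.ParsePolicy(GOOD_HEADER + TCP_GOOD_ESTABLISHED_TERM,
                         self.naming), EXP_INFO)
  result = str(acl)
  self.assertIn('# term tcp-established-good', result,
                'did not find comment for tcp-established-good')
  # The failure message used to name udp-established, a different term,
  # which pointed anyone debugging a failure at the wrong rule.
  self.assertIn(
      'pass quick proto { tcp } from { any } to { any } flags A/A keep state',
      result,
      'did not find actual term for tcp-established-good')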
def testUdpStatelessEstablished(self):
  """Checks a UDP established term under the stateless header: 'no state'."""
  parsed = policy.ParsePolicy(
      GOOD_HEADER_STATELESS + UDP_ESTABLISHED_TERM, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term udp-established', rendered,
                'did not find comment for udp-established')
  expected_rule = 'pass quick proto { udp } from { any } to { any } no state'
  self.assertIn(expected_rule, rendered,
                'did not find actual term for udp-established')
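def testMultiprotocol(self):
  """Checks that several protocols in one term share a single proto list."""
  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + MULTIPLE_PROTOCOLS_TERM, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn('# term multi-proto', result,
                'did not find comment for multi-proto')
  self.assertIn(
      'pass quick proto { tcp udp icmp } from { any } to { any } keep state\n',
      result,
      'did not find actual term for multi-proto')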
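def testStatefulBlock(self):
  """Checks that a TCP deny term renders as 'block drop quick ... flags S/SA'."""
  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + DENY_TERM_TCP, self.naming), EXP_INFO)
  result = str(acl)
  # The failure message used to name udp-established although the assertion
  # looks for the deny-term-tcp comment.
  self.assertIn('# term deny-term-tcp', result,
                'did not find comment for deny-term-tcp')
  self.assertIn(
      'block drop quick proto { tcp } from { any } to { any } flags S/SA',
      result,
      'did not find actual term for deny-term-tcp')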
def testStatelessEstablished(self):
  """Checks TCP_STATE_TERM under the stateless header: 'flags A/A no state'."""
  parsed = policy.ParsePolicy(
      GOOD_HEADER_STATELESS + TCP_STATE_TERM, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term tcp-established-only', rendered,
                'did not find comment for tcp-established-only')
  expected_rule = (
      'pass quick proto { tcp } from { any } to { any } flags A/A no state')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for tcp-established-only')
def testInet6(self):
  """Checks that the inet6 header adds the 'inet6' keyword to the rule."""
  parsed = policy.ParsePolicy(GOOD_HEADER_INET6 + GOOD_TERM_LOG, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))
  self.assertIn('# term good-term-log', rendered,
                'did not find comment for good-term-log')
  expected_rule = (
      'pass quick log inet6 proto { tcp } from { any } to { any } flags S/SA '
      'keep state\n')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for good-term-log')
def testExpiringTerm(self, mock_info):
  """Checks that a term expiring EXP_INFO weeks from today logs one notice.

  mock_info is supplied by a patch decorator that is not visible here;
  presumably it replaces the logging call that emits the notice.
  """
  expiry = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
  term_text = EXPIRING_TERM % expiry.strftime('%Y-%m-%d')
  parsed = policy.ParsePolicy(GOOD_HEADER + term_text, self.naming)
  packetfilter.PacketFilter(parsed, EXP_INFO)

  expected_format = ('INFO: Term %s in policy %s expires in '
                     'less than two weeks.')
  mock_info.assert_called_once_with(
      expected_format, 'is_expiring', 'test-filter')
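def testLog(self):
  """Checks that a logging term renders the 'log' keyword on its pass rule."""
  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER + GOOD_TERM_LOG, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn('# term good-term-log', result,
                'did not find comment for good-term-log')
  self.assertIn(
      'pass quick log proto { tcp } from { any } to { any } flags S/SA '
      'keep state\n',
      result,
      'did not find actual term for good-term-log')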
def testBuildTokens(self):
  """Checks _BuildTokens() output for a policy built from GOOD_TERM_TCP."""
  net = nacaddr.IP('10.0.0.0/8')
  net.parent_token = 'PROD_NETWORK'
  self.naming.GetNetAddr.return_value = [net]
  self.naming.GetServiceByProto.return_value = ['25']

  parsed = policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_TCP, self.naming)
  generator = packetfilter.PacketFilter(parsed, EXP_INFO)
  tokens, sub_tokens = generator._BuildTokens()
  self.assertEqual(tokens, SUPPORTED_TOKENS)
  self.assertEqual(sub_tokens, SUPPORTED_SUB_TOKENS)
def testMultipleHeader(self):
  """Checks a policy with two headers: stateless first, then inet6.

  Both expected rules end in 'no state', and only the rule under the second
  header carries the 'inet6' keyword.
  """
  policy_text = (GOOD_HEADER_STATELESS + GOOD_TERM_LOG +
                 GOOD_HEADER_INET6 + GOOD_TERM_ICMP)
  parsed = policy.ParsePolicy(policy_text, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))

  log_rule = 'pass quick log proto { tcp } from { any } to { any } no state'
  self.assertIn(log_rule, rendered,
                'did not find actual term for good-term-log')
  icmp_rule = (
      'pass quick inet6 proto { icmp } from { any } to { any } no state')
  self.assertIn(icmp_rule, rendered,
                'did not find actual term for good-term-icmp')
def testPortRange(self):
  """Checks that the port range '12345-12354' renders as '12345:12354'."""
  self.naming.GetServiceByProto.return_value = ['12345-12354']
  parsed = policy.ParsePolicy(GOOD_HEADER + PORTRANGE_TERM, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))

  self.assertIn('# term portrange', rendered,
                'did not find comment for portrange')
  expected_rule = ('pass quick proto { tcp } from { any } to { any } '
                   'port { 12345:12354 }')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for portrange')
  self.naming.GetServiceByProto.assert_called_once_with('HIGH_PORTS', 'tcp')
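def testStateless(self):
  """Checks that the stateless header makes a TCP term end in 'no state'."""
  ip = nacaddr.IP('10.0.0.0/8')
  ip.parent_token = 'PROD_NETWORK'
  self.naming.GetNetAddr.return_value = [ip]
  self.naming.GetServiceByProto.return_value = ['25']

  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER_STATELESS + GOOD_TERM_TCP, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn('# term good-term-tcp', result,
                'did not find comment for good-term-tcp')
  self.assertIn(
      'pass quick proto { tcp } from { any } to { <PROD_NETWORK> } port '
      '{ 25 } no state',
      result,
      'did not find actual term for good-term-tcp')

  self.naming.GetNetAddr.assert_called_once_with('PROD_NETWORK')
  self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')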
def testDirectional(self):
  """Checks that the directional header renders the rule as 'pass out'."""
  net = nacaddr.IP('10.0.0.0/8')
  net.parent_token = 'PROD_NETWORK'
  self.naming.GetNetAddr.return_value = [net]
  self.naming.GetServiceByProto.return_value = ['25']

  parsed = policy.ParsePolicy(
      GOOD_HEADER_DIRECTIONAL + GOOD_TERM_TCP, self.naming)
  rendered = str(packetfilter.PacketFilter(parsed, EXP_INFO))

  self.assertIn('# term good-term-tcp', rendered,
                'did not find comment for good-term-tcp')
  expected_rule = (
      'pass out quick proto { tcp } from { any } to { <PROD_NETWORK> } port '
      '{ 25 }')
  self.assertIn(expected_rule, rendered,
                'did not find actual term for good-term-tcp')

  self.naming.GetNetAddr.assert_called_once_with('PROD_NETWORK')
  self.naming.GetServiceByProto.assert_called_once_with('SMTP', 'tcp')
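def testTableNameShortened(self):
  """Checks that an over-long address token is shortened for the pf table.

  The expected table name is the first 31 characters of the token, and the
  rule must reference that same shortened name.
  """
  prod_network = nacaddr.IP('10.0.0.0/8')
  prod_network.parent_token = 'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME'
  self.naming.GetNetAddr.return_value = [prod_network]
  self.naming.GetServiceByProto.return_value = ['53']

  acl = packetfilter.PacketFilter(policy.ParsePolicy(
      GOOD_HEADER_DIRECTIONAL + LONG_NAME_TERM_DNS_TCP, self.naming), EXP_INFO)
  result = str(acl)
  # assertIn replaces failUnless, a deprecated alias that was removed in
  # Python 3.12; it also prints the searched text when the check fails.
  self.assertIn(
      'table <PROD_NETWORK_EXTREAMLY_LONG_VER> {10.0.0.0/8}',
      result,
      'did not find shortened name in header.')
  self.assertIn(
      'pass out quick proto { tcp } from { any } to '
      '{ <PROD_NETWORK_EXTREAMLY_LONG_VER> } '
      'port { 53 } flags S/SA keep state',
      result,
      'did not find actual term for multiple-name')

  self.naming.GetNetAddr.assert_called_once_with(
      'PROD_NETWORK_EXTREAMLY_LONG_VERY_NO_GOOD_NAME')
  self.naming.GetServiceByProto.assert_called_once_with('DNS', 'tcp')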
def RenderFile(base_directory, input_file, output_directory, definitions,
               exp_info, write_files):
  """Parse one policy file and queue a rendered ACL per target platform.

  Args:
    base_directory: The base directory to look for acls.
    input_file: the name of the input policy file.
    output_directory: the directory in which we place the rendered file.
    definitions: the definitions from naming.Naming().
    exp_info: print a info message when a term is set to expire
              in that many weeks.
    write_files: a list of file tuples, (output_file, acl_text), to write

  Returns:
    None. A policy that raises policy.ShadingError is logged and skipped, so
    the caller gets no output for that file and no exception either.

  Raises:
    IOError: input_file could not be read (logged, then re-raised).
    ACLParserError: the policy or its naming definitions failed to parse.
    ACLGeneratorError: a generator raised one of the error types listed in
      the final except clause.
  """
  logging.debug('rendering file: %s into %s', input_file, output_directory)

  try:
    with open(input_file) as policy_fd:
      conf = policy_fd.read()
      logging.debug('opened and read %s', input_file)
  except IOError as e:
    logging.warning('bad file: \n%s', e)
    raise

  try:
    pol = policy.ParsePolicy(
        conf, definitions, optimize=FLAGS.optimize,
        base_dir=base_directory, shade_check=FLAGS.shade_check)
  except policy.ShadingError as e:
    logging.warning('shading errors for %s:\n%s', input_file, e)
    return
  except (policy.Error, naming.Error):
    raise ACLParserError(
        'Error parsing policy file %s:\n%s%s' % (
            input_file, sys.exc_info()[0], sys.exc_info()[1]))

  platforms = set()
  for header in pol.headers:
    platforms.update(header.platforms)

  # One row per output, in the order the outputs are rendered:
  # (platform keyword, generator factory, text put in front of the SUFFIX).
  # The factories are lambdas so a generator module is only touched when its
  # platform is actually requested.
  render_steps = (
      ('juniper', lambda p: juniper.Juniper(p, exp_info), ''),
      ('srx', lambda p: junipersrx.JuniperSRX(p, exp_info), ''),
      ('cisco', lambda p: cisco.Cisco(p, exp_info), ''),
      ('ciscoasa', lambda p: ciscoasa.CiscoASA(p, exp_info), ''),
      ('aruba', lambda p: aruba.Aruba(p, exp_info), ''),
      ('brocade', lambda p: brocade.Brocade(p, exp_info), ''),
      ('arista', lambda p: arista.Arista(p, exp_info), ''),
      ('ipset', lambda p: ipset.Ipset(p, exp_info), ''),
      ('iptables', lambda p: iptables.Iptables(p, exp_info), ''),
      ('nsxv', lambda p: nsxv.Nsxv(p, exp_info), ''),
      ('speedway', lambda p: speedway.Speedway(p, exp_info), ''),
      # pcap yields two files: the accept filter and its inverted deny twin.
      ('pcap', lambda p: pcap.PcapFilter(p, exp_info), '-accept'),
      ('pcap', lambda p: pcap.PcapFilter(p, exp_info, invert=True), '-deny'),
      ('packetfilter', lambda p: packetfilter.PacketFilter(p, exp_info), ''),
      ('windows_advfirewall',
       lambda p: windows_advfirewall.WindowsAdvFirewall(p, exp_info), ''),
      ('srxlo', lambda p: srxlo.SRXlo(p, exp_info), ''),
      ('ciscoxr', lambda p: ciscoxr.CiscoXR(p, exp_info), ''),
      ('nftables', lambda p: nftables.Nftables(p, exp_info), ''),
      ('gce', lambda p: gce.GCE(p, exp_info), ''),
      ('paloalto', lambda p: paloaltofw.PaloAltoFW(p, exp_info), ''),
      ('cloudarmor', lambda p: cloudarmor.CloudArmor(p, exp_info), ''),
  )

  # Every output works on its own deep copy of the parsed policy, taken
  # before any generator runs.
  pending = [
      (copy.deepcopy(pol), build, suffix_prefix)
      for keyword, build, suffix_prefix in render_steps
      if keyword in platforms
  ]

  if not output_directory.endswith('/'):
    output_directory += '/'

  try:
    for pol_copy, build, suffix_prefix in pending:
      if not pol_copy:
        continue
      acl_obj = build(pol_copy)
      acl_text = str(acl_obj)
      if suffix_prefix:
        suffix = suffix_prefix + acl_obj.SUFFIX
      else:
        suffix = acl_obj.SUFFIX
      RenderACL(acl_text, suffix, output_directory, input_file, write_files)
  # TODO(robankeny) add additional errors.
  except (juniper.Error, junipersrx.Error, cisco.Error, ipset.Error,
          iptables.Error, speedway.Error, pcap.Error,
          aclgenerator.Error, aruba.Error, nftables.Error, gce.Error,
          cloudarmor.Error) as e:
    raise ACLGeneratorError(
        'Error generating target ACL for %s:\n%s' % (input_file, e))
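def get_acl(inputs):
    """Generates an ACL using Capirca.

    Args:
        inputs: Module parameters. Reads 'filter_options', 'platform',
            'def_folder' and 'pol_file'; the header template additionally
            substitutes 'comment', 'platform' and 'options'. The dict is
            modified in place: 'options_copy' and 'options' are added.

    Returns:
        ACL string. Empty when 'platform' names none of the generators
        listed below.

    Raises:
        AnsibleError: 'paloalto' or 'srx' was requested with fewer than two
            filter options.
    """
    # NOTE(review): $comment is placed between double quotes without any
    # escaping, so a quote character in inputs['comment'] would end the quoted
    # string early and change what the policy parser sees - confirm that the
    # caller validates it.
    header_base = '''
    header {
        comment:: "$comment"
        target:: $platform $options
    }
    '''

    # Create copy of input options removing any spaces
    inputs['options_copy'] = [
        str(elem).replace(" ", "") for elem in inputs['filter_options']
    ]

    # Add from/to-zone to 'paloalto' and 'srx'.
    # The tuple previously lacked a comma, so the two literals were joined
    # into the single string 'paloaltosrx' and `in` became a substring test
    # that also matched values such as '' or 'alto'.
    if inputs['platform'] in ('paloalto', 'srx'):
        if len(inputs['options_copy']) < 2:
            raise AnsibleError(
                "The number of options for {0} is less than 2".format(
                    inputs['platform']))
        inputs['options_copy'][0] = "from-zone " + inputs['options_copy'][0]
        inputs['options_copy'][1] = "to-zone " + inputs['options_copy'][1]

    # Create option string for header
    inputs['options'] = ' '.join(
        [str(elem) for elem in inputs['options_copy']])

    header_template = Template(header_base)
    header = header_template.safe_substitute(inputs)
    defs = naming.Naming(inputs['def_folder'])
    # Close the policy file deterministically instead of leaving the handle
    # to the garbage collector.
    with open(inputs['pol_file']) as pol_fd:
        terms = pol_fd.read()
    pol = policy.ParsePolicy(header + '\n' + terms, defs, optimize=True)

    # Exp info in weeks
    EXP_INFO = 2

    # List from https://github.com/google/capirca/blob/master/capirca/aclgen.py#L202
    generators = {
        'juniper': juniper.Juniper,
        'cisco': cisco.Cisco,
        'ciscoasa': ciscoasa.CiscoASA,
        'brocade': brocade.Brocade,
        'arista': arista.Arista,
        'aruba': aruba.Aruba,
        'ipset': ipset.Ipset,
        'iptables': iptables.Iptables,
        'nsxv': nsxv.Nsxv,
        'packetfilter': packetfilter.PacketFilter,
        'pcap': pcap.PcapFilter,
        'speedway': speedway.Speedway,
        'srx': junipersrx.JuniperSRX,
        'srxlo': srxlo.SRXlo,
        'windows_advfirewall': windows_advfirewall.WindowsAdvFirewall,
        'ciscoxr': ciscoxr.CiscoXR,
        'nftables': nftables.Nftables,
        'gce': gce.GCE,
        'paloalto': paloaltofw.PaloAltoFW,
        'cloudarmor': cloudarmor.CloudArmor,
    }
    generator = generators.get(inputs['platform'])
    if generator is None:
        # NOTE(review): an unrecognised platform yields an empty ACL rather
        # than an error. Kept for compatibility; callers should treat an
        # empty result as a failure before applying it to a device.
        return ""
    return str(generator(pol, EXP_INFO))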
def testBadProtoError(self):
  """Checks that rendering BAD_PROTO_TERM raises UnsupportedProtoError."""
  parsed = policy.ParsePolicy(GOOD_HEADER + BAD_PROTO_TERM, self.naming)
  pf_acl = packetfilter.PacketFilter(parsed, EXP_INFO)
  # Only str() is under the assertion: the error is expected when the filter
  # is rendered, not while it is constructed.
  with self.assertRaises(packetfilter.UnsupportedProtoError):
    str(pf_acl)
def testBadFlags(self):
  """Checks that rendering TCP_BAD_ESTABLISHED_TERM is rejected."""
  parsed = policy.ParsePolicy(
      GOOD_HEADER + TCP_BAD_ESTABLISHED_TERM, self.naming)
  pf_acl = packetfilter.PacketFilter(parsed, EXP_INFO)
  # Only str() is under the assertion: the error is expected when the filter
  # is rendered, not while it is constructed.
  with self.assertRaises(aclgenerator.UnsupportedFilterError):
    str(pf_acl)
def testInvalidFlags(self):
  """Checks that rendering INVALID_FLAGS_TERM is rejected."""
  parsed = policy.ParsePolicy(GOOD_HEADER + INVALID_FLAGS_TERM, self.naming)
  pf_acl = packetfilter.PacketFilter(parsed, EXP_INFO)
  # Only str() is under the assertion: the error is expected when the filter
  # is rendered, not while it is constructed.
  with self.assertRaises(aclgenerator.UnsupportedFilterError):
    str(pf_acl)