def __init__(self, ctx, net, a, f, endhosts):
self.ctx = ctx
self.net = net
self.a = a
self.firewalls = f
self.endhosts = endhosts
self.check = components.PropertyChecker(ctx, net)
def __init__ (self, outside, quarantine, fw, ctx, net): self.outside = outside self.quarantine = quarantine self.fw = fw self.ctx = ctx self.net = net self.check = components.PropertyChecker(ctx, net)
def __init__ (self, net, ctx, a, b, p):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.p = p
self.check = components.PropertyChecker (ctx, net)
def __init__ (self, net, ctx, **nodes):
self.net = net
self.ctx = ctx
for k, v in nodes.iteritems():
setattr(self, k, v)
self.participants = nodes.values()
self.check = components.PropertyChecker (ctx, net)
def __init__(self, outside, dmz, fw, ctx, net):
self.outside = outside
self.dmz = dmz
self.fw = fw
self.ctx = ctx
self.net = net
self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, a, b, w0, w1):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.w0 = w0
self.w1 = w1
self.check = components.PropertyChecker(ctx, net)
def __init__ (self, net, ctx, a, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.c = c
self.f = f
self.p = p
self.check = components.PropertyChecker (ctx, net)
def __init__ (self, net, ctx, cc, f, endhosts):
self.net = net
self.ctx = ctx
self.cc = cc
self.f = f
self.s0 = s0
self.endhosts = endhosts
self.check = components.PropertyChecker (ctx, net)
def __init__(self, net, ctx, dpi_policy, comp, **nodes):
self.net = net
self.ctx = ctx
self.dpi_policy = dpi_policy
self.comp = comp
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, e0, e1, **nodes):
self.net = net
self.ctx = ctx
self.e0 = e0
self.e1 = e1
for k, v in nodes.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker(ctx, net)
def __init__(self):
self.net = net
self.ctx = ctx
self.fws = fw_concrete
self.shunts = shunt_concrete
self.ids = ids_concrete
self.hosts = host_concrete
self.checker = components.PropertyChecker(ctx, net)
def __init__ (self, net, ctx, e0, e1, f, lsrrs):
self.net = net
self.ctx = ctx
self.e0 = e0
self.e1 = e1
self.f = f
self.lsrrs = lsrrs
self.check = components.PropertyChecker (ctx, net)
def __init__(self, net, ctx, a, b, l, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.l = l
self.f = f
self.check = components.PropertyChecker(ctx, net)
def __init__ (self, outside, firewalls, quarantine, hosts, dmz, ctx, net): self.outside = outside self.firewall = firewalls self.quarantine = quarantine self.hosts = hosts self.dmz = dmz self.ctx = ctx self.net = net self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, a, b, c, d, fw):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.d = d
self.fw = fw
self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, hosts, f0, f1, f2, f3):
self.net = net
self.ctx = ctx
self.f0 = f0
self.f1 = f1
self.f2 = f2
self.f3 = f3
self.hosts = hosts
self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, a, s, p, f, others):
self.net = net
self.ctx = ctx
self.a = a
self.s = s
self.f = f
self.p = p
self.others = others
self.check = components.PropertyChecker(ctx, net)
def __init__(self):
self.outside = outside_concrete
self.hosts = host_concrete
self.firewalls = firewall_concrete
self.net = net
self.ctx = ctx
self.fabric = fabric_concrete[0]
self.checker = components.PropertyChecker(ctx, net)
self.sgroup = sgpolicy
def __init__(self, net, ctx, a, b, w0, w1, d, dpi_policy):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.d = d
self.dpi_policy = dpi_policy
self.w0 = w0
self.w1 = w1
self.check = components.PropertyChecker(ctx, net)
def __init__(self, net, ctx, a, b, c, p, f):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.c = c
self.p = p
self.f = f
self.check = components.PropertyChecker(ctx, net)
self.participants = [a, b, p]
def __init__(self):
self.net = net
self.ctx = ctx
self.a = a
self.b = b
self.m = m
self.fw = fw
self.check = components.PropertyChecker(ctx, net)
self.other_mb = other_permbox_pm
self.other_eh = other_endhosts_eh
def __init__(self):
self.servers = servers
self.lbs_out = lbs_out
self.lbs_in = lbs_in
self.fws_out = fws_out
self.fws_in = fws_in
self.dpis = dpis
self.ctx = ctx
self.network = net
self.check = components.PropertyChecker(ctx, net)
self.addresses = dict([(str(x), y) for (x, y) in address_mapping])
def TwoLearningFw():
""" A proxy and two firewalls. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw1', 'fw2', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f1', 'ip_f2', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw1, ctx.ip_f1), \
(fw2, ctx.ip_f2), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f1, ctx.ip_f2]
net.RoutingTable(a, [(x, fw1) for x in addresses])
net.RoutingTable(b, [(x, fw1) for x in addresses])
net.RoutingTable(c, [(x, fw2) for x in addresses])
net.RoutingTable(d, [(x, fw2) for x in addresses])
net.RoutingTable(fw1, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p), \
(ctx.ip_f2, p)])
net.RoutingTable(fw2, [(ctx.ip_a, p), \
(ctx.ip_b, p), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f1, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw1), \
(ctx.ip_b, fw1), \
(ctx.ip_c, fw2), \
(ctx.ip_d, fw2), \
(ctx.ip_f1, fw1), \
(ctx.ip_f2, fw2)])
fw1.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
fw2.AddAcls([(ctx.ip_c, ctx.ip_a), (ctx.ip_d, ctx.ip_b)])
net.Attach(a, b, c, d, fw1, fw2, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def dpiFw():
"""DPI Firewall. Everything is UNSAT since no bad packets make it through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f'])
dpi_policy = components.DPIPolicy('hate_bad')
ctx.AddPolicy(dpi_policy)
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.IPS(dpi_policy, ctx.fw, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, fw) for x in addresses])
net.RoutingTable(d, [(x, fw) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, c), \
(ctx.ip_d, d)])
#fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_c, ctx.ip_a), (ctx.ip_b, ctx.ip_d), (ctx.ip_d, ctx.ip_b)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return dict(ctx=ctx,
net=net,
endhosts=endhosts,
policy=dpi_policy,
check=check)
def withProxySat():
""" A proxy and a firewall. This results in a SAT result, i.e. the packet goes through
since the proxy is used to send information through"""
ctx = components.Context (['a', 'b', 'c', 'd', 'fw', 'p'],\
['ip_a', 'ip_b', 'ip_c', 'ip_d', 'ip_f', 'ip_p'])
net = components.Network(ctx)
a = components.EndHost(ctx.a, net, ctx)
b = components.EndHost(ctx.b, net, ctx)
c = components.EndHost(ctx.c, net, ctx)
d = components.EndHost(ctx.d, net, ctx)
fw = components.AclFirewall(ctx.fw, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.setAddressMappings([(a, ctx.ip_a), \
(b, ctx.ip_b), \
(c, ctx.ip_c), \
(d, ctx.ip_d), \
(fw, ctx.ip_f), \
(p, ctx.ip_p)])
addresses = [ctx.ip_a, ctx.ip_b, ctx.ip_c, ctx.ip_d, ctx.ip_f]
net.RoutingTable(a, [(x, fw) for x in addresses])
net.RoutingTable(b, [(x, fw) for x in addresses])
net.RoutingTable(c, [(x, p) for x in addresses])
net.RoutingTable(d, [(x, p) for x in addresses])
net.RoutingTable(fw, [(ctx.ip_a, a), \
(ctx.ip_b, b), \
(ctx.ip_c, p), \
(ctx.ip_d, p), \
(ctx.ip_p, p)])
net.RoutingTable(p, [(ctx.ip_a, fw), \
(ctx.ip_b, fw), \
(ctx.ip_c, c), \
(ctx.ip_d, d), \
(ctx.ip_f, fw)])
fw.AddAcls([(ctx.ip_a, ctx.ip_c), (ctx.ip_b, ctx.ip_d)])
net.Attach(a, b, c, d, fw, p)
endhosts = [a, b, c, d]
check = components.PropertyChecker(ctx, net)
return (endhosts, check)
def __init__(self):
self.net = net
self.ctx = ctx
self.fws = fw_concrete
self.shunts = shunt_concrete
self.ids = ids_concrete
self.pub = host_concrete[:npub]
self.priv = host_concrete[npub:npub + npriv]
self.quarantine = host_concrete[npub + npriv:]
self.checker = components.PropertyChecker(ctx, net)
self.sgpolicy = sgpolicy
self.fabric = fabric_concrete[0]
self.peers = peering_concrete
self.nodes = []
self.nodes.extend(self.fws)
self.nodes.extend(self.shunts)
self.nodes.extend(self.ids)
self.nodes.extend(self.pub)
self.nodes.extend(self.priv)
self.nodes.extend(self.quarantine)
self.nodes.extend(self.peers)
def TrivialPolicyTest():
"""This policy test just uses a simple scheme of the following form:
A - fw1 - p - fw2 - B
C - fw3 /
src, dest are strings representing the source and destination between which we
want to test isolation between"""
nodes = ['A', 'fw1', 'p', 'fw2', 'B', 'C', 'fw3']
addresses = map(lambda n: 'a_%s' % (n), nodes)
ctx = components.Context(nodes, addresses)
net = components.Network(ctx)
nodes_dict = {n: getattr(ctx, n) for n in nodes}
address_dict = {a: getattr(ctx, a) for a in addresses}
net.setAddressMappings([(nodes_dict[n], address_dict['a_%s' % (n)])
for n in nodes])
# TODO: For now we cheat and just care about only one set. We can deal with several of them later
A = components.EndHost(ctx.A, net, ctx)
B = components.EndHost(ctx.B, net, ctx)
fw1 = components.AclFirewall(ctx.fw1, net, ctx)
fw2 = components.AclFirewall(ctx.fw2, net, ctx)
p = components.WebProxy(ctx.p, net, ctx)
net.SetGateway(A, fw1)
net.SetGateway(B, fw2)
net.RoutingTable(fw1, [(ctx.a_A, A), (ctx.a_B, p), (ctx.a_p, p),
(ctx.a_C, p)])
net.RoutingTable(fw2, [(ctx.a_B, B), (ctx.a_p, p), (ctx.a_A, p),
(ctx.a_C, p)])
net.RoutingTable(p, [(ctx.a_B, fw2), (ctx.a_A, fw1)])
fw1.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
fw2.AddAcls([(ctx.a_A, ctx.a_B), (ctx.a_B, ctx.a_A)])
net.SetIsolationConstraint(fw1, [A, p])
net.SetIsolationConstraint(fw2, [B, p])
net.SetIsolationConstraint(p, [fw1, fw2, ctx.fw3])
import z3
n0 = z3.Const('__triv_node_0', ctx.node)
n1 = z3.Const('__triv_node_1', ctx.node)
p0 = z3.Const('__triv_packet_0', ctx.packet)
# This is a part of policy?
net.Attach(A, B, fw1, fw2, p)
check = components.PropertyChecker(ctx, net)
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(ctx.packet.origin(p0) == ctx.A.z3Node))))
check.AddExternalConstraints( \
z3.ForAll([n0, n1, p0], \
z3.Implies( \
z3.And(ctx.send(n0, n1, p0),\
z3.Or(n0 == ctx.C.z3Node, \
n0 == ctx.fw3.z3Node)), \
z3.Not(z3.Or(ctx.packet.src(p0) == ctx.a_A, ctx.packet.src(p0) == ctx.a_B)))))
res = check.CheckIsolationProperty(A, B)
return res, check, ctx
def __init__ (self, net, ctx, **objdict):
self.net = net
self.ctx = ctx
for k, v in objdict.iteritems():
setattr(self, k, v)
self.check = components.PropertyChecker (ctx, net)
