def init(name, raise_on_error=False):
# clear object variables
parser.object_dict.clear()
# init firewall
p_info['firewall'] = Firewall()
p_info['firewall'].name = name
p_info['firewall'].hostname = ntpath.basename(name)
p_info['firewall'].type = 'Iptables'
# create default acl
p_info['firewall'].acl.append(ACL('INPUT'))
p_info['firewall'].acl.append(ACL('FORWARD'))
p_info['firewall'].acl.append(ACL('OUTPUT'))
# init parser state
p_info['current_interface_name'] = None
p_info['used_object'] = set()
p_info['default_policy'] = dict()
p_info['default_policy']['INPUT'] = Action(True)
p_info['default_policy']['FORWARD'] = Action(True)
p_info['default_policy']['OUTPUT'] = Action(True)
p_info['current_chain'] = None
p_info['rule_id'] = 0
p_info['rule_list'] = []
p_info['rule_bind'] = dict()
p_info['current_rule'] = Rule(p_info['rule_id'], None, [], [], [], [], [],
Action(False))
p_info['rule_bind'][p_info['rule_id']] = [None, None]
p_info['current_table'] = None
# raise on error option
p_info['raise_on_error'] = raise_on_error
def p_acl_name_line(p):
'''acl_name_line : FROM_ZONE WORD TO_ZONE WORD LBRACKET'''
global current_acl, cptr
cptr += 1
if current_acl.name != None :
p_info['firewall'].acl.append(current_acl)
current_acl = ACL(None)
current_acl.name = p[2] + '-' + p[4]
def p_acl_name_line(p):
'''acl_name_line : FROM_ZONE WORD TO_ZONE WORD LBRACKET'''
global current_acl, cptr
cptr += 1
if current_acl.name != None:
p_info['firewall'].acl.append(current_acl)
current_acl = ACL(None)
current_acl.name = p[2] + '-' + p[4]
def finish():
my_parser = IptablesParser()
# select the 3 main nodes
input_node = my_parser.get_node("INPUT")
output_node = my_parser.get_node("OUTPUT")
forward_node = my_parser.get_node("FORWARD")
# create every path from the 3 nodes
input_path_list = my_parser.create_all_path_from_node(input_node)
output_path_list = my_parser.create_all_path_from_node(output_node)
forward_path_list = my_parser.create_all_path_from_node(forward_node)
# create the rules which correspond to the path list
input_rules = my_parser.get_rules_from_path_list(input_path_list)
output_rules = my_parser.get_rules_from_path_list(output_path_list)
forward_rules = my_parser.get_rules_from_path_list(forward_path_list)
# add the rule for default drop or accept
input_rules.append(my_parser.get_general_rule(input_node))
output_rules.append(my_parser.get_general_rule(output_node))
forward_rules.append(my_parser.get_general_rule(forward_node))
# create the fw
acl_input = ACL("INPUT")
acl_input.rules = input_rules
acl_output = ACL("OUTPUT")
acl_output.rules = output_rules
acl_forward = ACL("FORWARD")
acl_forward.rules = forward_rules
new_fw = Firewall()
new_fw.acl = [acl_input, acl_output, acl_forward]
new_fw.hostname = my_parser.instance.filename
new_fw.name = my_parser.instance.filename
my_parser.instance.fw.append(new_fw)
def get_acl_by_name_2(firewall, acl_name):
acl = firewall.get_acl_by_name(acl_name)
if acl == None:
acl = ACL(acl_name)
for rule in firewall.unbounded_rules:
print rule.name, acl_name
acl.rules = [rule for rule in firewall.unbounded_rules if rule.name == acl_name]
acl.firewall = firewall
return acl
else:
return acl
def insert_rule():
if p_info['policy_zone_src'] and p_info['policy_zone_dst']:
acl = p_info['firewall'].get_acl_by_name(p_info['policy_zone_src'] +
'-' +
p_info['policy_zone_dst'])
if not acl:
acl = ACL(p_info['policy_zone_src'] + '-' +
p_info['policy_zone_dst'])
p_info['firewall'].acl.append(acl)
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(
acl, p_info['firewall'],
p_info['firewall'].get_interface_by_name(
p_info['policy_zone_src']),
p_info['firewall'].get_interface_by_name(
p_info['policy_zone_dst']))
if p_info['index_rule'] != -1:
acl.rules.insert(p_info['index_rule'], p_info['current_policy'])
else:
acl.rules.append(p_info['current_policy'])
else:
for acl in p_info['firewall'].acl:
acl.rules.append(p_info['current_policy'])
p_info['current_policy'] = Rule(0, "", [], [], [], [], [], False)
p_info['policy_zone_src'] = None
p_info['policy_zone_dst'] = None
p_info['index_rule'] = -1
def finish_fw(acls):
for fw in firewalls:
p_info['firewall'] = Firewall()
p_info['firewall'].name = p_info['name']
p_info['firewall'].hostname = fw['name']
p_info['firewall'].type = 'CheckPoint'
p_info['firewall'].unused_objects = set(unused_objects)
p_info['firewall'].dictionnary = dict(nd)
if fw['ifaces']:
for iface in fw['ifaces']:
p_info['firewall'].interfaces.append(Interface(iface['name'], Ip(iface['ipaddr'], iface['netmask']),
iface['index']))
for name, acl in acls.iteritems():
if name == p_info['firewall'].hostname:
newAcl = ACL(name)
newAcl.rules = acl
p_info['firewall'].acl.append(newAcl)
p_info['firewall_list'].append(p_info['firewall'])
def add_rule(rule):
acl = p_info['firewall'].get_acl_by_name(p_info['srcintf'] + '-' + p_info['dstintf'])
if not acl:
acl = ACL(p_info['srcintf'] + '-' + p_info['dstintf'])
p_info['firewall'].acl.append(acl)
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl,
p_info['firewall'],
p_info['firewall'].get_interface_by_nameif(p_info['srcintf']),
p_info['firewall'].get_interface_by_nameif(p_info['dstintf']))
acl.rules.append(rule)
def finish():
my_parser = IptablesParser()
# select the 3 main nodes
input_node = my_parser.get_node("INPUT")
output_node = my_parser.get_node("OUTPUT")
forward_node = my_parser.get_node("FORWARD")
# create every path from the 3 nodes
input_path_list = my_parser.create_all_path_from_node(input_node)
output_path_list = my_parser.create_all_path_from_node(output_node)
forward_path_list = my_parser.create_all_path_from_node(forward_node)
# create the rules which correspond to the path list
input_rules = my_parser.get_rules_from_path_list(input_path_list)
output_rules = my_parser.get_rules_from_path_list(output_path_list)
forward_rules = my_parser.get_rules_from_path_list(forward_path_list)
# add the rule for default drop or accept
input_rules.append(my_parser.get_general_rule(input_node))
output_rules.append(my_parser.get_general_rule(output_node))
forward_rules.append(my_parser.get_general_rule(forward_node))
# create the fw
acl_input = ACL("INPUT")
acl_input.rules = input_rules
acl_output = ACL("OUTPUT")
acl_output.rules = output_rules
acl_forward = ACL("FORWARD")
acl_forward.rules = forward_rules
new_fw = Firewall()
new_fw.acl = [acl_input, acl_output, acl_forward]
new_fw.hostname = my_parser.instance.filename
new_fw.name = my_parser.instance.filename
new_fw.type = "Iptables"
my_parser.instance.fw.append(new_fw)
def finish_fw(acls):
for fw in firewalls:
p_info['firewall'] = Firewall()
p_info['firewall'].name = p_info['name']
p_info['firewall'].hostname = fw['name']
p_info['firewall'].type = 'CheckPoint'
p_info['firewall'].unused_objects = set(unused_objects)
p_info['firewall'].dictionnary = dict(nd)
if fw['ifaces']:
for iface in fw['ifaces']:
p_info['firewall'].interfaces.append(
Interface(iface['name'],
Ip(iface['ipaddr'], iface['netmask']),
iface['index']))
for name, acl in acls.iteritems():
if name == p_info['firewall'].hostname:
newAcl = ACL(name)
newAcl.rules = acl
p_info['firewall'].acl.append(newAcl)
p_info['firewall_list'].append(p_info['firewall'])
def p_access_group_line_1(p):
'''access_group_line : ACCESS_GROUP item IN INTERFACE item optitem
| ACCESS_GROUP item OUT INTERFACE item optitem'''
interface = p_info['firewall'].get_interface_by_name(p[5])
firewall = p_info['firewall']
acl = firewall.get_acl_by_name(p[2])
if not acl:
acl = ACL(p[2])
p_info['firewall'].acl.append(acl)
p_info['bounded_rules'].add(p[2])
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, interface, firewall)
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, firewall, interface)
def add_rule(rule):
for src_itf in p_info['srcintf']:
for dst_itf in p_info['dstintf']:
acl = p_info['firewall'].get_acl_by_name(src_itf + '-' + dst_itf)
if not acl:
acl = ACL(src_itf + '-' + dst_itf)
p_info['firewall'].acl.append(acl)
s_itf = None
d_itf = None
for itf, vdom_name in p_info['interface_list']:
if itf.nameif == src_itf:
s_itf = itf
elif itf.nameif == dst_itf:
d_itf = itf
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(
acl, p_info['firewall'], s_itf, d_itf)
acl.rules.append(rule)
def get_acl(src, dst, firewall, name):
source = src.network if isinstance(src, Interface) else src
destination = dst.network if isinstance(dst, Interface) else dst
acl = NetworkGraph.NetworkGraph.NetworkGraph().get_acl_list(
source, destination, firewall)
# create acl name distinction with interface name
acl_name = name
acl_name += ' ' if isinstance(src, Interface) or isinstance(
dst, Interface) else ''
acl_name += src.name if isinstance(src, Interface) else ''
acl_name += '-' if isinstance(src, Interface) and isinstance(
dst, Interface) else ''
acl_name += dst.name if isinstance(dst, Interface) else ''
for a in acl:
if a.name == acl_name:
return a
# if no acl create it
acl = ACL(acl_name)
NetworkGraph.NetworkGraph.NetworkGraph().bind_acl(acl, firewall, src, dst)
return acl
def p_new_chain_cmd(p):
'''new_chain_cmd : NEW_CHAIN chain'''
if p_info['current_table'] == 'filter':
p_info['firewall'].acl.append(ACL(p[2]))
networks_set = []
services = []
services_set = []
current_service = {}
current_set = {}
policies = []
cptr = 0
zones = []
current_acl = ACL(None)
current_iface = Interface(None)
current_sub_iface = Interface(None)
ifaces = []
# Use for construct dictionary of object and object group
object_dict = {}
# Use for detect state
p_info = {
'firewall': Firewall(),
'current_policy': Rule(0, "", [], [], [], [], [], Action(False)),
'context_policy': Rule(0, "", [], [], [], [], [], Action(False)),
'policy_zone_src': None,
'policy_zone_dst': None,
def p_chain_line2(p):
'''chain_line : COLON chain DROP SQUARE_BRACKET NUMBER COLON NUMBER SQUARE_BRACKET'''
if p_info['current_table'] == 'filter' and not find_chain_by_name(p[2]):
p_info['firewall'].acl.append(ACL(p[2]))
p_info['default_policy'][p[2]] = Action(False)
def p_chain_line3(p):
'''chain_line : COLON chain WORD SQUARE_BRACKET NUMBER COLON NUMBER SQUARE_BRACKET'''
if p_info['current_table'] == 'filter' and not find_chain_by_name(p[2]):
p_info['firewall'].acl.append(ACL(p[2]))