def testMatchDIP(self):
    """Check filtering by the third constructor argument alone.

    Judging by the test name, that argument is the destination address.
    Only the entry whose second network (224.1.0.0/16) contains
    224.1.156.12 is expected to match. The ``any any`` entry is expected
    NOT to match with these arguments, so a search built this way does
    not surface catch-all rules; testMatchAny exercises the flag that
    does.
    """
    grepper = ACLGrepper(None, None, "224.1.156.12")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.2.3.102/16 eq 4711"),
        (False, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchSIP(self):
    """Check filtering by the first constructor argument alone.

    Judging by the test name, that argument is the source address.
    192.168.2.12 must be found inside ``192.168.2.0 255.255.255.0`` and
    must not be found inside ``192.168.0.0 255.255.255.0``. With these
    arguments an ``any any`` entry is expected not to match.
    """
    grepper = ACLGrepper("192.168.2.12")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "access-list acl762 line 2 extended permit ip 192.168.2.0 255.255.255.0 10.221.34.0 255.255.255.0 (hitcnt=9) 0xfe82efcc"),
        (False, "access-list acl762 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.221.34.0 255.255.255.0 (hitcnt=9) 0xfe82efcc"),
        (False, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchICMP(self):
    """Check filtering by protocol ``icmp`` (fifth constructor argument).

    An ``ip`` entry is expected to match as well as an ``icmp`` entry,
    because a rule written for ``ip`` also covers ICMP traffic. ``udp``
    and ``tcp`` entries must not match.
    """
    grepper = ACLGrepper(None, None, None, None, "icmp")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "10 permit ip 10.221.224.120/29 224.1.2.102/16"),
        (True, "10 permit icmp 10.221.224.120/29 224.1.2.102/16"),
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "10 permit tcp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchReal(self):
    """Check a realistic four-value query against wildcard-mask entries.

    The first entry matches: 10.221.216.201 lies in
    ``10.221.216.200 0.0.0.1``, 5401 lies in ``range 5400 5413`` and 1024
    satisfies ``gt 1023``. The second entry differs only in its port
    clauses and must not match.

    NOTE(review): the matching entry ends in ``established``. The
    assertion shows that keyword does not prevent a match, so a hit
    here means the entry covers the flow, not that a new connection
    would be allowed.
    """
    grepper = ACLGrepper("10.221.216.201", "5401", "10.221.69.143", "1024")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "permit tcp 10.221.216.200 0.0.0.1 range 5400 5413 host 10.221.69.143 gt 1023 established"),
        (False, "permit tcp 10.221.216.200 0.0.0.1 gt 1023 host 10.221.69.143 eq 22"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchAny(self):
    """Check that ``any`` counts as a match when the sixth argument is True.

    The filter value 192.168.2.12 is passed first (presumably the source
    address). Entries whose first address field is ``any`` must match. An
    entry whose first address field is ``host 10.1.1.1`` must not, even
    though its second field is ``any``.

    All three lines are ``deny`` entries, so a True result means "this
    entry applies to the address", not "this traffic is permitted".
    """
    grepper = ACLGrepper("192.168.2.12", None, None, None, None, True)
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (True, "access-list aclXFG line 46 extended deny udp any host 10.1.1.1 eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "access-list aclXFG line 46 extended deny udp host 10.1.1.1 any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testNamedPorts(self):
    """Check that symbolic port names in an entry are compared numerically.

    The query asks for ports "80" and "22" (second and fourth argument).
    Only the entry written as ``eq www ... eq ssh`` is expected to match.
    The entries using ``ssh``/``telnet`` and ``ftp``/``ssh`` must not.
    """
    grepper = ACLGrepper(None, "80", None, "22")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (False, "10 permit udp 10.221.224.120/29 eq ssh 224.1.2.102/16 eq telnet"),
        (False, "10 permit tcp 10.221.224.120/29 eq ftp 224.1.2.102/16 eq ssh"),
        (True, "10 permit tcp 10.221.224.120/29 eq www 224.1.2.102/16 eq ssh"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchTCP(self):
    """Check filtering by protocol ``tcp`` (fifth constructor argument).

    ``ip`` and ``tcp`` entries are expected to match. ``icmp`` and
    ``udp`` entries are not. The first input line deliberately keeps its
    trailing space.
    """
    grepper = ACLGrepper(None, None, None, None, "tcp")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "10 permit ip 10.221.224.120/29 224.1.2.102/16 "),
        (False, "10 permit icmp 10.221.224.120/29 224.1.2.102/16"),
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (True, "10 permit tcp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testPortsOnly(self):
    """Check a query that specifies only ports ("4711" and "124").

    Entries whose port clauses disagree with the query must not match.
    An entry that omits a port clause on either side, or on both, is
    expected to match, because an entry without a port restriction
    covers every port.
    """
    grepper = ACLGrepper(None, "4711", None, "124")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "10 permit tcp 10.221.224.120/29 eq 124 224.1.2.102/16 eq 124"),
        (True, "10 permit tcp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 124"),
        (True, "10 permit tcp 10.221.224.120/29 224.1.2.102/16 eq 124"),
        (True, "10 permit tcp 10.221.224.120/29 eq 4711 224.1.2.102/16"),
        (True, "10 permit tcp 10.221.224.120/29 224.1.2.102/16"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchDIP(self):
    """Check filtering by the third constructor argument alone.

    Judging by the test name, that argument is the destination address.
    Only the entry whose second network (224.1.0.0/16) contains
    224.1.156.12 is expected to match. The ``any any`` entry is expected
    NOT to match with these arguments, so a search built this way does
    not surface catch-all rules; testMatchAny exercises the flag that
    does.
    """
    grepper = ACLGrepper(None, None, "224.1.156.12")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.2.3.102/16 eq 4711"),
        (False, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchSIP(self):
    """Check filtering by the first constructor argument alone.

    Judging by the test name, that argument is the source address.
    192.168.2.12 must be found inside ``192.168.2.0 255.255.255.0`` and
    must not be found inside ``192.168.0.0 255.255.255.0``. With these
    arguments an ``any any`` entry is expected not to match.
    """
    grepper = ACLGrepper("192.168.2.12")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "access-list acl762 line 2 extended permit ip 192.168.2.0 255.255.255.0 10.221.34.0 255.255.255.0 (hitcnt=9) 0xfe82efcc"),
        (False, "access-list acl762 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.221.34.0 255.255.255.0 (hitcnt=9) 0xfe82efcc"),
        (False, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchSPort(self):
    """Check the port operators against a query for port "123".

    The query is built from address 192.168.2.12 and port "123" (first
    and second argument, presumably source address and source port).
    Every operator is exercised on the first port clause of the entry:
    ``any``, ``eq`` (including a list of ports), ``neq``, ``gt``, ``lt``
    and ``range``. The second port clause varies to show that it does
    not decide the result by itself.

    NOTE(review): the ``range`` inputs carry a third number after the two
    bounds. The expectations follow the two bounds only, so that extra
    token appears to be ignored; confirm against the parser.
    """
    grepper = ACLGrepper("192.168.2.12", "123")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        # any
        (True, "10 permit udp 192.168.2.0/24 any 224.0.0.102/32 eq 4711"),
        # eq
        (False, "10 permit udp 192.168.2.0/24 eq 4711 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 eq 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 eq 4711 224.0.0.102/32 eq 123"),
        (True, "10 permit udp 192.168.2.0/24 eq 88 99 123 125 224.0.0.102/32 eq 4711"),
        # neq
        (True, "10 permit udp 192.168.2.0/24 neq 4711 224.0.0.102/32 neq 4711"),
        (False, "10 permit udp 192.168.2.0/24 neq 123 224.0.0.102/32 neq 4711"),
        (True, "10 permit udp 192.168.2.0/24 neq 4711 224.0.0.102/32 neq 123"),
        # gt
        (False, "10 permit udp 192.168.2.0/24 gt 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 gt 122 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 gt 4711 224.0.0.102/32 gt 90"),
        # lt
        (False, "10 permit udp 192.168.2.0/24 lt 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 lt 124 224.0.0.102/32 lt 4711"),
        (False, "10 permit udp 192.168.2.0/24 lt 100 224.0.0.102/32 lt 900"),
        # range
        (False, "10 permit udp 192.168.2.0/24 range 100 120 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 range 130 150 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 range 100 140 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 range 100 120 123 224.0.0.102/32 range 100 150"),
        # not an ACL entry at all
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testMatchAny(self):
    """Check that ``any`` counts as a match when the sixth argument is True.

    The filter value 192.168.2.12 is passed first (presumably the source
    address). Entries whose first address field is ``any`` must match. An
    entry whose first address field is ``host 10.1.1.1`` must not, even
    though its second field is ``any``.

    All three lines are ``deny`` entries, so a True result means "this
    entry applies to the address", not "this traffic is permitted".
    """
    grepper = ACLGrepper("192.168.2.12", None, None, None, None, True)
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "access-list aclXFG line 46 extended deny udp any any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (True, "access-list aclXFG line 46 extended deny udp any host 10.1.1.1 eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
        (False, "access-list aclXFG line 46 extended deny udp host 10.1.1.1 any eq netbios-ns (hitcnt=920296) 0x4c3b867e"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testNoICMPWhenPortGivenEvenIfAny(self):
    """Check that a port query excludes ``icmp`` entries.

    The protocol argument is "any", but ports "80"/"80" are also given.
    An ``icmp`` entry has no ports, so it is expected not to match.
    """
    grepper = ACLGrepper(None, "80", None, "80", "any")
    icmp_entry = "10 permit icmp 10.221.224.120/29 224.1.2.102/16"
    matched = grepper.grep(icmp_entry)
    self.assertFalse(matched)
def testMatchReal(self):
    """Check a realistic four-value query against wildcard-mask entries.

    The first entry matches: 10.221.216.201 lies in
    ``10.221.216.200 0.0.0.1``, 5401 lies in ``range 5400 5413`` and 1024
    satisfies ``gt 1023``. The second entry differs only in its port
    clauses and must not match.

    NOTE(review): the matching entry ends in ``established``. The
    assertion shows that keyword does not prevent a match, so a hit
    here means the entry covers the flow, not that a new connection
    would be allowed.
    """
    grepper = ACLGrepper("10.221.216.201", "5401", "10.221.69.143", "1024")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (True, "permit tcp 10.221.216.200 0.0.0.1 range 5400 5413 host 10.221.69.143 gt 1023 established"),
        (False, "permit tcp 10.221.216.200 0.0.0.1 gt 1023 host 10.221.69.143 eq 22"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testNamedPorts(self):
    """Check that symbolic port names in an entry are compared numerically.

    The query asks for ports "80" and "22" (second and fourth argument).
    Only the entry written as ``eq www ... eq ssh`` is expected to match.
    The entries using ``ssh``/``telnet`` and ``ftp``/``ssh`` must not.
    """
    grepper = ACLGrepper(None, "80", None, "22")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (False, "10 permit udp 10.221.224.120/29 eq ssh 224.1.2.102/16 eq telnet"),
        (False, "10 permit tcp 10.221.224.120/29 eq ftp 224.1.2.102/16 eq ssh"),
        (True, "10 permit tcp 10.221.224.120/29 eq www 224.1.2.102/16 eq ssh"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testNoICMPWhenPortGivenEvenIfAny(self):
    """Check that a port query excludes ``icmp`` entries.

    The protocol argument is "any", but ports "80"/"80" are also given.
    An ``icmp`` entry has no ports, so it is expected not to match.
    """
    grepper = ACLGrepper(None, "80", None, "80", "any")
    icmp_entry = "10 permit icmp 10.221.224.120/29 224.1.2.102/16"
    matched = grepper.grep(icmp_entry)
    self.assertFalse(matched)
def setUp(self):
    """Create the ACLGrepper instance shared by the generic tests."""
    # No filter values are passed: per the original author's note, the
    # constructor parameters do not matter for the generic tests.
    helper = ACLGrepper()
    self.ag = helper
class patterns(unittest.TestCase):
    """Tests for ACLGrepper's address-parsing and containment helpers."""

    def setUp(self):
        """Create the ACLGrepper instance used by every test."""
        # the parameters do not matter for the generic tests
        self.ag = ACLGrepper()

    def testIpToBits(self):
        """ip_to_bits maps a dotted quad to its 32-bit integer value."""
        # Sweep all 256 octet values, using the same value in every octet.
        for octet in range(256):
            dotted = "%d.%d.%d.%d" % (octet, octet, octet, octet)
            expected = (octet << 24) | (octet << 16) | (octet << 8) | octet
            self.assertEqual(expected, self.ag.ip_to_bits(dotted))

        # Malformed input must raise ValueError rather than yield a
        # number: an octet out of range, a non-numeric string, an empty
        # string.
        for malformed in ("256.0.0.0", "a", ""):
            self.assertRaises(ValueError, self.ag.ip_to_bits, malformed)

    def testIpMaskPair(self):
        """ip_and_mask_to_pair returns an (address, netmask) integer pair."""
        to_pair = self.ag.ip_and_mask_to_pair

        # Known values.
        self.assertEqual((0x0a000000, 0xff000000),
                         to_pair("10.0.0.0 255.0.0.0"))
        self.assertEqual((0xc0a80200, 0xfffffc00),
                         to_pair("192.168.2.0 255.255.252.0"))

        # Space and slash are interchangeable separators.
        self.assertEqual(to_pair("192.168.2.0 255.255.255.0"),
                         to_pair("192.168.2.0/255.255.255.0"))

        # A subnet mask and the equivalent wildcard (inverted) mask give
        # the same pair, so the helper has to guess which form it is.
        self.assertEqual(to_pair("192.168.2.0 255.255.255.0"),
                         to_pair("192.168.2.0 0.0.0.255"))

        # full bits -> interpret as host TODO: is this correct?
        # NOTE(review): read as a wildcard mask, 255.255.255.255 means
        # "any address"; read as a subnet mask it means one host. The
        # host reading pinned here would hide such an entry from an
        # address search if the ACL uses wildcard masks. Confirm.
        self.assertEqual((0x0a020304, 0xffffffff),
                         to_pair("10.2.3.4 255.255.255.255"))

        # no bits -> host (the wildcard-mask reading of 0.0.0.0)
        self.assertEqual((0x0a010101, 0xffffffff),
                         to_pair("10.1.1.1/0.0.0.0"))

    def testIpCidrPair(self):
        """ip_and_cidr_to_pair expands a prefix length into a netmask."""
        to_pair = self.ag.ip_and_cidr_to_pair
        self.assertEqual((0x0a000000, 0xff000000), to_pair("10.0.0.0/8"))
        self.assertEqual((0xc0a80200, 0xfffffc00), to_pair("192.168.2.0/22"))

    def testIpInNet(self):
        """ip_in_net tests an address against an (address, netmask) pair."""
        host = 0x0a010101  # 10.1.1.1
        # Inside 10.0.0.0/8.
        self.assertTrue(self.ag.ip_in_net(host, (0x0a000000, 0xff000000)))
        # Outside 10.0.0.0/24.
        self.assertFalse(self.ag.ip_in_net(host, (0x0a000000, 0xffffff00)))
def testMatchSPort(self):
    """Check the port operators against a query for port "123".

    The query is built from address 192.168.2.12 and port "123" (first
    and second argument, presumably source address and source port).
    Every operator is exercised on the first port clause of the entry:
    ``any``, ``eq`` (including a list of ports), ``neq``, ``gt``, ``lt``
    and ``range``. The second port clause varies to show that it does
    not decide the result by itself.

    NOTE(review): the ``range`` inputs carry a third number after the two
    bounds. The expectations follow the two bounds only, so that extra
    token appears to be ignored; confirm against the parser.
    """
    grepper = ACLGrepper("192.168.2.12", "123")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        # any
        (True, "10 permit udp 192.168.2.0/24 any 224.0.0.102/32 eq 4711"),
        # eq
        (False, "10 permit udp 192.168.2.0/24 eq 4711 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 eq 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 eq 4711 224.0.0.102/32 eq 123"),
        (True, "10 permit udp 192.168.2.0/24 eq 88 99 123 125 224.0.0.102/32 eq 4711"),
        # neq
        (True, "10 permit udp 192.168.2.0/24 neq 4711 224.0.0.102/32 neq 4711"),
        (False, "10 permit udp 192.168.2.0/24 neq 123 224.0.0.102/32 neq 4711"),
        (True, "10 permit udp 192.168.2.0/24 neq 4711 224.0.0.102/32 neq 123"),
        # gt
        (False, "10 permit udp 192.168.2.0/24 gt 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 gt 122 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 gt 4711 224.0.0.102/32 gt 90"),
        # lt
        (False, "10 permit udp 192.168.2.0/24 lt 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 lt 124 224.0.0.102/32 lt 4711"),
        (False, "10 permit udp 192.168.2.0/24 lt 100 224.0.0.102/32 lt 900"),
        # range
        (False, "10 permit udp 192.168.2.0/24 range 100 120 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 range 130 150 123 224.0.0.102/32 eq 4711"),
        (True, "10 permit udp 192.168.2.0/24 range 100 140 123 224.0.0.102/32 eq 4711"),
        (False, "10 permit udp 192.168.2.0/24 range 100 120 123 224.0.0.102/32 range 100 150"),
        # not an ACL entry at all
        (False, "just some random text"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
def testPortsOnly(self):
    """Check a query that specifies only ports ("4711" and "124").

    Of the three entries, only the one whose first port clause is
    ``eq 4711`` and whose second is ``eq 124`` is expected to match.
    """
    grepper = ACLGrepper(None, "4711", None, "124")
    # (expected result, ACL line), evaluated in this order.
    cases = (
        (False, "10 permit udp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 4711"),
        (False, "10 permit tcp 10.221.224.120/29 eq 124 224.1.2.102/16 eq 124"),
        (True, "10 permit tcp 10.221.224.120/29 eq 4711 224.1.2.102/16 eq 124"),
    )
    for should_match, acl_line in cases:
        verify = self.assertTrue if should_match else self.assertFalse
        verify(grepper.grep(acl_line))
class patterns(unittest.TestCase):
    """Tests for ACLGrepper's address-parsing and containment helpers."""

    def setUp(self):
        """Create the ACLGrepper instance used by every test."""
        # the parameters do not matter for the generic tests
        self.ag = ACLGrepper()

    def testIpToBits(self):
        """ip_to_bits maps a dotted quad to its 32-bit integer value."""
        # Sweep all 256 octet values, using the same value in every octet.
        for octet in range(256):
            dotted = "%d.%d.%d.%d" % (octet, octet, octet, octet)
            expected = (octet << 24) | (octet << 16) | (octet << 8) | octet
            self.assertEqual(expected, self.ag.ip_to_bits(dotted))

        # Malformed input must raise ValueError rather than yield a
        # number: an octet out of range, a non-numeric string, an empty
        # string.
        for malformed in ("256.0.0.0", "a", ""):
            self.assertRaises(ValueError, self.ag.ip_to_bits, malformed)

    def testIpMaskPair(self):
        """ip_and_mask_to_pair returns an (address, netmask) integer pair."""
        to_pair = self.ag.ip_and_mask_to_pair

        # Known values.
        self.assertEqual((0x0a000000, 0xff000000),
                         to_pair("10.0.0.0 255.0.0.0"))
        self.assertEqual((0xc0a80200, 0xfffffc00),
                         to_pair("192.168.2.0 255.255.252.0"))

        # Space and slash are interchangeable separators.
        self.assertEqual(to_pair("192.168.2.0 255.255.255.0"),
                         to_pair("192.168.2.0/255.255.255.0"))

        # A subnet mask and the equivalent wildcard (inverted) mask give
        # the same pair, so the helper has to guess which form it is.
        self.assertEqual(to_pair("192.168.2.0 255.255.255.0"),
                         to_pair("192.168.2.0 0.0.0.255"))

        # full bits -> interpret as host TODO: is this correct?
        # NOTE(review): read as a wildcard mask, 255.255.255.255 means
        # "any address"; read as a subnet mask it means one host. The
        # host reading pinned here would hide such an entry from an
        # address search if the ACL uses wildcard masks. Confirm.
        self.assertEqual((0x0a020304, 0xffffffff),
                         to_pair("10.2.3.4 255.255.255.255"))

        # no bits -> host (the wildcard-mask reading of 0.0.0.0)
        self.assertEqual((0x0a010101, 0xffffffff),
                         to_pair("10.1.1.1/0.0.0.0"))

    def testIpCidrPair(self):
        """ip_and_cidr_to_pair expands a prefix length into a netmask."""
        to_pair = self.ag.ip_and_cidr_to_pair
        self.assertEqual((0x0a000000, 0xff000000), to_pair("10.0.0.0/8"))
        self.assertEqual((0xc0a80200, 0xfffffc00), to_pair("192.168.2.0/22"))

    def testIpInNet(self):
        """ip_in_net tests an address against an (address, netmask) pair."""
        host = 0x0a010101  # 10.1.1.1
        # Inside 10.0.0.0/8.
        self.assertTrue(self.ag.ip_in_net(host, (0x0a000000, 0xff000000)))
        # Outside 10.0.0.0/24.
        self.assertFalse(self.ag.ip_in_net(host, (0x0a000000, 0xffffff00)))