cisco_acl_intp 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/.rubocop.yml +13 -0
- data/.travis.yml +3 -0
- data/.yardopts +4 -0
- data/Gemfile +19 -0
- data/LICENSE.txt +22 -0
- data/README.md +132 -0
- data/Rakefile +78 -0
- data/acl_examples/err-acl.txt +49 -0
- data/acl_examples/named-ext-acl.txt +12 -0
- data/acl_examples/named-std-acl.txt +6 -0
- data/acl_examples/numd-acl.txt +21 -0
- data/cisco_acl_intp.gemspec +31 -0
- data/lib/cisco_acl_intp/ace.rb +432 -0
- data/lib/cisco_acl_intp/ace_ip.rb +136 -0
- data/lib/cisco_acl_intp/ace_other_qualifiers.rb +102 -0
- data/lib/cisco_acl_intp/ace_port.rb +146 -0
- data/lib/cisco_acl_intp/ace_proto.rb +319 -0
- data/lib/cisco_acl_intp/ace_srcdst.rb +114 -0
- data/lib/cisco_acl_intp/ace_tcp_flags.rb +65 -0
- data/lib/cisco_acl_intp/acl.rb +272 -0
- data/lib/cisco_acl_intp/acl_base.rb +111 -0
- data/lib/cisco_acl_intp/parser.rb +3509 -0
- data/lib/cisco_acl_intp/parser.ry +1397 -0
- data/lib/cisco_acl_intp/scanner.rb +176 -0
- data/lib/cisco_acl_intp/scanner_special_token_handler.rb +66 -0
- data/lib/cisco_acl_intp/version.rb +5 -0
- data/lib/cisco_acl_intp.rb +9 -0
- data/spec/cisco_acl_intp/ace_ip_spec.rb +111 -0
- data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +63 -0
- data/spec/cisco_acl_intp/ace_port_spec.rb +214 -0
- data/spec/cisco_acl_intp/ace_proto_spec.rb +200 -0
- data/spec/cisco_acl_intp/ace_spec.rb +605 -0
- data/spec/cisco_acl_intp/ace_srcdst_spec.rb +296 -0
- data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +38 -0
- data/spec/cisco_acl_intp/acl_spec.rb +523 -0
- data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +7 -0
- data/spec/cisco_acl_intp/parser_spec.rb +53 -0
- data/spec/cisco_acl_intp/scanner_spec.rb +122 -0
- data/spec/conf/extacl_objgrp_token_seq.yml +36 -0
- data/spec/conf/extacl_token_seq.yml +88 -0
- data/spec/conf/extended_acl.yml +226 -0
- data/spec/conf/scanner_spec_data.yml +120 -0
- data/spec/conf/single_tokens.yml +235 -0
- data/spec/conf/stdacl_token_seq.yml +8 -0
- data/spec/conf/tokens1.yml +158 -0
- data/spec/conf/tokens2.yml +206 -0
- data/spec/parser_fullfill_patterns.rb +145 -0
- data/spec/spec_helper.rb +54 -0
- data/tools/check_acl.rb +48 -0
- metadata +159 -0
|
@@ -0,0 +1,296 @@
|
|
|
1
|
+
# -*- coding: utf-8 -*-
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
|
|
4
|
+
describe AceSrcDstSpec do
|
|
5
|
+
describe '#to_s' do
|
|
6
|
+
context 'Normal case' do
|
|
7
|
+
before do
|
|
8
|
+
@p1 = AceTcpProtoSpec.new(
|
|
9
|
+
number: 80
|
|
10
|
+
)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
it 'should be "192.168.3.0 0.0.0.127" without L4 port' do
|
|
14
|
+
sds = AceSrcDstSpec.new(
|
|
15
|
+
ipaddr: '192.168.3.3',
|
|
16
|
+
wildcard: '0.0.0.127'
|
|
17
|
+
)
|
|
18
|
+
sds.to_s.should be_aclstr('192.168.3.0 0.0.0.127')
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
it 'should be "192.168.3.0 eq www" with L4 port' do
|
|
22
|
+
sds = AceSrcDstSpec.new(
|
|
23
|
+
ipaddr: '192.168.3.3',
|
|
24
|
+
wildcard: '0.0.0.127',
|
|
25
|
+
operator: 'eq',
|
|
26
|
+
port: @p1
|
|
27
|
+
)
|
|
28
|
+
sds.to_s.should be_aclstr('192.168.3.0 0.0.0.127 eq www')
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
context 'Argument error case' do
|
|
33
|
+
|
|
34
|
+
it 'should be raise exception when :ipaddr not specified' do
|
|
35
|
+
lambda do
|
|
36
|
+
AceSrcDstSpec.new(
|
|
37
|
+
wildcard: '0.0.0.127'
|
|
38
|
+
)
|
|
39
|
+
end.should raise_error(AclArgumentError)
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
## TBD, error handling must be written in detail
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe '#matches?' do
|
|
47
|
+
|
|
48
|
+
context 'with port unary operator: eq/neq/gt/lt' do
|
|
49
|
+
before(:each) do
|
|
50
|
+
ipaddr = AceIpSpec.new(
|
|
51
|
+
ipaddr: '192.168.15.15',
|
|
52
|
+
wildcard: '0.0.7.6'
|
|
53
|
+
)
|
|
54
|
+
@p1 = AceTcpProtoSpec.new(
|
|
55
|
+
number: 80
|
|
56
|
+
)
|
|
57
|
+
@sds0 = AceSrcDstSpec.new(
|
|
58
|
+
ip_spec: ipaddr
|
|
59
|
+
)
|
|
60
|
+
@sds1 = AceSrcDstSpec.new(
|
|
61
|
+
ip_spec: ipaddr,
|
|
62
|
+
operator: 'eq',
|
|
63
|
+
port: @p1
|
|
64
|
+
)
|
|
65
|
+
@sds2 = AceSrcDstSpec.new(
|
|
66
|
+
ip_spec: ipaddr,
|
|
67
|
+
operator: 'neq',
|
|
68
|
+
port: @p1
|
|
69
|
+
)
|
|
70
|
+
@sds3 = AceSrcDstSpec.new(
|
|
71
|
+
ip_spec: ipaddr,
|
|
72
|
+
operator: 'lt',
|
|
73
|
+
port: @p1
|
|
74
|
+
)
|
|
75
|
+
@sds4 = AceSrcDstSpec.new(
|
|
76
|
+
ip_spec: ipaddr,
|
|
77
|
+
operator: 'gt',
|
|
78
|
+
port: @p1
|
|
79
|
+
)
|
|
80
|
+
@ip_match = '192.168.9.11'
|
|
81
|
+
@ip_unmatch = '192.168.9.12'
|
|
82
|
+
@p1_match = 80
|
|
83
|
+
@p1_unmatch = 88
|
|
84
|
+
@p1_lower = 22
|
|
85
|
+
@p1_higher = 6633
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
context 'with IP only entry' do
|
|
89
|
+
it 'should be true, when match ip and "any" port' do
|
|
90
|
+
@sds0.matches?(@ip_match, @p1_match).should be_true
|
|
91
|
+
@sds0.matches?(@ip_match, @p1_unmatch).should be_true
|
|
92
|
+
@sds0.matches?(@ip_match, @p1_lower).should be_true
|
|
93
|
+
@sds0.matches?(@ip_match, @p1_higher).should be_true
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
it 'should be false, when unmatch ip and "any" port' do
|
|
97
|
+
@sds0.matches?(@ip_unmatch, @p1_match).should be_false
|
|
98
|
+
@sds0.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
99
|
+
@sds0.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
100
|
+
@sds0.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
101
|
+
end
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
context 'eq' do
|
|
105
|
+
it 'should be true, with match ip match eq port' do
|
|
106
|
+
@sds1.matches?(@ip_match, @p1_match).should be_true
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
it 'should be false, with match ip and unmatch eq port' do
|
|
110
|
+
@sds1.matches?(@ip_match, @p1_unmatch).should be_false
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
it 'should be false, with unmatch ip and match eq port' do
|
|
114
|
+
@sds1.matches?(@ip_unmatch, @p1_match).should be_false
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
it 'should be false, with unmatch ip and unmatch eq port' do
|
|
118
|
+
@sds1.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
119
|
+
end
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
context 'neq' do
|
|
123
|
+
it 'should be false, with match ip match eq port' do
|
|
124
|
+
@sds2.matches?(@ip_match, @p1_match).should be_false
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
it 'should be true, with match ip and unmatch eq port' do
|
|
128
|
+
@sds2.matches?(@ip_match, @p1_unmatch).should be_true
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
it 'should be false, with unmatch ip and match eq port' do
|
|
132
|
+
@sds2.matches?(@ip_unmatch, @p1_match).should be_false
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
it 'should be false, with unmatch ip and unmatch eq port' do
|
|
136
|
+
@sds2.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
137
|
+
end
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
context 'lt' do
|
|
141
|
+
it 'should be true, with match ip lower eq port' do
|
|
142
|
+
@sds3.matches?(@ip_match, @p1_lower).should be_true
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
it 'should be false, with match ip and higher eq port' do
|
|
146
|
+
@sds3.matches?(@ip_match, @p1_higher).should be_false
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
it 'should be false, with unmatch ip and loser eq port' do
|
|
150
|
+
@sds3.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
it 'should be false, with unmatch ip and higher eq port' do
|
|
154
|
+
@sds3.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
155
|
+
end
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
context 'gt' do
|
|
159
|
+
it 'should be false, with match ip lower eq port' do
|
|
160
|
+
@sds4.matches?(@ip_match, @p1_lower).should be_false
|
|
161
|
+
end
|
|
162
|
+
|
|
163
|
+
it 'should be true, with match ip and higher eq port' do
|
|
164
|
+
@sds4.matches?(@ip_match, @p1_higher).should be_true
|
|
165
|
+
end
|
|
166
|
+
|
|
167
|
+
it 'should be false, with unmatch ip and loser eq port' do
|
|
168
|
+
@sds4.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
169
|
+
end
|
|
170
|
+
|
|
171
|
+
it 'should be false, with unmatch ip and higher eq port' do
|
|
172
|
+
@sds4.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
173
|
+
end
|
|
174
|
+
end
|
|
175
|
+
|
|
176
|
+
end
|
|
177
|
+
|
|
178
|
+
context 'with operator: range' do
|
|
179
|
+
before(:each) do
|
|
180
|
+
p1 = AceTcpProtoSpec.new(
|
|
181
|
+
number: 80
|
|
182
|
+
)
|
|
183
|
+
p2 = AceTcpProtoSpec.new(
|
|
184
|
+
number: 1023
|
|
185
|
+
)
|
|
186
|
+
@sds = AceSrcDstSpec.new(
|
|
187
|
+
ipaddr: '192.168.15.15',
|
|
188
|
+
wildcard: '0.0.7.6',
|
|
189
|
+
operator: 'range',
|
|
190
|
+
begin_port: p1,
|
|
191
|
+
end_port: p2
|
|
192
|
+
)
|
|
193
|
+
@ip_match = '192.168.9.11'
|
|
194
|
+
@ip_unmatch = '192.168.9.12'
|
|
195
|
+
@p_in = 512
|
|
196
|
+
@p_out_lower = 23
|
|
197
|
+
@p_out_higher = 6633
|
|
198
|
+
end
|
|
199
|
+
|
|
200
|
+
it 'should be true, with match ip in range port' do
|
|
201
|
+
@sds.matches?(@ip_match, @p_in).should be_true
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
it 'should be false, with match ip and out of range port (lower)' do
|
|
205
|
+
@sds.matches?(@ip_match, @p_out_lower).should be_false
|
|
206
|
+
end
|
|
207
|
+
|
|
208
|
+
it 'should be false, with match ip and out of range port (higher)' do
|
|
209
|
+
@sds.matches?(@ip_match, @p_out_higher).should be_false
|
|
210
|
+
end
|
|
211
|
+
|
|
212
|
+
it 'should be false, with unmatch ip match in range port' do
|
|
213
|
+
@sds.matches?(@ip_unmatch, @p_in).should be_false
|
|
214
|
+
end
|
|
215
|
+
|
|
216
|
+
it 'should be false, with unmatch ip and out of range port (lower)' do
|
|
217
|
+
@sds.matches?(@ip_unmatch, @p_out_lower).should be_false
|
|
218
|
+
end
|
|
219
|
+
|
|
220
|
+
it 'should be false, with unmatch ip and out of range port (higher)' do
|
|
221
|
+
@sds.matches?(@ip_unmatch, @p_out_higher).should be_false
|
|
222
|
+
end
|
|
223
|
+
end
|
|
224
|
+
|
|
225
|
+
context 'with ip or port any' do
|
|
226
|
+
before do
|
|
227
|
+
ip_any = AceIpSpec.new(
|
|
228
|
+
ipaddr: '0.0.0.0',
|
|
229
|
+
wildcard: '255.255.255.255'
|
|
230
|
+
)
|
|
231
|
+
port_any = AcePortSpec.new(
|
|
232
|
+
operator: 'any'
|
|
233
|
+
)
|
|
234
|
+
ip1 = AceIpSpec.new(
|
|
235
|
+
ipaddr: '192.168.15.15',
|
|
236
|
+
wildcard: '0.0.7.6'
|
|
237
|
+
)
|
|
238
|
+
port_range = AcePortSpec.new(
|
|
239
|
+
operator: 'range',
|
|
240
|
+
begin_port: AceTcpProtoSpec.new(
|
|
241
|
+
number: 80
|
|
242
|
+
),
|
|
243
|
+
end_port: AceTcpProtoSpec.new(
|
|
244
|
+
number: 1023
|
|
245
|
+
)
|
|
246
|
+
)
|
|
247
|
+
@sds1 = AceSrcDstSpec.new(
|
|
248
|
+
ip_spec: ip_any,
|
|
249
|
+
port_spec: port_range
|
|
250
|
+
)
|
|
251
|
+
@sds2 = AceSrcDstSpec.new(
|
|
252
|
+
ip_spec: ip1,
|
|
253
|
+
port_spec: port_any
|
|
254
|
+
)
|
|
255
|
+
@sds3 = AceSrcDstSpec.new(
|
|
256
|
+
ip_spec: ip_any,
|
|
257
|
+
port_spec: port_any
|
|
258
|
+
)
|
|
259
|
+
@ip_match = '192.168.9.11'
|
|
260
|
+
@ip_unmatch = '192.168.9.12'
|
|
261
|
+
@p_match = 512
|
|
262
|
+
@p_unmatch = 6633
|
|
263
|
+
end
|
|
264
|
+
|
|
265
|
+
it 'should be true, for any ip' do
|
|
266
|
+
@sds1.matches?(@ip_match, @p_match).should be_true
|
|
267
|
+
@sds1.matches?(@ip_unmatch, @p_match).should be_true
|
|
268
|
+
end
|
|
269
|
+
|
|
270
|
+
it 'should be false, for any ip with unmatch port' do
|
|
271
|
+
@sds1.matches?(@ip_match, @p_unmatch).should be_false
|
|
272
|
+
@sds1.matches?(@ip_unmatch, @p_unmatch).should be_false
|
|
273
|
+
end
|
|
274
|
+
|
|
275
|
+
it 'should be true, for any port' do
|
|
276
|
+
@sds2.matches?(@ip_match, @p_match).should be_true
|
|
277
|
+
@sds2.matches?(@ip_match, @p_unmatch).should be_true
|
|
278
|
+
end
|
|
279
|
+
|
|
280
|
+
it 'should be false, for any port with unmatch ip' do
|
|
281
|
+
@sds2.matches?(@ip_unmatch, @p_match).should be_false
|
|
282
|
+
@sds2.matches?(@ip_unmatch, @p_unmatch).should be_false
|
|
283
|
+
end
|
|
284
|
+
|
|
285
|
+
it 'should be true, for any ip and any port' do
|
|
286
|
+
@sds3.matches?(@ip_match, @p_match).should be_true
|
|
287
|
+
@sds3.matches?(@ip_match, @p_unmatch).should be_true
|
|
288
|
+
@sds3.matches?(@ip_unmatch, @p_match).should be_true
|
|
289
|
+
@sds3.matches?(@ip_unmatch, @p_unmatch).should be_true
|
|
290
|
+
end
|
|
291
|
+
|
|
292
|
+
end
|
|
293
|
+
|
|
294
|
+
end # describe matches?
|
|
295
|
+
|
|
296
|
+
end # describe AceSrcDstSpec
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# -*- coding: utf-8 -*-
|
|
2
|
+
require 'spec_helper'
|
|
3
|
+
|
|
4
|
+
describe AceTcpFlag do
|
|
5
|
+
describe '#to_s' do
|
|
6
|
+
|
|
7
|
+
it 'should be make tcp flags' do
|
|
8
|
+
flag = AceTcpFlag.new('established')
|
|
9
|
+
flag.to_s.should be_aclstr('established')
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
describe AceTcpFlagList do
|
|
15
|
+
describe '#to_s' do
|
|
16
|
+
|
|
17
|
+
before do
|
|
18
|
+
@f1 = AceTcpFlag.new('syn')
|
|
19
|
+
@f2 = AceTcpFlag.new('ack')
|
|
20
|
+
@f3 = AceTcpFlag.new('established')
|
|
21
|
+
@list = AceTcpFlagList.new
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
it 'should be size 0 when empty list' do
|
|
25
|
+
@list.size.should be_zero
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it 'should count-up size when added AceTcpFlag objects' do
|
|
29
|
+
@list.push @f1
|
|
30
|
+
@list.size.should eq 1
|
|
31
|
+
@list.push @f2
|
|
32
|
+
@list.size.should eq 2
|
|
33
|
+
@list.push @f3
|
|
34
|
+
@list.size.should eq 3
|
|
35
|
+
@list.to_s.should be_aclstr('syn ack established')
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|