cisco_acl_intp 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/.rubocop.yml +13 -0
- data/.travis.yml +3 -0
- data/.yardopts +4 -0
- data/Gemfile +19 -0
- data/LICENSE.txt +22 -0
- data/README.md +132 -0
- data/Rakefile +78 -0
- data/acl_examples/err-acl.txt +49 -0
- data/acl_examples/named-ext-acl.txt +12 -0
- data/acl_examples/named-std-acl.txt +6 -0
- data/acl_examples/numd-acl.txt +21 -0
- data/cisco_acl_intp.gemspec +31 -0
- data/lib/cisco_acl_intp/ace.rb +432 -0
- data/lib/cisco_acl_intp/ace_ip.rb +136 -0
- data/lib/cisco_acl_intp/ace_other_qualifiers.rb +102 -0
- data/lib/cisco_acl_intp/ace_port.rb +146 -0
- data/lib/cisco_acl_intp/ace_proto.rb +319 -0
- data/lib/cisco_acl_intp/ace_srcdst.rb +114 -0
- data/lib/cisco_acl_intp/ace_tcp_flags.rb +65 -0
- data/lib/cisco_acl_intp/acl.rb +272 -0
- data/lib/cisco_acl_intp/acl_base.rb +111 -0
- data/lib/cisco_acl_intp/parser.rb +3509 -0
- data/lib/cisco_acl_intp/parser.ry +1397 -0
- data/lib/cisco_acl_intp/scanner.rb +176 -0
- data/lib/cisco_acl_intp/scanner_special_token_handler.rb +66 -0
- data/lib/cisco_acl_intp/version.rb +5 -0
- data/lib/cisco_acl_intp.rb +9 -0
- data/spec/cisco_acl_intp/ace_ip_spec.rb +111 -0
- data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +63 -0
- data/spec/cisco_acl_intp/ace_port_spec.rb +214 -0
- data/spec/cisco_acl_intp/ace_proto_spec.rb +200 -0
- data/spec/cisco_acl_intp/ace_spec.rb +605 -0
- data/spec/cisco_acl_intp/ace_srcdst_spec.rb +296 -0
- data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +38 -0
- data/spec/cisco_acl_intp/acl_spec.rb +523 -0
- data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +7 -0
- data/spec/cisco_acl_intp/parser_spec.rb +53 -0
- data/spec/cisco_acl_intp/scanner_spec.rb +122 -0
- data/spec/conf/extacl_objgrp_token_seq.yml +36 -0
- data/spec/conf/extacl_token_seq.yml +88 -0
- data/spec/conf/extended_acl.yml +226 -0
- data/spec/conf/scanner_spec_data.yml +120 -0
- data/spec/conf/single_tokens.yml +235 -0
- data/spec/conf/stdacl_token_seq.yml +8 -0
- data/spec/conf/tokens1.yml +158 -0
- data/spec/conf/tokens2.yml +206 -0
- data/spec/parser_fullfill_patterns.rb +145 -0
- data/spec/spec_helper.rb +54 -0
- data/tools/check_acl.rb +48 -0
- metadata +159 -0
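--- a/data/spec/conf/extacl_objgrp_token_seq.yml
+++ b/data/spec/conf/extacl_objgrp_token_seq.yml
@@ -0,0 +1,36 @@
+- :testname: extacl_objgrp1_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcpudp_proto
+- ip_spec_objgrp1
+- null_port
+- ip_spec_objgrp2
+- null_port
+- ext_acl_log_spec
+- :testname: extacl_objgrp2_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec_objgrp1
+- tcp_port_spec1
+- ip_spec_objgrp2
+- tcp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_objgrp3_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- udp_proto
+- ip_spec_objgrp1
+- udp_port_spec1
+- ip_spec_objgrp2
+- udp_port_spec2
+- ext_acl_log_spec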
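--- a/data/spec/conf/extacl_token_seq.yml
+++ b/data/spec/conf/extacl_token_seq.yml
@@ -0,0 +1,88 @@
+- :testname: extacl_icmp_spec
+:casedata: tokens1.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- icmp_proto
+- ip_spec1
+- ip_spec2
+- icmp_qualifier
+- ext_acl_log_spec
+- :testname: extacl_ip_spec
+:casedata: tokens1.yml
+:fieldseq:
+- acl
+- extacl_num
+- dynamic_spec
+- action
+- ip_proto
+- ip_spec1
+- ip_spec2
+- ext_acl_log_spec
+- :testname: extacl_tcp_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- tcp_proto
+- ip_spec1
+- tcp_port_spec1
+- ip_spec2
+- tcp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_udp_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- udp_proto
+- ip_spec1
+- udp_port_spec1
+- ip_spec2
+- udp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_options1_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec1
+- tcp_port_spec1
+- ip_spec2
+- tcp_port_spec2
+- tcp_flags
+- precedence
+- time_range
+- :testname: extacl_options2_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- udp_proto
+- ip_spec1
+- udp_port_spec1
+- ip_spec2
+- udp_port_spec2
+- dscp
+- tos
+- :testname: extacl_tcpflag_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec1
+- null_port
+- ip_spec2
+- null_port
+- tcp_flags2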
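Review bot: The `# - dynamic_spec` line is commented out in extacl_icmp_spec, extacl_tcp_spec and extacl_udp_spec but left active in extacl_ip_spec, and nothing records whether dynamic-ACL coverage for the other protocols is deferred or deliberately excluded. A reader is likely to either re-enable the three commented lines blindly or assume the ip case is the stray one. A one-line comment beside the first commented entry, e.g. `# - dynamic_spec   # dynamic ACL field is presently exercised only by extacl_ip_spec`, would fix the intent; if the omission is deliberate because the tokens1/tokens2 data lack dynamic samples for those protocols, say that instead.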
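--- a/data/spec/conf/extended_acl.yml
+++ b/data/spec/conf/extended_acl.yml
@@ -0,0 +1,226 @@
+# Transit Access Control Lists: Filtering at Your Edge [IP Addressing Services] - Cisco Systems http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
+- :name: "Anti-spoofing entries."
+:symbol: extacl-deny-antispoof
+:description: "Deny special-use address sources. Refer to RFC 3330 for additional special use addresses."
+:acl: |
+access-list 110 deny ip 127.0.0.0 0.255.255.255 any
+access-list 110 deny ip 192.0.2.0 0.0.0.255 any
+access-list 110 deny ip 224.0.0.0 31.255.255.255 any
+access-list 110 deny ip host 255.255.255.255 any
+:correct: true
+- :name: "DHCP relays"
+:symbol: extacl-permit-dhcprelay
+:description: "The deny statement should not be configured on Dynamic Host Configuration Protocol (DHCP) relays."
+:acl: |
+access-list 110 deny ip host 0.0.0.0 any
+:correct: true
+- :name: "Filter RFC 1918 space."
+:symbol: extacl-deny-rfc1918
+:description: ""
+:acl: |
+access-list 110 deny ip 10.0.0.0 0.255.255.255 any
+access-list 110 deny ip 172.16.0.0 0.15.255.255 any
+access-list 110 deny ip 192.168.0.0 0.0.255.255 any
+:correct: true
+- :name: "Permit Border Gateway Protocol (BGP) to the edge router."
+:symbol: extacl-permit-bgp
+:description: ""
+:acl: |
+access-list 110 permit tcp host 10.1.1.1 gt 1023 host 10.1.1.2 eq bgp
+access-list 110 permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1023
+:correct: true
+- :name: "Deny your space as source (as noted in RFC 2827)."
+:symbol: extacl-permit-local
+:description: ""
+:acl: |
+access-list 110 deny ip 192.168.201.0 0.0.0.255 any
+:correct: true
+- :name: "Explicitly permit return traffic."
+:symbol: extacl-permit-icmp
+:description: "Allow specific ICMP types."
+:acl: |
+access-list 110 permit icmp any any echo-reply
+access-list 110 permit icmp any any unreachable
+access-list 110 permit icmp any any time-exceeded
+access-list 110 deny icmp any any
+:correct: true
+- :name: "DNS queries"
+:symbol: extacl-permit-dnsquery
+:description: ""
+:acl: |
+access-list 110 remark !--- These are outgoing DNS queries.
+access-list 110 permit udp any eq domain host 192.168.201.104 gt 1023
+access-list 110 remark !--- Permit older DNS queries and replies to primary DNS server.
+access-list 110 permit udp any eq domain host 192.168.201.104 eq domain
+:correct: true
+- :name: "Permit legitimate business traffic."
+:symbol: extacl-permit-business-traffic
+:description: ""
+:acl: |
+access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
+access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023
+:correct: true
+- :name: "Allow ftp data and multimedia connections."
+:symbol: extacl-permit-ftpclient
+:description: ""
+:acl: |
+access-list 110 remark !--- Allow FTP data connections.
+access-list 110 permit tcp any eq ftp-data 192.168.201.0 0.0.0.255 gt 1023
+access-list 110 remark !--- Allow TFTP data and multimedia connections.
+access-list 110 permit udp any gt 1023 192.168.201.0 0.0.0.255 gt 1023
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (DNS)"
+:symbol: extacl-permit-dns-server
+:description: ""
+:acl: |
+access-list 110 remark !--- These are incoming DNS queries.
+access-list 110 permit udp any gt 1023 host 192.168.201.104 eq domain
+access-list 110 remark !--- Zone transfer DNS queries to primary DNS server.
+access-list 110 permit tcp host 172.16.201.50 gt 1023 host 192.168.201.104 eq domain
+access-list 110 remark !--- Permit older DNS zone transfers.
+access-list 110 permit tcp host 172.16.201.50 eq domain host 192.168.201.104 eq domain
+access-list 110 remark !--- Deny all other DNS traffic.
+access-list 110 deny udp any any eq domain
+access-list 110 deny tcp any any eq domain
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (VPN)"
+:symbol: extacl-permit-vpn-server
+:description: "Allow IPSec VPN traffic."
+:acl: |
+access-list 110 permit udp any host 192.168.201.100 eq isakmp
+access-list 110 permit udp any host 192.168.201.100 eq non500-isakmp
+access-list 110 permit esp any host 192.168.201.100
+access-list 110 permit ahp any host 192.168.201.100
+access-list 110 deny ip any host 192.168.201.100
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (Others)"
+:symbol: extacl-permit-web-server
+:description: "These are Internet-sourced connections to publicly accessible servers."
+:acl: |
+access-list 110 permit tcp any host 192.168.201.101 eq www
+access-list 110 permit tcp any host 192.168.201.101 eq 443
+access-list 110 permit tcp any host 192.168.201.102 eq ftp
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (FTP)"
+:symbol: extacl-permit-ftp-server
+:description: "Data connections to the FTP server are allowed by the permit established ACE. Allow PASV data connections to the FTP server."
+:acl: |
+access-list 110 permit tcp any gt 1023 host 192.168.201.102 gt 1023
+access-list 110 permit tcp any host 192.168.201.103 eq smtp
+:correct: true
+- :name: "Explicitly deny all other traffic."
+:symbol: extacl-deny-any
+:description: ""
+:acl: |
+access-list 101 deny ip any any
+:correct: true
+#
+# IP アクセス リストの設定 - Cisco Systems http://www.cisco.com/cisco/web/support/JP/100/1008/1008446_confaccesslists-j.html#reflexacl
+# Configuring IP Access Lists - Cisco Systems http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
+#
+- :name: "Reflexive ACLs"
+:symbol: extacl-reflexive
+:description: ""
+:acl: |
+ip access-list extended inboundfilters
+permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
+evaluate tcptraffic
+!
+ip access-list extended outboundfilters
+permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
+permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
+!
+:correct: true
+- :name: "Time-Based ACLs Using Time Ranges"
+:symbol: extacl-time-based
+:description: ""
+:acl: |
+access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
+:correct: true
+#
+# used at home router
+#
+- :name: "My Home (1)"
+:symbol: extacl-self-example1
+:description: "outbound filter"
+:acl: |
+ip access-list extended GI0-OUT
+deny ip any 10.0.0.0 0.255.255.255 log
+deny ip any 172.16.0.0 0.15.255.255 log
+deny ip any 0.0.0.0 0.255.255.255 log
+deny ip any 127.0.0.0 0.255.255.255 log
+deny ip any 192.0.2.0 0.0.0.255 log
+deny ip any 169.254.0.0 0.0.255.255 log
+deny ip any 224.0.0.0 31.255.255.255 log
+deny tcp any any eq 135 log
+deny udp any any eq 135 log
+deny tcp any any range 137 139 log
+deny udp any any range netbios-ns netbios-ss log
+deny tcp any any eq 445 log
+deny udp any any eq 445 log
+deny tcp any eq 135 any log
+deny udp any eq 135 any log
+deny tcp any range 137 139 any log
+deny udp any range netbios-ns netbios-ss any log
+deny tcp any eq 445 any log
+deny udp any eq 445 any log
+deny tcp any any eq 6000 log
+deny tcp any any eq 1433 log
+remark vpn
+permit udp any eq isakmp any
+remark permit to 6to4
+permit ip any 192.88.99.0 0.0.0.255
+permit 41 any 192.88.99.0 0.0.0.255
+remark permit any from inside to outside
+permit icmp any any
+permit ip any any reflect iptraffic timeout 300
+deny ip any any log
+!
+:correct: true
+- :name: "My Home (2)"
+:symbol: extacl-self-example2
+:description: "inbound filter"
+:acl: |
+ip access-list extended GI0-IN
+deny ip 10.0.0.0 0.255.255.255 any log
+deny ip 172.16.0.0 0.15.255.255 any log
+deny ip 0.0.0.0 0.255.255.255 any log
+deny ip 127.0.0.0 0.255.255.255 any log
+deny ip 192.0.2.0 0.0.0.255 any log
+deny ip 169.254.0.0 0.0.255.255 any log
+deny ip 224.0.0.0 31.255.255.255 any log
+deny tcp any any eq 135 log
+deny udp any any eq 135 lo
+deny tcp any any range 137 139 log
+deny udp any any range netbios-ns netbios-ss log
+deny tcp any any eq 445 log
+deny udp any any eq 445 log
+deny tcp any any eq 6000 log
+deny tcp any any eq 1433 log
+remark ospf
+permit ospf 192.168.100.0 0.0.0.255 any
+remark ihanet
+permit gre any host 192.168.100.201
+permit ipinip any host 192.168.100.201
+remark vpn
+permit esp any any
+permit tcp any any eq 50
+permit tcp any any eq 51
+permit udp any any eq isakmp
+permit udp any any eq 1701
+remark ntp/dns
+permit udp any eq ntp any
+permit tcp any eq domain any
+permit udp any eq domain any
+remark ipv6
+permit ip 192.88.99.0 0.0.0.255 any
+permit 41 any any
+remark home web server
+permit tcp any any eq 80000
+remark permit any from inside to outside
+evaluate iptraffic
+permit tcp any any established
+permit icmp any any
+deny ip any any log
+!
+:correct: false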
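Review bot: The "My Home (2)" entry is flagged `:correct: false`, but nothing says which of its lines are the deliberate errors; from the data they appear to be `deny udp any any eq 135 lo` (truncated `log`) and `permit tcp any any eq 80000` (port above 65535), and the two `permit tcp any any eq 50` / `eq 51` lines under `remark vpn` are syntactically valid even though 50 and 51 are the ESP/AH protocol numbers rather than TCP ports, so a parser will not reject them. A comment on the entry such as `# intentionally invalid: "lo" (should be "log") and port 80000 (out of range); the tcp/50 and tcp/51 lines parse fine` would stop a later edit from "fixing" the typos and silently turning the negative case into a passing one. Separately, the `extacl-permit-local` symbol is attached to a deny rule ("Deny your space as source"), and `extacl-deny-any` uses `access-list 101` while every other entry in that set uses 110; if the specs key on the symbol or the list number these look like copy-paste slips and are worth a second look.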
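--- a/data/spec/conf/scanner_spec_data.yml
+++ b/data/spec/conf/scanner_spec_data.yml
@@ -0,0 +1,120 @@
+- :test_description: "named std acl header"
+:test_symbol: named_std_acl
+:test_data:
+- :line: "ip access-list standard remote-ipv4 "
+:tokens:
+- [ NAMED_ACL, "ip access-list" ] # acl header
+- standard
+- [ STRING, "remote-ipv4" ]
+- :line: " remark hoge fuga aa" # remark
+:tokens:
+- remark
+- [ STRING, "hoge fuga aa" ]
+- :line: " permit 192.168.0.0 0.0.255.255 "
+:tokens:
+- permit
+- [ IPV4_ADDR, 192.168.0.0 ]
+- [ IPV4_ADDR, 0.0.255.255 ]
+- :line: " remark ip access-list extended hogehoge" # remark
+:tokens:
+- remark
+- [ STRING, "ip access-list extended hogehoge" ]
+- :test_description: "named ext acl header"
+:test_symbol: named_ext_acl
+:test_data:
+- :line: "ip access-list extended GI0-IN"
+:tokens:
+- [ NAMED_ACL, "ip access-list" ] # acl header
+- extended
+- [ STRING, GI0-IN ]
+- :line: " deny ip 10.0.0.0 0.255.255.255 any log"
+:tokens:
+- deny
+- ip
+- [ IPV4_ADDR, 10.0.0.0 ]
+- [ IPV4_ADDR, 0.255.255.255 ]
+- any
+- log
+- :line: " deny ip 172.16.0.0 0.15.255.255 any log foobar"
+:tokens:
+- deny
+- ip
+- [ IPV4_ADDR, 172.16.0.0 ]
+- [ IPV4_ADDR, 0.15.255.255 ]
+- any
+- log
+- [ STRING, foobar ] # log (with cookie)
+- :test_description: "special values"
+:test_symbol: special_values
+:test_data:
+- :line: "permit 192.168.3.0/24 for-test"
+:tokens:
+- permit
+- [ IPV4_ADDR, 192.168.3.0 ]
+- '/'
+- [ NUMBER, 24 ]
+- for-test
+- :test_description: "string arg tokens check"
+:test_symbol: str_arg_tokens
+:test_data:
+- :line: " extended standard foobar"
+:tokens:
+- extended
+- [ STRING, standard ]
+- foobar
+- :line: "abc standard log hoge"
+:tokens:
+- abc
+- standard
+- [ STRING, log ]
+- hoge
+- :line: "dynamic hogehoge"
+:tokens:
+- dynamic
+- [ STRING, hogehoge ]
+- :line: "log foobar"
+:tokens:
+- log
+- [ STRING, foobar ]
+- :line: "log-input abcde"
+:tokens:
+- log-input
+- [ STRING, abcde ]
+- :line: "foobar log"
+:tokens:
+- foobar
+- log
+- :line: "hogehoge log"
+:tokens:
+- hogehoge
+- log
+- :line: "time-range range-name"
+:tokens:
+- time-range
+- [ STRING, range-name ]
+- :line: "reflect reflect-name "
+:tokens:
+- reflect
+- [ STRING, reflect-name ]
+- :line: "evaluate evaluate-name"
+:tokens:
+- evaluate
+- [ STRING, evaluate-name ]
+- :line: "object-group grpname"
+:tokens:
+- object-group
+- [ STRING, grpname ]
+- :line: "object-group network hoge"
+:tokens:
+- object-group
+- network
+- [ STRING, hoge ]
+- :line: "object-group service ffff"
+:tokens:
+- object-group
+- service
+- [ STRING, ffff ]
+- :line: "group-object nested-obj-name"
+:tokens:
+- group-object
+- [ STRING, nested-obj-name ]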
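Review bot: Expected STRING token values are quoted inconsistently in this fixture: `[ STRING, "remote-ipv4" ]` and `[ STRING, "hoge fuga aa" ]` are quoted, while `[ STRING, GI0-IN ]`, `[ STRING, foobar ]`, `[ STRING, range-name ]` and the later entries are bare scalars inside a flow sequence. YAML reads both forms as strings, so the tests presumably pass either way, but a bare scalar is one stray `:`, `#` or `,` away from changing meaning, and `[ NUMBER, 24 ]` relies on YAML yielding an Integer rather than the string "24", which is nowhere stated. Quoting every STRING value the same way and adding a header comment such as `# tokens: bare scalar = keyword token; [ TYPE, value ] = typed token, NUMBER values compared as Integer` would make the expectation explicit for whoever extends the file.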
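--- a/data/spec/conf/single_tokens.yml
+++ b/data/spec/conf/single_tokens.yml
@@ -0,0 +1,235 @@
+- ipv6
+- permit
+- deny
+- timeout
+- established
+- syn
+- ack
+- fin
+- psh
+- urg
+- rst
+- '+syn'
+- '-syn'
+- '+ack'
+- '-ack'
+- '+fin'
+- '-fin'
+- '+psh'
+- '-psh'
+- '+urg'
+- '-urg'
+- '+rst'
+- '-rst'
+- match-all
+- match-any
+- ahp
+- eigrp
+- esp
+- gre
+- icmp
+- igmp
+- ipinip
+- ip
+- nos
+- ospf
+- pcf
+- pim
+- tcp
+- udp
+- fragments
+- log-input
+- log-update
+- log
+- threshold
+- time-range
+- administratively-prohibited
+- alternate-address
+- conversion-error
+- dod-host-prohibited
+- dod-net-prohibited
+- echo-reply
+- echo
+- general-parameter-problem
+- host-isolated
+- mobile-redirect
+- net-redirect
+- net-tos-redirect
+- net-unreachable
+- network-unknown
+- no-room-for-option
+- option-missing
+- packet-too-big
+- parameter-problem
+- port-unreachable
+- precedence-unreachable
+- protocol-unreachable
+- host-precedence-unreachable
+- host-redirect
+- host-tos-redirect
+- host-unknown
+- host-unreachable
+- information-reply
+- information-request
+- mask-reply
+- mask-request
+- reassembly-timeout
+- redirect
+- router-advertisement
+- router-solicitation
+- source-quench
+- source-route-failed
+- time-exceeded
+- timestamp-reply
+- timestamp-request
+- traceroute
+- ttl-exceeded
+- unreachable
+- beyond-scope
+- destination-unreachable
+- echo-request
+- flow-label
+- mld-reduction
+- mld-report
+- next-header
+- parameter-option
+- renum-command
+- renum-result
+- renum-seq-number
+- router-renumbering
+- undetermined-transport
+- nd-na
+- nd-ns
+- header
+- hop-limit
+- mld-query
+- no-admin
+- no-route
+- routing
+- sequence
+- flash-override
+- precedence
+- critical
+- flash
+- immediate
+- internet
+- priority
+- routine
+- network
+- tos
+- max-reliability
+- max-throughput
+- min-delay
+- min-monetary-cost
+- normal
+- bgp
+- chargen
+- cmd
+- daytime
+- domain
+- drip
+- exec
+- finger
+- ftp-data
+- ftp
+- gopher
+- hostname
+- ident
+- irc
+- klogin
+- kshell
+- login
+- lpd
+- nntp
+- pim-auto-rp
+- pop2
+- pop3
+- smtp
+- tacacs
+- telnet
+- uucp
+- whois
+- www
+- biff
+- bootpc
+- bootps
+- dnsix
+- isakmp
+- mobile-ip
+- nameserver
+- netbios-dgm
+- netbios-ns
+- netbios-ss
+- non500-isakmp
+- ntp
+- pim-auto-rp
+- rip
+- snmp
+- snmptrap
+- syslog
+- tftp
+- who
+- xdmcp
+- discard
+- echo
+- sunrpc
+- talk
+- time
+- dscp
+- af11
+- af12
+- af13
+- af21
+- af22
+- af23
+- af31
+- af32
+- af33
+- af41
+- af42
+- af43
+- cs1
+- cs2
+- cs3
+- cs4
+- cs5
+- cs6
+- cs7
+- default
+- ef
+- option
+- add-ext
+- any-options
+- com-security
+- dps
+- encode
+- eool
+- ext-ip
+- ext-security
+- finn
+- imitd
+- lsr
+- mtup
+- mtur
+- no-op
+- nsapa
+- record-route
+- route-alert
+- sdb
+- security
+- ssr
+- stream-id
+- timestamp
+- ump
+- visa
+- zsu
+- tcp-udp
+- source
+- group-object
+- eq
+- neq
+- gt
+- lt
+- range
+- any
+- host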
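Review bot: `pim-auto-rp` appears twice in this token list (once among the TCP port names, again among the UDP ones) and `echo` appears both as an ICMP message type and as a port name. If the spec iterates the list as a plain array each duplicate merely repeats the same scan check, but if the file is ever loaded into a Hash or Set the second copy is dropped silently, and today nothing says which is intended. A header comment such as `# every keyword the scanner must return as a bare token; duplicates are deliberate (a keyword can be both a port name and an ICMP type)` would record that, and a comment line before each group (tcp flags, ip protocols, icmp types, precedence/tos, tcp ports, udp ports, dscp, ip options, port operators) would make gaps in the coverage far easier to spot than the current flat 235-entry run.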