cisco_acl_intp 0.0.1

data/spec/conf/extacl_objgrp_token_seq.yml

@@ -0,0 +1,36 @@
+- :testname: extacl_objgrp1_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - tcpudp_proto
+    - ip_spec_objgrp1
+    - null_port
+    - ip_spec_objgrp2
+    - null_port
+    - ext_acl_log_spec
+- :testname: extacl_objgrp2_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - tcp_proto
+    - ip_spec_objgrp1
+    - tcp_port_spec1
+    - ip_spec_objgrp2
+    - tcp_port_spec2
+    - ext_acl_log_spec
+- :testname: extacl_objgrp3_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - udp_proto
+    - ip_spec_objgrp1
+    - udp_port_spec1
+    - ip_spec_objgrp2
+    - udp_port_spec2
+    - ext_acl_log_spec

data/spec/conf/extacl_token_seq.yml

@@ -0,0 +1,88 @@
+- :testname: extacl_icmp_spec
+  :casedata: tokens1.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    # - dynamic_spec
+    - action
+    - icmp_proto
+    - ip_spec1
+    - ip_spec2
+    - icmp_qualifier
+    - ext_acl_log_spec
+- :testname: extacl_ip_spec
+  :casedata: tokens1.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - dynamic_spec
+    - action
+    - ip_proto
+    - ip_spec1
+    - ip_spec2
+    - ext_acl_log_spec
+- :testname: extacl_tcp_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    # - dynamic_spec
+    - action
+    - tcp_proto
+    - ip_spec1
+    - tcp_port_spec1
+    - ip_spec2
+    - tcp_port_spec2
+    - ext_acl_log_spec
+- :testname: extacl_udp_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    # - dynamic_spec
+    - action
+    - udp_proto
+    - ip_spec1
+    - udp_port_spec1
+    - ip_spec2
+    - udp_port_spec2
+    - ext_acl_log_spec
+- :testname: extacl_options1_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - tcp_proto
+    - ip_spec1
+    - tcp_port_spec1
+    - ip_spec2
+    - tcp_port_spec2
+    - tcp_flags
+    - precedence
+    - time_range
+- :testname: extacl_options2_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - udp_proto
+    - ip_spec1
+    - udp_port_spec1
+    - ip_spec2
+    - udp_port_spec2
+    - dscp
+    - tos
+- :testname: extacl_tcpflag_spec
+  :casedata: tokens2.yml
+  :fieldseq:
+    - acl
+    - extacl_num
+    - action
+    - tcp_proto
+    - ip_spec1
+    - null_port
+    - ip_spec2
+    - null_port
+    - tcp_flags2

data/spec/conf/extended_acl.yml

@@ -0,0 +1,226 @@
+# Transit Access Control Lists: Filtering at Your Edge [IP Addressing Services] - Cisco Systems http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
+- :name: "Anti-spoofing entries."
+  :symbol: extacl-deny-antispoof
+  :description: "Deny special-use address sources. Refer to RFC 3330 for additional special use addresses."
+  :acl: |
+    access-list 110 deny ip 127.0.0.0 0.255.255.255 any
+    access-list 110 deny ip 192.0.2.0 0.0.0.255 any
+    access-list 110 deny ip 224.0.0.0 31.255.255.255 any
+    access-list 110 deny ip host 255.255.255.255 any
+  :correct: true
+- :name: "DHCP relays"
+  :symbol: extacl-permit-dhcprelay
+  :description: "The deny statement should not be configured on Dynamic Host Configuration Protocol (DHCP) relays."
+  :acl: |
+    access-list 110 deny ip host 0.0.0.0 any
+  :correct: true
+- :name: "Filter RFC 1918 space."
+  :symbol: extacl-deny-rfc1918
+  :description: ""
+  :acl: |
+    access-list 110 deny ip 10.0.0.0 0.255.255.255 any
+    access-list 110 deny ip 172.16.0.0 0.15.255.255 any
+    access-list 110 deny ip 192.168.0.0 0.0.255.255 any
+  :correct: true
+- :name: "Permit Border Gateway Protocol (BGP) to the edge router."
+  :symbol: extacl-permit-bgp
+  :description: ""
+  :acl: |
+    access-list 110 permit tcp host 10.1.1.1 gt 1023 host 10.1.1.2 eq bgp
+    access-list 110 permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1023
+  :correct: true
+- :name: "Deny your space as source (as noted in RFC 2827)."
+  :symbol: extacl-permit-local
+  :description: ""
+  :acl: |
+    access-list 110 deny   ip 192.168.201.0 0.0.0.255 any
+  :correct: true
+- :name: "Explicitly permit return traffic."
+  :symbol: extacl-permit-icmp
+  :description: "Allow specific ICMP types."
+  :acl: |
+    access-list 110 permit icmp any any echo-reply
+    access-list 110 permit icmp any any unreachable
+    access-list 110 permit icmp any any time-exceeded
+    access-list 110 deny   icmp any any
+  :correct: true
+- :name: "DNS queries"
+  :symbol: extacl-permit-dnsquery
+  :description: ""
+  :acl: |
+    access-list 110 remark !--- These are outgoing DNS queries.
+    access-list 110 permit udp any eq domain host 192.168.201.104 gt 1023
+    access-list 110 remark !--- Permit older DNS queries and replies to primary DNS server.
+    access-list 110 permit udp any eq domain host 192.168.201.104 eq domain
+  :correct: true
+- :name: "Permit legitimate business traffic."
+  :symbol: extacl-permit-business-traffic
+  :description: ""
+  :acl: |
+    access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
+    access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023
+  :correct: true
+- :name: "Allow ftp data and multimedia connections."
+  :symbol: extacl-permit-ftpclient
+  :description: ""
+  :acl: |
+    access-list 110 remark !--- Allow FTP data connections.
+    access-list 110 permit tcp any eq ftp-data 192.168.201.0 0.0.0.255 gt 1023
+    access-list 110 remark !--- Allow TFTP data and multimedia connections.
+    access-list 110 permit udp any gt 1023 192.168.201.0 0.0.0.255 gt 1023
+  :correct: true
+- :name: "Explicitly permit externally sourced traffic. (DNS)"
+  :symbol: extacl-permit-dns-server
+  :description: ""
+  :acl: |
+    access-list 110 remark !--- These are incoming DNS queries.
+    access-list 110 permit udp any gt 1023 host 192.168.201.104 eq domain
+    access-list 110 remark !--- Zone transfer DNS queries to primary DNS server.
+    access-list 110 permit tcp host 172.16.201.50 gt 1023 host 192.168.201.104 eq domain
+    access-list 110 remark !--- Permit older DNS zone transfers.
+    access-list 110 permit tcp host 172.16.201.50 eq domain host 192.168.201.104 eq domain
+    access-list 110 remark  !--- Deny all other DNS traffic.
+    access-list 110 deny   udp any any eq domain
+    access-list 110 deny   tcp any any eq domain
+  :correct: true
+- :name: "Explicitly permit externally sourced traffic. (VPN)"
+  :symbol: extacl-permit-vpn-server
+  :description: "Allow IPSec VPN traffic."
+  :acl: |
+    access-list 110 permit udp any host 192.168.201.100 eq isakmp
+    access-list 110 permit udp any host 192.168.201.100 eq non500-isakmp
+    access-list 110 permit esp any host 192.168.201.100
+    access-list 110 permit ahp any host 192.168.201.100
+    access-list 110 deny   ip any host 192.168.201.100
+  :correct: true
+- :name: "Explicitly permit externally sourced traffic. (Others)"
+  :symbol: extacl-permit-web-server
+  :description: "These are Internet-sourced connections to publicly accessible servers."
+  :acl: |
+    access-list 110 permit tcp any host 192.168.201.101 eq www
+    access-list 110 permit tcp any host 192.168.201.101 eq 443
+    access-list 110 permit tcp any host 192.168.201.102 eq ftp
+  :correct: true
+- :name: "Explicitly permit externally sourced traffic. (FTP)"
+  :symbol: extacl-permit-ftp-server
+  :description: "Data connections to the FTP server are allowed by the permit established ACE. Allow PASV data connections to the FTP server."
+  :acl: |
+    access-list 110 permit tcp any gt 1023 host 192.168.201.102 gt 1023
+    access-list 110 permit tcp any host 192.168.201.103 eq smtp
+  :correct: true
+- :name: "Explicitly deny all other traffic."
+  :symbol: extacl-deny-any
+  :description: ""
+  :acl: |
+    access-list 101 deny ip any any
+  :correct: true
+#
+# IP アクセス リストの設定 - Cisco Systems http://www.cisco.com/cisco/web/support/JP/100/1008/1008446_confaccesslists-j.html#reflexacl
+# Configuring IP Access Lists - Cisco Systems http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
+#
+- :name: "Reflexive ACLs"
+  :symbol: extacl-reflexive
+  :description: ""
+  :acl: |
+    ip access-list extended inboundfilters
+     permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
+     evaluate tcptraffic
+    !
+    ip access-list extended outboundfilters
+     permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
+     permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
+    !
+  :correct: true
+- :name: "Time-Based ACLs Using Time Ranges"
+  :symbol: extacl-time-based
+  :description: ""
+  :acl: |
+    access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
+  :correct: true
+#
+# used at home router
+#
+- :name: "My Home (1)"
+  :symbol: extacl-self-example1
+  :description: "outbound filter"
+  :acl: |
+    ip access-list extended GI0-OUT
+     deny   ip any 10.0.0.0 0.255.255.255 log
+     deny   ip any 172.16.0.0 0.15.255.255 log
+     deny   ip any 0.0.0.0 0.255.255.255 log
+     deny   ip any 127.0.0.0 0.255.255.255 log
+     deny   ip any 192.0.2.0 0.0.0.255 log
+     deny   ip any 169.254.0.0 0.0.255.255 log
+     deny   ip any 224.0.0.0 31.255.255.255 log
+     deny   tcp any any eq 135 log
+     deny   udp any any eq 135 log
+     deny   tcp any any range 137 139 log
+     deny   udp any any range netbios-ns netbios-ss log
+     deny   tcp any any eq 445 log
+     deny   udp any any eq 445 log
+     deny   tcp any eq 135 any log
+     deny   udp any eq 135 any log
+     deny   tcp any range 137 139 any log
+     deny   udp any range netbios-ns netbios-ss any log
+     deny   tcp any eq 445 any log
+     deny   udp any eq 445 any log
+     deny   tcp any any eq 6000 log
+     deny   tcp any any eq 1433 log
+     remark vpn
+     permit udp any eq isakmp any
+     remark permit to 6to4
+     permit ip any 192.88.99.0 0.0.0.255
+     permit 41 any 192.88.99.0 0.0.0.255
+     remark permit any from inside to outside
+     permit icmp any any
+     permit ip any any reflect iptraffic timeout 300
+     deny   ip any any log
+    !
+  :correct: true
+- :name: "My Home (2)"
+  :symbol: extacl-self-example2
+  :description: "inbound filter"
+  :acl: |
+    ip access-list extended GI0-IN
+     deny   ip 10.0.0.0 0.255.255.255 any log
+     deny   ip 172.16.0.0 0.15.255.255 any log
+     deny   ip 0.0.0.0 0.255.255.255 any log
+     deny   ip 127.0.0.0 0.255.255.255 any log
+     deny   ip 192.0.2.0 0.0.0.255 any log
+     deny   ip 169.254.0.0 0.0.255.255 any log
+     deny   ip 224.0.0.0 31.255.255.255 any log
+     deny   tcp any any eq 135 log
+     deny   udp any any eq 135 lo
+     deny   tcp any any range 137 139 log
+     deny   udp any any range netbios-ns netbios-ss log
+     deny   tcp any any eq 445 log
+     deny   udp any any eq 445 log
+     deny   tcp any any eq 6000 log
+     deny   tcp any any eq 1433 log
+     remark ospf
+     permit ospf 192.168.100.0 0.0.0.255 any
+     remark ihanet
+     permit gre any host 192.168.100.201
+     permit ipinip any host 192.168.100.201
+     remark vpn
+     permit esp any any
+     permit tcp any any eq 50
+     permit tcp any any eq 51
+     permit udp any any eq isakmp
+     permit udp any any eq 1701
+     remark ntp/dns
+     permit udp any eq ntp any
+     permit tcp any eq domain any
+     permit udp any eq domain any
+     remark ipv6
+     permit ip 192.88.99.0 0.0.0.255 any
+     permit 41 any any
+     remark home web server
+     permit tcp any any eq 80000
+     remark permit any from inside to outside
+     evaluate iptraffic 
+     permit tcp any any established
+     permit icmp any any
+     deny   ip any any log
+    !
+  :correct: false

data/spec/conf/scanner_spec_data.yml

@@ -0,0 +1,120 @@
+- :test_description: "named std acl header"
+  :test_symbol: named_std_acl
+  :test_data:
+  - :line: "ip access-list standard remote-ipv4  "
+    :tokens:
+      - [ NAMED_ACL, "ip access-list" ] # acl header
+      - standard
+      - [ STRING, "remote-ipv4" ]
+  - :line: " remark hoge fuga aa" # remark
+    :tokens:
+      - remark
+      - [ STRING, "hoge fuga aa" ]
+  - :line: " permit 192.168.0.0 0.0.255.255  "
+    :tokens:
+      - permit
+      - [ IPV4_ADDR, 192.168.0.0 ]
+      - [ IPV4_ADDR, 0.0.255.255 ]
+  - :line: " remark ip access-list extended hogehoge" # remark
+    :tokens:
+      - remark
+      - [ STRING, "ip access-list extended hogehoge" ]
+- :test_description: "named ext acl header"
+  :test_symbol: named_ext_acl
+  :test_data:
+  - :line: "ip access-list extended GI0-IN"
+    :tokens:
+      - [ NAMED_ACL, "ip access-list" ] # acl header
+      - extended
+      - [ STRING, GI0-IN ]
+  - :line: " deny   ip 10.0.0.0 0.255.255.255 any log"
+    :tokens:
+      - deny
+      - ip
+      - [ IPV4_ADDR, 10.0.0.0 ]
+      - [ IPV4_ADDR, 0.255.255.255 ]
+      - any
+      - log
+  - :line: " deny   ip 172.16.0.0 0.15.255.255 any log foobar"
+    :tokens:
+      - deny
+      - ip
+      - [ IPV4_ADDR, 172.16.0.0 ]
+      - [ IPV4_ADDR, 0.15.255.255 ]
+      - any
+      - log
+      - [ STRING, foobar ] # log (with cookie)
+- :test_description: "special values"
+  :test_symbol: special_values
+  :test_data:
+  - :line: "permit 192.168.3.0/24 for-test"
+    :tokens:
+      - permit
+      - [ IPV4_ADDR, 192.168.3.0 ]
+      - '/'
+      - [ NUMBER, 24 ]
+      - for-test
+- :test_description: "string arg tokens check"
+  :test_symbol: str_arg_tokens
+  :test_data:
+  - :line: " extended standard foobar"
+    :tokens:
+      - extended
+      - [ STRING, standard ]
+      - foobar
+  - :line: "abc standard log hoge"
+    :tokens:
+      - abc
+      - standard
+      - [ STRING, log ]
+      - hoge
+  - :line: "dynamic hogehoge"
+    :tokens:
+      - dynamic
+      - [ STRING, hogehoge ]
+  - :line: "log foobar"
+    :tokens:
+      - log
+      - [ STRING, foobar ]
+  - :line: "log-input abcde"
+    :tokens:
+      - log-input
+      - [ STRING, abcde ]
+  - :line: "foobar log"
+    :tokens:
+      - foobar
+      - log
+  - :line: "hogehoge log"
+    :tokens:
+      - hogehoge
+      - log
+  - :line: "time-range range-name"
+    :tokens:
+      - time-range
+      - [ STRING,  range-name ]
+  - :line: "reflect reflect-name "
+    :tokens:
+      - reflect
+      - [ STRING, reflect-name ]
+  - :line: "evaluate evaluate-name"
+    :tokens:
+      - evaluate
+      - [ STRING, evaluate-name ]
+  - :line: "object-group grpname"
+    :tokens:
+      - object-group
+      - [ STRING, grpname ]
+  - :line: "object-group network hoge"
+    :tokens:
+      - object-group
+      - network
+      - [ STRING, hoge ]
+  - :line: "object-group service ffff"
+    :tokens:
+      - object-group
+      - service
+      - [ STRING, ffff ]
+  - :line: "group-object nested-obj-name"
+    :tokens:
+      - group-object
+      - [ STRING, nested-obj-name ]

data/spec/conf/single_tokens.yml

@@ -0,0 +1,235 @@
+- ipv6
+- permit
+- deny
+- timeout
+- established
+- syn
+- ack
+- fin
+- psh
+- urg
+- rst
+- '+syn'
+- '-syn'
+- '+ack'
+- '-ack'
+- '+fin'
+- '-fin'
+- '+psh'
+- '-psh'
+- '+urg'
+- '-urg'
+- '+rst'
+- '-rst'
+- match-all
+- match-any
+- ahp
+- eigrp
+- esp
+- gre
+- icmp
+- igmp
+- ipinip
+- ip
+- nos
+- ospf
+- pcf
+- pim
+- tcp
+- udp
+- fragments
+- log-input
+- log-update
+- log
+- threshold
+- time-range
+- administratively-prohibited
+- alternate-address
+- conversion-error
+- dod-host-prohibited
+- dod-net-prohibited
+- echo-reply
+- echo
+- general-parameter-problem
+- host-isolated
+- mobile-redirect
+- net-redirect
+- net-tos-redirect
+- net-unreachable
+- network-unknown
+- no-room-for-option
+- option-missing
+- packet-too-big
+- parameter-problem
+- port-unreachable
+- precedence-unreachable
+- protocol-unreachable
+- host-precedence-unreachable
+- host-redirect
+- host-tos-redirect
+- host-unknown
+- host-unreachable
+- information-reply
+- information-request
+- mask-reply
+- mask-request
+- reassembly-timeout
+- redirect
+- router-advertisement
+- router-solicitation
+- source-quench
+- source-route-failed
+- time-exceeded
+- timestamp-reply
+- timestamp-request
+- traceroute
+- ttl-exceeded
+- unreachable
+- beyond-scope
+- destination-unreachable
+- echo-request
+- flow-label
+- mld-reduction
+- mld-report
+- next-header
+- parameter-option
+- renum-command
+- renum-result
+- renum-seq-number
+- router-renumbering
+- undetermined-transport
+- nd-na
+- nd-ns
+- header
+- hop-limit
+- mld-query
+- no-admin
+- no-route
+- routing
+- sequence
+- flash-override
+- precedence
+- critical
+- flash
+- immediate
+- internet
+- priority
+- routine
+- network
+- tos
+- max-reliability
+- max-throughput
+- min-delay
+- min-monetary-cost
+- normal
+- bgp
+- chargen
+- cmd
+- daytime
+- domain
+- drip
+- exec
+- finger
+- ftp-data
+- ftp
+- gopher
+- hostname
+- ident
+- irc
+- klogin
+- kshell
+- login
+- lpd
+- nntp
+- pim-auto-rp
+- pop2
+- pop3
+- smtp
+- tacacs
+- telnet
+- uucp
+- whois
+- www
+- biff
+- bootpc
+- bootps
+- dnsix
+- isakmp
+- mobile-ip
+- nameserver
+- netbios-dgm
+- netbios-ns
+- netbios-ss
+- non500-isakmp
+- ntp
+- pim-auto-rp
+- rip
+- snmp
+- snmptrap
+- syslog
+- tftp
+- who
+- xdmcp
+- discard
+- echo
+- sunrpc
+- talk
+- time
+- dscp
+- af11
+- af12
+- af13
+- af21
+- af22
+- af23
+- af31
+- af32
+- af33
+- af41
+- af42
+- af43
+- cs1
+- cs2
+- cs3
+- cs4
+- cs5
+- cs6
+- cs7
+- default
+- ef
+- option
+- add-ext
+- any-options
+- com-security
+- dps
+- encode
+- eool
+- ext-ip
+- ext-security
+- finn
+- imitd
+- lsr
+- mtup
+- mtur
+- no-op
+- nsapa
+- record-route
+- route-alert
+- sdb
+- security
+- ssr
+- stream-id
+- timestamp
+- ump
+- visa
+- zsu
+- tcp-udp
+- source
+- group-object
+- eq
+- neq
+- gt
+- lt
+- range
+- any
+- host

data/spec/conf/stdacl_token_seq.yml

@@ -0,0 +1,8 @@
+- :testname: stdacl_spec
+  :casedata: tokens1.yml
+  :fieldseq:
+    - acl
+    - stdacl_num
+    - action
+    - ip_spec1
+    - std_acl_log_spec