cisco_acl_intp 0.0.1
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +2 -0
- data/.rubocop.yml +13 -0
- data/.travis.yml +3 -0
- data/.yardopts +4 -0
- data/Gemfile +19 -0
- data/LICENSE.txt +22 -0
- data/README.md +132 -0
- data/Rakefile +78 -0
- data/acl_examples/err-acl.txt +49 -0
- data/acl_examples/named-ext-acl.txt +12 -0
- data/acl_examples/named-std-acl.txt +6 -0
- data/acl_examples/numd-acl.txt +21 -0
- data/cisco_acl_intp.gemspec +31 -0
- data/lib/cisco_acl_intp/ace.rb +432 -0
- data/lib/cisco_acl_intp/ace_ip.rb +136 -0
- data/lib/cisco_acl_intp/ace_other_qualifiers.rb +102 -0
- data/lib/cisco_acl_intp/ace_port.rb +146 -0
- data/lib/cisco_acl_intp/ace_proto.rb +319 -0
- data/lib/cisco_acl_intp/ace_srcdst.rb +114 -0
- data/lib/cisco_acl_intp/ace_tcp_flags.rb +65 -0
- data/lib/cisco_acl_intp/acl.rb +272 -0
- data/lib/cisco_acl_intp/acl_base.rb +111 -0
- data/lib/cisco_acl_intp/parser.rb +3509 -0
- data/lib/cisco_acl_intp/parser.ry +1397 -0
- data/lib/cisco_acl_intp/scanner.rb +176 -0
- data/lib/cisco_acl_intp/scanner_special_token_handler.rb +66 -0
- data/lib/cisco_acl_intp/version.rb +5 -0
- data/lib/cisco_acl_intp.rb +9 -0
- data/spec/cisco_acl_intp/ace_ip_spec.rb +111 -0
- data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +63 -0
- data/spec/cisco_acl_intp/ace_port_spec.rb +214 -0
- data/spec/cisco_acl_intp/ace_proto_spec.rb +200 -0
- data/spec/cisco_acl_intp/ace_spec.rb +605 -0
- data/spec/cisco_acl_intp/ace_srcdst_spec.rb +296 -0
- data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +38 -0
- data/spec/cisco_acl_intp/acl_spec.rb +523 -0
- data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +7 -0
- data/spec/cisco_acl_intp/parser_spec.rb +53 -0
- data/spec/cisco_acl_intp/scanner_spec.rb +122 -0
- data/spec/conf/extacl_objgrp_token_seq.yml +36 -0
- data/spec/conf/extacl_token_seq.yml +88 -0
- data/spec/conf/extended_acl.yml +226 -0
- data/spec/conf/scanner_spec_data.yml +120 -0
- data/spec/conf/single_tokens.yml +235 -0
- data/spec/conf/stdacl_token_seq.yml +8 -0
- data/spec/conf/tokens1.yml +158 -0
- data/spec/conf/tokens2.yml +206 -0
- data/spec/parser_fullfill_patterns.rb +145 -0
- data/spec/spec_helper.rb +54 -0
- data/tools/check_acl.rb +48 -0
- metadata +159 -0
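--- a/data/spec/conf/extacl_objgrp_token_seq.yml
+++ b/data/spec/conf/extacl_objgrp_token_seq.yml
@@ -0,0 +1,36 @@
+- :testname: extacl_objgrp1_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcpudp_proto
+- ip_spec_objgrp1
+- null_port
+- ip_spec_objgrp2
+- null_port
+- ext_acl_log_spec
+- :testname: extacl_objgrp2_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec_objgrp1
+- tcp_port_spec1
+- ip_spec_objgrp2
+- tcp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_objgrp3_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- udp_proto
+- ip_spec_objgrp1
+- udp_port_spec1
+- ip_spec_objgrp2
+- udp_port_spec2
+- ext_acl_log_spec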
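--- a/data/spec/conf/extacl_token_seq.yml
+++ b/data/spec/conf/extacl_token_seq.yml
@@ -0,0 +1,88 @@
+- :testname: extacl_icmp_spec
+:casedata: tokens1.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- icmp_proto
+- ip_spec1
+- ip_spec2
+- icmp_qualifier
+- ext_acl_log_spec
+- :testname: extacl_ip_spec
+:casedata: tokens1.yml
+:fieldseq:
+- acl
+- extacl_num
+- dynamic_spec
+- action
+- ip_proto
+- ip_spec1
+- ip_spec2
+- ext_acl_log_spec
+- :testname: extacl_tcp_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- tcp_proto
+- ip_spec1
+- tcp_port_spec1
+- ip_spec2
+- tcp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_udp_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+# - dynamic_spec
+- action
+- udp_proto
+- ip_spec1
+- udp_port_spec1
+- ip_spec2
+- udp_port_spec2
+- ext_acl_log_spec
+- :testname: extacl_options1_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec1
+- tcp_port_spec1
+- ip_spec2
+- tcp_port_spec2
+- tcp_flags
+- precedence
+- time_range
+- :testname: extacl_options2_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- udp_proto
+- ip_spec1
+- udp_port_spec1
+- ip_spec2
+- udp_port_spec2
+- dscp
+- tos
+- :testname: extacl_tcpflag_spec
+:casedata: tokens2.yml
+:fieldseq:
+- acl
+- extacl_num
+- action
+- tcp_proto
+- ip_spec1
+- null_port
+- ip_spec2
+- null_port
+- tcp_flags2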
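Review bot: The three `# - dynamic_spec` lines (hunk lines 6, 29 and 42) disable a field with no explanation, while extacl_ip_spec keeps `- dynamic_spec` active, so a reader cannot tell whether the icmp/tcp/udp sequences deliberately skip the dynamic keyword or are simply unfinished. A one-line comment above the first occurrence would settle it, e.g. `# dynamic_spec intentionally omitted here; the dynamic keyword is covered by extacl_ip_spec` (reworded if the omission is temporary). Without it, the next person regenerating fixtures may either drop the active one for symmetry or re-enable all three and change the case count.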
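--- a/data/spec/conf/extended_acl.yml
+++ b/data/spec/conf/extended_acl.yml
@@ -0,0 +1,226 @@
+# Transit Access Control Lists: Filtering at Your Edge [IP Addressing Services] - Cisco Systems http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
+- :name: "Anti-spoofing entries."
+:symbol: extacl-deny-antispoof
+:description: "Deny special-use address sources. Refer to RFC 3330 for additional special use addresses."
+:acl: |
+access-list 110 deny ip 127.0.0.0 0.255.255.255 any
+access-list 110 deny ip 192.0.2.0 0.0.0.255 any
+access-list 110 deny ip 224.0.0.0 31.255.255.255 any
+access-list 110 deny ip host 255.255.255.255 any
+:correct: true
+- :name: "DHCP relays"
+:symbol: extacl-permit-dhcprelay
+:description: "The deny statement should not be configured on Dynamic Host Configuration Protocol (DHCP) relays."
+:acl: |
+access-list 110 deny ip host 0.0.0.0 any
+:correct: true
+- :name: "Filter RFC 1918 space."
+:symbol: extacl-deny-rfc1918
+:description: ""
+:acl: |
+access-list 110 deny ip 10.0.0.0 0.255.255.255 any
+access-list 110 deny ip 172.16.0.0 0.15.255.255 any
+access-list 110 deny ip 192.168.0.0 0.0.255.255 any
+:correct: true
+- :name: "Permit Border Gateway Protocol (BGP) to the edge router."
+:symbol: extacl-permit-bgp
+:description: ""
+:acl: |
+access-list 110 permit tcp host 10.1.1.1 gt 1023 host 10.1.1.2 eq bgp
+access-list 110 permit tcp host 10.1.1.1 eq bgp host 10.1.1.2 gt 1023
+:correct: true
+- :name: "Deny your space as source (as noted in RFC 2827)."
+:symbol: extacl-permit-local
+:description: ""
+:acl: |
+access-list 110 deny ip 192.168.201.0 0.0.0.255 any
+:correct: true
+- :name: "Explicitly permit return traffic."
+:symbol: extacl-permit-icmp
+:description: "Allow specific ICMP types."
+:acl: |
+access-list 110 permit icmp any any echo-reply
+access-list 110 permit icmp any any unreachable
+access-list 110 permit icmp any any time-exceeded
+access-list 110 deny icmp any any
+:correct: true
+- :name: "DNS queries"
+:symbol: extacl-permit-dnsquery
+:description: ""
+:acl: |
+access-list 110 remark !--- These are outgoing DNS queries.
+access-list 110 permit udp any eq domain host 192.168.201.104 gt 1023
+access-list 110 remark !--- Permit older DNS queries and replies to primary DNS server.
+access-list 110 permit udp any eq domain host 192.168.201.104 eq domain
+:correct: true
+- :name: "Permit legitimate business traffic."
+:symbol: extacl-permit-business-traffic
+:description: ""
+:acl: |
+access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
+access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023
+:correct: true
+- :name: "Allow ftp data and multimedia connections."
+:symbol: extacl-permit-ftpclient
+:description: ""
+:acl: |
+access-list 110 remark !--- Allow FTP data connections.
+access-list 110 permit tcp any eq ftp-data 192.168.201.0 0.0.0.255 gt 1023
+access-list 110 remark !--- Allow TFTP data and multimedia connections.
+access-list 110 permit udp any gt 1023 192.168.201.0 0.0.0.255 gt 1023
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (DNS)"
+:symbol: extacl-permit-dns-server
+:description: ""
+:acl: |
+access-list 110 remark !--- These are incoming DNS queries.
+access-list 110 permit udp any gt 1023 host 192.168.201.104 eq domain
+access-list 110 remark !--- Zone transfer DNS queries to primary DNS server.
+access-list 110 permit tcp host 172.16.201.50 gt 1023 host 192.168.201.104 eq domain
+access-list 110 remark !--- Permit older DNS zone transfers.
+access-list 110 permit tcp host 172.16.201.50 eq domain host 192.168.201.104 eq domain
+access-list 110 remark !--- Deny all other DNS traffic.
+access-list 110 deny udp any any eq domain
+access-list 110 deny tcp any any eq domain
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (VPN)"
+:symbol: extacl-permit-vpn-server
+:description: "Allow IPSec VPN traffic."
+:acl: |
+access-list 110 permit udp any host 192.168.201.100 eq isakmp
+access-list 110 permit udp any host 192.168.201.100 eq non500-isakmp
+access-list 110 permit esp any host 192.168.201.100
+access-list 110 permit ahp any host 192.168.201.100
+access-list 110 deny ip any host 192.168.201.100
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (Others)"
+:symbol: extacl-permit-web-server
+:description: "These are Internet-sourced connections to publicly accessible servers."
+:acl: |
+access-list 110 permit tcp any host 192.168.201.101 eq www
+access-list 110 permit tcp any host 192.168.201.101 eq 443
+access-list 110 permit tcp any host 192.168.201.102 eq ftp
+:correct: true
+- :name: "Explicitly permit externally sourced traffic. (FTP)"
+:symbol: extacl-permit-ftp-server
+:description: "Data connections to the FTP server are allowed by the permit established ACE. Allow PASV data connections to the FTP server."
+:acl: |
+access-list 110 permit tcp any gt 1023 host 192.168.201.102 gt 1023
+access-list 110 permit tcp any host 192.168.201.103 eq smtp
+:correct: true
+- :name: "Explicitly deny all other traffic."
+:symbol: extacl-deny-any
+:description: ""
+:acl: |
+access-list 101 deny ip any any
+:correct: true
+#
+# IP アクセス リストの設定 - Cisco Systems http://www.cisco.com/cisco/web/support/JP/100/1008/1008446_confaccesslists-j.html#reflexacl
+# Configuring IP Access Lists - Cisco Systems http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
+#
+- :name: "Reflexive ACLs"
+:symbol: extacl-reflexive
+:description: ""
+:acl: |
+ip access-list extended inboundfilters
+permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
+evaluate tcptraffic
+!
+ip access-list extended outboundfilters
+permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
+permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
+!
+:correct: true
+- :name: "Time-Based ACLs Using Time Ranges"
+:symbol: extacl-time-based
+:description: ""
+:acl: |
+access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY
+:correct: true
+#
+# used at home router
+#
+- :name: "My Home (1)"
+:symbol: extacl-self-example1
+:description: "outbound filter"
+:acl: |
+ip access-list extended GI0-OUT
+deny ip any 10.0.0.0 0.255.255.255 log
+deny ip any 172.16.0.0 0.15.255.255 log
+deny ip any 0.0.0.0 0.255.255.255 log
+deny ip any 127.0.0.0 0.255.255.255 log
+deny ip any 192.0.2.0 0.0.0.255 log
+deny ip any 169.254.0.0 0.0.255.255 log
+deny ip any 224.0.0.0 31.255.255.255 log
+deny tcp any any eq 135 log
+deny udp any any eq 135 log
+deny tcp any any range 137 139 log
+deny udp any any range netbios-ns netbios-ss log
+deny tcp any any eq 445 log
+deny udp any any eq 445 log
+deny tcp any eq 135 any log
+deny udp any eq 135 any log
+deny tcp any range 137 139 any log
+deny udp any range netbios-ns netbios-ss any log
+deny tcp any eq 445 any log
+deny udp any eq 445 any log
+deny tcp any any eq 6000 log
+deny tcp any any eq 1433 log
+remark vpn
+permit udp any eq isakmp any
+remark permit to 6to4
+permit ip any 192.88.99.0 0.0.0.255
+permit 41 any 192.88.99.0 0.0.0.255
+remark permit any from inside to outside
+permit icmp any any
+permit ip any any reflect iptraffic timeout 300
+deny ip any any log
+!
+:correct: true
+- :name: "My Home (2)"
+:symbol: extacl-self-example2
+:description: "inbound filter"
+:acl: |
+ip access-list extended GI0-IN
+deny ip 10.0.0.0 0.255.255.255 any log
+deny ip 172.16.0.0 0.15.255.255 any log
+deny ip 0.0.0.0 0.255.255.255 any log
+deny ip 127.0.0.0 0.255.255.255 any log
+deny ip 192.0.2.0 0.0.0.255 any log
+deny ip 169.254.0.0 0.0.255.255 any log
+deny ip 224.0.0.0 31.255.255.255 any log
+deny tcp any any eq 135 log
+deny udp any any eq 135 lo
+deny tcp any any range 137 139 log
+deny udp any any range netbios-ns netbios-ss log
+deny tcp any any eq 445 log
+deny udp any any eq 445 log
+deny tcp any any eq 6000 log
+deny tcp any any eq 1433 log
+remark ospf
+permit ospf 192.168.100.0 0.0.0.255 any
+remark ihanet
+permit gre any host 192.168.100.201
+permit ipinip any host 192.168.100.201
+remark vpn
+permit esp any any
+permit tcp any any eq 50
+permit tcp any any eq 51
+permit udp any any eq isakmp
+permit udp any any eq 1701
+remark ntp/dns
+permit udp any eq ntp any
+permit tcp any eq domain any
+permit udp any eq domain any
+remark ipv6
+permit ip 192.88.99.0 0.0.0.255 any
+permit 41 any any
+remark home web server
+permit tcp any any eq 80000
+remark permit any from inside to outside
+evaluate iptraffic
+permit tcp any any established
+permit icmp any any
+deny ip any any log
+!
+:correct: false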
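Review bot: The last case is the only negative one (`:correct: false`, hunk line 226), yet nothing marks which of its ACL lines carry the deliberate fault, so someone tidying the fixture can "repair" them and silently turn the negative test into a positive one. The truncated keyword in `deny udp any any eq 135 lo` (line 193) and the out-of-range port in `permit tcp any any eq 80000` (line 219) look like the intended errors, but that is inferred; the case should say so itself, e.g. a comment above it: `# NEGATIVE CASE: intentional parse errors ("eq 135 lo" truncated keyword, "eq 80000" port above 65535) — the parser must reject this ACL`. Since the gem exists to flag malformed ACLs before they reach a device, the fixture should state which malformations it covers rather than leave them to be rediscovered. A smaller naming wart: `:symbol: extacl-permit-local` (line 33) labels a deny entry, and the "deny all other traffic" case uses `access-list 101` (line 115) while its neighbours use 110; both are harmless for parsing but worth a comment if they are meant to stay.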
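--- a/data/spec/conf/scanner_spec_data.yml
+++ b/data/spec/conf/scanner_spec_data.yml
@@ -0,0 +1,120 @@
+- :test_description: "named std acl header"
+:test_symbol: named_std_acl
+:test_data:
+- :line: "ip access-list standard remote-ipv4 "
+:tokens:
+- [ NAMED_ACL, "ip access-list" ] # acl header
+- standard
+- [ STRING, "remote-ipv4" ]
+- :line: " remark hoge fuga aa" # remark
+:tokens:
+- remark
+- [ STRING, "hoge fuga aa" ]
+- :line: " permit 192.168.0.0 0.0.255.255 "
+:tokens:
+- permit
+- [ IPV4_ADDR, 192.168.0.0 ]
+- [ IPV4_ADDR, 0.0.255.255 ]
+- :line: " remark ip access-list extended hogehoge" # remark
+:tokens:
+- remark
+- [ STRING, "ip access-list extended hogehoge" ]
+- :test_description: "named ext acl header"
+:test_symbol: named_ext_acl
+:test_data:
+- :line: "ip access-list extended GI0-IN"
+:tokens:
+- [ NAMED_ACL, "ip access-list" ] # acl header
+- extended
+- [ STRING, GI0-IN ]
+- :line: " deny ip 10.0.0.0 0.255.255.255 any log"
+:tokens:
+- deny
+- ip
+- [ IPV4_ADDR, 10.0.0.0 ]
+- [ IPV4_ADDR, 0.255.255.255 ]
+- any
+- log
+- :line: " deny ip 172.16.0.0 0.15.255.255 any log foobar"
+:tokens:
+- deny
+- ip
+- [ IPV4_ADDR, 172.16.0.0 ]
+- [ IPV4_ADDR, 0.15.255.255 ]
+- any
+- log
+- [ STRING, foobar ] # log (with cookie)
+- :test_description: "special values"
+:test_symbol: special_values
+:test_data:
+- :line: "permit 192.168.3.0/24 for-test"
+:tokens:
+- permit
+- [ IPV4_ADDR, 192.168.3.0 ]
+- '/'
+- [ NUMBER, 24 ]
+- for-test
+- :test_description: "string arg tokens check"
+:test_symbol: str_arg_tokens
+:test_data:
+- :line: " extended standard foobar"
+:tokens:
+- extended
+- [ STRING, standard ]
+- foobar
+- :line: "abc standard log hoge"
+:tokens:
+- abc
+- standard
+- [ STRING, log ]
+- hoge
+- :line: "dynamic hogehoge"
+:tokens:
+- dynamic
+- [ STRING, hogehoge ]
+- :line: "log foobar"
+:tokens:
+- log
+- [ STRING, foobar ]
+- :line: "log-input abcde"
+:tokens:
+- log-input
+- [ STRING, abcde ]
+- :line: "foobar log"
+:tokens:
+- foobar
+- log
+- :line: "hogehoge log"
+:tokens:
+- hogehoge
+- log
+- :line: "time-range range-name"
+:tokens:
+- time-range
+- [ STRING, range-name ]
+- :line: "reflect reflect-name "
+:tokens:
+- reflect
+- [ STRING, reflect-name ]
+- :line: "evaluate evaluate-name"
+:tokens:
+- evaluate
+- [ STRING, evaluate-name ]
+- :line: "object-group grpname"
+:tokens:
+- object-group
+- [ STRING, grpname ]
+- :line: "object-group network hoge"
+:tokens:
+- object-group
+- network
+- [ STRING, hoge ]
+- :line: "object-group service ffff"
+:tokens:
+- object-group
+- service
+- [ STRING, ffff ]
+- :line: "group-object nested-obj-name"
+:tokens:
+- group-object
+- [ STRING, nested-obj-name ]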
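--- a/data/spec/conf/single_tokens.yml
+++ b/data/spec/conf/single_tokens.yml
@@ -0,0 +1,235 @@
+- ipv6
+- permit
+- deny
+- timeout
+- established
+- syn
+- ack
+- fin
+- psh
+- urg
+- rst
+- '+syn'
+- '-syn'
+- '+ack'
+- '-ack'
+- '+fin'
+- '-fin'
+- '+psh'
+- '-psh'
+- '+urg'
+- '-urg'
+- '+rst'
+- '-rst'
+- match-all
+- match-any
+- ahp
+- eigrp
+- esp
+- gre
+- icmp
+- igmp
+- ipinip
+- ip
+- nos
+- ospf
+- pcf
+- pim
+- tcp
+- udp
+- fragments
+- log-input
+- log-update
+- log
+- threshold
+- time-range
+- administratively-prohibited
+- alternate-address
+- conversion-error
+- dod-host-prohibited
+- dod-net-prohibited
+- echo-reply
+- echo
+- general-parameter-problem
+- host-isolated
+- mobile-redirect
+- net-redirect
+- net-tos-redirect
+- net-unreachable
+- network-unknown
+- no-room-for-option
+- option-missing
+- packet-too-big
+- parameter-problem
+- port-unreachable
+- precedence-unreachable
+- protocol-unreachable
+- host-precedence-unreachable
+- host-redirect
+- host-tos-redirect
+- host-unknown
+- host-unreachable
+- information-reply
+- information-request
+- mask-reply
+- mask-request
+- reassembly-timeout
+- redirect
+- router-advertisement
+- router-solicitation
+- source-quench
+- source-route-failed
+- time-exceeded
+- timestamp-reply
+- timestamp-request
+- traceroute
+- ttl-exceeded
+- unreachable
+- beyond-scope
+- destination-unreachable
+- echo-request
+- flow-label
+- mld-reduction
+- mld-report
+- next-header
+- parameter-option
+- renum-command
+- renum-result
+- renum-seq-number
+- router-renumbering
+- undetermined-transport
+- nd-na
+- nd-ns
+- header
+- hop-limit
+- mld-query
+- no-admin
+- no-route
+- routing
+- sequence
+- flash-override
+- precedence
+- critical
+- flash
+- immediate
+- internet
+- priority
+- routine
+- network
+- tos
+- max-reliability
+- max-throughput
+- min-delay
+- min-monetary-cost
+- normal
+- bgp
+- chargen
+- cmd
+- daytime
+- domain
+- drip
+- exec
+- finger
+- ftp-data
+- ftp
+- gopher
+- hostname
+- ident
+- irc
+- klogin
+- kshell
+- login
+- lpd
+- nntp
+- pim-auto-rp
+- pop2
+- pop3
+- smtp
+- tacacs
+- telnet
+- uucp
+- whois
+- www
+- biff
+- bootpc
+- bootps
+- dnsix
+- isakmp
+- mobile-ip
+- nameserver
+- netbios-dgm
+- netbios-ns
+- netbios-ss
+- non500-isakmp
+- ntp
+- pim-auto-rp
+- rip
+- snmp
+- snmptrap
+- syslog
+- tftp
+- who
+- xdmcp
+- discard
+- echo
+- sunrpc
+- talk
+- time
+- dscp
+- af11
+- af12
+- af13
+- af21
+- af22
+- af23
+- af31
+- af32
+- af33
+- af41
+- af42
+- af43
+- cs1
+- cs2
+- cs3
+- cs4
+- cs5
+- cs6
+- cs7
+- default
+- ef
+- option
+- add-ext
+- any-options
+- com-security
+- dps
+- encode
+- eool
+- ext-ip
+- ext-security
+- finn
+- imitd
+- lsr
+- mtup
+- mtur
+- no-op
+- nsapa
+- record-route
+- route-alert
+- sdb
+- security
+- ssr
+- stream-id
+- timestamp
+- ump
+- visa
+- zsu
+- tcp-udp
+- source
+- group-object
+- eq
+- neq
+- gt
+- lt
+- range
+- any
+- host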
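Review bot: `pim-auto-rp` (hunk lines 144 and 165) and `echo` (lines 52 and 174) each appear twice in the list; if the spec that loads this file treats it as a set of distinct keywords the second copies are dead entries, and if the repetition is intentional (the same name is valid in more than one keyword class, e.g. as a TCP and a UDP port name) a comment should say so, e.g. `# echo and pim-auto-rp repeat on purpose: valid in more than one keyword class`. The flat list also gives no hint where one class ends and the next begins (TCP flags, protocols, ICMP types, precedence/ToS, TCP ports, UDP ports, DSCP values, IP options), so a one-line section comment at each transition, e.g. `# --- UDP port keywords ---` before line 153, would let a reviewer check each class for completeness against the grammar in parser.ry instead of scanning 235 undifferentiated entries.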