cisco_acl_intp 0.0.2 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/README.md +64 -3
- data/cisco_acl_intp.gemspec +2 -2
- data/lib/cisco_acl_intp/ace.rb +9 -286
- data/lib/cisco_acl_intp/ace_ip.rb +24 -22
- data/lib/cisco_acl_intp/ace_other_qualifiers.rb +23 -6
- data/lib/cisco_acl_intp/ace_port.rb +37 -182
- data/lib/cisco_acl_intp/ace_port_opr.rb +251 -0
- data/lib/cisco_acl_intp/ace_port_opr_base.rb +138 -0
- data/lib/cisco_acl_intp/ace_proto.rb +133 -328
- data/lib/cisco_acl_intp/ace_proto_base.rb +163 -0
- data/lib/cisco_acl_intp/ace_srcdst.rb +30 -40
- data/lib/cisco_acl_intp/ace_tcp_flags.rb +9 -3
- data/lib/cisco_acl_intp/acl.rb +1 -251
- data/lib/cisco_acl_intp/acl_base.rb +1 -1
- data/lib/cisco_acl_intp/acl_utils.rb +120 -0
- data/lib/cisco_acl_intp/extended_ace.rb +149 -0
- data/lib/cisco_acl_intp/mono_function_acl.rb +161 -0
- data/lib/cisco_acl_intp/parser.rb +237 -395
- data/lib/cisco_acl_intp/parser.ry +85 -243
- data/lib/cisco_acl_intp/parser_api.rb +2 -2
- data/lib/cisco_acl_intp/single_acl_base.rb +137 -0
- data/lib/cisco_acl_intp/standard_ace.rb +105 -0
- data/lib/cisco_acl_intp/version.rb +1 -1
- data/spec/cisco_acl_intp/ace_ip_spec.rb +63 -0
- data/spec/cisco_acl_intp/ace_other_qualifier_spec.rb +52 -1
- data/spec/cisco_acl_intp/ace_port_operator_spec.rb +340 -0
- data/spec/cisco_acl_intp/ace_port_spec.rb +67 -217
- data/spec/cisco_acl_intp/ace_proto_spec.rb +118 -41
- data/spec/cisco_acl_intp/ace_spec.rb +38 -547
- data/spec/cisco_acl_intp/ace_srcdst_spec.rb +115 -226
- data/spec/cisco_acl_intp/ace_tcp_flags_spec.rb +36 -4
- data/spec/cisco_acl_intp/acl_base_spec.rb +2 -2
- data/spec/cisco_acl_intp/extended_ace_spec.rb +411 -0
- data/spec/cisco_acl_intp/extended_acl_spec.rb +265 -0
- data/spec/cisco_acl_intp/scanner_spec.rb +13 -12
- data/spec/cisco_acl_intp/standard_ace_spec.rb +77 -0
- data/spec/cisco_acl_intp/standard_acl_spec.rb +245 -0
- data/spec/conf/scanner_spec_data.yml +32 -0
- data/spec/spec_helper.rb +2 -2
- metadata +20 -4
- data/spec/cisco_acl_intp/acl_spec.rb +0 -525
|
@@ -2,14 +2,41 @@
|
|
|
2
2
|
require 'spec_helper'
|
|
3
3
|
|
|
4
4
|
describe AceSrcDstSpec do
|
|
5
|
+
describe '#==' do
|
|
6
|
+
before(:all) do
|
|
7
|
+
@sds1 = AceSrcDstSpec.new(
|
|
8
|
+
ipaddr: '192.168.4.2', wildcard: '0.0.0.255',
|
|
9
|
+
operator: :eq, port: AceTcpProtoSpec.new(88)
|
|
10
|
+
)
|
|
11
|
+
@sds2 = AceSrcDstSpec.new(
|
|
12
|
+
ipaddr: '192.168.4.2', netmask: 24,
|
|
13
|
+
operator: 'eq', port: AceTcpProtoSpec.new('88')
|
|
14
|
+
)
|
|
15
|
+
@sds3 = AceSrcDstSpec.new(
|
|
16
|
+
ipaddr: '192.168.4.2', wildcard: '0.0.0.255',
|
|
17
|
+
operator: 'lt', port: AceTcpProtoSpec.new(88)
|
|
18
|
+
)
|
|
19
|
+
@sds4 = AceSrcDstSpec.new(
|
|
20
|
+
ipaddr: '192.168.4.3', wildcard: '0.0.0.255',
|
|
21
|
+
operator: 'eq', port: AceTcpProtoSpec.new(88)
|
|
22
|
+
)
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
it 'should be true when same ip/netmask/wildcard' do
|
|
26
|
+
(@sds1 == @sds2).should be_true
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it 'should be false when different operator' do
|
|
30
|
+
(@sds1 == @sds3).should be_false
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
it 'should be false when different ip' do
|
|
34
|
+
(@sds1 == @sds4).should be_false
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
|
|
5
38
|
describe '#to_s' do
|
|
6
39
|
context 'Normal case' do
|
|
7
|
-
before do
|
|
8
|
-
@p1 = AceTcpProtoSpec.new(
|
|
9
|
-
number: 80
|
|
10
|
-
)
|
|
11
|
-
end
|
|
12
|
-
|
|
13
40
|
it 'should be "192.168.3.0 0.0.0.127" without L4 port' do
|
|
14
41
|
sds = AceSrcDstSpec.new(
|
|
15
42
|
ipaddr: '192.168.3.3',
|
|
@@ -23,14 +50,13 @@ describe AceSrcDstSpec do
|
|
|
23
50
|
ipaddr: '192.168.3.3',
|
|
24
51
|
wildcard: '0.0.0.127',
|
|
25
52
|
operator: 'eq',
|
|
26
|
-
port:
|
|
53
|
+
port: AceTcpProtoSpec.new(80)
|
|
27
54
|
)
|
|
28
55
|
sds.to_s.should be_aclstr('192.168.3.0 0.0.0.127 eq www')
|
|
29
56
|
end
|
|
30
57
|
end
|
|
31
58
|
|
|
32
59
|
context 'Argument error case' do
|
|
33
|
-
|
|
34
60
|
it 'should be raise exception when :ipaddr not specified' do
|
|
35
61
|
lambda do
|
|
36
62
|
AceSrcDstSpec.new(
|
|
@@ -38,45 +64,24 @@ describe AceSrcDstSpec do
|
|
|
38
64
|
)
|
|
39
65
|
end.should raise_error(AclArgumentError)
|
|
40
66
|
end
|
|
41
|
-
|
|
42
67
|
## TBD, error handling must be written in detail
|
|
43
68
|
end
|
|
44
69
|
end
|
|
45
70
|
|
|
46
|
-
describe '#
|
|
71
|
+
describe '#contains?' do
|
|
72
|
+
def _srcdst(ip, opr, port)
|
|
73
|
+
ip_spec = AceIpSpec.new(ipaddr: ip)
|
|
74
|
+
port_spec = AceTcpProtoSpec.new(port)
|
|
75
|
+
AceSrcDstSpec.new(ip_spec: ip_spec, operator: opr, port: port_spec)
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
context 'port containing check' do
|
|
79
|
+
before(:all) do
|
|
80
|
+
ipaddr = AceIpSpec.new(ipaddr: '192.168.15.15', wildcard: '0.0.7.6')
|
|
81
|
+
@p1 = AceTcpProtoSpec.new(80)
|
|
82
|
+
@sds0 = AceSrcDstSpec.new(ip_spec: ipaddr)
|
|
83
|
+
@sds1 = AceSrcDstSpec.new(ip_spec: ipaddr, operator: :lt, port: @p1)
|
|
47
84
|
|
|
48
|
-
context 'with port unary operator: eq/neq/gt/lt' do
|
|
49
|
-
before do
|
|
50
|
-
ipaddr = AceIpSpec.new(
|
|
51
|
-
ipaddr: '192.168.15.15',
|
|
52
|
-
wildcard: '0.0.7.6'
|
|
53
|
-
)
|
|
54
|
-
@p1 = AceTcpProtoSpec.new(
|
|
55
|
-
number: 80
|
|
56
|
-
)
|
|
57
|
-
@sds0 = AceSrcDstSpec.new(
|
|
58
|
-
ip_spec: ipaddr
|
|
59
|
-
)
|
|
60
|
-
@sds1 = AceSrcDstSpec.new(
|
|
61
|
-
ip_spec: ipaddr,
|
|
62
|
-
operator: 'eq',
|
|
63
|
-
port: @p1
|
|
64
|
-
)
|
|
65
|
-
@sds2 = AceSrcDstSpec.new(
|
|
66
|
-
ip_spec: ipaddr,
|
|
67
|
-
operator: 'neq',
|
|
68
|
-
port: @p1
|
|
69
|
-
)
|
|
70
|
-
@sds3 = AceSrcDstSpec.new(
|
|
71
|
-
ip_spec: ipaddr,
|
|
72
|
-
operator: 'lt',
|
|
73
|
-
port: @p1
|
|
74
|
-
)
|
|
75
|
-
@sds4 = AceSrcDstSpec.new(
|
|
76
|
-
ip_spec: ipaddr,
|
|
77
|
-
operator: 'gt',
|
|
78
|
-
port: @p1
|
|
79
|
-
)
|
|
80
85
|
@ip_match = '192.168.9.11'
|
|
81
86
|
@ip_unmatch = '192.168.9.12'
|
|
82
87
|
@p1_match = 80
|
|
@@ -85,198 +90,99 @@ describe AceSrcDstSpec do
|
|
|
85
90
|
@p1_higher = 6633
|
|
86
91
|
end
|
|
87
92
|
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
@sds0.matches?(@ip_match, @p1_unmatch).should be_true
|
|
92
|
-
@sds0.matches?(@ip_match, @p1_lower).should be_true
|
|
93
|
-
@sds0.matches?(@ip_match, @p1_higher).should be_true
|
|
94
|
-
end
|
|
95
|
-
|
|
96
|
-
it 'should be false, when unmatch ip and "any" port' do
|
|
97
|
-
@sds0.matches?(@ip_unmatch, @p1_match).should be_false
|
|
98
|
-
@sds0.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
99
|
-
@sds0.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
100
|
-
@sds0.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
101
|
-
end
|
|
93
|
+
it 'should be true when match ip and ANY port' do
|
|
94
|
+
@sds0.contains?(_srcdst(@ip_match, :eq, @p1_match)).should be_true
|
|
95
|
+
@sds0.contains?(_srcdst(@ip_match, :eq, @p1_unmatch)).should be_true
|
|
102
96
|
end
|
|
103
97
|
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
end
|
|
108
|
-
|
|
109
|
-
it 'should be false, with match ip and unmatch eq port' do
|
|
110
|
-
@sds1.matches?(@ip_match, @p1_unmatch).should be_false
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
it 'should be false, with unmatch ip and match eq port' do
|
|
114
|
-
@sds1.matches?(@ip_unmatch, @p1_match).should be_false
|
|
115
|
-
end
|
|
116
|
-
|
|
117
|
-
it 'should be false, with unmatch ip and unmatch eq port' do
|
|
118
|
-
@sds1.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
119
|
-
end
|
|
98
|
+
it 'should be false when unmatch ip and ANY port' do
|
|
99
|
+
@sds0.contains?(_srcdst(@ip_unmatch, :eq, @p1_match)).should be_false
|
|
100
|
+
@sds0.contains?(_srcdst(@ip_unmatch, :eq, @p1_unmatch)).should be_false
|
|
120
101
|
end
|
|
121
102
|
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
end
|
|
126
|
-
|
|
127
|
-
it 'should be true, with match ip and unmatch eq port' do
|
|
128
|
-
@sds2.matches?(@ip_match, @p1_unmatch).should be_true
|
|
129
|
-
end
|
|
130
|
-
|
|
131
|
-
it 'should be false, with unmatch ip and match eq port' do
|
|
132
|
-
@sds2.matches?(@ip_unmatch, @p1_match).should be_false
|
|
133
|
-
end
|
|
134
|
-
|
|
135
|
-
it 'should be false, with unmatch ip and unmatch eq port' do
|
|
136
|
-
@sds2.matches?(@ip_unmatch, @p1_unmatch).should be_false
|
|
137
|
-
end
|
|
138
|
-
end
|
|
139
|
-
|
|
140
|
-
context 'lt' do
|
|
141
|
-
it 'should be true, with match ip lower eq port' do
|
|
142
|
-
@sds3.matches?(@ip_match, @p1_lower).should be_true
|
|
143
|
-
end
|
|
144
|
-
|
|
145
|
-
it 'should be false, with match ip and higher eq port' do
|
|
146
|
-
@sds3.matches?(@ip_match, @p1_higher).should be_false
|
|
147
|
-
end
|
|
148
|
-
|
|
149
|
-
it 'should be false, with unmatch ip and loser eq port' do
|
|
150
|
-
@sds3.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
151
|
-
end
|
|
152
|
-
|
|
153
|
-
it 'should be false, with unmatch ip and higher eq port' do
|
|
154
|
-
@sds3.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
155
|
-
end
|
|
156
|
-
end
|
|
157
|
-
|
|
158
|
-
context 'gt' do
|
|
159
|
-
it 'should be false, with match ip lower eq port' do
|
|
160
|
-
@sds4.matches?(@ip_match, @p1_lower).should be_false
|
|
161
|
-
end
|
|
162
|
-
|
|
163
|
-
it 'should be true, with match ip and higher eq port' do
|
|
164
|
-
@sds4.matches?(@ip_match, @p1_higher).should be_true
|
|
165
|
-
end
|
|
166
|
-
|
|
167
|
-
it 'should be false, with unmatch ip and loser eq port' do
|
|
168
|
-
@sds4.matches?(@ip_unmatch, @p1_lower).should be_false
|
|
169
|
-
end
|
|
170
|
-
|
|
171
|
-
it 'should be false, with unmatch ip and higher eq port' do
|
|
172
|
-
@sds4.matches?(@ip_unmatch, @p1_higher).should be_false
|
|
173
|
-
end
|
|
103
|
+
it 'should be true when match ip and contained port set' do
|
|
104
|
+
@sds1.contains?(_srcdst(@ip_match, :eq, @p1_lower)).should be_true
|
|
105
|
+
@sds1.contains?(_srcdst(@ip_match, :lt, @p1_match)).should be_true
|
|
174
106
|
end
|
|
175
107
|
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
@sds1.matches?(ip_any, @p1_match).should be_true
|
|
180
|
-
@sds1.matches?(ip_any, @p1_unmatch).should be_false
|
|
181
|
-
@sds2.matches?(ip_any, @p1_match).should be_false
|
|
182
|
-
@sds2.matches?(ip_any, @p1_unmatch).should be_true
|
|
183
|
-
@sds3.matches?(ip_any, @p1_lower).should be_true
|
|
184
|
-
@sds3.matches?(ip_any, @p1_higher).should be_false
|
|
185
|
-
@sds4.matches?(ip_any, @p1_lower).should be_false
|
|
186
|
-
@sds4.matches?(ip_any, @p1_higher).should be_true
|
|
187
|
-
end
|
|
188
|
-
end
|
|
108
|
+
it 'should be false when unmatch ip and contained port set' do
|
|
109
|
+
@sds1.contains?(_srcdst(@ip_unmatch, :eq, @p1_lower)).should be_false
|
|
110
|
+
@sds1.contains?(_srcdst(@ip_unmatch, :lt, @p1_match)).should be_false
|
|
189
111
|
end
|
|
190
112
|
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
@sds1.matches?(@ip_match, port_any).should be_true
|
|
195
|
-
@sds1.matches?(@ip_unmatch, port_any).should be_false
|
|
196
|
-
@sds2.matches?(@ip_match, port_any).should be_true
|
|
197
|
-
@sds2.matches?(@ip_unmatch, port_any).should be_false
|
|
198
|
-
@sds3.matches?(@ip_match, port_any).should be_true
|
|
199
|
-
@sds3.matches?(@ip_unmatch, port_any).should be_false
|
|
200
|
-
@sds4.matches?(@ip_match, port_any).should be_true
|
|
201
|
-
@sds4.matches?(@ip_unmatch, port_any).should be_false
|
|
202
|
-
end
|
|
203
|
-
end
|
|
113
|
+
it 'should be false when match ip and not-contained port set' do
|
|
114
|
+
@sds1.contains?(_srcdst(@ip_match, :eq, @p1_match)).should be_false
|
|
115
|
+
@sds1.contains?(_srcdst(@ip_match, :lt, @p1_higher)).should be_false
|
|
204
116
|
end
|
|
205
117
|
end
|
|
206
118
|
|
|
207
|
-
context '
|
|
119
|
+
context 'subnet containing check' do
|
|
208
120
|
before do
|
|
209
|
-
ipaddr = AceIpSpec.new(
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
)
|
|
213
|
-
|
|
214
|
-
number: 80
|
|
215
|
-
)
|
|
216
|
-
@sds0 = AceSrcDstSpec.new(
|
|
217
|
-
ip_spec: ipaddr
|
|
218
|
-
)
|
|
219
|
-
@sds1 = AceSrcDstSpec.new(
|
|
220
|
-
ip_spec: ipaddr,
|
|
221
|
-
operator: 'eq',
|
|
222
|
-
port: @p1
|
|
223
|
-
)
|
|
121
|
+
ipaddr = AceIpSpec.new(ipaddr: '192.168.15.15', wildcard: '0.0.0.127')
|
|
122
|
+
@p1 = AceTcpProtoSpec.new('www')
|
|
123
|
+
@sds0 = AceSrcDstSpec.new(ip_spec: ipaddr)
|
|
124
|
+
@sds1 = AceSrcDstSpec.new(ip_spec: ipaddr, operator: 'eq', port: @p1)
|
|
125
|
+
|
|
224
126
|
@ip_contained1 = '192.168.15.16/26'
|
|
225
127
|
@ip_not_contained1 = '192.168.15.0/24'
|
|
226
128
|
@ip_contained2 = '192.168.15.16/255.255.255.192'
|
|
227
129
|
@ip_not_contained2 = '192.168.15.0/255.255.255.0'
|
|
228
130
|
@p1_match = 80
|
|
229
131
|
@ip_error1 = '192.168.15.16 mask 26'
|
|
230
|
-
@ip_error2 = '192.168.15.16 255.255.255.192'
|
|
132
|
+
# @ip_error2 = '192.168.15.16 255.255.255.192'
|
|
231
133
|
end
|
|
232
134
|
|
|
233
135
|
it 'should be true when contained (length)' do
|
|
234
|
-
@sds0.
|
|
235
|
-
@sds1.
|
|
136
|
+
@sds0.contains?(_srcdst(@ip_contained1, :eq, @p1_match)).should be_true
|
|
137
|
+
@sds1.contains?(_srcdst(@ip_contained1, :eq, @p1_match)).should be_true
|
|
236
138
|
end
|
|
237
139
|
|
|
238
140
|
it 'should be true when contained (bitmask)' do
|
|
239
|
-
@sds0.
|
|
240
|
-
@sds1.
|
|
141
|
+
@sds0.contains?(_srcdst(@ip_contained2, :eq, @p1_match)).should be_true
|
|
142
|
+
@sds1.contains?(_srcdst(@ip_contained2, :eq, @p1_match)).should be_true
|
|
241
143
|
end
|
|
242
144
|
|
|
243
145
|
it 'should be false when not contained (length)' do
|
|
244
|
-
@sds0.
|
|
245
|
-
|
|
146
|
+
@sds0.contains?(
|
|
147
|
+
_srcdst(@ip_not_contained1, :eq, @p1_match)
|
|
148
|
+
).should be_false
|
|
149
|
+
@sds1.contains?(
|
|
150
|
+
_srcdst(@ip_not_contained1, :eq, @p1_match)
|
|
151
|
+
).should be_false
|
|
246
152
|
end
|
|
247
153
|
|
|
248
154
|
it 'should be false when not contained (bitmask)' do
|
|
249
|
-
@sds0.
|
|
250
|
-
|
|
155
|
+
@sds0.contains?(
|
|
156
|
+
_srcdst(@ip_not_contained2, :eq, @p1_match)
|
|
157
|
+
).should be_false
|
|
158
|
+
@sds1.contains?(
|
|
159
|
+
_srcdst(@ip_not_contained2, :eq, @p1_match)
|
|
160
|
+
).should be_false
|
|
251
161
|
end
|
|
252
162
|
|
|
253
163
|
it 'should be raised error when invalid subnet notation' do
|
|
254
164
|
lambda do
|
|
255
|
-
@sds0.
|
|
165
|
+
@sds0.contains?(_srcdst(@ip_error1, :eq, @p1_match))
|
|
256
166
|
end.should raise_error(NetAddr::ValidationError)
|
|
257
167
|
|
|
258
168
|
lambda do
|
|
259
|
-
@sds1.
|
|
169
|
+
@sds1.contains?(_srcdst(@ip_error1, :eq, @p1_match))
|
|
260
170
|
end.should raise_error(NetAddr::ValidationError)
|
|
261
171
|
|
|
262
|
-
lambda do
|
|
263
|
-
|
|
264
|
-
end.should raise_error(NetAddr::ValidationError)
|
|
172
|
+
# lambda do
|
|
173
|
+
# @sds0.contains?(_srcdst(@ip_error2, :eq, @p1_match)).should be_false
|
|
174
|
+
# end.should raise_error(NetAddr::ValidationError)
|
|
265
175
|
|
|
266
|
-
lambda do
|
|
267
|
-
|
|
268
|
-
end.should raise_error(NetAddr::ValidationError)
|
|
176
|
+
# lambda do
|
|
177
|
+
# @sds1.contains?(_srcdst(@ip_error2, :eq, @p1_match)).should be_false
|
|
178
|
+
# end.should raise_error(NetAddr::ValidationError)
|
|
269
179
|
end
|
|
270
180
|
end
|
|
271
181
|
|
|
272
182
|
context 'with operator: range' do
|
|
273
183
|
before(:each) do
|
|
274
|
-
p1 = AceTcpProtoSpec.new(
|
|
275
|
-
|
|
276
|
-
)
|
|
277
|
-
p2 = AceTcpProtoSpec.new(
|
|
278
|
-
number: 1023
|
|
279
|
-
)
|
|
184
|
+
p1 = AceTcpProtoSpec.new(80)
|
|
185
|
+
p2 = AceTcpProtoSpec.new(1023)
|
|
280
186
|
@sds = AceSrcDstSpec.new(
|
|
281
187
|
ipaddr: '192.168.15.15',
|
|
282
188
|
wildcard: '0.0.7.6',
|
|
@@ -292,27 +198,16 @@ describe AceSrcDstSpec do
|
|
|
292
198
|
end
|
|
293
199
|
|
|
294
200
|
it 'should be true, with match ip in range port' do
|
|
295
|
-
@sds.
|
|
201
|
+
@sds.contains?(_srcdst(@ip_match, :eq, @p_in)).should be_true
|
|
296
202
|
end
|
|
297
203
|
|
|
298
|
-
it 'should be false, with match ip and out of range port
|
|
299
|
-
@sds.
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
it 'should be false, with match ip and out of range port (higher)' do
|
|
303
|
-
@sds.matches?(@ip_match, @p_out_higher).should be_false
|
|
204
|
+
it 'should be false, with match ip and out of range port' do
|
|
205
|
+
@sds.contains?(_srcdst(@ip_match, :eq, @p_out_lower)).should be_false
|
|
206
|
+
@sds.contains?(_srcdst(@ip_match, :eq, @p_out_higher)).should be_false
|
|
304
207
|
end
|
|
305
208
|
|
|
306
209
|
it 'should be false, with unmatch ip match in range port' do
|
|
307
|
-
@sds.
|
|
308
|
-
end
|
|
309
|
-
|
|
310
|
-
it 'should be false, with unmatch ip and out of range port (lower)' do
|
|
311
|
-
@sds.matches?(@ip_unmatch, @p_out_lower).should be_false
|
|
312
|
-
end
|
|
313
|
-
|
|
314
|
-
it 'should be false, with unmatch ip and out of range port (higher)' do
|
|
315
|
-
@sds.matches?(@ip_unmatch, @p_out_higher).should be_false
|
|
210
|
+
@sds.contains?(_srcdst(@ip_unmatch, :eq, @p_in)).should be_false
|
|
316
211
|
end
|
|
317
212
|
end
|
|
318
213
|
|
|
@@ -331,12 +226,8 @@ describe AceSrcDstSpec do
|
|
|
331
226
|
)
|
|
332
227
|
port_range = AcePortSpec.new(
|
|
333
228
|
operator: 'range',
|
|
334
|
-
begin_port: AceTcpProtoSpec.new(
|
|
335
|
-
|
|
336
|
-
),
|
|
337
|
-
end_port: AceTcpProtoSpec.new(
|
|
338
|
-
number: 1023
|
|
339
|
-
)
|
|
229
|
+
begin_port: AceTcpProtoSpec.new(80),
|
|
230
|
+
end_port: AceTcpProtoSpec.new(1023)
|
|
340
231
|
)
|
|
341
232
|
@sds1 = AceSrcDstSpec.new(
|
|
342
233
|
ip_spec: ip_any,
|
|
@@ -357,34 +248,32 @@ describe AceSrcDstSpec do
|
|
|
357
248
|
end
|
|
358
249
|
|
|
359
250
|
it 'should be true, for any ip' do
|
|
360
|
-
@sds1.
|
|
361
|
-
@sds1.
|
|
251
|
+
@sds1.contains?(_srcdst(@ip_match, :eq, @p_match)).should be_true
|
|
252
|
+
@sds1.contains?(_srcdst(@ip_unmatch, :eq, @p_match)).should be_true
|
|
362
253
|
end
|
|
363
254
|
|
|
364
255
|
it 'should be false, for any ip with unmatch port' do
|
|
365
|
-
@sds1.
|
|
366
|
-
@sds1.
|
|
256
|
+
@sds1.contains?(_srcdst(@ip_match, :eq, @p_unmatch)).should be_false
|
|
257
|
+
@sds1.contains?(_srcdst(@ip_unmatch, :eq, @p_unmatch)).should be_false
|
|
367
258
|
end
|
|
368
259
|
|
|
369
260
|
it 'should be true, for any port' do
|
|
370
|
-
@sds2.
|
|
371
|
-
@sds2.
|
|
261
|
+
@sds2.contains?(_srcdst(@ip_match, :eq, @p_match)).should be_true
|
|
262
|
+
@sds2.contains?(_srcdst(@ip_match, :eq, @p_unmatch)).should be_true
|
|
372
263
|
end
|
|
373
264
|
|
|
374
265
|
it 'should be false, for any port with unmatch ip' do
|
|
375
|
-
@sds2.
|
|
376
|
-
@sds2.
|
|
266
|
+
@sds2.contains?(_srcdst(@ip_unmatch, :eq, @p_match)).should be_false
|
|
267
|
+
@sds2.contains?(_srcdst(@ip_unmatch, :eq, @p_unmatch)).should be_false
|
|
377
268
|
end
|
|
378
269
|
|
|
379
270
|
it 'should be true, for any ip and any port' do
|
|
380
|
-
@sds3.
|
|
381
|
-
@sds3.
|
|
382
|
-
@sds3.
|
|
383
|
-
@sds3.
|
|
271
|
+
@sds3.contains?(_srcdst(@ip_match, :eq, @p_match)).should be_true
|
|
272
|
+
@sds3.contains?(_srcdst(@ip_match, :eq, @p_unmatch)).should be_true
|
|
273
|
+
@sds3.contains?(_srcdst(@ip_unmatch, :eq, @p_match)).should be_true
|
|
274
|
+
@sds3.contains?(_srcdst(@ip_unmatch, :eq, @p_unmatch)).should be_true
|
|
384
275
|
end
|
|
385
|
-
|
|
386
276
|
end
|
|
387
277
|
|
|
388
|
-
end # describe
|
|
389
|
-
|
|
278
|
+
end # describe contains?
|
|
390
279
|
end # describe AceSrcDstSpec
|
|
@@ -3,18 +3,29 @@ require 'spec_helper'
|
|
|
3
3
|
|
|
4
4
|
describe AceTcpFlag do
|
|
5
5
|
describe '#to_s' do
|
|
6
|
+
before do
|
|
7
|
+
@flag = AceTcpFlag.new('established')
|
|
8
|
+
@flag1 = AceTcpFlag.new('established')
|
|
9
|
+
@flag2 = AceTcpFlag.new('rst')
|
|
10
|
+
end
|
|
6
11
|
|
|
7
12
|
it 'should be make tcp flags' do
|
|
8
|
-
flag
|
|
9
|
-
|
|
13
|
+
@flag.to_s.should be_aclstr('established')
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
it 'should be true when same flag' do
|
|
17
|
+
(@flag == @flag1).should be_true
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
it 'should not false when different flag' do
|
|
21
|
+
(@flag == @flag2).should be_false
|
|
10
22
|
end
|
|
11
23
|
end
|
|
12
24
|
end
|
|
13
25
|
|
|
14
26
|
describe AceTcpFlagList do
|
|
15
27
|
describe '#to_s' do
|
|
16
|
-
|
|
17
|
-
before do
|
|
28
|
+
before(:all) do
|
|
18
29
|
@f1 = AceTcpFlag.new('syn')
|
|
19
30
|
@f2 = AceTcpFlag.new('ack')
|
|
20
31
|
@f3 = AceTcpFlag.new('established')
|
|
@@ -35,4 +46,25 @@ describe AceTcpFlagList do
|
|
|
35
46
|
@list.to_s.should be_aclstr('syn ack established')
|
|
36
47
|
end
|
|
37
48
|
end
|
|
49
|
+
|
|
50
|
+
describe '#==' do
|
|
51
|
+
before(:all) do
|
|
52
|
+
@f1 = AceTcpFlag.new('syn')
|
|
53
|
+
@f2 = AceTcpFlag.new('ack')
|
|
54
|
+
@f3 = AceTcpFlag.new('established')
|
|
55
|
+
@f4 = AceTcpFlag.new('fin')
|
|
56
|
+
|
|
57
|
+
@list1 = AceTcpFlagList.new([@f1, @f2, @f3])
|
|
58
|
+
@list2 = AceTcpFlagList.new([@f3, @f1, @f2])
|
|
59
|
+
@list3 = AceTcpFlagList.new([@f2, @f4, @f1])
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
it 'should be true when same list' do
|
|
63
|
+
(@list1 == @list2).should be_true
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
it 'should be false when different list' do
|
|
67
|
+
(@list1 == @list3).should be_false
|
|
68
|
+
end
|
|
69
|
+
end
|
|
38
70
|
end
|
|
@@ -12,7 +12,7 @@ describe 'AclContainerBase' do
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def to_s_with_tag(tag)
|
|
15
|
-
instance_eval("tag_#{tag
|
|
15
|
+
instance_eval("tag_#{tag}(@str)")
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def to_s_with_cleaning
|
|
@@ -34,7 +34,7 @@ describe 'AclContainerBase' do
|
|
|
34
34
|
it 'should be colored string when mode html' do
|
|
35
35
|
AclContainerBase.color_mode = :html
|
|
36
36
|
tag = :header
|
|
37
|
-
matchstr = "span.*acltag_#{tag
|
|
37
|
+
matchstr = "span.*acltag_#{tag}.*teststr.*span"
|
|
38
38
|
@mock.to_s_with_tag(tag).should match(/#{matchstr}/)
|
|
39
39
|
AclContainerBase.color_mode = :none
|
|
40
40
|
end
|