cisco_acl_intp 0.0.2 → 0.0.3

data/lib/cisco_acl_intp/ace_srcdst.rb

@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-
 require 'netaddr'
 require 'cisco_acl_intp/ace_ip'
 require 'cisco_acl_intp/ace_port'
@@ -9,7 +8,7 @@ require 'cisco_acl_intp/ace_tcp_flags'
 module CiscoAclIntp
   # IP Address and TCP/UDP Port Info
   # @todo Src/Dst takes Network Object Group or IP/wildcard.
-  #    object group is not implemented yet.
+  #    "object-group" is not implemented yet.
   class AceSrcDstSpec < AclContainerBase
     # @param [AceIpSpec] value IP address and Wildcard-mask
     # @return [AceIpSpec]
@@ -25,8 +24,9 @@ module CiscoAclIntp
     # @option opts [String] :ipaddr IP Address (dotted notation)
     # @option opts [String] :wildcard Wildcard mask
     #   (dotted/bit-flipped notation)
+    # @option opts [Integer] :netmask Subnet mask length (e.g. 24)
     # @option opts [AcePortSpec] :port_spec Port/Operator object
-    # @option opts [String] :operator Port operator
+    # @option opts [String, Symbol] :operator Port operator
     # @option opts [AceProtoSpecBase] :port port number (single/lower)
     #   (same as :begin_port, alias for unary operator)
     # @option opts [AceProtoSpecBase] :begin_port port number (single/lower)
@@ -52,52 +52,44 @@ module CiscoAclIntp
     # Generate string for Cisco IOS access list
     # @return [String]
     def to_s
-      sprintf('%s %s', @ip_spec, @port_spec)
+      format '%s %s', @ip_spec, @port_spec
     end
 
-    # Check address and port number matches this object or not.
-    # @param [String] address IP address (dotted notation)
-    # @param [Integer,String] port Port No./Name
+    # Check address and port number contains this object or not.
+    # @param [AceSrcDstSpec] other Conditions to compare
     # @return [Boolean]
     # @raise [AclArgumentError]
-    # @example Example of AceSrcDstSpec#matches?
-    #   AceSrcDstSpec#matches?('192.168.3.3') # /32 host and port any
-    #   AceSrcDstSpec#matches?('172.30.240.0/24', '80') # a subnet and port 80
-    #   AceSrcDstSpec#matches?('any', 'www') # any host and port 80
-    def matches?(address, port = nil)
-      if address
-        matches_address?(address) && matches_port?(port)
-      else
-        fail AclArgumentError, 'Not specified match target IP Addr'
-      end
+    def contains?(other)
+      contains_address?(other.ip_spec) &&
+        contains_port?(other.port_spec)
     end
 
     private
 
     # Check port match
-    # @param [Integer,String] port Port No.
+    # @param [AcePortSpec] port_spec TCP/UDP Port spec
     # @return [Boolean]
-    def matches_port?(port)
-      case port
-      when nil, 'any'
-        true
-      else
-        @port_spec.matches?(port)
-      end
+    def contains_port?(port_spec = nil)
+      port_spec = AcePortSpec.new(operator: :any) if port_spec.nil?
+      @port_spec.contains?(port_spec)
     end
 
-    # Check address match
-    # @param [String] address IP address (dotted notation)
+    # Check address match (by NetAddr)
+    # @param [AceIpSpec] ip_spec IP address spec.
     # @return [Boolean]
-    def matches_address?(address)
-      case address
-      when /(.+)\/(.+)/
-        # addr/mask or addr/mask-length notation
-        @ip_spec.contains?(address)
-      when '0.0.0.0', '0.0.0.0/0', 'any'
+    def contains_address?(ip_spec = nil)
+      case ip_spec
+      when nil # 'any', '0.0.0.0/0'
         true
       else
-        @ip_spec.matches?(address)
+        # IP match/contain checks are delegated to NetAddr
+        if @ip_spec.netmask.nil?
+          # check by wildcard
+          @ip_spec.matches?(ip_spec.ipaddr)
+        else
+          # check by CIDR(netmask)
+          @ip_spec.contains?(ip_spec.ipaddr)
+        end
       end
     end
 
@@ -106,13 +98,10 @@ module CiscoAclIntp
     # @return [AceIpSpec] IP address/Mask object
     # @see #initialize
     def define_ipspec
-      if @options.key?(:ip_spec)
+      if @options.key?(:ip_spec) # AceIpSpec Obj
         @options[:ip_spec]
       elsif @options.key?(:ipaddr)
-        AceIpSpec.new(
-          ipaddr: @options[:ipaddr],
-          wildcard: @options[:wildcard]
-        )
+        AceIpSpec.new(@options)
       else
         fail AclArgumentError, 'Not specified: ip spec'
       end
@@ -122,7 +111,8 @@ module CiscoAclIntp
     # @return [AcePortSpec] Port/Operator object
     # @see #initialize
     def define_portspec
-      if @options.key?(:port_spec)
+      if @options.key?(:port_spec) &&
+          @options[:port_spec].kind_of?(AcePortSpec)
         @options[:port_spec]
       elsif @options.key?(:operator)
         AcePortSpec.new(

data/lib/cisco_acl_intp/ace_tcp_flags.rb

@@ -40,8 +40,11 @@ module CiscoAclIntp
 
     def_delegators :@list, :push, :pop, :shift, :unshift, :size, :length
 
-    def initialize
-      @list = []
+    # Constructor
+    # @param [Array<AceTcpFlag>] list TCP Flag Objects
+    # @todo If the object that are same are included in the list?
+    def initialize(list = [])
+      @list = list
     end
 
     # Generate string for Cisco IOS access list
@@ -51,9 +54,12 @@ module CiscoAclIntp
     end
 
     # @param [AceTcpFlagList] other RHS Object
+    # @note Checked each entry in randum order.
     # @return [Boolean]
     def ==(other)
-      @list == other.list
+      @list.reduce(true) do |res, each|
+        res && other.list.include?(each)
+      end
     end
   end
 end # module

data/lib/cisco_acl_intp/acl.rb

@@ -1,259 +1,9 @@
 # -*- coding: utf-8 -*-
 
 require 'forwardable'
-require 'cisco_acl_intp/ace'
+require 'cisco_acl_intp/mono_function_acl'
 
 module CiscoAclIntp
-  # Single access-list container base
-  class SingleAclBase < AclContainerBase
-    extend Forwardable
-    include Enumerable
-
-    # @return [String] name ACL name,
-    #   when numbered acl, /\d+/ string
-    attr_reader :name
-    # Some Enumerable included methods returns Array of ACE objects
-    # (e.g. sort),the returned Array was used as ACE object by
-    # overwrite accessor 'list'.
-    # @return [Array<AceBase>] list ACE object Array
-    attr_accessor :list
-    # @return [String, Symbol] acl_type ACL type
-    attr_reader :acl_type
-    # @return [String, Symbol] name_type ACL name type
-    attr_reader :name_type
-
-    def_delegators :@list, :each # for Enumerable
-    def_delegators :@list, :push, :pop, :shift, :unshift
-    def_delegators :@list, :size, :length
-
-    # Increment number of ACL sequence number
-    SEQ_NUM_DIV = 10
-
-    # Constructor
-    # @param [String] name ACL name
-    # @return [SingleAclBase]
-    def initialize(name)
-      @name = name
-      @list = []
-      @seq_number = 0
-
-      @acl_type = nil # :standard or :extended
-      @name_type = nil # :named or :numbered
-    end
-
-    # duplicate ACE list
-    # @param [Array<AceBase>] list List of ACE
-    # @return [SingleAclBase]
-    def dup_with_list(list)
-      acl = dup
-      acl.list = list.dup
-      acl
-    end
-
-    # Add ACE to ACL (push with sequence number)
-    # @param [AceBase] ace ACE object
-    def add_entry(ace)
-      # 'ace' is AceBase Object
-      # it will be ExtendedAce/StandardAce/RemarkAce/EvaluateAce
-      ace.seq_number? ||
-        ace.seq_number = (@list.length + 1) * SEQ_NUM_DIV
-      @list.push ace
-    end
-
-    # Renumber ACL by list sequence
-    def renumber
-      # re-numbering seq_number of each entry
-      @list.reduce(SEQ_NUM_DIV) do |number, each|
-        each.seq_number = number
-        number + SEQ_NUM_DIV
-      end
-    end
-
-    # @return [Boolean]
-    def ==(other)
-      if @acl_type &&
-          @name_type &&
-          @acl_type == other.acl_type &&
-          @name_type == other.name_type
-        @list == other.list
-      end
-    end
-
-    # Search matched ACE from list
-    # @param [Hash] opts Options (target packet info)
-    # @option [String, Symbol] protocol L3/L4 protocol name
-    #   (allows :tcp, :udp and :icmp)
-    # @option [String] src_ip Source IP Address
-    # @option [Integer,String] src_port Source Port No./Name
-    # @option [String] dst_ip Destination IP Address
-    # @option [Integer,String] dst_port Destination Port No./Name
-    # @return [AceBase] Matched ACE object or nil(not found)
-    # @raise [AclArgumentError]
-    def search_ace(opts)
-      @list.find { |each| each.matches?(opts) }
-    end
-
-    # acl string clean-up (override)
-    # @param [String] str ACL string.
-    # @return [String]
-    def clean_acl_string(str)
-      str =~ /remark/ ? str : super
-    end
-  end
-
-  ############################################################
-
-  # Features for Extended ACL
-  # @todo Does it have to raise error if add_entry called with
-  #   StandardAce?
-  module ExtAcl
-    # Generate a Extended ACE by parameters
-    #   and Add it to ACL
-    # @param [Hash] opts Options to create {ExtendedAce}
-    def add_entry_by_params(opts)
-      ace = ExtendedAce.new opts
-      add_entry ace
-    end
-  end
-
-  # Features for Standard ACL
-  # @todo Does it have to raise error if add_entry called with
-  #   ExtendedAce?
-  module StdAcl
-    # Generate a Standard ACE by parameters
-    #   and Add it to ACL
-    # @param [Hash] opts Options to create {StandardAce}
-    def add_entry_by_params(opts)
-      ace = StandardAce.new opts
-      add_entry ace
-    end
-  end
-
-  ############################################################
-
-  # Named ACL container base
-  class NamedAcl < SingleAclBase
-    # check acl type,Named ACL or not?
-    # @return [Boolean]
-    def named_acl?
-      true
-    end
-
-    # check acl type, Numbered ACL or not?
-    # @return [Boolean]
-    def numbered_acl?
-      false
-    end
-
-    # Generate ACL header string
-    # @return [String] ACL header string
-    def header_string
-      sprintf(
-        '%s %s %s',
-        tag_header('ip access-list'),
-        tag_type(@acl_type),
-        tag_name(@name)
-      )
-    end
-
-    # Generate ACL line string
-    # @param [AceBase] entry ACE object
-    def line_string(entry)
-      # add indent
-      sprintf(' %s', clean_acl_string(entry.to_s))
-    end
-
-    # Generate string for Cisco IOS access list
-    # @return [String]
-    def to_s
-      strings = @list.each_with_object([header_string]) do |entry, strlist|
-        strlist.push line_string(entry)
-      end
-      strings.join("\n")
-    end
-  end
-
-  # Numbered ACL container base
-  class NumberedAcl < SingleAclBase
-    # @return [Integer] Access list number
-    attr_reader :number
-
-    # check acl type,Named ACL or not?
-    # @return [Boolean]
-    def named_acl?
-      false
-    end
-
-    # check acl type, Numbered ACL or not?
-    # @return [Boolean]
-    def numbered_acl?
-      true
-    end
-
-    # Constructor
-    # @param [String, Integer] name ACL number
-    # @raise [AclArgumentError]
-    # @return [NumberedAcl]
-    # @todo It ought to do something about assignment operator...
-    #   (attr_reader)
-    def initialize(name)
-      super
-      case name
-      when Fixnum
-        set_name_and_number(name.to_s, name)
-      when String
-        validate_name_by_string(name)
-      else
-        fail AclArgumentError, 'acl number error'
-      end
-    end
-
-    # Generate ACL header string
-    # @return [String] ACL header string
-    def header_string
-      sprintf(
-        '%s %s',
-        tag_header('access-list'),
-        tag_name(@name)
-      )
-    end
-
-    # Generate ACL line string
-    # @param [AceBase] entry ACE object
-    def line_string(entry)
-      clean_acl_string(sprintf('%s %s', header_string, entry))
-    end
-
-    # Generate string for Cisco IOS access list
-    # @return [String]
-    def to_s
-      strings = @list.each_with_object([]) do |entry, strlist|
-        strlist.push line_string(entry)
-      end
-      strings.join("\n")
-    end
-
-    private
-
-    # validate instance variables
-    # @param [String] name ACL Name
-    def validate_name_by_string(name)
-      if name =~ /\A\d+\Z/
-        set_name_and_number(name, name.to_i)
-      else
-        fail AclArgumentError, 'acl number string is not integer'
-      end
-    end
-
-    # Set instance variables
-    def set_name_and_number(name, number)
-      @name = name
-      @number = number
-    end
-  end
-
-  ############################################################
-
   # Named extended ACL container
   class NamedExtAcl < NamedAcl
     include ExtAcl

data/lib/cisco_acl_intp/acl_base.rb

@@ -53,7 +53,7 @@ module CiscoAclIntp
       when :term
         TERM_COLOR_TABLE[tag]
       when :html
-        %Q{<span class="acltag_#{tag.to_s}">}
+        %Q(<span class="acltag_#{tag}">)
       else
         ''
       end

data/lib/cisco_acl_intp/acl_utils.rb

@@ -0,0 +1,120 @@
+# -*- coding: utf-8 -*-
+require 'cisco_acl_intp/extended_ace'
+
+module CiscoAclIntp
+  # Extended Ace utilities for ace search
+  module AceSearchUtility
+    module_function
+
+    # Select protocol spec class for tcp/udp.
+    # @param [String] proto Protocol name.
+    # @return [Class] Class name.
+    def select_proto_class(proto)
+      case proto
+      when 'tcp'
+        AceTcpProtoSpec
+      when 'udp'
+        AceUdpProtoSpec
+      end
+    end
+
+    # @param [String] proto Protocol name.
+    # @param [Integer, String] port Port No./Name.
+    # @return [AceTcpProtoSpec, AceUdpProtoSpec] TCP/UDP port object.
+    def generate_port_obj(proto, port = nil)
+      port.nil? ? nil : select_proto_class(proto).new(port)
+    end
+
+    # Generate port spec by protocol
+    # @param [String] proto Protocol name.
+    # @param [String, Symbol] opr Port operator.
+    # @param [Integer, String] begin_port Port No./Name.
+    # @param [Integer, String] end_port Port No./Name.
+    # @return [AcePortSpec] Port spec.
+    def port_spec_by_protocol(proto, opr, begin_port = nil, end_port = nil)
+      if opr.nil?
+        AcePortSpec.new(operator: :any) # any
+      else
+        AcePortSpec.new(
+          operator: opr,
+          begin_port: generate_port_obj(proto, begin_port),
+          end_port: generate_port_obj(proto, end_port)
+        )
+      end
+    end
+
+    # Generate Src/Dst search condition
+    # @param [AceIpProtoSpec] proto IP protocol info
+    # @param [String] ip IP address info
+    # @param [String, Symbol] opr Port operator
+    # @param [Integer, String] begin_port Port No./Name.
+    # @param [Integer, String] end_port Port No./Name.
+    def srcdst_condition(proto, ip, opr, begin_port = nil, end_port = nil)
+      case proto.name
+      when 'tcp', 'udp'
+        AceSrcDstSpec.new(
+          ipaddr: ip,
+          port_spec: port_spec_by_protocol(
+            proto.name, opr, begin_port, end_port
+          )
+        )
+      else
+        # if L3 protocol is not tcp/udp, it did not need port condition
+        AceSrcDstSpec.new(ipaddr: ip)
+      end
+    end
+
+    # Generate hash key to slice
+    # @param [Symbol] pt Prefix of key
+    # @param [Symbol] key Postfix of key
+    # @return [Symbol]
+    def ptkey(pt, key)
+      [pt.to_s, key.to_s].join('_').intern
+    end
+
+    # Generate list of values sliced hash (args of srcdst_condition)
+    # @param [AceIpProtoSpec] proto_cond IP protocol condition
+    # @param [Symbol] pt Prefix of key
+    # @param [Hash] opts Option hash for slice
+    def slice_contains_opts(proto_cond, pt, opts)
+      [
+        proto_cond,
+        opts[ptkey(pt, :ip)],
+        opts[ptkey(pt, :operator)],
+        (opts[ptkey(pt, :port)] || opts[ptkey(pt, :begin_port)]),
+        opts[ptkey(pt, :end_port)]
+      ]
+    end
+
+    # Generate ACE components
+    # @param [Hash] opts Options (target packet info)
+    # @see options is same as ExtendedAce#contains?
+    # @return [Array<AceIpProtoSpec, AceSrcDstSpec, AceSrcDstSpec>]
+    def search_conditions(opts)
+      proto_cond = AceIpProtoSpec.new(opts[:protocol])
+      [
+        proto_cond,
+        srcdst_condition(*slice_contains_opts(proto_cond, :src, opts)),
+        srcdst_condition(*slice_contains_opts(proto_cond, :dst, opts))
+      ]
+    end
+
+    # Generate ACE search(contains?) conditions
+    # @param [Hash] opts Options (target packet info)
+    # @see options is same as ExtendedAce#contains?
+    # @return [ExtendedAce]
+    def target_ace(opts)
+      (proto_cond, src_cond, dst_cond) = search_conditions(opts)
+      ExtendedAce.new(
+        action: 'permit', protocol: proto_cond.name,
+        src: src_cond, dst: dst_cond
+      )
+    end
+  end
+end # module
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End:

data/lib/cisco_acl_intp/extended_ace.rb

@@ -0,0 +1,149 @@
+# -*- coding: utf-8 -*-
+require 'cisco_acl_intp/standard_ace'
+
+module CiscoAclIntp
+  # ACE for extended access list
+  class ExtendedAce < StandardAce
+    # @param [AceIpProtoSpec] value L3/L4 protocol
+    # @return [AceIpProtoSpec]
+    attr_accessor :protocol
+
+    # @param [AceSrcDstSpec] value Destination spec object
+    # @return [AceSrcDstSpec]
+    attr_accessor :dst_spec
+
+    # @param [AceTcpFlagList] value
+    #   TCP flags (used when '@protocol':tcp)
+    # @return [AceTcpFlagList]
+    attr_accessor :tcp_flags
+
+    # @param [AceOtherQualifierList] value
+    #   TCP other qualifier list object (used when '@protocol':tcp)
+    # @return [AceOtherQualifierList]
+    attr_accessor :tcp_other_qualifiers
+
+    # Option,
+    # :src and :dst can handle multiple types of object generation,
+    # so that the argments can takes hash of AceSrcDstSpec.new or
+    # AceSrcDstSpec instance.
+    # :protocol and so on. (AceIpProtoSpec Object)
+    #
+    # about :protocol, it has specification of name and number
+    # (specified in internal of parser).
+    # basically, it is OK that specify only name.
+    # (does it convert name <=> number each oether?)
+    # (does it use number?
+    #
+
+    # Constructor
+    # @param [Hash] opts Options
+    # @option opts [String] :protocol L3/L4 protocol
+    # @option opts [Integer] :number Protocol/Port number
+    # @option opts [String] :action Action
+    # @option opts [AceSrcDstSpec] :src Source spec object
+    # @option opts [Hash] :src Source spec parmeters
+    # @option opts [AceSrcDstSpec] :dst Destination spec object
+    # @option opts [Hash] :dst Destination spec parmeters
+    # @option opts [AceTcpFlagList] :tcp_port_qualifier
+    #   TCP Flags object
+    # @raise [AclArgumentError]
+    # @return [ExtendACE]
+    def initialize(opts)
+      super
+      @options = opts
+      @protocol = define_protocol
+      @dst_spec = define_dst_spec
+      @tcp_flags = define_tcp_flags
+      @tcp_other_qualifiers = nil # not yet.
+    end
+
+    # @param [ExtendACE] other RHS object
+    # @return [Boolean]
+    def ==(other)
+      @action == other.action &&
+        @protocol == other.protocol &&
+        @src_spec == other.src_spec &&
+        @dst_spec == other.dst_spec &&
+        @tcp_flags == other.tcp_flags
+      ## does it need to compare? : tcp_other_qualifiers
+    end
+
+    # Generate string for Cisco IOS access list
+    # @return [String]
+    def to_s
+      format(
+        '%s %s %s %s %s %s',
+        tag_action(@action.to_s),
+        tag_protocol(@protocol.to_s),
+        @src_spec,
+        @dst_spec,
+        @tcp_flags,
+        @tcp_other_qualifiers
+     )
+    end
+
+    # Search matched ACE
+    # @param [ExtendedAce] other Target ACE
+    # @return [Boolean] Matched or not
+    # @see SingleAceBase#search_ace
+    def contains?(other)
+      super(other) &&
+        @protocol.contains?(other.protocol) &&
+        @dst_spec.contains?(other.dst_spec)
+    end
+
+    private
+
+    # Set instance variables
+    # return [AceIpProtoSpec] IP protocol object
+    # raise [AclArgumentError]
+    def define_protocol
+      if @options.key?(:protocol)
+        protocol = @options[:protocol]
+        case protocol
+        when AceIpProtoSpec
+          protocol
+        else
+          AceIpProtoSpec.new(protocol)
+        end
+      else
+        fail AclArgumentError, 'Not specified IP protocol'
+      end
+    end
+
+    # Set instance variables
+    # @return [AceSrcDstSpec] Destination spec object
+    # @raise [AclArgumentError]
+    def define_dst_spec
+      if @options.key?(:dst)
+        dst = @options[:dst]
+        case dst
+        when Hash
+          AceSrcDstSpec.new(dst)
+        when AceSrcDstSpec
+          dst
+        else
+          fail AclArgumentError, 'Dst spec: unknown class'
+        end
+      else
+        fail AclArgumentError, 'Not specified dst spec'
+      end
+    end
+
+    # Set instance variables
+    # @return [AceOtherQualifierList]
+    def define_tcp_flags
+      if @protocol.name == 'tcp' && @options.key?(:tcp_flags_qualifier)
+        @options[:tcp_flags_qualifier]
+      else
+        nil
+      end
+    end
+  end
+end # module
+
+### Local variables:
+### mode: Ruby
+### coding: utf-8-unix
+### indent-tabs-mode: nil
+### End: