cisco_acl_intp 0.0.3 → 0.0.4
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.rubocop.yml +2 -2
- data/.travis.yml +4 -2
- data/Gemfile +7 -6
- data/README.md +23 -18
- data/Rakefile +11 -13
- data/cisco_acl_intp.gemspec +7 -7
- data/lib/cisco_acl_intp/acc.rb +111 -0
- data/lib/cisco_acl_intp/{ace.rb → ace_base.rb} +9 -8
- data/lib/cisco_acl_intp/{extended_ace.rb → ace_extended.rb} +8 -10
- data/lib/cisco_acl_intp/{standard_ace.rb → ace_standard.rb} +5 -5
- data/lib/cisco_acl_intp/acespec_base.rb +15 -0
- data/lib/cisco_acl_intp/{ace_ip.rb → acespec_ip.rb} +14 -22
- data/lib/cisco_acl_intp/{ace_other_qualifiers.rb → acespec_other_qualifiers.rb} +7 -7
- data/lib/cisco_acl_intp/{ace_port.rb → acespec_port.rb} +10 -13
- data/lib/cisco_acl_intp/{ace_port_opr.rb → acespec_port_opr.rb} +75 -73
- data/lib/cisco_acl_intp/{ace_port_opr_base.rb → acespec_port_opr_base.rb} +49 -34
- data/lib/cisco_acl_intp/{ace_proto.rb → acespec_proto.rb} +4 -4
- data/lib/cisco_acl_intp/{ace_proto_base.rb → acespec_proto_base.rb} +8 -8
- data/lib/cisco_acl_intp/{ace_srcdst.rb → acespec_srcdst.rb} +9 -8
- data/lib/cisco_acl_intp/{ace_tcp_flags.rb → acespec_tcp_flags.rb} +4 -4
- data/lib/cisco_acl_intp/acl.rb +1 -1
- data/lib/cisco_acl_intp/acl_base.rb +108 -80
- data/lib/cisco_acl_intp/{mono_function_acl.rb → acl_category_base.rb} +5 -5
- data/lib/cisco_acl_intp/acl_utils.rb +1 -1
- data/lib/cisco_acl_intp/parser.rb +388 -406
- data/lib/cisco_acl_intp/parser.ry +8 -3
- data/lib/cisco_acl_intp/parser_api.rb +4 -4
- data/lib/cisco_acl_intp/scanner.rb +8 -10
- data/lib/cisco_acl_intp/scanner_special_token_handler.rb +3 -3
- data/lib/cisco_acl_intp/version.rb +1 -1
- data/spec/cisco_acl_intp/{extended_ace_spec.rb → ace_extended_spec.rb} +157 -128
- data/spec/cisco_acl_intp/ace_spec.rb +21 -19
- data/spec/cisco_acl_intp/{standard_ace_spec.rb → ace_standard_spec.rb} +7 -11
- data/spec/cisco_acl_intp/{ace_ip_spec.rb → acespec_ip_spec.rb} +34 -34
- data/spec/cisco_acl_intp/{ace_other_qualifier_spec.rb → acespec_other_qualifier_spec.rb} +18 -18
- data/spec/cisco_acl_intp/acespec_port_operator_spec.rb +331 -0
- data/spec/cisco_acl_intp/{ace_port_spec.rb → acespec_port_spec.rb} +33 -33
- data/spec/cisco_acl_intp/{ace_proto_spec.rb → acespec_proto_spec.rb} +61 -61
- data/spec/cisco_acl_intp/{ace_srcdst_spec.rb → acespec_srcdst_spec.rb} +113 -54
- data/spec/cisco_acl_intp/{ace_tcp_flags_spec.rb → acespec_tcp_flags_spec.rb} +10 -10
- data/spec/cisco_acl_intp/acl_base_spec.rb +14 -12
- data/spec/cisco_acl_intp/{extended_acl_spec.rb → acl_extended_spec.rb} +28 -28
- data/spec/cisco_acl_intp/{standard_acl_spec.rb → acl_standard_spec.rb} +24 -23
- data/spec/cisco_acl_intp/cisco_acl_intp_spec.rb +1 -1
- data/spec/cisco_acl_intp/parser_spec.rb +12 -12
- data/spec/cisco_acl_intp/scanner_spec.rb +31 -36
- data/spec/parser_fullfill_patterns.rb +6 -7
- data/spec/spec_helper.rb +6 -6
- data/tools/check_acl.rb +1 -1
- metadata +60 -59
- data/lib/cisco_acl_intp/single_acl_base.rb +0 -137
- data/spec/cisco_acl_intp/ace_port_operator_spec.rb +0 -340
@@ -230,9 +230,14 @@ udp_srcdst_spec: objgrp_srcdst_spec udp_port_spec
|
|
230
230
|
named_acl: std_named_acl_header std_named_acl_entry_list
|
231
231
|
| ext_named_acl_header ext_named_acl_entry_list
|
232
232
|
# Notice:
|
233
|
-
#
|
234
|
-
#
|
235
|
-
#
|
233
|
+
#
|
234
|
+
# If an error exists in ACL header, parser cannot
|
235
|
+
# create 'body' object for add ACL entries that come
|
236
|
+
# next of header. Then parser cannot parse any ACL
|
237
|
+
# entries and cannot recover its error. When ACL
|
238
|
+
# header is correct, parser add ACL entires to 'body'
|
239
|
+
# if each entry can read. (parse and add all correct
|
240
|
+
# ACL entries.)
|
236
241
|
|
237
242
|
std_named_acl_header: NAMED_ACL 'standard' STRING eos
|
238
243
|
{
|
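Review bot: The new comment above `std_named_acl_header` describes a case where a malformed header leaves no 'body' object and every following entry is lost, but it does not say how a caller can detect that. For a tool that interprets access lists, an ACL that parsed to nothing looks the same as an empty one unless an error count or exception exposes it. The comment should name that signal, for example `# Callers must check the parser error count: a header error leaves the ACL without entries.`, if the error count is indeed the intended signal. The word `entires` in the comment should read `entries`. The grammar rule itself continues outside the hunk.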
@@ -111,7 +111,7 @@ module CiscoAclIntp
|
|
111
111
|
@silent_mode = @debug_print || opts[:silent] || false
|
112
112
|
|
113
113
|
@color_mode = opts[:color] || :none
|
114
|
-
|
114
|
+
AccessControlContainer.color_mode = @color_mode
|
115
115
|
|
116
116
|
@err_handler = ParserErrorHandler.new
|
117
117
|
@err_handler.reset_count
|
@@ -134,7 +134,7 @@ module CiscoAclIntp
|
|
134
134
|
filename
|
135
135
|
else
|
136
136
|
@err_handler.count
|
137
|
-
|
137
|
+
raise AclError, "File: #{filename} not found."
|
138
138
|
end
|
139
139
|
end
|
140
140
|
end
|
@@ -152,13 +152,13 @@ module CiscoAclIntp
|
|
152
152
|
aclstr
|
153
153
|
else
|
154
154
|
@err_handler.count
|
155
|
-
|
155
|
+
raise AclError, "Argment: #{aclstr} not found."
|
156
156
|
end
|
157
157
|
end
|
158
158
|
end
|
159
159
|
|
160
160
|
# Syntax error handler
|
161
|
-
def on_error(tok, val,
|
161
|
+
def on_error(tok, val, _vstack)
|
162
162
|
errstr = format(
|
163
163
|
'%s, near value: %s, (token: %s)',
|
164
164
|
err_pos_str, val, token_to_str(tok)
|
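Review bot: `AccessControlContainer.color_mode = @color_mode` in the option-handling code writes a per-parser option into class-level state, so the most recently constructed parser decides the colour mode for every container in the process. `AccessControlContainer` is not visible here, but if its string output depends on that mode, two parsers with different `:color` options will get escape sequences they did not ask for, which matters when the text is compared or pushed to a device. Pass the mode to the objects that render, or at least mark the line with `# NOTE: process-wide setting, shared by all parser instances`. Separately, the new message `"Argment: #{aclstr} not found."` misspells `Argument` and copies the whole input into the exception text. The enclosing methods start and end outside these hunks.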
@@ -18,7 +18,7 @@ module CiscoAclIntp
|
|
18
18
|
# @param [File] file File IO object
|
19
19
|
# @return [Array] Scanned tokens array (Queue)
|
20
20
|
def scan_file(file)
|
21
|
-
run_scaner(file) do
|
21
|
+
run_scaner(file) do
|
22
22
|
# no-op
|
23
23
|
end
|
24
24
|
end
|
@@ -72,9 +72,9 @@ module CiscoAclIntp
|
|
72
72
|
# @param [Integer] aclnum ACL number
|
73
73
|
# @return [Array] Token list
|
74
74
|
def check_numd_acl_type(aclnum)
|
75
|
-
if (1..99).
|
75
|
+
if (1..99).cover?(aclnum) || (1300..1999).cover?(aclnum)
|
76
76
|
[:NUMD_STD_ACL, aclnum]
|
77
|
-
elsif (100..199).
|
77
|
+
elsif (100..199).cover?(aclnum) || (2000..2699).cover?(aclnum)
|
78
78
|
[:NUMD_EXT_ACL, aclnum]
|
79
79
|
else
|
80
80
|
[:UNKNOWN, "access-list #{aclnum}"]
|
@@ -109,7 +109,7 @@ module CiscoAclIntp
|
|
109
109
|
when @ss.scan(/(\d+\.\d+\.\d+\.\d+)\s/)
|
110
110
|
## IP Address
|
111
111
|
@line_queue.push [:IPV4_ADDR, @ss[1]]
|
112
|
-
when @ss.scan(
|
112
|
+
when @ss.scan(%r{(\d+\.\d+\.\d+\.\d+)(\/)(\d+)\s})
|
113
113
|
## IP Address of 'ip/mask' notation
|
114
114
|
@line_queue.push [:IPV4_ADDR, @ss[1]]
|
115
115
|
@line_queue.push ['/', @ss[2]]
|
@@ -144,13 +144,11 @@ module CiscoAclIntp
|
|
144
144
|
# @return [Boolean] if line matched tokens
|
145
145
|
def scan_match_arg_tokens
|
146
146
|
@arg_tokens.each do |(str, length)|
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
end
|
151
|
-
@line_queue.push [:STRING, @ss[length]] # last element
|
152
|
-
break
|
147
|
+
next unless @ss.scan(/#{str}/)
|
148
|
+
(1...length).each do |idx|
|
149
|
+
@line_queue.push token_list(@ss[idx])
|
153
150
|
end
|
151
|
+
@line_queue.push [:STRING, @ss[length]] # last element
|
154
152
|
end
|
155
153
|
@ss.matched?
|
156
154
|
end
|
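Review bot: In `scan_match_arg_tokens`, the rewrite to `next unless @ss.scan(/#{str}/)` loses the `break` that the removed lines had after pushing the `:STRING` token, so as rendered here the loop keeps trying the remaining `@arg_tokens` patterns after a hit. A later failed `scan` then makes the closing `@ss.matched?` return false even though tokens were already queued, and a later successful one would queue a second token group from the same line. Restore the early exit by adding `break` after `@line_queue.push [:STRING, @ss[length]]`. In the `ip/mask` hunk, `%r{(\d+\.\d+\.\d+\.\d+)(\/)(\d+)\s}` accepts any digit run for the octets and the prefix length, so the range checks need to happen downstream; that code is not visible here.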
@@ -6,7 +6,7 @@ module CiscoAclIntp
|
|
6
6
|
module SpecialTokenHandler
|
7
7
|
# STRING token regexp:
|
8
8
|
# first letter is alphabet or digit
|
9
|
-
STR_REGEXP = '[a-zA-Z\d]\S*'
|
9
|
+
STR_REGEXP = '[a-zA-Z\d]\S*'.freeze
|
10
10
|
|
11
11
|
# Tokens that takes string parameter
|
12
12
|
STRING_ARG_TOKENS = [
|
@@ -24,13 +24,13 @@ module CiscoAclIntp
|
|
24
24
|
['object-group', 'service', :word],
|
25
25
|
['object-group', :word], # longest match
|
26
26
|
['group-object', :word]
|
27
|
-
]
|
27
|
+
].freeze
|
28
28
|
|
29
29
|
# Conversion table of string-tokens
|
30
30
|
SYMBOL_TO_REGEXPSTR = {
|
31
31
|
word: ['(', STR_REGEXP, ')'].join,
|
32
32
|
leftover: '(.*)$'
|
33
|
-
}
|
33
|
+
}.freeze
|
34
34
|
|
35
35
|
# Convert STRING_ARG_TOKENS to Regexp string
|
36
36
|
# @param [Array] set Special tokens set
|
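Review bot: The `.freeze` added to `STRING_ARG_TOKENS` and `SYMBOL_TO_REGEXPSTR` is shallow, so the inner arrays such as `['object-group', :word]` and the hash's string values can still be mutated in place. These tables feed the scanner's regular expressions, so freezing the elements as well keeps the token definitions truly constant: `].map(&:freeze).freeze` for the array and `leftover: '(.*)$'.freeze` for the hash values. `STRING_ARG_TOKENS` begins before the second hunk and its full contents are not visible here.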
@@ -1,7 +1,7 @@
|
|
1
1
|
# -*- coding: utf-8 -*-
|
2
2
|
require 'spec_helper'
|
3
3
|
|
4
|
-
def
|
4
|
+
def _build_target(opts)
|
5
5
|
ExtendedAce.new(
|
6
6
|
action: (opts[:target] || 'permit'),
|
7
7
|
protocol: (opts[:protocol] || 'tcp'),
|
@@ -40,7 +40,7 @@ describe ExtendedAce do
|
|
40
40
|
src: @src,
|
41
41
|
dst: @dst
|
42
42
|
)
|
43
|
-
ea.to_s.
|
43
|
+
expect(ea.to_s).to be_aclstr(
|
44
44
|
'permit tcp 192.168.8.9 0.0.7.6 host 192.168.30.3 range 1024 65535'
|
45
45
|
)
|
46
46
|
end
|
@@ -52,11 +52,10 @@ describe ExtendedAce do
|
|
52
52
|
src: @src,
|
53
53
|
dst: @dst
|
54
54
|
)
|
55
|
-
ea.to_s.
|
55
|
+
expect(ea.to_s).to be_aclstr(
|
56
56
|
'deny tcp 192.168.8.9 0.0.7.6 host 192.168.30.3 range 1024 65535'
|
57
57
|
)
|
58
58
|
end
|
59
|
-
|
60
59
|
end
|
61
60
|
|
62
61
|
context 'Argument error case' do
|
@@ -75,45 +74,44 @@ describe ExtendedAce do
|
|
75
74
|
end
|
76
75
|
|
77
76
|
it 'should be rased exception when :action not specified' do
|
78
|
-
|
77
|
+
expect do
|
79
78
|
ExtendedAce.new(
|
80
79
|
protocol: 'tcp',
|
81
80
|
src: @src,
|
82
81
|
dst: @dst
|
83
82
|
)
|
84
|
-
end.
|
83
|
+
end.to raise_error(AclArgumentError)
|
85
84
|
end
|
86
85
|
|
87
86
|
it 'should be rased exception when :protocol not specified' do
|
88
|
-
|
87
|
+
expect do
|
89
88
|
ExtendedAce.new(
|
90
89
|
action: 'deny',
|
91
90
|
src: @src,
|
92
91
|
dst: @dst
|
93
92
|
)
|
94
|
-
end.
|
93
|
+
end.to raise_error(AclArgumentError)
|
95
94
|
end
|
96
95
|
|
97
96
|
it 'should be rased exception when :src not specified' do
|
98
|
-
|
97
|
+
expect do
|
99
98
|
ExtendedAce.new(
|
100
99
|
action: 'deny',
|
101
100
|
protocol: 'tcp',
|
102
101
|
dst: @dst
|
103
102
|
)
|
104
|
-
end.
|
103
|
+
end.to raise_error(AclArgumentError)
|
105
104
|
end
|
106
105
|
|
107
106
|
it 'should be rased exception when :dst not specified' do
|
108
|
-
|
107
|
+
expect do
|
109
108
|
ExtendedAce.new(
|
110
109
|
action: 'deny',
|
111
110
|
protocol: 'tcp',
|
112
111
|
src: @src
|
113
112
|
)
|
114
|
-
end.
|
113
|
+
end.to raise_error(AclArgumentError)
|
115
114
|
end
|
116
|
-
|
117
115
|
end
|
118
116
|
end
|
119
117
|
|
@@ -193,13 +191,12 @@ describe ExtendedAce do
|
|
193
191
|
# run test
|
194
192
|
it teststr do
|
195
193
|
if eres
|
196
|
-
@ea.contains?(
|
194
|
+
expect(@ea.contains?(_build_target(eopts))).to be_truthy
|
197
195
|
else
|
198
|
-
@ea.contains?(
|
196
|
+
expect(@ea.contains?(_build_target(eopts))).to be_falsey
|
199
197
|
end
|
200
198
|
end # it
|
201
199
|
end # tests.each
|
202
|
-
|
203
200
|
end # context full spec test
|
204
201
|
|
205
202
|
context 'ANY ip/port port exists case' do
|
@@ -245,160 +242,192 @@ describe ExtendedAce do
|
|
245
242
|
ea = ExtendedAce.new(
|
246
243
|
action: 'permit', protocol: 'tcp', src: @src1, dst: @dst0
|
247
244
|
)
|
248
|
-
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
253
|
-
|
254
|
-
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
245
|
+
expect(
|
246
|
+
ea.contains?(
|
247
|
+
_build_target(
|
248
|
+
protocol: 'tcp',
|
249
|
+
src_operator: :eq,
|
250
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
251
|
+
dst_operator: :eq,
|
252
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
253
|
+
))).to be_truthy
|
254
|
+
expect(
|
255
|
+
ea.contains?(
|
256
|
+
_build_target(
|
257
|
+
protocol: 'tcp',
|
258
|
+
src_operator: :eq,
|
259
|
+
src_ip: @src_ip_unmatch, src_port: @src_port_match,
|
260
|
+
dst_operator: :eq,
|
261
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
262
|
+
))).to be_truthy
|
262
263
|
end
|
263
264
|
|
264
265
|
it 'should be false when any source ip and unmatch port' do
|
265
266
|
ea = ExtendedAce.new(
|
266
267
|
action: 'permit', protocol: 'tcp', src: @src1, dst: @dst0
|
267
268
|
)
|
268
|
-
|
269
|
-
|
270
|
-
|
271
|
-
|
272
|
-
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
269
|
+
expect(
|
270
|
+
ea.contains?(
|
271
|
+
_build_target(
|
272
|
+
protocol: 'tcp',
|
273
|
+
src_operator: :eq,
|
274
|
+
src_ip: @src_ip_match, src_port: @src_port_unmatch,
|
275
|
+
dst_operator: :eq,
|
276
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
277
|
+
))).to be_falsey
|
278
|
+
expect(
|
279
|
+
ea.contains?(
|
280
|
+
_build_target(
|
281
|
+
protocol: 'tcp',
|
282
|
+
src_operator: :eq,
|
283
|
+
src_ip: @src_ip_unmatch, src_port: @src_port_unmatch,
|
284
|
+
dst_operator: :eq,
|
285
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
286
|
+
))).to be_falsey
|
282
287
|
end
|
283
288
|
|
284
289
|
it 'should be true when any source port' do
|
285
290
|
ea = ExtendedAce.new(
|
286
291
|
action: 'permit', protocol: 'tcp', src: @src2, dst: @dst0
|
287
292
|
)
|
288
|
-
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
293
|
+
expect(
|
294
|
+
ea.contains?(
|
295
|
+
_build_target(
|
296
|
+
protocol: 'tcp',
|
297
|
+
src_operator: :eq,
|
298
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
299
|
+
dst_operator: :eq,
|
300
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
301
|
+
))).to be_truthy
|
302
|
+
expect(
|
303
|
+
ea.contains?(
|
304
|
+
_build_target(
|
305
|
+
protocol: 'tcp',
|
306
|
+
src_operator: :eq,
|
307
|
+
src_ip: @src_ip_match, src_port: @src_port_unmatch,
|
308
|
+
dst_operator: :eq,
|
309
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
310
|
+
))).to be_truthy
|
302
311
|
end
|
303
312
|
|
304
313
|
it 'should be false when any source port and unmatch ip' do
|
305
314
|
ea = ExtendedAce.new(
|
306
315
|
action: 'permit', protocol: 'tcp', src: @src2, dst: @dst0
|
307
316
|
)
|
308
|
-
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
316
|
-
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
317
|
+
expect(
|
318
|
+
ea.contains?(
|
319
|
+
_build_target(
|
320
|
+
protocol: 'tcp',
|
321
|
+
src_operator: :eq,
|
322
|
+
src_ip: @src_ip_unmatch, src_port: @src_port_match,
|
323
|
+
dst_operator: :eq,
|
324
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
325
|
+
))).to be_falsey
|
326
|
+
expect(
|
327
|
+
ea.contains?(
|
328
|
+
_build_target(
|
329
|
+
protocol: 'tcp',
|
330
|
+
src_operator: :eq,
|
331
|
+
src_ip: @src_ip_unmatch, src_port: @src_port_unmatch,
|
332
|
+
dst_operator: :eq,
|
333
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
334
|
+
))).to be_falsey
|
322
335
|
end
|
323
336
|
|
324
337
|
it 'should be true when any destination ip' do
|
325
338
|
ea = ExtendedAce.new(
|
326
339
|
action: 'permit', protocol: 'tcp', src: @src0, dst: @dst1
|
327
340
|
)
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
339
|
-
|
340
|
-
|
341
|
-
|
341
|
+
expect(
|
342
|
+
ea.contains?(
|
343
|
+
_build_target(
|
344
|
+
protocol: 'tcp',
|
345
|
+
src_operator: :eq,
|
346
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
347
|
+
dst_operator: :eq,
|
348
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
349
|
+
))).to be_truthy
|
350
|
+
expect(
|
351
|
+
ea.contains?(
|
352
|
+
_build_target(
|
353
|
+
protocol: 'tcp',
|
354
|
+
src_operator: :eq,
|
355
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
356
|
+
dst_operator: :eq,
|
357
|
+
dst_ip: @dst_ip_unmatch, dst_port: @dst_port_match
|
358
|
+
))).to be_truthy
|
342
359
|
end
|
343
360
|
|
344
361
|
it 'should be false when any destination ip and unmatch port' do
|
345
362
|
ea = ExtendedAce.new(
|
346
363
|
action: 'permit', protocol: 'tcp', src: @src0, dst: @dst1
|
347
364
|
)
|
348
|
-
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
365
|
+
expect(
|
366
|
+
ea.contains?(
|
367
|
+
_build_target(
|
368
|
+
protocol: 'tcp',
|
369
|
+
src_operator: :eq,
|
370
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
371
|
+
dst_operator: :eq,
|
372
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_unmatch
|
373
|
+
))).to be_falsey
|
374
|
+
expect(
|
375
|
+
ea.contains?(
|
376
|
+
_build_target(
|
377
|
+
protocol: 'tcp',
|
378
|
+
src_operator: :eq,
|
379
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
380
|
+
dst_operator: :eq,
|
381
|
+
dst_ip: @dst_ip_unmatch, dst_port: @dst_port_unmatch
|
382
|
+
))).to be_falsey
|
362
383
|
end
|
363
384
|
|
364
385
|
it 'should be true when any destination port' do
|
365
386
|
ea = ExtendedAce.new(
|
366
387
|
action: 'permit', protocol: 'tcp', src: @src0, dst: @dst2
|
367
388
|
)
|
368
|
-
|
369
|
-
|
370
|
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
|
376
|
-
|
377
|
-
|
378
|
-
|
379
|
-
|
380
|
-
|
381
|
-
|
389
|
+
expect(
|
390
|
+
ea.contains?(
|
391
|
+
_build_target(
|
392
|
+
protocol: 'tcp',
|
393
|
+
src_operator: :eq,
|
394
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
395
|
+
dst_operator: :eq,
|
396
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_match
|
397
|
+
))).to be_truthy
|
398
|
+
expect(
|
399
|
+
ea.contains?(
|
400
|
+
_build_target(
|
401
|
+
protocol: 'tcp',
|
402
|
+
src_operator: :eq,
|
403
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
404
|
+
dst_operator: :eq,
|
405
|
+
dst_ip: @dst_ip_match, dst_port: @dst_port_unmatch
|
406
|
+
))).to be_truthy
|
382
407
|
end
|
383
408
|
|
384
409
|
it 'should be false when any destination port and unmatch ip' do
|
385
410
|
ea = ExtendedAce.new(
|
386
411
|
action: 'permit', protocol: 'tcp', src: @src0, dst: @dst2
|
387
412
|
)
|
388
|
-
|
389
|
-
|
390
|
-
|
391
|
-
|
392
|
-
|
393
|
-
|
394
|
-
|
395
|
-
|
396
|
-
|
397
|
-
|
398
|
-
|
399
|
-
|
400
|
-
|
401
|
-
|
413
|
+
expect(
|
414
|
+
ea.contains?(
|
415
|
+
_build_target(
|
416
|
+
protocol: 'tcp',
|
417
|
+
src_operator: :eq,
|
418
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
419
|
+
dst_operator: :eq,
|
420
|
+
dst_ip: @dst_ip_unmatch, dst_port: @dst_port_match
|
421
|
+
))).to be_falsey
|
422
|
+
expect(
|
423
|
+
ea.contains?(
|
424
|
+
_build_target(
|
425
|
+
protocol: 'tcp',
|
426
|
+
src_operator: :eq,
|
427
|
+
src_ip: @src_ip_match, src_port: @src_port_match,
|
428
|
+
dst_operator: :eq,
|
429
|
+
dst_ip: @dst_ip_unmatch, dst_port: @dst_port_unmatch
|
430
|
+
))).to be_falsey
|
402
431
|
end
|
403
432
|
end # context exists any ip/port
|
404
433
|
end # describe contains?
|