cisco_acl_intp 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d664d74e52b4738c1835532f0fecefe1ee162ece
-  data.tar.gz: 56a40d167de808a4bf0ef778d8f443b01c408a22
+  metadata.gz: 60c56206a4b40ecdfc1b4cae9ddb3fa11da7e07e
+  data.tar.gz: 25b304576447f136c1da714cf0205531318bac33
 SHA512:
-  metadata.gz: 63c07906a0c2910a1cdbb6cb53b02cb9ef36c32b4138223c400147d8447f101b9c44fb9af211363a9a79be6f4dde533f448483975cb132fd6461a4e49a7cf463
-  data.tar.gz: c5208c436298dde049720eb9b5f15f41b09d482b696aa592c95220ec5fc6f779f2e8b4aebd2dda7539946d8eded55cdbfc4ba1a1b871afebefb1daf88b5d9cc2
+  metadata.gz: 42749dd6747920756f5a5f2c0a87e0ecbbed20d59db964244446d6bfa136c3c714edd9f6371b86fd8f2b5c57254aed782ffb6e1080ef4b58d4f4ea1b4c7f8457
+  data.tar.gz: 7cdd4c8d508a3bb271eef640636fc1f98bc7658d07f3ce718f1684719e5b943f5c5acf05c5ec2e44927bd3cb88b1f6c5f2e49a233dbd22f16d565b567a941b1d

data/Gemfile

@@ -11,7 +11,7 @@ group :development, :test do
   gem 'rake', '~> 10.1.1'
   gem 'reek', '~> 1.3.6'
   gem 'rspec', '~> 2.14.1'
-  gem 'rubocop', '~> 0.18.1' if RUBY_VERSION >= '1.9.0'
+  gem 'rubocop', '~> 0.19.1' if RUBY_VERSION >= '1.9.0'
   gem 'simplecov', '~> 0.8.2' if RUBY_VERSION >= '1.9.0'
   gem 'yard', '~> 0.8.7'
 end

data/README.md

@@ -165,9 +165,70 @@ obj,... See more detail in documents (see also, Documents section)
 
 ### ACL Varidator Web Frontend
 
-Front-end of ACL Varidator is at
-[github](https://github.com/stereocat/cisco_acl_web). It not only can
-parse (with CLI tool, it can only parse), but also search for ACL(ACE).
+[Web front-end of ACL Varidator](https://github.com/stereocat/cisco_acl_web)
+is at my github repository. It not only can parse (with CLI tool, it
+can only parse), but also search for ACL(ACE).
+
+## ACL operation as IP/Port set operation
+### Overview
+
+A CIDR-IP-Subnet, IP address with wildcard mask, TCP/UDP port
+numbere(s) with operator (`any`, `eq`, `neq`, `lt`, `gt`, `range`),
+these are set of IPs and/or ports. In CiscoAclIntp, `contains?`
+methods are implemented some ACL/ACE class. It is a set operation
+method of IP address and TCP/UDP port (to check set inclusion
+relation).
+
+Example:
+```ruby
+src = AceSrcDstSpec.new(
+  ipaddr: '192.168.15.15', wildcard: '0.0.7.6',
+  operator: 'gt', port: AceTcpProtoSpec.new(32_767)
+)
+dst = AceSrcDstSpec.new(
+  ipaddr: '192.168.30.3', wildcard: '0.0.0.0',
+  operator: 'range',
+  begin_port: AceTcpProtoSpec.new(1_024),
+  end_port: AceTcpProtoSpec.new(65_535)
+)
+
+# permit tcp 192.168.15.15 0.0.7.6 gt 32767 host 192.168.30.3 range 1024 65535
+ace = ExtendedAce.new(
+  action: 'permit', protocol: 'tcp', src: src, dst: dst
+)
+
+ace.contains?(
+  protocol: 'tcp',
+  src_operator: :eq, src_ip: '192.168.9.11', src_port: 51234
+)
+#=> true
+```
+
+### IP Addr Operation
+
+See `NetAddr::CIDR#matches?` for CIDR subnet operation and
+`NetAddr::CIDR#contains?` for IP with wildcard mask.
+
+### Port Operation
+
+| User       | any  | eq X   | neq X  | lt X   | gt X   | range X1 X2   |
+|------------|------|--------|--------|--------|--------|---------------|
+| any        | true | true   | true   | true   | true   | true          |
+| strict_any | true | false  | false  | false  | false  | false         |
+| eq P       | true | P = X  | P != X | P < X  | X < P  | X1 <= P <= X2 |
+| neq P      | true | false  | P = X  | P = X = 65535 | P = X = 0 | (P=X1=0 and X2=65535) or (X1=0 and P=X2=65535) |
+| lt P       | true | false  | P <= X | P <= X | false   | X1 = 0 and P < X2 |
+| gt P       | true | false  | X <= P | false  | X <= P  | X1 < P and X2 = 65535 |
+| range P1 P2| true | false  | P2 < X or X < P1 | P2 < X | X < P1 | X1 <= P1 and P2 <= X2 |
+
+In above table, “User” column is the argment of `contains?`, and,
+operators at table header are receiver of `contains?`. For example,
+`[gt X].contains?([eq P])` will be `true` if port `X < P`. It means
+the ACL `[gt X]` permit (or deny) the flow `[eq P]`. You can search
+ACEs which matches a flows specified by search conditions.
+
+`:strict_any` is a special operator to search acl, the operator is
+matches only `:any` operator.
 
 ## Documents
 

data/cisco_acl_intp.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |spec|
   spec.version       = CiscoAclIntp::VERSION
   spec.authors       = ['stereocat']
   spec.email         = ['stereocat@gmail.com']
-  spec.description   = %q{Cisco ACL Interpreter}
-  spec.summary       = %q{Cisco IOS Access Control List Interpreter}
+  spec.description   = %q(Cisco ACL Interpreter)
+  spec.summary       = %q(Cisco IOS Access Control List Interpreter)
   spec.homepage      = 'https://github.com/stereocat/cisco_acl_intp'
   spec.license       = 'MIT'
 

data/lib/cisco_acl_intp/ace.rb

@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-
 require 'cisco_acl_intp/ace_srcdst'
 
 module CiscoAclIntp
@@ -42,7 +41,7 @@ module CiscoAclIntp
     # Search matched ACE
     # @return [Boolean] Matched or not
     # @abstract
-    def matches?
+    def contains?
       false
     end
   end
@@ -57,7 +56,7 @@ module CiscoAclIntp
     end
 
     def to_s
-      tag_error(sprintf('!! error !! %s', @line))
+      tag_error(format('!! error !! %s', @line))
     end
   end
 
@@ -78,19 +77,19 @@ module CiscoAclIntp
     # Check equality
     # @return [Boolean] Compare with comment string
     def ==(other)
-      @comment == other.comment
+      other.instance_of?(RemarkAce) && @comment == other.comment
     end
 
     # Generate string for Cisco IOS access list
     # @return [String] Comment string
     def to_s
-      sprintf 'remark %s', tag_remark(@comment.to_s)
+      format 'remark %s', tag_remark(@comment.to_s)
     end
 
     # Search matched ACE
     # @param [Hash] opts Options
     # return [Boolean] false, Remark does not match anithyng.
-    def matches?(opts = nil)
+    def contains?(opts = nil)
       false
     end
   end
@@ -126,300 +125,24 @@ module CiscoAclIntp
 
     # @return [Boolean] Compare with recursive entry name
     def ==(other)
-      @recursive_name == other.recursive_name
+      other.instance_of?(EvaluateAce) &&
+        @recursive_name == other.recursive_name
     end
 
     # Generate string for Cisco IOS access list
     # @return [String]
     def to_s
-      sprintf 'evaluate %s', tag_name(@recursive_name)
+      format 'evaluate %s', tag_name(@recursive_name)
     end
 
     # Search matched ACE
     # @param [Hash] opts Options
     # return [Boolean]
     # @todo for Recursive name matching is not implemented yet
-    def matches?(opts = nil)
+    def contains?(opts = nil)
       false
     end
   end
-
-  # ACE for standard access list
-  class StandardAce < AceBase
-    # @param [String] value Action
-    # @return [String]
-    attr_accessor :action
-
-    # @param [AceSrcDstSpec] value Source spec object
-    # @return [AceSrcDstSpec]
-    attr_accessor :src_spec
-
-    # @param [AceLogSpec] value Log spec object
-    # @return [AceLogSpec]
-    attr_accessor :log_spec
-
-    # Constructor
-    # @param [Hash] opts Options
-    # @option opts [Integer] :number Sequence number
-    # @option opts [String] :action Action (permit/deny)
-    # @option opts [AceSrcDstSpec] :src Source spec object
-    # @option opts [Hash] :src Source spec parmeters
-    # @option opts [AceLogSpec] :log Log spec object
-    # @return [StandardAce]
-    # @raise [AclArgumentError]
-    def initialize(opts)
-      super
-      @options = opts
-      @action = define_action
-      @src_spec = define_src_spec
-      @log_spec = define_log_spec
-    end
-
-    # @return [Boolean]
-    def ==(other)
-      @action == other.action && @src_spec == other.src_spec
-    end
-
-    # Generate string for Cisco IOS access list
-    # @return [String]
-    def to_s
-      sprintf(
-        '%s %s %s',
-        tag_action(@action.to_s),
-        @src_spec,
-        tag_other_qualifier(@log_spec ? @log_spec : '')
-     )
-    end
-
-    # Search matched ACE
-    # @param [Hash] opts Options (target packet info)
-    # @option opts [String] :src_ip Source IP Address
-    # @return [Boolean] Matched or not
-    # @raise [AclArgumentError] Invalid src_ip
-    def matches?(opts)
-      if opts.key?(:src_ip)
-        @src_spec.matches?(opts[:src_ip])
-      else
-        fail AclArgumentError, 'Invalid match target src IP address'
-      end
-    end
-
-    private
-
-    # Set instance variables
-    # @return [String] Action string
-    # @raise [AclArgumentError]
-    def define_action
-      if @options.key?(:action)
-        @options[:action]
-      else
-        fail AclArgumentError, 'Not specified action'
-      end
-    end
-
-    # Set instance variables
-    # @return [AceSrcDstSpec] Source spec object
-    # @raise [AclArgumentError]
-    def define_src_spec
-      if @options.key?(:src)
-        src = @options[:src]
-        case src
-        when Hash
-          AceSrcDstSpec.new(src)
-        when AceSrcDstSpec
-          src
-        else
-          fail AclArgumentError, 'src spec: unknown class'
-        end
-      else
-        fail AclArgumentError, 'Not specified src spec'
-      end
-    end
-
-    # Set instance variables
-    # @return [String] Log spec object
-    # @raise [AclArgumentError]
-    def define_log_spec
-      @options[:log] || nil
-    end
-  end
-
-  # ACE for extended access list
-  class ExtendedAce < StandardAce
-    # @param [String] value L3/L4 protocol
-    # @return [String]
-    attr_accessor :protocol
-
-    # @param [AceSrcDstSpec] value Destination spec object
-    # @return [AceSrcDstSpec]
-    attr_accessor :dst_spec
-
-    # @param [AceTcpFlagList] value
-    #   TCP flags (used when '@protocol':tcp)
-    # @return [AceTcpFlagList]
-    attr_accessor :tcp_flags
-
-    # @param [AceOtherQualifierList] value
-    #   TCP other qualifier list object (used when '@protocol':tcp)
-    # @return [AceOtherQualifierList]
-    attr_accessor :tcp_other_qualifiers
-
-    # Option,
-    # :src and :dst can handle multiple types of object generation,
-    # so that the argments can takes hash of AceSrcDstSpec.new or
-    # AceSrcDstSpec instance.
-    # :protocol and so on. (AceIpProtoSpec Object)
-    #
-    # about :protocol, it has specification of name and number
-    # (specified in internal of parser).
-    # basically, it is OK that specify only name.
-    # (does it convert name <=> number each oether?)
-    # (does it use number?
-    #
-
-    # Constructor
-    # @param [Hash] opts Options
-    # @option opts [String] :protocol L3/L4 protocol
-    # @option opts [Integer] :number Protocol/Port number
-    # @option opts [String] :action Action
-    # @option opts [AceSrcDstSpec] :src Source spec object
-    # @option opts [Hash] :src Source spec parmeters
-    # @option opts [AceSrcDstSpec] :dst Destination spec object
-    # @option opts [Hash] :dst Destination spec parmeters
-    # @option opts [AceTcpFlagList] :tcp_port_qualifier
-    #   TCP Flags object
-    # @raise [AclArgumentError]
-    # @return [ExtendACE]
-    #
-    # @example Construct ACE object
-    #   ExtendACE.new(
-    #     :protocol => 'tcp',
-    #     :number => 10,
-    #     :action => 'permit',
-    #     :src => { :ipaddr => '192.168.3.0', :wildcard => '0.0.0.127' },
-    #     :dst => { :ipaddr => '172.30.0.0', :wildcard => '0.0.7.127',
-    #               :operator => 'eq', :begin_port => 80 })
-    #
-    def initialize(opts)
-      super
-      @options = opts
-      @protocol = define_protocol
-      @dst_spec = define_dst_spec
-      @tcp_flags = define_tcp_flags
-      @tcp_other_qualifiers = nil # not yet.
-    end
-
-    # @param [ExtendACE] other RHS object
-    # @return [Boolean]
-    def ==(other)
-      @action == other.action &&
-        @protocol == other.protocol &&
-        @src_spec == other.src_spec &&
-        @dst_spec == other.dst_spec &&
-        @tcp_flags == other.tcp_flags
-      ## does it need to compare? : tcp_other_qualifiers
-    end
-
-    # Generate string for Cisco IOS access list
-    # @return [String]
-    def to_s
-      sprintf(
-        '%s %s %s %s %s %s',
-        tag_action(@action.to_s),
-        tag_protocol(@protocol.to_s),
-        @src_spec,
-        @dst_spec,
-        @tcp_flags,
-        @tcp_other_qualifiers
-     )
-    end
-
-    # Search matched ACE
-    # @param [Hash] opts Options (target packet info)
-    # @option opts [String] :protocol L3/L4 protocol name
-    #   (allows "tcp", "udp" and "icmp")
-    # @option opts [String] :src_ip Source IP Address
-    # @option opts [Integer,String] :src_port Source Port No./Name
-    # @option opts [String] :dst_ip Destination IP Address
-    # @option opts [Integer,String] :dst_port Destination Port No./Name
-    # @return [Boolean] Matched or not
-    # @raise [AclArgumentError]
-    def matches?(opts)
-      if opts.key?(:protocol)
-        match_protocol?(opts[:protocol]) &&
-          @src_spec.matches?(opts[:src_ip], opts[:src_port]) &&
-          @dst_spec.matches?(opts[:dst_ip], opts[:dst_port])
-      else
-        fail AclArgumentError, 'Invalid match target protocol'
-      end
-    end
-
-    private
-
-    # check protocol
-    # @option protocol [AceProtoSpecBase] protocol
-    # @return [Boolean] Matched or not
-    # @raise [AclArgumentError]
-    def match_protocol?(protocol)
-      protocol_str = @protocol.to_s
-      if [protocol_str, protocol].include?('ip')
-        true # allow any of icmp/tcp/udp
-      else
-        # @todo what to do when NO name and only protocol number is
-        #   specified?  In principle, it must be compared by object.
-        protocol == protocol_str
-      end
-    end
-
-    # Set instance variables
-    # return [AceIpProtoSpec] IP protocol object
-    # raise [AclArgumentError]
-    def define_protocol
-      if @options.key?(:protocol)
-        protocol = @options[:protocol]
-        case protocol
-        when AceIpProtoSpec
-          protocol
-        else
-          AceIpProtoSpec.new(
-            name: protocol,
-            number: @options[:protocol_num]
-          )
-        end
-      else
-        fail AclArgumentError, 'Not specified IP protocol'
-      end
-    end
-
-    # Set instance variables
-    # @return [AceSrcDstSpec] Destination spec object
-    # @raise [AclArgumentError]
-    def define_dst_spec
-      if @options.key?(:dst)
-        dst = @options[:dst]
-        case dst
-        when Hash
-          AceSrcDstSpec.new(dst)
-        when AceSrcDstSpec
-          dst
-        else
-          fail AclArgumentError, 'Dst spec: unknown class'
-        end
-      else
-        fail AclArgumentError, 'Not specified dst spec'
-      end
-    end
-
-    # Set instance variables
-    # @return [AceOtherQualifierList]
-    def define_tcp_flags
-      if @protocol.name == 'tcp' && @options.key?(:tcp_flags_qualifier)
-        @options[:tcp_flags_qualifier]
-      else
-        nil
-      end
-    end
-  end
 end # module
 
 ### Local variables:

data/lib/cisco_acl_intp/ace_ip.rb

@@ -1,5 +1,4 @@
 # -*- coding: utf-8 -*-
-
 require 'forwardable'
 require 'netaddr'
 require 'cisco_acl_intp/acl_base'
@@ -14,7 +13,7 @@ module CiscoAclIntp
     # @return [NetAddr::CIDR]
     attr_reader :ipaddr
 
-    # @param [Integer] value Netmask length
+    # @param [Integer] value Netmask *length*
     # @return [Integer]
     attr_reader :netmask
 
@@ -23,10 +22,10 @@ module CiscoAclIntp
     # @return [String]
     attr_reader :wildcard
 
-    def_delegator :@ipaddr, :ip, :ipaddr
-
     # `matches?' method is wildcard mask operation
-    def_delegators :@ipaddr, :matches?
+    def_delegators :@ipaddr, :matches?, :contains?
+    # ip returns non-masked address
+    def_delegators :@ipaddr, :ip
 
     # Constructor
     # @param [Hash] opts Options
@@ -49,9 +48,8 @@ module CiscoAclIntp
     # @param [AceIpSpec] other RHS Object
     # @return [Boolean]
     def ==(other)
-      @ipaddr == other.ipaddr &&
-        @netmask == other.netmask &&
-        @wildcard == other.wildcard
+      @ipaddr == other.ipaddr && ip == other.ip &&
+        @netmask == other.netmask && @wildcard == other.wildcard
     end
 
     # Generate string for Cisco IOS access list
@@ -63,9 +61,9 @@ module CiscoAclIntp
       else
         if @wildcard == '0.0.0.0'
           # /32 mask
-          sprintf('%s %s', tag_mask('host'), tag_ip(@ipaddr.ip))
+          format '%s %s', tag_mask('host'), tag_ip(@ipaddr.ip)
         else
-          sprintf('%s %s', tag_ip(to_wmasked_ip_s), tag_mask(@wildcard))
+          format '%s %s', tag_ip(to_wmasked_ip_s), tag_mask(@wildcard)
         end
       end
     end
@@ -100,6 +98,8 @@ module CiscoAclIntp
     # Covnet IPv4 bit-flapped wildcard to netmask length
     # @return [Fixnum] netmask length
     #   or `nil` when discontinuous-bits-wildcard-mask
+    # @todo Known bug: it cannot handle wrong wildcard,
+    #   e.g. '0.0.0.1.255' #=> 31
     def wildcard_bitlength
       @wildcard.split(/\./).reduce(0) do |len, octet|
         if len && OCTET_BIT_LENGTH.key?(octet)
@@ -110,8 +110,19 @@ module CiscoAclIntp
       end
     end
 
+    # Check ip addr string: alias 'any' ipaddr
+    # @return [AceIpSpec] IP spec object.
+    def check_ip_any_alias
+      case @options[:ipaddr]
+      when nil, '', 'any', /^\s*$/
+        @options[:ipaddr] = '0.0.0.0'
+        @options[:netmask] = 0
+      end
+    end
+
     # Set instance variables
     def define_addrinfo
+      check_ip_any_alias
       if @options.key?(:wildcard)
         define_addrinfo_prefer_wildcard
       else
@@ -137,7 +148,8 @@ module CiscoAclIntp
       if @options.key?(:netmask)
         define_addrinfo_with_netmask
       else
-        define_addrinfo_with_default_netmask
+        @options[:netmask] = 32 # default ('host' mask)
+        define_addrinfo_with_netmask
       end
     end
 
@@ -154,17 +166,7 @@ module CiscoAclIntp
     def define_addrinfo_with_netmask
       @netmask = @options[:netmask]
       @ipaddr = NetAddr::CIDR.create(
-        [@options[:ipaddr], @netmask].join('/')
-      )
-      @wildcard = @ipaddr.wildcard_mask(true)
-    end
-
-    # Set instance variables with ip/default-netmask
-    def define_addrinfo_with_default_netmask
-      # default mask
-      @netmask = '255.255.255.255'
-      @ipaddr = NetAddr::CIDR.create(
-        [@options[:ipaddr], @netmask].join(' ')
+        format '%s/%s', @options[:ipaddr], @netmask
       )
       @wildcard = @ipaddr.wildcard_mask(true)
     end

data/lib/cisco_acl_intp/ace_other_qualifiers.rb

@@ -16,8 +16,8 @@ module CiscoAclIntp
 
     # Constructor
     # @return [AceOtherQualifierList]
-    def initialize
-      @list = []
+    def initialize(list = [])
+      @list = list
     end
 
     # Generate string for Cisco IOS access list
@@ -29,7 +29,9 @@ module CiscoAclIntp
     # @param [AceOtherQualifierList] other RHS Object
     # @return [Boolean]
     def ==(other)
-      @list == other.list
+      @list.reduce(true) do |res, each|
+        res && other.list.include?(each)
+      end
     end
   end
 
@@ -45,7 +47,7 @@ module CiscoAclIntp
 
     # Specified log-input logging?
     # @return [Boolean]
-    attr_reader :input
+    attr_accessor :input
 
     # alias as boolean method
     # @return [Boolean]
@@ -63,12 +65,20 @@ module CiscoAclIntp
     # Generate string for Cisco IOS access list
     # @return [String]
     def to_s
-      sprintf(
+      format(
         '%s %s',
         @input ? 'log-input' : 'log',
         @cookie ? @cookie : ''
       )
     end
+
+    # @param [AceLogSpec] other RHS object
+    # @return [Boolean]
+    def ==(other)
+      other.instance_of?(AceLogSpec) &&
+        @input == other.input &&
+        @cookie == other.cookie
+    end
   end
 
   # Recursive qualifier container
@@ -90,7 +100,14 @@ module CiscoAclIntp
     # Generate string for Cisco IOS access list
     # @return [String]
     def to_s
-      sprintf 'reflect %s', tag_name(@recursive_name)
+      format 'reflect %s', tag_name(@recursive_name)
+    end
+
+    # @param [AceRecursiveQualifier] other RHS object
+    # @return [Boolean]
+    def ==(other)
+      other.instance_of?(AceRecursiveQualifier) &&
+        @recursive_name == other.recursive_name
     end
   end
 end # module