netutils 0.1.1

data/bin/config-diff-check

@@ -0,0 +1,111 @@
+#!/bin/sh
+dir=`dirname $0`/../../../conf/net
+progname=`basename $0`
+cd $dir
+diffsep=
+diffall=
+tmpdira=a
+tmpdirb=b
+case `uname` in
+Linux|*BSD*)
+	tmpdiropt='-p /tmp'
+	;;
+*)
+	# Darwin does not have -p option...
+	;;
+esac
+tmpdir="`mktemp -u $tmpdiropt -d $progname.XXXXXXXX`"
+#
+usage()
+{
+	echo "
+Usage:
+	$progname -h
+	$progname [-d]
+Description:
+	check to see if a configuration of a network switch generated
+	by \`\`config-gets'' and stored into $dir
+	is changed or not.  Also, revert trivial modification such as
+	NTP drift, a timestamp of a configuration and so on.
+Options:
+	-h:	display this message.
+	-d:	display detailed diff.
+"
+}
+
+if [ ! -z "$1" -a ! "$1" = "-d" ]; then
+	usage
+	exit 1
+fi
+
+#
+# filters to ignore a difference of a configuration of Cisco, Alaxala,
+# Aruba WLC and NEC IX series even though no actual changes are made
+# like below:
+#
+# Cisco:
+# ! Last configuration change at 23:16:01 jst Sat Apr 14 2018 by hogehoge
+# ! NVRAM config last updated at 00:28:45 jst Sun Apr 8 2018 by hogehoge
+#
+# Alaxala:
+# #Last modified by hogehoge at Sun Apr 15 04:00:03 2018 JST with version 12.7.B
+#
+# NEC IX:
+# ! Current time Apr 15-Sun-2018 02:11:02 JST
+#
+regexp="								\
+	-e ^ntp\sclock-period -e ^!\s(N|L|C) -e ^#L			\
+	-e ^\s{3}key\s -e ^\s{3}ap-console-password\s			\
+	-e ^\s{3}bkup-passwords\s -e ^\s{3}wpa-passphrase\s		\
+	"
+grep="grep -E $regexp"
+grepex="grep -Ev $regexp"
+#
+if ! mkdir -p "$tmpdir/$tmpdira" "$tmpdir/$tmpdirb" > /dev/null 2>&1; then
+	echo "Cannot create temporary directory!!!"
+	exit 1
+fi
+for path in *.conf; do
+	file=`basename $path`
+	diff=`git diff "$file"`
+
+	# force to generate diff. for a untracked file.
+	if [ -z "$diff" ]; then
+		if git status "$file" | grep "$file" > /dev/null 2>&1; then
+			diff=`diff -wc /dev/null "$file"`
+		fi
+	fi
+
+	[ -z "$diff" ] && continue
+
+	#
+	# hack for Cisco and Aruba WLC that have different values,
+	# e.g., NTP drift or password hash values, in configuration
+	# output even though the configuration is never modified.
+	#
+	if $grep "$file" > /dev/null 2>&1; then
+		tmpfilea="$tmpdir/$tmpdira/$file"
+		tmpfileb="$tmpdir/$tmpdirb/$file"
+		git show HEAD:./$file |	$grepex > "$tmpfilea"
+		$grepex "$file" > "$tmpfileb"
+		diff=`cd "$tmpdir" &&					\
+		    diff -wc "$tmpdira/$file" "$tmpdirb/$file"`
+		if [ -z "$diff" ]; then
+			git checkout HEAD -- $file
+			continue
+		fi
+	fi
+
+	echo "$file changes"
+	diffall="$diffall$diffsep$diff"
+	diffsep="
+"
+done
+rm -rf "$tmpdira" "$tmpdirb"
+
+if [ -z "$diffall" ]; then
+	echo 'nothing changed.'
+elif [ "$1" = '-d' ]; then
+	echo ''
+	echo "$diffall" | sed -re '/^[^ ]* +block-list \[ / s/\./[.]/g'
+fi

data/bin/config-gets

@@ -0,0 +1,64 @@
+#!/usr/bin/env ruby
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)).untaint, '/..')
+
+require 'netutils'
+#
+def usage(errmsg = nil)
+	progname = File.basename($0)
+	STDERR.print "ERROR: #{errmsg}\n\n" if errmsg
+	STDERR.print "\
+Usage:
+	#{progname} -h
+	#{progname} [-a] <switch IP address1> <switch IP address2> ...
+Description:
+	retrieve configurations of network switches.  If an option, ``-a,''
+	is specified, retrieve from all neighboring switches as well using
+	LLDP or CDP.
+Arguments:
+	switch IP address:
+		an IP address of a switch.  If no IP address is given,
+		pre-defined IP addresses are used.
+Options:
+	-h:	output this help message.
+	-a:	try to find all neighboring switches.
+Example:
+	#{progname} 192.168.0.1
+	#{progname} -a 192.168.0.1
+"
+        exit 1
+end
+
+if ARGV[0] === '-h'
+	ARGV.shift
+	usage
+end
+if ARGV[0] === '-a'
+	ARGV.shift
+	Switch.set_retrieve_all
+end
+if ARGV.length > 0
+	ARGV.each do |ia|
+		Switch.new(nil, Switch::Type::ROUTER, ia)
+	end
+else
+	SWITCHES.each { |name, ia| Switch.new(name, Switch::Type::ROUTER, ia) }
+end
+
+Switch.retrieve do |sw|
+	start = Time.now
+	if sw.name
+		print "Connecting: ``#{sw.name}'' (#{sw.ia})\n"
+	else
+		print "Connecting: #{sw.ia}\n"
+	end
+	sw.login
+	duration = Time.now - start
+	print " Connected: ``#{sw.name}'' (#{sw.ia}) (#{sw.maker_to_s} #{sw.product}) (#{duration} seconds)\n"
+	sw.config_get
+	sw.config_dump(File.join(File.expand_path(File.dirname(__FILE__)).untaint, '/../../../conf/net'))
+	#switch.if_dump
+	#switch.if_dump_csv
+	print "      Done: ``#{sw.name}'' (#{sw.ia}) (#{sw.maker_to_s} #{sw.product})\n"
+end
+Switch.warn
+

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "netutils"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/host-locate-on-demand

@@ -0,0 +1,102 @@
+#!/usr/bin/env ruby
+$:.unshift File.join(File.expand_path(File.dirname(__FILE__)).untaint, '/..')
+
+require 'netutils'
+
+################################################################################
+def usage
+	STDERR.print "\
+Usage: #{$progname} [-h] [-d] <host IP address>
+Description:
+	this script also locates an edge switch and a port using LLDP and/or CDP
+	to which an specified host is connected.
+	this script firstly locates a router that directly connects to a specified
+	IP address of a host.  this script then resolves a MAC address of the IP
+	address.  this script finally locates the switch and the port.
+Options:
+	-h:	output this help message.
+	-d:	locate a directly connected router only.
+Bugs:
+	this script may fail to locate a host when the host is already detached
+	from a network or the host does not generate any traffic for a certain
+	duration.
+Example:
+	#{$progname} 192.168.0.1
+"
+        exit
+end
+
+usage if ! ARGV.size.between?(1, 2)
+case ARGV[0]
+when '-h'
+	usage
+when '-d'
+	ARGV.shift
+	connectedonly = true
+end
+usage if ARGV.size != 1
+
+ia = ARGV[0]
+usage if ia !~ /^[0-9\.]+$/
+
+def host_locate(sw, interface, ma)
+	vlan = interface_name_vlan_id(interface)
+	return sw, interface if ! vlan
+
+	sws = {}
+	while true
+		log_without_newline "\t#{sw.name} (#{sw.ia}) "
+		ports = sw.mac_address_table_get(ma, vlan)
+		if ports.size === 0
+			raise "No FIB entry found for #{ma} " +
+			    "on #{sw.name} (#{sw.ia})"
+		end
+		ports.each do |name, port|
+			next if sws.has_key?(sw.name)
+			sws[sw.name] = sw
+
+			log "#{port}"
+
+			ssw = static_neighbor_resolve(sw.name, port)
+			if ssw
+				sw = ssw
+			else
+				nsw = sw.neighbor_gets(port)
+				if ! nsw ||
+				   (nsw.type != Switch::Type::ROUTER &&
+				    nsw.type != Switch::Type::SWITCH)
+					return sw, port
+				end
+				if ! nsw.ia
+					raise "ERROR: #{nsw.name} found but " +
+					    "no IP address!!!"
+				end
+				sw = nsw
+			end
+			sw.login
+			break
+		end
+	end
+end
+
+begin
+	log "locating directly connected router for #{ia}... "
+	sw, xia = router_locate(ia)
+	if ia == xia
+		log "\t\"#{sw.name}\" (#{sw.ia})"
+	else
+		log "\t\"department router\" (#{xia})"
+	end
+
+	exit 0 if connectedonly
+
+	log_without_newline "resolving MAC address for #{xia}... "
+	ma, vrf, interface = sw.macaddr_resolve(xia)
+	log "found"
+	log "\t#{xia} #{ma} on VRF \"#{vrf.name}\" #{interface}"
+
+	log "locating MAC address #{ma}..."
+	sw, port = host_locate(sw, interface, ma)
+rescue => e
+	log " FAILED: #{e.to_s}"
+end

data/bin/ipaddr-resolv

@@ -0,0 +1,74 @@
+#!/usr/bin/env ruby
+
+require 'resolv'
+
+DOMAINS = [
+    'officecdn.microsoft.com',
+    'officecdn.microsoft.com.edgesuite.net',
+    'ctldl.windowsupdate.com',
+    'niig4.ocsp.secomtrust.net',
+    'repo1.secomtrust.net',
+    'scrootca1.ocsp.secomtrust.net',
+    'scrootca2.ocsp.secomtrust.net',
+    'repository.secomtrust.net',
+    'ocsp.digicert.com'
+    ]
+
+MAXTTL = 3600
+
+class Domain
+	def initialize(name)
+		@name = name
+		@ias = {}
+	end
+
+	def update
+		expires = @ias
+		@ias = {}
+
+		resolv = Resolv::DNS.new
+		rs = resolv.getresources(@name, Resolv::DNS::Resource::IN::A)
+
+		minttl = MAXTTL
+		rs.each do |r|
+			key = r.address.to_s
+			@ias[key] = r
+			if expires.has_key?(key)
+				expires.delete(key)
+				puts "#{@name}: #{key} update!!!"
+			else
+				puts "#{@name}: #{key} new!!!"
+			end
+			if minttl > r.ttl
+				minttl = r.ttl
+			end
+		end
+		expires.each do |k, v|
+			puts "#{@name}: #{v.address} expires!!!"
+		end
+		return minttl
+	end
+end
+
+domains = []
+DOMAINS.each do |h|
+	domains <<= Domain.new(h)
+end
+
+while true
+	minttl = MAXTTL
+	domains.each do |d|
+		begin
+			ttl = d.update
+		rescue
+			ttl = 1
+		end
+		if minttl > ttl
+			minttl = ttl
+		end
+	end
+	if minttl < 1
+		minttl = 1
+	end
+	sleep minttl
+end

data/bin/ipaddr-resolv.sh

@@ -0,0 +1,97 @@
+#!/bin/sh
+
+hostnames="\
+	officecdn.microsoft.com						\
+	officecdn.microsoft.com.edgesuite.net				\
+	ctldl.windowsupdate.com						\
+	niig4.ocsp.secomtrust.net					\
+	repo1.secomtrust.net						\
+	scrootca2.ocsp.secomtrust.net					\
+	repository.secomtrust.net					\
+	wpad.tottori-u.ac.jp						\
+	"
+filename=ipaddrs.txt
+
+#
+tmpfile=$filname.tmp
+interval=300
+expiry=864000
+
+log()
+{
+
+	echo `date '+%Y/%m/%d %H:%M:%S'` "$1"
+}
+
+resolve()
+{
+	hostname=$1
+
+	host $hostname | sed -rn 's/^.* has address ([0-9.]+)$/\1/p'
+}
+
+add()
+{
+	ia=$1
+	hostname=$2
+	time=$3
+
+	if ! remove $ia $hostname 'no'; then
+		log "add $hostname ($ia) $time"
+		r=0
+	else
+		r=1
+	fi
+	echo "$ia $hostname $time" >> $filename
+	return $r
+}
+
+remove()
+{
+	ia=$1
+	hostname=$2
+	removeonly=$3
+
+	[ ! -e $filename ] && return
+	if [ "$removeonly" = 'yes' ]; then
+		log "Remove $hostname ($ia)"
+	fi
+	grep "^$ia .*$" $filename > /dev/null 2>&1
+	r=$?
+	if [ $r -eq 0 ]; then
+		grep -v "^$ia .*$" $filename > $tmpfile
+		mv $tmpfile $filename
+	fi
+	return $r
+}
+
+expire()
+{
+	now=$1
+	expiry=$2
+
+	while read ia hostname lasttime; do
+		diff=`expr $now - $lasttime`
+		if [ $diff -gt $expiry ]; then
+			remove $ia $hostname 'yes'
+		fi
+	done < $filename
+}
+
+log 'Started'
+while true; do
+	changed=no
+	now=`date +%s`
+	for h in $hostnames; do
+		for ia in `resolve $h`; do
+			if add "$ia" "$h" "$now"; then
+				changed=yes
+			fi
+		done
+	done
+	expire $now $expiry
+	if [ "$changed" = 'yes' ]; then
+		ruby wiredlanauth-filter-sync.rb
+	fi
+	sleep $interval
+done