Source code changes of the file "go/pkg/pass2/check-acl.go" between
Netspoc-6.025.tar.gz and Netspoc-6.026.tar.gz

About: NetSPoC is a network security policy compiler (using its own description language) to manage all the packet filter devices inside your network topology.

check-acl.go  (Netspoc-6.025):check-acl.go  (Netspoc-6.026)
package pass2 package pass2
import ( import (
"fmt" "fmt"
"github.com/hknutzen/Netspoc/go/pkg/diag"
"github.com/hknutzen/Netspoc/go/pkg/fileop" "github.com/hknutzen/Netspoc/go/pkg/fileop"
"github.com/spf13/pflag" "github.com/spf13/pflag"
"io/ioutil" "io/ioutil"
"net" "net"
"os" "os"
"strconv" "strconv"
"strings" "strings"
) )
type packet struct { type packet struct {
skipping to change at line 37 skipping to change at line 38
os.Args[0]) os.Args[0])
fs.PrintDefaults() fs.PrintDefaults()
} }
// Command line flags // Command line flags
fromFile := fs.StringP("file", "f", "", "Read packet descriptions from fi le") fromFile := fs.StringP("file", "f", "", "Read packet descriptions from fi le")
if err := fs.Parse(os.Args[1:]); err != nil { if err := fs.Parse(os.Args[1:]); err != nil {
if err == pflag.ErrHelp { if err == pflag.ErrHelp {
return 1 return 1
} }
showErr("%s", err) diag.Err("%s", err)
fs.Usage() fs.Usage()
return 1 return 1
} }
// Initialize packet descriptions. // Initialize packet descriptions.
var packets []*packet var packets []*packet
if *fromFile != "" { if *fromFile != "" {
var err error var err error
packets, err = readPackets(*fromFile) packets, err = readPackets(*fromFile)
if err != nil { if err != nil {
showErr("%s", err) diag.Err("%s", err)
return 1 return 1
} }
} }
// Argument processing // Argument processing
args := fs.Args() args := fs.Args()
if !(*fromFile != "" && len(args) >= 2 || len(args) >= 3) { if !(*fromFile != "" && len(args) >= 2 || len(args) >= 3) {
fs.Usage() fs.Usage()
return 1 return 1
} }
path := args[0] path := args[0]
if !strings.HasSuffix(path, ".rules") { if !strings.HasSuffix(path, ".rules") {
path += ".rules" path += ".rules"
} }
if !fileop.IsRegular(path) { if !fileop.IsRegular(path) {
showErr("Can't find file %s", path) diag.Err("Can't find file %s", path)
return 1 return 1
} }
acl := args[1] acl := args[1]
packets = append(packets, parsePackets(args[2:])...) packets = append(packets, parsePackets(args[2:])...)
// Check, which packets match ACL. // Check, which packets match ACL.
return checkACL(path, acl, packets) return checkACL(path, acl, packets)
} }
skipping to change at line 95 skipping to change at line 96
func parsePackets(lines []string) []*packet { func parsePackets(lines []string) []*packet {
var result []*packet var result []*packet
for _, line := range lines { for _, line := range lines {
line = strings.TrimSpace(line) line = strings.TrimSpace(line)
if line == "" { if line == "" {
continue continue
} }
line = strings.ToLower(line) line = strings.ToLower(line)
fields := strings.Fields(line) fields := strings.Fields(line)
if len(fields) != 4 { if len(fields) != 4 {
showWarn("Ignored packet, must have exactly 4 words: %s", line) diag.Warn("Ignored packet, must have exactly 4 words: %s" , line)
continue continue
} }
ip1 := fields[0] ip1 := fields[0]
ip2 := fields[1] ip2 := fields[1]
prt := fields[2] prt := fields[2]
ext := fields[3] ext := fields[3]
ip1 = checkIP(ip1) ip1 = checkIP(ip1)
ip2 = checkIP(ip2) ip2 = checkIP(ip2)
if ip1 == "" || ip2 == "" { if ip1 == "" || ip2 == "" {
continue continue
skipping to change at line 122 skipping to change at line 123
if i != -1 { if i != -1 {
typ := ext[:i] typ := ext[:i]
code := ext[i+1:] code := ext[i+1:]
typ = checkNum(typ, 256) typ = checkNum(typ, 256)
code = checkNum(code, 256) code = checkNum(code, 256)
if typ == "" || code == "" { if typ == "" || code == "" {
continue continue
} }
ext = typ + "/" + code ext = typ + "/" + code
} else { } else {
showWarn("Ignored icmp packet with invalid type/c ode: %s", line) diag.Warn("Ignored icmp packet with invalid type/ code: %s", line)
continue continue
} }
case "proto": case "proto":
ext = checkNum(ext, 256) ext = checkNum(ext, 256)
default: default:
showWarn("Ignored packet with unexpected protocol: %s", l ine) diag.Warn("Ignored packet with unexpected protocol: %s", line)
continue continue
} }
if ext == "" { if ext == "" {
continue continue
} }
p := packet{src: ip1, dst: ip2, prt: prt + " " + ext} p := packet{src: ip1, dst: ip2, prt: prt + " " + ext}
result = append(result, &p) result = append(result, &p)
} }
return result return result
} }
func checkIP(s string) string { func checkIP(s string) string {
ip := net.ParseIP(s) ip := net.ParseIP(s)
if ip == nil { if ip == nil {
showWarn("Ignored packet with invalid IP address: %s", s) diag.Warn("Ignored packet with invalid IP address: %s", s)
return "" return ""
} }
return ip.String() return ip.String()
} }
func checkNum(s string, max int) string { func checkNum(s string, max int) string {
num, err := strconv.Atoi(s) num, err := strconv.Atoi(s)
if err != nil || num < 0 || num >= max { if err != nil || num < 0 || num >= max {
showWarn("Ignored packet with invalid protocol number: %s", s) diag.Warn("Ignored packet with invalid protocol number: %s", s)
return "" return ""
} }
return strconv.Itoa(num) return strconv.Itoa(num)
} }
// Print each packet to STDOUT. // Print each packet to STDOUT.
// Packet, that matches ACL is prefixed with "permit". // Packet, that matches ACL is prefixed with "permit".
// Other packet is prefixed with "deny ". // Other packet is prefixed with "deny ".
func checkACL(path, acl string, packets []*packet) int { func checkACL(path, acl string, packets []*packet) int {
rData := readJSON(path) rData := readJSON(path)
var aInfo *aclInfo var aInfo *aclInfo
for _, a := range rData.acls { for _, a := range rData.acls {
if a.name == acl { if a.name == acl {
aInfo = a aInfo = a
break break
} }
} }
if aInfo == nil { if aInfo == nil {
showErr("Unknown ACL: %s", acl) diag.Err("Unknown ACL: %s", acl)
return 1 return 1
} }
// Remember number of original rules. // Remember number of original rules.
sz := len(aInfo.rules) sz := len(aInfo.rules)
// Add packets as rules. // Add packets as rules.
addPackets(aInfo, packets) addPackets(aInfo, packets)
// Set relation between original and added rules. // Set relation between original and added rules.
setupPrtRelation(aInfo.prt2obj) setupPrtRelation(aInfo.prt2obj)
setupIPNetRelation(aInfo.ipNet2obj) setupIPNetRelation(aInfo.ipNet2obj)
// Remember original rules because aInfo gets changed, // Remember original rules because aInfo gets changed,
skipping to change at line 230 skipping to change at line 231
} }
return getIPNet(s, ipNet2obj) return getIPNet(s, ipNet2obj)
} }
src := ipObj(p.src) src := ipObj(p.src)
dst := ipObj(p.dst) dst := ipObj(p.dst)
prt := getPrtObj(p.prt, prt2obj) prt := getPrtObj(p.prt, prt2obj)
rules.push(&ciscoRule{src: src, dst: dst, prt: prt}) rules.push(&ciscoRule{src: src, dst: dst, prt: prt})
} }
a.rules = rules a.rules = rules
} }
func showErr(format string, args ...interface{}) {
fmt.Fprintf(os.Stderr, "Error: "+format+"\n", args...)
}
func showWarn(format string, args ...interface{}) {
fmt.Fprintf(os.Stderr, "Warning: "+format+"\n", args...)
}
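Review bot: The diag.Warn calls that replace showWarn (lines 76, 98, 104, 118, 126) still format the caller-supplied packet text with `%s`, although that text comes straight from the command line or from the file named by `--file`; an empty field, stray whitespace or a control character is invisible in the warning and makes a rejected packet hard to trace back to its input. Switching those five calls to `%q`, e.g. `diag.Warn("Ignored packet, must have exactly 4 words: %q", line)`, keeps the message unambiguous without changing which packets are accepted. The same applies to the `Can't find file %s` case in diag.Err at line 57, where the path is also user input. Whether diag.Err and diag.Warn keep the "Error: "/"Warning: " prefixes of the removed helpers is not visible here; the change is silent on that, so it may be worth confirming that any caller parsing stderr still recognises the output.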
 End of changes. 11 change blocks. 
9 lines changed or deleted 10 lines changed or added
