PAN: extract security rule categories (#8111)
Showing
11 changed files
with
245 additions
and
4 deletions.
@@ -88,8 +88,7 @@ srs_application | |
|
||
srs_category | ||
: | ||
CATEGORY | ||
null_rest_of_line | ||
CATEGORY variable_list | ||
; | ||
|
||
srs_description | ||
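--- /dev/null
+++ b/batfish/src/main/java/org/batfish/representation/palo_alto/CustomUrlCategoryReference.java
@@ -0,0 +1,41 @@
+package org.batfish.representation.palo_alto;
+
+import javax.annotation.Nonnull;
+
+/** Represents a reference to a custom-url-category. */
+public final class CustomUrlCategoryReference implements Reference {
+
+  @Override
+  public <T, U> T accept(ReferenceVisitor<T, U> visitor, U arg) {
+    return visitor.visitCustomUrlCategoryReference(this, arg);
+  }
+
+  public CustomUrlCategoryReference(String name) {
+    _name = name;
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (this == o) {
+      return true;
+    }
+    if (!(o instanceof CustomUrlCategoryReference)) {
+      return false;
+    }
+    return _name.equals(((CustomUrlCategoryReference) o).getName());
+  }
+
+  @Override
+  public int hashCode() {
+    return _name.hashCode();
+  }
+
+  /** Return the name of the referenced Category */
+  @Override
+  @Nonnull
+  public String getName() {
+    return _name;
+  }
+
+  @Nonnull private final String _name;
+}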
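Review bot: The constructor `CustomUrlCategoryReference(String name)` stores `name` into a field declared `@Nonnull` without checking it, so a null category name (e.g. from a grammar path that yields no token) is only caught later when `equals` or `hashCode` dereference `_name`, far from the parser that produced it. Validating at construction keeps the annotation honest: `_name = Objects.requireNonNull(name, "name");` with `import java.util.Objects;` added to the imports. The constructor also lacks a Javadoc line; `/** Creates a reference to the custom-url-category called {@code name}. */` would match the style of the other members. A `toString()` returning the name would help when this object shows up in test failure messages, but that is optional.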
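--- /dev/null
+++ b/batfish/src/test/resources/org/batfish/grammar/palo_alto/testconfigs/rulebase-extraction
@@ -0,0 +1,48 @@
+set deviceconfig system hostname rulebase
+set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/24
+set network interface ethernet ethernet1/2 layer3 ip 1.1.2.1/24
+set network interface ethernet ethernet1/3 layer3 ip 1.1.3.1/24
+set zone z1 network layer3 ethernet1/1
+set zone z2 network layer3 ethernet1/2
+set zone z3 network layer3 ethernet1/2
+
+set address ADDR1 ip-netmask 10.1.1.1/24
+set address ADDR2 ip-netmask 10.2.1.1/24
+set address ADDR3 ip-netmask 10.2.1.1/24
+
+set service SERVICE1 protocol tcp port 999
+set service SERVICE2 protocol tcp port 9999
+
+set profiles custom-url-category CAT1 list github.com
+set profiles custom-url-category CAT2 list example.com
+
+# All supported fields populated
+set rulebase security rules RULE1 from [ z1 z2 ]
+set rulebase security rules RULE1 to [ z1 z3 ]
+set rulebase security rules RULE1 source [ ADDR1 ADDR2]
+set rulebase security rules RULE1 negate-source yes
+set rulebase security rules RULE1 destination [ ADDR1 ADDR3 ]
+set rulebase security rules RULE1 negate-destination yes
+set rulebase security rules RULE1 service [ SERVICE1 SERVICE2 ]
+set rulebase security rules RULE1 category [ CAT1 CAT2 ]
+set rulebase security rules RULE1 application [ ssh ssl ]
+set rulebase security rules RULE1 action deny
+set rulebase security rules RULE1 description descr
+# No-op's - these items already exist
+set rulebase security rules RULE1 from z2
+set rulebase security rules RULE1 to z3
+# TODO uncomment these when they are also no-op's
+#set rulebase security rules RULE1 source ADDR2
+#set rulebase security rules RULE1 destination ADDR3
+set rulebase security rules RULE1 service SERVICE2
+set rulebase security rules RULE1 category CAT2
+set rulebase security rules RULE1 application ssl
+
+# Only required fields are populated
+set rulebase security rules RULE2 from any
+set rulebase security rules RULE2 to any
+set rulebase security rules RULE2 source any
+set rulebase security rules RULE2 destination any
+set rulebase security rules RULE2 service any
+set rulebase security rules RULE2 application any
+set rulebase security rules RULE2 action allow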
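Review bot: The zone definitions on lines 5-7 attach ethernet1/2 to both z2 and z3, while ethernet1/3, configured on line 4, is never placed in any zone; this looks like a copy-paste slip for `set zone z3 network layer3 ethernet1/3`. If the extraction test only asserts the from/to zone names on RULE1 the duplication is harmless today, but a later test that resolves zones to interfaces (or checks that every interface belongs to a zone) would inherit an ambiguous fixture. The same pattern appears with ADDR2 and ADDR3 sharing 10.2.1.1/24; if that is deliberate, a short comment such as `# ADDR3 duplicates ADDR2 on purpose: distinct names, same prefix` would save the next reader from wondering.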