#!/usr/bin/perl
use strict;
use Test::More;
use Test::Differences;
use lib 't';
use Test_Netspoc;
############################################################
my $title = "Optimize subnet at secondary packet filter";
############################################################

# Topology under test: network:sub (10.1.7.32/27) is declared subnet_of
# network:customer (10.1.7.0/24).  Traffic towards network:server crosses
# router:gw (managed = secondary, IOS_FW) and then router:b1 (managed,
# Linux).  policy:p1 permits sub -> host:s10 and policy:p2 permits
# customer -> host:s11.
#
# NOTE(review): both policies reference service:Echo while only
# protocol:Echo is defined, and p1 uses `prt =` where p2 uses `srv =`.
# Confirm that the Netspoc version under test accepts this input as
# written; otherwise the test would fail for a reason unrelated to the
# optimization it is meant to check.
my $in = <<'END';
network:sub = { ip = 10.1.7.32/27; subnet_of = network:customer; }
router:r = { interface:sub; interface:customer = { ip = 10.1.7.30; } }
network:customer = { ip = 10.1.7.0/24; }
router:gw = {
managed = secondary;
model = IOS_FW;
interface:customer = { ip = 10.1.7.1; hardware = outside;}
interface:trans = { ip = 10.1.3.1; hardware = inside;}
}
network:trans = { ip = 10.1.3.0/24; }
router:b1 = {
managed;
model = Linux;
interface:trans = {
ip = 10.1.3.3;
hardware = eth0;
}
interface:server = {
ip = 10.1.2.1;
hardware = eth1;
}
}
network:server = {
ip = 10.1.2.0/24;
host:s10 = { ip = 10.1.2.10; }
host:s11 = { ip = 10.1.2.11; }
}
protocol:Echo = icmp 8;
policy:p1 = {
user = network:sub;
permit src = user; dst = host:s10; prt = service:Echo;
}
policy:p2 = {
user = network:customer;
permit src = user; dst = host:s11; srv = service:Echo;
}
END

# Expected outside_in ACL on router:gw: one network-to-network rule, with
# no separate entry for network:sub (it lies inside network:customer).
# The rule is `permit ip`, which is broader than the ICMP echo the
# policies grant.  Presumably the secondary filter leaves exact filtering
# to the fully managed router:b1 on the same path -- confirm before
# treating this expectation as the intended exposure.
my $out1 = <<'END';
! [ ACL ]
ip access-list extended outside_in
permit ip 10.1.7.0 0.0.0.255 10.1.2.0 0.0.0.255
deny ip any any
END

# The first line of the expected text is handed to get_block(),
# presumably as the marker of the block to extract from compile()'s output.
my ($head1) = split /\n/, $out1;

# Known gap, recorded as an expected failure.  While the check sits in a
# TODO block the harness does not count a mismatch as a failure, so this
# comparison does not yet guard the generated ACL against regressions.
TODO: {
    local $TODO = 'recognize subnet during local_optimization';
    eq_or_diff(get_block(compile($in), $head1), $out1, $title);
}
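############################################################
# The title names what this case changes: router:gw is fully managed
# here (not secondary) and protocol:Echo carries the dst_net flag.
$title = 'Optimize subnet for protocol with flag dst_net';
############################################################

# Derive the input from the previous topology with two edits.  Each
# substitution must match: a silent no-op would leave the secondary-filter
# topology in place and the comparison below would then exercise the
# wrong configuration.
$in =~ s/managed = secondary/managed/ms
    or die "test setup: 'managed = secondary' not found in input\n";
$in =~ s/(protocol:Echo = icmp 8)/$1, dst_net/
    or die "test setup: 'protocol:Echo = icmp 8' not found in input\n";

# Expected outside_in ACL on router:gw: a single ICMP type 8 rule from
# the whole customer network to the whole server network.  Both sides are
# wider than the individual policies: the rule for network:sub is covered
# by the one for network:customer, and the destination hosts s10/s11
# appear as 10.1.2.0/24 (presumably the effect of dst_net -- confirm).
# The widening is therefore the behaviour being asserted, not a side effect.
my $out2 = <<'END';
! [ ACL ]
ip access-list extended outside_in
permit icmp 10.1.7.0 0.0.0.255 10.1.2.0 0.0.0.255 8
deny ip any any
END

# The first line of the expected text is handed to get_block(),
# presumably as the marker of the block to extract from compile()'s output.
my ($head2) = split /\n/, $out2;
eq_or_diff(get_block(compile($in), $head2), $out2, $title);
############################################################
done_testing;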