

Build results of fac8a0a (on master)
hknutzen committed Jan 25, 2017
1 parent 464b2ea commit face9b9
Showing 38 changed files with 3,364 additions and 1,511 deletions.
20 changes: 20 additions & 0 deletions Changes
@@ -1,3 +1,23 @@
5.019 2017-01-25 16:03:48+01:00 Europe/Berlin

- Fixed NAT at crypto router for topology where internet and internal
network are connected by some firewall.
- Fixed check for transient aggregate rules with leave zone.
Ignore routers with only one interface, occuring from split crypto
routers, when finding leave zone.
- If network with ID hosts is used in source of rule, the ACL at
authenticating router now checks for IP addresses of individual ID
hosts instead of IP of whole network.
- Abort now, if multiple static routes to one network would be
generated. Previously, a warning was given and only one of
multiple routes had been printed.
- Fixed static route pointing to network behind chain of bridges.
- Only one crypto spoke is allowed per device now.
- Better checks for missing aggregate rules.
- Improved performance of 'rename-netspoc' if many substitutions are
applied at once.
- Added script to convert text export of Barracuda rules to Netspoc rules.

5.018 2016-12-05 12:37:08+01:00 Europe/Berlin

- Added new attribute 'disable_at = yyyy-mm-dd' at service.
1 change: 1 addition & 0 deletions MANIFEST
Expand Up @@ -51,6 +51,7 @@ lib/Netspoc/Compiler/Pass1.pm
lib/Netspoc/Compiler/Pass2.pm
misc/anonymize
misc/conv_owner.pl
misc/convert_barracuda.pl
misc/perltidyrc
old-doc/CSPM.pod
old-doc/ChangeLog
2 changes: 1 addition & 1 deletion META.yml
Expand Up @@ -37,5 +37,5 @@ requires:
open: '0'
strict: '0'
warnings: '0'
version: '5.018'
version: '5.019'
x_serialization_backend: 'YAML::Tiny version 1.69'
2 changes: 1 addition & 1 deletion Makefile.PL
Expand Up @@ -55,7 +55,7 @@ my %WriteMakefileArgs = (
"Test::More" => 0,
"lib" => 0
},
"VERSION" => "5.018",
"VERSION" => "5.019",
"test" => {
"TESTS" => "t/*.t"
}
4 changes: 2 additions & 2 deletions README
@@ -1,11 +1,11 @@


This archive contains the distribution Netspoc,
version 5.018:
version 5.019:

Generates rules for many firewalls from a central ruleset.

This software is Copyright (c) 2016 by Heinz Knutzen.
This software is Copyright (c) 2017 by Heinz Knutzen.

This is free software, licensed under:

218 changes: 109 additions & 109 deletions bin/add-to-netspoc
Expand Up @@ -21,11 +21,11 @@ and write to standard output.
A pair is a tuple of typed names "type1:NAME1" "type2:NAME2".
Occurences of "type1:NAME1" are searched and
replaced by "type1:NAME1, type2:NAME2".
Changes are applied only in group definitions and
Changes are applied only in group definitions and
in implicit groups inside rules, i.e. after "user =", "src =", "dst = ".
Multiple PAIRS can be applied in a single run of add-to-netspoc.
The following types can be used in PAIRS:
The following types can be used in PAIRS:
B<network host interface any group>.
=head1 OPTIONS
Expand All @@ -35,7 +35,7 @@ B<network host interface any group>.
=item B<-f> file
Read PAIRS from file.
If - is specified, read from standard input.
If - is specified, read from standard input.
=item B<-q>
Expand All @@ -53,7 +53,7 @@ Prints the manual page and exits.
=head1 COPYRIGHT AND DISCLAIMER
(c) 2015 by Heinz Knutzen <heinz.knutzen@googlemail.com>
(c) 2017 by Heinz Knutzen <heinz.knutzen@googlemail.com>
http://hknutzen.github.com/Netspoc
Expand All @@ -80,30 +80,29 @@ use Getopt::Long;
use Pod::Usage;
use Encode;

our $VERSION = '5.018'; # VERSION: inserted by DZP::OurPkgVersion
our $VERSION = '5.019'; # VERSION: inserted by DZP::OurPkgVersion
my $filename_encode = 'UTF-8';

my $ignore_files = '^(raw|config|CVS|RCS|\.#.*|.*~)$';
my $quiet;

## no critic (RequireArgUnpacking)
sub debug { print STDERR @_, "\n"; return; }
sub info { print STDERR @_, "\n"; return; }

sub fatal_err {
print STDERR "Error: ", @_, "\n";
die "Aborted\n";
}
## use critic

my %valid_type =
my %valid_type =
map { $_ => 1 } qw(network host interface any group area service);

my %add_to;

sub check_name {
my ($typed_name) = @_;
my ($type, $name) = ($typed_name =~ /^(\w+):(.*)$/) or
my ($type, $name) = ($typed_name =~ /^(\w+):(.*)$/) or
fatal_err "Missing type in '$typed_name'";
$valid_type{$type} or fatal_err("Can't use type in '$typed_name'");
$name =~ /([^-\w.:\@\/\[\]])/ and
Expand All @@ -119,144 +118,145 @@ sub setup_add_to {
$add_to{$old} = $new;
return;
}

# Find occurence of typed name in list of objects:
# - group:<name> = <typed name>, ... <typed name>;
# - src =
# - dst =
# - src =
# - dst =
# but ignore typed name in definition:
# - <typed name> =
# - <typed name> =
sub process {
my ($lines) = @_;
my ($input) = @_;
my $changed = 0;
my $in_list = 0;
my $search_eq = 0;
for my $line (@$lines) {
my $copy = '';
my $line_changed = 0;
TOKEN:
while(1) {
if ($in_list) {
LIST:
while (1) {

# Find next "type:name".
if ($line =~ /\G (\s*) (\w+ : [-\w.:\@\/]+)/gcx) {
$copy .= "$1$2";
my $old = $2;
if ($line =~ /\G ( \[ (?: auto | all ) \] )/gcx) {
$old .= $1;
}
my $new = $add_to{$old} or next;
$line_changed++;

# If current line has only one entry,
# add new entry to separate line.
if ($line =~ /^ ((?:\s*[\w:]+\s*=)?\s*)
\Q$old\E
(\s* ([,;]?) \s* ([#].*)?) $/xs)
{
my $prefix = $1;
my $tail = $2;
(my $indent = $prefix) =~ s/[^\s]/ /g;
$copy = "$prefix$old,\n$indent$new$tail";
$in_list = 0 if $tail =~ /^ \s* ;/x;
last TOKEN;
}
else {
$copy .= ", $new";
}
}

elsif (
# Start of automatic group; list continues.
$line =~ /\G ( \s* \w+ : \[ )/gcx or

# Managed automatic group.
$line =~ /\G ( \s* managed \s* & )/gcx or

# IP for automatic group.
$line =~ /\G ( \s* ip \s* = \s* [0-9.\/]+ \s* & )/gcx or

# End of automatic group.
$line =~ /\G (\s* \])/gcx or

# Negation / intersection.
$line =~ /\G (\s* [&!])/gcx
)
{
$copy .= $1;
}

# Read comma.
elsif ($line =~ /\G (\s*,\s*) /gcsx) {
$copy .= $1;
}
else {
last LIST;
}
}
my $copy = '';
while(1) {

# Whitespace or comment at end of line doesn't terminate list.
if ($line =~ /\G (\s* (?:[#].*)? ) $/gcsx) {
$copy .= $1;
last TOKEN;
# Ignore comment.
if ($input =~ /\G (\s* [#] .*\n) /gcx) {
$copy .= $1;
}

elsif ($in_list) {

# Find next "type:name".
if ($input =~ /\G (\s*) (\w+ : [-\w.:\@\/]+)/gcx) {
my $space = $1;
my $object = $2;
if ($input =~ /\G ( \[ (?: auto | all ) \] )/gcx) {
$object .= $1;
}
my $new = $add_to{$object};
if (not $new) {
$copy .= "$space$object";
next;
}
$changed++;
$copy .= $space;

# Current line has only one entry, possibly preceeded
# by start of list.
# Add new entry to separate line with same indentation.
if (my ($prefix) =
$copy =~ /\n ( (?:[ \t]*[\w:]+[ \t]*=)? [ \t]* ) $/x
and
$input =~ /\G ((?:[ \t]* [,;])?) ([ \t]* (?:[#].*)?) \n/gcx)
{
my ($delim, $comment) = ($1, $2);
(my $indent = $prefix) =~ s/[^\s]/ /g;
$copy .= "$object,$comment\n$indent$new$delim\n";
}

# Everything else terminates list.
# Add new entry on same line separated by white space.
else {
$in_list = undef;
$copy .= "$object, $new";
}
}
elsif ($search_eq and $line =~ /\G (\s*=\s*) /gcsx) {

elsif (

# Start of automatic group; list continues.
$input =~ /\G ( \s* \w+ : \[ )/gcx or

# Managed automatic group.
$input =~ /\G ( \s* managed \s* & )/gcx or

# IP for automatic group.
$input =~ /\G ( \s* ip \s* = \s* [0-9.\/]+ \s* & )/gcx or

# End of automatic group.
$input =~ /\G (\s* \])/gcx or

# Negation / intersection.
$input =~ /\G (\s* [&!])/gcx
)
{
$copy .= $1;
$in_list = 1;
$search_eq = 0;
}
elsif ($line =~ /\G (.*?) (src | dst | user | group:[-\w]+) /gcx) {
$copy .= "$1$2";
$search_eq = 1;

# Read and copy comma.
elsif ($input =~ /\G (\s* , (?: [ \t]* \n)? ) /gcx) {
$copy .= $1;
}

# Ignore rest of line if nothing matches.
# Everything else terminates list.
else {
$line =~ /\G (.+) /gcsx and $copy .= $1;
last TOKEN;
$in_list = undef;
}
}
if ($line_changed) {
$line = $copy;
$changed += $line_changed;

# Find start of group.
elsif ($input =~ /\G (.*?) (src | dst | user | group:[-\w]+) /gcx) {
$copy .= "$1$2";

# Find equal sign.
if ($input =~ /\G (\s* = [ \t]*) /gcx) {
$copy .= $1;
$in_list = 1;
}
}

# Ignore rest of line if nothing matches.
elsif($input =~ /\G (.* \n) /gcx) {
$copy .= $1;
}

# Terminate if everything has been processed.
else {
last;
}
}
return $changed;
return ($changed, $copy);
}

sub process_file {
my ($path) = @_;
# debug "File $path";
my $input;

## no critic ProhibitTwoArgOpen
open(my $in, $path) or fatal_err "Can't open $path: $!";
my @input = <$in>;

# Undef input record separator to read all output at once.
{ local $/ = undef; $input = <$in>; }
close $in;
if (my $count = process(\@input) or $path eq '-') {
my ($count, $copy) = process($input);
if ($count or $path eq '-') {
info "$count changes in $path" if not $quiet;
if ($path ne '-') {
unlink($path) or fatal_err "Can't remove $path: $!\n";
}
open(my $out, ">$path") or fatal_err "Can't create $path: $!";
print $out @input;
print $out $copy;
close $out;
}
## use critic
return;
}

sub process_file_or_dir {
my ($path) = @_;
if (-d $path) {
local (*DIR);

# Strip trailing slash.
$path =~ s</$><>;
opendir DIR, $path or fatal_err "Can't opendir $path: $!";
Expand Down Expand Up @@ -296,7 +296,7 @@ sub read_pairs {
setup_pairs(@pairs);
return;
}

####################################################################
# Argument processing
####################################################################
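Review bot: In process_file the new write path is `unlink($path)` followed by an unchecked `print $out $copy;` and a bare `close $out;`, so a write that fails after the unlink (disk full, permissions changed between unlink and create) silently leaves the original file deleted and a truncated or empty replacement, while the script still reports "$count changes in $path". At that point the `$copy` string returned by process() is the only remaining copy of the file content, since the slurped `$input` is not written back. Check both calls: `print {$out} $copy or fatal_err "Can't write $path: $!";` and `close $out or fatal_err "Can't close $path: $!";` (buffered write errors only surface at close). Writing to a temporary file in the same directory and renaming it over `$path` would remove the unlink/create window entirely, but that is a larger change than this commit makes; the `close $out;` line itself appears unchanged from the old side.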
