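# -*- cperl -*-
# Manual check harness for Cisco::AccessList::Parser.
#
# Feeds one canned ACL / object-group snippet to the parser, dumps the
# structures it returns, prints how many entries were produced and then
# runs the lexer check over the same text.
#
# Usage: perl check2.pl [NAME]
#   NAME picks one of the canned inputs from %test_data_for below and
#   defaults to 'objgrp1', which is the input the script used before the
#   selector existed, so running it with no argument is unchanged.
use lib qw(.);    # the parser module is resolved from the current directory: run this from the checkout
use strict;
use warnings;
use Parse::Eyapp;    # no names from it are used here; presumably required by the parser module
use Data::Dumper;
use Cisco::AccessList::Parser;
#sub TERMINAL::info { $_[0]{attr} }

# Named extended ACL: remarks, port names/numbers, a reflexive 'evaluate'
# and a trailing deny-all.
my $input = << "EOACL";
ip access-list extended FA0-IN
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny tcp any any eq 135 log
deny udp any any eq 135 log
deny tcp any any range 137 139 log
deny udp any any range netbios-ns netbios-ss log
deny tcp any any eq 445 log
deny udp any any eq 445 log
deny tcp any any eq 6000 log
deny tcp any any eq 1433 log
remark vpn
permit udp any eq domain 122.219.206.8 0.0.0.7
remark vpn
permit esp any any
permit tcp any any eq 50
permit tcp any any eq 51
permit udp any any eq isakmp
permit udp any any eq 1701
remark ntp
permit udp host 210.188.224.14 eq ntp any
permit udp host 61.122.112.135 eq ntp any
remark 6to4
permit ip 192.88.99.0 0.0.0.255 any
permit 41 any any
remark permit USEN DHCP
permit udp any eq bootps any eq bootpc
remark home web server
permit tcp any any eq 8000
remark share
permit tcp any any eq 25010
remark permit any from inside to outside
evaluate iptraffic
permit tcp any any established
permit icmp any any
deny ip any any log
EOACL

# Several numbered standard ACLs in one block.
my $multiple_std_acl = << 'EOACL';
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny any log
access-list 9 permit 192.168.0.0 0.0.255.255
access-list 10 deny any log
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 99 deny any log
EOACL

# Several numbered extended ACLs in one block.
my $multiple_ext_acl = << 'EOACL';
access-list 100 remark DNS Exempt
access-list 100 deny udp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 deny tcp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 remark NTP
access-list 100 permit tcp any host 210.197.74.200
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 remark 6to4
access-list 100 permit 41 any host 192.88.99.1
access-list 100 permit ip any host 192.88.99.1
access-list 100 remark others
access-list 100 permit tcp any eq 0 any eq 0
access-list 100 permit udp any eq 0 any eq 0
access-list 100 deny ip any any log
access-list 110 remark SPLIT_VPN
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any any log
EOACL

# Standard and extended numbered ACLs mixed.  The 'access-lst 110 permit hoge'
# line is malformed (misspelled keyword); presumably kept on purpose to
# exercise the parser's error path -- do not "fix" it.
my $multiple_std_ext_acl_mix = << 'EOACL';
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny any log
access-list 9 permit 192.168.0.0 0.0.255.255
access-list 10 deny any log
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 99 deny any log
access-list 100 remark DNS Exempt
access-list 100 deny udp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 deny tcp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 remark NTP
access-list 100 permit tcp any host 210.197.74.200
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 remark 6to4
access-list 100 permit 41 any host 192.88.99.1
access-list 100 permit ip any host 192.88.99.1
access-list 100 remark others
access-list 100 permit tcp any eq 0 any eq 0
access-list 100 permit udp any eq 0 any eq 0
access-list 100 deny ip any any log
access-list 110 remark SPLIT_VPN
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-lst 110 permit hoge
access-list 110 deny ip any any log
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any any log
EOACL

# Two named standard ACLs separated by '!' lines.
my $multiple_named_std_acl = << 'EOACL';
ip access-list standard remote-ipv4
permit 192.168.0.0 0.0.255.255
remark deny all
deny any log
!
ip access-list standard test-acl
permit 192.168.0.0 0.0.255.255
permit 192.168.2.0 0.0.255.255
permit host 192.168.4.5
deny any log
!
EOACL

# Two named extended ACLs, one with a 'reflect ... timeout' entry.
my $multiple_named_ext_acl = << 'EOACL';
!
ip access-list extended FA0-IN
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny tcp any any eq 135 log
!
ip access-list extended FA0-OUT
deny ip any 10.0.0.0 0.255.255.255 log
permit icmp any any
permit ip any any reflect iptraffic timeout 300
deny ip any any log
!
EOACL

# The same two named ACLs repeated, so FA0-IN and FA0-OUT each occur twice.
my $multiple_named_ext_std_acl_mix = << 'EOACL';
ip access-list extended FA0-IN
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny tcp any any eq 135 log
!
ip access-list extended FA0-OUT
deny ip any 10.0.0.0 0.255.255.255 log
permit icmp any any
permit ip any any reflect iptraffic timeout 300
deny ip any any log
!
ip access-list extended FA0-IN
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny tcp any any eq 135 log
!
ip access-list extended FA0-OUT
deny ip any 10.0.0.0 0.255.255.255 log
permit icmp any any
permit ip any any reflect iptraffic timeout 300
deny ip any any log
!
EOACL

# One named standard ACL followed by two named extended ACLs.
my $input2 = << 'EOACL';
ip access-list standard remote-ipv4
permit 192.168.0.0 0.0.255.255
deny any log
!
ip access-list extended FA0-IN
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny tcp any any eq 135 log
!
ip access-list extended FA0-OUT
deny ip any 10.0.0.0 0.255.255.255 log
permit icmp any any
permit ip any any reflect iptraffic timeout 300
deny ip any any log
!
EOACL

# Numbered standard ACL 1 followed by numbered extended ACLs 100 and 110.
my $input3 = << 'EOACL';
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny any log
access-list 100 remark DNS Exempt
access-list 100 deny udp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 deny tcp 122.219.206.8 0.0.0.7 any eq domain
access-list 100 remark NTP
access-list 100 permit tcp any host 210.197.74.200
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 remark 6to4
access-list 100 permit 41 any host 192.88.99.1
access-list 100 permit ip any host 192.88.99.1
access-list 100 remark others
access-list 100 permit tcp any eq 0 any eq 0
access-list 100 permit udp any eq 0 any eq 0
access-list 100 deny ip any any log
access-list 110 remark SPLIT_VPN
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
EOACL

# Numbered extended ACLs given out of numeric order (130, 120, 100).
my $input5 = << 'EOACL';
access-list 130 deny ip any any log
access-list 130 remark SPLIT_VPN
access-list 130 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 remark SPLIT_VPN
access-list 120 permit udp any eq 0 any eq 0
access-list 100 permit udp any eq 0 any eq 0
access-list 100 deny ip any any log
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
EOACL

# Named standard ACL whose entries carry explicit sequence numbers.
my $input6 = << 'EOACL';
ip access-list standard remote-ipv4
10 deny host 192.168.0.33 log
20 permit 192.168.0.0 0.0.255.255
30 deny any log
EOACL

# Named extended ACL using the 'ipinip' protocol keyword.
my $input7 = << "EOACL";
ip access-list extended FA0-IN
deny tcp any any eq 1433 log
remark ip vpn
permit udp any eq domain 122.219.206.8 0.0.0.7
deny ipinip any any log
deny ip any any log
EOACL

# Named standard ACL whose last line has two address tokens ('deny any any');
# presumably a malformed-entry case, unlike $input9 which is the well-formed twin.
my $input8 = << "EOACL";
ip access-list standard remote-ipv4
deny host 192.168.0.33 log
permit 192.168.0.0 0.0.255.255
deny any any log
EOACL

# Well-formed counterpart of $input8.
my $input9 = << "EOACL";
ip access-list standard remote-ipv4
deny host 192.168.0.33 log
permit 192.168.0.0 0.0.255.255
deny any log
EOACL

# A network object-group and a service object-group, each with a
# description and a nested group-object reference.
my $objgrp1 = << "EOACL";
object-group network SMTP_Server
description ISP SMTP server
host 192.168.0.2
192.168.1.0 /24
192.168.2.0 0.0.0.128
group-object other_network
host 172.16.2.3
range 192.168.3.2 192.168.3.200
!
object-group service Web_Service
description web service
icmp echo
tcp smtp
tcp telnet
tcp source range 1 65535
udp domain
tcp-udp range 2000 2005
group-object other-list
EOACL

# Every canned input by name, so one can be chosen from the command line
# instead of editing the assignment to $test_data.
my %test_data_for = (
    input                          => $input,
    multiple_std_acl               => $multiple_std_acl,
    multiple_ext_acl               => $multiple_ext_acl,
    multiple_std_ext_acl_mix       => $multiple_std_ext_acl_mix,
    multiple_named_std_acl         => $multiple_named_std_acl,
    multiple_named_ext_acl         => $multiple_named_ext_acl,
    multiple_named_ext_std_acl_mix => $multiple_named_ext_std_acl_mix,
    input2                         => $input2,
    input3                         => $input3,
    input5                         => $input5,
    input6                         => $input6,
    input7                         => $input7,
    input8                         => $input8,
    input9                         => $input9,
    objgrp1                        => $objgrp1,
);

# The name comes from the command line and is only ever used as a hash
# key; anything that is not a known key is rejected with the list of
# valid names, so no caller-supplied text reaches the parser unchecked.
my $selected = @ARGV ? $ARGV[0] : 'objgrp1';    # default keeps the original behaviour
if ( !exists $test_data_for{$selected} ) {
    die "unknown input '$selected'; choose one of: ",
        join( ', ', sort keys %test_data_for ), "\n";
}
my $test_data = $test_data_for{$selected};

my $aclparser = Cisco::AccessList::Parser->new();
my $debug = 0x1F;    # debug bit mask passed to parse(); NOTE(review): bit meanings live in the parser module -- confirm there
my ( $acl, $objgrp )
    = $aclparser->parse( 'input' => $test_data, 'debug' => $debug );
print Dumper $acl, $objgrp;

# keys() in the numeric '+' is in scalar context, so this is the number of
# ACLs plus object groups parsed.  The defined-guards keep the summary line
# printable when the parser returns undef for one of the two (the original
# expression died on an undef hash reference under strict refs).
my $count = ( defined $acl    ? scalar keys %$acl    : 0 )
          + ( defined $objgrp ? scalar keys %$objgrp : 0 );
print "RESULT: ", $count, "\n";
print "==================\n";
$aclparser->lex_check( 'input' => $test_data );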