Add characterization tests.

Integration-level tests to ensure that aclgen.py works as expected.

.gitignore

@@ -7,3 +7,4 @@ build/
 # Generated files
 filters/sample_*
 def/AUTOGEN.net
+tests/characterization_data/filters_actual

aclgen.py

@@ -434,7 +434,11 @@ def WriteFiles(write_files):
     output.flush()
 
 
-def main(_):
+def main(args):
+  if FLAGS.IsParsed():
+    FLAGS.Reset()  # Clear global state.
+  FLAGS(args)
+
   logging.debug('binary: %s\noptimize: %d\base_directory: %s\n'
                 'policy_file: %s\nrendered_acl_directory: %s',
                 str(sys.argv[0]),
@@ -495,4 +499,6 @@ def main(_):
     logging.info('done.')
 
 if __name__ == '__main__':
-  main(FLAGS(sys.argv))
+  # Start main program.
+  # Pass in command-line args.
+  main(sys.argv)

policies/pol/sample_multitarget.pol

@@ -17,7 +17,7 @@ header {
   target:: ciscoxr edge-inbound
 }
 
-#include 'policies/includes/untrusted-networks-blocking.inc'
+#include 'includes/untrusted-networks-blocking.inc'
 
 term permit-mail-services {
   destination-address:: MAIL_SERVERS

tests/characterization_data/README.md

@@ -0,0 +1,12 @@
+These folders contain data for characterization tests; i.e., tests
+that describe the actual behaviour of the current code.
+
+Folders:
+
+* `filters_expected`: filters that are expected to be generated given
+  the `def` and `policies` folders.
+* `filters_actual`: the filters actually generated, which are compared
+  with the `filters_expected` folder.  This folder is not committed to
+  version control.  It is deleted on every test run.  The files are
+  generated to this folder, rather than a temporary folder, to let you
+  inspect the output between runs and correct any errors.

tests/characterization_data/def/NETWORK.net

@@ -0,0 +1,90 @@
+#
+# Sample naming defintions for network objects
+#
+RFC1918 = 10.0.0.0/8      # non-public
+          172.16.0.0/12   # non-public
+          192.168.0.0/16  # non-public
+
+INTERNAL = RFC1918
+
+LOOPBACK = 127.0.0.0/8  # loopback
+           ::1/128       # ipv6 loopback
+
+RFC_3330 = 169.254.0.0/16  # special use IPv4 addresses - netdeploy
+
+RFC_6598 = 100.64.0.0/10   # Shared Address Space
+
+LINKLOCAL = FE80::/10  # IPv6 link-local
+
+SITELOCAL = FEC0::/10    # Ipv6 Site-local
+
+MULTICAST = 224.0.0.0/4  # IP multicast
+            FF00::/8     # IPv6 multicast
+
+CLASS-E   = 240.0.0.0/4
+
+RESERVED = 0.0.0.0/8           # reserved
+           RFC1918
+           LOOPBACK
+           RFC_3330
+           RFC_6598
+           MULTICAST
+           CLASS-E
+           0000::/8            # reserved by IETF
+           0100::/8            # reserved by IETF
+           0200::/7            # reserved by IETF
+           0400::/6            # reserved by IETF
+           0800::/5            # reserved by IETF
+           1000::/4            # reserved by IETF
+           4000::/3            # reserved by IETF
+           6000::/3            # reserved by IETF
+           8000::/3            # reserved by IETF
+           A000::/3            # reserved by IETF
+           C000::/3            # reserved by IETF
+           E000::/4            # reserved by IETF
+           F000::/5            # reserved by IETF
+           F800::/6            # reserved by IETF
+           FC00::/7            # unique local unicast
+           FE00::/9            # reserved by IETF
+           LINKLOCAL           # link local unicast
+           SITELOCAL           # IPv6 site-local
+
+ANY = 0.0.0.0/0
+
+# https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
+# 22-Apr-2011
+BOGON = 0.0.0.0/8
+        192.0.0.0/24
+        192.0.2.0/24
+        198.18.0.0/15
+        198.51.100.0/24
+        203.0.113.0/24
+        MULTICAST
+        CLASS-E
+        3FFE::/16      # 6bone
+        5F00::/8       # 6bone
+        2001:DB8::/32  # IPv6 documentation prefix
+
+GOOGLE_PUBLIC_DNS_ANYCAST = 8.8.4.4/32               # IPv4 Anycast
+                            8.8.8.8/32               # IPv4 Anycast
+                            2001:4860:4860::8844/128 # IPv6 Anycast
+                            2001:4860:4860::8888/128 # IPv6 Anycast
+GOOGLE_DNS = GOOGLE_PUBLIC_DNS_ANYCAST
+
+
+# The following are sample entires intended for us in the included
+# sample policy file.  These should be removed.
+
+WEB_SERVERS = 200.1.1.1/32  # Example web server 1
+              200.1.1.2/32  # Example web server 2
+
+MAIL_SERVERS = 200.1.1.4/32 # Example mail server 1
+               200.1.1.5/32 # Example mail server 2
+
+PUBLIC_NAT = 200.1.1.3/32   # Example company NAT address
+
+NTP_SERVERS = 10.0.0.1/32   # Example NTP server
+              10.0.0.2/32   # Example NTP server
+
+TACACS_SERVERS = 10.1.0.1/32  # Example tacacs server
+                 10.1.0.2/32  # Example tacacs server

tests/characterization_data/def/SERVICES.svc

@@ -0,0 +1,63 @@
+#
+# Sample naming service definitions
+#
+WHOIS = 43/udp
+SSH = 22/tcp
+TELNET = 23/tcp
+SMTP = 25/tcp
+MAIL_SERVICES = SMTP
+                ESMTP
+                SMTP_SSL
+                POP_SSL
+TIME = 37/tcp 37/udp
+TACACS = 49/tcp
+DNS = 53/tcp 53/udp
+BOOTPS = 67/udp   # BOOTP server
+BOOTPC = 68/udp   # BOOTP client
+DHCP = BOOTPS
+       BOOTPC
+TFTP = 69/tcp 69/udp
+HTTP = 80/tcp
+WEB_SERVICES = HTTP HTTPS
+POP3 = 110/tcp
+RPC = 111/udp
+IDENT = 113/tcp 113/udp
+NNTP = 119/tcp
+NTP = 123/tcp 123/udp
+MS_RPC_EPMAP = 135/udp 135/tcp
+MS_137 = 137/udp
+MS_138 = 138/udp
+MS_139 = 139/tcp
+IMAP = 143/tcp
+SNMP = 161/udp
+SNMP_TRAP = 162/udp
+BGP = 179/tcp
+IMAP3 = 220/tcp
+LDAP = 389/tcp
+LDAP_SERVICE = LDAP
+               LDAPS
+HTTPS = 443/tcp
+MS_445 = 445/tcp
+SMTP_SSL = 465/tcp
+IKE = 500/udp
+SYSLOG = 514/udp
+RTSP = 554/tcp
+ESMTP = 587/tcp
+LDAPS = 636/tcp
+IMAPS = 993/tcp
+POP_SSL = 995/tcp
+HIGH_PORTS = 1024-65535/tcp 1024-65535/udp
+MSSQL = 1433/tcp
+MSSQL_MONITOR = 1434/tcp
+RADIUS = 1812/tcp 1812/udp
+HSRP = 1985/udp
+NFSD = 2049/tcp 2049/udp
+NETFLOW = 2056/udp
+SQUID_PROXY = 3128/tcp
+MYSQL = 3306/tcp
+RDP = 3389/tcp
+IPSEC = 4500/udp
+POSTGRESQL = 5432/tcp
+TRACEROUTE = 33434-33534/udp
+
+

tests/characterization_data/filters_expected/sample_cisco_lab.acl

@@ -0,0 +1,51 @@
+! $Id:$
+! $Date:$
+! $Revision:$
+no ip access-list extended allowtointernet
+ip access-list extended allowtointernet
+remark $Id:$
+remark Denies all traffic to internal IPs except established tcp replies.
+remark Also denies access to certain public allocations.
+remark Ideal for some internal lab/testing types of subnets that are
+remark not well trusted, but allowing internal users to access.
+remark Apply to ingress interface (to filter traffic coming from lab)
+
+
+remark accept-dhcp
+remark Optional - allow forwarding of DHCP requests.
+ permit 17 any any eq 67
+ permit 17 any any eq 68
+
+
+remark accept-to-honestdns
+remark Allow name resolution using honestdns.
+ permit 17 any host 8.8.4.4 eq 53
+ permit 17 any host 8.8.8.8 eq 53
+
+
+remark accept-tcp-replies
+remark Allow tcp replies to internal hosts.
+ permit 6 any 10.0.0.0 0.255.255.255 established
+ permit 6 any 172.16.0.0 0.15.255.255 established
+ permit 6 any 192.168.0.0 0.0.255.255 established
+
+
+remark deny-to-internal
+remark Deny access to rfc1918/internal.
+ deny ip any 10.0.0.0 0.255.255.255
+ deny ip any 172.16.0.0 0.15.255.255
+ deny ip any 192.168.0.0 0.0.255.255
+
+
+remark deny-to-specific_hosts
+remark Deny access to specified public.
+ deny ip any host 200.1.1.1
+ deny ip any host 200.1.1.2
+ deny ip any 200.1.1.4 0.0.0.1
+
+
+remark default-permit
+remark Allow what's left.
+ permit ip any any
+
+exit

tests/characterization_data/filters_expected/sample_gce.gce

@@ -0,0 +1,84 @@
+# $Id:$
+# $Date:$
+# $Revision:$
+[
+  {
+    "allowed": [
+      {
+        "IPProtocol": "tcp",
+        "ports": [
+          "22"
+        ]
+      }
+    ],
+    "description": "Allow SSH access to all instances from company.",
+    "name": "default-test-ssh",
+    "network": "global/networks/default",
+    "sourceRanges": [
+      "200.1.1.3/32"
+    ]
+  },
+  {
+    "allowed": [
+      {
+        "IPProtocol": "tcp",
+        "ports": [
+          "80"
+        ]
+      }
+    ],
+    "description": "Allow HTTP/S to instances with webserver tag.",
+    "name": "default-test-web",
+    "network": "global/networks/default",
+    "sourceRanges": [
+      "0.0.0.0/0"
+    ],
+    "targetTags": [
+      "webserver"
+    ]
+  },
+  {
+    "allowed": [
+      {
+        "IPProtocol": "icmp"
+      }
+    ],
+    "description": "Allow ICMP from company.",
+    "name": "default-test-icmp",
+    "network": "global/networks/default",
+    "sourceRanges": [
+      "200.1.1.3/32"
+    ]
+  },
+  {
+    "allowed": [
+      {
+        "IPProtocol": "tcp"
+      }
+    ],
+    "description": "Allow all GCE network internal traffic.",
+    "name": "default-test-internal-tcp",
+    "network": "global/networks/default",
+    "sourceRanges": [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16"
+    ]
+  },
+  {
+    "allowed": [
+      {
+        "IPProtocol": "udp"
+      }
+    ],
+    "description": "Allow all GCE network internal traffic.",
+    "name": "default-test-internal-udp",
+    "network": "global/networks/default",
+    "sourceRanges": [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16"
+    ]
+  }
+]
+

tests/characterization_data/filters_expected/sample_ipset.ips

@@ -0,0 +1,33 @@
+# begin:ipset-rules
+create deny-to-reserved-dst hash:net family inet hashsize 16 maxelem 16
+add deny-to-reserved-dst 0.0.0.0/8
+add deny-to-reserved-dst 10.0.0.0/8
+add deny-to-reserved-dst 100.64.0.0/10
+add deny-to-reserved-dst 127.0.0.0/8
+add deny-to-reserved-dst 169.254.0.0/16
+add deny-to-reserved-dst 172.16.0.0/12
+add deny-to-reserved-dst 192.168.0.0/16
+add deny-to-reserved-dst 224.0.0.0/4
+add deny-to-reserved-dst 240.0.0.0/4
+create deny-to-bogons-dst hash:net family inet hashsize 16 maxelem 16
+add deny-to-bogons-dst 0.0.0.0/8
+add deny-to-bogons-dst 10.0.0.0/8
+add deny-to-bogons-dst 100.64.0.0/10
+add deny-to-bogons-dst 127.0.0.0/8
+add deny-to-bogons-dst 169.254.0.0/16
+add deny-to-bogons-dst 172.16.0.0/12
+add deny-to-bogons-dst 192.168.0.0/16
+add deny-to-bogons-dst 224.0.0.0/3
+create allow-web-to-mail-src hash:net family inet hashsize 4 maxelem 4
+add allow-web-to-mail-src 200.1.1.1/32
+add allow-web-to-mail-src 200.1.1.2/32
+# end:ipset-rules
+# Ipset OUTPUT Policy
+# $Id:$
+# $Date:$
+# $Revision:$
+# inet
+-P OUTPUT DROP
+-A OUTPUT -p all -m set --match-set deny-to-reserved-dst dst -j DROP
+-A OUTPUT -p all -m set --match-set deny-to-bogons-dst dst -j DROP
+-A OUTPUT -p all -m set --match-set allow-web-to-mail-src src -d 200.1.1.4/31 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT