
PolicyReader library

Vjaceslavs Klimovs edited this page Aug 4, 2015 · 1 revision

Introduction

The policy reader library lets other code examine policy source files easily. Capirca's core policy library, by contrast, reads policies only to build the objects that are handed to the output generators. For some tools we needed to examine the filters and terms of a policy programmatically: where particular tokens are used, where specific options are set, and so on.

Policy reader renders simple objects that allow us to do this. This is handy for a variety of tools, such as rendering policies in a web UI.

Overview

Import the policyreader library from the top-level Capirca directory. The interactive sessions on this page use Python 2 print statements, matching the Python version Capirca targeted when this page was written.

Load a policy and set of definitions:

>>> p = policyreader.Policy('policy_path', 'definitions_path')

Print out the policy:

>>> print p

Search for terms matching specific criteria:

>>> p.Matches(src='1.1.1.1', dport='53/udp')
[[0, 1]]

The result is a list of [filter_index, term_index] pairs, one per matching term, with zero-based indices. Here the only match is in Filter 0 at Term 1.

You can print out the name of this term with:

>>> print p.filter[0].term[1].name
accept-to-honestdns

You can also display this entire specific term using:

>>> print p.filter[0].term[1]
  Term: accept-to-honestdns
  Source-address:: 
  Destination-address:: GOOGLE_DNS
  Source-port:: 
  Destination-port:: DNS
  Protocol:: udp
  Option:: 
  Action:: accept

You can resolve the network and service tokens a term references through the definitions attached to the policy:

>>> print p.defs.GetNet('GOOGLE_DNS')
[IPv4('8.8.4.4/32'), IPv4('8.8.8.8/32'), IPv6('2001:4860:4860::8844/128'), IPv6('2001:4860:4860::8888/128')]

>>> print p.defs.GetService('DNS')
['53/tcp', '53/udp']

Example Usage

$ python
>>> from lib import policyreader
>>> p=policyreader.Policy('./policies/sample_cisco_lab.pol', './def/')
>>> print p

Filter: allowtointernet

-----------------------

  Term: accept-dhcp
  Source-address:: 
  Destination-address:: 
  Source-port:: 
  Destination-port:: DHCP
  Protocol:: udp
  Option:: 
  Action:: accept

  Term: accept-to-honestdns
  Source-address:: 
  Destination-address:: GOOGLE_DNS
  Source-port:: 
  Destination-port:: DNS
  Protocol:: udp
  Option:: 
  Action:: accept

  Term: accept-tcp-replies
  Source-address:: 
  Destination-address:: INTERNAL
  Source-port:: 
  Destination-port:: 
  Protocol:: tcp
  Option:: tcp-established
  Action:: accept

  Term: deny-to-internal
  Source-address:: 
  Destination-address:: INTERNAL
  Source-port:: 
  Destination-port:: 
  Protocol:: 
  Option:: 
  Action:: deny

  Term: deny-to-specific_hosts
  Source-address:: 
  Destination-address:: WEB_SERVERS MAIL_SERVERS
  Source-port:: 
  Destination-port:: 
  Protocol:: 
  Option:: 
  Action:: deny

  Term: default-permit
  Source-address:: 
  Destination-address:: 
  Source-port:: 
  Destination-port:: 
  Protocol:: 
  Option:: 
  Action:: accept
>>> 
>>> p.defs.GetNet('INTERNAL')
[IPv4('10.0.0.0/8'), IPv4('172.16.0.0/12'), IPv4('192.168.0.0/16')]
>>>
>>> p.defs.GetService('DNS')
['53/tcp', '53/udp']
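The Overview above walks through the policyreader API (load a policy with its definitions, render a term, resolve tokens with GetNet/GetService, search terms), and the transcript above shows it on sample_cisco_lab.pol. The following is an added example, not Capirca's code and not a copy of the policyreader implementation: a small Python 3 reader in the same spirit that runs without Capirca installed. The definitions and policy text it parses are constructed for the example and only reuse the token and term names shown on this page; the class and method names (Definitions, Term, Filter, Policy, GetNet, GetService) mirror the shape of the API above but are this example's own. Two further assumptions are marked in the code: the filter name is taken as the word after the platform in the header's target:: line, and an unspecified field is treated as matching anything, which is this example's rule for first-match evaluation and not a description of how Capirca's Matches decides. Beyond what the page shows, FirstMatch evaluates a packet against the filter the way a first-match firewall would, and TermsUsing answers the introduction's question of where a given token is referenced.

```python
# Added illustration (not Capirca's policyreader). The definitions and policy text
# below are constructed, reusing the token names and term names shown on this page.
import ipaddress
import re

NETWORKS = {
    "GOOGLE_DNS": ["8.8.4.4/32", "8.8.8.8/32",
                   "2001:4860:4860::8844/128", "2001:4860:4860::8888/128"],
    "INTERNAL": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
SERVICES = {"DNS": ["53/tcp", "53/udp"], "DHCP": ["67/udp", "68/udp"]}
POLICY_TEXT = """header {
  target:: cisco allowtointernet extended
}
term accept-dhcp {
  protocol:: udp
  destination-port:: DHCP
  action:: accept
}
term accept-to-honestdns {
  destination-address:: GOOGLE_DNS
  destination-port:: DNS
  protocol:: udp
  action:: accept
}
term deny-to-internal {
  destination-address:: INTERNAL
  action:: deny
}
term default-permit {
  action:: accept
}
"""

FIELDS = ("source-address", "destination-address", "source-port",
          "destination-port", "protocol", "option", "action")
BLOCK_RE = re.compile(r"(header|term\s+(\S+))\s*\{(.*?)\}", re.S)

class Definitions:
    def __init__(self, nets, svcs):
        self.nets, self.svcs = nets, svcs
    def GetNet(self, token):
        return [ipaddress.ip_network(n) for n in self.nets[token]]
    def GetService(self, token):
        return list(self.svcs[token])

class Term:
    def __init__(self, name, fields):
        self.name = name
        # Each field holds a list of tokens; an empty list means "unspecified".
        self.fields = {f: fields.get(f, []) for f in FIELDS}
    def __str__(self):  # same layout as the page's print output
        return "\n".join([f"  Term: {self.name}"] + [
            f"  {f.capitalize()}:: {' '.join(self.fields[f])}" for f in FIELDS])

class Filter:
    def __init__(self, name):
        self.name, self.term = name, []

class Policy:
    def __init__(self, text, defs):
        self.defs, self.filter = defs, []
        for kind, name, body in BLOCK_RE.findall(text):
            fields = {}
            for line in body.splitlines():
                key, sep, value = line.strip().partition("::")
                if sep and not key.startswith("#"):
                    fields[key.strip()] = value.split()
            if kind == "header":  # assumption: filter name is the word after the platform
                self.filter.append(Filter(fields["target"][1]))
            else:
                self.filter[-1].term.append(Term(name, fields))
    def _addr_ok(self, tokens, ip):  # unspecified (empty) matches anything
        return not tokens or any(ip in n for t in tokens for n in self.defs.GetNet(t))
    def _port_ok(self, tokens, port_proto):
        return not tokens or any(port_proto in self.defs.GetService(t) for t in tokens)
    def FirstMatch(self, src, dst, dport, filter_index=0):
        """First-match evaluation as a firewall does it: (term_index, action) of the
        first term the packet hits, or None. This example's rule, not Capirca's Matches."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        proto = dport.split("/")[1]
        for i, t in enumerate(self.filter[filter_index].term):
            if (self._addr_ok(t.fields["source-address"], src)
                    and self._addr_ok(t.fields["destination-address"], dst)
                    and self._port_ok(t.fields["destination-port"], dport)
                    and (not t.fields["protocol"] or proto in t.fields["protocol"])):
                return i, t.fields["action"][0]
        return None
    def TermsUsing(self, token):
        """Where a definition token is referenced: [(filter_idx, term_idx, field)]."""
        return [(fi, ti, f) for fi, flt in enumerate(self.filter)
                for ti, t in enumerate(flt.term) for f in FIELDS if token in t.fields[f]]

SAMPLE = Policy(POLICY_TEXT, Definitions(NETWORKS, SERVICES))

if __name__ == "__main__":
    print(SAMPLE.filter[0].term[1])
    print(SAMPLE.FirstMatch("10.0.0.5", "8.8.8.8", "53/tcp"))  # term 1 skipped: udp only
    print(SAMPLE.TermsUsing("INTERNAL"))
```

Running the module shows why evaluation order matters when auditing a policy: a 53/udp query to 8.8.8.8 hits accept-to-honestdns, but the same query over 53/tcp is skipped by that term because of protocol:: udp, is not caught by deny-to-internal, and falls through to default-permit. TermsUsing("INTERNAL") reports the single term that references that token, which is the kind of question the introduction says policyreader was written to answer.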
