/IOS-simple/demo.rkt

http://github.com/tnelson/Margrave · Racket · 226 lines · 129 code · 47 blank · 50 comment · 0 complexity · b52a404efb5972d98e970dc150d7c90a MD5 · raw file 

    

  1. ; Copyright Š 2009-2010 Brown University and Worcester Polytechnic Institute.

    2. 

  2. ;

    3. 

  3. ; This file is part of Margrave.

    4. 

  4. 

    5. 

  5. ; Margrave is free software: you can redistribute it and/or modify

    6. 

  6. ; it under the terms of the GNU Lesser General Public License as published by

    7. 

  7. ; the Free Software Foundation, either version 3 of the License, or

    8. 

  8. ; (at your option) any later version.

    9. 

  9. ;

    10. 

  10. ; Margrave is distributed in the hope that it will be useful,

    11. 

  11. ; but WITHOUT ANY WARRANTY; without even the implied warranty of

    12. 

  12. ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

    13. 

  13. ; GNU Lesser General Public License for more details.

    14. 

  14. ;

    15. 

  15. ; You should have received a copy of the GNU Lesser General Public License

    16. 

  16. ; along with Margrave. If not, see <http://www.gnu.org/licenses/>.

    17. 

  17. 

    18. 

  18. #lang racket

    19. 

  19. 

    20. 

  20. (require margrave

    21. 

  21.          margrave/margrave-ios)

    22. 

  22. 

    23. 

  23. 

    24. 

  24. (define my-vector "(ahostname, entry-interface, 

    25. 

  25.         src-addr-in, src-addr-out, 

    26. 

  26.         dest-addr-in, dest-addr-out, 

    27. 

  27.         protocol, message, flags,

    28. 

  28.         src-port-in,  src-port-out, 

    29. 

  29.         dest-port-in, dest-port-out, 

    30. 

  30.         length, next-hop, exit-interface)")

    31. 

  31. 

    32. 

  32. 

    33. 

  33. (define (run-queries-for-example)

    34. 

  34.   

    35. 

  35.   ; Start Margrave's java engine

    36. 

  36.   ; Pass path of the engine files: 1 level up from here.

    37. 

  37. ;  (start-margrave-engine (build-path (current-directory) 'up))

    38. 

  38.   (start-margrave-engine)

    39. 

  39.   

    40. 

  40.   ; Load all the policies 

    41. 

  41.   ; InboundACL -> InboundACL1, InboundACL2, InboundACL3 respectively.

    42. 

  42.   (load-ios-policies (build-path (current-directory) "initial") "" "1")

    43. 

  43.   (load-ios-policies (build-path (current-directory) "change1") "" "2")

    44. 

  44.   (load-ios-policies (build-path (current-directory) "change2") "" "3")

    45. 

  45.   

    46. 

  46.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    47. 

  47.   ; which-packets

    48. 

  48.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    49. 

  49.   

    50. 

  50.   (printf "~n~nWhich-packets:~n")

    51. 

  51.   

    52. 

  52.   ;        AND fe0(entry-interface)

    53. 

  53.   ;    AND prot-tcp(protocol)

    54. 

  54.   ;    AND ip-192-168-5-10(dest-addr-in)

    55. 

  55.   ;    AND ip-10-1-1-2(ip-addr-in)

    56. 

  56.   

    57. 

  57.   

    58. 

  58.   (display-response (mtext "EXPLORE InboundACL1:Permit(ahostname, entry-interface, 

    59. 

  59.         src-addr-in, src-addr-out, 

    60. 

  60.         dest-addr-in, dest-addr-out, 

    61. 

  61.         protocol, message, flags,

    62. 

  62.         src-port-in,  src-port-out, 

    63. 

  63.         dest-port-in, dest-port-out, 

    64. 

  64.         length, next-hop, exit-interface)

    65. 

  65.      TUPLING")  )

    66. 

  66.   ; The TUPLING keyword activates the tupling optimization, which is very useful for firewalls.

    67. 

  67.   

    68. 

  68.   (display-response (mtext "GET ONE"))

    69. 

  69.      

    70. 

  70.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    71. 

  71.   ; verification

    72. 

  72.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    73. 

  73.   

    74. 

  74.   (printf "~n~nVerification:~n")

    75. 

  75.   

    76. 

  76.   (display-response (mtext "EXPLORE InboundACL1:Permit(ahostname, entry-interface, 

    77. 

  77.         src-addr-in, src-addr-out, 

    78. 

  78.         dest-addr-in, dest-addr-out, 

    79. 

  79.         protocol, message, flags,

    80. 

  80.         src-port-in,  src-port-out, 

    81. 

  81.         dest-port-in, dest-port-out, 

    82. 

  82.         length, next-hop, exit-interface)

    83. 

  83. 

    84. 

  84.         AND src-addr-in = 10.1.1.2 

    85. 

  85.         AND fe0 = entry-interface

    86. 

  86. 

    87. 

  87.      TUPLING") )

    88. 

  88.   (display-response (mtext "IS POSSIBLE?"))

    89. 

  89.   

    90. 

  90.   

    91. 

  91.   

    92. 

  92.   ;; due to gensym use, rule names will change along with line numbers and on each re-parse

    93. 

  93.     

    94. 

  94.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    95. 

  95.   ; rule responsibility

    96. 

  96.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    97. 

  97.   

    98. 

  98.   (printf "~n~nRule-blaming:~n")

    99. 

  99.   

    100. 

  100.   (display-response (mtext (string-append "EXPLORE InboundACL1:Deny" my-vector

    101. 

  101.                         

    102. 

  102.                         " AND 10.1.1.2 = src-addr-in"

    103. 

  103.                         " AND fe0 = entry-interface "

    104. 

  104.                         

    105. 

  105.                         " INCLUDE InboundACL1:Router-fe0-line9_applies" my-vector ","

    106. 

  106.                         "InboundACL1:Router-fe0-line12_applies" my-vector

    107. 

  107.                         " TUPLING")))

    108. 

  108.   (display-response (mtext (string-append "SHOW REALIZED InboundACL1:Router-fe0-line9_applies" my-vector ","

    109. 

  109.                         "InboundACL1:Router-fe0-line12_applies" my-vector)))

    110. 

  110.   

    111. 

  111.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    112. 

  112.   ; change-impact

    113. 

  113.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    114. 

  114.   

    115. 

  115.   (printf "~n~nChange-impact:~n")

    116. 

  116.   

    117. 

  117.   ; vs change 1    

    118. 

  118.   (display-response (mtext "EXPLORE (InboundACL1:Permit(ahostname, entry-interface, 

    119. 

  119.         src-addr-in, src-addr-out, 

    120. 

  120.         dest-addr-in, dest-addr-out, 

    121. 

  121.         protocol, message, flags,

    122. 

  122.         src-port-in,  src-port-out, 

    123. 

  123.         dest-port-in, dest-port-out, 

    124. 

  124.         length, next-hop, exit-interface)

    125. 

  125. 

    126. 

  126.        AND NOT InboundACL2:Permit(ahostname, entry-interface, 

    127. 

  127.         src-addr-in, src-addr-out, 

    128. 

  128.         dest-addr-in, dest-addr-out, 

    129. 

  129.         protocol, message, flags,

    130. 

  130.         src-port-in,  src-port-out, 

    131. 

  131.         dest-port-in, dest-port-out, 

    132. 

  132.         length, next-hop, exit-interface) )

    133. 

  133. 

    134. 

  134.        OR

    135. 

  135.        (InboundACL2:Permit(ahostname, entry-interface, 

    136. 

  136.         src-addr-in, src-addr-out, 

    137. 

  137.         dest-addr-in, dest-addr-out, 

    138. 

  138.         protocol, message, flags,

    139. 

  139.         src-port-in,  src-port-out, 

    140. 

  140.         dest-port-in, dest-port-out, 

    141. 

  141.         length, next-hop, exit-interface)

    142. 

  142. 

    143. 

  143.        AND NOT InboundACL1:Permit(ahostname, entry-interface, 

    144. 

  144.         src-addr-in, src-addr-out, 

    145. 

  145.         dest-addr-in, dest-addr-out, 

    146. 

  146.         protocol, message, flags,

    147. 

  147.         src-port-in,  src-port-out, 

    148. 

  148.         dest-port-in, dest-port-out, 

    149. 

  149.         length, next-hop, exit-interface) )

    150. 

  150. 

    151. 

  151.      TUPLING"))  

    152. 

  152.   (display-response (mtext "IS POSSIBLE?"))

    153. 

  153.   

    154. 

  154.   

    155. 

  155.   ; Vs. change 2

    156. 

  156.   (display-response (mtext "EXPLORE (InboundACL1:Permit(ahostname, entry-interface, 

    157. 

  157.         src-addr-in, src-addr-out, 

    158. 

  158.         dest-addr-in, dest-addr-out, 

    159. 

  159.         protocol, message, flags,

    160. 

  160.         src-port-in,  src-port-out, 

    161. 

  161.         dest-port-in, dest-port-out, 

    162. 

  162.         length, next-hop, exit-interface)

    163. 

  163. 

    164. 

  164.        AND NOT InboundACL3:Permit(ahostname, entry-interface, 

    165. 

  165.         src-addr-in, src-addr-out, 

    166. 

  166.         dest-addr-in, dest-addr-out, 

    167. 

  167.         protocol, message, flags,

    168. 

  168.         src-port-in,  src-port-out, 

    169. 

  169.         dest-port-in, dest-port-out, 

    170. 

  170.         length, next-hop, exit-interface) )

    171. 

  171. 

    172. 

  172.        OR

    173. 

  173.        (InboundACL3:Permit(ahostname, entry-interface, 

    174. 

  174.         src-addr-in, src-addr-out, 

    175. 

  175.         dest-addr-in, dest-addr-out, 

    176. 

  176.         protocol, message, flags,

    177. 

  177.         src-port-in,  src-port-out, 

    178. 

  178.         dest-port-in, dest-port-out, 

    179. 

  179.         length, next-hop, exit-interface)

    180. 

  180. 

    181. 

  181.        AND NOT InboundACL1:Permit(ahostname, entry-interface, 

    182. 

  182.         src-addr-in, src-addr-out, 

    183. 

  183.         dest-addr-in, dest-addr-out, 

    184. 

  184.         protocol, message, flags,

    185. 

  185.         src-port-in,  src-port-out, 

    186. 

  186.         dest-port-in, dest-port-out, 

    187. 

  187.         length, next-hop, exit-interface) )

    188. 

  188. 

    189. 

  189.      TUPLING")  )

    190. 

  190.  (display-response  (mtext "IS POSSIBLE?"))

    191. 

  191.   

    192. 

  192.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    193. 

  193.   ; Rule relationships

    194. 

  194.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    195. 

  195.   

    196. 

  196.   (printf "~n~nRule relationships:~n")

    197. 

  197.   

    198. 

  198.   ;; This involves rules in the first change (InboundACL2)

    199. 

  199.   ; line 12 wants to apply: what prevents it from doing so?

    200. 

  200.   

    201. 

  201.   (display-response (mtext (string-append "EXPLORE InboundACL2:Router-fe0-line12_matches" my-vector

    202. 

  202.                         

    203. 

  203.                         " INCLUDE InboundACL2:Router-fe0-line9_applies" my-vector ","

    204. 

  204.                         "InboundACL2:Router-fe0-line10_applies" my-vector ","

    205. 

  205.                         "InboundACL2:Router-fe0-line11_applies" my-vector

    206. 

  206.                         " TUPLING"))) 

    207. 

  207.   (display-response (mtext (string-append "SHOW REALIZED InboundACL2:Router-fe0-line9_applies" my-vector ","

    208. 

  208.                         "InboundACL2:Router-fe0-line10_applies" my-vector ","

    209. 

  209.                         "InboundACL2:Router-fe0-line11_applies" my-vector)))

    210. 

  210.   

    211. 

  211.   

    212. 

  212.   

    213. 

  213.   

    214. 

  214.   

    215. 

  215.   

    216. 

  216.   ; Computing superfluous rules

    217. 

  217.   ; ----> In sup-ios.rkt

    218. 

  218.   

    219. 

  219.   ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    220. 

  220.   

    221. 

  221.   ; 2.1 in other file

    222. 

  222.   

    223. 

  223.   

    224. 

  224.   

    225. 

  225.   ;(stop-margrave-engine)

    226. 

  226.   )
    227.