package Net::Cisco::AccessList::Extended;
use base qw(Class::Accessor::Fast);

# generates Cisco extended access-lists

use strict;
# every warning raised in this file is promoted to an exception
use warnings FATAL => 'all';

our $VERSION = '1.01';
$VERSION = eval $VERSION; # numify for warning-free dev releases

# NOTE(review): `any` is imported here but not used in the code visible below
use List::MoreUtils qw(any);
use Carp;

# read-only accessors: the list name and the array ref of rendered rules
__PACKAGE__->mk_ro_accessors(qw(_name _acls));
# okay, this is a little sly... _acls is read-only but because it's an array
# reference we can push items onto the array without writing to the accessor
19             # ===========================================================================
20              
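# initialize the ACL rules list and private attr
#
# Takes the class name and the access-list name; returns a new object with an
# empty rule list. Croaks when the name is missing, empty, or contains
# whitespace.
sub new {
    my ($class, $name) = @_;

    croak 'missing parameter for list name' if !defined $name or !length $name;
    # the name is interpolated verbatim into every "access-list <name> ..."
    # command; a Cisco list name is a single token, and embedded whitespace
    # (a newline in particular) would split or corrupt the generated lines
    croak 'list name must not contain whitespace' if $name =~ m/\s/;

    my $self = $class->SUPER::new({
        _name => $name,
        _acls => [],
    });
    bless $self, $class; # make sure the object belongs to the invoking class

    return $self;
}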
35              
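# Add a new rule to our ACL rule list, specified by parameters in hash.
#
# Takes a hash reference of ACE keys (access, proto/proto_og, the src_*/dst_*
# network and service keys, icmp/icmp_og), renders one "access-list ..."
# command and appends it to this list. Returns the object so calls can be
# chained; croaks on missing or conflicting parameters. The caller's hash is
# not modified.
sub push {
    my ($self, $arg_ref) = @_;

    _check_ace_args($arg_ref);

    # anything other than "permit"/"Permit"/"1" is rendered as a deny rule
    my $access = $arg_ref->{access} =~ m/\A (?: [Pp]ermit | 1 ) \z/x
        ? 'permit' : 'deny';

    my $proto = defined $arg_ref->{proto}
        ? $arg_ref->{proto}
        : "object-group $arg_ref->{proto_og}";

    # the list name is passed as a sprintf argument rather than interpolated
    # into the format string, so a '%' in the name cannot corrupt the output
    my $line = sprintf 'access-list %s extended %s %s %s%s %s%s%s',
        $self->_name, $access, $proto,
        _network_field($arg_ref, 'src'), _service_field($arg_ref, 'src'),
        _network_field($arg_ref, 'dst'), _service_field($arg_ref, 'dst'),
        _icmp_field($arg_ref);

    # _acls is a read-only accessor, but it returns the stored array reference
    # itself, so pushing onto that array updates the object in place
    push @{ $self->_acls }, $line;

    return $self;
}

# Check the ACE parameter hash for missing or conflicting keys; croaks with a
# message naming the problem, otherwise returns nothing.
sub _check_ace_args {
    my ($arg_ref) = @_;

    croak 'missing parameter "access"' if !defined $arg_ref->{access};

    # every value is interpolated verbatim into one configuration line and
    # dump() joins lines with "\n", so a line break inside any value would turn
    # one ACE into several commands
    croak 'parameter values must not contain line breaks'
        if grep { defined $_ and $_ =~ m/[\r\n]/ } values %$arg_ref;

    croak 'missing parameter "proto" or "proto_og"'
        if !defined $arg_ref->{proto} and !defined $arg_ref->{proto_og};
    croak 'cannot specify both protocol and protocol group'
        if defined $arg_ref->{proto} and defined $arg_ref->{proto_og};

    # source and destination share the same key layout and the same rules
    for my $end (qw(src dst)) {
        my $which = $end eq 'src' ? 'source' : 'destination';

        croak "missing $which network address"
            if defined $arg_ref->{"${end}_mask"}
            and !defined $arg_ref->{"${end}_ip"};
        croak "cannot specify both $which network and network group"
            if defined $arg_ref->{"${end}_ip"}
            and defined $arg_ref->{"${end}_og"};

        croak "missing low service for $which service range"
            if defined $arg_ref->{"${end}_svc_hi"}
            and !defined $arg_ref->{"${end}_svc"};
        croak "missing $which service operator"
            if defined $arg_ref->{"${end}_svc"}
            and !defined $arg_ref->{"${end}_svc_op"};
        croak "cannot specify both $which service and service group"
            if defined $arg_ref->{"${end}_svc_op"}
            and defined $arg_ref->{"${end}_svc_og"};
    }

    croak 'cannot specify both icmp type and icmp group'
        if defined $arg_ref->{icmp} and defined $arg_ref->{icmp_og};
    croak 'cannot use icmp with services'
        if (defined $arg_ref->{icmp} or defined $arg_ref->{icmp_og})
        and grep { defined $arg_ref->{$_} }
            qw(src_svc_op src_svc_og dst_svc_op dst_svc_og);

    return;
}

# Render the source ('src') or destination ('dst') network field: an object
# group, a "network mask" pair, a single host, or "any" when nothing was given.
sub _network_field {
    my ($arg_ref, $end) = @_;
    my ($og, $ip, $mask) = @{$arg_ref}{"${end}_og", "${end}_ip", "${end}_mask"};

    return "object-group $og" if defined $og;
    return "$ip $mask"        if defined $mask;
    return "host $ip"         if defined $ip;
    return 'any';
}

# Render the optional service part for 'src' or 'dst', including its leading
# space, or the empty string when no service keys were given: a service object
# group, or operator + port, plus the upper port for a range.
sub _service_field {
    my ($arg_ref, $end) = @_;
    my ($og, $op, $svc, $hi) =
        @{$arg_ref}{"${end}_svc_og", "${end}_svc_op", "${end}_svc", "${end}_svc_hi"};

    my $field = '';
    $field = " object-group $og" if defined $og;
    $field = " $op $svc"         if defined $op;
    $field .= " $hi"             if defined $hi;

    return $field;
}

# Render the optional trailing icmp part (leading space included), or the
# empty string when neither icmp key was given.
sub _icmp_field {
    my ($arg_ref) = @_;

    return " $arg_ref->{icmp}"                 if defined $arg_ref->{icmp};
    return " object-group $arg_ref->{icmp_og}" if defined $arg_ref->{icmp_og};
    return '';
}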
129              
# return our current ACL rule list.
#
# The rules are joined one per line with no trailing newline; the caller
# appends one if needed.
sub dump {
    my ($self) = @_;

    my @rules = @{ $self->_acls };
    return join("\n", @rules);
}
136              
1; # a module must return a true value when loaded
138              
139             =head1 NAME
140              
141             Net::Cisco::AccessList::Extended - Generate Cisco extended access-lists
142              
143             =head1 VERSION
144              
145             This document refers to version 1.01 of Net::Cisco::AccessList::Extended.
146              
147             =head1 SYNOPSIS
148              
149             use Net::Cisco::AccessList::Extended;
150             my $l = Net::Cisco::AccessList::Extended->new('INCOMING_LIST');
151            
152             $l->push({
153             access => 'permit',
154             proto => 'ip',
155             src_og => 'friendly_net',
156             dst_og => 'local_net',
157             });
158            
159             print $l->dump, "\n";
160             # prints the access-list commands to STDOUT, something like:
161            
162             access-list INCOMING_LIST extended permit ip object-group friendly_net object-group local_net
163              
164             =head1 DESCRIPTION
165              
166             Use this module to manage the presentation of Cisco Extended Access Lists.
List entries are pushed into the object in a simple parameterized fashion, and
168             you can then dump the list in a format that is parsable by Cisco devices.
169              
170             Support is included for list entries that reference Object Groups (as used by
171             more recent PIX OS and FWSM software versions).
172              
173             =head1 IMPORTANT NOTE
174              
This module's error checking is only concerned with B<syntax>.
It makes no judgement of the I<semantics> of your list entries.
177              
178             For instance, newer FWSM systems use netmasks specified in terms of host
179             address network masks (e.g. C<255.255.255.0>), whereas older systems use
wildcard bits (e.g. C<0.0.0.255>). C<Net::Cisco::AccessList::Extended> will
not check that you use the correct type of mask, or even that your mask isn't
something completely inappropriate.
183              
184             =head1 METHODS
185              
186             =head2 C<< Net::Cisco::AccessList::Extended->new >>
187              
188             Each access list that you manage must be created through this method, which
189             takes one parameter, the name of the access list.
190              
On success this method returns a newly instantiated
C<Net::Cisco::AccessList::Extended> object. Lucky you.
193              
=head2 C<push>
195              
196             Use this method to add an access list entry (sometimes called an Access
197             Control Entry by Cisco documentation) to the end of an access list. In case it
is not obvious, access lists are ordered, so I<pushing> an entry means it is
added to the I<end> of the list.
200              
201             Parameters are all passed within a single hash reference argument. Which keys
202             of that hash you populate will depend on the Access Control Entry (hereafter,
203             ACE) that you are appending to the access list. Logic within the module should
204             check that you are syntactically correct, but for brevity of this
205             documentation you are referred to the many Cisco manuals containing ACE syntax
206             usage guidelines.
207              
208             Possible keys and values are as follows:
209              
210             =over 4
211              
=item C<access>
213              
This parameter is required and dictates whether the ACE will be a I<permit> or
I<deny> rule, with the following values being interpreted as meaning
C<permit>:
217              
218             Permit | permit | 1
219              
Any other value in this slot is taken to be a request for a C<deny> statement.
221              
=item C<proto> or C<proto_og>
223              
224             Network protocol. As mentioned above, it is your responsibility to enter
225             something that the Cisco device will parse (e.g. a recognised protocol name or
226             IANA assigned number, or protocol object group). This parameter is required.
227              
=item C<src_ip>, C<src_mask> or C<src_og>
229              
230             Source network. Various combinations of these three keys are permitted.
Omitting them all results in the keyword C<any> being used. Only providing the
C<src_ip> is allowed, as well as providing both the C<src_ip> and C<src_mask>.
Alternatively you may specify an object group in the C<src_og> slot.
234              
=item C<src_svc_op>, C<src_svc>, C<src_svc_hi> or C<src_svc_og>
236              
Source port(s). Again, various combinations of these keys are permitted. A
service (port) object group is used by filling I<only> the
C<src_svc_og> slot. Otherwise, C<src_svc_op> is required and is the service
operator (e.g. C<eq>, C<range>, etc). C<src_svc> is the service name or IANA
assigned port number, and if the operator is C<range> then the upper port
boundary must be provided in the C<src_svc_hi> slot.
243              
=item C<dst_ip>, C<dst_mask> or C<dst_og>
245              
These keys function identically to their source counterparts, but of course
247             control the production of destination network address fields.
248              
=item C<dst_svc_op>, C<dst_svc>, C<dst_svc_hi> or C<dst_svc_og>
250              
These keys function identically to their source counterparts, but of course
252             control the production of destination service fields.
253              
=item C<icmp> or C<icmp_og>
255              
Any value in this slot will be appended to the ACE, so that you can limit the
match to a particular ICMP message type if the rule's protocol is C<icmp>. Use
C<icmp_og> if your value is the name of an icmp object group.
259              
260             =back
261            
On success this method returns its own object. On failure this module will
C<croak>.
264              
=head2 C<dump>
266              
267             This method generates and returns the access list as it would look in a Cisco
268             configuration file.
269              
270             The returned value is a scalar, with embedded newline characters and no
271             terminating newline, so you will need to append that as required. Note that
272             when submitting this to, for example, a L session via
273             C, a newline will be automatically appended by that method.
274              
Fully compatible Cisco commands are produced on the fly from the data stored
in the C<Net::Cisco::AccessList::Extended> object, so you can C<push> and
C<dump> repeatedly to your heart's content.
278              
279             =head1 DIAGNOSTICS
280              
281             =over 4
282              
=item C<missing parameter for list name>
284              
You have not provided the required parameter to C<new>; see the description of C<new> above.
286              
287             =item Various other C or C messages
288              
289             These are generated by the internal syntax checking routine, which will alert
you to conflicting parameters passed to the C<push> object method.
291              
292             =back
293              
294             =head1 DEPENDENCIES
295              
296             Other than the contents of the standard Perl distribution, you will need the
297             following:
298              
299             =over 4
300              
301             =item *
302              
303             Class::Accessor::Fast (bundled with Class::Accessor)
304              
305             =item *
306              
307             List::MoreUtils
308              
309             =back
310              
311             =head1 SEE ALSO
312              
313             L, L
314              
315             =head1 AUTHOR
316              
317             Oliver Gorwits C<< >>
318              
319             =head1 COPYRIGHT & LICENSE
320              
321             Copyright (c) The University of Oxford 2008.
322              
323             This library is free software; you can redistribute it and/or modify it under
324             the same terms as Perl itself.
325              
326             =cut
327