Cisco2Checkpoint

fixed bug in method _fixACLRuleRedundancy()

Open lduck opened this issue 5 years ago • 5 comments

In some cases, ACLs were removed/lost by method _fixACLRuleRedundancy() because of a bug. If we had ACL_a, ACL_b, and ACL_c where ACL_a can be merged with ACL_b, and ACL_b can be merged with ACL_c, then this happened:

1. ACL_a was merged with ACL_b, and ACL_b was removed from self.obj_list but retained in the local aclRules
2. ACL_b was merged with ACL_c, and ACL_c was removed from self.obj_list

lduck avatar Nov 10 '20 13:11 lduck
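To make the failure mode concrete, here is an added, self-contained model of the merge loop described above. It is not Cisco2Checkpoint's own code: the `Rule` class, the "rules differ in exactly one column" merge criterion, the `obj_list` / `acl_rules` split and the sample addresses are all assumptions constructed for the illustration. `fix_redundancy_buggy` reproduces the chain ACL_a+ACL_b, then ACL_b+ACL_c, where ACL_b keeps acting as a survivor after it has already been dropped from `obj_list`; `fix_redundancy_fixed` skips rules that are no longer in `obj_list`. A coverage check expands every rule into (src, dst, port, action) tuples before and after, which is the regression test a converter like this wants: a silently dropped permit or deny is exactly what you do not want to discover after the policy has been installed on the firewall.

```python
from itertools import product


class Rule:
    """Toy ACL rule (assumed shape, not the project's class). Columns are sets so a
    merged rule can carry several sources, destinations or services at once."""

    def __init__(self, name, src, dst, ports, action="permit"):
        self.name = name
        self.src = frozenset(src)
        self.dst = frozenset(dst)
        self.ports = frozenset(ports)
        self.action = action

    def tuples(self):
        """Every (src, dst, port, action) the rule covers; used to check nothing is lost."""
        return {(s, d, p, self.action) for s, d, p in product(self.src, self.dst, self.ports)}

    def __repr__(self):
        return "%s(%s -> %s : %s)" % (self.name, sorted(self.src), sorted(self.dst), sorted(self.ports))


COLUMNS = ("src", "dst", "ports")


def mergeable(a, b):
    """Assumed criterion: same action and all columns equal except exactly one.
    This is deliberately not transitive, which is what makes the a+b, b+c chain possible."""
    if a.action != b.action:
        return False
    return sum(1 for f in COLUMNS if getattr(a, f) != getattr(b, f)) == 1


def merge_into(a, b):
    """Fold b into a by taking the union of the one differing column."""
    for f in COLUMNS:
        if getattr(a, f) != getattr(b, f):
            setattr(a, f, getattr(a, f) | getattr(b, f))


def fix_redundancy_buggy(obj_list):
    """Reproduces the issue: acl_rules is a local snapshot, so a rule removed from
    obj_list (b) is still visited later and absorbs c, which is then removed as well."""
    acl_rules = list(obj_list)
    for i, a in enumerate(acl_rules):
        for b in acl_rules[i + 1:]:
            if b in obj_list and mergeable(a, b):
                merge_into(a, b)
                obj_list.remove(b)
    return obj_list


def fix_redundancy_fixed(obj_list):
    """Same loop, but a rule that has already been folded into an earlier one
    must never act as a survivor again."""
    acl_rules = list(obj_list)
    for i, a in enumerate(acl_rules):
        if a not in obj_list:
            continue
        for b in acl_rules[i + 1:]:
            if b in obj_list and mergeable(a, b):
                merge_into(a, b)
                obj_list.remove(b)
    return obj_list


def coverage(rules):
    cov = set()
    for r in rules:
        cov |= r.tuples()
    return cov


def sample_rules():
    # Constructed sample: a merges with b (ports differ), b merges with c (sources differ),
    # but a and c differ in two columns and therefore never merge directly.
    return [
        Rule("ACL_a", {"10.0.0.1"}, {"10.0.1.1"}, {80}),
        Rule("ACL_b", {"10.0.0.1"}, {"10.0.1.1"}, {443}),
        Rule("ACL_c", {"10.0.0.2"}, {"10.0.1.1"}, {443}),
    ]


def lost_by(fixer):
    """Tuples covered before the redundancy pass that no surviving rule covers afterwards."""
    rules = sample_rules()
    before = coverage(rules)
    after = coverage(fixer(list(rules)))
    return sorted(before - after)


if __name__ == "__main__":
    print("buggy:", fix_redundancy_buggy(sample_rules()), "lost:", lost_by(fix_redundancy_buggy))
    print("fixed:", fix_redundancy_fixed(sample_rules()), "lost:", lost_by(fix_redundancy_fixed))
```

With the buggy pass the output policy collapses to a single rule and the 10.0.0.2 -> 10.0.1.1:443 entry disappears; with the guard in place the pass keeps ACL_a (now carrying both ports) and ACL_c, and the before/after coverage sets are equal. The same `coverage` comparison, run over the tool's real input and output, is the shape of test case the maintainer asks for below.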

Hi @lduck! Thanks for the contribution! Ideally I would like to have a test case for this to avoid regressions.

Can you provide or modify our tests so that they fail without your patch?

Then we can apply your patch and see the tests succeed. That would be awesome!

obilodeau avatar Nov 10 '20 15:11 obilodeau

Forgot to say: our testing infrastructure is here: https://github.com/GoSecure/Cisco2Checkpoint/tree/master/tests Basically the input and expected output of the tool. Modify there to highlight the error.

obilodeau avatar Nov 10 '20 15:11 obilodeau

I understand that providing a test case might be too much so I was willing to test the patch myself and merge it if there were no regressions.

However, I can't even get the thing to run on my system now. I have the submodule installed but I still get an error:

$ python2.7 c2c.py --verify     --format text     --ciscoFile tests/network_script.txt     --syntax asa     --policy My_Policy     --installOn My_Firewall     --output 'network_script_verify.txt'
Traceback (most recent call last):
  File "c2c.py", line 34, in <module>
    from cisco2checkpoint import Cisco2Checkpoint,Cisco2CheckpointManager
  File "lib/cisco2checkpoint.py", line 26, in <module>
    from ciscoconfparse_patch import CiscoConfParse
  File "lib/ciscoconfparse_patch.py", line 29, in <module>
    from ciscoconfparse import models_cisco
ImportError: No module named ciscoconfparse

I'm running python 2.7.18 and I'm afraid it has to do with this thing:

import sys
sys.path.insert(0, 'lib')  # makes the modules under lib/ importable as top-level names
del sys

I spent some time on it and couldn't fix it. The original developer who created this project is no longer around. Can you help me run the tests? I would happily merge that PR if there are no visible regressions.

obilodeau avatar Nov 18 '20 05:11 obilodeau

Hi, sorry for the late response. I didn't have much time because of a project deadline.

I was also fighting with running the code the first time, because of incompatibilities with other packages (I think it was the dns module, and maybe the parse module). I was able to use this code on some CentOS 7 with Python 2.7.5 after uninstalling/installing some packages. And I'm also able to use it with CygWin Python 3.6.8 after multiple code modifications. So I do not think that it is because of sys.path.insert(0, 'lib'), as this works OK with Python 3.6. I do not remember if I had the same or a similar issue as you with ciscoconfparse, but I remember that I installed ciscoconfparse via pip (maybe version 1.2.40).

I wanted to write the test, but I was not able to successfully run the test in the repository with unchanged code:

python2.7  c2c.py --verify --format text --ciscoFile tests/test_policy.CONFIG --syntax asa --policy My_Policy --installOn My_Firewall --output network_script_verify.txt
#[+] Importing all objects except groups.
#[+] Importing Checkpoint network objects
#[+] Importing all names.
#[+] Importing all hosts.
#[+] Importing all networks.
#[+] Importing all ranges.
#[+] Fixing duplicate names
#[+] Fixing duplicate IP addresses
#[+] Fixing duplicate subnets
#[+] Fixing duplicate ranges
#[+] Importing Checkpoint ports objects
#[+] Adding ICMP Aliases
#[+] Importing all single ports objects.
#[+] Importing all port ranges objects.
#[+] Importing all net/host/range groups.
#[+] Importing all protocol groups.
#[+] Importing all port groups.
#[+] Importing all NAT rules.
#[+] Importing all firewall rules. (access-list)
Traceback (most recent call last):
  File "c2c.py", line 171, in <module>
    c2c.importConfig(args.cpPortsFile,args.cpNetObjFile,args.ciscoFile)
  File "lib/cisco2checkpoint.py", line 1765, in importConfig
    self._importASAACLRules(self.parser.getACLRules())
  File "lib/cisco2checkpoint.py", line 1882, in _importASAACLRules
    forceLog = self.forceLog))
  File "lib/cisco2checkpoint.py", line 1255, in __init__
    self._buildFromParsedObj(parsedObj)
  File "lib/cisco2checkpoint.py", line 1301, in _buildFromParsedObj
    self.port = self._getServices(parsedObj)
  File "lib/cisco2checkpoint.py", line 1393, in _getServices
    return [self._getOrCreateMemberObj('port-group',port)]
  File "lib/cisco2checkpoint.py", line 516, in _getOrCreateMemberObj
    self._createMemberObj(type,v1,v2,v3)
  File "lib/cisco2checkpoint.py", line 508, in _createMemberObj
    raise C2CException('Cannot create a port group member "%s" on the fly.' % v1)
cisco2checkpoint.C2CException: Cannot create a port group member "MyICMP" on the fly.

lduck avatar Dec 09 '20 14:12 lduck

I can't reproduce since I can't get this thing to work. Can you submit your changes to port it to Python 3 please? In a separate pull request. I'll integrate that and then advise. I don't think going back to an old CentOS / Python is a good idea from here.

obilodeau avatar Dec 09 '20 21:12 obilodeau