Firewall-Policy-Designer
16 results

 view release on metacpan or  search on metacpan

lib/Firewall/Policy/Designer/Srx.pm  view on Meta::CPAN 

package Firewall::Policy::Designer::Srx;

#------------------------------------------------------------------------------
# 加载扩展模块
#------------------------------------------------------------------------------
use Moose;
use namespace::autoclean;

#------------------------------------------------------------------------------
# 加载项目模块
#------------------------------------------------------------------------------
use Firewall::Utils::Date;
use Firewall::Policy::Searcher::Report::FwInfo;

has dbi => ( is => 'ro', does => 'Firewall::DBI::Role', required => 1, );

has searcherReportFwInfo => ( is => 'ro', isa => 'Firewall::Policy::Searcher::Report::FwInfo', required => 1, );

has commandText => ( is => 'ro', isa => 'ArrayRef[Str]', default => sub { [] }, );

sub addToCommandText {
  my ( $self, @commands ) = @_;
  push @{$self->commandText}, @commands;
}

sub design {
  my $self = shift;
  if ( $self->searcherReportFwInfo->type eq 'new' ) {
    $self->createRule;
  }
  elsif ( $self->searcherReportFwInfo->type eq 'modify' ) {
    $self->modifyRule;
  }
  elsif ( $self->searcherReportFwInfo->type eq 'ignore' ) {
    if ( defined $self->searcherReportFwInfo->action ) {
      my $param = $self->searcherReportFwInfo->action->{'new'};
      for my $type ( keys %{$param} ) {
        if ( $type eq 'natDst' or $type eq 'natSrc' ) {
          $self->createNat( $param->{$type} );
        }
      }
    }
  }
  else {
    confess( "ERROR: searcherReportFwInfo->type(" . $self->searcherReportFwInfo->type . ") must be 'new' or 'modify'" );
  }
  if ( @{$self->commandText} > 0 ) {
    push @{$self->commandText}, 'commit check';
    push @{$self->commandText}, 'commit';
  }
  return join( '', map {"$_\n"} @{$self->commandText} );
} ## end sub design

sub createRule {
  my $self = shift;

  #先检查涉及到的 addr or srv 在防火墙上有没有已经存在的名字,没有就需要创建
  my $action  = $self->searcherReportFwInfo->action;
  my $nameMap = $self->checkAndCreateAddrOrSrvOrNat( $action->{'new'} );

=example
set security policies from-zone l2-untrust to-zone l2-trust policy p409 match source-address host_10.39.100.252
set security policies from-zone l2-untrust to-zone l2-trust policy p409 match destination-address host_10.44.96.12
set security policies from-zone l2-untrust to-zone l2-trust policy p409 match application tcp_44441-44444
set security policies from-zone l2-untrust to-zone l2-trust policy p409 then permit

=cut

  my ( $fromZone, $toZone ) = ( $self->searcherReportFwInfo->fromZone, $self->searcherReportFwInfo->toZone );
  my @commands;
  my $randNum  = $$ || sprintf( '%05d', int( rand(99999) ) );
  my $ruleName = 'p_' . Firewall::Utils::Date->new->getFormatedDate('yyyymmdd_hhmiss') . "_$randNum";
  for my $type ( keys %{$nameMap} ) {
    push @commands,
      map {"set security policies from-zone $fromZone to-zone $toZone policy $ruleName match source-address $_"}
      @{$nameMap->{$type}}
      if $type eq 'src';
    push @commands,
      map {"set security policies from-zone $fromZone to-zone $toZone policy $ruleName match destination-address $_"}



( run in 1.114 second using v1.01-cache-2.11-cpan-39bf76dae61 )