I'm having some problems with an OO module that does PIX firewall ACL parsing (PIX::Walker), and I can't figure out what's going on. In some cases the array reference that should be returned by $configs{$fw}->obj($line->source_str) to should be dereferenced into @sources is returning null, e.g.:
1) deny (ip) IP_Block -> 0.0.0.0/0 IP_Block $VAR1 = [];
It only seems to happen on deny rules, but I'm not 100% positive this is the only case.
Here's the script, I've commented out the code that I've been using to try to troubleshoot this. I've used this module before and the obj object, and never run into anything like this.
#!/usr/bin/perl use strict; use PIX::Walker; use Getopt::Std; use Socket; use Data::Dumper; my $usage = "Usage: portproto-rpt.pl -d config directory -d is required Output is in CSV format to STDOUT, redirect to a file as required use portproto-rpt.pl -h to get this help\n\n"; my @internal = ("10.0.0.0\/8","172.16.0.0\/14","192.168.0.0\/16"); my @firewalls = ("east","west","central"); my %protocols = ( tcp => 1, udp => 1, icmp => 1, gre => 1, esp => 1, ip => 1, ); my %options; my %configs; my %elements; my (@ports,@dests,@sources,@protos); my ($fw,$acl); getopts('hd:', \%options); if ($options{h}) { die $usage }; foreach (@firewalls) { $fw = sprintf "%s\/%s.config",$options{d},$_; if (-e $fw) { $configs{$_} = new PIX::Walker($fw); } else { die "Cannot find config file $_ in \n"; } } print "Firewall,Source,Destination,Protocol,Port,Action\n"; foreach $fw (keys %configs) { $acl = $configs{$fw}->acl("outside-in") || die "ACL: outside-in do +es not exist on filewal config $fw\n"; foreach my $line ($acl->lines) { (@ports,@dests,@sources,@protos,%elements) = 0; # if ($line->action =~ /deny/) { # print $line->print, "\n"; # } if ($protocols{$line->proto_str}) { push @protos, $line->proto_str; } else { my @protos = $configs{$fw}->obj($line->proto_str) } while ($elements{proto} = pop @protos) { if (!$line->destport_str) { push @ports, "any"; } elsif ($line->destport_str =~ /^\d/) { push @ports, $line->destport_str; } else { my @ports = $configs{$fw}->obj($line->destport_st +r) } unless ($ports[0]) {shift @ports}; while ($elements{port} = shift @ports) { if ($line->dest_str =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d +{1,3}/) { push @dests, $line->dest_str; } else { my @dests = $configs{$fw}->obj($line->dest_st +r) } while ($elements{dest} = pop @dests) { if ($line->source_str =~ /^\d{1,3}\.\d{1,3}\.\d{1, +3}\.\d{1,3}/) { push @sources, $line->source_str; } else { print "Help Me\t" . $line->source_str . "\n"; my @sources = $configs{$fw}->obj($line->source +_str); } # if ($line->action =~ /deny/) { # print $line->source_str, "\n"; # unless ($configs{$fw}->obj($line->source_str +)) {print "Cannot find " . $line->source_str, "\n"} # print Dumper(@sources); # } while ($elements{source} = pop @sources) { # if ($line->action =~ /deny/) { print Dumper( +%elements) } unless (checksource($elements{source})) { printf "%s,%s,%s,%s,%s,%s\n", $fw,$element +s{source},$elements{dest},$elements{proto},$elements{port},$line->act +ion; } } } } } } } sub checksource { my $block = shift; $block =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/; my $ip = $1; my $out = 0; foreach (@internal) { my ($net,$bit) = split('/'); if (unpack("N",inet_aton($net)) le unpack("N",inet_aton($ip)) +&& unpack("N",inet_aton($ip)) lt (unpack("N",inet_aton($net))+(2**(32 +-$bit)))) { $out = 1; } } return $out; }
Thanks for any help I can get.
Vec
Edit:
I've realized that a major part of my problem is that I should have been using @sources = $configs{$fw}->obj($line->source_str)->list when I was looking at a smaller utility that determines if an IP is in a particular group.
In reply to Objectionable reference by vectorvillain
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |