
Commit 9caa02f

donaldjrayCapirca Team
authored andcommitted
Skip established rules in fortigate generator.
Fortigate is stateful and handles return flows automagically: https://www.fortinet.com/resources/cyberglossary/stateful-firewall PiperOrigin-RevId: 933409011
1 parent 44113a2 commit 9caa02f

2 files changed

Lines changed: 30 additions & 8 deletions


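--- a/capirca/lib/fortigate.py
+++ b/capirca/lib/fortigate.py
@@ -764,12 +764,12 @@ def _BuildTokens(self):
 'icmp_code',
 'fortigate_application_id'}
 
-supported_sub_tokens.update({'option': {'tcp-established'},
-# Warning, some of these are mapped
-# differently. See _ACTION_TABLE
-'action': {'accept', 'deny',
-'next', 'reject',
-'reject-with-tcp-rst'}})
+supported_sub_tokens.update({
+'option': {'established', 'tcp-established'},
+# Warning, some of these are mapped
+# differently. See _ACTION_TABLE
+'action': {'accept', 'deny', 'next', 'reject', 'reject-with-tcp-rst'},
+})
 
 return supported_tokens, supported_sub_tokens
 
@@ -841,6 +841,12 @@ def _TranslatePolicy(self, pol, exp_info):
 term.name,
 filter_name)
 continue
+if set(['established', 'tcp-established']).intersection(term.option):
+logging.debug(
+'Skipping established term %s because FortiGate is stateful.',
+term.name,
+)
+continue
 if term.expiration:
 if term.expiration <= exp_info_date:
 logging.info(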
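Review bot: The new skip in `_TranslatePolicy` drops a term on the `established`/`tcp-established` option alone without looking at `term.action`, so a `deny` or `reject` term carrying that option would silently disappear from the generated policy instead of rendering as a block rule; if the skip is meant only for the redundant accept-return-traffic case, gate it on the action as well (the shape of `term.action` is not visible in this hunk, so verify how other generators test it). The skip is logged at `logging.debug`, while the expiration path at the end of the hunk uses `logging.info`, so a dropped term is invisible in a normal run; `logging.info('Skipping established term %s because FortiGate is stateful.', term.name)` or a warning would keep the omission visible to whoever reviews the output. As a style point, `set(['established', 'tcp-established']).intersection(term.option)` reads more naturally as `{'established', 'tcp-established'}.intersection(term.option)`. `_TranslatePolicy` starts before the hunk and continues past it.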

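--- a/tests/lib/fortigate_test.py
+++ b/tests/lib/fortigate_test.py
@@ -292,7 +292,7 @@ def testServices(self):
 ip_term = self.fmt.format(TERM_TEMPLATE,
 remove_fields=('dest_port', 'src_port'))
 custom_port_term = self.fmt.format(TERM_TEMPLATE, src_port='WHOIS')
-#print("\icmp_term=========\n", icmp_term)
+# print("\icmp_term=========\n", icmp_term)
 
 dest_only_acl = fortigate.Fortigate(policy.ParsePolicy(
 GOOD_HEADER + dest_only_term,
@@ -342,7 +342,7 @@ def testInterfaces(self):
 no_interfaces_term = self.fmt.format(TERM_TEMPLATE,
 remove_fields=('src_interface',
 'dest_interface'))
-#print("no_interfaces_term=", no_interfaces_term)
+# print("no_interfaces_term=", no_interfaces_term)
 src_only_int_term = self.fmt.format(TERM_TEMPLATE,
 src_interface='wan1',
 remove_fields=('dest_interface',))
@@ -419,6 +419,22 @@ def testExpiration(self):
 and expiration_sig in str(expiration_acl),
 '[%s]' % str(expiration_acl))
 
+def testEstablished(self):
+"""Tests that established terms are skipped."""
+established_term = self.fmt.format(
+TERM_TEMPLATE,
+add_fields={'option': 'established', 'comment': '"test established"'},
+)
+
+established_acl = fortigate.Fortigate(
+policy.ParsePolicy(GOOD_HEADER + established_term, self.naming),
+EXP_INFO,
+)
+
+self.assertNotIn(
+'test established', str(established_acl), '[%s]' % str(established_acl)
+)
+
 def testApplication_ID(self):
 """
 Tests an application ID being used.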
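Review bot: `testEstablished` only checks that the skipped term's comment is absent from the output, so it would also pass if the generator emitted nothing at all; asserting that a non-established term from the same policy is still rendered would pin the intended behaviour rather than just the absence. It also covers only `option: established`, while the generator change skips `tcp-established` too, so a second term carrying that option is worth adding. The docstring could say why the term is dropped: `"""Tests that established terms are skipped: FortiGate is stateful and handles return traffic itself."""`. `testExpiration` ends just before the hunk and `testApplication_ID` continues past it.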
