#!/usr/bin/perl
use strict;
use warnings;
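# Flow table keyed by EPR id; each EPR holds sets (hash keys) of source IPs,
# destination IPs, port objects, comment text and interfaces collected from
# the CSV rows. The groups/services generators rewrite these sets in place
# before the policies are printed.
my %HoH;
# Names of "prot-lo:hi" range objects that need a custom service definition;
# filled by consolidate() and consumed by generate_consolidated_services().
my %portgroups;

# Return $value after checking it can be embedded in the double-quoted CLI
# arguments emitted below. The exact FortiOS quoting/escaping rules are not
# verified here, so rather than trying to escape we fail closed on anything
# that could terminate the quoted string or the line (and thereby inject
# further CLI statements): double quotes, backslashes and control characters.
# A missing column (undef) is also an error; an empty string is accepted as
# the original script did. Quoted CSV fields are not parsed (Text::CSV is
# not core), so a quoted field with an embedded comma also ends up here.
sub _check_field {
    my ($name, $value) = @_;
    die "$ARGV line $.: missing column for $name\n" unless defined $value;
    die "$ARGV line $.: $name contains a quote, backslash or control character: $value\n"
        if $value =~ /["\\\x00-\x1f\x7f]/;
    return $value;
}

while (<>) {
    next if $. == 1;    # header row (per file, see the continue block)
    chomp;
    s/\r\z//;           # tolerate CRLF exports; a stray CR would otherwise land in the last column
    # -1 keeps trailing empty fields so the column positions below stay stable.
    my @csv = split /,/, $_, -1;
    # Column layout (taken from the original script, not from a header):
    # 0=EPR id, 1=comment, 3=port, 4=source IP, 5=destination IP,
    # 8=source interface, 9=destination interface.
    my $epr            = _check_field('EPR',                   $csv[0]);
    my $comments       = _check_field('comments',              $csv[1]);
    my $trf_port       = _check_field('port',                  $csv[3]);
    my $source_ip      = _check_field('source IP',             $csv[4]);
    my $destination_ip = _check_field('destination IP',        $csv[5]);
    my $src_int        = _check_field('source interface',      $csv[8]);
    my $dst_int        = _check_field('destination interface', $csv[9]);

    # Ephemeral ports (49152-65535) are replaced by the pre-defined range object
    # for that protocol instead of creating one service object per port.
    if ( my ($prot, $port) = $trf_port =~ /(tcp|udp)-(\d+)/ ) {
        if ( $port >= 49152 && $port <= 65535 ) {
            $trf_port = { tcp => "GIgnite_high_ports_49152_to_65535", udp => "GP-49152-65535" }->{$prot};
        }
    }

    $HoH{$epr}{source_ip}{$source_ip}           = 1;
    $HoH{$epr}{destination_ip}{$destination_ip} = 1;
    $HoH{$epr}{trf_port}{$trf_port}             = 1;
    $HoH{$epr}{info_text}{$comments}            = 1;
    $HoH{$epr}{src_interface}{$src_int}         = 1;
    $HoH{$epr}{dst_interface}{$dst_int}         = 1;
}
continue {
    # With <> the line counter $. does not reset between files unless the
    # current file is closed explicitly; without this only the first file's
    # header row would be skipped. Runs on "next" as well.
    close ARGV if eof;
}

generate_source_groups();
generate_destination_groups();
generate_consolidated_services();

# Generate policies: one "edit 0" (id assigned by the device) per EPR, with
# every collected value quoted as a separate CLI argument.
_config("firewall policy");
foreach my $epr ( sort keys %HoH ) {
    _edit("0");
    _set("srcintf",  map { qq/"$_"/ } sort keys %{ $HoH{$epr}{src_interface} } );
    _set("dstintf",  map { qq/"$_"/ } sort keys %{ $HoH{$epr}{dst_interface} } );
    _set("srcaddr",  map { qq/"$_"/ } sort byip keys %{ $HoH{$epr}{source_ip} } );
    _set("dstaddr",  map { qq/"$_"/ } sort byip keys %{ $HoH{$epr}{destination_ip} } );
    _set("service",  map { qq/"$_"/ } @{ $HoH{$epr}{trf_port} } );
    _set("comments", map { qq/"$_"/ } sort keys %{ $HoH{$epr}{info_text} } );
    _set("action accept");
    _set("logtraffic all");
    _next();
}
_end();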
# Print the first argument (or nothing) followed by a newline; extra
# arguments are ignored, as in the original.
sub println {
    my $text = @_ ? $_[0] : '';
    print "$text\n";
}
# Emit a "config <section>" line; arguments are joined with spaces.
sub _config {
    my $section = join ' ', @_;
    println("config $section");
}
# Emit an 'edit "<name>"' line. The name is wrapped in double quotes but not
# escaped, so callers must not pass names containing quotes or backslashes.
sub _edit {
    my $name = join ' ', @_;
    println(qq{edit "$name"});
}
# Emit a "set <key> <values...>" line; values are printed as given, so the
# caller is responsible for quoting each one.
sub _set {
    my $statement = join ' ', @_;
    println("set $statement");
}
# Close the current "edit" entry.
sub _next {
    println('next');
}
# Close the current "config" section.
sub _end {
    println('end');
}
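# Sort comparator for dotted-quad strings: numeric by address, so 10.0.0.2
# sorts before 10.0.0.10. Values without a dotted quad (address-group names,
# hostnames) fall back to string order; previously they compared as 0 with
# an "uninitialized value" warning. The match is deliberately unanchored so
# a CIDR such as 10.0.0.0/24 still sorts by its network address.
sub byip {
    my $lhs = _ip_sort_key($a);
    my $rhs = _ip_sort_key($b);
    return $lhs <=> $rhs if defined $lhs && defined $rhs;
    return $a cmp $b;
}

# Fold the first dotted quad found in $text into one integer
# (a.b.c.d -> a*2^24 + b*2^16 + c*2^8 + d); returns undef when none is found.
sub _ip_sort_key {
    my ($text) = @_;
    return unless my @octet = $text =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
    return ( ( ( $octet[0] * 256 + $octet[1] ) * 256 + $octet[2] ) * 256 + $octet[3] );
}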
# Sort comparator for "tcp-N"/"udp-N" service names: by protocol, then
# numerically by port. If either side is not of that form (e.g. a
# pre-defined group name) the two strings are compared lexically.
sub byport {
    my @lhs = $a =~ /(tcp|udp)-(\d+)/;
    my @rhs = @lhs ? $b =~ /(tcp|udp)-(\d+)/ : ();
    if ( @lhs && @rhs ) {
        return $lhs[0] cmp $rhs[0] || $lhs[1] <=> $rhs[1];
    }
    return $a cmp $b;
}
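# Emit a "firewall addrgrp" section and, for every EPR with 15 or more
# source addresses, define a "src-<comment>" group holding them all and
# replace the EPR's source set with that single group name. EPRs below the
# threshold keep their addresses inline on the policy.
sub generate_source_groups {
    _config("firewall addrgrp");
    foreach my $epr ( sort keys %HoH ) {
        my $ips = $HoH{$epr}{source_ip};
        next if scalar( keys %{$ips} ) < 15;
        # Take the alphabetically first comment so the group name is stable
        # across runs: plain (keys %h)[0] varies per process since Perl 5.18
        # randomised hash order. NOTE(review): two EPRs sharing the same first
        # comment would produce the same group name; the comment text is also
        # embedded unescaped in the CLI, so it must be validated upstream.
        my $group = "src-" . ( sort keys %{ $HoH{$epr}{info_text} } )[0];
        _edit($group);
        _set("member", map { qq/"$_"/ } sort byip keys %{$ips});
        _next();
        %{$ips} = ( $group => 1 );
    }
    _end();
}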
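# Emit a "firewall addrgrp" section and, for every EPR with 15 or more
# destination addresses, define a "dst-<comment>" group holding them all and
# replace the EPR's destination set with that single group name. EPRs below
# the threshold keep their addresses inline on the policy.
sub generate_destination_groups {
    _config("firewall addrgrp");
    foreach my $epr ( sort keys %HoH ) {
        my $ips = $HoH{$epr}{destination_ip};
        next if scalar( keys %{$ips} ) < 15;
        # Take the alphabetically first comment so the group name is stable
        # across runs: plain (keys %h)[0] varies per process since Perl 5.18
        # randomised hash order. NOTE(review): two EPRs sharing the same first
        # comment would produce the same group name; the comment text is also
        # embedded unescaped in the CLI, so it must be validated upstream.
        my $group = "dst-" . ( sort keys %{ $HoH{$epr}{info_text} } )[0];
        _edit($group);
        _set("member", map { qq/"$_"/ } sort byip keys %{$ips});
        _next();
        %{$ips} = ( $group => 1 );
    }
    _end();
}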
# Collapse every EPR's port set into service object names (single ports or
# "prot-lo:hi" ranges) and emit a "firewall service custom" section defining
# each range object that consolidate() recorded in %portgroups.
sub generate_consolidated_services {
    # First pass: replace each port hash with an array of object names. As a
    # side effect consolidate() registers every range it creates.
    for my $epr ( sort keys %HoH ) {
        my @services = consolidate( $HoH{$epr}{trf_port} );
        $HoH{$epr}{trf_port} = \@services;
    }

    # Second pass: one custom service per recorded range.
    _config("firewall service custom");
    for my $name ( sort byport keys %portgroups ) {
        next unless $name =~ /(tcp|udp)-(\d+):(\d+)/;
        my ( $prot, $lo, $hi ) = ( $1, $2, $3 );
        _edit($name);
        _set("$prot-portrange $lo-$hi");
        _next();
    }
    _end();
}
# Turn a hash of port-object names (keys like "tcp-80") into a list of
# object names where runs of consecutive ports of one protocol are merged
# into "prot-lo:hi" range objects. Every range object created is recorded in
# %portgroups so its custom service can be defined later. Keys that are not
# of the "tcp-N"/"udp-N" form (e.g. pre-defined high-port groups) are passed
# through unchanged at the position the sort gives them.
sub consolidate {
    my ($ports_of) = @_;
    my @objects;
    my ( $cur_prot, $range_lo, $range_hi );

    # Name the currently open run: a single port keeps its plain name, a
    # multi-port run becomes a range object and is registered.
    my $flush = sub {
        return "$cur_prot-$range_hi" if $range_lo == $range_hi;
        my $name = "$cur_prot-$range_lo:$range_hi";
        $portgroups{$name} = 1;
        return $name;
    };

    for my $key ( sort byport keys %{$ports_of} ) {
        if ( $key !~ /(tcp|udp)-(\d+)/ ) {
            push @objects, $key;
            next;
        }
        my ( $prot, $port ) = ( $1, $2 );
        # Extend the open run when this port immediately follows it.
        if ( $cur_prot && $prot eq $cur_prot && $port == $range_hi + 1 ) {
            $range_hi = $port;
            next;
        }
        # Otherwise close the open run (if any) and start a new one here.
        push @objects, $flush->() if $cur_prot;
        ( $cur_prot, $range_lo, $range_hi ) = ( $prot, $port, $port );
    }
    push @objects, $flush->() if $cur_prot;

    return @objects;
}