| Mode | File | Lines |
| --- | --- | --- |
| -rw-r--r-- | .gitignore | 1 |
| -rw-r--r-- | python-capirca.spec | 338 |
| -rw-r--r-- | sources | 1 |

3 files changed, 340 insertions, 0 deletions
| @@ -0,0 +1 @@ +/capirca-2.0.9.tar.gz diff --git a/python-capirca.spec b/python-capirca.spec new file mode 100644 index 0000000..7c86d6a --- /dev/null +++ b/python-capirca.spec 
@@ -0,0 +1,338 @@ +%global _empty_manifest_terminate_build 0 +Name:		python-capirca +Version:	2.0.9 +Release:	1 +Summary:	Capirca +License:	Apache License, Version 2.0 +URL:		https://github.com/google/capirca/ +Source0:	https://mirrors.nju.edu.cn/pypi/web/packages/6a/21/2f7a20f2da1f7785f2236fdb4f000e79b5f4cb65eacd09c191700f3c9702/capirca-2.0.9.tar.gz +BuildArch:	noarch + +Requires:	python3-absl-py +Requires:	python3-ply +Requires:	python3-mock +Requires:	python3-six +Requires:	python3-PyYAML + +%description +/def/NETWORK.net  | a list of **network objects** definitions +/def/SERVICES.svc | a list of **service objects** definitions +Each network or service definition file has a very simple structure. A token is +defined, e.g. `GUEST_NET`, followed by an equal sign, then followed by a +definition, e.g. `10.10.10.0/24`, and optional description field, e.g. `# guest +network range`. +``` +GUEST_NET = 10.10.10.0/24      # guest network range +``` +The tool populates the **access control policy** from `.pol` files in a +particular directory, e.g. [`policies/`](./policies/). The tool searches +recursively for `.pol` files and add them to the policy, .e.g `.pol` files are +located in [`policies/pol`](./policies/pol). +Additionally, the `.pol` files MAY reference other policy definition files +located outside of the directory by using `include` directive. Please see +[Includes](#includes) section for documentation. +### Network Objects +The files with `.net` extension contain the definitions of network objects, e.g. +IP networks and hosts. The following definition creates `INTERNAL` and `RFC1918` +network objects in the object definitions, whether `INTERNAL` references the IP +ranges of RFC 1918 defined in the `RFC1918`. 
+``` +RFC1918 = 10.0.0.0/8      # non-public +          172.16.0.0/12   # non-public +          192.168.0.0/16  # non-public +INTERNAL = RFC1918 +``` +[Back to Top](#table-of-contents) +### Service Objects +The files with `.svc` extension contain the definitions of service objects, e.g. +ports and protocols. +``` +DNS = 53/tcp  # transfers +      53/udp  # queries +``` +[Back to Top](#table-of-contents) +### Object Nesting +The nesting of tokens is permitted only when both tokens are of the same type. +The referencing of a "network" object by "service" object is not allowed, and +vice versa. +The examples of nesting of the network and service object follow. +``` +HTTP = 80/tcp               # common web +HTTPS = 443/tcp             # SSL web +HTTP_8080 = 8080/tcp        #  web on non-standard port +WEB_SERVICES = HTTP HTTP_8080 HTTPS  # all our web services +DB_SERVICES = 3306/tcp      # allow db access +              HTTPS         # and SSL access +NYC_NETWORK = 200.1.1.0/24  # New York office +ATL_NETWORK = 200.2.1.0/24  # Atlanta office +DEN_NETWORK = 200.5.1.0/24  # Denver office +REMOTE_OFFICES = NYC_NETWORK +                 ATL_NETWORK +                 DEN_NETWORK +``` +The network objects may reference both IPv4 and IPv6 addresses at the same time. +``` +LOOPBACK = 127.0.0.1/32          # loopback in IPv4 +LINKLOCAL = FE80::/10            # IPv6 link local address +NYC_NETWORK = 172.16.1.0/24      # NYC IPv4 +              2620:0:10A1::/48   # NYC IPv6 +``` +[Back to Top](#table-of-contents) +### Anatomy of a policy file +A policy file (/policies/pol/something.pol) has the security policy written +using capirca specific meta-language and format. There are specific sections +(e.g: header) that tell capirca how to generate the output configuration of the +security policy. 
+#### Headers +The header section defines: +*   **target** firewall platforms (which ACL generator to use) +*   passes **additional arguments** to the generator responsible for that +    platform. +A single header may have many targets within a section. It will result in +multiple outputs being generated for that policy. +#### Terms +The **term** sections defines the access control rules within an ACL, it contains +keywords followed by an object (service or network) and policy decision ("action" keyword). +The term section specifies the network flow metadata for ACL matching. +*   Addresses +*   Ports +*   Protocols +*   Action (allow/deny) +Inside a `term` a mandatory keyword will be found followed by an object token +for rule evaluation. +#### Tokens +Tokens are the names of services and networks loaded from the object +definitions. Example: + +%package -n python3-capirca +Summary:	Capirca +Provides:	python-capirca +BuildRequires:	python3-devel +BuildRequires:	python3-setuptools +BuildRequires:	python3-pip +%description -n python3-capirca +/def/NETWORK.net  | a list of **network objects** definitions +/def/SERVICES.svc | a list of **service objects** definitions +Each network or service definition file has a very simple structure. A token is +defined, e.g. `GUEST_NET`, followed by an equal sign, then followed by a +definition, e.g. `10.10.10.0/24`, and optional description field, e.g. `# guest +network range`. +``` +GUEST_NET = 10.10.10.0/24      # guest network range +``` +The tool populates the **access control policy** from `.pol` files in a +particular directory, e.g. [`policies/`](./policies/). The tool searches +recursively for `.pol` files and add them to the policy, .e.g `.pol` files are +located in [`policies/pol`](./policies/pol). +Additionally, the `.pol` files MAY reference other policy definition files +located outside of the directory by using `include` directive. Please see +[Includes](#includes) section for documentation. 
+### Network Objects +The files with `.net` extension contain the definitions of network objects, e.g. +IP networks and hosts. The following definition creates `INTERNAL` and `RFC1918` +network objects in the object definitions, whether `INTERNAL` references the IP +ranges of RFC 1918 defined in the `RFC1918`. +``` +RFC1918 = 10.0.0.0/8      # non-public +          172.16.0.0/12   # non-public +          192.168.0.0/16  # non-public +INTERNAL = RFC1918 +``` +[Back to Top](#table-of-contents) +### Service Objects +The files with `.svc` extension contain the definitions of service objects, e.g. +ports and protocols. +``` +DNS = 53/tcp  # transfers +      53/udp  # queries +``` +[Back to Top](#table-of-contents) +### Object Nesting +The nesting of tokens is permitted only when both tokens are of the same type. +The referencing of a "network" object by "service" object is not allowed, and +vice versa. +The examples of nesting of the network and service object follow. +``` +HTTP = 80/tcp               # common web +HTTPS = 443/tcp             # SSL web +HTTP_8080 = 8080/tcp        #  web on non-standard port +WEB_SERVICES = HTTP HTTP_8080 HTTPS  # all our web services +DB_SERVICES = 3306/tcp      # allow db access +              HTTPS         # and SSL access +NYC_NETWORK = 200.1.1.0/24  # New York office +ATL_NETWORK = 200.2.1.0/24  # Atlanta office +DEN_NETWORK = 200.5.1.0/24  # Denver office +REMOTE_OFFICES = NYC_NETWORK +                 ATL_NETWORK +                 DEN_NETWORK +``` +The network objects may reference both IPv4 and IPv6 addresses at the same time. +``` +LOOPBACK = 127.0.0.1/32          # loopback in IPv4 +LINKLOCAL = FE80::/10            # IPv6 link local address +NYC_NETWORK = 172.16.1.0/24      # NYC IPv4 +              2620:0:10A1::/48   # NYC IPv6 +``` +[Back to Top](#table-of-contents) +### Anatomy of a policy file +A policy file (/policies/pol/something.pol) has the security policy written +using capirca specific meta-language and format. 
There are specific sections +(e.g: header) that tell capirca how to generate the output configuration of the +security policy. +#### Headers +The header section defines: +*   **target** firewall platforms (which ACL generator to use) +*   passes **additional arguments** to the generator responsible for that +    platform. +A single header may have many targets within a section. It will result in +multiple outputs being generated for that policy. +#### Terms +The **term** sections defines the access control rules within an ACL, it contains +keywords followed by an object (service or network) and policy decision ("action" keyword). +The term section specifies the network flow metadata for ACL matching. +*   Addresses +*   Ports +*   Protocols +*   Action (allow/deny) +Inside a `term` a mandatory keyword will be found followed by an object token +for rule evaluation. +#### Tokens +Tokens are the names of services and networks loaded from the object +definitions. Example: + +%package help +Summary:	Development documents and examples for capirca +Provides:	python3-capirca-doc +%description help +/def/NETWORK.net  | a list of **network objects** definitions +/def/SERVICES.svc | a list of **service objects** definitions +Each network or service definition file has a very simple structure. A token is +defined, e.g. `GUEST_NET`, followed by an equal sign, then followed by a +definition, e.g. `10.10.10.0/24`, and optional description field, e.g. `# guest +network range`. +``` +GUEST_NET = 10.10.10.0/24      # guest network range +``` +The tool populates the **access control policy** from `.pol` files in a +particular directory, e.g. [`policies/`](./policies/). The tool searches +recursively for `.pol` files and add them to the policy, .e.g `.pol` files are +located in [`policies/pol`](./policies/pol). +Additionally, the `.pol` files MAY reference other policy definition files +located outside of the directory by using `include` directive. 
Please see +[Includes](#includes) section for documentation. +### Network Objects +The files with `.net` extension contain the definitions of network objects, e.g. +IP networks and hosts. The following definition creates `INTERNAL` and `RFC1918` +network objects in the object definitions, whether `INTERNAL` references the IP +ranges of RFC 1918 defined in the `RFC1918`. +``` +RFC1918 = 10.0.0.0/8      # non-public +          172.16.0.0/12   # non-public +          192.168.0.0/16  # non-public +INTERNAL = RFC1918 +``` +[Back to Top](#table-of-contents) +### Service Objects +The files with `.svc` extension contain the definitions of service objects, e.g. +ports and protocols. +``` +DNS = 53/tcp  # transfers +      53/udp  # queries +``` +[Back to Top](#table-of-contents) +### Object Nesting +The nesting of tokens is permitted only when both tokens are of the same type. +The referencing of a "network" object by "service" object is not allowed, and +vice versa. +The examples of nesting of the network and service object follow. +``` +HTTP = 80/tcp               # common web +HTTPS = 443/tcp             # SSL web +HTTP_8080 = 8080/tcp        #  web on non-standard port +WEB_SERVICES = HTTP HTTP_8080 HTTPS  # all our web services +DB_SERVICES = 3306/tcp      # allow db access +              HTTPS         # and SSL access +NYC_NETWORK = 200.1.1.0/24  # New York office +ATL_NETWORK = 200.2.1.0/24  # Atlanta office +DEN_NETWORK = 200.5.1.0/24  # Denver office +REMOTE_OFFICES = NYC_NETWORK +                 ATL_NETWORK +                 DEN_NETWORK +``` +The network objects may reference both IPv4 and IPv6 addresses at the same time. 
+``` +LOOPBACK = 127.0.0.1/32          # loopback in IPv4 +LINKLOCAL = FE80::/10            # IPv6 link local address +NYC_NETWORK = 172.16.1.0/24      # NYC IPv4 +              2620:0:10A1::/48   # NYC IPv6 +``` +[Back to Top](#table-of-contents) +### Anatomy of a policy file +A policy file (/policies/pol/something.pol) has the security policy written +using capirca specific meta-language and format. There are specific sections +(e.g: header) that tell capirca how to generate the output configuration of the +security policy. +#### Headers +The header section defines: +*   **target** firewall platforms (which ACL generator to use) +*   passes **additional arguments** to the generator responsible for that +    platform. +A single header may have many targets within a section. It will result in +multiple outputs being generated for that policy. +#### Terms +The **term** sections defines the access control rules within an ACL, it contains +keywords followed by an object (service or network) and policy decision ("action" keyword). +The term section specifies the network flow metadata for ACL matching. +*   Addresses +*   Ports +*   Protocols +*   Action (allow/deny) +Inside a `term` a mandatory keyword will be found followed by an object token +for rule evaluation. +#### Tokens +Tokens are the names of services and networks loaded from the object +definitions. 
Example: + +%prep +%autosetup -n capirca-2.0.9 + +%build +%py3_build + +%install +%py3_install +install -d -m755 %{buildroot}/%{_pkgdocdir} +if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi +if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi +if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi +if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi +pushd %{buildroot} +if [ -d usr/lib ]; then +	find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/lib64 ]; then +	find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/bin ]; then +	find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst +fi +if [ -d usr/sbin ]; then +	find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst +fi +touch doclist.lst +if [ -d usr/share/man ]; then +	find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst +fi +popd +mv %{buildroot}/filelist.lst . +mv %{buildroot}/doclist.lst . + +%files -n python3-capirca -f filelist.lst +%dir %{python3_sitelib}/* + +%files help -f doclist.lst +%{_docdir}/* + +%changelog +* Tue Apr 11 2023 Python_Bot <Python_Bot@openeuler.org> - 2.0.9-1 +- Package Spec generated @@ -0,0 +1 @@ +43c2ad9156be459cb141d4a65c427195  capirca-2.0.9.tar.gz | 
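Review bot: the `%description` body (repeated verbatim under `%package -n python3-capirca` and `%package help`) is an excerpt of the upstream README that begins mid-table with `/def/NETWORK.net  | a list of **network objects** definitions`, carries markdown that an RPM description cannot render (`[Back to Top](#table-of-contents)`, the relative link to `./policies/`, fenced code blocks) and ends on the cut-off line `definitions. Example:`. Replace all three copies with a short hand-written paragraph stating what the package does; the README text on this page already describes it (network and service object definitions plus `.pol` policy files are turned into ACLs for target firewall platforms), so the summary can be written from that. Smaller points in the same hunk: `Summary: Capirca` and `License: Apache License, Version 2.0` should become a one-line description of the tool and the SPDX form `Apache-2.0`; `Source0` fetches the tarball from `https://mirrors.nju.edu.cn/pypi/web/packages/...` rather than the canonical PyPI host, so the spec should name which published digest the mirror copy is verified against; `Requires: python3-mock` looks like a test-only dependency, so confirm it is in upstream's `install_requires` before declaring it as a runtime requirement; and there is no `%check` section, so the package is built without running the upstream test suite, which is worth adding (with the matching `BuildRequires`) for a tool whose output is firewall rules.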
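Review bot: the `sources` entry `43c2ad9156be459cb141d4a65c427195  capirca-2.0.9.tar.gz` records only an MD5 digest, and MD5 is not collision-resistant, so it guards the tarball against accidental corruption but not against substitution. Before merging, compare the SHA-256 of the fetched file with the digest PyPI publishes for the capirca 2.0.9 sdist (the `Source0` URL in the spec points at a third-party mirror, not files.pythonhosted.org) and, where the dist-git tooling supports it, store the SHA-256 or SHA-512 here instead of the MD5.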
