# $Id: ConfigFiles.n3,v 1.5 2002/12/22 18:46:08 graham Exp $ # # Network configuration files generation template. # This is used in conjunction with program N3GenReport.py. # #--------+---------+---------+---------+---------+---------+---------+---------+ # # # Copyright (c) 2002, CCLRC # # This file has been prepared for the public SWAD-Europe project. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. The name of the author may not be used to endorse or promote products # derived from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#--------+---------+---------+---------+---------+---------+---------+---------+
# $Source: /Users/graham/cvs/cvsweb/ninebynine.org/docs/SWAD-E/Scenario-HomeNetwork/ConfigFiles.n3,v $
# $Author: graham $
# $Date: 2002/12/22 18:46:08 $
# $Id: ConfigFiles.n3,v 1.5 2002/12/22 18:46:08 graham Exp $
#--------+---------+---------+---------+---------+---------+---------+---------+
#        1         2         3         4         5         6         7         8

# Namespace prefixes.
#
# NOTE(review): the namespace IRIs that should follow each prefix name are
# absent from this copy of the file (most likely dropped when the file was
# extracted from its web page; only "<#>" survived).  As written none of the
# @prefix lines below will parse.  Restore the IRIs from the original file
# before using this template.
@prefix rdf: .
@prefix rdfs: .
@prefix foaf: .
@prefix ical: .
@prefix user: .
@prefix ndev: .
@prefix dhcp: .
@prefix dnsa: .
@prefix homenet: .
@prefix rep: .
@prefix : <#> .

### Report structure ###
#
# The rep: vocabulary is interpreted by N3GenReport.py (see file header).
# Every [rep:var ...] is copied into the output files verbatim: nothing in
# this template quotes, escapes or validates the values taken from the RDF
# source data.  A host name, label, address, mask or port value that contains
# whitespace, a line break or configuration syntax is therefore passed
# straight through into dhcpd.conf, the zone file or the IOS access lists.
# Treat the RDF source as trusted input, and review the generated files
# before deploying them (several templates below are marked as not yet
# producing loadable IOS syntax).

# Entry point: generate the files only when the "Output" variable is defined.
rep:GenReport a rep:Report ;
    :- (
        [ rep:cmd rep:if ; rep:defined "Output" ; rep:do :GenFiles ]
    ) .

# Opens the three output files under OutDir, fills them when a local-network
# description matches :NetPattern, and closes them again.
#
# Output files (all relative to the OutDir variable):
#   dhcpd.conf            - ISC DHCP server configuration   (channel "dhc")
#   named-localnet.conf   - DNS zone data for the local domain (channel "dns")
#   IOS-accesslists.conf  - Cisco IOS access lists and time ranges (channel "ios")
#
# The IOS file is built from two rule sets: the dialer list (:DialPattern) and
# the outbound packet list (:AccessPattern).  Both are expanded by the same
# :GenEntryDetails generator, followed by the time ranges they refer to.
#
# NOTE(review): when no network matches, the same :NoHosts text is written to
# all three channels.  That text begins with ";", which is the comment marker
# used by the zone-file templates (:DNSHead) but not by the dhcpd templates
# ("#", see :DHCHead) or the IOS templates ("!", see :DialHead), so the
# fallback dhcpd.conf and IOS files are not syntactically valid as written.
:GenFiles a rep:Report ;
    :- (
        [ rep:cmd rep:open ; rep:chan "dhc" ; rep:file ( [ rep:var "OutDir" ] "/dhcpd.conf" ) ]
        [ rep:cmd rep:open ; rep:chan "dns" ; rep:file ( [ rep:var "OutDir" ] "/named-localnet.conf" ) ]
        [ rep:cmd rep:open ; rep:chan "ios" ; rep:file ( [ rep:var "OutDir" ] "/IOS-accesslists.conf" ) ]
        [ rep:cmd rep:if ; rep:pattern :NetPattern ;
          rep:do (
            [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCHead ]
            [ rep:cmd rep:write ; rep:chan "dns" ; rep:data :DNSHead ]
            [ rep:do :GenNetDetails ]
            [ rep:do :GenHostDetails ]
            [ rep:cmd rep:write ; rep:chan "dns" ; rep:data :DNSFoot ]
            [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCFoot ]
            # Dialer access list, or a one-line IOS comment if none is defined.
            [ rep:cmd rep:if ; rep:pattern :DialPattern ;
              rep:do (
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :DialHead ]
                [ rep:do :GenEntryDetails ]
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :DialFoot ]
              ) ;
              rep:else (
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :NoDial ]
              )
            ]
            # Outbound packet access list, or a one-line IOS comment if none.
            [ rep:cmd rep:if ; rep:pattern :AccessPattern ;
              rep:do (
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :AccessHead ]
                [ rep:do :GenEntryDetails ]
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :AccessFoot ]
              ) ;
              rep:else (
                [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :NoAccess ]
              )
            ]
            # Time ranges are emitted after the lists that reference them.
            [ rep:do :GenTimeRangeDetails ]
          ) ;
          rep:else (
            [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :NoHosts ]
            [ rep:cmd rep:write ; rep:chan "dns" ; rep:data :NoHosts ]
            [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :NoHosts ]
          )
        ]
        [ rep:cmd rep:close ; rep:chan "ios" ]
        [ rep:cmd rep:close ; rep:chan "dns" ]
        [ rep:cmd rep:close ; rep:chan "dhc" ]
    ) .

# Network-wide details: the zone preamble (:DNSNet) and the global dhcpd
# options (:DHCNet1), then the DNS server list joined with :DHCDNSSep, then
# the subnet declaration (:DHCNet2).
:GenNetDetails :- (
    [ rep:cmd rep:write ; rep:chan "dns" ; rep:data :DNSNet ]
    [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCNet1 ]
    [ rep:cmd rep:for ; rep:pattern :DNSPattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCDNS ]
      ) ;
      rep:sep (
        [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCDNSSep ]
      )
    ]
    [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCNet2 ]
) .

# Per-host details: one dhcpd "host" block and one zone A record for every
# host matched by :HostPattern.
:GenHostDetails :- (
    [ rep:cmd rep:for ; rep:pattern :HostPattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "dhc" ; rep:data :DHCHost ]
        [ rep:cmd rep:write ; rep:chan "dns" ; rep:data :DNSHost ]
      )
    ]
) .

# One IOS "time-range" block per calendar matched by :TimeRangePattern, with
# one "periodic" line per event in that calendar.
:GenTimeRangeDetails :- (
    [ rep:cmd rep:for ; rep:pattern :TimeRangePattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :TimeRangeHead ]
        [ rep:cmd rep:for ; rep:pattern :TimeRangeEventPattern ;
          rep:do (
            [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :TimeRangeEvent ]
          )
        ]
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :TimeRangeFoot ]
      )
    ]
) .

# This last section is a kludge to create useful config files in the absence
# of powerful enough inference capabilities in the RDF rules.  Ideally, all
# the logic to generate these access lists would provide a list of IOS
# primitive access rules to generate.
#
# I haven't yet figured out whether this is possible with cwm, though it is
# surely possible to design a general-purpose inference engine that can
# handle such transformations.
# Expands one access list.  For every item of the AccessList sequence bound
# by :DialPattern / :AccessPattern, exactly the generator matching the
# property present on that item (:EntryPattern binds each one optionally)
# is run; items carrying none of the properties produce no output.
#
# NOTE(review): IOS evaluates access-list entries top to bottom and the first
# match wins, so the order of the user:sequence list in the RDF source *is*
# the security policy: a permit placed before a deny in that list overrides
# it.  (Assumes rep:element visits the list in order - confirm in
# N3GenReport.py.)
:GenEntryDetails :- (
    [ rep:cmd rep:for ; rep:pattern :EntryPattern ;
      rep:do (
        [ rep:cmd rep:if ; rep:defined "PermitLocal" ; rep:do :GenPermitLocal ]
        [ rep:cmd rep:if ; rep:defined "DenyPool"    ; rep:do :GenDenyPool    ]
        [ rep:cmd rep:if ; rep:defined "DenyService" ; rep:do :GenDenyService ]
        [ rep:cmd rep:if ; rep:defined "PermitRule"  ; rep:do :GenPermitRule  ]
        [ rep:cmd rep:if ; rep:defined "PermitUser"  ; rep:do :GenPermitUser  ]
        [ rep:cmd rep:if ; rep:defined "PermitHost"  ; rep:do :GenPermitHost  ]
      )
    ]
) .

# Permit local: traffic within the local network.  See the note on
# :PermitLocal - the emitted line is not yet a correct IOS wildcard-mask rule.
:GenPermitLocal :- (
    [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :PermitLocal ]
) .

# Deny pool: block the DHCP dynamic address pool.  See the note on
# :DenyPool - the emitted line is not yet loadable IOS syntax.
:GenDenyPool :- (
    [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :DenyPool ]
) .

:GenDenyService :- (
    # Deny service: loop through protocols, denying each that is blocked.
    # One "deny <proto> any any eq <port>" line is written per excluded port.
    [ rep:cmd rep:for ; rep:pattern :DenyServicePattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :DenyServicePort ]
      )
    ]
) .

:GenPermitRule :- (
    # Permit rule: allow access by any host for designated services at designated times
    # ( [ rep:opt ( [ rep:uri user:permitRule ] [ rep:var "PermitRule" ] ) ] ),
    #
    # NOTE(review): if :PermitRulePattern does not match, the rep:else branch
    # writes :NoPermitRule - an IOS comment line, not a rule - so a mis-specified
    # permitRule silently drops out of the list.  Grep the generated file for
    # "No match for permitted rule" before loading it.
    [ rep:cmd rep:for ; rep:pattern :PermitRulePattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :PermitRule ]
      ) ;
      rep:else (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :NoPermitRule ]
      )
    ]
) .

:GenPermitUser :- (
    # Permit user: loop through designated hosts for indicated user, allowing access at any time
    # ( [ rep:opt ( [ rep:uri user:permitUser ] [ rep:var "PermitUser" ] ) ] ),
    #
    # NOTE(review): :PermitUserPattern binds AccessType, but the :PermitHost
    # template does not use it - every host the user uses gets an unconditional
    # "permit ip host <addr> any" with no protocol, port or time-range limit.
    [ rep:cmd rep:for ; rep:pattern :PermitUserPattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :PermitHost ]
      )
    ]
) .

:GenPermitHost :- (
    # Permit host: allowing access for host at any time
    # ( [ rep:opt ( [ rep:uri user:permitHost ] [ rep:var "PermitHost" ] ) ] )
    #
    # NOTE(review): as for :GenPermitUser, AccessType is matched but never
    # written; the result is an unrestricted permit for the host address.
    [ rep:cmd rep:for ; rep:pattern :PermitHostPattern ;
      rep:do (
        [ rep:cmd rep:write ; rep:chan "ios" ; rep:data :PermitHost ]
      )
    ]
) .
#### query patterns ####

# The local network and the values needed for the dhcpd globals, the subnet
# declaration and the zone preamble.  None of the properties is wrapped in
# rep:opt, so presumably a network lacking any one of them does not match at
# all and :GenFiles falls through to the :NoHosts branch for every file.
:NetPattern :- (
    [ rep:var "LocalNet" ]
    [ rep:and
        ( [ rep:uri user:networkDomain ]   [ rep:var "NetDomain" ] ),
        ( [ rep:uri dhcp:dhcpHostFQDN ]    [ rep:var "NetDHCPServer" ] ),
        ( [ rep:uri dhcp:defLease ]        [ rep:var "NetDefLease" ] ),
        ( [ rep:uri dhcp:maxLease ]        [ rep:var "NetMaxLease" ] ),
        ( [ rep:uri dhcp:updateStyle ]     [ rep:var "NetUpdateStyle" ] ),
        ( [ rep:uri user:networkAddr ]     [ rep:var "NetIPAddr" ] ),
        ( [ rep:uri user:networkMask ]     [ rep:var "NetIPMask" ] ),
        ( [ rep:uri user:broadcastAddr ]   [ rep:var "NetBCAddr" ] ),
        ( [ rep:uri user:defaultGateway ]  [ rep:var "NetGateway" ] ),
        ( [ rep:uri user:defaultDNS ]      [ rep:var "NetNameServers" ] ),
        ( [ rep:uri user:addressPool ]     [ rep:var "NetAddressPool" ] ),
        ( [ rep:uri user:netbiosServer ]   [ rep:var "NetNetbiosServer" ] )
    ]
) .

# Each name server in the NetNameServers list (used by :GenNetDetails to
# build the "option domain-name-servers" value).
:DNSPattern :- (
    [ rep:var "NetNameServers" ] rep:element [ rep:var "NetNameServer" ]
) .

# One fixed-address host: short name, free-text label, FQDN, IP and MAC.
# HostLabel is an rdfs:label and is written verbatim into the zone file as a
# trailing comment by :DNSHost.
:HostPattern :- (
    [ rep:var "Host" ]
    [ rep:and
        ( [ rep:uri user:hostName ]        [ rep:var "HostName" ] ),
        ( [ rep:uri rdfs:label ]           [ rep:var "HostLabel" ] ),
        ( [ rep:uri dnsa:hostDomainName ]  [ rep:var "HostFQDN" ] ),
        ( [ rep:uri dnsa:hostIPAddress ]   [ rep:var "HostIP" ] ),
        ( [ rep:uri dhcp:hostMACAddress ]  [ rep:var "HostMAC" ] )
    ]
) .

# The dialer rule set: IOS list number and the ordered sequence of rule items.
#
# NOTE(review): :DialPattern and :AccessPattern bind the same AccessListNum
# variable, and both :DialHead and :AccessHead begin with
# "no access-list <num>".  If user:IOS_Dialout_Rules and
# user:IOS_Recv_Local_Rules are given the same user:accessList number, the
# second header flushes the first list just written.
:DialPattern :- (
    [ rep:uri user:IOS_Dialout_Rules ]
    [ rep:and
        ( [ rep:uri user:accessList ]  [ rep:var "AccessListNum" ] ),
        ( [ rep:uri user:sequence ]    [ rep:var "AccessList" ] ),
        ( [ rep:uri rdfs:label ]       [ rep:var "DialLabel" ] )
    ]
) .

# The outbound packet-filter rule set; same shape as :DialPattern.
:AccessPattern :- (
    [ rep:uri user:IOS_Recv_Local_Rules ]
    [ rep:and
        ( [ rep:uri user:accessList ]  [ rep:var "AccessListNum" ] ),
        ( [ rep:uri user:sequence ]    [ rep:var "AccessList" ] ),
        ( [ rep:uri rdfs:label ]       [ rep:var "AccessLabel" ] )
    ]
) .
# One item of an access-list sequence.  Every rule property is optional;
# whichever is present decides which generator :GenEntryDetails runs.
:EntryPattern :- (
    [ rep:var "AccessList" ] rep:element [ rep:var "AccessItem" ]
    [ rep:and
        # These refer to localnet details already matched:
        ( [ rep:opt ( [ rep:uri user:permitLocal ]  [ rep:var "PermitLocal" ] ) ] ),
        ( [ rep:opt ( [ rep:uri user:denyPool ]     [ rep:var "DenyPool" ] ) ] ),
        # These match further details according to the property used
        ( [ rep:opt ( [ rep:uri user:denyService ]  [ rep:var "DenyService" ] ) ] ),
        ( [ rep:opt ( [ rep:uri user:permitRule ]   [ rep:var "PermitRule" ] ) ] ),
        ( [ rep:opt ( [ rep:uri user:permitUser ]   [ rep:var "PermitUser" ] ) ] ),
        ( [ rep:opt ( [ rep:uri user:permitHost ]   [ rep:var "PermitHost" ] ) ] )
    ]
) .

# A blocked service: the IP protocol plus each port in its excludePorts list.
:DenyServicePattern :- (
    [ rep:var "DenyService" ]
    [ rep:and
        ( [ rep:uri user:ipProtocol ]    [ rep:var "IPProtocol" ] ),
        ( [ rep:uri user:excludePorts ]  [ rep:var "ExcludePorts" ] rep:element [ rep:var "ExcludePortNumber" ] )
        # Logic fails if multiple excludePorts property lists present
    ]
) .

# A time-limited permit: the service (protocol, optional IP protocol and
# port) and the named time range during which it is allowed.
#
# NOTE(review): ipProtocol and includePort are independently optional here,
# but :PermitRule writes " eq <IncludePortNumber>" whenever IPProtocol is
# defined.  A service with an ipProtocol and no includePort therefore yields
# a dangling "eq" that IOS will reject.
:PermitRulePattern :- (
    [ rep:var "PermitRule" ]
    [ rep:and
        ( [ rep:uri user:accessServices ] [ rep:var "AccessServices" ]
          [ rep:uri user:accessProtocol ] [ rep:var "ServiceProtocol" ]
          [ rep:opt
              ( [ rep:uri user:ipProtocol ]   [ rep:var "IPProtocol" ] ),
              ( [ rep:uri user:includePort ]  [ rep:var "IncludePortNumber" ] )
          ]
        ),
        ( [ rep:uri user:accessTimes ] [ rep:var "AccessTimes" ]
          [ rep:uri user:rangeName ]   [ rep:var "TimeRangeName" ]
        )
    ]
) .

# Each host used by a permitted user, with its IP address.  AccessType is
# bound but not consumed by any output template.
:PermitUserPattern :- (
    [ rep:var "PermitUser" ]
    [ rep:and
        ( [ rep:uri user:usesHost ] [ rep:var "PermitHost" ] [ rep:uri user:hostIP ] [ rep:var "HostIP" ] ),
        ( [ rep:uri user:accessType ] [ rep:var "AccessType" ] )
    ]
) .

# A directly permitted host and its IP address.  AccessType is bound but not
# consumed by any output template.
:PermitHostPattern :- (
    [ rep:var "PermitHost" ]
    [ rep:and
        ( [ rep:uri user:accessType ]  [ rep:var "AccessType" ] ),
        ( [ rep:uri user:hostIP ]      [ rep:var "HostIP" ] )
    ]
) .

# A named time range: an ical:VCALENDAR carrying a user:rangeName.  The name
# is written directly as the IOS "time-range" identifier.
:TimeRangePattern :- (
    [ rep:var "TimeRange" ]
    [ rep:and
        ( [ rep:uri rdf:type ]        [ rep:uri ical:VCALENDAR ] ),
        ( [ rep:uri user:rangeName ]  [ rep:var "TimeRangeName" ] )
    ]
) .
# Each event of a time-range calendar: day name and start/end times, written
# as one IOS "periodic" line by :TimeRangeEvent.
:TimeRangeEventPattern :- (
    [ rep:var "TimeRange" ] [ rep:uri ical:VEVENT__PROP ] [ rep:var "TimeRangeEvent" ]
    [ rep:and
        ( [ rep:uri ndev:dayName ]    [ rep:var "DayName" ] ),
        ( [ rep:uri ndev:timeStart ]  [ rep:var "TimeStart" ] ),
        ( [ rep:uri ndev:timeEnd ]    [ rep:var "TimeEnd" ] )
    ]
) .

#### output templates ####
#
# Each template is a list of string literals, [rep:var ...] substitutions and
# rep:nl line breaks.  Substituted values are written unescaped.

# --- dhcpd.conf ---

:DHCHead :- (
    "# DHCP configuration generated by cwm/semafor RDF tools" rep:nl
    "#" rep:nl
) .

# Global dhcpd options.  Ends without a line break: the name-server list and
# :DHCNet2 complete the "option domain-name-servers" statement.
:DHCNet1 :- (
    "server-identifier " [rep:var "NetDHCPServer"] " ;" rep:nl
    "default-lease-time " [rep:var "NetDefLease"] " ;" rep:nl
    "max-lease-time " [rep:var "NetMaxLease"] " ;" rep:nl
    "ddns-update-style " [rep:var "NetUpdateStyle"] " ;" rep:nl
    "option subnet-mask " [rep:var "NetIPMask"] " ;" rep:nl
    "option broadcast-address " [rep:var "NetBCAddr"] " ;" rep:nl
    "option routers " [rep:var "NetGateway"] " ;" rep:nl
    "option domain-name " [rep:var "NetDomain"] " ;" rep:nl
    "option domain-name-servers "
) .

:DHCDNS :- ( [rep:var "NetNameServer"] ) .

:DHCDNSSep :- ( ", " ) .

# Closes the domain-name-servers statement and declares the subnet with its
# dynamic address pool.  NetAddressPool is expected in dhcpd "range" form
# (low address, high address); the same value is reused by :DenyPool, where
# that form is not valid.
:DHCNet2 :- (
    " ;" rep:nl
    "subnet " [rep:var "NetIPAddr"] " netmask " [rep:var "NetIPMask"] rep:nl
    " {" rep:nl
    " range " [rep:var "NetAddressPool"] " ;" rep:nl
    " option netbios-name-servers " [rep:var "NetNetbiosServer"] " ;" rep:nl
    " }" rep:nl
    "#" rep:nl
    "# Fixed host address details follow" rep:nl
    "#" rep:nl
) .

# Fixed address reservation for one host, keyed on its MAC address.
#
# NOTE(review): fixed-address is given HostFQDN rather than HostIP, although
# :HostPattern binds both.  dhcpd then has to resolve the name when it loads
# the configuration (and will get whatever the resolver returns) - consider
# emitting HostIP here so the reservation does not depend on DNS.
:DHCHost :- (
    "host " [rep:var "HostName"] rep:nl
    " {" rep:nl
    " hardware ethernet " [rep:var "HostMAC"] " ;" rep:nl
    " fixed-address " [rep:var "HostFQDN"] " ;" rep:nl
    " }" rep:nl
) .

:DHCFoot :- (
    "#" rep:nl
    "# End." rep:nl
) .

# --- DNS zone file ---

:DNSHead :- (
    "; DNS zone configuration generated by cwm/semafor RDF tools" rep:nl
    ";" rep:nl
) .

# Zone preamble: $ORIGIN, SOA and NS records.
#
# NOTE(review):
#  - The SOA serial is the fixed literal 20021211 (as the emitted comment
#    says).  Secondaries only transfer when the serial increases, so this
#    must be bumped on every regeneration or the zone will go stale.
#  - Only one name ("admin." + NetDHCPServer) is written before "(", whereas
#    an SOA record takes two: the primary server name and then the contact
#    mailbox.  Check a generated file against named-checkzone; this looks
#    like a missing MNAME field.
#  - NetDHCPServer is used both here and as the NS target.  If it lacks a
#    trailing dot it is relative to $ORIGIN and NetDomain is appended.
#  - "Expiratoon" is a typo in the emitted zone comment (harmless).
:DNSNet :- (
    "$ORIGIN " [rep:var "NetDomain"] "." rep:nl
    "@ IN SOA admin." [rep:var "NetDHCPServer"] " (" rep:nl
    " 20021211 ; SOA serial number -- needs to be updated" rep:nl
    " 10800 ; Refresh time 3 hours" rep:nl
    " 3600 ; Retry time 1 hour" rep:nl
    " 604800 ; Expiratoon time 1 week" rep:nl
    " 86400 ) ; TTL 1 day" rep:nl
    " NS " [rep:var "NetDHCPServer"] rep:nl
    ";" rep:nl
    "; Host address records follow" rep:nl
    ";" rep:nl
) .

# One A record per host.  HostLabel (free text from rdfs:label) becomes a
# trailing ";" comment; a label containing a line break would end the comment
# and start a new record line.
:DNSHost :- (
    [rep:var "HostName"] " IN A " [rep:var "HostIP"] " ; " [rep:var "HostLabel"] rep:nl
) .

:DNSFoot :- (
    ";" rep:nl
    "; End of DNS zone file" rep:nl
) .

# Written to all three channels when :NetPattern does not match.  Only the
# zone file treats a leading ";" as a comment.
:NoHosts :- ( ";#### No hosts defined ####" rep:nl ) .

# --- IOS access lists ---

# Header for the dialer list.  Starts by removing any existing list with the
# same number.
#
# NOTE(review): "no access-list <num>" is issued before the new entries are
# written.  If the list is already applied to an interface on a live router,
# IOS commonly treats a reference to a list with no entries as permit-all
# until the entries are re-added - apply the whole file as one unit, or build
# under a new number and swap.  Also confirm that the target IOS parser
# accepts the "! ..." remark appended on the same line as the command; "!" is
# only guaranteed to be a comment at the start of a line.
:DialHead :- (
    "!" rep:nl
    "! Dialer access list " [rep:var "AccessListNum"] rep:nl
    "!" rep:nl
    "no access-list " [rep:var "AccessListNum"] " ! Flush any previous list" rep:nl
) .

# No explicit final deny here (contrast :AccessFoot); the dialer list ends on
# IOS's implicit deny.
:DialFoot :- (
    "!" rep:nl
    "! End of dialer access list " [rep:var "AccessListNum"] rep:nl
) .

:NoDial :- ( "! No dialer access list" rep:nl ) .

# Header for the outbound packet list; same flush caveat as :DialHead.
:AccessHead :- (
    "!" rep:nl
    "! Outbound packet access list " [rep:var "AccessListNum"] rep:nl
    "!" rep:nl
    "no access-list " [rep:var "AccessListNum"] " ! Flush any previous list" rep:nl
) .

# Explicit default-deny closing the outbound list.  Keep this last: any
# entry written after it is unreachable.
:AccessFoot :- (
    "access-list " [rep:var "AccessListNum"] " deny ip any any" rep:nl
    "!" rep:nl
    "! End of outbound packet access list " [rep:var "AccessListNum"] rep:nl
) .

:NoAccess :- ( "! No outbound packet access list" rep:nl ) .

:PermitLocal :- (
    # The generated IOS command here needs fixing (address mask should be inverted)
    #access-list 106 permit ip 193.123.216.0 0.0.0.255 193.123.216.0 0.0.0.255
    #
    # NOTE(review): NetIPMask is a subnet mask, but IOS expects a wildcard mask
    # (1 bits = don't care).  With a subnet mask in that position the rule
    # matches something other than the local network, so the emitted line
    # must be corrected by hand before it is loaded.
    " ! ----- Note: address mask needs fixing -----" rep:nl
    "access-list " [rep:var "AccessListNum"] " permit ip "
        [rep:var "NetIPAddr"] " " [rep:var "NetIPMask"] " "
        [rep:var "NetIPAddr"] " " [rep:var "NetIPMask"] rep:nl
) .

:DenyPool :- (
    # The generated IOS command here needs fixing
    # range to be expressed as sequence of address/mask values rather than lo-hi pair
    #access-list 106 deny ip 193.123.216.96 0.0.0.31 any
    #
    # NOTE(review): NetAddressPool is the dhcpd "range" low/high pair (see
    # :DHCNet2), which is not IOS address/wildcard syntax; this line will be
    # rejected by the router as written.
    " ! ----- Note: address range needs fixing -----" rep:nl
    "access-list " [rep:var "AccessListNum"] " deny ip " [rep:var "NetAddressPool"] " any" rep:nl
) .

# One deny line per excluded port.  IOS accepts "eq <port>" only for tcp and
# udp, so user:ipProtocol must be one of those for the line to load.
:DenyServicePort :- (
    #access-list 106 deny tcp any any eq 1214
    "access-list " [rep:var "AccessListNum"] " deny " [ rep:var "IPProtocol" ] " any any "
        "eq " [ rep:var "ExcludePortNumber" ] rep:nl
) .

# Time-limited permit.  With an IP protocol: "<proto> any any eq <port>";
# without one: "ip any any", i.e. all IP traffic is allowed for the whole
# time range.  See :PermitRulePattern for the dangling-"eq" case.
:PermitRule :- (
    #access-list 106 permit tcp any any eq 1214 time-range allow-peertopeer
    #access-list 106 permit ip any any time-range control-timerange
    "access-list " [rep:var "AccessListNum"] " permit "
    [ rep:if [rep:defined "IPProtocol"] ;
      rep:do ( [rep:var "IPProtocol"] " any any" " eq " [rep:var "IncludePortNumber"] ) ;
      rep:else ( "ip any any" )
    ]
    " time-range " [rep:var "TimeRangeName"] rep:nl
) .

# IOS comment written in place of a permit rule whose pattern did not match
# (uses rep:local, not rep:var, for the unresolved PermitRule node).
:NoPermitRule :- (
    " ! ***** No match for permitted rule " [rep:local "PermitRule"] " *****" rep:nl
) .

# Unconditional permit for a single host address: no protocol, port or
# time-range restriction.  Used by both :GenPermitUser and :GenPermitHost.
:PermitHost :- (
    #access-list 106 permit ip host 193.123.216.65 any
    "access-list " [rep:var "AccessListNum"] " permit ip " "host " [rep:var "HostIP"] " any" rep:nl
) .

# --- IOS time ranges ---

:TimeRangeHead :- (
    #time-range allow-peertopeer
    "!" rep:nl
    "! Time range for " [rep:var "TimeRangeName"] rep:nl
    "!" rep:nl
    "time-range " [rep:var "TimeRangeName"] rep:nl
) .

# DayName / TimeStart / TimeEnd are written as-is; they must already be in
# the form IOS accepts (e.g. "Saturday 20:00 to 22:00").
:TimeRangeEvent :- (
    # periodic Saturday 20:00 to 22:00
    " periodic " [rep:var "DayName"] " " [rep:var "TimeStart"] " to " [rep:var "TimeEnd"] rep:nl
) .

:TimeRangeFoot :- (
    "!" rep:nl
    "! End of time range " [rep:var "TimeRangeName"] rep:nl
) .

#
#--------+---------+---------+---------+---------+---------+---------+---------+
# $Log: ConfigFiles.n3,v $
# Revision 1.5  2002/12/22 18:46:08  graham
# Updated copyright notice
#
# Revision 1.4  2002/12/16 17:28:39  graham
# Fix up inconsistencies with RDF semantics
#
# Revision 1.3  2002/12/12 12:21:58  graham
# All config files now generated.
# Adjust batch files to tweak a few names.
#
# Revision 1.2  2002/12/12 01:09:23  graham
# Most rules working.
# Generation of time-ranges remains.
#
# Revision 1.1  2002/12/11 14:42:50  graham
# Formatting template file created
#