network prefix mask based ACL

by kobayash on 07-10-2012 07:12 PM

Tested with Brocade ServerIron ADX : Yes

Description :

This is an approach to a network prefix and mask ACL.

As you know, OpenScript is feature rich and includes regex support.

Regex is very powerful, but slightly hard to use.

We have a sample which checks an IP address using regex.

However, most network engineers are not familiar with regex.

They are familiar with network/prefix notation such as 192.168.1.0/24.

And in some cases you want to use another mask such as /25 or /26.

In such cases a regex becomes complex and hard to understand.

My trivial code helps with such requirements.

Of course, I don't think that code is the best; please give me your comments.

The code has comments that will help you, but I would like to give you a short sample.

1. First, define the ACL. The following sample is 66.67.68.0/24:

    my $obj = Acl->new("66.67.68.0","255.255.255.0");

2. Next, check whether an IP address matches the ACL. host_in_range() packs the host into four bytes, ANDs it with the mask and compares the result with the network address:

    print "host in range : ".$obj->host_in_range("66.67.68.69")."\n";
    # 1

    print "host in range : ".$obj->host_in_range("66.67.69.69")."\n";
    # 0

3. The method returns 1 (true) or 0 (false), so you can use it directly in a conditional such as if.

Limitations  : IPv4 only; the mask must be given in dotted-decimal form (255.255.255.128), not as a prefix length (/25).

Required environment  : 12.4.00b or later. The MP may crash if you use an earlier version.

Your Source Code :

use OS_SLB;
use OS_HTTP_REQUEST;

package Acl;

# Build an ACL object from a dotted-decimal network and mask.
# Both are packed into 4-byte strings so that the range check below
# is a single string-bitwise AND plus a comparison.
sub new {
        my $pkg = shift;
        my $network = shift;
        my $mask = shift;

        my @network = split('\.', $network);
        my $network_hex = pack("C4", @network);

        my @mask = split('\.', $mask);
        my $mask_hex = pack("C4", @mask);

        # Clear the host bits once here, so that "66.67.68.5"/255.255.255.0
        # behaves like "66.67.68.0"/255.255.255.0 instead of never matching.
        $network_hex = $network_hex & $mask_hex;

        bless {
        network_hex => $network_hex,
        mask_hex => $mask_hex
        }, $pkg;
}

# Return 1 if $host (dotted decimal) lies inside the network, 0 otherwise.
# Anything that is not four octets in 0..255 is treated as "not in range".
sub host_in_range {
        my $self = shift;
        my $host = shift;

        my $mask_hex = $self->{mask_hex};
        my $network_hex = $self->{network_hex};

        my @host = split('\.', $host);
        return 0 unless @host == 4 && !grep { !/^\d+$/ || $_ > 255 } @host;
        my $host_hex = pack("C4", @host);

        # (host AND mask) == network  <=>  host is inside the prefix
        if (($host_hex & $mask_hex) eq $network_hex) {
                return 1;
        } else { return 0; }
}

package main;

# Build the ACL once at load time in a BEGIN block instead of on every
# request; the object is read-only afterwards, so sharing it is safe.
my $acl;
BEGIN {
        $acl = Acl->new("66.67.68.0","255.255.255.0");
}

sub HTTP_REQUEST{

        # The following code is a sample.

        # In general, you get an IP address using OS_IP::src or a similar function,
        # then check whether it is in the defined network range with
        # $acl->host_in_range(), which returns "1" or "0".

        print "host in range : ".$acl->host_in_range("66.67.68.69")."\n";
        print "host in range : ".$acl->host_in_range("66.67.69.69")."\n";

        OS_SLB::forward("1");

}
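A standalone variant of the same prefix-and-mask check, added here as an example; it is not part of kobayash's script and does not use the OS_* OpenScript modules, so it runs under plain Perl. It goes beyond the posted code in three ways: it accepts the 192.168.1.0/24 prefix-length notation the description mentions as well as a dotted mask, it clears the host bits of the network on construction, and it rejects malformed addresses and non-contiguous masks at construction time instead of silently never matching. The package name CidrAcl, its methods and the sample hosts are all constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical CidrAcl package (example code, not the page's Acl package).
# Same idea as the original: pack addresses into 4-byte strings and use
# Perl's string-bitwise '&' (do not enable 'use feature "bitwise"', which
# would make '&' numeric and break the comparison).
package CidrAcl;

sub new {
    my ($class, $spec) = @_;
    my ($net, $mask) = split m{/}, $spec, 2;
    die "bad ACL spec '$spec' (want net/prefix or net/mask)\n"
        unless defined $net && defined $mask;

    my $net_bin = _ip_to_bin($net);
    my $mask_bin;
    if ($mask =~ /^\d+$/) {
        # Prefix length: build a 32-bit mask with the top $mask bits set.
        die "prefix length out of range in '$spec'\n" if $mask > 32;
        my $bits = $mask == 0 ? 0 : (0xFFFFFFFF << (32 - $mask)) & 0xFFFFFFFF;
        $mask_bin = pack("N", $bits);
    } else {
        # Dotted mask: reject non-contiguous ones such as 255.0.255.0.
        $mask_bin = _ip_to_bin($mask);
        my $inv = (~unpack("N", $mask_bin)) & 0xFFFFFFFF;
        die "non-contiguous mask in '$spec'\n" if $inv & (($inv + 1) & 0xFFFFFFFF);
    }
    return bless {
        network => $net_bin & $mask_bin,   # host bits cleared once, here
        mask    => $mask_bin,
        spec    => $spec,
    }, $class;
}

sub spec { $_[0]{spec} }

# 1 if $host is inside the prefix, 0 otherwise; dies on a malformed host.
sub host_in_range {
    my ($self, $host) = @_;
    my $host_bin = _ip_to_bin($host);
    return (($host_bin & $self->{mask}) eq $self->{network}) ? 1 : 0;
}

sub _ip_to_bin {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    die "bad IPv4 address '$ip'\n"
        unless @o == 4 && !grep { !/^\d{1,3}$/ || $_ > 255 } @o;
    return pack("C4", @o);
}

package main;

# Constructed sample ACLs and hosts for this example.
my @acls = map { CidrAcl->new($_) }
    qw(192.168.1.0/24 192.168.1.128/25 66.67.68.0/255.255.255.0);

for my $host (qw(192.168.1.5 192.168.1.200 66.67.68.69 66.67.69.69)) {
    for my $acl (@acls) {
        printf "%-14s in %-26s : %d\n", $host, $acl->spec, $acl->host_in_range($host);
    }
}

# Normalization: a network given with host bits set still matches its prefix.
printf "192.168.1.5 in 192.168.1.77/24 : %d\n",
    CidrAcl->new("192.168.1.77/24")->host_in_range("192.168.1.5");

# Malformed specs fail loudly at construction rather than never matching.
for my $bad (qw(10.0.0.0/33 10.0.0/24 10.0.0.0/255.0.255.0)) {
    eval { CidrAcl->new($bad) };
    print "rejected $bad: $@" if $@;
}
```

Building the objects once at file scope (or in a BEGIN block, as suggested in the comments below) keeps the per-request work down to one AND and one string compare.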

Comments
by Derek_Kang on 07-23-2012 03:52 PM

I find this contribution very useful. Just one comment: you might want to call "Acl->new" in a BEGIN block to avoid running it on every request.

by kobayash on 07-23-2012 11:12 PM

Hi Derek,

Thanks for your comments. You are right.

My script should be updated.

What is the best way to update it? Should I re-post?