junoser icon indicating copy to clipboard operation
junoser copied to clipboard

Published 20 hours ago verified publisher icon codeout

Detecting match conditions inside tcp-flags

Open Jypear opened this issue 11 months ago • 5 comments

Hi,

We are testing this tool for parsing junos configuration and using it for syntax checking. In configuration we have something like the following example:

set firewall family inet filter protect-router term prevent-syn-attacks from tcp-flags "(syn & !ack) | fin | rst"

When running junosers syntax checking the syntax error is raised by using ! or | in the match expression. However the syntax error is not present when stating a single tcp-flag (like syn or ack).

Generated rule files seems to show the available args for the TCP flag

        "tcp-flags" (  /* TCP flags */
          ("fin" | "syn" | "rst" | "push" | "ack" | "urgent" | arg)
        ),

However, juniper docs states match expressions are valid within configuration. https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-stateless-match-conditions-bit-field-values.html

In this a limitation of the XSD file Juniper supplies?

  <xsd:element name="tcp-flags" minOccurs="0" type="xsd:string">
    <xsd:annotation>
      <xsd:documentation>Match TCP flags (in symbolic or hex formats)</xsd:documentation>
      <xsd:appinfo>
        <flag>unquoted</flag>
        <flag>current-product-support</flag>
      </xsd:appinfo>
    </xsd:annotation>
  </xsd:element>

Jypear avatar Mar 08 '24 16:03 Jypear

Hi,

Thank you for your report. It looks like a quote-handling issue. That XSD generates ruby code below

a(str("tcp-flags"), arg),

which doesn't match expressions with a white space. We need a special care of this, but it can be fixed.

codeout avatar Mar 11 '24 07:03 codeout

I'm just thinking that we might interpret <flag>unquoted</flag> in the opposite way, like "may be quoted".

codeout avatar Mar 11 '24 07:03 codeout

Hi, thanks for taking a look at this.

which doesn't match expressions with a white space.

I can confirm, I modified the config file to the following: tcp-flags "(syn|!ack)|fin|rst" This worked fine without the whitespace.

When doing a syntax check, this works as both quoted and unquoted (as long as there is no whitespace).

Jypear avatar Mar 11 '24 09:03 Jypear

Hi, I've just pushed a quick fix for this. I'm going to study Juniper's .xsd to find long-time solution, but need some time. Meanwhile, if you don't mind installing junoser from GitHub, you can use the fixed version.

gem install specific_install
gem specific_install https://github.com/codeout/junoser.git

codeout avatar Mar 11 '24 14:03 codeout

Just installed the version from github and can confirm the changes you made have resolved that issue. Thanks for the quick fix and the time put into this tool. 👍

Jypear avatar Mar 11 '24 14:03 Jypear