6 Replies Latest reply on Jan 23, 2017 8:14 AM by Chris T

    regex for acls

    thsukudu

      I was curious how you are all configuring your regex for ACL entries.

      For example, an ACL can look like this:

      access-list 1 permit 1.1.1.1
      access-list 1 permit 2.2.2.0 255.255.255.0
      access-list 1 remark THIS IS A COMMENT
      access-list 1 remark ANOTHER LINE OF COMMENT
      access-list 1 permit 3.3.3.3 log
      access-list 1 deny any log

      My problem is that sometimes the "remark" lines are all over the place, sometimes 1 or 2 remarks, depending on what version of IOS it's running.

      I tried various permutations of

      access-list 1 permit 1.1.1.1
      (.*remark.*\n)*?
      access-list 1 permit 2.2.2.0 255.255.255.0
      (.*remark.*\n)*?
      access-list 1 permit 3.3.3.3 log
      (.*remark.*\n)*?
      access-list 1 deny any log

      but it doesn't seem to be working. Shouldn't the line "(.*remark.*\n)*?" match any number of lines (0 to infinity) with remark?

      Is there a better way to manage ACLs? Because this would fail if the ACL is out of place (2.2.2.0 is before 1.1.1.1) but would still be a valid ACL.
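      The two approaches the question is circling, as an added example that is not part of the thread: first the single ordered regex with remark lines allowed between entries, then a parse-and-compare check that answers "is there a better way" by reporting extra, missing and reordered entries separately. Python's re module stands in for the .NET regex engine SolarWinds uses; the sample ACL text, the 192.0.2.99 entry and all function names are constructed for this example.

```python
import re

# Constructed sample ACLs modelled on the ones in the thread.
GOOD_ACL = (
    "access-list 1 permit 1.1.1.1\n"
    "access-list 1 permit 2.2.2.0 255.255.255.0\n"
    "access-list 1 remark THIS IS A COMMENT\n"
    "access-list 1 remark ANOTHER LINE OF COMMENT\n"
    "access-list 1 permit 3.3.3.3 log\n"
    "access-list 1 deny any log\n"
)
# Same ACL with an unapproved entry inserted (192.0.2.99 is a placeholder).
BAD_ACL = GOOD_ACL.replace(
    "access-list 1 permit 2.2.2.0",
    "access-list 1 permit 192.0.2.99\naccess-list 1 permit 2.2.2.0",
)
# Same entries with the first two swapped: not what is on file, but a valid ACL.
SWAPPED_ACL = (
    "access-list 1 permit 2.2.2.0 255.255.255.0\n"
    "access-list 1 permit 1.1.1.1\n"
    "access-list 1 remark THIS IS A COMMENT\n"
    "access-list 1 permit 3.3.3.3 log\n"
    "access-list 1 deny any log\n"
)

# Approved entries, in the order they are expected on the device.
EXPECTED = [
    "access-list 1 permit 1.1.1.1",
    "access-list 1 permit 2.2.2.0 255.255.255.0",
    "access-list 1 permit 3.3.3.3 log",
    "access-list 1 deny any log",
]

# Zero or more remark lines for this ACL. ^ under MULTILINE pins each
# repetition to a line start; \r?\n accepts CRLF as well as LF configs.
REMARKS = r"(?:^access-list 1 remark .*\r?\n)*"


def build_ordered_pattern(expected):
    """One regex matching the expected entries in order, with any number
    of remark lines between them (the pattern the thread is trying to write)."""
    body = REMARKS.join(re.escape(e) + r"\r?\n" for e in expected)
    return re.compile("^" + body + REMARKS, re.MULTILINE)


def acl_matches(config, expected=EXPECTED):
    """True if the expected entries appear, in order, with only remarks between."""
    return build_ordered_pattern(expected).search(config) is not None


def acl_entries(config, acl_number="1"):
    """Non-remark entries of one numbered ACL, in config order.
    The trailing space in the prefix keeps ACL 10 from matching ACL 1."""
    prefix = f"access-list {acl_number} "
    entries = []
    for line in config.splitlines():
        line = line.strip()
        parts = line.split()
        if not line.startswith(prefix) or len(parts) < 3:
            continue
        if parts[2] == "remark":
            continue
        entries.append(line)
    return entries


def acl_diff(config, expected=EXPECTED, acl_number="1"):
    """Compare device entries with the approved list instead of regex-matching
    the whole block. Returns (extra, missing, out_of_order): extra entries are
    the security finding; a reordering is reported on its own so the operator
    can decide whether it matters (first match wins, so it often does)."""
    actual = acl_entries(config, acl_number)
    extra = [e for e in actual if e not in expected]
    missing = [e for e in expected if e not in actual]
    common_actual = [e for e in actual if e in expected]
    common_expected = [e for e in expected if e in actual]
    return extra, missing, common_actual != common_expected


if __name__ == "__main__":
    for name, acl in [("good", GOOD_ACL), ("bad", BAD_ACL), ("swapped", SWAPPED_ACL)]:
        print(name, acl_matches(acl), acl_diff(acl))
```

      The ordered regex rejects both the inserted entry and the swapped order, which is exactly the complaint in the question; the diff-based check tells the two cases apart, and it also catches entries placed before the first or after the last approved line, which a search for the expected block alone would not see.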

        • Re: regex for acls
          evilgoat

          Hey, thsukudu.

          It's not clear what you mean by 'manage your ACLs'. Do you want to specifically match the remark lines and remove them?

            • Re: regex for acls
              thsukudu

              evilgoat, I'm trying to make sure the ACLs on the device match what we have on file. "Remarks" aren't required to be put on the ACLs, so my regex is attempting to skip them, but it's not.

              The regex above doesn't work, and if I split the regex up in SolarWinds (access-list 1 permit 1.1.1.1 AND access-list 1 permit 2.2.2.0 255.255.255.0 etc...) that means there could be other entries in my ACL.

              An example of a GOOD ACL:

              access-list 1 permit 1.1.1.1
              access-list 1 permit 2.2.2.0 255.255.255.0
              access-list 1 remark THIS IS A COMMENT
              access-list 1 remark ANOTHER LINE OF COMMENT
              access-list 1 permit 3.3.3.3 log
              access-list 1 deny any log

              Example of a BAD ACL:

              access-list 1 permit 1.1.1.1
              access-list 1 permit SNEAKY ATTACKER IP
              access-list 1 permit 2.2.2.0 255.255.255.0
              access-list 1 remark THIS IS A COMMENT
              access-list 1 remark ANOTHER LINE OF COMMENT
              access-list 1 permit 3.3.3.3 log
              access-list 1 deny any log

              The regex string I made doesn't work on any of these because of the "remark" lines:

              access-list 1 permit 1.1.1.1
              (.*remark.*\n)*?                           !! 0 or more lines of remark
              access-list 1 permit 2.2.2.0 255.255.255.0
              (.*remark.*\n)*?
              access-list 1 permit 3.3.3.3 log
              (.*remark.*\n)*?
              access-list 1 deny any log

                • Re: regex for acls
                  evilgoat

                  Ah, ok.

                  Well, I don't have access to SolarWinds right now, but I did test something out on an online .NET regex helper and it seems to work:

                  I used \n(.*remark.*\n)* to ignore the remarks. You need the extra \n to terminate the lines you are checking for, and the ? is not required, as * already means 0 or more repetitions of the preceding.

                    • Re: regex for acls
                      thsukudu

                      Nah, I'm afraid that doesn't work either.

                        • Re: regex for acls
                          Chris T

                          What I did for my ACLs was break them down into separate lines where each approved permit or deny gets its own check. Once I have all those in there, I make another check at the end for a "must not contain" of something like the below.

                          ^access\-list 1 permit (?!(1\.1\.1\.1|2\.2\.2\.0 255\.255\.255\.0)).*[\r\n]$

                          That will check for any additional lines that contain something other than what should be approved. You can even add the remark line in there, so it will look like this:

                          ^access\-list 1 permit (?!(1\.1\.1\.1|2\.2\.2\.0 255\.255\.255\.0|remark)).*[\r\n]$

                          That should cover you for when there are remarks in there, so that you can still check to make sure that the permits and denies are correct at least. The remark lines are not checked for consistency, but they are not flagged as a failure.
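                          The "must not contain" allowlist check from this reply, as an added example that is not from the thread; Python's re module stands in for the .NET engine, and the config text, the 1.1.1.10 line and the function names are constructed. It goes beyond the posted pattern in two ways: each approved alternative is anchored to end of line inside the lookahead, so a prefix such as permit 1.1.1.10 is not accepted as permit 1.1.1.1, and remark lines are excluded before the allowlist is consulted, since a remark line begins "access-list 1 remark" and is never reached by a "remark" alternative placed after "permit ".

```python
import re

# Approved entries for ACL 1 (the thread's values); everything else is a hit.
APPROVED = [
    "permit 1.1.1.1",
    "permit 2.2.2.0 255.255.255.0",
    "permit 3.3.3.3 log",
    "deny any log",
]

# Constructed sample with one unapproved entry, one remark and one line from
# a different ACL number that must be left alone.
CONFIG = (
    "access-list 1 permit 1.1.1.1\n"
    "access-list 1 permit 1.1.1.10\n"
    "access-list 1 permit 2.2.2.0 255.255.255.0\n"
    "access-list 1 remark THIS IS A COMMENT\n"
    "access-list 1 permit 3.3.3.3 log\n"
    "access-list 1 deny any log\n"
    "access-list 10 permit any\n"
)


def build_must_not_match(acl_number, approved):
    """Negative-lookahead allowlist in the style of the reply above.

    A line of this ACL is a hit unless its action text is exactly one of the
    approved entries. Two differences from the posted pattern:
    - (?!remark\\b) drops remark lines before the allowlist is consulted; a
      remark line reads 'access-list 1 remark ...', so 'remark' inside a
      lookahead that follows 'permit ' would never see it.
    - \\s*$ inside the lookahead anchors each alternative to end of line, so a
      prefix such as 'permit 1.1.1.10' is not accepted as 'permit 1.1.1.1'.
    The trailing space after the ACL number keeps ACL 10 out of an ACL 1 check.
    """
    alts = "|".join(re.escape(a) for a in approved)
    return re.compile(
        rf"^access-list {re.escape(acl_number)} (?!remark\b)(?!(?:{alts})\s*$)[^\r\n]*$",
        re.MULTILINE,
    )


def unapproved_lines(config, acl_number="1", approved=APPROVED):
    """Return every line of the given ACL that is not on the approved list."""
    return build_must_not_match(acl_number, approved).findall(config)


if __name__ == "__main__":
    for hit in unapproved_lines(CONFIG):
        print("unapproved:", hit)
```

                          Run against the sample config this reports only the 1.1.1.10 line; the remark and the ACL 10 line are untouched, and a "deny any" without the expected "log" keyword is reported as well because the alternatives must match the whole line.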

                  • Re: regex for acls
                    sixmill

                    I've never been able to get a regex string to be consistently parsed in the configuration comparison module, so it doesn't surprise me that it's inconsistent in other applications.