#!/usr/bin/perl
use v5.10.1;
use warnings;
#use strict;
use Data::Dumper;
use Excel::Writer::XLSX;
use Getopt::Std;
use Scalar::Util qw(looks_like_number);
use vars qw($opt_c);
#use NetAddr::IP;
#use Net::IP::LPM;
#use Getopt::Std;
#use Cwd 'abs_path';
#use File::Basename;
#use DateTime::Format::Flexible;
# The main goal of this script is to translate a Hillstone config into a Juniper SRX config
# ---- script-wide state -------------------------------------------------
my $text;               # the whole config file as one string
my @texts;              # the config split into trimmed, non-blank lines
my $n        = 0;       # cursor into @texts for the first pass
my $second_n = 0;       # cursor into @texts for the second (route) pass
my $row      = 0;       # next free row in the compare worksheet
my $workbook;           # Excel::Writer::XLSX workbook for the compare file
my $worksheet;          # worksheet inside $workbook
my $hillstone_format;   # cell format of the hillstone column
my $srx_format;         # cell format of the srx column
# Hillstone predefined service names and the junos predefined application
# name that replaces each of them in the config text.
my %hilston_srx_services = (
    Any    => "any",
    FTP    => "junos-ftp",
    HTTP   => "junos-http",
    HTTPS  => "junos-https",
    ICMP   => "junos-icmp-all",
    RDP    => "junos-rdp",
    SSH    => "junos-ssh",
    SYSLOG => "junos-syslog",
);
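# Convert a dotted-decimal netmask (e.g. "255.255.255.0") into its prefix
# length (24).  Counting stops at the first zero octet.
#   @_ : the netmask, joined into one string as the original did
# Returns the number of network bits.  Dies on an octet that is not a legal
# contiguous-mask value: the original bit loop never terminated on such input
# (e.g. "255.255.127.0"), so a typo in the config hung the whole run.
sub get_netmask {
    my $netmask = "@_";
    # Every legal octet of a contiguous mask and the bits it contributes.
    my %bits_of = (
        0 => 0, 128 => 1, 192 => 2, 224 => 3, 240 => 4,
        248 => 5, 252 => 6, 254 => 7, 255 => 8,
    );
    my $bit_num = 0;
    OCTET:
    for my $octet ( split /\./, $netmask ) {
        # Normalise numerically so "0255" and "255" are the same key; a
        # non-numeric octet maps to -1, which is never a legal value.
        my $value = ( $octet =~ /\A\d+\z/ ) ? $octet + 0 : -1;
        die "get_netmask: invalid netmask octet '$octet' in '$netmask'\n"
            unless exists $bits_of{$value};
        # A zero octet ends the network part; anything after it is ignored.
        last OCTET if $value == 0;
        $bit_num += $bits_of{$value};
    }
    return $bit_num;
}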
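# Write one hillstone block and the SRX block generated from it side by side
# into the compare worksheet, one row per block pair.
#   $hillstone_conf, $srx_conf : array refs of config lines; left untouched
#                                (the original joined them in place)
# Relies on the file-level $worksheet, $row, $hillstone_format, $srx_format.
sub set_compare {
    my ( $hillstone_conf, $srx_conf ) = @_;
    # Strip the trailing newline some callers leave on a line and join the
    # block with "\n" so it shows as one wrapped cell.  Work on copies.
    my $hillstone_cell = join "\n", map { s/\n\z//r } grep { defined } @{$hillstone_conf};
    my $srx_cell       = join "\n", map { s/\n\z//r } grep { defined } @{$srx_conf};
    # write_string() stores the text literally; the generic write() would
    # turn a line that looks like a formula or a URL into a formula or
    # hyperlink cell, so config text could be reinterpreted by the viewer.
    $worksheet->write_string( $row, 0, $hillstone_cell, $hillstone_format );
    $worksheet->write_string( $row, 1, $srx_cell,       $srx_format );
    $row++;
    return;
}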
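# Translate one hillstone "address <name>" block (up to its "exit" line) into
# SRX global address-book statements, printing each one.
#   @_ : the address-book name, joined into one string
# Advances the file-level cursor $n to the block's "exit" line and, when -c
# was given, records the block pair via set_compare().
# Only the last token of a "description" line is kept, as in the original.
sub set_address_books {
    my $address_book_name = "@_";
    my ( @hillstone_config, @srx_config );
    push @hillstone_config, $texts[$n];
    $n++;
    my $prefix = "set security address-book global address $address_book_name";
    # Stop at "exit" or at end of input: a block that never closes must not
    # run off the end of @texts and spin forever comparing undef to "exit".
    until ( $n > $#texts || $texts[$n] eq "exit" ) {
        my @cells = split /\s+/, $texts[$n];
        push @hillstone_config, $texts[$n];
        my $line;
        if ( $cells[0] eq "ip" ) {
            $line = "$prefix $cells[-1]";
        }
        elsif ( $cells[0] eq "range" ) {
            $line = "$prefix range-address $cells[-2] to $cells[-1]";
        }
        elsif ( $cells[0] eq "description" ) {
            $line = "$prefix description $cells[-1]";
        }
        if ( defined $line ) {
            print "$line\n";
            push @srx_config, $line;
        }
        $n++;
    }
    push @hillstone_config, $texts[$n] if $n <= $#texts;
    if ( @hillstone_config && @srx_config && defined $opt_c ) {
        set_compare( \@hillstone_config, \@srx_config );
    }
    return;
}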
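# Translate one hillstone "service <name>" or "servgroup <name>" block into
# SRX application / application-set statements, printing each one.
#   $service_type : "service" or "servgroup"; anything else emits nothing
#   $service_name : the name used for the SRX application(-set)
# Advances $n to the block's "exit" line; records the pair via set_compare()
# when -c was given.  Lines are pushed without a trailing newline, matching
# set_address_books (set_compare strips it anyway).
sub set_services {
    my ( $service_type, $service_name ) = @_;
    my ( @hillstone_config, @srx_config );
    push @hillstone_config, $texts[$n];
    $n++;
    if ( $service_type eq "service" ) {
        my $prefix = "set applications application $service_name";
        # Stop at "exit" or at end of input so an unterminated block cannot
        # loop forever past the end of @texts.
        until ( $n > $#texts || $texts[$n] eq "exit" ) {
            my @cells = split /\s+/, $texts[$n];
            push @hillstone_config, $texts[$n];
            # The token count selects the output form: 3 and 4 tokens carry
            # only destination port(s), 6 and 7 add a source-port range.
            my $line;
            if ( @cells == 3 ) {
                $line = "$prefix term $cells[0]-$cells[1]-$cells[2] protocol $cells[0] destination-port $cells[2]";
            }
            elsif ( @cells == 4 ) {
                $line = "$prefix term $cells[0]-$cells[1]-$cells[2]-$cells[3] protocol $cells[0] destination-port $cells[-2]-$cells[-1]";
            }
            elsif ( @cells == 6 ) {
                $line = "$prefix term $cells[0]-$cells[1]-$cells[2] protocol $cells[0] destination-port $cells[2] source-port $cells[-2]-$cells[-1]";
            }
            elsif ( @cells == 7 ) {
                $line = "$prefix term $cells[0]-$cells[1]-$cells[2]-$cells[3] protocol $cells[0] destination-port $cells[2]-$cells[3] source-port $cells[-2]-$cells[-1]";
            }
            if ( defined $line ) {
                print "$line\n";
                push @srx_config, $line;
            }
            $n++;
        }
    }
    elsif ( $service_type eq "servgroup" ) {
        until ( $n > $#texts || $texts[$n] eq "exit" ) {
            push @hillstone_config, $texts[$n];
            my @cells = split /\s+/, $texts[$n];
            my $line = "set applications application-set $service_name application $cells[-1]";
            print "$line\n";
            push @srx_config, $line;
            $n++;
        }
    }
    # For an unknown type nothing was generated, so the compare is skipped.
    push @hillstone_config, $texts[$n] if $n <= $#texts;
    if ( @hillstone_config && @srx_config && defined $opt_c ) {
        set_compare( \@hillstone_config, \@srx_config );
    }
    return;
}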
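# Translate one hillstone "rule <id>" block into an SRX security policy named
# p_<id>, printing each statement.  Addresses given inline (src-ip, dst-ip,
# dst-host, src-range, dst-range) also get a global address-book entry.
#   @_ : the rule id, joined into one string
# A rule without an action, a source, a destination or a service is skipped,
# since it would not function on the hillstone either.  Zone handling:
#   both zones set, neither "any"  -> from-zone/to-zone policy
#   both zones set, one is "any"   -> global policy with a from-zone match
#   a zone missing                 -> global policy without zone match
# Advances $n to the block's "exit" line; records the pair with -c.
# Fixes the original's bareword `dst_address` (missing @) in the second
# case, which let a rule with no destination emit an empty match list.
sub set_polices {
    my $policy_id = "@_";
    my ( @hillstone_config, @srx_config );
    push @hillstone_config, $texts[$n];
    $n++;
    my ( $action, $src_zone, $dst_zone );
    my ( @src_address, @dst_address, @application );
    # Stop at "exit" or at end of input so an unterminated block cannot
    # loop forever past the end of @texts.
    until ( $n > $#texts || $texts[$n] eq "exit" ) {
        push @hillstone_config, $texts[$n];
        my @cells = split /\s+/, $texts[$n];
        my $key = $cells[0];
        my @book;    # address-book statements this line requires
        if ( $key eq "action" ) {
            $action = $cells[-1];
        }
        elsif ( $key eq "src-zone" ) {
            $src_zone = $cells[-1];
        }
        elsif ( $key eq "dst-zone" ) {
            $dst_zone = $cells[-1];
        }
        elsif ( $key eq "src-addr" ) {
            push @src_address, $cells[-1];
        }
        elsif ( $key eq "dst-addr" ) {
            push @dst_address, $cells[-1];
        }
        elsif ( $key eq "src-ip" ) {
            push @src_address, $cells[-1];
            push @book, "set security address-book global address $cells[-1] $cells[-1]";
        }
        elsif ( $key eq "dst-ip" || $key eq "dst-host" ) {
            push @dst_address, $cells[-1];
            push @book, "set security address-book global address $cells[-1] $cells[-1]";
        }
        elsif ( $key eq "service" ) {
            push @application, $cells[-1];
        }
        elsif ( $key eq "src-range" ) {
            push @src_address, "range-$cells[-2]-$cells[-1]";
            push @book, "set security address-book global address range-$cells[-2]-$cells[-1] range-address $cells[-2] to $cells[-1]";
        }
        elsif ( $key eq "dst-range" ) {
            push @dst_address, "range-$cells[-2]-$cells[-1]";
            push @book, "set security address-book global address range-$cells[-2]-$cells[-1] range-address $cells[-2] to $cells[-1]";
        }
        for my $line (@book) {
            print "$line\n";
            push @srx_config, $line;
        }
        $n++;
    }
    push @hillstone_config, $texts[$n] if $n <= $#texts;

    my @policy;
    my $complete = @src_address && @dst_address && @application && defined $action;
    my $match = "match source-address [ @src_address ] destination-address [ @dst_address ] application [ @application ]";
    if ($complete) {
        if ( defined $src_zone && defined $dst_zone ) {
            if ( $src_zone ne "any" && $dst_zone ne "any" ) {
                my $prefix = "set security policies from-zone $src_zone to-zone $dst_zone policy p_$policy_id";
                @policy = ( "$prefix $match", "$prefix then $action" );
            }
            else {
                my $prefix = "set security policies global policy p_$policy_id";
                @policy = (
                    "$prefix $match",
                    "$prefix match from-zone $src_zone to-zone $dst_zone",
                    "$prefix then $action",
                );
            }
        }
        else {
            my $prefix = "set security policies global policy p_$policy_id";
            @policy = ( "$prefix $match", "$prefix then $action" );
        }
    }
    for my $line (@policy) {
        print "$line\n";
        push @srx_config, $line;
    }
    if ( @hillstone_config && @srx_config && defined $opt_c ) {
        set_compare( \@hillstone_config, \@srx_config );
    }
    return;
}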
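# Translate one hillstone "interface <name>" block into SRX interface and
# zone statements, printing each one.  "aggregate" in a name is rewritten to
# "reth"; a member of an aggregate gets a redundant-parent on xe-0/0/<port>,
# where <port> is the part of the hillstone name after the last "/".
#   @_ : the interface name, joined into one string
# Advances $n to the block's "exit" line; records the pair with -c.
sub set_interface_zone {
    my $interface = "@_";
    my $port_num = ( split /\//, $interface )[-1];
    $interface =~ s!aggregate!reth!;
    my ( @hillstone_config, @srx_config );
    push @hillstone_config, $texts[$n];
    $n++;
    # Set by the "zone" line; a "manage" line seen before it still has undef
    # here, as in the original.
    my $zone;
    # Stop at "exit" or at end of input so an unterminated block cannot
    # loop forever past the end of @texts.
    until ( $n > $#texts || $texts[$n] eq "exit" ) {
        my @cells = split /\s+/, $texts[$n];
        push @hillstone_config, $texts[$n];
        my @lines;
        if ( $cells[0] eq "aggregate" ) {
            ( my $parent = $cells[-1] ) =~ s!aggregate!reth!;
            push @lines,
                "set interfaces xe-0/0/$port_num gigether-options redundant-parent $parent",
                "set interfaces $parent redundant-ether-options redundancy-group 1";
        }
        elsif ( $cells[0] eq "zone" ) {
            $zone = $cells[-1];
            push @lines, "set security zones security-zone $zone interfaces $interface";
        }
        elsif ( $cells[0] eq "ip" ) {
            # Only the four-token form (... <ip> <netmask>) is handled.
            if ( @cells == 4 ) {
                my $prefix_len = get_netmask( $cells[-1] );
                push @lines, "set interfaces $interface family inet address $cells[-2]/$prefix_len";
            }
        }
        elsif ( $cells[0] eq "manage" ) {
            push @lines, "set security zones security-zone $zone interfaces $interface host-inbound-traffic system-services $cells[-1]";
        }
        for my $line (@lines) {
            print "$line\n";
            push @srx_config, $line;
        }
        $n++;
    }
    push @hillstone_config, $texts[$n] if $n <= $#texts;
    if ( @hillstone_config && @srx_config && defined $opt_c ) {
        set_compare( \@hillstone_config, \@srx_config );
    }
    return;
}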
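# Translate one hillstone "ip vrouter <name>" block into SRX static routes
# inside routing-instance <name>, printing each statement.  The instance
# itself is only declared when the block contained at least one line, as
# the original did by assigning the name inside the loop.
#   @_ : the vrouter name, joined into one string
# Uses the second-pass cursor $second_n and advances it to the block's
# "exit" line; records the pair via set_compare() with -c.
sub set_route {
    my $name = "@_";
    my $routing_instance;    # stays undef for an empty block
    my ( @hillstone_config, @srx_config );
    push @hillstone_config, $texts[$second_n];
    $second_n++;
    # Stop at "exit" or at end of input so an unterminated block cannot
    # loop forever past the end of @texts.
    until ( $second_n > $#texts || $texts[$second_n] eq "exit" ) {
        $routing_instance = $name;
        my @cells = split /\s+/, $texts[$second_n];
        push @hillstone_config, $texts[$second_n];
        my @lines;
        if ( defined $cells[1] && $cells[1] eq "route" ) {
            my $prefix = "set routing-instances $routing_instance routing-options static route";
            if ( @cells == 4 ) {
                push @lines, "$prefix $cells[-2] next-hop $cells[-1]";
            }
            elsif ( @cells == 5 ) {
                push @lines, "$prefix $cells[2] next-hop $cells[-1]";
            }
            elsif ( @cells == 7 && $cells[-2] eq "description" ) {
                # The description becomes a junos annotation; "edit" and
                # "top" move the config cursor so "annotate" targets the route.
                push @lines,
                    "$prefix $cells[2] next-hop $cells[-3]",
                    "edit routing-instances $routing_instance routing-options static",
                    "annotate route $cells[2] $cells[-1]",
                    "top";
            }
        }
        for my $line (@lines) {
            print "$line\n";
            push @srx_config, $line;
        }
        $second_n++;
    }
    if ( defined $routing_instance ) {
        my $line = "set routing-instances $routing_instance instance-type virtual-router";
        print "$line\n";
        push @srx_config, $line;
    }
    push @hillstone_config, $texts[$second_n] if $second_n <= $#texts;
    if ( @hillstone_config && @srx_config && defined $opt_c ) {
        set_compare( \@hillstone_config, \@srx_config );
    }
    return;
}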
# The BEGIN block does some preliminary processing
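# Runs at compile time: validates the command line, parses -c (Getopt::Std
# sets $opt_c and removes the option from @ARGV), converts the config file
# to unix line endings in place and slurps it into $text with every double
# quote removed.
BEGIN {
    if ( $#ARGV < 0 || $#ARGV > 5 ) {
        die "\nUsage:\tperl $0 [ -c <compare-file.xlsx> ] <config.file>\n\n"
          . "Flags:\t-c file for compare between hillstone and srx configuration\n";
    }
    getopts('c:');
    # "-c file" alone leaves @ARGV empty; catch that before touching $ARGV[0].
    die "no config file given\n" unless @ARGV;
    # List form: the file name is passed as one argument and never goes
    # through a shell, so spaces or shell metacharacters in it are harmless.
    if ( system( '/usr/bin/dos2unix', $ARGV[0] ) != 0 ) {
        print "command failed!: dos2unix:\n";
        exit 1;
    }
    # Slurp the whole config; the rest of the script works on $text, not <>.
    open my $config, '<', $ARGV[0] or die "can't open file:$!\n";
    $text = do { local $/; <$config> };
    close $config;
    $text =~ s#\"##g;
}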
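# Replace hillstone's predefined service names in the whole config with the
# matching junos predefined application names (whole words only).
while ( my ( $hillstone_name, $srx_name ) = each %hilston_srx_services ) {
    # \Q..\E keeps the key literal should a name ever contain regex metachars.
    $text =~ s/\b\Q$hillstone_name\E\b/$srx_name/gm;
}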
# With -c, open the compare workbook and prepare one cell format per column:
# green text for the hillstone side, blue for srx, both wrapped, left
# aligned and vertically centred.
if ( defined $opt_c ) {
    print "Creating excel for compare...\n";
    $workbook = Excel::Writer::XLSX->new($opt_c) or die "Can't open excel as $!\n";
    my %color_of = ( hillstone => 'green', srx => 'blue' );
    my %format_of;
    for my $side (qw(hillstone srx)) {
        my $fmt = $workbook->add_format();
        $fmt->set_color( $color_of{$side} );
        $fmt->set_align('left');
        $fmt->set_align('vjustify');
        $fmt->set_align('vcenter');
        $fmt->set_text_wrap();
        $format_of{$side} = $fmt;
    }
    ( $hillstone_format, $srx_format ) = @format_of{qw(hillstone srx)};
    $worksheet = $workbook->add_worksheet('hillstone&&srx') or die "Can't open excel table hilston and srx\n";
}
else {
    print "Compare not needed\n";
}
# Split the config into lines, trim each one and drop those left empty
# (blank and whitespace-only lines).
@texts = grep { length } map { s/\A\s+|\s+\z//gr } split /\n/, $text;
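# First pass: walk the config top to bottom and hand each address, service,
# servgroup, rule and interface block to its translator.  Each translator
# leaves $n on the block's "exit" line; every other line is skipped.
# The bound is the index, not the line's truth value, so a line that reads
# "0" no longer ends the pass early.
while ( $n <= $#texts ) {
    my @configs = split /\s+/, $texts[$n];
    my $keyword = $configs[0];
    if ( $keyword eq "address" ) {
        set_address_books( $configs[-1] );
    }
    elsif ( $keyword eq "service" || $keyword eq "servgroup" ) {
        set_services( $configs[0], $configs[-1] );
    }
    elsif ( $keyword eq "rule" ) {
        set_polices( $configs[-1] );
    }
    elsif ( $keyword eq "interface" ) {
        set_interface_zone( $configs[-1] );
    }
    $n++;
}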
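# Second pass: only "... vrouter <name>" lines, translated by set_route(),
# which leaves $second_n on the block's "exit" line.
while ( $second_n <= $#texts ) {
    my @configs = split /\s+/, $texts[$second_n];
    if ( defined $configs[1] && $configs[1] eq "vrouter" ) {
        set_route( $configs[-1] );
    }
    $second_n++;
}
# Without -c no workbook was opened; the original called close() on undef
# here and died after all the output had been printed.
$workbook->close() if defined $workbook;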
# the last job: print the static application definitions at exit
# Printed at exit on every run: static SRX application and application-set
# definitions that the hillstone config does not carry itself.
END {
    my @static_lines = (
        "set applications application traceroute-icmp term t1 protocol icmp",
        "set applications application traceroute-icmp term t1 icmp-type 8",
        "set applications application traceroute-icmp term t1 icmp-code 0",
        "set applications application traceroute-udp term t1 protocol udp",
        "set applications application traceroute-udp term t1 destination-port 33400-34000",
        "set applications application SNMP term 1 protocol udp",
        "set applications application SNMP term 1 destination-port 161-162",
        "set applications application SNMP term 1 inactivity-timeout 30",
        "set applications application SNMP term 2 protocol tcp",
        "set applications application SNMP term 2 destination-port 161-162",
        "set applications application SNMP term 2 inactivity-timeout 30",
        "set applications application DNS term t1 alg dns",
        "set applications application DNS term t1 protocol udp",
        "set applications application DNS term t1 destination-port 53",
        "set applications application DNS term t2 alg dns",
        "set applications application DNS term t2 protocol tcp",
        "set applications application DNS term t2 destination-port 53",
        "set applications application-set TRACEROUTE application traceroute-icmp",
        "set applications application-set TRACEROUTE application traceroute-udp",
    );
    print map { "$_\n" } @static_lines;
}