[j-nsp] Re: [nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs (fwd)

Pekka Savola pekkas at netcore.fi
Tue Jan 13 10:43:34 EST 2004


On Mon, 12 Jan 2004, John Kristoff wrote:

I augmented this quite a bit:
 - add support for RPF checks in filters
 - add support for policies
 - add support for prefix-lists (this is especially tricky w/ calling 
   prefix-lists from firewall configs, but should work reasonably well)
 - also support more complex policies like ( foo && bar ) and [ unf ort ]

didn't seem to cause false positives (quickly looking) at least in
our network but there are probably some cases where it may fail.

have fun.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
-------------- next part --------------
#!/bin/sh
#
# filter-usage - list firewall filters, prefix-lists and policy-statements
#                from stored configs that are not in use
#
# requires: grep -E, awk and sort in the path
#           Juniper JUNOS stored configs
#
# 2004-01-12,jtk
#
# psavola 2004-01-13

if [ $# -eq 0 ] ; then
   echo "  Usage:   $0 path-to-router-config-file-directory"
   echo "  Usage:   $0 a-single-router-config-file"
   echo "Example:   $0 /var/configs"
   echo "Example:   $0 /var/configs/chicago-confg"
   exit 1
fi

# names of the objects defined as "<keyword> <name> {" in $confg
defined() {
    grep -E "^ *$1 [^ ]+ \{$" "$confg" | awk '{print $2}' | sort -u
}

search() {

    # filter: referenced as "input NAME;", "output NAME;",
    # "rpf-check fail-filter NAME;" (optionally followed by "mode loose") or,
    # when the rpf-check statement is expanded into a block, "fail-filter NAME;"

    for filter in $(defined filter) ; do
        if ! grep -Eq "^ *(input|output|rpf-check fail-filter|fail-filter) $filter( mode loose)?;$" "$confg" ; then
            echo "$confg:acl=$filter unused"
        fi
    done

    # prefix-list

    for prefix in $(defined prefix-list) ; do
        # note: this is nasty stuff: prefix lists can also be seen in firewall configs like:
        # from {
        #      prefix-list {
        #                  foo;
        # .. so the only way to even try to catch that is to try to guess it
        # using the whitespaces.  This kills off some real negatives, but doesn't
        # cause false positives
        if ! grep -Eq "(((source-|destination-)?prefix-list)| {18,}) $prefix;$" "$confg" ; then
            echo "$confg:prefix-list=$prefix unused"
        fi
    done

    # policy: referenced as "import NAME;", "export [ NAME ... ];",
    # "export ( NAME && ... );", "from policy NAME;" and so on.  The name is
    # matched as a whole word so that a reference to "foo-bar" does not count
    # as a use of "foo".

    for policy in $(defined policy-statement) ; do
        if ! grep -Eq "^ *((bootstrap-)?(import|export)|(from|to) policy)( .*)? $policy( .*)?;$" "$confg" ; then
            echo "$confg:policy=$policy unused"
        fi
    done

}

if test -f "$1" ; then
    confg=$1
    search
elif test -d "$1" ; then
    # every regular file directly inside the directory, dot-files included
    for confg in "$1"/* "$1"/.[!.]* ; do
        [ -f "$confg" ] || continue
        search
    done
fi

# end script
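The checks above are easiest to judge against a config where the answer is known. The following is an added example, not part of the original post or the attached script: it embeds a small, made-up JUNOS-style configuration (all names and prefixes are constructed for this demonstration) and runs the same three "is this object referenced anywhere?" heuristics over it. The config deliberately contains the two awkward cases the post mentions, a prefix-list that is only used from inside a firewall term (caught by the indentation guess, which assumes JUNOS's 4-space indentation so that the member line sits at column 24) and a policy that is only referenced inside an `export [ ... ]` list. The function name `unused_objects` and the helper `write_sample_config` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): run the unused-object
# heuristics against a constructed JUNOS-style config with a known answer.

# Write the constructed sample config to a temp file and print its path.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    prefix-list stale-list {
        198.51.100.0/24;
    }
    policy-statement export-customers {
        term 1 { then accept; }
    }
    policy-statement export-peers {
        term 1 { then reject; }
    }
    policy-statement export-old {
        term 1 { then reject; }
    }
}
firewall {
    family inet {
        filter protect-re {
            term mgmt {
                from {
                    prefix-list {
                        mgmt-hosts;
                    }
                }
                then accept;
            }
        }
        filter old-filter {
            term 1 { then discard; }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
protocols {
    bgp {
        group peers {
            export [ export-customers export-peers ];
        }
    }
}
EOF
    echo "$f"
}

# Report defined-but-unreferenced filters, prefix-lists and policies in the
# config file given as $1, one "<kind>=<name> unused" line per finding.
unused_objects() {
    confg=$1
    for filter in $(grep -E '^ *filter [^ ]+ \{$' "$confg" | awk '{print $2}' | sort -u) ; do
        grep -Eq "^ *(input|output|rpf-check fail-filter|fail-filter) $filter( mode loose)?;$" "$confg" \
            || echo "filter=$filter unused"
    done
    for prefix in $(grep -E '^ *prefix-list [^ ]+ \{$' "$confg" | awk '{print $2}' | sort -u) ; do
        # a member line indented 19+ columns is taken to be a prefix-list used
        # inside a firewall term (assumes JUNOS's 4-space indentation)
        grep -Eq "(((source-|destination-)?prefix-list)| {18,}) $prefix;$" "$confg" \
            || echo "prefix-list=$prefix unused"
    done
    for policy in $(grep -E '^ *policy-statement [^ ]+ \{$' "$confg" | awk '{print $2}' | sort -u) ; do
        grep -Eq "^ *((bootstrap-)?(import|export)|(from|to) policy)( .*)? $policy( .*)?;$" "$confg" \
            || echo "policy=$policy unused"
    done
}

# Demo run: only old-filter, stale-list and export-old should be reported.
sample=$(write_sample_config)
unused_objects "$sample"
rm -f "$sample"
```

Findings from a check like this deserve a second look against the live device rather than an immediate cleanup: a filter that exists but is applied nowhere is sometimes just stale, but it can also be a filter an operator believes is protecting an interface, which is the more interesting case from a security standpoint.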

