Fortinet FortiGate - Official Support for Capirca

capirca/aclgen.py

@@ -40,6 +40,7 @@
 from capirca.lib import cloudarmor
 from capirca.lib import gce
 from capirca.lib import gcp_hf
+from capirca.lib import fortigate
 from capirca.lib import ipset
 from capirca.lib import iptables
 from capirca.lib import juniper
@@ -199,6 +200,7 @@ def RenderFile(base_directory, input_file, output_directory, definitions,
   win_afw = False
   xacl = False
   paloalto = False
+  fcl = False
 
   try:
     with open(input_file) as f:
@@ -268,6 +270,8 @@ def RenderFile(base_directory, input_file, output_directory, definitions,
     paloalto = copy.deepcopy(pol)
   if 'cloudarmor' in platforms:
     gca = copy.deepcopy(pol)
+  if 'fortigate' in platforms:
+    fcl = copy.deepcopy(pol)
 
   if not output_directory.endswith('/'):
     output_directory += '/'
@@ -366,11 +370,17 @@ def RenderFile(base_directory, input_file, output_directory, definitions,
       acl_obj = cloudarmor.CloudArmor(gca, exp_info)
       RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
                 input_file, write_files)
+
+    if fcl:
+      acl_obj = fortigate.Fortigate(fcl, exp_info)
+      RenderACL(str(acl_obj), acl_obj.SUFFIX, output_directory,
+                input_file, write_files)
+
   # TODO(robankeny) add additional errors.
   except (juniper.Error, junipermsmpc.Error, junipersrx.Error, cisco.Error,
           ipset.Error, iptables.Error, speedway.Error, pcap.Error,
           aclgenerator.Error, aruba.Error, nftables.Error, gce.Error,
-          cloudarmor.Error) as e:
+          cloudarmor.Error, fortigate.Error) as e:
     raise ACLGeneratorError(
         'Error generating target ACL for %s:\n%s' % (input_file, e))
 

capirca/lib/cloudarmor.py

@@ -105,39 +105,43 @@ def ConvertToDict(self, priority_index):
             'srcIpRanges': saddrs,
         }
     }
-
     # If scrIpRanges within a single term exceed _MAX_IP_RANGES_PER_TERM,
     # split into multiple terms
     source_addr_chunks = [
         saddrs[x:x+self._MAX_IP_RANGES_PER_TERM] for x in range(
             0, len(saddrs), self._MAX_IP_RANGES_PER_TERM)]
 
-    split_rule_count = len(source_addr_chunks)
-
-    for i, chunk in enumerate(source_addr_chunks):
+    if not source_addr_chunks:
       rule = copy.deepcopy(term_dict)
-      if split_rule_count > 1:
-        term_position_suffix = ' [%d/%d]' % (i+1, split_rule_count)
-        desc_limit = self._MAX_TERM_COMMENT_LENGTH - len(term_position_suffix)
-        rule['description'] = (rule.get('description', '')[:desc_limit]
-                               + term_position_suffix)
-
-      rule['priority'] = priority_index + i
-      rule['match'] = {
-          'versionedExpr': 'SRC_IPS_V1',
-          'config': {
-              'srcIpRanges': [str(saddr) for saddr in chunk],
-          }
-      }
+      rule['priority'] = priority_index
+      rule['match']['config']['srcIpRanges'] = ['*']
       rules.append(rule)
 
+    else:
+      split_rule_count = len(source_addr_chunks)
+      for i, chunk in enumerate(source_addr_chunks):
+        rule = copy.deepcopy(term_dict)
+        if split_rule_count > 1:
+          term_position_suffix = ' [%d/%d]' % (i+1, split_rule_count)
+          desc_limit = self._MAX_TERM_COMMENT_LENGTH - len(term_position_suffix)
+          rule['description'] = (rule.get('description', '')[:desc_limit]
+                                 + term_position_suffix)
+
+        rule['priority'] = priority_index + i
+        rule['match'] = {
+            'versionedExpr': 'SRC_IPS_V1',
+            'config': {
+                'srcIpRanges': [str(saddr) for saddr in chunk],
+            }
+        }
+        rules.append(rule)
+
     # TODO(robankeny@): Review this log entry to make it cleaner/more useful.
     # Right now, it prints the entire term which might be huge
     if len(source_addr_chunks) > 1:
       logging.debug('Current term [%s] was split into %d sub-terms since '
                     '_MAX_IP_RANGES_PER_TERM was exceeded',
                     str(term_dict), len(source_addr_chunks))
-
     return rules