{"id":13994042,"url":"https://github.com/google/capirca","last_synced_at":"2026-01-12T01:49:59.497Z","repository":{"id":35911320,"uuid":"40198544","full_name":"google/capirca","owner":"google","description":"Multi-platform ACL generation system","archived":false,"fork":false,"pushed_at":"2025-12-04T20:14:49.000Z","size":2985,"stargazers_count":844,"open_issues_count":54,"forks_count":210,"subscribers_count":65,"default_branch":"master","last_synced_at":"2025-12-26T09:50:38.548Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-08-04T17:25:11.000Z","updated_at":"2025-12-23T18:15:39.000Z","dependencies_parsed_at":"2023-10-14T16:31:42.990Z","dependency_job_id":"242aeaad-5188-475a-a933-bf3d39c482d1","html_url":"https://github.com/google/capirca","commit_stats":{"total_commits":859,"total_committers":90,"mean_commits":9.544444444444444,"dds":0.7834691501746216,"last_synced_commit":"6dc4688a4a9dc45d8fe0b7b83815f8c82c15d3ae"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/google/capirca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcapirca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcapirca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcapirca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcapirca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/capirca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fcapirca/sbom","scorecard":{"id":436515,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/capirca","commit":"c34b7c8aa9cbf769146517f823d7b896555a8664"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.6,"checks":[{"name":"Code-Review","score":7,"reason":"Found 21/29 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":5,"reason":"7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'packages' permission set to 'write': .github/workflows/docker.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker.yml:5","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Warn: no topLevel permission defined: .github/workflows/pypi_release.yml:1","Warn: no topLevel permission defined: .github/workflows/windows.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:42","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:46","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:56","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:63","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:67","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:78","Info: Possibly incomplete results: error parsing job operating system: .github/workflows/main.yml:86","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/docker.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/main.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi_release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/pypi_release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi_release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/pypi_release.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/windows.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/windows.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/windows.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/windows.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/windows.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/windows.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/google/capirca/windows.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python:3.6-alpine to python:3.6-alpine@sha256:579978dec4602646fe1262f02b96371779bfb0294e92c91392707fa999c0c989","Warn: pipCommand not pinned by hash: Dockerfile:7","Warn: pipCommand not pinned by hash: Dockerfile:11","Warn: pipCommand not pinned by hash: dev-install:3","Warn: pipCommand not pinned by hash: dev-install:4","Warn: pipCommand not pinned by hash: .github/workflows/pypi_release.yml:20","Warn: pipCommand not pinned by hash: .github/workflows/pypi_release.yml:21","Info:   0 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   6 pipCommand dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: PYSEC-2018-49 / GHSA-rprw-h62v-c2w7","Warn: Project is vulnerable to: PYSEC-2022-42969","Warn: Project is vulnerable to: GHSA-jfmj-5v4g-7637"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker.yml:16"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T04:48:15.806Z","repository_id":35911320,"created_at":"2025-08-19T04:48:15.806Z","updated_at":"2025-08-19T04:48:15.806Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28331253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T00:36:25.062Z","status":"ssl_error","status_checked_at":"2026-01-12T00:36:15.229Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-09T14:02:40.738Z","updated_at":"2026-01-12T01:49:59.489Z","avatar_url":"https://github.com/google.png","language":"Python","funding_links":[],"categories":["Python","Library"],"sub_categories":["NETCONF"],"readme":"# capirca\n\n[![BuildStatus](https://travis-ci.org/google/capirca.svg?branch=master)](https://travis-ci.org/google/capirca)\n\u003c!-- \u003ca href=\"https://github.com/google/capirca/actions/\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/google/capirca/workflows/build/badge.svg?branch=master\"\u003e\u003c/a\u003e --\u003e\n\n- [About](#about)\n- [The basics](#the-basics)\n  - [Anatomy of a policy file](#anatomy-of-a-policy-file)\n      - [Headers](#headers)\n      - [Terms](#terms)\n      - [Tokens](#tokens)\n  - [Keywords](#keywords)\n      - [Required](#required)\n      - [Optional](#optional)\n  - [Includes](#includes)\n  - [Example](#example)\n      - [Term Keywords By Generator](#term-keywords-by-generator)\n      - [Term Examples](#term-examples)\n      - [Example Policy File](#example-policy-file)\n- [Getting Started](#getting-started)\n  - [Installation](#installation)\n      - [From Source](#from-source)\n      - [Package Manager](#package-manager)\n  - [Basic Usage](#basic-usage)\n  - [Python Package](#python-package)\n  - [Running with Docker](#running-with-docker)\n- [Miscellaneous](#miscellaneous)\n\n## About\n\nCapirca is designed to utilize common definitions of networks, services and\nhigh-level policy files to facilitate the development and manipulation of\nnetwork access control lists (ACLs) for various platforms. It was developed by\nGoogle for internal use, and is now open source.\n\nCapirca consist of `capirca` Python package and the `capirca` tool.\n\nThe typical usage workflow consists of the following steps:\n\n1.  Create **object definitions** containing \"network\" and \"service\" definitions\n1.  Create a **access control policy** defining the desired state of access\n    control and referencing the **object definitions** together with desired\n    firewall platforms\n1.  Generate ACL configurations by running `capirca` command referencing the\n    access control policy and the object definitions. The command triggers a\n    **generator** for each of the firewall platforms.\n\n## The basics\n\nAt a high-level capirca rationalizes objects (networks, services) against a\nsecurity definition (.pol file) to generate a specific device configuration file\nvia a platform specific **ACL generator**. Before getting started some objects\nmust exist, the below table summarizes where objects are stored:\n\npath              | description\n----------------- | -----------------------------------------\n/def/NETWORK.net  | a list of **network objects** definitions\n/def/SERVICES.svc | a list of **service objects** definitions\n\nEach network or service definition file has a very simple structure. A token is\ndefined, e.g. `GUEST_NET`, followed by an equal sign, then followed by a\ndefinition, e.g. `10.10.10.0/24`, and optional description field, e.g. `# guest\nnetwork range`.\n\n```\nGUEST_NET = 10.10.10.0/24      # guest network range\n```\n\nThe tool populates the **access control policy** from `.pol` files in a\nparticular directory, e.g. [`policies/`](./policies/). The tool searches\nrecursively for `.pol` files and add them to the policy, .e.g `.pol` files are\nlocated in [`policies/pol`](./policies/pol).\n\nAdditionally, the `.pol` files MAY reference other policy definition files\nlocated outside of the directory by using `include` directive. Please see\n[Includes](#includes) section for documentation.\n\n### Network Objects\n\nThe files with `.net` extension contain the definitions of network objects, e.g.\nIP networks and hosts. The following definition creates `INTERNAL` and `RFC1918`\nnetwork objects in the object definitions, whether `INTERNAL` references the IP\nranges of RFC 1918 defined in the `RFC1918`.\n\n```\nRFC1918 = 10.0.0.0/8      # non-public\n          172.16.0.0/12   # non-public\n          192.168.0.0/16  # non-public\n\nINTERNAL = RFC1918\n```\n\n[Back to Top](#table-of-contents)\n\n### Service Objects\n\nThe files with `.svc` extension contain the definitions of service objects, e.g.\nports and protocols.\n\n```\nDNS = 53/tcp  # transfers\n      53/udp  # queries\n```\n\n[Back to Top](#table-of-contents)\n\n### Object Nesting\n\nThe nesting of tokens is permitted only when both tokens are of the same type.\nThe referencing of a \"network\" object by \"service\" object is not allowed, and\nvice versa.\n\nThe examples of nesting of the network and service object follow.\n\n```\nHTTP = 80/tcp               # common web\nHTTPS = 443/tcp             # SSL web\nHTTP_8080 = 8080/tcp        #  web on non-standard port\nWEB_SERVICES = HTTP HTTP_8080 HTTPS  # all our web services\nDB_SERVICES = 3306/tcp      # allow db access\n              HTTPS         # and SSL access\nNYC_NETWORK = 200.1.1.0/24  # New York office\nATL_NETWORK = 200.2.1.0/24  # Atlanta office\nDEN_NETWORK = 200.5.1.0/24  # Denver office\nREMOTE_OFFICES = NYC_NETWORK\n                 ATL_NETWORK\n                 DEN_NETWORK\n```\n\nThe network objects may reference both IPv4 and IPv6 addresses at the same time.\n\n```\nLOOPBACK = 127.0.0.1/32          # loopback in IPv4\n           ::1/128               # loopback in IPv6\nLINKLOCAL = FE80::/10            # IPv6 link local address\nNYC_NETWORK = 172.16.1.0/24      # NYC IPv4\n              2620:0:10A1::/48   # NYC IPv6\n```\n\n[Back to Top](#table-of-contents)\n\n### Anatomy of a policy file\n\nA policy file (/policies/pol/something.pol) has the security policy written\nusing capirca specific meta-language and format. There are specific sections\n(e.g: header) that tell capirca how to generate the output configuration of the\nsecurity policy.\n\n#### Headers\n\nThe header section defines:\n\n*   **target** firewall platforms (which ACL generator to use)\n*   passes **additional arguments** to the generator responsible for that\n    platform.\n\nA single header may have many targets within a section. It will result in\nmultiple outputs being generated for that policy.\n\n#### Terms\n\nThe **term** sections defines the access control rules within an ACL, it contains\nkeywords followed by an object (service or network) and policy decision (\"action\" keyword).\n\nThe term section specifies the network flow metadata for ACL matching.\n\n*   Addresses\n*   Ports\n*   Protocols\n*   Action (allow/deny)\n\nInside a `term` a mandatory keyword will be found followed by an object token\nfor rule evaluation.\n\n#### Tokens\n\nTokens are the names of services and networks loaded from the object\ndefinitions. Example:\n\ntoken_name    | definition\n------------- | --------------\n\"HTTPS\"       | 443\n\"NYC_NETWORK\" | 192.168.0.0/24\n\n### Keywords\n\n| keyword  | description                                                      |\n| -------- | ---------------------------------------------------------------- |\n| required | **must be supported by all output policy generators**            |\n| optional | available in a subset of the generators and are intended to      |\n:          : provide additional flexibility when developing policies for that :\n:          : specific target platform                                         :\n\n#### Required\n\n*   **action**\n    *   accept\n    *   deny\n    *   reject\n    *   next\n    *   reject-with-tcp-rst\n*   **comment**\n    *   a text comment enclosed in double-quotes. Comments may span multiple\n        lines if desired.\n*   **destination-address**\n    *   one or more destination address tokens.\n*   **destination-exclude**\n    *   exclude one or more address tokens from the specified\n        destination-address.\n*   **destination-port**\n    *   one or more service definition tokens.\n*   **icmp-type**\n    *   specific icmp-type code to match (IPv4/IPv6 types vary).\n        *   IPv4:\n        *   echo-reply\n        *   unreachable\n        *   source-quench\n        *   redirect\n        *   alternate-address\n        *   echo-request\n        *   router-advertisement\n        *   router-solicitation\n        *   time-exceeded\n        *   parameter-problem\n        *   timestamp-request\n        *   timestamp-reply\n        *   information-request\n        *   information-reply\n        *   mask-request\n        *   mask-reply\n        *   conversion-error\n        *   mobile-redirect\n        *   IPv6:\n        *   destination-unreachable\n        *   packet-too-big\n        *   time-exceeded\n        *   parameter-problem\n        *   echo-request\n        *   echo-reply\n        *   multicast-listener-query\n        *   multicast-listener-report\n        *   multicast-listener-done\n        *   router-solicit\n        *   router-advertisement\n        *   neighbor-solicit\n        *   neighbor-advertisement\n        *   redirect-message\n        *   router-renumbering\n        *   icmp-node-information-query\n        *   icmp-node-information-response\n        *   inverse-neighbor-discovery-solicitation\n        *   inverse-neighbor-discovery-advertisement\n        *   version-2-multicast-listener-report\n        *   home-agent-address-discovery-request\n        *   home-agent-address-discovery-reply\n        *   mobile-prefix-solicitation\n        *   mobile-prefix-advertisement\n        *   certification-path-solicitation\n        *   certification-path-advertisement\n        *   multicast-router-advertisement\n        *   multicast-router-solicitation\n        *   multicast-router-termination\n*   **option**\n    *   connection options.\n        *   **established**\n            *   only permit established connections; implements tcp-established\n                flag if protocol is tcp only, otherwise adds 1024-65535 to\n                required destination-ports.\n        *   **tcp-established**\n            *   only permit established tcp connections, usually checked based\n                on TCP flag settings. If protocol UDP is included in term, only\n                adds 1024-65535 to required destination-ports.\n        *   **sample**\n            *   not supported by all generators. Samples traffic for netflow.\n        *   **intial**\n            *   currently only supported by juniper generator. Appends\n                tcp-initial to the term.\n        *   **rst**\n            *   currently only supported by juniper generator. Appends\n                \"tcp-flags rst\" to the term.\n        *   **first-fragment**\n            *   currently only supported by juniper generator. Appends\n                'first-fragment' to the term.\n*   **protocol**\n    *   network protocols this term will match, such as tcp, udp, icmp, or a\n        numeric value.\n*   **protocol-except**\n    *   network protocols that should be excluded from the protocol\n        specification. This is rarely used.\n*   **source-address**\n    *   one or more source address tokens.\n*   **source-exclude**\n    *   exclude one or more address tokens from the specified source-address.\n*   **source-port**\n    *   one or more service definition tokens.\n*   **verbatim**\n    *   this specifies that the text enclosed within quotes should be rendered\n        into the output without interpretation or modification. This is\n        sometimes used as a temporary workaround while new required features are\n        being added.\n\n#### Optional\n\nWARNING: These terms may or may not function properly on all generators. Always\nrefer to the generator specific documentation and code base.\n\n*   **address**\n    *   one or more network address tokens matches either source or destination.\n*   **counter**\n    *   (Juniper only) enable filter-based generic routing encapsulation (GRE)\n        tunneling using the specified tunnel template.\n*   **destination-prefix**\n    *   (Juniper only) specify destination-prefix matching (e.g. source-prefix`\n        configured-neighbors-only).\n*   **ether-type**\n    *   (Juniper only) specify matching ether-type(e.g. ether-type` arp).\n*   **fragement-offset**\n    *   (Juniper only) specify a fragment offset of a fragmented packet.\n*   **logging**\n    *   (Juniper, speedway/iptables) specify that this packet should be logged\n        via syslog.\n*   **loss-priority**\n    *   (Juniper only) specify loss priority.\n*   **packet-length**\n    *   (Juniper only) specify packet length.\n*   **policer**\n    *   (Juniper only) specify which policer to apply to matching packets.\n*   **precedence**\n    *   (Juniper only) specify precendence.\n*   **qos**\n    *   (Juniper only) apply quality of service classification to matching\n        packets (e.g. qos` af4).\n*   **routing-instance**\n    *   (iptables, speedway only) specify specific interface a term should apply\n        to (e.g. source-interface` eth3).\n*   **source-prefix**\n    *   (Juniper only) specify source-prefix matching (e.g. source-prefix,\n        configured-neighbors-only).\n*   **traffic-type**\n    *   (Juniper only) specify traffic-type.\n\n### Includes\n\nPolicy files support the use of `#include` statements. An include may be used to\navoid duplication of commonly used text, such as a group of terms that permit or\nblock specific types of traffic.\n\nAn include directive will result in the contents of the included file being\ninjected into the current policy file in the exact location of the `#include`\ndirective. An example include:\n\n```\n#include 'includes/untrusted-networks-blocking.inc'\n```\nNOTE: Includes are only read from the subdirectories of your base_directory,\nall other directories will error out.\n\nThe `.inc` file extension and the `includes/` folder is not required but it is\nrecommended to be used as a best practice and for easier readability.\n\n### Example\n\nWARNING: Not all generators have the same configuration options or feature set.\n\n```\nheader {\n  target:: paloalto from-zone internal to-zone external\n}\n\nterm ping-gdns{\n  source-address:: INTERNAL\n  destination-address:: GOOGLE_DNS\n  protocol:: icmp\n  action:: accept\n}\n```\n\nThe above example tells capirca to use paloalto.py to generate a platform\nspecific configuration for Palo Alto.\n\nThe security policy is written within the term section using the meta-language:\n\n*   name/description: ping-gdns\n*   source: any INTERNAL network (check /def/NETWORK.net definition of\n    'INTERNAL')\n*   destination: service object named GOOGLE_DNS\n*   protocol: icmp\n*   action: accept\n\nThe above ACL controls traffic in one direction only (outbound towards the\nservice) and there should be another header and term to control the traffic in\nthe opposite direction. Unless the target generator features the ability to\nautomatically create bi-directional configuration from a single ACL term. Always\ncheck the documentation of the generator or validate the output generated to\nvalidate final configuration and policy interpretation.\n\n#### Term Keywords By Generator\n\nThe following list contains links to the documentation of the individual policy\ngenerators:\n\n\u003c!-- begin-generator-term-links --\u003e\n\n*   [`arista`](./doc/generators/arista.md): Arista\n*   [`arista_tp`](./doc/generators/arista_tp.md): Arista Traffic Policy\n*   [`aruba`](./doc/generators/aruba.md): Aruba\n*   [`brocade`](./doc/generators/brocade.md): Brocade\n*   [`cisco`](./doc/generators/cisco.md): Cisco\n*   [`ciscoasa`](./doc/generators/ciscoasa.md): Cisco ASA\n*   [`cisconx`](./doc/generators/cisconx.md): Cisco NX\n*   [`ciscoxr`](./doc/generators/ciscoxr.md): Cisco XR\n*   [`cloudarmor`](./doc/generators/cloudarmor.md): cloudarmor\n*   [`gce`](./doc/generators/gce.md): GCE\n*   `gcp_hf`\n*   [`ipset`](./doc/generators/ipset.md): ipset\n*   [`iptables`](./doc/generators/iptables.md): iptables\n*   [`juniper`](./doc/generators/juniper.md): Juniper\n*   [`juniperevo`](./doc/generators/juniperevo.md): Juniper EVO\n*   [`junipermsmpc`](./doc/generators/junipermsmpc.md): Juniper\n*   [`junipersrx`](./doc/generators/junipersrx.md): Juniper SRX\n*   [`k8s`](./doc/generators/k8s.md): Kubernetes NetworkPolicy\n*   [`nftables`](./doc/generators/nftables.md): nftables\n*   [`nsxv`](./doc/generators/nsxv.md): NSX\n*   [`nsxt`](./doc/generators/nsxt.md): NSX-T\n*   [`packetfilter`](./doc/generators/packetfilter.md): PacketFilter\n*   [`paloaltofw`](./doc/generators/paloaltofw.md): Palo Alto PANOS\n*   [`pcap`](./doc/generators/pcap.md): PcapFilter\n*   [`sonic`](./doc/generators/sonic.md): SONiC ACLs in config_db.json format\n*   [`speedway`](./doc/generators/speedway.md): Speedway\n*   [`srxlo`](./doc/generators/srxlo.md): Stateless Juniper ACL\n*   [`windows_advfirewall`](./doc/generators/windows_advfirewall.md): Windows\n    Advanced Firewall \u003c!-- begin-generator-term-links --\u003e\n\n[Back to Top](#table-of-contents)\n\n#### Term Examples\n\nThe following are examples of how to construct a term, and assumes that naming\ndefinition tokens used have been defined in the definitions files.\n\n*   Block incoming bogons and spoofed traffic\n\n```\nterm block-bogons {\n  source-address:: BOGONS RFC1918\n  source-address:: COMPANY_INTERNAL\n  action:: deny\n}\n```\n\n*   Permit Public to Web Servers\n\n```\nterm permit-to-web-servers {\n  destination-address:: WEB_SERVERS\n  destination-port:: HTTP\n  protocol:: tcp\n  action:: accept\n}\n```\n\n*   Permit Replies to DNS Servers From Primaries\n\n```\nterm permit-dns-tcp-replies {\n  source-address:: DNS_PRIMARIES\n  destination-address:: DNS_SECONDARIES\n  source-address:: DNS\n  protocol:: tcp\n  option:: tcp-established\n  action:: accept\n}\n```\n\n*   Permit All Corporate Networks, Except New York, to FTP Server\n\nThis will \"subtract\" the `CORP_NYC_NETBLOCK` from the `CORP_NETBLOCKS` token.\nFor example, assume `CORP_NETBLOCKS` includes `200.0.0.0/20`, and\n`CORP_NYC_NETBLOCK` is defined as `200.2.0.0/24`. The `source-exclude` will\nremove the NYC netblock from the permitted source addresses. If the excluded\naddress is not contained with the source address, nothing is changed.\n\n```\nterm allow-inbound-ftp-from-corp {\n  source-address:: CORP_NETBLOCKS\n  source-exclude:: CORP_NYC_NETBLOCK\n  destination-port:: FTP\n  protocol:: tcp\n  action:: accept\n}\n```\n\n[Back to Top](#table-of-contents)\n\n#### Example Policy File\n\nBelow is an example policy file for a Juniper target platform. It contains two\nfilters, each with a handful of terms. This examples assumes that the network\nand service naming definition tokens have been defined.\n\n```\nheader {\n  comment:: \"edge input filter for sample network.\"\n  target:: juniper edge-inbound\n}\nterm discard-spoofs {\n  source-address:: RFC1918\n  action:: deny\n}\nterm permit-ipsec-access {\n  source-address:: REMOTE_OFFICES\n  destination-address:: VPN_HUB\n  protocol:: 50\n  action:: accept\n}\nterm permit-ike-access {\n  source-address:: REMOTE_OFFICES\n  destination-address:: VPN_HUB\n  protocol:: udp\n  destination-port:: IKE\n  action:: accept\n}\nterm permit-public-web-access {\n  destination-address:: WEB_SERVERS\n  destination-port:: HTTP HTTPS HTTP_8080\n  protocol:: tcp\n  action:: accept\n}\nterm permit-tcp-replies {\n  option:: tcp-established\n  action:: accept\n}\nterm default-deny {\n  action:: deny\n}\n\nheader {\n  comment:: \"edge output filter for sample network.\"\n  target:: juniper edge-outbound\n}\nterm drop-internal-sourced-outbound {\n  destination-address:: INTERNAL\n  destination-address:: RESERVED\n  action:: deny\n}\nterm reject-internal {\n  source-address:: INTERNAL\n  action:: reject\n}\nterm default-accept {\n  action:: accept\n}\n```\n\n[Back to Top](#table-of-contents)\n\n## Getting Started\n\n### Installation\n\n#### From Source\n\nIf `setuptools` Python package is not installed on your system, install it: For\nexample, the following commands installs the package with `apt` package manager.\n\n```bash\nsudo apt-get install python3-pip python3-setuptools\n```\n\nNext, to install `capirca` from source, clone the `capirca` repository and run\nits installer:\n\n```bash\ngit clone https://github.com/google/capirca.git\ncd capirca/\npython3 setup.py install --user\n```\n\nTypically, when provided `--user` argument, the installer creates the following\nfiles, where `3.8` is Python version and `2.0.0` is the version of `capirca`:\n\n*   `~/.local/bin/capirca`\n*   `~/.local/lib/python3.8/site-packages/capirca-2.0.0-py3.8.egg`\n\nIf necessary, remove build files:\n\n```bash\nrm -rf build capirca.egg-info dist\n```\n\nNext, test `capirca` by generating sample output filters for Cisco, Juniper,\niptables, and other firewall platforms.\n\n```bash\n~/.local/bin/aclgen\n```\n\nThe generation of sample output while in the `capirca`'s source code directory\ndoes not require command line parameters, because `capirca` inherits default\nsettings from the following configuration (see `capirca/utils/config.py`).\n\n```json\n{\n    'base_directory': './policies',\n    'definitions_directory': './def',\n    'policy_file': None,\n    'output_directory': './filters',\n    'optimize': False,\n    'recursive': True,\n    'debug': False,\n    'verbose': False,\n    'ignore_directories': ['DEPRECATED', 'def'],\n    'max_renderers': 10,\n    'shade_check': False,\n    'exp_info': 2\n}\n```\n\nAlthough the `policy_file` is `None`, the tool processes all policies located in\n`base_directory`, i.e. `./policies`. The tool loads network and service\ndefinitions from `definitions_directory`. The tool output generated ACLs to the\nroot of the source directory because `output_directory` is `./filters`.\n\n[Back to Top](#table-of-contents)\n\n#### Package Manager\n\nCurrently, the PyPI is out of date. Nevertheless, a user can install an older\nversion of `capirca` with `pip`:\n\n```py\npip install capirca --user\n```\n\n[Back to Top](#table-of-contents)\n\n### Basic Usage\n\nThere are a number of command-line arguments that can be used with `capirca`.\n\n```\n$ ~/.local/bin/capirca --helpfull\n\n       USAGE: capirca [flags]\nflags:\n\nabsl.app:\n  -?,--[no]help: show this help\n    (default: 'false')\n  --[no]helpfull: show full help\n    (default: 'false')\n  --[no]helpshort: show this help\n    (default: 'false')\n  --[no]helpxml: like --helpfull, but generates XML output\n    (default: 'false')\n  --[no]only_check_args: Set to true to validate args and exit.\n    (default: 'false')\n  --[no]pdb: Alias for --pdb_post_mortem.\n    (default: 'false')\n  --[no]pdb_post_mortem: Set to true to handle uncaught exceptions with PDB post mortem.\n    (default: 'false')\n  --profile_file: Dump profile information to a file (for python -m pstats). Implies --run_with_profiling.\n  --[no]run_with_pdb: Set to true for PDB debug mode\n    (default: 'false')\n  --[no]run_with_profiling: Set to true for profiling the script. Execution will be slower, and the output format might change over time.\n    (default: 'false')\n  --[no]use_cprofile_for_profiling: Use cProfile instead of the profile module for profiling. This has no effect unless --run_with_profiling\n    is set.\n    (default: 'true')\n\nabsl.logging:\n  --[no]alsologtostderr: also log to stderr?\n    (default: 'false')\n  --log_dir: directory to write logfiles into\n    (default: '')\n  --logger_levels: Specify log level of loggers. The format is a CSV list of `name:level`. Where `name` is the logger name used with\n    `logging.getLogger()`, and `level` is a level name  (INFO, DEBUG, etc). e.g. `myapp.foo:INFO,other.logger:DEBUG`\n    (default: '')\n  --[no]logtostderr: Should only log to stderr?\n    (default: 'false')\n  --[no]showprefixforinfo: If False, do not prepend prefix to info messages when it's logged to stderr, --verbosity is set to INFO level,\n    and python logging is used.\n    (default: 'true')\n  --stderrthreshold: log messages at this level, or more severe, to stderr in addition to the logfile.  Possible values are 'debug', 'info',\n    'warning', 'error', and 'fatal'.  Obsoletes --alsologtostderr. Using --alsologtostderr cancels the effect of this flag. Please also note\n    that this flag is subject to --verbosity and requires logfile not be stderr.\n    (default: 'fatal')\n  -v,--verbosity: Logging verbosity level. Messages logged at this level or lower will be included. Set to 1 for debug logging. If the flag\n    was not set or supplied, the value will be changed from the default of -1 (warning) to 0 (info) after flags are parsed.\n    (default: '-1')\n    (an integer)\n\ncapirca.capirca:\n  --base_directory: The base directory to look for acls; typically where you'd find ./corp and ./prod\n    (default: './policies')\n  --config_file: A yaml file with the configuration options for capirca;\n    repeat this option to specify a list of values\n  --[no]debug: Debug messages\n    (default: 'false')\n  --definitions_directory: Directory where the definitions can be found.\n    (default: './def')\n  --exp_info: Print a info message when a term is set to expire in that many weeks.\n    (default: '2')\n    (an integer)\n  --ignore_directories: Don't descend into directories that look like this string\n    (default: 'DEPRECATED,def')\n    (a comma separated list)\n  --max_renderers: Max number of rendering processes to use.\n    (default: '10')\n    (an integer)\n  -o,--[no]optimize: Turn on optimization.\n    (default: 'False')\n  --output_directory: Directory to output the rendered acls.\n    (default: './filters')\n  --policy_file: Individual policy file to generate.\n  --[no]recursive: Descend recursively from the base directory rendering acls\n    (default: 'true')\n  --[no]shade_check: Raise an error when a term is completely shaded by a prior term.\n    (default: 'false')\n  --[no]verbose: Verbose messages\n    (default: 'false')\n\nabsl.flags:\n  --flagfile: Insert flag definitions from the given file into the command line.\n    (default: '')\n  --undefok: comma-separated list of flag names that it is okay to specify on the command line even if the program does not define a flag\n    with that name.  IMPORTANT: flags in this list that have arguments MUST use the --flag=value format.\n    (default: '')\n```\n\nNotably, the `--config_file PATH` argument allows passing one or more yaml\nconfiguration files. These files will be prioritized from left to right, i.e.\nany duplicate configurations will be overriden, not merged.\n\nThe command line arguments take precendence over any settings passed via the\nconfiguration files.\n\nThe default `capirca` configurations in a YAML format follows:\n\n```yaml\n---\nbase_directory: ./policies\ndefinitions_directory: ./def\noutput_directory: ./\noptimize: false\nrecursive: true\ndebug: false\nverbose: false\nignore_directories:\n  - DEPRECATED\n  - def\nmax_renderers: 10\nshade_check: true\nexp_info: 2\n```\n\n[Back to Top](#table-of-contents)\n\n### Python Package\n\nThe `capirca` tool uses `capirca` Python package.\n\nTherefore, there is a way to access `capirca` programmatically.\n\n*   `policies/sample_paloalto.pol`\n*   `def/SERVICES.svc`\n*   `def/NETWORK.net`\n\nProvided you have the following files in your directory, the following code\nsnippets create a `naming` definitions object, policy object, and render\ngenerator filter output.\n\n**NOTE**: Paste the code snippets one line at a time.\n\nFirst, start Python interpreter:\n\n```\n$ python3\nPython 3.8.7 (default, Dec 22 2020, 10:37:26)\n[GCC 10.2.0] on linux\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n\u003e\u003e\u003e\n```\n\nNext, import `naming` library and create `naming` object from definitions files\nin `./def` directory.\n\n```py\nfrom pprint import pprint\nfrom capirca.lib import naming\ndefs = naming.Naming('./def')\npprint(defs)\n\u003ccapirca.lib.naming.Naming object at 0x7f8421b57280\u003e\n```\n\nThe `defs` object follows:\n\n```\n\u003ccapirca.lib.naming.Naming object at 0x7f8421b57280\u003e\n```\n\nThe `Naming` object has various methods. The `GetServiceNames` method returns\nthe service name tokens.\n\n```\n\u003e\u003e\u003e dir(defs)\n['GetIpParents', 'GetNet', 'GetNetAddr', 'GetNetChildren', 'GetServiceNames',\n \u003c...intentionally omitted ..\u003e\n'unseen_networks', 'unseen_services']\n\u003e\u003e\u003e\n\n\u003e\u003e\u003e pprint(defs.GetServiceNames())\n['WHOIS',\n 'SSH',\n \u003c...intentionally omitted ..\u003e\n 'TRACEROUTE']\n\u003e\u003e\u003e\n```\n\nThen, import `policy` library, read in the policy configuration data from\n`./policies/sample_paloalto.pol`, and create a policy object.\n\n```py\nfrom capirca.lib import policy\nconf = open('./policies/sample_paloalto.pol').read()\npol = policy.ParsePolicy(conf, defs, optimize=True)\n```\n\nThe policy object follows:\n\n```\n\u003e\u003e\u003e pprint(pol)\nPolicy: {Target[paloalto], Comments [], Apply groups: [], except: []:[ name: ping-gdns\n  source_address: [IPv4('10.0.0.0/8'), IPv4('172.16.0.0/12'), IPv4('192.168.0.0/16')]\n  destination_address: [IPv4('8.8.4.4/32'), IPv4('8.8.8.8/32'), IPv6('2001:4860:4860::8844/128'), IPv6('2001:4860:4860::8888/128')]\n  protocol: ['icmp']\n  action: ['accept'],  name: dns-gdns\n  source_address: [IPv4('10.0.0.0/8'), IPv4('172.16.0.0/12'), IPv4('192.168.0.0/16')]\n  destination_address: [IPv4('8.8.4.4/32'), IPv4('8.8.8.8/32'), IPv6('2001:4860:4860::8844/128'), IPv6('2001:4860:4860::8888/128')]\n  protocol: ['tcp']\n  destination_port: [(53, 53)]\n  action: ['accept'],  name: allow-web-outbound\n  source_address: [IPv4('10.0.0.0/8'), IPv4('172.16.0.0/12'), IPv4('192.168.0.0/16')]\n  protocol: ['tcp']\n  destination_port: [(80, 80), (443, 443)]\n  action: ['accept']], Target[paloalto], Comments [], Apply groups: [], except: []:[ name: allow-icmp\n  protocol: ['icmp']\n  action: ['accept'],  name: allow-only-pan-app\n  action: ['accept']\n  pan_application: ['http'],  name: allow-web-inbound\n  destination_address: [IPv4('200.1.1.1/32'), IPv4('200.1.1.2/32')]\n  protocol: ['tcp']\n  destination_port: [(80, 80), (443, 443)]\n  action: ['accept']\n  pan_application: ['ssl', 'http']]}\n\u003e\u003e\u003e\n```\n\nNext, import a generator library (here `paloaltofw` for Palo Alto firewalls) and\noutput a policy in the desired format.\n\n```py\nfrom capirca.lib import paloaltofw\nfor header in pol.headers:\n  if 'paloalto' in header.platforms:\n    jcl = True\n  if jcl:\n    output = paloaltofw.PaloAltoFW(pol, 1)\n    print(output)\n```\n\nThe following code initiates Palo Alto firewall ACL model with the default\nexpiration of 1 week.\n\n```\npaloaltofw.PaloAltoFW(pol, 1)\n```\n\n[Back to Top](#table-of-contents)\n\n### Running with Docker\n\nIf your use case is to just use the CLI and you don't want to go through the\nprocess of installing `capirca`, you can use the dockerized version of the tool.\n\nWhen using `docker`, mount your working directory to the `/data` directory of\nthe container and pass command-line arguments in the following way.\n\n```bash\ndocker run -v \"${PWD}:/data\" docker.pkg.github.com/google/capirca/capirca:latest\ndocker run -v \"${PWD}:/data\" docker.pkg.github.com/google/capirca/capirca:latest --helpfull\ndocker run -v \"${PWD}:/data\" docker.pkg.github.com/google/capirca/capirca:latest --config_file /data/path/to/config\n```\n\n[Back to Top](#table-of-contents)\n\n## Miscellaneous\n\n### Security considerations\n\nThe Capirca threat model assumes some control and verification of policy\ndefinitions (in .pol files). This is either through human user verification,\nor that policies are generated by upstream systems that enforce correctness.\n\nIt is recommended that the ACL generated by Capirca is always tested for\ncorrectness before being applied to production. Not all generators support every\nfeature, configuration option or term keywords. When something is unsupported,\nCapirca will error out. But due to the sensitive nature of network ACLs, it is\nalways recommended to test any new generator being used, or new policies being\ngenerated.\n\n### Additional documentation\n\n*   [aclcheck library](./doc/wiki/AclCheck-library.md)\n*   [policy reader library](./doc/wiki/PolicyReader-library.md)\n*   [policy library](./doc/wiki/Policy-library.md)\n*   [naming library](./doc/wiki/Naming-library.md)\n*   [capirca design doc](./doc/wiki/Capirca-design.md)\n\nExternal links, resources and references:\n\n*   [Brief Overview (4 slides):](https://docs.google.com/present/embed?id=dhtc9k26_13cz9fphfb\u0026autoStart=true\u0026loop=true\u0026size=1)\n*   [Nanog49; Enterprise QoS](http://www.nanog.org/meetings/nanog49/presentations/Tuesday/Chung-EnterpriseQoS-final.pdf)\n*   [Capirca Slack at NetworkToCode](https://networktocode.slack.com/)\n\n[Back to Top](#table-of-contents)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fcapirca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fcapirca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fcapirca/lists"}