NAME
Net::Cisco::ObjectGroup - Generate Cisco ACL object groups
VERSION
This document refers to version 0.04 of Net::Cisco::ObjectGroup.
SYNOPSIS
use Net::Cisco::ObjectGroup;
my $og = Net::Cisco::ObjectGroup->new({
type => 'icmp'
name => 'friendly_icmp',
description => 'ICMP types we like', # optional
pretty_print => 1, # optional
});
$g->push({icmp_type => 8}); # this is an echo request
$g->push({group_object => $another_objectgroup_object});
print $g->dump, "\n";
# prints the object-group configuration commands to STDOUT, something like:
object-group icmp friendly_icmp
description ICMP types we like
icmp-object echo
group-object other_icmp_types
DESCRIPTION
Use this module to manage the presentation of Cisco PIX or FWSM Object Groups. Group entries are pushed into the object in a simple parmaterized fashion, and you can then dump the content in a format that is parsable by Cisco devices.
IMPORTANT NOTE
This module's error checking is only concerned with syntactic correctness. It makes no judgement of the semantic correctness of your group entries.
For instance, newer FWSM systems use netmasks specified in terms of host address network masks (e.g. 255.255.255.0
), whereas older systems use wildcard bits (e.g. 0.0.0.255
). Net::Cisco::ObjectGroup
will not check that you use the correct type of mask, or even that your mask isn't something completely inappropriate (e.g. cabbages
).
METHODS
Net::Cisco::ObjectGroup->new
Each object group that you manage must be created through this method, which takes at least two parameters: the type
and the name
of the object group. The parameters must be provided in a single hash reference argument, like so:
my $g = Net::Cisco::ObjectGroup->new({
type => 'network',
name => 'my_new_object_group',
description => 'used for something useful', # optional
});
Optionally you may also provide a description of the group. For details of the types of object group available, and additional parameters to this method that they accept, see "GROUP TYPES", below.
Net::Cisco::ObjectGroup
is actually a factory class, and this method returns an object of the type that you requested in the type
parameter. All objects inherit from Net::Cisco::ObjectGroup::Base
, and on success this method will return an instance of one of the following:
Net::Cisco::ObjectGroup::ICMP
Net::Cisco::ObjectGroup::Network
Net::Cisco::ObjectGroup::Protocol
Net::Cisco::ObjectGroup::Service
push
Use this method to add an entry to the object group. Although according to Cisco's documentation order of the content of an object group is not significant, this module will preseve the order of pushed entries, with new entries being added to the end of the list of items in the group.
Parameters are all passed within a single hash reference argument. Which keys of that hash you populate will depend on the type of the object group on which you are operating. Logic within the module should check that you are syntactically correct, but for brevity of this documentation you are referred to the many Cisco manuals containing object group syntax usage guidelines.
See "GROUP TYPES", below, for parameter specifics.
dump
This method generates and returns the object group as it would look in a Cisco configuration file.
The returned value is a scalar, with embedded newline characters and no terminating newline, so you will need to append that as required. Note that when submitting this to, for example, a Net::Appliance::Session session via cmd()
, a newline will be automatically appended by that method.
Fully compatible Cisco commands are produced on the fly from the data stored in the Net::Cisco::ObjectGroup
object, so you can dump
and push
repeatedly to your heart's content.
GROUP TYPES
Following Cisco configuration guidelines, there are four types of object group available to you. Each of them implements a push()
object method to populate the group, with custom parameters as described below.
ICMP
The new
method to Net::Cisco::ObjectGroup
will also accept a pretty_print
parameter, which if set to a true value, enables the substitution of some numeric ICMP types for their text aliases within the output from dump
.
The push
method for ICMP object groups accepts the following parameters:
icmp_type
-
Fill this value in your parameter hash with an ICMP type. As mentioned above, it is your responsibility to enter something that the Cisco device will parse (e.g. a recognised ICMP type name or IANA assigned number).
group_object
-
Use this parameter to refer to another ICMP object group in this group entry.
Network
The push
method for Network object groups accepts the following parameters:
net_addr
,netmask
-
At a minimum, if configuring a network address, you must pass the
net_addr
parameter. Ifnetmask
is omitted, then thenet_addr
is assumed to be a host address (32 bit netmask). Otherwise, specify a netmask innetmask
. group_object
-
Use this parameter to refer to another Network object group in this group entry.
Protocol
The new
method to Net::Cisco::ObjectGroup
will also accept a pretty_print
parameter, which if set to a true value, enables the substitution of some protocol numbers for their text aliases within the output from dump
.
The push
method for Protocol object groups accepts the following parameters:
protocol
-
Fill this value in your parameter hash with a protocol type. As mentioned above, it is your responsibility to enter something that the Cisco device will parse (e.g. a recognised protocol name or IANA assigned number).
group_object
-
Use this parameter to refer to another Protocol object group in this group entry.
Service
The new
method to Net::Cisco::ObjectGroup
will also accept a pretty_print
parameter, which if set to a true value, enables the substitution of some port numbers for their corresponding service names within the output from dump
.
The new
method for Service object groups requires the following additional parameter:
protocol
-
Service object groups must be specified with any of three possible IP protocol groups,
tcp
,udp
ortcp-udp
in this parameter.
The push
method for Service object groups accepts the following parameters:
svc_op
,svc
,svc_hi
-
If specifying one or more services (rather than a group, as below), then at a minimum the
svc_op
andsvc
parameters must be completed.svc_op
may be eithereq
orrange
, and if the latter thenscv_hi
must also contain the corresponding service to make a range.As mentioned above, it is your responsibility to enter values for
svc
andsvc_hi
that the Cisco device will parse (e.g. a recognised service name or IANA assigned number). group_object
-
Use this parameter to refer to another Service object group in this group entry.
You may encounter the following diagnostic messages from Protocol groups:
missing parameter "protocol" when creating service group
-
This is a required parameter to the
new()
class method when specifying an object group type ofservice
(orport
). unrecognized protocol type:
...-
You have used an unrecognized value for the
protocol
parameter tonew()
. missing service operator
-
The
svc_op
parameter is missing in your call topush()
. unrecognized service operator:
...-
You have used an unrecognized value for the
svc_op
parameter topush()
.
DIAGNOSTICS
must specify either group-object or
...-
At a minimum please supply an object group or other required parameter.
cannot specify both group-object and
...-
Likewise you should not specify both an object group and type-specific paramters.
bad group-object
-
Referenced object groups must be of the same type as the group they are referenced from.
missing parameter "type"
-
You forgot to specify the
type
parameter toNet::Cisco::ObjectGroup->new
. unrecognized object-group type:
...-
The group type must be one of
icmp
,network
,protocol
,service
orport
. missing parameter "name"
-
You forgot to specify the
name
parameter toNet::Cisco::ObjectGroup->new
. bad object-group name:
...-
Object group names must be between one and 64 characters comprising only upper and lowercase letters, digits, underscore, period and hyphen.
bad description
-
The length of the description must not exceed 200 characters.
DEPENDENCIES
Other than the contents of the standard Perl distribution, you will need the following:
UNIVERSAL::require
Class::Data::Inheritable
Class::Accessor >= 0.25
BUGS
If you spot a bug or are experiencing difficulties that are not explained within the documentation, please send an email to oliver@cpan.org or submit a bug to the RT system (http://rt.cpan.org/). It would help greatly if you are able to pinpoint problems or even supply a patch.
SEE ALSO
Net::Cisco::AccessList::Extended, Net::Appliance::Session
AUTHOR
Oliver Gorwits <oliver.gorwits@oucs.ox.ac.uk>
COPYRIGHT & LICENSE
Copyright (c) The University of Oxford 2006. All Rights Reserved.
This program is free software; you can redistribute it and/or modify it under the terms of version 2 of the GNU General Public License as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA