Use IP network and service names from Capirca

Invariant natively supports network and service definition files in the Capirca format.

Important

We recommend migrating from Capirca .def format to Aerleon YAML format if possible for several reasons:

  • The Capirca .def format is not formally specified or documented.
  • Tooling to programmatically work with Capirca .def format is very sparse.

Aerleon and Capirca files define networks and services in the same namespace.

See also: Use IP network and service names from Aerleon

Place your definition files in the def/ directory of your snapshot.

snapshot/
└── def/
    ├── networks.net
    └── services.svc

Example networks.net:

invariant/def/networks.net
DB_SERVERS = 10.50.1.10/32, 10.50.1.11/32

RFC1918 = RFC1918_10_SPACE, RFC1918_172_SPACE, RFC1918_192_SPACE

RFC1918_10_SPACE = 10.0.0.0/8

RFC1918_172_SPACE = 172.16.0.0/12

RFC1918_192_SPACE = 192.168.0.0/16

Example services.svc:

invariant/def/services.svc
HIGH_PORTS = 1024-65535/tcp, 1024-65535/udp

SSH = 22/tcp

Services can include other services.

invariant/def/services.svc
NMSP = NMSP_537, NMSP_1790

NMSP_537 = 537/tcp, 537/udp

NMSP_1790 = 1790/tcp, 1790/udp

Reference these named definitions directly in your Invariant access policy rules.

invariant/policies/my_policy.yaml
access-policy:
  - name: db-access
    ingress-network: DB_SERVERS # Use named network
    rules:
      - type: ingress-deny
        source-address: RFC1918 # Use named network
        destination-port: SSH # Use named service
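
The following is an added example, not code from Invariant, Capirca or Aerleon. It parses the `NAME = value, value` syntax used in the networks.net and services.svc files above, expands nested names (such as RFC1918 or NMSP) down to their leaf prefixes and port/protocol pairs, enforces the shared namespace between the two files, and reports which names used in a policy are undefined. The sample .def text is constructed from the page's examples; the support for `#` comments and indented continuation lines follows Capirca conventions and is an assumption, as is the `port[-port]/proto` shape accepted for service leaves.

```python
"""Resolve Capirca-style .def definitions (added example, not Invariant's code)."""
import ipaddress
import re

# Constructed sample files mirroring the page's examples. The wrapped
# RFC1918 line exercises continuation-line handling (assumed Capirca convention).
NETWORKS_NET = """\
DB_SERVERS = 10.50.1.10/32, 10.50.1.11/32
RFC1918 = RFC1918_10_SPACE, RFC1918_172_SPACE,
          RFC1918_192_SPACE   # continuation line
RFC1918_10_SPACE = 10.0.0.0/8
RFC1918_172_SPACE = 172.16.0.0/12
RFC1918_192_SPACE = 192.168.0.0/16
"""

SERVICES_SVC = """\
HIGH_PORTS = 1024-65535/tcp, 1024-65535/udp
SSH = 22/tcp
NMSP = NMSP_537, NMSP_1790
NMSP_537 = 537/tcp, 537/udp
NMSP_1790 = 1790/tcp, 1790/udp
"""

# Leaf service value: a port or port range followed by a protocol (assumed shape).
SERVICE_RE = re.compile(r"^\d+(?:-\d+)?/[a-z0-9]+$")


def parse_defs(text):
    """Return {NAME: [token, ...]} from .def text, keeping token order."""
    defs = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            tokens = line.split(",")           # continuation of previous NAME
        else:
            name, sep, rest = line.partition("=")
            if not sep:
                raise ValueError(f"malformed line: {raw!r}")
            current = name.strip()
            if current in defs:
                raise ValueError(f"duplicate definition: {current}")
            defs[current] = []
            tokens = rest.split(",")
        defs[current].extend(t.strip() for t in tokens if t.strip())
    return defs


def load(networks_text, services_text):
    """Parse both files and reject a name defined in each (shared namespace)."""
    nets, svcs = parse_defs(networks_text), parse_defs(services_text)
    clash = set(nets) & set(svcs)
    if clash:
        raise ValueError(f"names defined in both files: {sorted(clash)}")
    return nets, svcs


def resolve(name, defs, is_leaf, _stack=()):
    """Expand NAME to leaf tokens, following references and detecting cycles."""
    if name in _stack:
        raise ValueError("cycle: " + " -> ".join(_stack + (name,)))
    if name not in defs:
        raise KeyError(f"undefined name: {name}")
    leaves = []
    for tok in defs[name]:
        if tok in defs:
            leaves.extend(resolve(tok, defs, is_leaf, _stack + (name,)))
        elif is_leaf(tok):
            leaves.append(tok)
        else:
            raise ValueError(f"token {tok!r} is neither a definition nor a valid value")
    return leaves


def is_leaf_network(tok):
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def expand_network(name, nets):
    return [ipaddress.ip_network(t, strict=False)
            for t in resolve(name, nets, is_leaf_network)]


def expand_service(name, svcs):
    return resolve(name, svcs, lambda t: bool(SERVICE_RE.match(t)))


def lint(nets, svcs):
    """Collect every resolution problem (cycle, undefined or invalid token)."""
    problems = []
    for table, expand in ((nets, expand_network), (svcs, expand_service)):
        for name in table:
            try:
                expand(name, table)
            except (KeyError, ValueError) as exc:
                problems.append(f"{name}: {exc}")
    return problems


def undefined_policy_names(nets, svcs, names):
    """Names referenced by a policy that neither .def file defines."""
    return sorted(n for n in names if n not in nets and n not in svcs)


if __name__ == "__main__":
    nets, svcs = load(NETWORKS_NET, SERVICES_SVC)
    print("RFC1918 ->", [str(n) for n in expand_network("RFC1918", nets)])
    print("NMSP    ->", expand_service("NMSP", svcs))
    print("lint    ->", lint(nets, svcs))
    print("missing ->", undefined_policy_names(nets, svcs, ["DB_SERVERS", "RFC1918", "SSH"]))
```

Running `lint` over both files before a policy is evaluated surfaces a typo in a nested name or an invalid prefix at definition time, rather than as a rule that silently matches nothing; `undefined_policy_names` does the same for the names a policy file uses.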

Built-in definitions for common IP networks (like RFC1918) and IANA well-known services are automatically loaded by Invariant. See Reference well-known networks and services in Invariant.

See Access Policy for more details on writing rules.