Querent

Querent is an editor for query documents. A query document is a set of packet expressions with which to validate a configuration. Each expression specifies a set of packets along with firewall behavior. Validating a configuration means verifying that every packet described by an expression is handled as described in the expression. Analyzer processes query documents and configurations and outputs all packets that violate any of the expressions. Querent is a user-friendly interface for constructing and maintaining those query documents.

In addition to the expressions, Querent maintains a list of macros, which are names that can be assigned values. Macros are useful as shortcuts, and to make sure that the same value is used in multiple expressions. Macros are given values in a dictionary, which is simply a listing of the values to assign to various macros. Each query document has a set of dictionaries, any of which can be selected for use by Analyzer. This is handy if one has a set of similar configurations but with different specific values. Those values can be represented by macros and each dictionary can assign the appropriate values without having to duplicate the expressions.

A query document can be run through Analyzer from the command line, or directly from Querent.

Querent has a structured editor for editing expressions.

Querent expression editor

The expression is grouped into clauses, each of which specifies a set of values for each supported packet property. A clause matches if all of the properties match, and a property matches if any of its values match. Nested clauses are only checked if the enclosing clause matches, making it easy to group clauses that have common properties.

The clauses can be moved up and down, nested and unnested. The list of properties for each clause can be expanded to all supported properties for editing, or collapsed down to only those properties with values for easier understanding.

One very useful feature of a series of clauses is the ability to mark the last one as "Otherwise". Such a clause matches if none of the preceding clauses with the same parent match. This makes it easy to check a variety of packets for various behaviors and then specify a behavior for all other packets. E.g., "these packets and those and these others should be permitted, but all other packets should be denied".
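The matching rules described above (all properties, any value, nested clauses, "Otherwise", and macros resolved through a selected dictionary) can be sketched as a small evaluator. This is an added example, not Querent's or Analyzer's own code. It assumes a hypothetical `Clause` data model, a `$name` macro syntax, the property names shown, that a property with no listed values is unconstrained, and that an "Otherwise" clause ignores its own properties.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Clause:
    props: dict = field(default_factory=dict)     # property name -> list of accepted values
    behavior: Optional[str] = None                # expected firewall behavior, if any
    children: list = field(default_factory=list)  # nested clauses
    otherwise: bool = False                       # set on the last sibling only

def resolve(value, dictionary):
    # Assumed macro syntax: "$name", looked up in the selected dictionary.
    if isinstance(value, str) and value.startswith("$"):
        return dictionary[value[1:]]
    return value

def clause_matches(clause, packet, dictionary):
    # Every listed property must match; a property matches if any of its values does.
    return all(packet.get(prop) in [resolve(v, dictionary) for v in values]
               for prop, values in clause.props.items())

def expected(clauses, packet, dictionary):
    """Behaviors the expression expects for one packet, siblings checked in order."""
    results, sibling_matched = [], False
    for clause in clauses:
        if clause.otherwise:
            hit = not sibling_matched             # no preceding sibling matched
        else:
            hit = clause_matches(clause, packet, dictionary)
            sibling_matched = sibling_matched or hit
        if hit:
            if clause.behavior:
                results.append(clause.behavior)
            # Nested clauses are consulted only when the enclosing clause matched.
            results += expected(clause.children, packet, dictionary)
    return results

# Constructed expression: web and admin SSH traffic permitted, all else denied.
EXPR = [
    Clause(props={"protocol": ["tcp"]}, children=[
        Clause(props={"dst_ip": ["$web"], "dst_port": [80, 443]}, behavior="permit"),
        Clause(props={"src_ip": ["$admin"], "dst_port": [22]}, behavior="permit"),
        Clause(otherwise=True, behavior="deny"),
    ]),
    Clause(otherwise=True, behavior="deny"),
]
# Two constructed dictionaries giving the same macros site-specific values.
SITE_A = {"web": "10.0.0.10", "admin": "10.0.9.5"}
SITE_B = {"web": "192.168.1.10", "admin": "192.168.9.5"}
```

Evaluating the same packet against `SITE_A` and `SITE_B` shows how one expression validates two similar configurations: a packet to `10.0.0.10:443` is expected to be permitted under the first dictionary and denied under the second.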