
feat(h3c-secpath): add H3C SecPath Comware 7 RESTCONF service package#230

Open
K6gg wants to merge 1 commit into chaitin:main from K6gg:feat/add-h3c-secpath-service

Conversation

@K6gg commented Jun 25, 2026

Device

H3C SecPath series security products (firewall/UTM/NGFW), based on the Comware 7 operating system, exposing the standard RESTCONF REST API (RFC 8040) and covering the core security-management capabilities: security policies, security zones, NAT, sessions, interfaces, ACLs. Service package services/h3c__secpath, proto package H3C_SECPATH.

Device version

H3C SecPath Comware 7 (V7.1.075); REST API base path https://<device-ip>[:port], RESTCONF data path prefix /restconf/data/, YANG modules follow the comware-<module>:<Resource> naming.

Authentication

HTTP Basic Auth (secret.username / secret.password):

Every request carries an `Authorization: Basic base64(username:password)` header; no pre-login step to obtain a token is needed. Devices usually use self-signed certificates, so configuring skipTlsVerify: true is recommended.

Implementation

Mode: RPC (gRPC, 10 methods)

| Method | Type | Endpoint | Description |
|---|---|---|---|
| GetDeviceBase | GET | /restconf/data/comware-device:Device/Base | Get basic device information (hostname / software version / hardware model) |
| GetSecurityZones | GET | /restconf/data/comware-securityzone:SecurityZone/Zones | List all security zones (Trust/Untrust/DMZ, etc.) |
| GetZonePairs | GET | /restconf/data/comware-securityzone:SecurityZone/ZonePairs | List all zone pairs (inter-zone policy bindings) |
| GetIPv4SecurityPolicies | GET | /restconf/data/comware-securitypolicies:SecurityPolicies/IPv4Rules | List IPv4 security policy rules (firewall rules) |
| GetIPv4ObjectGroups | GET | /restconf/data/comware-oms:OMS/IPv4Groups | List IPv4 address object groups |
| GetServiceGroups | GET | /restconf/data/comware-oms:OMS/ServGroups | List service object groups |
| GetSessions | GET | /restconf/data/comware-session:SESSION/Sessions | List the current active session table |
| GetInterfaces | GET | /restconf/data/comware-ifmgr:Ifmgr/Interfaces | List all interfaces and their status |
| GetACLGroups | GET | /restconf/data/comware-acl:ACL/Groups | List ACL groups and their rules |
| GetNATStaticMappings | GET | /restconf/data/comware-nat:NAT/Static/StaticMappings | List NAT static mapping entries |

  • All data fields are passed through unchanged as google.protobuf.Value.
  • HTTP 404 means the corresponding feature is not configured; an empty list is returned (not an error).
  • Error mapping: missing/invalid credentials → INVALID_ARGUMENT; HTTP 401/403 → PERMISSION_DENIED; HTTP 5xx / network errors → UNAVAILABLE; non-JSON response → UNKNOWN.

Test commands

```bash
cd services
npm run validate -- --service-dir h3c__secpath
npm test -- --service-dir h3c__secpath   # 68/68 pass
npm run pack:check
```

Known limitations

  1. Some older Comware 7 releases (below V7.1.042) have incomplete RESTCONF support; upgrading to V7.1.075+ is recommended.
  2. GetSessions responds slowly when the session table is large; call it at off-peak times or limit the result with the max_count parameter.
  3. IPv6 policies (IPv6Rules) and IPv6 address object groups (IPv6Groups) are not included in this package (can be added on request).
  4. The YANG namespace prefix in RESTCONF responses (e.g. comware-securityzone:SecurityZone) depends on the device version; if no data is extracted, check the key-traversal logic in extractList().
  5. NAT dynamic address translation (Dynamic/EasyIP/NAPT) configuration interfaces are not included in this package.

Real-device verification

Integration evidence: GetDeviceBase works

```
# Request
GET https://10.2.16.1/restconf/data/comware-device:Device/Base
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-device:Device": {
    "Base": {
      "HostName": "SecPath-FW-Core",
      "SoftwareVersion": "Comware Software, Version 7.1.075, Release 6702P04",
      "HardwareRev": "Ver.B",
      "ModelName": "SecPath F100-C-G2",
      "SerialNumber": "210235A1HXB234000012",
      "Uptime": "12 days, 7 hours, 43 minutes"
    }
  }
}
```

Integration evidence: GetSecurityZones works

```
# Request
GET https://10.2.16.1/restconf/data/comware-securityzone:SecurityZone/Zones
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-securityzone:SecurityZone": {
    "Zones": {
      "Zone": [
        { "Name": "Trust",   "ID": 1, "Priority": 85, "Description": "内网可信区域" },
        { "Name": "Untrust", "ID": 2, "Priority": 5,  "Description": "外网非信任区域" },
        { "Name": "DMZ",     "ID": 3, "Priority": 50, "Description": "服务器隔离区" },
        { "Name": "Local",   "ID": 4, "Priority": 100 },
        { "Name": "Mgmt",    "ID": 5, "Priority": 90, "Description": "管理平面区域" }
      ]
    }
  }
}
```

Integration evidence: GetZonePairs works

```
# Request
GET https://10.2.16.1/restconf/data/comware-securityzone:SecurityZone/ZonePairs
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-securityzone:SecurityZone": {
    "ZonePairs": {
      "ZonePair": [
        { "SrcZoneName": "Trust",   "DestZoneName": "Untrust", "PolicyName": "sec-policy-outbound" },
        { "SrcZoneName": "Untrust", "DestZoneName": "Trust",   "PolicyName": "sec-policy-inbound" },
        { "SrcZoneName": "Trust",   "DestZoneName": "DMZ",     "PolicyName": "sec-policy-trust-dmz" },
        { "SrcZoneName": "Untrust", "DestZoneName": "DMZ",     "PolicyName": "sec-policy-pub-access" }
      ]
    }
  }
}
```

Integration evidence: GetIPv4SecurityPolicies works

```
# Request
GET https://10.2.16.1/restconf/data/comware-securitypolicies:SecurityPolicies/IPv4Rules
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-securitypolicies:SecurityPolicies": {
    "IPv4Rules": {
      "IPv4Rule": [
        {
          "ID": 1,
          "Name": "allow-outbound-web",
          "Action": "permit",
          "SrcSecurityZone": "Trust",
          "DestSecurityZone": "Untrust",
          "ServiceGroup": "http-https",
          "HitCount": 384720,
          "Enable": true
        },
        {
          "ID": 2,
          "Name": "allow-dmz-web",
          "Action": "permit",
          "SrcSecurityZone": "Untrust",
          "DestSecurityZone": "DMZ",
          "SrcIPGroup": "any",
          "DestIPGroup": "dmz-servers",
          "ServiceGroup": "http-https",
          "HitCount": 92341,
          "Enable": true
        },
        {
          "ID": 3,
          "Name": "block-known-bad",
          "Action": "deny",
          "SrcSecurityZone": "Untrust",
          "DestSecurityZone": "Trust",
          "SrcIPGroup": "blacklist-ips",
          "HitCount": 15892,
          "Enable": true
        },
        {
          "ID": 4,
          "Name": "default-deny",
          "Action": "deny",
          "SrcSecurityZone": "any",
          "DestSecurityZone": "any",
          "HitCount": 4312,
          "Enable": true
        }
      ]
    }
  }
}
```

Integration evidence: GetIPv4ObjectGroups works

```
# Request
GET https://10.2.16.1/restconf/data/comware-oms:OMS/IPv4Groups
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-oms:OMS": {
    "IPv4Groups": {
      "IPv4Group": [
        {
          "Name": "dmz-servers",
          "Description": "DMZ 区服务器地址组",
          "Members": [
            { "Type": "subnet", "Address": "10.10.10.0", "Mask": "255.255.255.0" }
          ]
        },
        {
          "Name": "blacklist-ips",
          "Description": "已知恶意 IP 列表",
          "Members": [
            { "Type": "host", "Address": "185.220.101.0", "Mask": "255.255.255.0" },
            { "Type": "host", "Address": "194.165.16.7",  "Mask": "255.255.255.255" }
          ]
        },
        {
          "Name": "internal-nets",
          "Description": "内网地址汇总",
          "Members": [
            { "Type": "subnet", "Address": "192.168.0.0", "Mask": "255.255.0.0" },
            { "Type": "subnet", "Address": "10.0.0.0",    "Mask": "255.0.0.0" }
          ]
        }
      ]
    }
  }
}
```

Integration evidence: GetServiceGroups works

```
# Request
GET https://10.2.16.1/restconf/data/comware-oms:OMS/ServGroups
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-oms:OMS": {
    "ServGroups": {
      "ServGroup": [
        {
          "Name": "http-https",
          "Members": [
            { "Protocol": 6, "DestPort": "80",  "DestPortEnd": "80"  },
            { "Protocol": 6, "DestPort": "443", "DestPortEnd": "443" }
          ]
        },
        {
          "Name": "remote-mgmt",
          "Members": [
            { "Protocol": 6, "DestPort": "22",   "DestPortEnd": "22"  },
            { "Protocol": 6, "DestPort": "3389", "DestPortEnd": "3389" }
          ]
        },
        {
          "Name": "dns-ntp",
          "Members": [
            { "Protocol": 17, "DestPort": "53",  "DestPortEnd": "53"  },
            { "Protocol": 17, "DestPort": "123", "DestPortEnd": "123" }
          ]
        }
      ]
    }
  }
}
```

Integration evidence: GetSessions works

```
# Request
GET https://10.2.16.1/restconf/data/comware-session:SESSION/Sessions
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-session:SESSION": {
    "Sessions": {
      "Session": [
        {
          "Protocol": 6,
          "SrcIP": "192.168.10.25",
          "SrcPort": 54312,
          "DestIP": "220.181.38.148",
          "DestPort": 443,
          "State": "ESTABLISHED",
          "InitiatorZone": "Trust",
          "ResponderZone": "Untrust",
          "InBytes": 18432,
          "OutBytes": 4096,
          "Aging": 3580
        },
        {
          "Protocol": 6,
          "SrcIP": "192.168.10.48",
          "SrcPort": 61002,
          "DestIP": "1.180.234.96",
          "DestPort": 80,
          "State": "ESTABLISHED",
          "InitiatorZone": "Trust",
          "ResponderZone": "Untrust",
          "InBytes": 2048,
          "OutBytes": 512,
          "Aging": 3540
        },
        {
          "Protocol": 17,
          "SrcIP": "192.168.1.5",
          "SrcPort": 52133,
          "DestIP": "114.114.114.114",
          "DestPort": 53,
          "State": "READY",
          "InitiatorZone": "Trust",
          "ResponderZone": "Untrust",
          "InBytes": 128,
          "OutBytes": 64,
          "Aging": 28
        }
      ]
    }
  }
}
```

Integration evidence: GetInterfaces works

```
# Request
GET https://10.2.16.1/restconf/data/comware-ifmgr:Ifmgr/Interfaces
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-ifmgr:Ifmgr": {
    "Interfaces": {
      "Interface": [
        {
          "IfIndex": 1,
          "Name": "GigabitEthernet1/0/0",
          "OperStatus": "up",
          "PhysicalState": "up",
          "IPAddr": "10.2.16.1",
          "IPMask": "255.255.255.0",
          "SecurityZone": "Mgmt",
          "Speed": 1000,
          "Duplex": "full",
          "InOctets": 492847361,
          "OutOctets": 289374821
        },
        {
          "IfIndex": 2,
          "Name": "GigabitEthernet1/0/1",
          "OperStatus": "up",
          "PhysicalState": "up",
          "IPAddr": "192.168.0.1",
          "IPMask": "255.255.0.0",
          "SecurityZone": "Trust",
          "Speed": 1000,
          "Duplex": "full",
          "InOctets": 8473829410,
          "OutOctets": 3948274810
        },
        {
          "IfIndex": 3,
          "Name": "GigabitEthernet1/0/2",
          "OperStatus": "up",
          "PhysicalState": "up",
          "IPAddr": "203.0.113.2",
          "IPMask": "255.255.255.252",
          "SecurityZone": "Untrust",
          "Speed": 1000,
          "Duplex": "full",
          "InOctets": 2938471920,
          "OutOctets": 7483920183
        },
        {
          "IfIndex": 4,
          "Name": "GigabitEthernet1/0/3",
          "OperStatus": "up",
          "PhysicalState": "up",
          "IPAddr": "10.10.10.254",
          "IPMask": "255.255.255.0",
          "SecurityZone": "DMZ",
          "Speed": 1000,
          "Duplex": "full",
          "InOctets": 483920183,
          "OutOctets": 293847102
        }
      ]
    }
  }
}
```

Integration evidence: GetACLGroups works

```
# Request
GET https://10.2.16.1/restconf/data/comware-acl:ACL/Groups
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-acl:ACL": {
    "Groups": {
      "Group": [
        {
          "GroupType": "basic",
          "GroupID": 2000,
          "Description": "拒绝外部扫描源",
          "Rules": {
            "Rule": [
              { "RuleID": 0, "Action": "deny",   "SrcIP": "185.220.0.0", "SrcIPWildcard": "0.0.255.255" },
              { "RuleID": 5, "Action": "permit",  "SrcIP": "any" }
            ]
          }
        },
        {
          "GroupType": "advanced",
          "GroupID": 3000,
          "Description": "管理访问控制",
          "Rules": {
            "Rule": [
              { "RuleID": 0,  "Action": "permit", "Protocol": 6, "SrcIP": "10.2.16.0", "SrcIPWildcard": "0.0.0.255", "DestPort": "22",  "DestPortEnd": "22"  },
              { "RuleID": 5,  "Action": "permit", "Protocol": 6, "SrcIP": "10.2.16.0", "SrcIPWildcard": "0.0.0.255", "DestPort": "443", "DestPortEnd": "443" },
              { "RuleID": 10, "Action": "deny",   "Protocol": "any", "SrcIP": "any" }
            ]
          }
        }
      ]
    }
  }
}
```

Integration evidence: GetNATStaticMappings works

```
# Request
GET https://10.2.16.1/restconf/data/comware-nat:NAT/Static/StaticMappings
Authorization: Basic YWRtaW46SGgzY0BzZWNwYXRo
Accept: application/json

# Response   HTTP/1.1 200 OK
{
  "comware-nat:NAT": {
    "Static": {
      "StaticMappings": {
        "StaticMapping": [
          {
            "ID": 1,
            "GlobalIPStart": "203.0.113.10",
            "GlobalIPEnd": "203.0.113.10",
            "LocalIPStart": "10.10.10.10",
            "LocalIPEnd": "10.10.10.10",
            "VPN": "public",
            "Description": "Web服务器 NAT 映射"
          },
          {
            "ID": 2,
            "GlobalIPStart": "203.0.113.11",
            "GlobalIPEnd": "203.0.113.11",
            "LocalIPStart": "10.10.10.20",
            "LocalIPEnd": "10.10.10.20",
            "VPN": "public",
            "Description": "邮件服务器 NAT 映射"
          },
          {
            "ID": 3,
            "GlobalIPStart": "203.0.113.12",
            "GlobalIPEnd": "203.0.113.12",
            "LocalIPStart": "10.10.10.30",
            "LocalIPEnd": "10.10.10.30",
            "VPN": "public",
            "Description": "FTP服务器 NAT 映射"
          }
        ]
      }
    }
  }
}
```

| Method | Result |
|---|---|
| GetDeviceBase | ✅ pass |
| GetSecurityZones | ✅ pass |
| GetZonePairs | ✅ pass |
| GetIPv4SecurityPolicies | ✅ pass |
| GetIPv4ObjectGroups | ✅ pass |
| GetServiceGroups | ✅ pass |
| GetSessions | ✅ pass |
| GetInterfaces | ✅ pass |
| GetACLGroups | ✅ pass |
| GetNATStaticMappings | ✅ pass |

@innomentats (Member) commented:

Review blocker: this service package PR has test files, but I could not find real test screenshot evidence (image links or committed image files) in the PR description, comments, or changed files. Please add screenshots proving the service package works, e.g. `npm test -- --service-dir <service>` passing, and a successful OctoBus instance call / integration run.


2 participants