Use of org.batfish.datamodel.Configuration in project batfish by batfish.
The class CiscoConfiguration, method toVendorIndependentConfiguration.
/**
 * Converts this vendor-specific Cisco configuration into the vendor-independent
 * {@link Configuration} model.
 *
 * <p>The steps run in a fixed order because later ones look up objects created by earlier ones
 * (IPsec policies look up proposals by name, IPsec VPNs look up IKE gateways and policies,
 * interfaces look up VRFs): global and management settings, line and failover processing, VRF
 * creation, policy objects (AS-path lists, community lists, prefix lists, ACLs, route maps and
 * route policies), interfaces and VRRP, IKE/IPsec objects and VPNs, per-VRF routing processes,
 * and finally reference marking plus unused-structure warnings.
 *
 * @return the populated vendor-independent configuration
 * @throws BatfishException if an interface carries no VRF name
 */
@Override
public Configuration toVendorIndependentConfiguration() {
  final Configuration c = new Configuration(_hostname, _vendor);
  c.getVendorFamily().setCisco(_cf);
  c.setRoles(_roles);
  // Model-level defaults are permissive: when no filter applies, inbound and cross-zone traffic
  // is accepted.
  c.setDefaultInboundAction(LineAction.ACCEPT);
  c.setDefaultCrossZoneAction(LineAction.ACCEPT);
  // management-plane settings: DNS, domain, normal VLAN range, TACACS+, NTP, logging, SNMP
  c.setDnsServers(_dnsServers);
  c.setDnsSourceInterface(_dnsSourceInterface);
  c.setDomainName(_domainName);
  c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
  c.setTacacsServers(_tacacsServers);
  c.setTacacsSourceInterface(_tacacsSourceInterface);
  c.setNtpSourceInterface(_ntpSourceInterface);
  // NTP and logging servers are copied only when the corresponding block was configured; the
  // server sets are sorted copies of the configured host keys.
  if (_cf.getNtp() != null) {
    c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
  }
  if (_cf.getLogging() != null) {
    c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
    c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
  }
  c.setSnmpSourceInterface(_snmpSourceInterface);
  processLines();
  processFailoverSettings();
  // Clear a line's login-authentication reference when it names an AAA login list that is not
  // defined (or when no aaa / aaa authentication / login block exists at all). This is silent:
  // no warning is recorded for the dangling reference, the line simply loses it in the model.
  for (Line line : _cf.getLines().values()) {
    String list = line.getLoginAuthentication();
    boolean found = false;
    Aaa aaa = _cf.getAaa();
    if (aaa != null) {
      AaaAuthentication authentication = aaa.getAuthentication();
      if (authentication != null) {
        AaaAuthenticationLogin login = authentication.getLogin();
        if (login != null && login.getLists().containsKey(list)) {
          found = true;
        }
      }
    }
    if (!found) {
      line.setLoginAuthentication(null);
    }
  }
  // create an (initially empty) vendor-independent VRF for every configured VRF name; the
  // per-VRF contents are filled in further below
  for (String vrfName : _vrfs.keySet()) {
    c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
  }
  // snmp server: attached to the VRF it was configured in
  if (_snmpServer != null) {
    String snmpServerVrf = _snmpServer.getVrf();
    // NOTE(review): get() yields null (and an NPE here) if the SNMP server's VRF is not one of
    // _vrfs — confirm the parser guarantees that VRF exists.
    c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
  }
  // convert as path access lists to vendor independent format
  for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
    AsPathAccessList apList = toAsPathAccessList(pathList);
    c.getAsPathAccessLists().put(apList.getName(), apList);
  }
  // convert as-path-sets to vendor independent format; they share the AS-path access list map
  // with the lists above, so a set and a list with the same name would overwrite each other
  for (AsPathSet asPathSet : _asPathSets.values()) {
    AsPathAccessList apList = toAsPathAccessList(asPathSet);
    c.getAsPathAccessLists().put(apList.getName(), apList);
  }
  // convert standard/expanded community lists to community lists; standard lists go through
  // their expanded form first
  for (StandardCommunityList scList : _standardCommunityLists.values()) {
    ExpandedCommunityList ecList = scList.toExpandedCommunityList();
    CommunityList cList = toCommunityList(ecList);
    c.getCommunityLists().put(cList.getName(), cList);
  }
  for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
    CommunityList cList = toCommunityList(ecList);
    c.getCommunityLists().put(cList.getName(), cList);
  }
  // convert prefix lists to route filter lists
  for (PrefixList prefixList : _prefixLists.values()) {
    RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
    c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
  }
  // convert ipv6 prefix lists to route6 filter lists
  for (Prefix6List prefixList : _prefix6Lists.values()) {
    Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
    c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
  }
  // convert standard/extended access lists to access lists or route filter lists: standard ACLs
  // are widened to extended form first, then every ACL becomes an IpAccessList. Those that
  // usedForRouting() reports as referenced from routing configuration are additionally converted
  // to a RouteFilterList and receive a "used for routing" referer mark, placed on the originating
  // standard ACL when there is one.
  List<ExtendedAccessList> allACLs = new ArrayList<>();
  for (StandardAccessList saList : _standardAccessLists.values()) {
    ExtendedAccessList eaList = saList.toExtendedAccessList();
    allACLs.add(eaList);
  }
  allACLs.addAll(_extendedAccessLists.values());
  for (ExtendedAccessList eaList : allACLs) {
    if (usedForRouting(eaList)) {
      String msg = "used for routing";
      StandardAccessList parent = eaList.getParent();
      if (parent != null) {
        parent.getReferers().put(this, msg);
      } else {
        eaList.getReferers().put(this, msg);
      }
      RouteFilterList rfList = toRouteFilterList(eaList);
      c.getRouteFilterLists().put(rfList.getName(), rfList);
    }
    IpAccessList ipaList = toIpAccessList(eaList);
    c.getIpAccessLists().put(ipaList.getName(), ipaList);
  }
  // same treatment for standard/extended ipv6 access lists, producing Ip6AccessList and, for
  // routing-referenced ones, Route6FilterList objects
  List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
  for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
    ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
    allIpv6ACLs.add(eaList);
  }
  allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
  for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
    if (usedForRouting(eaList)) {
      String msg = "used for routing";
      StandardIpv6AccessList parent = eaList.getParent();
      if (parent != null) {
        parent.getReferers().put(this, msg);
      } else {
        eaList.getReferers().put(this, msg);
      }
      Route6FilterList rfList = toRoute6FilterList(eaList);
      c.getRoute6FilterLists().put(rfList.getName(), rfList);
    }
    Ip6AccessList ipaList = toIp6AccessList(eaList);
    c.getIp6AccessLists().put(ipaList.getName(), ipaList);
  }
  // convert route maps to policy maps
  Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
  for (RouteMap map : _routeMaps.values()) {
    // convertForPurpose is handed the set of route maps used for routing so it can treat those
    // differently from the others (its details are not visible here)
    convertForPurpose(routingRouteMaps, map);
    // convert route maps to RoutingPolicy objects
    RoutingPolicy newPolicy = toRoutingPolicy(c, map);
    c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
  }
  // convert RoutePolicy objects to RoutingPolicy; they share the routing-policy map with the
  // converted route maps
  for (RoutePolicy routePolicy : _routePolicies.values()) {
    RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
    c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
  }
  // convert interfaces: every interface needs a VRF name (a missing one is a hard error) and is
  // registered both in the global interface map and under its VRF
  _interfaces.forEach((ifaceName, iface) -> {
    org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
    String vrfName = iface.getVrf();
    if (vrfName == null) {
      throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
    }
    c.getInterfaces().put(ifaceName, newInterface);
    c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
  });
  // apply vrrp settings to interfaces
  applyVrrp(c);
  // IKE proposals, keyed by ISAKMP policy name
  for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
    c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
  }
  addIkePoliciesAndGateways(c);
  // ipsec proposals, keyed by transform-set name
  for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
    c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
  }
  // ipsec policies: one per IPsec profile, carrying the profile's PFS group and, only if the
  // referenced transform set was converted above, that single proposal. A profile whose
  // transform set is unknown ends up with no proposals; nothing is reported at this point.
  for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
    String name = e.getKey();
    IpsecProfile profile = e.getValue();
    IpsecPolicy policy = new IpsecPolicy(name);
    policy.setPfsKeyGroup(profile.getPfsGroup());
    String transformSetName = profile.getTransformSet();
    if (c.getIpsecProposals().containsKey(transformSetName)) {
      policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
    }
    c.getIpsecPolicies().put(name, policy);
  }
  // ipsec vpns: one per interface whose tunnel runs in IPSEC mode
  for (Entry<String, Interface> e : _interfaces.entrySet()) {
    String name = e.getKey();
    Interface iface = e.getValue();
    Tunnel tunnel = iface.getTunnel();
    if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
      IpsecVpn ipsecVpn = new IpsecVpn(name, c);
      ipsecVpn.setBindInterface(c.getInterfaces().get(name));
      // null if the tunnel's IPsec profile was never defined; no check or warning here
      ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
      Ip source = tunnel.getSource();
      Ip destination = tunnel.getDestination();
      if (source == null || destination == null) {
        _w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
      } else {
        // The IKE gateway is matched purely on addresses: its local IP must equal the tunnel
        // source and its peer address the tunnel destination. The loop does not stop at the
        // first hit, so if several gateways match, the last one in iteration order wins.
        for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
          if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
            ipsecVpn.setIkeGateway(ikeGateway);
          }
        }
        if (ipsecVpn.getIkeGateway() == null) {
          _w.redFlag("Can't find matching IkeGateway for " + name);
        }
      }
      c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
    }
  }
  // per-VRF conversion: SNMP trap hosts, static routes and the routing processes
  _vrfs.forEach((vrfName, vrf) -> {
    org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
    // add snmp trap servers to main list
    if (newVrf.getSnmpServer() != null) {
      c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
    }
    // convert static routes
    for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
      newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
    }
    // convert rip process
    RipProcess ripProcess = vrf.getRipProcess();
    if (ripProcess != null) {
      org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
      newVrf.setRipProcess(newRipProcess);
    }
    // convert ospf process
    OspfProcess ospfProcess = vrf.getOspfProcess();
    if (ospfProcess != null) {
      org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
      newVrf.setOspfProcess(newOspfProcess);
    }
    // convert isis process
    IsisProcess isisProcess = vrf.getIsisProcess();
    if (isisProcess != null) {
      org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
      newVrf.setIsisProcess(newIsisProcess);
    }
    // convert bgp process (c.getVrfs().get(vrfName) is the same object as newVrf)
    BgpProcess bgpProcess = vrf.getBgpProcess();
    if (bgpProcess != null) {
      org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
      c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
    }
  });
  // warn about references to undefined peer groups, one per (name, line) pair recorded during
  // parsing
  for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
    String name = e.getKey();
    int line = e.getValue();
    undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
  }
  // mark references to IPv4/6 ACLs that may not appear in data model (management-plane,
  // multicast, NAT, SNMP, SSH, WCCP and routing usages)
  markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
  markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
  markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
  markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
  markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
  markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
  markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
  markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
  markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
  markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
  markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
  markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
  markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
  markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
  markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
  markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
  markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
  markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
  markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
  markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
  markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
  markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
  markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
  markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
  markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
  markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
  markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
  markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
  markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
  markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
  markAcls(CiscoStructureUsage.SSH_ACL);
  markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
  markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
  markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
  markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
  markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
  // mark references to mac-ACLs that may not appear in data model
  // TODO: fill in
  // mark references to route-maps that may not appear in data model
  markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
  markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
  markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
  markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
  // Cable
  markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
  markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
  markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
  markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
  markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
  markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
  // L2tp
  markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
  // Vpn: crypto objects referenced from tunnel protection, IPsec profiles and ISAKMP profiles
  markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
  markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
  markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
  // warn about unreferenced data structures
  warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
  warnUnusedCommunityLists();
  warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
  warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
  warnUnusedDocsisPolicies();
  warnUnusedDocsisPolicyRules();
  warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
  warnUnusedIpAccessLists();
  warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
  warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
  warnUnusedIpv6AccessLists();
  warnUnusedKeyrings();
  warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
  warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
  warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
  warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
  warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
  warnUnusedPeerGroups();
  warnUnusedPeerSessions();
  warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
  warnUnusedServiceClasses();
  // final passes over the generated routing policies
  c.simplifyRoutingPolicies();
  c.computeRoutingPolicySources(_w);
  return c;
}
Use of org.batfish.datamodel.Configuration in project batfish by batfish.
The class Subnet, method toConfigurationNode.
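/**
 * Builds the configuration node that models this subnet and wires it to its VPC's router node.
 *
 * <p>The subnet node gets two interfaces: one facing the instances (named after the subnet and
 * addressed inside {@code _cidrBlock}) and one facing the VPC router (named after the VPC). The
 * VPC router node gets the matching interface (named after the subnet) and a static route for
 * the subnet's CIDR via the generated link; the subnet node gets a default route back towards
 * the VPC router. The subnet's network ACL is installed as incoming/outgoing filter on the
 * VPC-facing interface.
 *
 * @param awsConfiguration source of the already-built VPC node and of generated link subnets
 * @param region region holding the network ACL definitions
 * @param warnings not used by this method; same parameter list as the other node builders
 * @return the populated subnet configuration node
 * @throws IllegalStateException if the VPC this subnet belongs to has no configuration node
 */
public Configuration toConfigurationNode(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
  Configuration cfgNode = Utils.newAwsConfiguration(_subnetId, "aws");
  // add one interface that faces the instances
  String instancesIfaceName = _subnetId;
  Ip instancesIfaceIp = computeInstancesIfaceIp();
  InterfaceAddress instancesIfaceAddress = new InterfaceAddress(instancesIfaceIp, _cidrBlock.getPrefixLength());
  Utils.newInterface(instancesIfaceName, cfgNode, instancesIfaceAddress);
  // generate a prefix for the link between the VPC router and the subnet
  Pair<InterfaceAddress, InterfaceAddress> vpcSubnetLinkPrefix = awsConfiguration.getNextGeneratedLinkSubnet();
  InterfaceAddress subnetIfaceAddress = vpcSubnetLinkPrefix.getFirst();
  InterfaceAddress vpcIfaceAddress = vpcSubnetLinkPrefix.getSecond();
  // add an interface that faces the VPC router
  String subnetIfaceName = _vpcId;
  Interface subnetToVpc = Utils.newInterface(subnetIfaceName, cfgNode, subnetIfaceAddress);
  // add a corresponding interface on the VPC router facing the subnet; the VPC node must already
  // exist, so fail with a descriptive message rather than an NPE further down
  Configuration vpcConfigNode = awsConfiguration.getConfigurationNodes().get(_vpcId);
  if (vpcConfigNode == null) {
    throw new IllegalStateException(String.format("VPC \"%s\" referred by subnet \"%s\" not found", _vpcId, _subnetId));
  }
  String vpcIfaceName = _subnetId;
  Utils.newInterface(vpcIfaceName, vpcConfigNode, vpcIfaceAddress);
  // add a static route on the vpc router for this subnet. The builder is reused below: network
  // and next hop are overridden before each build(), admin cost and metric stay as set here.
  StaticRoute.Builder sb = StaticRoute.builder().setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST);
  StaticRoute vpcToSubnetRoute = sb.setNetwork(_cidrBlock).setNextHopIp(subnetIfaceAddress.getIp()).build();
  vpcConfigNode.getDefaultVrf().getStaticRoutes().add(vpcToSubnetRoute);
  // Install a default static route towards the VPC router.
  StaticRoute defaultRoute = sb.setNetwork(Prefix.ZERO).setNextHopIp(vpcIfaceAddress.getIp()).build();
  cfgNode.getDefaultVrf().getStaticRoutes().add(defaultRoute);
  // Network ACL: installed only on the VPC-facing interface (the instances-facing interface
  // gets no filter).
  // NOTE(review): findMyNetworkAcl's result is dereferenced without a null check — confirm it
  // cannot return null for a subnet with no associated ACL.
  NetworkAcl myNetworkAcl = findMyNetworkAcl(region.getNetworkAcls());
  IpAccessList inAcl = myNetworkAcl.getIngressAcl();
  IpAccessList outAcl = myNetworkAcl.getEgressAcl();
  cfgNode.getIpAccessLists().put(inAcl.getName(), inAcl);
  cfgNode.getIpAccessLists().put(outAcl.getName(), outAcl);
  subnetToVpc.setIncomingFilter(inAcl);
  subnetToVpc.setOutgoingFilter(outAcl);
  // record the AWS identity of this node
  cfgNode.getVendorFamily().getAws().setVpcId(_vpcId);
  cfgNode.getVendorFamily().getAws().setSubnetId(_subnetId);
  cfgNode.getVendorFamily().getAws().setRegion(region.getName());
  return cfgNode;
}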
Use of org.batfish.datamodel.Configuration in project batfish by batfish.
The class Utils, method newAwsConfiguration.
/**
 * Creates a new AWS-format configuration node.
 *
 * <p>The node is built through {@code FACTORY} with the given hostname and domain name, the
 * {@link ConfigurationFormat#AWS} format and permissive defaults (inbound and cross-zone traffic
 * accepted when no filter applies). A VRF named {@link Configuration#DEFAULT_VRF_NAME} is built
 * with the node as owner, and an empty {@link AwsFamily} is attached so callers can record VPC,
 * subnet and region details.
 *
 * @param name hostname of the new node
 * @param domainName domain name of the new node
 * @return the freshly built node
 */
public static Configuration newAwsConfiguration(String name, String domainName) {
  Configuration node =
      FACTORY
          .configurationBuilder()
          .setHostname(name)
          .setDomainName(domainName)
          .setConfigurationFormat(ConfigurationFormat.AWS)
          .setDefaultInboundAction(LineAction.ACCEPT)
          .setDefaultCrossZoneAction(LineAction.ACCEPT)
          .build();
  // The built VRF is discarded here; presumably setOwner attaches it to the node — verify in
  // FACTORY's VRF builder.
  FACTORY.vrfBuilder().setName(Configuration.DEFAULT_VRF_NAME).setOwner(node).build();
  node.getVendorFamily().setAws(new AwsFamily());
  return node;
}
Use of org.batfish.datamodel.Configuration in project batfish by batfish.
The class VpnConnection, method applyToVpnGateway.
/**
 * Materializes this VPN connection on its VPN gateway's configuration node.
 *
 * <p>For every IPsec tunnel of the connection this creates, all named {@code <connectionId>-<n>}
 * with {@code n} counting from 1: an {@link IpsecVpn} with its {@link IpsecPolicy} and
 * {@link IpsecProposal}, an {@link IkeGateway} with its {@link IkePolicy} and
 * {@link IkeProposal}, an {@code external<n>} interface on the gateway's outside address and a
 * {@code vpn<n>} interface on its inside address. Reachability towards the customer gateway is
 * then modelled either with BGP (a neighbor to the customer gateway plus an iBGP pair between the
 * gateway and its single attached VPC) or with static routes taken from {@code _routes}.
 *
 * <p>If the gateway's configuration node does not exist, a red flag is recorded and nothing is
 * built.
 *
 * @param awsConfiguration source of the configuration nodes built so far (gateway and VPC)
 * @param region region holding the VPN gateway and VPC definitions
 * @param warnings sink for the missing-gateway red flag
 * @throws BatfishException if a tunnel has a customer-gateway BGP ASN while static routes are
 *     configured, or if BGP is used and the gateway is attached to a number of VPCs other than
 *     one
 */
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
  if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
    warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
    return;
  }
  Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
  for (int i = 0; i < _ipsecTunnels.size(); i++) {
    // tunnels are numbered from 1 in all generated names
    int idNum = i + 1;
    String vpnId = _vpnConnectionId + "-" + idNum;
    IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
    // An ASN of -1 is the "BGP not configured" marker used by this method. A tunnel that has BGP
    // and also static routes (static-only flag or explicit routes) is rejected outright.
    if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
      throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
    }
    // create representation structures and add to configuration node; every object is keyed by
    // vpnId on the gateway node
    IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
    IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
    vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
    ipsecVpn.setIpsecPolicy(ipsecPolicy);
    // NOTE(review): the meaning of the -1 passed to IpsecProposal and IkeProposal is not visible
    // here — confirm against their constructors.
    IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
    vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
    ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
    IkeGateway ikeGateway = new IkeGateway(vpnId);
    vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
    ipsecVpn.setIkeGateway(ikeGateway);
    IkePolicy ikePolicy = new IkePolicy(vpnId);
    vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
    ikeGateway.setIkePolicy(ikePolicy);
    IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
    vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
    ikePolicy.getProposals().put(vpnId, ikeProposal);
    // external<n>: the gateway's outside tunnel endpoint with a host-length prefix
    String externalInterfaceName = "external" + idNum;
    InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
    Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
    // vpn<n>: the gateway's inside (tunnel) address with the tunnel's inside prefix length
    String vpnInterfaceName = "vpn" + idNum;
    InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
    Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
    // Set fields within representation structures
    // ipsec: the VPN is bound to the inside interface; policy and proposal carry the tunnel's
    // PFS group, authentication and encryption algorithms, protocol and lifetime
    ipsecVpn.setBindInterface(vpnInterface);
    ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
    ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
    ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
    ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
    ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
    // ike: the gateway peers from the external interface to the customer gateway's outside
    // address
    ikeGateway.setExternalInterface(externalInterface);
    ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
    ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
    // Only the pre-shared-key hash is carried into the model, and only when present; without it
    // the proposal's authentication method is left unset here.
    if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
      ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
      ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
    }
    ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
    ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
    ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
    ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
    // bgp (if configured)
    if (ipsecTunnel.getVgwBgpAsn() != -1) {
      // The gateway's BGP process is created once and shared by all tunnels; its router ID is
      // the inside address of whichever tunnel created it.
      BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
      if (proc == null) {
        proc = new BgpProcess();
        proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
        proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
        vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
      }
      // neighbor towards the customer gateway's inside address, peering from the gateway's
      // inside address; communities are not sent to the customer side
      BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
      cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
      proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
      cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
      cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
      cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
      cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
      cgBgpNeighbor.setSendCommunity(false);
      // The gateway must be attached to exactly one VPC, otherwise there is no single place to
      // exchange routes with.
      // NOTE(review): region.getVpnGateways().get(_vpnGatewayId) is not null-checked — confirm
      // that a gateway with a configuration node always has a region entry.
      VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
      List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
      if (attachmentVpcIds.size() != 1) {
        throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
      }
      String vpcId = attachmentVpcIds.get(0);
      // iBGP connection to VPC: both ends use the gateway's ASN; the addresses come from the
      // gateway<->VPC link interfaces, each named after the peer on the other side
      Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
      Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
      Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
      BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
      proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
      vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
      vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
      vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
      vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
      vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
      vgwToVpcBgpNeighbor.setSendCommunity(true);
      // iBGP connection from VPC
      // NOTE(review): a fresh BgpProcess replaces whatever the VPC node already had, on every
      // tunnel iteration. Within one connection the replaced neighbor has the same prefix, but a
      // VPC reached through several gateways would keep only the last one's peering — confirm
      // whether that is intended.
      BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
      BgpProcess vpcProc = new BgpProcess();
      vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
      vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
      vpcProc.setRouterId(vpcIfaceAddress);
      vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
      vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
      vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
      vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
      vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
      vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
      vpcToVgwBgpNeighbor.setSendCommunity(true);
      // Routing policies for the iBGP pair:
      //  - gateway -> VPC export: set next-hop self, then accept routes whose protocol is BGP and
      //    reject everything else
      //  - gateway <- VPC import: ~REJECT_ALL~, a policy with no statements
      //  - VPC <- gateway import: ~ACCEPT_ALL~
      //  - VPC -> gateway export: ~REJECT_ALL~, again with no statements
      // NOTE(review): the reject-all policies rely on an empty RoutingPolicy evaluating to
      // "reject" — confirm that default.
      String rpRejectAllName = "~REJECT_ALL~";
      String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
      If acceptIffEbgp = new If();
      acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
      acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
      acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
      RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
      vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
      vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
      vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
      RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
      vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
      vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
      String rpAcceptAllName = "~ACCEPT_ALL~";
      RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
      vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
      vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
      vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
      RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
      vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
      vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
      // Origination policy (export towards the customer gateway): accept, with origin set to
      // IGP, exactly those STATIC routes whose destination equals one of the VPC's CIDR blocks
      // (the route filter line's prefix-length range is [len, len]); everything else is rejected.
      // The RouteFilterList shares the policy's name and is referenced through NamedPrefixSet.
      Vpc vpc = region.getVpcs().get(vpcId);
      String originationPolicyName = vpnId + "_origination";
      RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
      vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
      cgBgpNeighbor.setExportPolicy(originationPolicyName);
      If originationIf = new If();
      List<Statement> statements = originationRoutingPolicy.getStatements();
      statements.add(originationIf);
      statements.add(Statements.ExitReject.toStaticStatement());
      originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
      originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
      RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
      vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
      vpc.getCidrBlockAssociations().forEach(prefix -> {
        RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
        originationRouteFilter.addLine(matchOutgoingPrefix);
      });
      Conjunction conj = new Conjunction();
      originationIf.setGuard(conj);
      conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
      conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
    }
    // static routes (if configured): each configured prefix is routed to the customer gateway's
    // inside address with the default static administrative cost and metric
    for (Prefix staticRoutePrefix : _routes) {
      StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
      vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
    }
  }
}
Use of org.batfish.datamodel.Configuration in project batfish by batfish.
The class VpnGateway, method toConfigurationNode.
/**
 * Builds the configuration node for this VPN gateway and links it to every attached VPC.
 *
 * <p>For each VPC in {@code _attachmentVpcIds} a fresh link subnet is drawn from
 * {@code awsConfiguration}; the gateway gets an interface named after the VPC on one end and the
 * VPC router gets an interface named after this gateway on the other. The VPC definition is
 * told about the gateway, and the gateway gets a static route towards each of the VPC's CIDR
 * blocks via the VPC-side link address.
 *
 * @param awsConfiguration source of the already-built VPC nodes and of generated link subnets
 * @param region region holding the VPC definitions
 * @param warnings not used by this method; same parameter list as the other node builders
 * @return the populated gateway configuration node
 */
public Configuration toConfigurationNode(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
  Configuration gatewayNode = Utils.newAwsConfiguration(_vpnGatewayId, "aws");
  gatewayNode.getVendorFamily().getAws().setRegion(region.getName());
  for (String attachedVpcId : _attachmentVpcIds) {
    // one generated link per attached VPC: first address for the gateway, second for the VPC
    Pair<InterfaceAddress, InterfaceAddress> link = awsConfiguration.getNextGeneratedLinkSubnet();
    InterfaceAddress gatewaySideAddress = link.getFirst();
    InterfaceAddress vpcSideAddress = link.getSecond();
    // gateway-side interface, named after the VPC it reaches
    Utils.newInterface(attachedVpcId, gatewayNode, gatewaySideAddress);
    // VPC-side interface, named after this gateway
    Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(attachedVpcId);
    // NOTE(review): this Interface object is never used after construction; confirm whether the
    // constructor registers it with its owner before removing these two lines.
    Interface detachedVpcIface = new Interface(_vpnGatewayId, vpcNode);
    detachedVpcIface.setAddress(vpcSideAddress);
    Utils.newInterface(_vpnGatewayId, vpcNode, vpcSideAddress);
    // record the association on the VPC definition and route each of its CIDR blocks across
    // the link, with the default static administrative cost and metric
    Vpc attachedVpc = region.getVpcs().get(attachedVpcId);
    attachedVpc.setVpnGatewayId(_vpnGatewayId);
    attachedVpc.getCidrBlockAssociations().forEach(vpcPrefix -> {
      StaticRoute.Builder routeBuilder = StaticRoute.builder();
      routeBuilder.setNetwork(vpcPrefix);
      routeBuilder.setNextHopIp(vpcSideAddress.getIp());
      routeBuilder.setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN);
      routeBuilder.setMetric(Route.DEFAULT_STATIC_ROUTE_COST);
      gatewayNode.getDefaultVrf().getStaticRoutes().add(routeBuilder.build());
    });
  }
  return gatewayNode;
}