
Example 21 with Configuration

use of org.batfish.datamodel.Configuration in project batfish by batfish.

the class CiscoConfiguration method toVendorIndependentConfiguration.

/**
 * Converts this Cisco vendor-specific configuration into a vendor-independent
 * {@link Configuration}.
 *
 * <p>The passes below run in the order written, and later passes look up objects
 * that earlier passes put into {@code c} (VRFs by name for interfaces and routing
 * processes, IPsec proposals for IPsec policies, IKE gateways for IPsec VPNs), so
 * the order is significant. Reference marking and unused-structure warnings run
 * last, after every structure has been converted.
 *
 * @return the populated vendor-independent configuration
 * @throws BatfishException if an interface has no VRF name
 */
@Override
public Configuration toVendorIndependentConfiguration() {
    final Configuration c = new Configuration(_hostname, _vendor);
    c.getVendorFamily().setCisco(_cf);
    c.setRoles(_roles);
    // both default actions (inbound and cross-zone) are ACCEPT
    c.setDefaultInboundAction(LineAction.ACCEPT);
    c.setDefaultCrossZoneAction(LineAction.ACCEPT);
    c.setDnsServers(_dnsServers);
    c.setDnsSourceInterface(_dnsSourceInterface);
    c.setDomainName(_domainName);
    c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
    c.setTacacsServers(_tacacsServers);
    c.setTacacsSourceInterface(_tacacsSourceInterface);
    c.setNtpSourceInterface(_ntpSourceInterface);
    // NTP and logging servers are exported as sorted sets of the configured map keys
    if (_cf.getNtp() != null) {
        c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
    }
    if (_cf.getLogging() != null) {
        c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
        c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
    }
    c.setSnmpSourceInterface(_snmpSourceInterface);
    processLines();
    processFailoverSettings();
    // remove line login authentication lists if they don't exist
    // NOTE(review): `list` may be null for a line with no login authentication
    // configured; whether containsKey(null) is safe depends on the map type
    // returned by login.getLists() (a TreeMap would throw) — confirm.
    for (Line line : _cf.getLines().values()) {
        String list = line.getLoginAuthentication();
        boolean found = false;
        Aaa aaa = _cf.getAaa();
        if (aaa != null) {
            AaaAuthentication authentication = aaa.getAuthentication();
            if (authentication != null) {
                AaaAuthenticationLogin login = authentication.getLogin();
                if (login != null && login.getLists().containsKey(list)) {
                    found = true;
                }
            }
        }
        if (!found) {
            line.setLoginAuthentication(null);
        }
    }
    // initialize vrfs
    // Only VRFs present in _vrfs exist in c from here on; every later
    // c.getVrfs().get(name) relies on that.
    for (String vrfName : _vrfs.keySet()) {
        c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
    }
    // snmp server
    // NOTE(review): if the snmp server's VRF is not one of _vrfs, get() returns
    // null and the setSnmpServer call throws a bare NullPointerException;
    // consider diagnosing the unknown VRF name explicitly.
    if (_snmpServer != null) {
        String snmpServerVrf = _snmpServer.getVrf();
        c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
    }
    // convert as path access lists to vendor independent format
    for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
        AsPathAccessList apList = toAsPathAccessList(pathList);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert as-path-sets to vendor independent format
    // (as-path-sets share the AsPathAccessList map with the access lists above;
    // a name collision would overwrite the earlier entry)
    for (AsPathSet asPathSet : _asPathSets.values()) {
        AsPathAccessList apList = toAsPathAccessList(asPathSet);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert standard/expanded community lists to community lists
    // standard lists are first widened to expanded form so one converter serves both
    for (StandardCommunityList scList : _standardCommunityLists.values()) {
        ExpandedCommunityList ecList = scList.toExpandedCommunityList();
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    // convert prefix lists to route filter lists
    for (PrefixList prefixList : _prefixLists.values()) {
        RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
        c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert ipv6 prefix lists to route6 filter lists
    for (Prefix6List prefixList : _prefix6Lists.values()) {
        Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
        c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert standard/extended access lists to access lists or route filter
    // lists
    // Standard ACLs are widened to extended form first; an ACL that is also used
    // for routing is exported twice (as a route filter list and as an IP access
    // list), and the "used for routing" referer mark goes on the standard parent
    // when the extended list was derived from one.
    List<ExtendedAccessList> allACLs = new ArrayList<>();
    for (StandardAccessList saList : _standardAccessLists.values()) {
        ExtendedAccessList eaList = saList.toExtendedAccessList();
        allACLs.add(eaList);
    }
    allACLs.addAll(_extendedAccessLists.values());
    for (ExtendedAccessList eaList : allACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardAccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            RouteFilterList rfList = toRouteFilterList(eaList);
            c.getRouteFilterLists().put(rfList.getName(), rfList);
        }
        IpAccessList ipaList = toIpAccessList(eaList);
        c.getIpAccessLists().put(ipaList.getName(), ipaList);
    }
    // convert standard/extended ipv6 access lists to ipv6 access lists or
    // route6 filter
    // lists
    // (same scheme as the IPv4 pass above)
    List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
    for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
        ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
        allIpv6ACLs.add(eaList);
    }
    allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
    for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardIpv6AccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            Route6FilterList rfList = toRoute6FilterList(eaList);
            c.getRoute6FilterLists().put(rfList.getName(), rfList);
        }
        Ip6AccessList ipaList = toIp6AccessList(eaList);
        c.getIp6AccessLists().put(ipaList.getName(), ipaList);
    }
    // convert route maps to policy maps
    Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
    for (RouteMap map : _routeMaps.values()) {
        convertForPurpose(routingRouteMaps, map);
        // convert route maps to RoutingPolicy objects
        RoutingPolicy newPolicy = toRoutingPolicy(c, map);
        c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
    }
    // convert RoutePolicy to RoutingPolicy
    // (route policies share the routing-policy map with route maps above)
    for (RoutePolicy routePolicy : _routePolicies.values()) {
        RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
        c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
    }
    // convert interfaces
    // Each interface is registered both on the node and on its VRF. Only a
    // missing VRF name is diagnosed; NOTE(review): a VRF name that is not one
    // of _vrfs makes c.getVrfs().get(vrfName) return null and the last line of
    // the lambda throw a bare NullPointerException.
    _interfaces.forEach((ifaceName, iface) -> {
        org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
        String vrfName = iface.getVrf();
        if (vrfName == null) {
            throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
        }
        c.getInterfaces().put(ifaceName, newInterface);
        c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
    });
    // apply vrrp settings to interfaces
    applyVrrp(c);
    // get IKE proposals
    for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
        c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
    }
    addIkePoliciesAndGateways(c);
    // ipsec proposals
    for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
        c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
    }
    // ipsec policies
    // A profile whose transform set was not converted above yields a policy
    // with no proposals (no warning is emitted for that case).
    for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
        String name = e.getKey();
        IpsecProfile profile = e.getValue();
        IpsecPolicy policy = new IpsecPolicy(name);
        policy.setPfsKeyGroup(profile.getPfsGroup());
        String transformSetName = profile.getTransformSet();
        if (c.getIpsecProposals().containsKey(transformSetName)) {
            policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
        }
        c.getIpsecPolicies().put(name, policy);
    }
    // ipsec vpns
    // One IpsecVpn per IPsec-mode tunnel interface, bound to the converted
    // interface of the same name. The IKE gateway is matched on (local ip,
    // peer address); the loop has no break, so if several gateways match the
    // last one wins. NOTE(review): an ipsec profile name that is not among the
    // converted policies makes setIpsecPolicy receive null without a warning.
    for (Entry<String, Interface> e : _interfaces.entrySet()) {
        String name = e.getKey();
        Interface iface = e.getValue();
        Tunnel tunnel = iface.getTunnel();
        if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
            IpsecVpn ipsecVpn = new IpsecVpn(name, c);
            ipsecVpn.setBindInterface(c.getInterfaces().get(name));
            ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
            Ip source = tunnel.getSource();
            Ip destination = tunnel.getDestination();
            if (source == null || destination == null) {
                _w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
            } else {
                for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
                    if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
                        ipsecVpn.setIkeGateway(ikeGateway);
                    }
                }
                if (ipsecVpn.getIkeGateway() == null) {
                    _w.redFlag("Can't find matching IkeGateway for " + name);
                }
            }
            c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
        }
    }
    // convert routing processes
    _vrfs.forEach((vrfName, vrf) -> {
        org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
        // add snmp trap servers to main list
        if (newVrf.getSnmpServer() != null) {
            c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
        }
        // convert static routes
        for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
            newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
        }
        // convert rip process
        RipProcess ripProcess = vrf.getRipProcess();
        if (ripProcess != null) {
            org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
            newVrf.setRipProcess(newRipProcess);
        }
        // convert ospf process
        OspfProcess ospfProcess = vrf.getOspfProcess();
        if (ospfProcess != null) {
            org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
            newVrf.setOspfProcess(newOspfProcess);
        }
        // convert isis process
        IsisProcess isisProcess = vrf.getIsisProcess();
        if (isisProcess != null) {
            org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
            newVrf.setIsisProcess(newIsisProcess);
        }
        // convert bgp process
        BgpProcess bgpProcess = vrf.getBgpProcess();
        if (bgpProcess != null) {
            org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
            // c.getVrfs().get(vrfName) is the same object as newVrf
            c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
        }
    });
    // warn about references to undefined peer groups
    for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
        String name = e.getKey();
        int line = e.getValue();
        undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
    }
    // mark references to IPv4/6 ACLs that may not appear in data model
    markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
    markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
    markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
    markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
    markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
    markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
    markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
    markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
    markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
    markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
    markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
    markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
    markAcls(CiscoStructureUsage.SSH_ACL);
    markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
    markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
    markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
    markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
    markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
    // mark references to mac-ACLs that may not appear in data model
    // TODO: fill in
    // mark references to route-maps that may not appear in data model
    markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
    markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
    markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
    markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
    // Cable
    markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
    markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
    markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
    markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
    markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
    markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
    // L2tp
    markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
    // Vpn
    markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
    markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
    markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
    // warn about unreferenced data structures
    // (must come after all marking above, otherwise structures referenced only
    // by the marked usages would be reported as unused)
    warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
    warnUnusedCommunityLists();
    warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
    warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
    warnUnusedDocsisPolicies();
    warnUnusedDocsisPolicyRules();
    warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
    warnUnusedIpAccessLists();
    warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
    warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
    warnUnusedIpv6AccessLists();
    warnUnusedKeyrings();
    warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
    warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
    warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
    warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
    warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
    warnUnusedPeerGroups();
    warnUnusedPeerSessions();
    warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
    warnUnusedServiceClasses();
    c.simplifyRoutingPolicies();
    c.computeRoutingPolicySources(_w);
    return c;
}

Example 22 with Configuration

use of org.batfish.datamodel.Configuration in project batfish by batfish.

the class Subnet method toConfigurationNode.

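/**
 * Builds the vendor-independent node for this subnet and wires it to the VPC
 * router node: one interface facing the instances, one point-to-point link to
 * the VPC router (with a matching interface on the VPC side), a static route on
 * the VPC router for this subnet's CIDR block, a default route on the subnet
 * node towards the VPC router, and the subnet's network ACL as the
 * incoming/outgoing filter on the link to the VPC.
 *
 * @param awsConfiguration holds the already-created configuration nodes (the VPC
 *        router node for {@code _vpcId} must already exist) and the generator
 *        for link subnets
 * @param region the region whose network ACLs are searched for this subnet's ACL
 * @param warnings not used by this method
 * @return the subnet's configuration node
 * @throws NullPointerException if the VPC router node or this subnet's network
 *         ACL cannot be found (with a message naming the missing object)
 */
public Configuration toConfigurationNode(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    Configuration cfgNode = Utils.newAwsConfiguration(_subnetId, "aws");
    // add one interface that faces the instances
    String instancesIfaceName = _subnetId;
    Ip instancesIfaceIp = computeInstancesIfaceIp();
    InterfaceAddress instancesIfaceAddress = new InterfaceAddress(instancesIfaceIp, _cidrBlock.getPrefixLength());
    Utils.newInterface(instancesIfaceName, cfgNode, instancesIfaceAddress);
    // generate a prefix for the link between the VPC router and the subnet
    Pair<InterfaceAddress, InterfaceAddress> vpcSubnetLinkPrefix = awsConfiguration.getNextGeneratedLinkSubnet();
    InterfaceAddress subnetIfaceAddress = vpcSubnetLinkPrefix.getFirst();
    InterfaceAddress vpcIfaceAddress = vpcSubnetLinkPrefix.getSecond();
    // add an interface that faces the VPC router
    String subnetIfaceName = _vpcId;
    Interface subnetToVpc = Utils.newInterface(subnetIfaceName, cfgNode, subnetIfaceAddress);
    // add a corresponding interface on the VPC router facing the subnet.
    // Fail with a message naming the ids rather than a bare NPE when the VPC
    // node was never created (e.g. the subnet references an unknown VPC id).
    Configuration vpcConfigNode = java.util.Objects.requireNonNull(
            awsConfiguration.getConfigurationNodes().get(_vpcId),
            "VPC node \"" + _vpcId + "\" not found for subnet \"" + _subnetId + "\"");
    String vpcIfaceName = _subnetId;
    Utils.newInterface(vpcIfaceName, vpcConfigNode, vpcIfaceAddress);
    // add a static route on the vpc router for this subnet
    StaticRoute.Builder sb = StaticRoute.builder().setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST);
    StaticRoute vpcToSubnetRoute = sb.setNetwork(_cidrBlock).setNextHopIp(subnetIfaceAddress.getIp()).build();
    vpcConfigNode.getDefaultVrf().getStaticRoutes().add(vpcToSubnetRoute);
    // Install a default static route towards the VPC router. The builder is
    // reused on purpose: admin cost and metric are already set, only the
    // network and next hop change.
    StaticRoute defaultRoute = sb.setNetwork(Prefix.ZERO).setNextHopIp(vpcIfaceAddress.getIp()).build();
    cfgNode.getDefaultVrf().getStaticRoutes().add(defaultRoute);
    // apply this subnet's network ACL on the link to the VPC router
    NetworkAcl myNetworkAcl = java.util.Objects.requireNonNull(
            findMyNetworkAcl(region.getNetworkAcls()),
            "No network ACL found for subnet \"" + _subnetId + "\"");
    IpAccessList inAcl = myNetworkAcl.getIngressAcl();
    IpAccessList outAcl = myNetworkAcl.getEgressAcl();
    cfgNode.getIpAccessLists().put(inAcl.getName(), inAcl);
    cfgNode.getIpAccessLists().put(outAcl.getName(), outAcl);
    subnetToVpc.setIncomingFilter(inAcl);
    subnetToVpc.setOutgoingFilter(outAcl);
    cfgNode.getVendorFamily().getAws().setVpcId(_vpcId);
    cfgNode.getVendorFamily().getAws().setSubnetId(_subnetId);
    cfgNode.getVendorFamily().getAws().setRegion(region.getName());
    return cfgNode;
}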

Example 23 with Configuration

use of org.batfish.datamodel.Configuration in project batfish by batfish.

the class Utils method newAwsConfiguration.

/**
 * Creates a fresh AWS-format {@link Configuration} with the given hostname and
 * domain name, a default VRF owned by it, and an empty {@link AwsFamily} set on
 * its vendor family. Both default actions (inbound and cross-zone) are ACCEPT.
 *
 * @param name hostname of the new node
 * @param domainName domain name of the new node
 * @return the new configuration
 */
public static Configuration newAwsConfiguration(String name, String domainName) {
    Configuration node =
        FACTORY
            .configurationBuilder()
            .setHostname(name)
            .setDomainName(domainName)
            .setConfigurationFormat(ConfigurationFormat.AWS)
            .setDefaultInboundAction(LineAction.ACCEPT)
            .setDefaultCrossZoneAction(LineAction.ACCEPT)
            .build();
    // The built Vrf is not kept here; it is tied to the node through
    // setOwner(node) (presumably the builder registers it on its owner — verify).
    FACTORY.vrfBuilder().setName(Configuration.DEFAULT_VRF_NAME).setOwner(node).build();
    node.getVendorFamily().setAws(new AwsFamily());
    return node;
}

Example 24 with Configuration

use of org.batfish.datamodel.Configuration in project batfish by batfish.

the class VpnConnection method applyToVpnGateway.

/**
 * Adds this VPN connection's IPsec tunnels to the VPN gateway's configuration
 * node. For every tunnel it creates an IpsecVpn / IpsecPolicy / IpsecProposal /
 * IkeGateway / IkePolicy / IkeProposal set (all keyed by the per-tunnel id
 * {@code <connectionId>-<n>}), an external and a vpn interface, and then either
 * BGP peering (an eBGP neighbor towards the customer gateway plus an iBGP pair
 * between the gateway and its single attached VPC, with the accompanying
 * routing policies) or static routes towards the customer gateway.
 *
 * @param awsConfiguration holds the already-created configuration nodes
 * @param region the region whose VPN gateways and VPCs are looked up by id
 * @param warnings receives a red flag when the VPN gateway node does not exist
 * @throws BatfishException if a tunnel has a customer-gateway BGP ASN while
 *         static routes are configured, or if the VPN gateway is attached to a
 *         number of VPCs other than one
 */
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
        warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
        return;
    }
    Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
    for (int i = 0; i < _ipsecTunnels.size(); i++) {
        // tunnels are numbered from 1 in ids and interface names
        int idNum = i + 1;
        String vpnId = _vpnConnectionId + "-" + idNum;
        IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
        // NOTE(review): this guard keys on the customer-gateway ASN, while the
        // BGP block below is entered on the VPN-gateway ASN; confirm that both
        // are always set together, otherwise a tunnel can reach the BGP block
        // with static routes configured.
        if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || _routes.size() != 0)) {
            throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
        }
        // create representation structures and add to configuration node
        IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
        vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
        IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
        vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
        ipsecVpn.setIpsecPolicy(ipsecPolicy);
        IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
        vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
        ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
        IkeGateway ikeGateway = new IkeGateway(vpnId);
        vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
        ipsecVpn.setIkeGateway(ikeGateway);
        IkePolicy ikePolicy = new IkePolicy(vpnId);
        vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
        ikeGateway.setIkePolicy(ikePolicy);
        IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
        vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
        ikePolicy.getProposals().put(vpnId, ikeProposal);
        // "external<n>": the gateway's outside (public) address as a host route;
        // "vpn<n>": the inside address of the tunnel
        String externalInterfaceName = "external" + idNum;
        InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
        Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
        String vpnInterfaceName = "vpn" + idNum;
        InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
        Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
        // Set fields within representation structures
        // ipsec
        ipsecVpn.setBindInterface(vpnInterface);
        ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
        ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
        ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
        ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
        ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
        // ike
        ikeGateway.setExternalInterface(externalInterface);
        ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
        ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
        // only the pre-shared key's hash is carried into the model; the key
        // itself is never read here
        if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
            ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
            ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
        }
        ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
        ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
        ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
        ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
        // bgp (if configured)
        if (ipsecTunnel.getVgwBgpAsn() != -1) {
            // the gateway's BGP process is shared across tunnels: created once, then reused
            BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
            if (proc == null) {
                proc = new BgpProcess();
                proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
                proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
                vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
            }
            // eBGP neighbor towards the customer gateway, over the tunnel's inside addresses
            BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
            cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
            cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
            cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
            cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            cgBgpNeighbor.setSendCommunity(false);
            // NOTE(review): region.getVpnGateways().get(_vpnGatewayId) and the
            // VPC node / interface lookups below are not null-checked; a missing
            // entry surfaces as a bare NullPointerException.
            VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
            List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
            if (attachmentVpcIds.size() != 1) {
                throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
            }
            String vpcId = attachmentVpcIds.get(0);
            // iBGP connection to VPC
            // addresses of the two ends of the gateway<->VPC link: the VPC-side
            // interface is named after the gateway, the gateway-side one after the VPC
            Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
            Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
            Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
            BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
            proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
            vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
            vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vgwToVpcBgpNeighbor.setSendCommunity(true);
            // iBGP connection from VPC
            // NOTE(review): unlike the gateway side above, a brand-new BgpProcess
            // is installed on the VPC node on every iteration, so with more than
            // one BGP tunnel (or several VPN connections to the same VPC) each
            // iteration replaces the process and neighbor created by the previous
            // one — confirm whether the existing process should be reused instead.
            BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
            BgpProcess vpcProc = new BgpProcess();
            vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
            vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
            vpcProc.setRouterId(vpcIfaceAddress);
            vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
            vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
            vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
            vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
            vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
            vpcToVgwBgpNeighbor.setSendCommunity(true);
            // Policies on the gateway<->VPC pair: the gateway exports only BGP-learned
            // routes (with next-hop-self) and imports nothing; the VPC imports
            // everything and exports nothing. The names are fixed, so repeated
            // iterations simply replace equivalent policies.
            String rpRejectAllName = "~REJECT_ALL~";
            String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
            If acceptIffEbgp = new If();
            acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
            acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
            RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
            vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
            vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
            // a policy with no statements: nothing is accepted
            RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
            vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
            String rpAcceptAllName = "~ACCEPT_ALL~";
            RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
            vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
            vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
            RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
            vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
            vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
            // Origination policy towards the customer gateway: accept (with origin
            // IGP) only static routes whose destination is one of the VPC's CIDR
            // blocks, reject everything else. The route filter list shares the
            // policy's name and is referenced by it via NamedPrefixSet.
            Vpc vpc = region.getVpcs().get(vpcId);
            String originationPolicyName = vpnId + "_origination";
            RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
            vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
            cgBgpNeighbor.setExportPolicy(originationPolicyName);
            If originationIf = new If();
            List<Statement> statements = originationRoutingPolicy.getStatements();
            statements.add(originationIf);
            statements.add(Statements.ExitReject.toStaticStatement());
            originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
            originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
            RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
            vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
            vpc.getCidrBlockAssociations().forEach(prefix -> {
                // exact-length match only: the line's SubRange is [len, len]
                RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
                originationRouteFilter.addLine(matchOutgoingPrefix);
            });
            Conjunction conj = new Conjunction();
            originationIf.setGuard(conj);
            conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
            conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
        }
        // static routes (if configured)
        // each configured prefix is routed over this tunnel's customer-gateway inside address
        for (Prefix staticRoutePrefix : _routes) {
            StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
            vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
        }
    }
}


Class VpnGateway, method toConfigurationNode.

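/**
 * Builds the vendor-independent {@link Configuration} node for this VPN gateway and links it to
 * every VPC the gateway is attached to.
 *
 * <p>For each id in {@code _attachmentVpcIds}: a fresh link subnet is taken from
 * {@code awsConfiguration}; an interface named after the VPC is created on the gateway node and an
 * interface named after this gateway is created on the VPC's node; the VPC is marked as using this
 * gateway; and one static route per VPC CIDR block is installed in the gateway's default VRF with
 * the VPC side of the link as next hop.
 *
 * @param awsConfiguration holds the per-VPC configuration nodes built earlier and hands out link
 *     subnets; the VPC nodes it holds are modified in place
 * @param region the region this gateway lives in; its VPC table is read and the matching
 *     {@code Vpc} entries are updated
 * @param warnings currently unused by this method (kept for signature compatibility)
 * @return the newly created gateway node
 * @throws NullPointerException if an attached VPC id has no configuration node in
 *     {@code awsConfiguration} or no entry in the region's VPC table
 */
public Configuration toConfigurationNode(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    Configuration cfgNode = Utils.newAwsConfiguration(_vpnGatewayId, "aws");
    cfgNode.getVendorFamily().getAws().setRegion(region.getName());
    for (String vpcId : _attachmentVpcIds) {
        // Resolve both lookups up front and fail with a message naming the VPC, rather than an
        // anonymous NPE deep inside Utils, when the AWS data references a VPC that was never
        // converted. Doing this before the subnet allocation also avoids consuming a link subnet
        // for an attachment that cannot be built.
        Configuration vpcConfigNode = java.util.Objects.requireNonNull(
            awsConfiguration.getConfigurationNodes().get(vpcId),
            () -> "No configuration node for VPC " + vpcId + " attached to VPN gateway " + _vpnGatewayId);
        Vpc vpc = java.util.Objects.requireNonNull(
            region.getVpcs().get(vpcId),
            () -> "No VPC " + vpcId + " in region " + region.getName() + " for VPN gateway " + _vpnGatewayId);

        // One link subnet per attachment: first address on the gateway side, second on the VPC side.
        Pair<InterfaceAddress, InterfaceAddress> vpcLink = awsConfiguration.getNextGeneratedLinkSubnet();
        InterfaceAddress vgwIfaceAddress = vpcLink.getFirst();
        InterfaceAddress vpcIfaceAddress = vpcLink.getSecond();

        // The gateway-side interface is named after the VPC; the VPC-side one after this gateway.
        // Utils.newInterface creates and attaches the interface, so no separate Interface object
        // needs to be constructed here.
        String vgwIfaceName = vpcId;
        String vpcIfaceName = _vpnGatewayId;
        Utils.newInterface(vgwIfaceName, cfgNode, vgwIfaceAddress);
        Utils.newInterface(vpcIfaceName, vpcConfigNode, vpcIfaceAddress);

        // associate this gateway with the vpc
        vpc.setVpnGatewayId(_vpnGatewayId);

        // add a route on the gateway for each of the vpc's CIDR blocks, via the vpc side of the link
        vpc.getCidrBlockAssociations().forEach(prefix -> {
            StaticRoute vgwVpcRoute = StaticRoute.builder()
                .setNetwork(prefix)
                .setNextHopIp(vpcIfaceAddress.getIp())
                .setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN)
                .setMetric(Route.DEFAULT_STATIC_ROUTE_COST)
                .build();
            cfgNode.getDefaultVrf().getStaticRoutes().add(vgwVpcRoute);
        });
    }
    return cfgNode;
}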

