use of org.batfish.datamodel.Flow in project batfish by batfish.
the class CommonUtil method initRemoteBgpNeighbors.
/**
* Initialize BGP neighbors for all nodes.
*
* @param configurations map of all configurations, keyed by hostname
* @param ipOwners mapping of Ips to a set of nodes (hostnames) that owns those IPs
* @param checkReachability whether bgp neighbor reachability should be checked
* @param flowProcessor dataplane plugin to use to check reachability. Must not be {@code null} if
* {@code checkReachability = true}
* @param dp dataplane to use to check reachability. Must not be {@code null} if {@code
* checkReachability = true}
*/
public static void initRemoteBgpNeighbors(Map<String, Configuration> configurations, Map<Ip, Set<String>> ipOwners, boolean checkReachability, @Nullable FlowProcessor flowProcessor, @Nullable DataPlane dp) {
// TODO: handle duplicate ips on different vrfs
Map<BgpNeighbor, Ip> remoteAddresses = new IdentityHashMap<>();
Map<Ip, Set<BgpNeighbor>> localAddresses = new HashMap<>();
/*
* Construct maps indicating which neighbor owns which Ip Address
*/
for (Configuration node : configurations.values()) {
String hostname = node.getHostname();
for (Vrf vrf : node.getVrfs().values()) {
BgpProcess proc = vrf.getBgpProcess();
if (proc == null) {
// nothing to do if no bgp process on this VRF
continue;
}
for (BgpNeighbor bgpNeighbor : proc.getNeighbors().values()) {
/*
* Begin by initializing candidate neighbors to an empty set
*/
bgpNeighbor.initCandidateRemoteBgpNeighbors();
// Skip things we don't handle
if (bgpNeighbor.getPrefix().getPrefixLength() < Prefix.MAX_PREFIX_LENGTH) {
throw new BatfishException(hostname + ": Do not support dynamic bgp sessions at this time: " + bgpNeighbor.getPrefix());
}
Ip remoteAddress = bgpNeighbor.getAddress();
if (remoteAddress == null) {
throw new BatfishException(hostname + ": Could not determine remote address of bgp neighbor: " + bgpNeighbor);
}
Ip localAddress = bgpNeighbor.getLocalIp();
if (localAddress == null || !ipOwners.containsKey(localAddress) || !ipOwners.get(localAddress).contains(hostname)) {
// Local address is not owned by anybody
continue;
}
remoteAddresses.put(bgpNeighbor, remoteAddress);
// Add this neighbor as owner of its local address
localAddresses.computeIfAbsent(localAddress, k -> Collections.newSetFromMap(new IdentityHashMap<>())).add(bgpNeighbor);
}
}
}
/*
* For each neighbor, construct the set of candidate neighbors, then filter out impossible
* sessions.
*/
for (Entry<BgpNeighbor, Ip> e : remoteAddresses.entrySet()) {
BgpNeighbor bgpNeighbor = e.getKey();
Ip remoteAddress = e.getValue();
Ip localAddress = bgpNeighbor.getLocalIp();
int localLocalAs = bgpNeighbor.getLocalAs();
int localRemoteAs = bgpNeighbor.getRemoteAs();
/*
* Let the set of candidate neighbors be set of neighbors that own the remoteAddress
*/
Set<BgpNeighbor> remoteBgpNeighborCandidates = localAddresses.get(remoteAddress);
if (remoteBgpNeighborCandidates == null) {
// No possible remote neighbors
continue;
}
/*
* Filter the set of candidate neighbors based on these checks:
* - Remote neighbor's remote address is the same as our local address
* - Remote neighbor's remote AS is the same as our local AS (and vice-versa)
*/
for (BgpNeighbor remoteBgpNeighborCandidate : remoteBgpNeighborCandidates) {
int remoteLocalAs = remoteBgpNeighborCandidate.getLocalAs();
int remoteRemoteAs = remoteBgpNeighborCandidate.getRemoteAs();
Ip reciprocalRemoteIp = remoteBgpNeighborCandidate.getAddress();
if (localAddress.equals(reciprocalRemoteIp) && localLocalAs == remoteRemoteAs && localRemoteAs == remoteLocalAs) {
/*
* Fairly confident establishing the session is possible here, but still check
* reachability if needed.
* We should check reachability only for eBgp multihop or iBgp
*/
if (checkReachability && (bgpNeighbor.getEbgpMultihop() || localLocalAs == remoteLocalAs)) {
/*
* Ensure that the session can be established by running traceroute in both directions
*/
if (flowProcessor == null || dp == null) {
throw new BatfishException("Cannot compute neighbor reachability without a dataplane");
}
Flow.Builder fb = new Flow.Builder();
fb.setIpProtocol(IpProtocol.TCP);
fb.setTag("neighbor-resolution");
fb.setIngressNode(bgpNeighbor.getOwner().getHostname());
fb.setSrcIp(localAddress);
fb.setDstIp(remoteAddress);
fb.setSrcPort(NamedPort.EPHEMERAL_LOWEST.number());
fb.setDstPort(NamedPort.BGP.number());
Flow forwardFlow = fb.build();
fb.setIngressNode(remoteBgpNeighborCandidate.getOwner().getHostname());
fb.setSrcIp(forwardFlow.getDstIp());
fb.setDstIp(forwardFlow.getSrcIp());
fb.setSrcPort(forwardFlow.getDstPort());
fb.setDstPort(forwardFlow.getSrcPort());
Flow backwardFlow = fb.build();
SortedMap<Flow, Set<FlowTrace>> traces = flowProcessor.processFlows(dp, ImmutableSet.of(forwardFlow, backwardFlow));
if (traces.values().stream().map(fts -> fts.stream().allMatch(ft -> ft.getDisposition() != FlowDisposition.ACCEPTED)).anyMatch(Predicate.isEqual(true))) {
/*
* If either flow has all traceroutes fail, do not consider the neighbor valid
*/
continue;
}
bgpNeighbor.getCandidateRemoteBgpNeighbors().add(remoteBgpNeighborCandidate);
} else {
bgpNeighbor.getCandidateRemoteBgpNeighbors().add(remoteBgpNeighborCandidate);
}
}
}
Set<BgpNeighbor> finalCandidates = bgpNeighbor.getCandidateRemoteBgpNeighbors();
if (finalCandidates.size() > 1) {
/* If we still have not narrowed it down to a single neighbor,
* pick based on sorted hostnames
*/
SortedMap<String, BgpNeighbor> hostnameToNeighbor = finalCandidates.stream().collect(ImmutableSortedMap.toImmutableSortedMap(String::compareTo, k -> k.getOwner().getHostname(), Function.identity()));
bgpNeighbor.setRemoteBgpNeighbor(hostnameToNeighbor.get(hostnameToNeighbor.firstKey()));
} else if (finalCandidates.size() == 1) {
bgpNeighbor.setRemoteBgpNeighbor(finalCandidates.iterator().next());
} else {
bgpNeighbor.setRemoteBgpNeighbor(null);
}
}
}
use of org.batfish.datamodel.Flow in project batfish by batfish.
the class BdpEngine method processFlows.
@Override
public SortedMap<Flow, Set<FlowTrace>> processFlows(DataPlane dataPlane, Set<Flow> flows) {
Map<Flow, Set<FlowTrace>> flowTraces = new ConcurrentHashMap<>();
BdpDataPlane dp = (BdpDataPlane) dataPlane;
flows.parallelStream().forEach(flow -> {
Set<FlowTrace> currentFlowTraces = new TreeSet<>();
flowTraces.put(flow, currentFlowTraces);
String ingressNodeName = flow.getIngressNode();
if (ingressNodeName == null) {
throw new BatfishException("Cannot construct flow trace since ingressNode is not specified");
}
Ip dstIp = flow.getDstIp();
if (dstIp == null) {
throw new BatfishException("Cannot construct flow trace since dstIp is not specified");
}
Set<Edge> visitedEdges = Collections.emptySet();
List<FlowTraceHop> hops = new ArrayList<>();
Set<String> dstIpOwners = dp._ipOwners.get(dstIp);
SortedSet<Edge> edges = new TreeSet<>();
String ingressInterfaceName = flow.getIngressInterface();
if (ingressInterfaceName != null) {
edges.add(new Edge(TRACEROUTE_INGRESS_NODE_NAME, TRACEROUTE_INGRESS_NODE_INTERFACE_NAME, ingressNodeName, ingressInterfaceName));
processCurrentNextHopInterfaceEdges(dp, TRACEROUTE_INGRESS_NODE_NAME, visitedEdges, hops, currentFlowTraces, flow, flow, dstIp, dstIpOwners, null, new TreeSet<>(), null, null, edges, false);
} else {
collectFlowTraces(dp, ingressNodeName, visitedEdges, hops, currentFlowTraces, flow, flow);
}
});
return new TreeMap<>(flowTraces);
}
use of org.batfish.datamodel.Flow in project batfish by batfish.
the class BdpEngine method applySourceNat.
/**
* Applies the given list of source NAT rules to the given flow and returns the new transformed
* flow. If {@code sourceNats} is null, empty, or does not contain any ACL rules matching the
* {@link Flow}, the original flow is returned.
*
* <p>Each {@link SourceNat} is expected to be valid: it must have a NAT IP or pool.
*/
static Flow applySourceNat(Flow flow, @Nullable List<SourceNat> sourceNats) {
if (CommonUtil.isNullOrEmpty(sourceNats)) {
return flow;
}
Optional<SourceNat> matchingSourceNat = sourceNats.stream().filter(sourceNat -> sourceNat.getAcl() != null && sourceNat.getAcl().filter(flow).getAction() != LineAction.REJECT).findFirst();
if (!matchingSourceNat.isPresent()) {
// No NAT rule matched.
return flow;
}
SourceNat sourceNat = matchingSourceNat.get();
Ip natPoolStartIp = sourceNat.getPoolIpFirst();
if (natPoolStartIp == null) {
throw new BatfishException(String.format("Error processing Source NAT rule %s: missing NAT address or pool", sourceNat));
}
Flow.Builder transformedFlowBuilder = new Flow.Builder(flow);
transformedFlowBuilder.setSrcIp(natPoolStartIp);
return transformedFlowBuilder.build();
}
use of org.batfish.datamodel.Flow in project batfish by batfish.
the class Batfish method pathDiff.
@Override
public AnswerElement pathDiff(ReachabilitySettings reachabilitySettings) {
Settings settings = getSettings();
checkDifferentialDataPlaneQuestionDependencies();
String tag = getDifferentialFlowTag();
// load base configurations and generate base data plane
pushBaseEnvironment();
Map<String, Configuration> baseConfigurations = loadConfigurations();
Synthesizer baseDataPlaneSynthesizer = synthesizeDataPlane();
Topology baseTopology = getEnvironmentTopology();
popEnvironment();
// load diff configurations and generate diff data plane
pushDeltaEnvironment();
Map<String, Configuration> diffConfigurations = loadConfigurations();
Synthesizer diffDataPlaneSynthesizer = synthesizeDataPlane();
Topology diffTopology = getEnvironmentTopology();
popEnvironment();
pushDeltaEnvironment();
SortedSet<String> blacklistNodes = getNodeBlacklist();
Set<NodeInterfacePair> blacklistInterfaces = getInterfaceBlacklist();
SortedSet<Edge> blacklistEdges = getEdgeBlacklist();
popEnvironment();
BlacklistDstIpQuerySynthesizer blacklistQuery = new BlacklistDstIpQuerySynthesizer(null, blacklistNodes, blacklistInterfaces, blacklistEdges, baseConfigurations);
// compute composite program and flows
List<Synthesizer> commonEdgeSynthesizers = ImmutableList.of(baseDataPlaneSynthesizer, diffDataPlaneSynthesizer, baseDataPlaneSynthesizer);
List<CompositeNodJob> jobs = new ArrayList<>();
// generate local edge reachability and black hole queries
SortedSet<Edge> diffEdges = diffTopology.getEdges();
for (Edge edge : diffEdges) {
String ingressNode = edge.getNode1();
String outInterface = edge.getInt1();
String vrf = diffConfigurations.get(ingressNode).getInterfaces().get(outInterface).getVrf().getName();
ReachEdgeQuerySynthesizer reachQuery = new ReachEdgeQuerySynthesizer(ingressNode, vrf, edge, true, reachabilitySettings.getHeaderSpace());
ReachEdgeQuerySynthesizer noReachQuery = new ReachEdgeQuerySynthesizer(ingressNode, vrf, edge, true, new HeaderSpace());
noReachQuery.setNegate(true);
List<QuerySynthesizer> queries = ImmutableList.of(reachQuery, noReachQuery, blacklistQuery);
SortedSet<Pair<String, String>> nodes = ImmutableSortedSet.of(new Pair<>(ingressNode, vrf));
CompositeNodJob job = new CompositeNodJob(settings, commonEdgeSynthesizers, queries, nodes, tag);
jobs.add(job);
}
// we also need queries for nodes next to edges that are now missing,
// in the case that those nodes still exist
List<Synthesizer> missingEdgeSynthesizers = ImmutableList.of(baseDataPlaneSynthesizer, baseDataPlaneSynthesizer);
SortedSet<Edge> baseEdges = baseTopology.getEdges();
SortedSet<Edge> missingEdges = ImmutableSortedSet.copyOf(Sets.difference(baseEdges, diffEdges));
for (Edge missingEdge : missingEdges) {
String ingressNode = missingEdge.getNode1();
String outInterface = missingEdge.getInt1();
if (diffConfigurations.containsKey(ingressNode) && diffConfigurations.get(ingressNode).getInterfaces().containsKey(outInterface)) {
String vrf = diffConfigurations.get(ingressNode).getInterfaces().get(outInterface).getVrf().getName();
ReachEdgeQuerySynthesizer reachQuery = new ReachEdgeQuerySynthesizer(ingressNode, vrf, missingEdge, true, reachabilitySettings.getHeaderSpace());
List<QuerySynthesizer> queries = ImmutableList.of(reachQuery, blacklistQuery);
SortedSet<Pair<String, String>> nodes = ImmutableSortedSet.of(new Pair<>(ingressNode, vrf));
CompositeNodJob job = new CompositeNodJob(settings, missingEdgeSynthesizers, queries, nodes, tag);
jobs.add(job);
}
}
// TODO: maybe do something with nod answer element
Set<Flow> flows = computeCompositeNodOutput(jobs, new NodAnswerElement());
pushBaseEnvironment();
getDataPlanePlugin().processFlows(flows, loadDataPlane());
popEnvironment();
pushDeltaEnvironment();
getDataPlanePlugin().processFlows(flows, loadDataPlane());
popEnvironment();
AnswerElement answerElement = getHistory();
return answerElement;
}
use of org.batfish.datamodel.Flow in project batfish by batfish.
the class CounterExample method buildFlowTrace.
/*
* Build flow information for a given hop along a path
*/
Tuple<Flow, FlowTrace> buildFlowTrace(Encoder enc, String router) {
EncoderSlice slice = enc.getMainSlice();
SymbolicPacket pkt = slice.getSymbolicPacket();
SymbolicDecisions decisions = slice.getSymbolicDecisions();
Flow f = buildFlow(pkt, router);
SortedSet<String> visited = new TreeSet<>();
List<FlowTraceHop> hops = new ArrayList<>();
String current = router;
while (true) {
visited.add(current);
// Get the forwarding variables
Map<GraphEdge, BoolExpr> dfwd = decisions.getDataForwarding().get(current);
Map<GraphEdge, BoolExpr> cfwd = decisions.getControlForwarding().get(current);
Map<GraphEdge, BoolExpr> across = enc.getMainSlice().getForwardsAcross().get(current);
// Find the route used
SymbolicRoute r = decisions.getBestNeighbor().get(current);
Protocol proto = buildProcotol(r, slice, current);
Prefix pfx = buildPrefix(r, f);
// pick the next router
boolean found = false;
for (Entry<GraphEdge, BoolExpr> entry : dfwd.entrySet()) {
GraphEdge ge = entry.getKey();
BoolExpr dexpr = entry.getValue();
BoolExpr cexpr = cfwd.get(ge);
BoolExpr aexpr = across.get(ge);
String route = buildRoute(pfx, proto, ge);
if (isTrue(dexpr)) {
hops.add(buildFlowTraceHop(ge, route));
if (ge.getPeer() != null && visited.contains(ge.getPeer())) {
FlowTrace ft = new FlowTrace(FlowDisposition.LOOP, hops, "LOOP");
return new Tuple<>(f, ft);
}
if (isFalse(aexpr)) {
Interface i = ge.getEnd();
IpAccessList acl = i.getIncomingFilter();
FilterResult fr = acl.filter(f);
String line = "default deny";
if (fr.getMatchLine() != null) {
line = acl.getLines().get(fr.getMatchLine()).getName();
}
String note = String.format("DENIED_IN{%s}{%s}", acl.getName(), line);
FlowTrace ft = new FlowTrace(FlowDisposition.DENIED_IN, hops, note);
return new Tuple<>(f, ft);
}
boolean isLoopback = slice.getGraph().isLoopback(ge);
if (isLoopback) {
FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
return new Tuple<>(f, ft);
}
if (ge.getPeer() == null) {
boolean isBgpPeering = slice.getGraph().getEbgpNeighbors().get(ge) != null;
if (isBgpPeering) {
FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
return new Tuple<>(f, ft);
} else {
FlowTrace ft = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, hops, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
return new Tuple<>(f, ft);
}
}
if (slice.getGraph().isHost(ge.getPeer())) {
FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
return new Tuple<>(f, ft);
}
current = ge.getPeer();
found = true;
break;
} else if (isTrue(cexpr)) {
hops.add(buildFlowTraceHop(ge, route));
Interface i = ge.getStart();
IpAccessList acl = i.getOutgoingFilter();
FilterResult fr = acl.filter(f);
IpAccessListLine line = acl.getLines().get(fr.getMatchLine());
String note = String.format("DENIED_OUT{%s}{%s}", acl.getName(), line.getName());
FlowTrace ft = new FlowTrace(FlowDisposition.DENIED_OUT, hops, note);
return new Tuple<>(f, ft);
}
}
if (!found) {
BoolExpr permitted = r.getPermitted();
if (boolVal(permitted)) {
// Check if there is an accepting interface
for (GraphEdge ge : slice.getGraph().getEdgeMap().get(current)) {
Interface i = ge.getStart();
Ip ip = i.getAddress().getIp();
if (ip.equals(f.getDstIp())) {
FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
return new Tuple<>(f, ft);
}
}
FlowTrace ft = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, hops, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
return new Tuple<>(f, ft);
}
FlowTrace ft = new FlowTrace(FlowDisposition.NO_ROUTE, hops, "NO_ROUTE");
return new Tuple<>(f, ft);
}
}
}
Aggregations