Search in sources :

Example 1 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class MatchIpAccessList method evaluate.

@Override
public Result evaluate(Environment environment) {
    Result result = new Result();
    IpAccessList list = environment.getConfiguration().getIpAccessLists().get(_list);
    if (list != null) {
    // TODO
    } else {
        environment.setError(true);
        result.setBooleanValue(false);
        return result;
    }
    throw new UnsupportedOperationException("no implementation for generated method");
}
Also used : IpAccessList(org.batfish.datamodel.IpAccessList) Result(org.batfish.datamodel.routing_policy.Result)

Example 2 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class BdpEngine method collectFlowTraces.

private void collectFlowTraces(BdpDataPlane dp, String currentNodeName, Set<Edge> visitedEdges, List<FlowTraceHop> hopsSoFar, Set<FlowTrace> flowTraces, Flow originalFlow, Flow transformedFlow) {
    Ip dstIp = transformedFlow.getDstIp();
    Set<String> dstIpOwners = dp._ipOwners.get(dstIp);
    if (dstIpOwners != null && dstIpOwners.contains(currentNodeName)) {
        FlowTrace trace = new FlowTrace(FlowDisposition.ACCEPTED, hopsSoFar, FlowDisposition.ACCEPTED.toString());
        flowTraces.add(trace);
    } else {
        Node currentNode = dp._nodes.get(currentNodeName);
        String vrfName;
        if (hopsSoFar.isEmpty()) {
            vrfName = transformedFlow.getIngressVrf();
        } else {
            FlowTraceHop lastHop = hopsSoFar.get(hopsSoFar.size() - 1);
            String receivingInterface = lastHop.getEdge().getInt2();
            vrfName = currentNode._c.getInterfaces().get(receivingInterface).getVrf().getName();
        }
        VirtualRouter currentVirtualRouter = currentNode._virtualRouters.get(vrfName);
        Map<AbstractRoute, Map<String, Map<Ip, Set<AbstractRoute>>>> nextHopInterfacesByRoute = currentVirtualRouter._fib.getNextHopInterfacesByRoute(dstIp);
        Map<String, Map<Ip, Set<AbstractRoute>>> nextHopInterfacesWithRoutes = currentVirtualRouter._fib.getNextHopInterfaces(dstIp);
        if (!nextHopInterfacesWithRoutes.isEmpty()) {
            for (String nextHopInterfaceName : nextHopInterfacesWithRoutes.keySet()) {
                // SortedSet<String> routesForThisNextHopInterface = new
                // TreeSet<>(
                // nextHopInterfacesWithRoutes.get(nextHopInterfaceName)
                // .stream().map(ar -> ar.toString())
                // .collect(Collectors.toSet()));
                SortedSet<String> routesForThisNextHopInterface = new TreeSet<>();
                Ip finalNextHopIp = null;
                for (Entry<AbstractRoute, Map<String, Map<Ip, Set<AbstractRoute>>>> e : nextHopInterfacesByRoute.entrySet()) {
                    AbstractRoute routeCandidate = e.getKey();
                    Map<String, Map<Ip, Set<AbstractRoute>>> routeCandidateNextHopInterfaces = e.getValue();
                    if (routeCandidateNextHopInterfaces.containsKey(nextHopInterfaceName)) {
                        Ip nextHopIp = routeCandidate.getNextHopIp();
                        if (!nextHopIp.equals(Route.UNSET_ROUTE_NEXT_HOP_IP)) {
                            Set<Ip> finalNextHopIps = routeCandidateNextHopInterfaces.get(nextHopInterfaceName).keySet();
                            if (finalNextHopIps.size() > 1) {
                                throw new BatfishException("Can not currently handle multiple final next hop ips across multiple " + "routes leading to one next hop interface");
                            }
                            Ip newFinalNextHopIp = finalNextHopIps.iterator().next();
                            if (finalNextHopIp != null && !newFinalNextHopIp.equals(finalNextHopIp)) {
                                throw new BatfishException("Can not currently handle multiple final next hop ips for same next hop " + "interface");
                            }
                            finalNextHopIp = newFinalNextHopIp;
                        }
                        routesForThisNextHopInterface.add(routeCandidate + "_fnhip:" + finalNextHopIp);
                    }
                }
                NodeInterfacePair nextHopInterface = new NodeInterfacePair(currentNodeName, nextHopInterfaceName);
                if (nextHopInterfaceName.equals(Interface.NULL_INTERFACE_NAME)) {
                    List<FlowTraceHop> newHops = new ArrayList<>(hopsSoFar);
                    Edge newEdge = new Edge(nextHopInterface, new NodeInterfacePair(Configuration.NODE_NONE_NAME, Interface.NULL_INTERFACE_NAME));
                    FlowTraceHop newHop = new FlowTraceHop(newEdge, routesForThisNextHopInterface, hopFlow(originalFlow, transformedFlow));
                    newHops.add(newHop);
                    FlowTrace nullRouteTrace = new FlowTrace(FlowDisposition.NULL_ROUTED, newHops, FlowDisposition.NULL_ROUTED.toString());
                    flowTraces.add(nullRouteTrace);
                } else {
                    Interface outgoingInterface = dp._nodes.get(nextHopInterface.getHostname())._c.getInterfaces().get(nextHopInterface.getInterface());
                    // Apply any relevant source NAT rules.
                    transformedFlow = applySourceNat(transformedFlow, outgoingInterface.getSourceNats());
                    SortedSet<Edge> edges = dp._topology.getInterfaceEdges().get(nextHopInterface);
                    if (edges != null) {
                        boolean continueToNextNextHopInterface = false;
                        continueToNextNextHopInterface = processCurrentNextHopInterfaceEdges(dp, currentNodeName, visitedEdges, hopsSoFar, flowTraces, originalFlow, transformedFlow, dstIp, dstIpOwners, nextHopInterfaceName, routesForThisNextHopInterface, finalNextHopIp, nextHopInterface, edges, true);
                        if (continueToNextNextHopInterface) {
                            continue;
                        }
                    } else {
                        /*
               * Should only get here for delta environment where
               * non-flow-sink interface from base has no edges in delta
               */
                        Edge neighborUnreachbleEdge = new Edge(nextHopInterface, new NodeInterfacePair(Configuration.NODE_NONE_NAME, Interface.NULL_INTERFACE_NAME));
                        FlowTraceHop neighborUnreachableHop = new FlowTraceHop(neighborUnreachbleEdge, routesForThisNextHopInterface, hopFlow(originalFlow, transformedFlow));
                        List<FlowTraceHop> newHops = new ArrayList<>(hopsSoFar);
                        newHops.add(neighborUnreachableHop);
                        /**
                         * Check if denied out. If not, make standard neighbor-unreachable trace.
                         */
                        IpAccessList outFilter = outgoingInterface.getOutgoingFilter();
                        boolean denied = false;
                        if (outFilter != null) {
                            FlowDisposition disposition = FlowDisposition.DENIED_OUT;
                            denied = flowTraceDeniedHelper(flowTraces, originalFlow, transformedFlow, newHops, outFilter, disposition);
                        }
                        if (!denied) {
                            FlowTrace trace = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, newHops, FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK.toString());
                            flowTraces.add(trace);
                        }
                    }
                }
            }
        } else {
            FlowTrace trace = new FlowTrace(FlowDisposition.NO_ROUTE, hopsSoFar, FlowDisposition.NO_ROUTE.toString());
            flowTraces.add(trace);
        }
    }
}
Also used : SortedSet(java.util.SortedSet) Set(java.util.Set) TreeSet(java.util.TreeSet) LinkedHashSet(java.util.LinkedHashSet) ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet) Ip(org.batfish.datamodel.Ip) ArrayList(java.util.ArrayList) TreeSet(java.util.TreeSet) AbstractRoute(org.batfish.datamodel.AbstractRoute) BatfishException(org.batfish.common.BatfishException) NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair) FlowDisposition(org.batfish.datamodel.FlowDisposition) FlowTraceHop(org.batfish.datamodel.FlowTraceHop) FlowTrace(org.batfish.datamodel.FlowTrace) IpAccessList(org.batfish.datamodel.IpAccessList) LRUMap(org.apache.commons.collections4.map.LRUMap) Map(java.util.Map) ImmutableMap(com.google.common.collect.ImmutableMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) SortedMap(java.util.SortedMap) HashMap(java.util.HashMap) TreeMap(java.util.TreeMap) Edge(org.batfish.datamodel.Edge) Interface(org.batfish.datamodel.Interface)

Example 3 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class Batfish method answerAclReachability.

@Override
public AnswerElement answerAclReachability(String aclNameRegexStr, NamedStructureEquivalenceSets<?> aclEqSets) {
    AclLinesAnswerElement answerElement = new AclLinesAnswerElement();
    Pattern aclNameRegex;
    try {
        aclNameRegex = Pattern.compile(aclNameRegexStr);
    } catch (PatternSyntaxException e) {
        throw new BatfishException("Supplied regex for nodes is not a valid java regex: \"" + aclNameRegexStr + "\"", e);
    }
    Map<String, Configuration> configurations = loadConfigurations();
    List<NodSatJob<AclLine>> jobs = new ArrayList<>();
    for (Entry<String, ?> e : aclEqSets.getSameNamedStructures().entrySet()) {
        String aclName = e.getKey();
        if (!aclNameRegex.matcher(aclName).matches()) {
            continue;
        }
        // operator error
        if (aclName.contains("~ZONE_INTERFACE_FILTER~") || aclName.contains("~INBOUND_ZONE_FILTER~")) {
            continue;
        }
        Set<?> s = (Set<?>) e.getValue();
        for (Object o : s) {
            NamedStructureEquivalenceSet<?> aclEqSet = (NamedStructureEquivalenceSet<?>) o;
            String hostname = aclEqSet.getRepresentativeElement();
            SortedSet<String> eqClassNodes = aclEqSet.getNodes();
            answerElement.addEquivalenceClass(aclName, hostname, eqClassNodes);
            Configuration c = configurations.get(hostname);
            IpAccessList acl = c.getIpAccessLists().get(aclName);
            int numLines = acl.getLines().size();
            if (numLines == 0) {
                _logger.redflag("RED_FLAG: Acl \"" + hostname + ":" + aclName + "\" contains no lines\n");
                continue;
            }
            AclReachabilityQuerySynthesizer query = new AclReachabilityQuerySynthesizer(hostname, aclName, numLines);
            Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
            NodSatJob<AclLine> job = new NodSatJob<>(_settings, aclSynthesizer, query);
            jobs.add(job);
        }
    }
    Map<AclLine, Boolean> output = new TreeMap<>();
    computeNodSatOutput(jobs, output);
    // rearrange output for next step
    Map<String, Map<String, List<AclLine>>> arrangedAclLines = new TreeMap<>();
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine line = e.getKey();
        String hostname = line.getHostname();
        Map<String, List<AclLine>> byAclName = arrangedAclLines.computeIfAbsent(hostname, k -> new TreeMap<>());
        String aclName = line.getAclName();
        List<AclLine> aclLines = byAclName.computeIfAbsent(aclName, k -> new ArrayList<>());
        aclLines.add(line);
    }
    // now get earliest more general lines
    List<NodFirstUnsatJob<AclLine, Integer>> step2Jobs = new ArrayList<>();
    for (Entry<String, Map<String, List<AclLine>>> e : arrangedAclLines.entrySet()) {
        String hostname = e.getKey();
        Configuration c = configurations.get(hostname);
        Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
        Map<String, List<AclLine>> byAclName = e.getValue();
        for (Entry<String, List<AclLine>> e2 : byAclName.entrySet()) {
            String aclName = e2.getKey();
            IpAccessList ipAccessList = c.getIpAccessLists().get(aclName);
            List<AclLine> lines = e2.getValue();
            for (int i = 0; i < lines.size(); i++) {
                AclLine line = lines.get(i);
                boolean reachable = output.get(line);
                if (!reachable) {
                    List<AclLine> toCheck = new ArrayList<>();
                    for (int j = 0; j < i; j++) {
                        AclLine earlierLine = lines.get(j);
                        boolean earlierIsReachable = output.get(earlierLine);
                        if (earlierIsReachable) {
                            toCheck.add(earlierLine);
                        }
                    }
                    EarliestMoreGeneralReachableLineQuerySynthesizer query = new EarliestMoreGeneralReachableLineQuerySynthesizer(line, toCheck, ipAccessList);
                    NodFirstUnsatJob<AclLine, Integer> job = new NodFirstUnsatJob<>(_settings, aclSynthesizer, query);
                    step2Jobs.add(job);
                }
            }
        }
    }
    Map<AclLine, Integer> step2Output = new TreeMap<>();
    computeNodFirstUnsatOutput(step2Jobs, step2Output);
    for (AclLine line : output.keySet()) {
        Integer earliestMoreGeneralReachableLine = step2Output.get(line);
        line.setEarliestMoreGeneralReachableLine(earliestMoreGeneralReachableLine);
    }
    Set<Pair<String, String>> aclsWithUnreachableLines = new TreeSet<>();
    Set<Pair<String, String>> allAcls = new TreeSet<>();
    int numUnreachableLines = 0;
    int numLines = output.entrySet().size();
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine aclLine = e.getKey();
        boolean sat = e.getValue();
        String hostname = aclLine.getHostname();
        String aclName = aclLine.getAclName();
        Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
        allAcls.add(qualifiedAclName);
        if (!sat) {
            numUnreachableLines++;
            aclsWithUnreachableLines.add(qualifiedAclName);
        }
    }
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine aclLine = e.getKey();
        int index = aclLine.getLine();
        boolean sat = e.getValue();
        String hostname = aclLine.getHostname();
        String aclName = aclLine.getAclName();
        Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
        IpAccessList ipAccessList = configurations.get(hostname).getIpAccessLists().get(aclName);
        IpAccessListLine ipAccessListLine = ipAccessList.getLines().get(index);
        AclReachabilityEntry line = new AclReachabilityEntry(index, ipAccessListLine.getName());
        if (aclsWithUnreachableLines.contains(qualifiedAclName)) {
            if (sat) {
                _logger.debugf("%s:%s:%d:'%s' is REACHABLE\n", hostname, aclName, line.getIndex(), line.getName());
                answerElement.addReachableLine(hostname, ipAccessList, line);
            } else {
                _logger.debugf("%s:%s:%d:'%s' is UNREACHABLE\n\t%s\n", hostname, aclName, line.getIndex(), line.getName(), ipAccessListLine.toString());
                Integer earliestMoreGeneralLineIndex = aclLine.getEarliestMoreGeneralReachableLine();
                if (earliestMoreGeneralLineIndex != null) {
                    IpAccessListLine earliestMoreGeneralLine = ipAccessList.getLines().get(earliestMoreGeneralLineIndex);
                    line.setEarliestMoreGeneralLineIndex(earliestMoreGeneralLineIndex);
                    line.setEarliestMoreGeneralLineName(earliestMoreGeneralLine.getName());
                    if (!earliestMoreGeneralLine.getAction().equals(ipAccessListLine.getAction())) {
                        line.setDifferentAction(true);
                    }
                }
                answerElement.addUnreachableLine(hostname, ipAccessList, line);
                aclsWithUnreachableLines.add(qualifiedAclName);
            }
        } else {
            answerElement.addReachableLine(hostname, ipAccessList, line);
        }
    }
    for (Pair<String, String> qualfiedAcl : aclsWithUnreachableLines) {
        String hostname = qualfiedAcl.getFirst();
        String aclName = qualfiedAcl.getSecond();
        _logger.debugf("%s:%s has at least 1 unreachable line\n", hostname, aclName);
    }
    int numAclsWithUnreachableLines = aclsWithUnreachableLines.size();
    int numAcls = allAcls.size();
    double percentUnreachableAcls = 100d * numAclsWithUnreachableLines / numAcls;
    double percentUnreachableLines = 100d * numUnreachableLines / numLines;
    _logger.debugf("SUMMARY:\n");
    _logger.debugf("\t%d/%d (%.1f%%) acls have unreachable lines\n", numAclsWithUnreachableLines, numAcls, percentUnreachableAcls);
    _logger.debugf("\t%d/%d (%.1f%%) acl lines are unreachable\n", numUnreachableLines, numLines, percentUnreachableLines);
    return answerElement;
}
Also used : NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet) HostConfiguration(org.batfish.representation.host.HostConfiguration) Configuration(org.batfish.datamodel.Configuration) ImmutableConfiguration(org.apache.commons.configuration2.ImmutableConfiguration) AwsConfiguration(org.batfish.representation.aws.AwsConfiguration) IptablesVendorConfiguration(org.batfish.representation.iptables.IptablesVendorConfiguration) VendorConfiguration(org.batfish.vendor.VendorConfiguration) AclLine(org.batfish.z3.AclLine) NodFirstUnsatJob(org.batfish.z3.NodFirstUnsatJob) ArrayList(java.util.ArrayList) TreeSet(java.util.TreeSet) IpAccessList(org.batfish.datamodel.IpAccessList) ImmutableList(com.google.common.collect.ImmutableList) ArrayList(java.util.ArrayList) List(java.util.List) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) CleanBatfishException(org.batfish.common.CleanBatfishException) BatfishException(org.batfish.common.BatfishException) AclLinesAnswerElement(org.batfish.datamodel.answers.AclLinesAnswerElement) AclReachabilityEntry(org.batfish.datamodel.answers.AclLinesAnswerElement.AclReachabilityEntry) GenericConfigObject(org.batfish.datamodel.GenericConfigObject) JSONObject(org.codehaus.jettison.json.JSONObject) IpAccessList(org.batfish.datamodel.IpAccessList) Map(java.util.Map) TreeMap(java.util.TreeMap) Collectors.toMap(java.util.stream.Collectors.toMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) NavigableMap(java.util.NavigableMap) ConcurrentMap(java.util.concurrent.ConcurrentMap) ImmutableSortedMap(com.google.common.collect.ImmutableSortedMap) ImmutableMap(com.google.common.collect.ImmutableMap) SortedMap(java.util.SortedMap) HashMap(java.util.HashMap) TreeMultiSet(org.batfish.datamodel.collections.TreeMultiSet) ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet) SortedSet(java.util.SortedSet) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet) Set(java.util.Set) TreeSet(java.util.TreeSet) LinkedHashSet(java.util.LinkedHashSet) MultiSet(org.batfish.datamodel.collections.MultiSet) AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer) EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer) ReachabilityQuerySynthesizer(org.batfish.z3.ReachabilityQuerySynthesizer) QuerySynthesizer(org.batfish.z3.QuerySynthesizer) AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer) BlacklistDstIpQuerySynthesizer(org.batfish.z3.BlacklistDstIpQuerySynthesizer) StandardReachabilityQuerySynthesizer(org.batfish.z3.StandardReachabilityQuerySynthesizer) EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer) ReachEdgeQuerySynthesizer(org.batfish.z3.ReachEdgeQuerySynthesizer) Synthesizer(org.batfish.z3.Synthesizer) MultipathInconsistencyQuerySynthesizer(org.batfish.z3.MultipathInconsistencyQuerySynthesizer) PatternSyntaxException(java.util.regex.PatternSyntaxException) Pair(org.batfish.common.Pair) NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair) NodSatJob(org.batfish.z3.NodSatJob) Pattern(java.util.regex.Pattern) TreeMap(java.util.TreeMap) AtomicInteger(java.util.concurrent.atomic.AtomicInteger)

Example 4 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class CiscoConfiguration method processSourceNat.

/**
 * Processes a {@link CiscoSourceNat} rule. This function performs two actions:
 *
 * <p>1. Record references to ACLs and NAT pools by the various parsed {@link CiscoSourceNat}
 * objects.
 *
 * <p>2. Convert to vendor-independent {@link SourceNat} objects if valid, aka, no undefined ACL
 * and valid output configuration.
 *
 * <p>Returns the vendor-independeng {@link SourceNat}, or {@code null} if the source NAT rule is
 * invalid.
 */
@Nullable
SourceNat processSourceNat(CiscoSourceNat nat, Interface iface, Map<String, IpAccessList> ipAccessLists) {
    String sourceNatAclName = nat.getAclName();
    if (sourceNatAclName == null) {
        // Source NAT rules must have an ACL; this rule is invalid.
        return null;
    }
    SourceNat convertedNat = new SourceNat();
    /* source nat acl */
    IpAccessList sourceNatAcl = ipAccessLists.get(sourceNatAclName);
    int sourceNatAclLine = nat.getAclNameLine();
    if (sourceNatAcl == null) {
        undefined(CiscoStructureType.IP_ACCESS_LIST, sourceNatAclName, CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST, sourceNatAclLine);
    } else {
        convertedNat.setAcl(sourceNatAcl);
        String msg = "source nat acl for interface: " + iface.getName();
        ExtendedAccessList sourceNatExtendedAccessList = _extendedAccessLists.get(sourceNatAclName);
        if (sourceNatExtendedAccessList != null) {
            sourceNatExtendedAccessList.getReferers().put(iface, msg);
        }
        StandardAccessList sourceNatStandardAccessList = _standardAccessLists.get(sourceNatAclName);
        if (sourceNatStandardAccessList != null) {
            sourceNatStandardAccessList.getReferers().put(iface, msg);
        }
    }
    /* source nat pool */
    String sourceNatPoolName = nat.getNatPool();
    if (sourceNatPoolName != null) {
        int sourceNatPoolLine = nat.getNatPoolLine();
        NatPool sourceNatPool = _natPools.get(sourceNatPoolName);
        if (sourceNatPool != null) {
            sourceNatPool.getReferers().put(iface, "source nat pool for interface: " + iface.getName());
            Ip firstIp = sourceNatPool.getFirst();
            if (firstIp != null) {
                Ip lastIp = sourceNatPool.getLast();
                convertedNat.setPoolIpFirst(firstIp);
                convertedNat.setPoolIpLast(lastIp);
            }
        } else {
            undefined(CiscoStructureType.NAT_POOL, sourceNatPoolName, CiscoStructureUsage.IP_NAT_SOURCE_POOL, sourceNatPoolLine);
        }
    }
    // The source NAT rule is valid iff it has an ACL and a pool of IPs to NAT into.
    if (convertedNat.getAcl() != null && convertedNat.getPoolIpFirst() != null) {
        return convertedNat;
    } else {
        return null;
    }
}
Also used : SourceNat(org.batfish.datamodel.SourceNat) Ip(org.batfish.datamodel.Ip) IpAccessList(org.batfish.datamodel.IpAccessList) Nullable(javax.annotation.Nullable)

Example 5 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class CiscoConfiguration method toVendorIndependentConfiguration.

@Override
public Configuration toVendorIndependentConfiguration() {
    final Configuration c = new Configuration(_hostname, _vendor);
    c.getVendorFamily().setCisco(_cf);
    c.setRoles(_roles);
    c.setDefaultInboundAction(LineAction.ACCEPT);
    c.setDefaultCrossZoneAction(LineAction.ACCEPT);
    c.setDnsServers(_dnsServers);
    c.setDnsSourceInterface(_dnsSourceInterface);
    c.setDomainName(_domainName);
    c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
    c.setTacacsServers(_tacacsServers);
    c.setTacacsSourceInterface(_tacacsSourceInterface);
    c.setNtpSourceInterface(_ntpSourceInterface);
    if (_cf.getNtp() != null) {
        c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
    }
    if (_cf.getLogging() != null) {
        c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
        c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
    }
    c.setSnmpSourceInterface(_snmpSourceInterface);
    processLines();
    processFailoverSettings();
    // remove line login authentication lists if they don't exist
    for (Line line : _cf.getLines().values()) {
        String list = line.getLoginAuthentication();
        boolean found = false;
        Aaa aaa = _cf.getAaa();
        if (aaa != null) {
            AaaAuthentication authentication = aaa.getAuthentication();
            if (authentication != null) {
                AaaAuthenticationLogin login = authentication.getLogin();
                if (login != null && login.getLists().containsKey(list)) {
                    found = true;
                }
            }
        }
        if (!found) {
            line.setLoginAuthentication(null);
        }
    }
    // initialize vrfs
    for (String vrfName : _vrfs.keySet()) {
        c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
    }
    // snmp server
    if (_snmpServer != null) {
        String snmpServerVrf = _snmpServer.getVrf();
        c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
    }
    // convert as path access lists to vendor independent format
    for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
        AsPathAccessList apList = toAsPathAccessList(pathList);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert as-path-sets to vendor independent format
    for (AsPathSet asPathSet : _asPathSets.values()) {
        AsPathAccessList apList = toAsPathAccessList(asPathSet);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert standard/expanded community lists to community lists
    for (StandardCommunityList scList : _standardCommunityLists.values()) {
        ExpandedCommunityList ecList = scList.toExpandedCommunityList();
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    // convert prefix lists to route filter lists
    for (PrefixList prefixList : _prefixLists.values()) {
        RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
        c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert ipv6 prefix lists to route6 filter lists
    for (Prefix6List prefixList : _prefix6Lists.values()) {
        Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
        c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert standard/extended access lists to access lists or route filter
    // lists
    List<ExtendedAccessList> allACLs = new ArrayList<>();
    for (StandardAccessList saList : _standardAccessLists.values()) {
        ExtendedAccessList eaList = saList.toExtendedAccessList();
        allACLs.add(eaList);
    }
    allACLs.addAll(_extendedAccessLists.values());
    for (ExtendedAccessList eaList : allACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardAccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            RouteFilterList rfList = toRouteFilterList(eaList);
            c.getRouteFilterLists().put(rfList.getName(), rfList);
        }
        IpAccessList ipaList = toIpAccessList(eaList);
        c.getIpAccessLists().put(ipaList.getName(), ipaList);
    }
    // convert standard/extended ipv6 access lists to ipv6 access lists or
    // route6 filter
    // lists
    List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
    for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
        ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
        allIpv6ACLs.add(eaList);
    }
    allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
    for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardIpv6AccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            Route6FilterList rfList = toRoute6FilterList(eaList);
            c.getRoute6FilterLists().put(rfList.getName(), rfList);
        }
        Ip6AccessList ipaList = toIp6AccessList(eaList);
        c.getIp6AccessLists().put(ipaList.getName(), ipaList);
    }
    // convert route maps to policy maps
    Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
    for (RouteMap map : _routeMaps.values()) {
        convertForPurpose(routingRouteMaps, map);
        // convert route maps to RoutingPolicy objects
        RoutingPolicy newPolicy = toRoutingPolicy(c, map);
        c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
    }
    // convert RoutePolicy to RoutingPolicy
    for (RoutePolicy routePolicy : _routePolicies.values()) {
        RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
        c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
    }
    // convert interfaces
    _interfaces.forEach((ifaceName, iface) -> {
        org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
        String vrfName = iface.getVrf();
        if (vrfName == null) {
            throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
        }
        c.getInterfaces().put(ifaceName, newInterface);
        c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
    });
    // apply vrrp settings to interfaces
    applyVrrp(c);
    // get IKE proposals
    for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
        c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
    }
    addIkePoliciesAndGateways(c);
    // ipsec proposals
    for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
        c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
    }
    // ipsec policies
    for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
        String name = e.getKey();
        IpsecProfile profile = e.getValue();
        IpsecPolicy policy = new IpsecPolicy(name);
        policy.setPfsKeyGroup(profile.getPfsGroup());
        String transformSetName = profile.getTransformSet();
        if (c.getIpsecProposals().containsKey(transformSetName)) {
            policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
        }
        c.getIpsecPolicies().put(name, policy);
    }
    // ipsec vpns
    for (Entry<String, Interface> e : _interfaces.entrySet()) {
        String name = e.getKey();
        Interface iface = e.getValue();
        Tunnel tunnel = iface.getTunnel();
        if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
            IpsecVpn ipsecVpn = new IpsecVpn(name, c);
            ipsecVpn.setBindInterface(c.getInterfaces().get(name));
            ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
            Ip source = tunnel.getSource();
            Ip destination = tunnel.getDestination();
            if (source == null || destination == null) {
                _w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
            } else {
                for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
                    if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
                        ipsecVpn.setIkeGateway(ikeGateway);
                    }
                }
                if (ipsecVpn.getIkeGateway() == null) {
                    _w.redFlag("Can't find matching IkeGateway for " + name);
                }
            }
            c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
        }
    }
    // convert routing processes
    _vrfs.forEach((vrfName, vrf) -> {
        org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
        // add snmp trap servers to main list
        if (newVrf.getSnmpServer() != null) {
            c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
        }
        // convert static routes
        for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
            newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
        }
        // convert rip process
        RipProcess ripProcess = vrf.getRipProcess();
        if (ripProcess != null) {
            org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
            newVrf.setRipProcess(newRipProcess);
        }
        // convert ospf process
        OspfProcess ospfProcess = vrf.getOspfProcess();
        if (ospfProcess != null) {
            org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
            newVrf.setOspfProcess(newOspfProcess);
        }
        // convert isis process
        IsisProcess isisProcess = vrf.getIsisProcess();
        if (isisProcess != null) {
            org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
            newVrf.setIsisProcess(newIsisProcess);
        }
        // convert bgp process
        BgpProcess bgpProcess = vrf.getBgpProcess();
        if (bgpProcess != null) {
            org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
            c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
        }
    });
    // warn about references to undefined peer groups
    for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
        String name = e.getKey();
        int line = e.getValue();
        undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
    }
    // mark references to IPv4/6 ACLs that may not appear in data model
    markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
    markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
    markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
    markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
    markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
    markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
    markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
    markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
    markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
    markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
    markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
    markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
    markAcls(CiscoStructureUsage.SSH_ACL);
    markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
    markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
    markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
    markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
    markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
    // mark references to mac-ACLs that may not appear in data model
    // TODO: fill in
    // mark references to route-maps that may not appear in data model
    markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
    markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
    markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
    markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
    // Cable
    markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
    markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
    markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
    markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
    markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
    markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
    // L2tp
    markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
    // Vpn
    markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
    markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
    markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
    // warn about unreferenced data structures
    warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
    warnUnusedCommunityLists();
    warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
    warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
    warnUnusedDocsisPolicies();
    warnUnusedDocsisPolicyRules();
    warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
    warnUnusedIpAccessLists();
    warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
    warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
    warnUnusedIpv6AccessLists();
    warnUnusedKeyrings();
    warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
    warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
    warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
    warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
    warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
    warnUnusedPeerGroups();
    warnUnusedPeerSessions();
    warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
    warnUnusedServiceClasses();
    c.simplifyRoutingPolicies();
    c.computeRoutingPolicySources(_w);
    return c;
}
Also used : IpsecVpn(org.batfish.datamodel.IpsecVpn) AaaAuthentication(org.batfish.datamodel.vendor_family.cisco.AaaAuthentication) VendorConfiguration(org.batfish.vendor.VendorConfiguration) Configuration(org.batfish.datamodel.Configuration) ArrayList(java.util.ArrayList) Aaa(org.batfish.datamodel.vendor_family.cisco.Aaa) BatfishException(org.batfish.common.BatfishException) AsPathAccessList(org.batfish.datamodel.AsPathAccessList) CommunityList(org.batfish.datamodel.CommunityList) CommunityListLine(org.batfish.datamodel.CommunityListLine) Ip6AccessListLine(org.batfish.datamodel.Ip6AccessListLine) Route6FilterLine(org.batfish.datamodel.Route6FilterLine) Line(org.batfish.datamodel.vendor_family.cisco.Line) RouteFilterLine(org.batfish.datamodel.RouteFilterLine) AsPathAccessListLine(org.batfish.datamodel.AsPathAccessListLine) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) IpsecPolicy(org.batfish.datamodel.IpsecPolicy) IkeGateway(org.batfish.datamodel.IkeGateway) IpAccessList(org.batfish.datamodel.IpAccessList) Ip(org.batfish.datamodel.Ip) SubRange(org.batfish.datamodel.SubRange) Ip6AccessList(org.batfish.datamodel.Ip6AccessList) RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy) Route6FilterList(org.batfish.datamodel.Route6FilterList) BigInteger(java.math.BigInteger) RouteFilterList(org.batfish.datamodel.RouteFilterList) AaaAuthenticationLogin(org.batfish.datamodel.vendor_family.cisco.AaaAuthenticationLogin)

Aggregations

IpAccessList (org.batfish.datamodel.IpAccessList)37 IpAccessListLine (org.batfish.datamodel.IpAccessListLine)19 Configuration (org.batfish.datamodel.Configuration)17 Ip (org.batfish.datamodel.Ip)16 Interface (org.batfish.datamodel.Interface)14 ArrayList (java.util.ArrayList)10 Test (org.junit.Test)10 BatfishException (org.batfish.common.BatfishException)9 List (java.util.List)7 IpWildcard (org.batfish.datamodel.IpWildcard)7 LineAction (org.batfish.datamodel.LineAction)7 SubRange (org.batfish.datamodel.SubRange)7 ImmutableList (com.google.common.collect.ImmutableList)6 Set (java.util.Set)6 TreeSet (java.util.TreeSet)6 Edge (org.batfish.datamodel.Edge)6 InterfaceAddress (org.batfish.datamodel.InterfaceAddress)6 Prefix (org.batfish.datamodel.Prefix)6 SourceNat (org.batfish.datamodel.SourceNat)6 Map (java.util.Map)5