Example 1 with IpAccessList
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class MatchIpAccessList method evaluate.
@Override
public Result evaluate(Environment environment) {
Result result = new Result();
IpAccessList list = environment.getConfiguration().getIpAccessLists().get(_list);
if (list != null) {
// TODO
} else {
environment.setError(true);
result.setBooleanValue(false);
return result;
}
throw new UnsupportedOperationException("no implementation for generated method");
}
Also used :
IpAccessList(org.batfish.datamodel.IpAccessList)
Result(org.batfish.datamodel.routing_policy.Result)
Example 2 with IpAccessList
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class BdpEngine method collectFlowTraces.
private void collectFlowTraces(BdpDataPlane dp, String currentNodeName, Set<Edge> visitedEdges, List<FlowTraceHop> hopsSoFar, Set<FlowTrace> flowTraces, Flow originalFlow, Flow transformedFlow) {
Ip dstIp = transformedFlow.getDstIp();
Set<String> dstIpOwners = dp._ipOwners.get(dstIp);
if (dstIpOwners != null && dstIpOwners.contains(currentNodeName)) {
FlowTrace trace = new FlowTrace(FlowDisposition.ACCEPTED, hopsSoFar, FlowDisposition.ACCEPTED.toString());
flowTraces.add(trace);
} else {
Node currentNode = dp._nodes.get(currentNodeName);
String vrfName;
if (hopsSoFar.isEmpty()) {
vrfName = transformedFlow.getIngressVrf();
} else {
FlowTraceHop lastHop = hopsSoFar.get(hopsSoFar.size() - 1);
String receivingInterface = lastHop.getEdge().getInt2();
vrfName = currentNode._c.getInterfaces().get(receivingInterface).getVrf().getName();
}
VirtualRouter currentVirtualRouter = currentNode._virtualRouters.get(vrfName);
Map<AbstractRoute, Map<String, Map<Ip, Set<AbstractRoute>>>> nextHopInterfacesByRoute = currentVirtualRouter._fib.getNextHopInterfacesByRoute(dstIp);
Map<String, Map<Ip, Set<AbstractRoute>>> nextHopInterfacesWithRoutes = currentVirtualRouter._fib.getNextHopInterfaces(dstIp);
if (!nextHopInterfacesWithRoutes.isEmpty()) {
for (String nextHopInterfaceName : nextHopInterfacesWithRoutes.keySet()) {
// SortedSet<String> routesForThisNextHopInterface = new
// TreeSet<>(
// nextHopInterfacesWithRoutes.get(nextHopInterfaceName)
// .stream().map(ar -> ar.toString())
// .collect(Collectors.toSet()));
SortedSet<String> routesForThisNextHopInterface = new TreeSet<>();
Ip finalNextHopIp = null;
for (Entry<AbstractRoute, Map<String, Map<Ip, Set<AbstractRoute>>>> e : nextHopInterfacesByRoute.entrySet()) {
AbstractRoute routeCandidate = e.getKey();
Map<String, Map<Ip, Set<AbstractRoute>>> routeCandidateNextHopInterfaces = e.getValue();
if (routeCandidateNextHopInterfaces.containsKey(nextHopInterfaceName)) {
Ip nextHopIp = routeCandidate.getNextHopIp();
if (!nextHopIp.equals(Route.UNSET_ROUTE_NEXT_HOP_IP)) {
Set<Ip> finalNextHopIps = routeCandidateNextHopInterfaces.get(nextHopInterfaceName).keySet();
if (finalNextHopIps.size() > 1) {
throw new BatfishException("Can not currently handle multiple final next hop ips across multiple " + "routes leading to one next hop interface");
}
Ip newFinalNextHopIp = finalNextHopIps.iterator().next();
if (finalNextHopIp != null && !newFinalNextHopIp.equals(finalNextHopIp)) {
throw new BatfishException("Can not currently handle multiple final next hop ips for same next hop " + "interface");
}
finalNextHopIp = newFinalNextHopIp;
}
routesForThisNextHopInterface.add(routeCandidate + "_fnhip:" + finalNextHopIp);
}
}
NodeInterfacePair nextHopInterface = new NodeInterfacePair(currentNodeName, nextHopInterfaceName);
if (nextHopInterfaceName.equals(Interface.NULL_INTERFACE_NAME)) {
List<FlowTraceHop> newHops = new ArrayList<>(hopsSoFar);
Edge newEdge = new Edge(nextHopInterface, new NodeInterfacePair(Configuration.NODE_NONE_NAME, Interface.NULL_INTERFACE_NAME));
FlowTraceHop newHop = new FlowTraceHop(newEdge, routesForThisNextHopInterface, hopFlow(originalFlow, transformedFlow));
newHops.add(newHop);
FlowTrace nullRouteTrace = new FlowTrace(FlowDisposition.NULL_ROUTED, newHops, FlowDisposition.NULL_ROUTED.toString());
flowTraces.add(nullRouteTrace);
} else {
Interface outgoingInterface = dp._nodes.get(nextHopInterface.getHostname())._c.getInterfaces().get(nextHopInterface.getInterface());
// Apply any relevant source NAT rules.
transformedFlow = applySourceNat(transformedFlow, outgoingInterface.getSourceNats());
SortedSet<Edge> edges = dp._topology.getInterfaceEdges().get(nextHopInterface);
if (edges != null) {
boolean continueToNextNextHopInterface = false;
continueToNextNextHopInterface = processCurrentNextHopInterfaceEdges(dp, currentNodeName, visitedEdges, hopsSoFar, flowTraces, originalFlow, transformedFlow, dstIp, dstIpOwners, nextHopInterfaceName, routesForThisNextHopInterface, finalNextHopIp, nextHopInterface, edges, true);
if (continueToNextNextHopInterface) {
continue;
}
} else {
/*
* Should only get here for delta environment where
* non-flow-sink interface from base has no edges in delta
*/
Edge neighborUnreachbleEdge = new Edge(nextHopInterface, new NodeInterfacePair(Configuration.NODE_NONE_NAME, Interface.NULL_INTERFACE_NAME));
FlowTraceHop neighborUnreachableHop = new FlowTraceHop(neighborUnreachbleEdge, routesForThisNextHopInterface, hopFlow(originalFlow, transformedFlow));
List<FlowTraceHop> newHops = new ArrayList<>(hopsSoFar);
newHops.add(neighborUnreachableHop);
/**
* Check if denied out. If not, make standard neighbor-unreachable trace.
*/
IpAccessList outFilter = outgoingInterface.getOutgoingFilter();
boolean denied = false;
if (outFilter != null) {
FlowDisposition disposition = FlowDisposition.DENIED_OUT;
denied = flowTraceDeniedHelper(flowTraces, originalFlow, transformedFlow, newHops, outFilter, disposition);
}
if (!denied) {
FlowTrace trace = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, newHops, FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK.toString());
flowTraces.add(trace);
}
}
}
}
} else {
FlowTrace trace = new FlowTrace(FlowDisposition.NO_ROUTE, hopsSoFar, FlowDisposition.NO_ROUTE.toString());
flowTraces.add(trace);
}
}
}
Also used :
SortedSet(java.util.SortedSet)
Set(java.util.Set)
TreeSet(java.util.TreeSet)
LinkedHashSet(java.util.LinkedHashSet)
ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet)
Ip(org.batfish.datamodel.Ip)
ArrayList(java.util.ArrayList)
TreeSet(java.util.TreeSet)
AbstractRoute(org.batfish.datamodel.AbstractRoute)
BatfishException(org.batfish.common.BatfishException)
NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair)
FlowDisposition(org.batfish.datamodel.FlowDisposition)
FlowTraceHop(org.batfish.datamodel.FlowTraceHop)
FlowTrace(org.batfish.datamodel.FlowTrace)
IpAccessList(org.batfish.datamodel.IpAccessList)
LRUMap(org.apache.commons.collections4.map.LRUMap)
Map(java.util.Map)
ImmutableMap(com.google.common.collect.ImmutableMap)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
SortedMap(java.util.SortedMap)
HashMap(java.util.HashMap)
TreeMap(java.util.TreeMap)
Edge(org.batfish.datamodel.Edge)
Interface(org.batfish.datamodel.Interface)
Example 3 with IpAccessList
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class Batfish method answerAclReachability.
@Override
public AnswerElement answerAclReachability(String aclNameRegexStr, NamedStructureEquivalenceSets<?> aclEqSets) {
AclLinesAnswerElement answerElement = new AclLinesAnswerElement();
Pattern aclNameRegex;
try {
aclNameRegex = Pattern.compile(aclNameRegexStr);
} catch (PatternSyntaxException e) {
throw new BatfishException("Supplied regex for nodes is not a valid java regex: \"" + aclNameRegexStr + "\"", e);
}
Map<String, Configuration> configurations = loadConfigurations();
List<NodSatJob<AclLine>> jobs = new ArrayList<>();
for (Entry<String, ?> e : aclEqSets.getSameNamedStructures().entrySet()) {
String aclName = e.getKey();
if (!aclNameRegex.matcher(aclName).matches()) {
continue;
}
// operator error
if (aclName.contains("~ZONE_INTERFACE_FILTER~") || aclName.contains("~INBOUND_ZONE_FILTER~")) {
continue;
}
Set<?> s = (Set<?>) e.getValue();
for (Object o : s) {
NamedStructureEquivalenceSet<?> aclEqSet = (NamedStructureEquivalenceSet<?>) o;
String hostname = aclEqSet.getRepresentativeElement();
SortedSet<String> eqClassNodes = aclEqSet.getNodes();
answerElement.addEquivalenceClass(aclName, hostname, eqClassNodes);
Configuration c = configurations.get(hostname);
IpAccessList acl = c.getIpAccessLists().get(aclName);
int numLines = acl.getLines().size();
if (numLines == 0) {
_logger.redflag("RED_FLAG: Acl \"" + hostname + ":" + aclName + "\" contains no lines\n");
continue;
}
AclReachabilityQuerySynthesizer query = new AclReachabilityQuerySynthesizer(hostname, aclName, numLines);
Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
NodSatJob<AclLine> job = new NodSatJob<>(_settings, aclSynthesizer, query);
jobs.add(job);
}
}
Map<AclLine, Boolean> output = new TreeMap<>();
computeNodSatOutput(jobs, output);
// rearrange output for next step
Map<String, Map<String, List<AclLine>>> arrangedAclLines = new TreeMap<>();
for (Entry<AclLine, Boolean> e : output.entrySet()) {
AclLine line = e.getKey();
String hostname = line.getHostname();
Map<String, List<AclLine>> byAclName = arrangedAclLines.computeIfAbsent(hostname, k -> new TreeMap<>());
String aclName = line.getAclName();
List<AclLine> aclLines = byAclName.computeIfAbsent(aclName, k -> new ArrayList<>());
aclLines.add(line);
}
// now get earliest more general lines
List<NodFirstUnsatJob<AclLine, Integer>> step2Jobs = new ArrayList<>();
for (Entry<String, Map<String, List<AclLine>>> e : arrangedAclLines.entrySet()) {
String hostname = e.getKey();
Configuration c = configurations.get(hostname);
Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
Map<String, List<AclLine>> byAclName = e.getValue();
for (Entry<String, List<AclLine>> e2 : byAclName.entrySet()) {
String aclName = e2.getKey();
IpAccessList ipAccessList = c.getIpAccessLists().get(aclName);
List<AclLine> lines = e2.getValue();
for (int i = 0; i < lines.size(); i++) {
AclLine line = lines.get(i);
boolean reachable = output.get(line);
if (!reachable) {
List<AclLine> toCheck = new ArrayList<>();
for (int j = 0; j < i; j++) {
AclLine earlierLine = lines.get(j);
boolean earlierIsReachable = output.get(earlierLine);
if (earlierIsReachable) {
toCheck.add(earlierLine);
}
}
EarliestMoreGeneralReachableLineQuerySynthesizer query = new EarliestMoreGeneralReachableLineQuerySynthesizer(line, toCheck, ipAccessList);
NodFirstUnsatJob<AclLine, Integer> job = new NodFirstUnsatJob<>(_settings, aclSynthesizer, query);
step2Jobs.add(job);
}
}
}
}
Map<AclLine, Integer> step2Output = new TreeMap<>();
computeNodFirstUnsatOutput(step2Jobs, step2Output);
for (AclLine line : output.keySet()) {
Integer earliestMoreGeneralReachableLine = step2Output.get(line);
line.setEarliestMoreGeneralReachableLine(earliestMoreGeneralReachableLine);
}
Set<Pair<String, String>> aclsWithUnreachableLines = new TreeSet<>();
Set<Pair<String, String>> allAcls = new TreeSet<>();
int numUnreachableLines = 0;
int numLines = output.entrySet().size();
for (Entry<AclLine, Boolean> e : output.entrySet()) {
AclLine aclLine = e.getKey();
boolean sat = e.getValue();
String hostname = aclLine.getHostname();
String aclName = aclLine.getAclName();
Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
allAcls.add(qualifiedAclName);
if (!sat) {
numUnreachableLines++;
aclsWithUnreachableLines.add(qualifiedAclName);
}
}
for (Entry<AclLine, Boolean> e : output.entrySet()) {
AclLine aclLine = e.getKey();
int index = aclLine.getLine();
boolean sat = e.getValue();
String hostname = aclLine.getHostname();
String aclName = aclLine.getAclName();
Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
IpAccessList ipAccessList = configurations.get(hostname).getIpAccessLists().get(aclName);
IpAccessListLine ipAccessListLine = ipAccessList.getLines().get(index);
AclReachabilityEntry line = new AclReachabilityEntry(index, ipAccessListLine.getName());
if (aclsWithUnreachableLines.contains(qualifiedAclName)) {
if (sat) {
_logger.debugf("%s:%s:%d:'%s' is REACHABLE\n", hostname, aclName, line.getIndex(), line.getName());
answerElement.addReachableLine(hostname, ipAccessList, line);
} else {
_logger.debugf("%s:%s:%d:'%s' is UNREACHABLE\n\t%s\n", hostname, aclName, line.getIndex(), line.getName(), ipAccessListLine.toString());
Integer earliestMoreGeneralLineIndex = aclLine.getEarliestMoreGeneralReachableLine();
if (earliestMoreGeneralLineIndex != null) {
IpAccessListLine earliestMoreGeneralLine = ipAccessList.getLines().get(earliestMoreGeneralLineIndex);
line.setEarliestMoreGeneralLineIndex(earliestMoreGeneralLineIndex);
line.setEarliestMoreGeneralLineName(earliestMoreGeneralLine.getName());
if (!earliestMoreGeneralLine.getAction().equals(ipAccessListLine.getAction())) {
line.setDifferentAction(true);
}
}
answerElement.addUnreachableLine(hostname, ipAccessList, line);
aclsWithUnreachableLines.add(qualifiedAclName);
}
} else {
answerElement.addReachableLine(hostname, ipAccessList, line);
}
}
for (Pair<String, String> qualfiedAcl : aclsWithUnreachableLines) {
String hostname = qualfiedAcl.getFirst();
String aclName = qualfiedAcl.getSecond();
_logger.debugf("%s:%s has at least 1 unreachable line\n", hostname, aclName);
}
int numAclsWithUnreachableLines = aclsWithUnreachableLines.size();
int numAcls = allAcls.size();
double percentUnreachableAcls = 100d * numAclsWithUnreachableLines / numAcls;
double percentUnreachableLines = 100d * numUnreachableLines / numLines;
_logger.debugf("SUMMARY:\n");
_logger.debugf("\t%d/%d (%.1f%%) acls have unreachable lines\n", numAclsWithUnreachableLines, numAcls, percentUnreachableAcls);
_logger.debugf("\t%d/%d (%.1f%%) acl lines are unreachable\n", numUnreachableLines, numLines, percentUnreachableLines);
return answerElement;
}
Also used :
NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet)
HostConfiguration(org.batfish.representation.host.HostConfiguration)
Configuration(org.batfish.datamodel.Configuration)
ImmutableConfiguration(org.apache.commons.configuration2.ImmutableConfiguration)
AwsConfiguration(org.batfish.representation.aws.AwsConfiguration)
IptablesVendorConfiguration(org.batfish.representation.iptables.IptablesVendorConfiguration)
VendorConfiguration(org.batfish.vendor.VendorConfiguration)
AclLine(org.batfish.z3.AclLine)
NodFirstUnsatJob(org.batfish.z3.NodFirstUnsatJob)
ArrayList(java.util.ArrayList)
TreeSet(java.util.TreeSet)
IpAccessList(org.batfish.datamodel.IpAccessList)
ImmutableList(com.google.common.collect.ImmutableList)
ArrayList(java.util.ArrayList)
List(java.util.List)
IpAccessListLine(org.batfish.datamodel.IpAccessListLine)
CleanBatfishException(org.batfish.common.CleanBatfishException)
BatfishException(org.batfish.common.BatfishException)
AclLinesAnswerElement(org.batfish.datamodel.answers.AclLinesAnswerElement)
AclReachabilityEntry(org.batfish.datamodel.answers.AclLinesAnswerElement.AclReachabilityEntry)
GenericConfigObject(org.batfish.datamodel.GenericConfigObject)
JSONObject(org.codehaus.jettison.json.JSONObject)
IpAccessList(org.batfish.datamodel.IpAccessList)
Map(java.util.Map)
TreeMap(java.util.TreeMap)
Collectors.toMap(java.util.stream.Collectors.toMap)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
NavigableMap(java.util.NavigableMap)
ConcurrentMap(java.util.concurrent.ConcurrentMap)
ImmutableSortedMap(com.google.common.collect.ImmutableSortedMap)
ImmutableMap(com.google.common.collect.ImmutableMap)
SortedMap(java.util.SortedMap)
HashMap(java.util.HashMap)
TreeMultiSet(org.batfish.datamodel.collections.TreeMultiSet)
ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet)
SortedSet(java.util.SortedSet)
ImmutableSet(com.google.common.collect.ImmutableSet)
HashSet(java.util.HashSet)
NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet)
Set(java.util.Set)
TreeSet(java.util.TreeSet)
LinkedHashSet(java.util.LinkedHashSet)
MultiSet(org.batfish.datamodel.collections.MultiSet)
AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer)
EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer)
ReachabilityQuerySynthesizer(org.batfish.z3.ReachabilityQuerySynthesizer)
QuerySynthesizer(org.batfish.z3.QuerySynthesizer)
AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer)
BlacklistDstIpQuerySynthesizer(org.batfish.z3.BlacklistDstIpQuerySynthesizer)
StandardReachabilityQuerySynthesizer(org.batfish.z3.StandardReachabilityQuerySynthesizer)
EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer)
ReachEdgeQuerySynthesizer(org.batfish.z3.ReachEdgeQuerySynthesizer)
Synthesizer(org.batfish.z3.Synthesizer)
MultipathInconsistencyQuerySynthesizer(org.batfish.z3.MultipathInconsistencyQuerySynthesizer)
PatternSyntaxException(java.util.regex.PatternSyntaxException)
Pair(org.batfish.common.Pair)
NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair)
NodSatJob(org.batfish.z3.NodSatJob)
Pattern(java.util.regex.Pattern)
TreeMap(java.util.TreeMap)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
Example 4 with IpAccessList
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class CiscoConfiguration method processSourceNat.
/**
* Processes a {@link CiscoSourceNat} rule. This function performs two actions:
*
* <p>1. Record references to ACLs and NAT pools by the various parsed {@link CiscoSourceNat}
* objects.
*
* <p>2. Convert to vendor-independent {@link SourceNat} objects if valid, aka, no undefined ACL
* and valid output configuration.
*
* <p>Returns the vendor-independeng {@link SourceNat}, or {@code null} if the source NAT rule is
* invalid.
*/
@Nullable
SourceNat processSourceNat(CiscoSourceNat nat, Interface iface, Map<String, IpAccessList> ipAccessLists) {
String sourceNatAclName = nat.getAclName();
if (sourceNatAclName == null) {
// Source NAT rules must have an ACL; this rule is invalid.
return null;
}
SourceNat convertedNat = new SourceNat();
/* source nat acl */
IpAccessList sourceNatAcl = ipAccessLists.get(sourceNatAclName);
int sourceNatAclLine = nat.getAclNameLine();
if (sourceNatAcl == null) {
undefined(CiscoStructureType.IP_ACCESS_LIST, sourceNatAclName, CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST, sourceNatAclLine);
} else {
convertedNat.setAcl(sourceNatAcl);
String msg = "source nat acl for interface: " + iface.getName();
ExtendedAccessList sourceNatExtendedAccessList = _extendedAccessLists.get(sourceNatAclName);
if (sourceNatExtendedAccessList != null) {
sourceNatExtendedAccessList.getReferers().put(iface, msg);
}
StandardAccessList sourceNatStandardAccessList = _standardAccessLists.get(sourceNatAclName);
if (sourceNatStandardAccessList != null) {
sourceNatStandardAccessList.getReferers().put(iface, msg);
}
}
/* source nat pool */
String sourceNatPoolName = nat.getNatPool();
if (sourceNatPoolName != null) {
int sourceNatPoolLine = nat.getNatPoolLine();
NatPool sourceNatPool = _natPools.get(sourceNatPoolName);
if (sourceNatPool != null) {
sourceNatPool.getReferers().put(iface, "source nat pool for interface: " + iface.getName());
Ip firstIp = sourceNatPool.getFirst();
if (firstIp != null) {
Ip lastIp = sourceNatPool.getLast();
convertedNat.setPoolIpFirst(firstIp);
convertedNat.setPoolIpLast(lastIp);
}
} else {
undefined(CiscoStructureType.NAT_POOL, sourceNatPoolName, CiscoStructureUsage.IP_NAT_SOURCE_POOL, sourceNatPoolLine);
}
}
// The source NAT rule is valid iff it has an ACL and a pool of IPs to NAT into.
if (convertedNat.getAcl() != null && convertedNat.getPoolIpFirst() != null) {
return convertedNat;
} else {
return null;
}
}
Also used :
SourceNat(org.batfish.datamodel.SourceNat)
Ip(org.batfish.datamodel.Ip)
IpAccessList(org.batfish.datamodel.IpAccessList)
Nullable(javax.annotation.Nullable)
Example 5 with IpAccessList
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class CiscoConfiguration method toVendorIndependentConfiguration.
@Override
public Configuration toVendorIndependentConfiguration() {
final Configuration c = new Configuration(_hostname, _vendor);
c.getVendorFamily().setCisco(_cf);
c.setRoles(_roles);
c.setDefaultInboundAction(LineAction.ACCEPT);
c.setDefaultCrossZoneAction(LineAction.ACCEPT);
c.setDnsServers(_dnsServers);
c.setDnsSourceInterface(_dnsSourceInterface);
c.setDomainName(_domainName);
c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
c.setTacacsServers(_tacacsServers);
c.setTacacsSourceInterface(_tacacsSourceInterface);
c.setNtpSourceInterface(_ntpSourceInterface);
if (_cf.getNtp() != null) {
c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
}
if (_cf.getLogging() != null) {
c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
}
c.setSnmpSourceInterface(_snmpSourceInterface);
processLines();
processFailoverSettings();
// remove line login authentication lists if they don't exist
for (Line line : _cf.getLines().values()) {
String list = line.getLoginAuthentication();
boolean found = false;
Aaa aaa = _cf.getAaa();
if (aaa != null) {
AaaAuthentication authentication = aaa.getAuthentication();
if (authentication != null) {
AaaAuthenticationLogin login = authentication.getLogin();
if (login != null && login.getLists().containsKey(list)) {
found = true;
}
}
}
if (!found) {
line.setLoginAuthentication(null);
}
}
// initialize vrfs
for (String vrfName : _vrfs.keySet()) {
c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
}
// snmp server
if (_snmpServer != null) {
String snmpServerVrf = _snmpServer.getVrf();
c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
}
// convert as path access lists to vendor independent format
for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
AsPathAccessList apList = toAsPathAccessList(pathList);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert as-path-sets to vendor independent format
for (AsPathSet asPathSet : _asPathSets.values()) {
AsPathAccessList apList = toAsPathAccessList(asPathSet);
c.getAsPathAccessLists().put(apList.getName(), apList);
}
// convert standard/expanded community lists to community lists
for (StandardCommunityList scList : _standardCommunityLists.values()) {
ExpandedCommunityList ecList = scList.toExpandedCommunityList();
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
CommunityList cList = toCommunityList(ecList);
c.getCommunityLists().put(cList.getName(), cList);
}
// convert prefix lists to route filter lists
for (PrefixList prefixList : _prefixLists.values()) {
RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert ipv6 prefix lists to route6 filter lists
for (Prefix6List prefixList : _prefix6Lists.values()) {
Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
}
// convert standard/extended access lists to access lists or route filter
// lists
List<ExtendedAccessList> allACLs = new ArrayList<>();
for (StandardAccessList saList : _standardAccessLists.values()) {
ExtendedAccessList eaList = saList.toExtendedAccessList();
allACLs.add(eaList);
}
allACLs.addAll(_extendedAccessLists.values());
for (ExtendedAccessList eaList : allACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardAccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
RouteFilterList rfList = toRouteFilterList(eaList);
c.getRouteFilterLists().put(rfList.getName(), rfList);
}
IpAccessList ipaList = toIpAccessList(eaList);
c.getIpAccessLists().put(ipaList.getName(), ipaList);
}
// convert standard/extended ipv6 access lists to ipv6 access lists or
// route6 filter
// lists
List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
allIpv6ACLs.add(eaList);
}
allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
if (usedForRouting(eaList)) {
String msg = "used for routing";
StandardIpv6AccessList parent = eaList.getParent();
if (parent != null) {
parent.getReferers().put(this, msg);
} else {
eaList.getReferers().put(this, msg);
}
Route6FilterList rfList = toRoute6FilterList(eaList);
c.getRoute6FilterLists().put(rfList.getName(), rfList);
}
Ip6AccessList ipaList = toIp6AccessList(eaList);
c.getIp6AccessLists().put(ipaList.getName(), ipaList);
}
// convert route maps to policy maps
Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
for (RouteMap map : _routeMaps.values()) {
convertForPurpose(routingRouteMaps, map);
// convert route maps to RoutingPolicy objects
RoutingPolicy newPolicy = toRoutingPolicy(c, map);
c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
}
// convert RoutePolicy to RoutingPolicy
for (RoutePolicy routePolicy : _routePolicies.values()) {
RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
}
// convert interfaces
_interfaces.forEach((ifaceName, iface) -> {
org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
String vrfName = iface.getVrf();
if (vrfName == null) {
throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
}
c.getInterfaces().put(ifaceName, newInterface);
c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
});
// apply vrrp settings to interfaces
applyVrrp(c);
// get IKE proposals
for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
}
addIkePoliciesAndGateways(c);
// ipsec proposals
for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
}
// ipsec policies
for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
String name = e.getKey();
IpsecProfile profile = e.getValue();
IpsecPolicy policy = new IpsecPolicy(name);
policy.setPfsKeyGroup(profile.getPfsGroup());
String transformSetName = profile.getTransformSet();
if (c.getIpsecProposals().containsKey(transformSetName)) {
policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
}
c.getIpsecPolicies().put(name, policy);
}
// ipsec vpns
for (Entry<String, Interface> e : _interfaces.entrySet()) {
String name = e.getKey();
Interface iface = e.getValue();
Tunnel tunnel = iface.getTunnel();
if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
IpsecVpn ipsecVpn = new IpsecVpn(name, c);
ipsecVpn.setBindInterface(c.getInterfaces().get(name));
ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
Ip source = tunnel.getSource();
Ip destination = tunnel.getDestination();
if (source == null || destination == null) {
_w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
} else {
for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
ipsecVpn.setIkeGateway(ikeGateway);
}
}
if (ipsecVpn.getIkeGateway() == null) {
_w.redFlag("Can't find matching IkeGateway for " + name);
}
}
c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
}
}
// convert routing processes
_vrfs.forEach((vrfName, vrf) -> {
org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
// add snmp trap servers to main list
if (newVrf.getSnmpServer() != null) {
c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
}
// convert static routes
for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
}
// convert rip process
RipProcess ripProcess = vrf.getRipProcess();
if (ripProcess != null) {
org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
newVrf.setRipProcess(newRipProcess);
}
// convert ospf process
OspfProcess ospfProcess = vrf.getOspfProcess();
if (ospfProcess != null) {
org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
newVrf.setOspfProcess(newOspfProcess);
}
// convert isis process
IsisProcess isisProcess = vrf.getIsisProcess();
if (isisProcess != null) {
org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
newVrf.setIsisProcess(newIsisProcess);
}
// convert bgp process
BgpProcess bgpProcess = vrf.getBgpProcess();
if (bgpProcess != null) {
org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
}
});
// warn about references to undefined peer groups
for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
String name = e.getKey();
int line = e.getValue();
undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
}
// mark references to IPv4/6 ACLs that may not appear in data model
markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
markAcls(CiscoStructureUsage.SSH_ACL);
markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
// mark references to mac-ACLs that may not appear in data model
// TODO: fill in
// mark references to route-maps that may not appear in data model
markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
// Cable
markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
// L2tp
markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
// Vpn
markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
// warn about unreferenced data structures
warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
warnUnusedCommunityLists();
warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
warnUnusedDocsisPolicies();
warnUnusedDocsisPolicyRules();
warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
warnUnusedIpAccessLists();
warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
warnUnusedIpv6AccessLists();
warnUnusedKeyrings();
warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
warnUnusedPeerGroups();
warnUnusedPeerSessions();
warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
warnUnusedServiceClasses();
c.simplifyRoutingPolicies();
c.computeRoutingPolicySources(_w);
return c;
}
Also used :
IpsecVpn(org.batfish.datamodel.IpsecVpn)
AaaAuthentication(org.batfish.datamodel.vendor_family.cisco.AaaAuthentication)
VendorConfiguration(org.batfish.vendor.VendorConfiguration)
Configuration(org.batfish.datamodel.Configuration)
ArrayList(java.util.ArrayList)
Aaa(org.batfish.datamodel.vendor_family.cisco.Aaa)
BatfishException(org.batfish.common.BatfishException)
AsPathAccessList(org.batfish.datamodel.AsPathAccessList)
CommunityList(org.batfish.datamodel.CommunityList)
CommunityListLine(org.batfish.datamodel.CommunityListLine)
Ip6AccessListLine(org.batfish.datamodel.Ip6AccessListLine)
Route6FilterLine(org.batfish.datamodel.Route6FilterLine)
Line(org.batfish.datamodel.vendor_family.cisco.Line)
RouteFilterLine(org.batfish.datamodel.RouteFilterLine)
AsPathAccessListLine(org.batfish.datamodel.AsPathAccessListLine)
IpAccessListLine(org.batfish.datamodel.IpAccessListLine)
IpsecPolicy(org.batfish.datamodel.IpsecPolicy)
IkeGateway(org.batfish.datamodel.IkeGateway)
IpAccessList(org.batfish.datamodel.IpAccessList)
Ip(org.batfish.datamodel.Ip)
SubRange(org.batfish.datamodel.SubRange)
Ip6AccessList(org.batfish.datamodel.Ip6AccessList)
RoutingPolicy(org.batfish.datamodel.routing_policy.RoutingPolicy)
Route6FilterList(org.batfish.datamodel.Route6FilterList)
BigInteger(java.math.BigInteger)
RouteFilterList(org.batfish.datamodel.RouteFilterList)
AaaAuthenticationLogin(org.batfish.datamodel.vendor_family.cisco.AaaAuthenticationLogin)
Aggregations
IpAccessList (org.batfish.datamodel.IpAccessList)37
IpAccessListLine (org.batfish.datamodel.IpAccessListLine)19
Configuration (org.batfish.datamodel.Configuration)17
Ip (org.batfish.datamodel.Ip)16
Interface (org.batfish.datamodel.Interface)14
ArrayList (java.util.ArrayList)10
Test (org.junit.Test)10
BatfishException (org.batfish.common.BatfishException)9
List (java.util.List)7
IpWildcard (org.batfish.datamodel.IpWildcard)7
LineAction (org.batfish.datamodel.LineAction)7
SubRange (org.batfish.datamodel.SubRange)7
ImmutableList (com.google.common.collect.ImmutableList)6
Set (java.util.Set)6
TreeSet (java.util.TreeSet)6
Edge (org.batfish.datamodel.Edge)6
InterfaceAddress (org.batfish.datamodel.InterfaceAddress)6
Prefix (org.batfish.datamodel.Prefix)6
SourceNat (org.batfish.datamodel.SourceNat)6
Map (java.util.Map)5
