
the class Subnet method toConfigurationNode.

/**
 * Builds the VI {@link Configuration} node that models this subnet: an interface facing the
 * subnet's instances, a point-to-point link to the VPC router (with the matching interface
 * created on the VPC node), a static route in each direction, and the subnet's network ACL
 * applied in both directions on the VPC-facing interface.
 *
 * <p>Side effects: consumes one generated link subnet from {@code awsConfiguration} and adds an
 * interface plus a static route to the VPC router's configuration node.
 *
 * @param awsConfiguration provides generated link prefixes and the already-built VPC node
 * @param region region holding the network ACLs this subnet may be associated with
 * @param warnings not used by this method
 * @return the newly created configuration node for this subnet
 */
public Configuration toConfigurationNode(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    Configuration subnetNode = Utils.newAwsConfiguration(_subnetId, "aws");
    // Record the AWS identity of this node first; it does not depend on the topology built below.
    subnetNode.getVendorFamily().getAws().setVpcId(_vpcId);
    subnetNode.getVendorFamily().getAws().setSubnetId(_subnetId);
    subnetNode.getVendorFamily().getAws().setRegion(region.getName());

    // Interface facing the instances of this subnet, addressed out of the subnet's own CIDR.
    Ip instancesSideIp = computeInstancesIfaceIp();
    Utils.newInterface(_subnetId, subnetNode, new InterfaceAddress(instancesSideIp, _cidrBlock.getPrefixLength()));

    // The VPC router node is expected to exist already and is looked up by VPC id.
    // NOTE(review): a missing VPC node is not checked here and would surface as an NPE below.
    Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(_vpcId);

    // Point-to-point link subnet <-> VPC router: first address on the subnet side, second on the VPC side.
    Pair<InterfaceAddress, InterfaceAddress> link = awsConfiguration.getNextGeneratedLinkSubnet();
    InterfaceAddress subnetSide = link.getFirst();
    InterfaceAddress vpcSide = link.getSecond();
    Interface towardVpc = Utils.newInterface(_vpcId, subnetNode, subnetSide);
    Utils.newInterface(_subnetId, vpcNode, vpcSide);

    // Routes: the VPC router reaches this subnet's CIDR over the link; the subnet defaults to the VPC router.
    // One builder is reused; admin distance and metric carry over, network and next hop are reset per route.
    StaticRoute.Builder routeBuilder = StaticRoute.builder()
        .setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN)
        .setMetric(Route.DEFAULT_STATIC_ROUTE_COST);
    vpcNode.getDefaultVrf().getStaticRoutes().add(
        routeBuilder.setNetwork(_cidrBlock).setNextHopIp(subnetSide.getIp()).build());
    subnetNode.getDefaultVrf().getStaticRoutes().add(
        routeBuilder.setNetwork(Prefix.ZERO).setNextHopIp(vpcSide.getIp()).build());

    // Network ACL: registered on this node and applied on the VPC-facing interface only
    // (traffic between instances inside the subnet is not filtered by it here).
    // NOTE(review): what findMyNetworkAcl returns when no ACL is associated is not visible here;
    // a null result would NPE on the next line.
    NetworkAcl acl = findMyNetworkAcl(region.getNetworkAcls());
    IpAccessList ingress = acl.getIngressAcl();
    IpAccessList egress = acl.getEgressAcl();
    subnetNode.getIpAccessLists().put(ingress.getName(), ingress);
    subnetNode.getIpAccessLists().put(egress.getName(), egress);
    towardVpc.setIncomingFilter(ingress);
    towardVpc.setOutgoingFilter(egress);
    return subnetNode;
}

the class NetworkAcl method getAcl.

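/**
 * Builds the ingress or egress {@link IpAccessList} for this network ACL from {@code _entries}.
 *
 * <p>Only entries whose direction matches {@code isEgress} are included. Lines are keyed by rule
 * number in a {@link TreeMap}, so the resulting list is ordered by ascending rule number; two
 * entries with the same rule number in the same direction overwrite each other (last one wins).
 *
 * <p>A port bound of {@code -1} on one side is treated as an open end ({@code 0} or {@code 65535});
 * {@code -1} on both sides means no port constraint at all. The port range stored on the line is
 * built only after this normalization, so a half-open range never carries a literal {@code -1}.
 *
 * @param isEgress {@code true} to build the egress list, {@code false} for the ingress list
 * @return a new list named {@code <networkAclId>_egress} or {@code <networkAclId>_ingress}
 */
private IpAccessList getAcl(boolean isEgress) {
    String listName = _networkAclId + (isEgress ? "_egress" : "_ingress");
    Map<Integer, IpAccessListLine> lineMap = new TreeMap<>();
    for (NetworkAclEntry entry : _entries) {
        // direction filter: keep only entries for the requested direction
        if (entry.getIsEgress() != isEgress) {
            continue;
        }
        IpAccessListLine line = new IpAccessListLine();
        int key = entry.getRuleNumber();
        LineAction action = entry.getIsAllow() ? LineAction.ACCEPT : LineAction.REJECT;
        line.setAction(action);

        // Prefix.ZERO (0.0.0.0/0) is left unconstrained; egress rules match on destination,
        // ingress rules on source.
        Prefix prefix = entry.getCidrBlock();
        if (!prefix.equals(Prefix.ZERO)) {
            if (isEgress) {
                line.setDstIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
            } else {
                line.setSrcIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
            }
        }

        // A null protocol (AWS "-1") means any protocol, so no protocol constraint is set.
        IpProtocol protocol = IpPermissions.toIpProtocol(entry.getProtocol());
        String protocolStr = protocol != null ? protocol.toString() : "ALL";
        if (protocol != null) {
            line.setIpProtocols(ImmutableSortedSet.of(protocol));
        }

        // Port handling: normalize open ends before building the range that is stored on the line.
        int fromPort = entry.getFromPort();
        int toPort = entry.getToPort();
        boolean allPorts = fromPort == -1 && toPort == -1;
        if (!allPorts) {
            if (fromPort == -1) {
                fromPort = 0;
            }
            if (toPort == -1) {
                toPort = 65535;
            }
        }
        SubRange portRange = new SubRange(fromPort, toPort);
        if (!allPorts) {
            line.setDstPorts(ImmutableSortedSet.of(portRange));
        }

        // Human-readable description of the line.
        String portStr;
        if (protocol == IpProtocol.ICMP) {
            // TODO: flesh these out
            portStr = "some ICMP type(s)/code(s)";
        } else if (allPorts || (fromPort == 0 && toPort == 65535)) {
            portStr = "ALL";
        } else {
            portStr = portRange.toString();
        }
        String actionStr = action == LineAction.ACCEPT ? "ALLOW" : "DENY";
        // AWS reports its implicit final rule with rule number 32767 and displays it as "*".
        String lineNumber = key == 32767 ? "*" : Integer.toString(key);
        line.setName(String.format("%s %s %s %s %s", lineNumber, protocolStr, portStr, prefix, actionStr));
        lineMap.put(key, line);
    }
    List<IpAccessListLine> lines = ImmutableList.copyOf(lineMap.values());
    return new IpAccessList(listName, lines);
}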

the class Route method toStaticRoute.

/**
 * Translates this AWS route-table entry into a VI {@link StaticRoute} for {@code subnet},
 * resolving the entry's target to a next hop (or to the null interface for a blackhole).
 *
 * <p>Returns {@code null}, after a red-flag warning, when the target is a VPC peering connection
 * whose remote VPC has no configuration node, or when the target is an instance (not modeled yet).
 *
 * <p>Side effects: for a network interface that lives in another subnet of the same VPC, and for
 * a VPC peering connection whose link has not been created yet, this method consumes a generated
 * link subnet from {@code awsConfiguration} and creates interfaces on {@code subnetCfgNode} and on
 * the instance node / remote VPC node respectively.
 *
 * @param awsConfiguration source of generated link prefixes and of already-built configuration nodes
 * @param region lookup source for NAT gateways, network interfaces, subnets and peering connections
 * @param vpcAddress next hop used for the {@code local} gateway target
 * @param igwAddress next hop used when the target is the subnet's internet gateway; may be null
 * @param vgwAddress next hop used when the target is the subnet's VPN gateway; may be null
 * @param subnet the subnet whose route table holds this entry
 * @param subnetCfgNode the VI node of {@code subnet}; receives any interfaces created here
 * @param warnings receives the red flags raised for the {@code null}-returning cases
 * @return the built static route, or {@code null} as described above
 * @throws BatfishException for a gateway id that is neither the subnet's internet nor VPN gateway,
 *     a network interface whose lowest IP is outside its subnet or whose subnet is in a different
 *     VPC, or an unsupported target type
 */
@Nullable
public StaticRoute toStaticRoute(AwsConfiguration awsConfiguration, Region region, Ip vpcAddress, @Nullable Ip igwAddress, @Nullable Ip vgwAddress, Subnet subnet, Configuration subnetCfgNode, Warnings warnings) {
    // setting the common properties
    StaticRoute.Builder srBuilder = StaticRoute.builder().setNetwork(_destinationCidrBlock).setAdministrativeCost(DEFAULT_STATIC_ROUTE_ADMIN).setMetric(DEFAULT_STATIC_ROUTE_COST);
    if (_state == State.BLACKHOLE) {
        // a blackholed route drops traffic regardless of its target
        srBuilder.setNextHopInterface(Interface.NULL_INTERFACE_NAME);
    } else {
        switch(_targetType) {
            case Gateway:
                if (_target.equals("local")) {
                    // send to the vpc router
                    srBuilder.setNextHopIp(vpcAddress);
                } else {
                    // exception
                    // NOTE(review): igwAddress / vgwAddress are @Nullable but are passed to the
                    // builder unchecked here; what the builder does with a null next hop is not
                    // visible in this method.
                    if (_target.equals(subnet.getInternetGatewayId())) {
                        srBuilder.setNextHopIp(igwAddress);
                    } else if (_target.equals(subnet.getVpnGatewayId())) {
                        srBuilder.setNextHopIp(vgwAddress);
                    } else {
                        // NOTE(review): the message says "Internet gateway" although the id may
                        // equally be a VPN gateway id that is not associated with this subnet.
                        throw new BatfishException("Internet gateway \"" + _target + "\" specified in this route not accessible from this subnet");
                    }
                }
                break;
            case NatGateway:
                // TODO: it is NOT clear that this is the right thing to do
                // for NATs with multiple interfaces, we should probably match on private IPs?
                // NOTE(review): an unknown NAT gateway id (null from get) or a gateway with no
                // addresses (get(0)) is not guarded and would throw an unchecked exception here.
                srBuilder.setNextHopIp(region.getNatGateways().get(_target).getNatGatewayAddresses().get(0)._privateIp);
                break;
            case NetworkInterface:
                NetworkInterface networkInterface = region.getNetworkInterfaces().get(_target);
                String networkInterfaceSubnetId = networkInterface.getSubnetId();
                if (networkInterfaceSubnetId.equals(subnet.getId())) {
                    // interface is in this very subnet: route directly to its lowest IP
                    // (lowest per Ip's natural ordering, which the TreeSet relies on).
                    // NOTE(review): an interface with no IP associations makes the [0] access
                    // throw ArrayIndexOutOfBoundsException.
                    Set<Ip> networkInterfaceIps = new TreeSet<>();
                    networkInterfaceIps.addAll(networkInterface.getIpAddressAssociations().keySet());
                    Ip lowestIp = networkInterfaceIps.toArray(new Ip[] {})[0];
                    if (!subnet.getCidrBlock().containsIp(lowestIp)) {
                        throw new BatfishException("Ip of network interface specified in static route not in containing subnet");
                    }
                    srBuilder.setNextHopIp(lowestIp);
                } else {
                    // interface is in another subnet; only allowed within the same VPC
                    String networkInterfaceVpcId = region.getSubnets().get(networkInterfaceSubnetId).getVpcId();
                    String vpcId = subnet.getVpcId();
                    if (!vpcId.equals(networkInterfaceVpcId)) {
                        throw new BatfishException("Cannot peer with interface on different VPC");
                    }
                    // need to create a link between subnet on which route is created
                    // and instance containing network interface
                    String subnetIfaceName = _target;
                    Pair<InterfaceAddress, InterfaceAddress> instanceLink = awsConfiguration.getNextGeneratedLinkSubnet();
                    InterfaceAddress subnetIfaceAddress = instanceLink.getFirst();
                    Utils.newInterface(subnetIfaceName, subnetCfgNode, subnetIfaceAddress);
                    // set up instance interface
                    String instanceId = networkInterface.getAttachmentInstanceId();
                    String instanceIfaceName = subnet.getId();
                    Configuration instanceCfgNode = awsConfiguration.getConfigurationNodes().get(instanceId);
                    InterfaceAddress instanceIfaceAddress = instanceLink.getSecond();
                    Interface instanceIface = Utils.newInterface(instanceIfaceName, instanceCfgNode, instanceIfaceAddress);
                    // Apply the instance's security-group ACLs to the new interface. When the
                    // instance node has no such ACL, a fresh empty list is used as the filter.
                    // NOTE(review): that fallback list is not stored in instanceCfgNode's ACL map,
                    // so the interface then references an ACL the node does not own; whether an
                    // empty list permits or denies is decided by the data model, not here — verify
                    // this is the intended default for an instance without security groups.
                    instanceIface.setIncomingFilter(instanceCfgNode.getIpAccessLists().getOrDefault(Region.SG_INGRESS_ACL_NAME, new IpAccessList(Region.SG_INGRESS_ACL_NAME, new LinkedList<>())));
                    instanceIface.setOutgoingFilter(instanceCfgNode.getIpAccessLists().getOrDefault(Region.SG_EGRESS_ACL_NAME, new IpAccessList(Region.SG_EGRESS_ACL_NAME, new LinkedList<>())));
                    Ip nextHopIp = instanceIfaceAddress.getIp();
                    srBuilder.setNextHopIp(nextHopIp);
                }
                break;
            case VpcPeeringConnection:
                // create route for vpc peering connection
                String vpcPeeringConnectionid = _target;
                VpcPeeringConnection vpcPeeringConnection = region.getVpcPeeringConnections().get(vpcPeeringConnectionid);
                String localVpcId = subnet.getVpcId();
                String accepterVpcId = vpcPeeringConnection.getAccepterVpcId();
                String requesterVpcId = vpcPeeringConnection.getRequesterVpcId();
                // the remote side is whichever end of the connection is not this subnet's VPC
                String remoteVpcId = localVpcId.equals(accepterVpcId) ? requesterVpcId : accepterVpcId;
                Configuration remoteVpcCfgNode = awsConfiguration.getConfigurationNodes().get(remoteVpcId);
                if (remoteVpcCfgNode == null) {
                    warnings.redFlag("VPC \"" + localVpcId + "\" cannot peer with non-existent VPC: \"" + remoteVpcId + "\"");
                    return null;
                }
                // set up subnet interface if necessary
                // The link is created once per (subnet, remote VPC) pair; later routes through the
                // same peering reuse it. Existence is checked on the subnet side only; the remote
                // side is created together with it.
                String subnetIfaceName = remoteVpcId;
                String remoteVpcIfaceName = subnet.getId();
                Ip remoteVpcIfaceIp;
                if (!subnetCfgNode.getDefaultVrf().getInterfaces().containsKey(subnetIfaceName)) {
                    // create prefix on which subnet and remote vpc router will
                    // connect
                    Pair<InterfaceAddress, InterfaceAddress> peeringLink = awsConfiguration.getNextGeneratedLinkSubnet();
                    InterfaceAddress subnetIfaceAddress = peeringLink.getFirst();
                    Utils.newInterface(subnetIfaceName, subnetCfgNode, subnetIfaceAddress);
                    // set up remote vpc router interface
                    // (built by hand rather than via Utils.newInterface: registered in both the
                    // node's interface map and its default VRF, then addressed)
                    InterfaceAddress remoteVpcIfaceAddress = peeringLink.getSecond();
                    Interface remoteVpcIface = new Interface(remoteVpcIfaceName, remoteVpcCfgNode);
                    remoteVpcCfgNode.getInterfaces().put(remoteVpcIfaceName, remoteVpcIface);
                    remoteVpcCfgNode.getDefaultVrf().getInterfaces().put(remoteVpcIfaceName, remoteVpcIface);
                    remoteVpcIface.setAddress(remoteVpcIfaceAddress);
                    remoteVpcIface.getAllAddresses().add(remoteVpcIfaceAddress);
                }
                // interface pair exists now, so just retrieve existing information
                remoteVpcIfaceIp = remoteVpcCfgNode.getDefaultVrf().getInterfaces().get(remoteVpcIfaceName).getAddress().getIp();
                // initialize static route on new link
                srBuilder.setNextHopIp(remoteVpcIfaceIp);
                break;
            case Instance:
                // TODO: create route for instance
                warnings.redFlag("Skipping creating route to " + _destinationCidrBlock + " for instance: \"" + _target + "\"");
                return null;
            default:
                throw new BatfishException("Unsupported target type: " + _targetType);
        }
    }
    return srBuilder.build();
}

the class RouteMapMatchIpAccessListLine method toBooleanExpr.

/**
 * Converts this route-map "match ip access-list" clause into a routing-policy expression.
 *
 * <p>The result is a disjunction over the named lists: the clause matches when any one of the
 * lists matches. With {@code _routing} set, each name is resolved as a route-filter list and
 * matched against the destination network; otherwise it is resolved as an IP access list.
 * Names that do not resolve are reported as undefined references and contribute nothing.
 *
 * <p>Side effects: records this line as a referer on every extended and/or standard access list
 * in {@code cc} that carries a resolved name.
 *
 * @param c the VI configuration holding the converted lists
 * @param cc the vendor configuration, used for undefined-reference and referer bookkeeping
 * @param w unused
 * @return the simplified disjunction
 */
@Override
public BooleanExpr toBooleanExpr(Configuration c, CiscoConfiguration cc, Warnings w) {
    Disjunction anyListMatches = new Disjunction();
    List<BooleanExpr> alternatives = anyListMatches.getDisjuncts();
    final String refMsg = "route-map match ip access-list line";
    for (String listName : _listNames) {
        // resolve against the VI model; _routing selects route-filter lists over IP ACLs
        Object resolved = _routing
            ? c.getRouteFilterLists().get(listName)
            : c.getIpAccessLists().get(listName);
        if (resolved == null) {
            cc.undefined(CiscoStructureType.IP_ACCESS_LIST, listName, CiscoStructureUsage.ROUTE_MAP_MATCH_IP_ACCESS_LIST, _statementLine);
            continue;
        }
        // bookkeeping: mark the vendor-side list(s) with this name as referenced by this line
        ExtendedAccessList extended = cc.getExtendedAcls().get(listName);
        if (extended != null) {
            extended.getReferers().put(this, refMsg);
        }
        StandardAccessList standard = cc.getStandardAcls().get(listName);
        if (standard != null) {
            standard.getReferers().put(this, refMsg);
        }
        BooleanExpr alternative = _routing
            ? new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(listName))
            : new MatchIpAccessList(listName);
        alternatives.add(alternative);
    }
    return anyListMatches.simplify();
}

the class IptablesVendorConfiguration method toIpAccessList.

/**
 * Converts one iptables chain into an {@link IpAccessList} named {@code aclName}.
 *
 * <p>Each rule becomes one line whose match fields are accumulated from the rule's matches;
 * address, port and protocol matches are appended to the line's existing sets, so repeated
 * matches of the same kind widen the line rather than replace earlier values. Interface matches
 * are not expressible on the line itself and are recorded in {@code _lineInInterfaces} /
 * {@code _lineOutInterfaces} instead. A final line named {@code "default"} carries the chain's
 * default policy.
 *
 * @param aclName name of the resulting access list
 * @param chain the chain whose rules and default policy are converted
 * @param vc used to canonicalize interface names referenced by interface matches
 * @return the converted access list
 * @throws BatfishException on a match type this converter does not know
 */
private IpAccessList toIpAccessList(String aclName, IptablesChain chain, VendorConfiguration vc) {
    ImmutableList.Builder<IpAccessListLine> aclLines = ImmutableList.builder();
    for (IptablesRule rule : chain.getRules()) {
        IpAccessListLine line = new IpAccessListLine();
        // NOTE(review): this flag starts false and is only ever reset to false below, so the
        // "no interface constraint" branch after the loop can never run. Kept as-is here;
        // whether it was meant to start true (and what a null interface entry means downstream)
        // should be checked before changing it.
        boolean noInterfaceGiven = false;
        for (IptablesMatch match : rule.getMatchList()) {
            switch (match.getMatchType()) {
                case SOURCE:
                    line.setSrcIps(Iterables.concat(line.getSrcIps(), Collections.singleton(match.toIpWildcard())));
                    break;
                case DESTINATION:
                    line.setDstIps(Iterables.concat(line.getDstIps(), Collections.singleton(match.toIpWildcard())));
                    break;
                case SOURCE_PORT:
                    line.setSrcPorts(Iterables.concat(line.getSrcPorts(), match.toPortRanges()));
                    break;
                case DESTINATION_PORT:
                    line.setDstPorts(Iterables.concat(line.getDstPorts(), match.toPortRanges()));
                    break;
                case PROTOCOL:
                    line.setIpProtocols(Iterables.concat(line.getIpProtocols(), Collections.singleton(match.toIpProtocol())));
                    break;
                case IN_INTERFACE:
                    _lineInInterfaces.put(line, vc.canonicalizeInterfaceName(match.toInterfaceName()));
                    noInterfaceGiven = false;
                    break;
                case OUT_INTERFACE:
                    _lineOutInterfaces.put(line, vc.canonicalizeInterfaceName(match.toInterfaceName()));
                    noInterfaceGiven = false;
                    break;
                default:
                    throw new BatfishException("Unknown match type: " + match.getMatchType());
            }
        }
        if (noInterfaceGiven) {
            _lineInInterfaces.put(line, null);
            _lineOutInterfaces.put(line, null);
        }
        line.setName(rule.getName());
        line.setAction(rule.getIpAccessListLineAction());
        aclLines.add(line);
    }
    // trailing line: the chain's default policy applies to anything no rule matched
    IpAccessListLine policyLine = new IpAccessListLine();
    policyLine.setAction(chain.getIpAccessListLineAction());
    policyLine.setName("default");
    aclLines.add(policyLine);
    return new IpAccessList(aclName, aclLines.build());
}