/**
 * Converts a vendor-specific Juniper {@code Interface} into the vendor-independent
 * {@link org.batfish.datamodel.Interface} attached to configuration {@code _c}.
 *
 * <p>Security-relevant mapping performed here:
 * <ul>
 *   <li>The inbound filter is only set when the interface belongs to a security zone
 *       ({@code _interfaceZones}); a per-interface zone filter takes precedence over the
 *       zone-wide one. An interface in no zone gets no inbound filter at all.</li>
 *   <li>Incoming/outgoing firewall filters referenced by the interface are resolved against
 *       {@code _c.getIpAccessLists()}; a missing filter is reported via {@code undefined(...)}
 *       and the interface is left without that filter rather than failing conversion.</li>
 * </ul>
 *
 * @param iface the parsed Juniper interface
 * @return the converted interface; never null
 * @throws BatfishException if the incoming filter is marked as a routing policy but no
 *     routing policy of that name exists in {@code _c}
 */
private org.batfish.datamodel.Interface toInterface(Interface iface) {
    String ifaceName = iface.getName();
    org.batfish.datamodel.Interface viIface = new org.batfish.datamodel.Interface(ifaceName, _c);
    viIface.setDeclaredNames(ImmutableSortedSet.of(ifaceName));
    Integer configuredMtu = iface.getMtu();
    if (configuredMtu != null) {
        viIface.setMtu(configuredMtu);
    }
    viIface.setVrrpGroups(iface.getVrrpGroups());
    viIface.setVrf(_c.getVrfs().get(iface.getRoutingInstance()));

    // Zone-derived inbound filter: prefer the filter declared for this specific interface,
    // otherwise fall back to the zone-wide inbound filter. Interfaces outside any zone are
    // left without an inbound filter.
    Zone zone = _interfaceZones.get(iface);
    if (zone != null) {
        String zoneName = zone.getName();
        FirewallFilter perInterfaceFilter = zone.getInboundInterfaceFilters().get(iface);
        FirewallFilter chosenInboundFilter;
        String referenceDescription;
        if (perInterfaceFilter != null) {
            chosenInboundFilter = perInterfaceFilter;
            referenceDescription = "Interface: '" + iface.getName() + "' refers to inbound filter for interface in zone : '" + zoneName + "'";
        } else {
            chosenInboundFilter = zone.getInboundFilter();
            referenceDescription = "Interface: '" + iface.getName() + "' refers to inbound filter for zone : '" + zoneName + "'";
        }
        String chosenInboundFilterName = chosenInboundFilter.getName();
        chosenInboundFilter.getReferers().put(iface, referenceDescription);
        viIface.setInboundFilter(_c.getIpAccessLists().get(chosenInboundFilterName));
    }

    // Explicit incoming firewall filter on the interface.
    String incomingFilterName = iface.getIncomingFilter();
    if (incomingFilterName != null) {
        int incomingFilterLine = iface.getIncomingFilterLine();
        IpAccessList incomingAcl = _c.getIpAccessLists().get(incomingFilterName);
        if (incomingAcl == null) {
            // Undefined reference: record it and continue without a filter.
            undefined(JuniperStructureType.FIREWALL_FILTER, incomingFilterName, JuniperStructureUsage.INTERFACE_INCOMING_FILTER, incomingFilterLine);
        } else {
            // NOTE(review): assumes every ACL name in _c.getIpAccessLists() is also a key of
            // _filters — otherwise this dereference would NPE; confirm against the converter.
            FirewallFilter incomingFilter = _filters.get(incomingFilterName);
            incomingFilter.getReferers().put(iface, "Incoming ACL for interface: " + iface.getName());
            viIface.setIncomingFilter(incomingAcl);
            if (incomingFilter.getRoutingPolicy()) {
                // A filter acting as a routing policy (filter-based forwarding) must already
                // have been converted into a RoutingPolicy of the same name.
                RoutingPolicy fbfPolicy = _c.getRoutingPolicies().get(incomingFilterName);
                if (fbfPolicy == null) {
                    throw new BatfishException("Expected interface routing-policy to exist");
                }
                viIface.setRoutingPolicy(incomingFilterName);
            }
        }
    }

    // Explicit outgoing firewall filter on the interface.
    String outgoingFilterName = iface.getOutgoingFilter();
    if (outgoingFilterName != null) {
        int outgoingFilterLine = iface.getOutgoingFilterLine();
        IpAccessList outgoingAcl = _c.getIpAccessLists().get(outgoingFilterName);
        if (outgoingAcl == null) {
            undefined(JuniperStructureType.FIREWALL_FILTER, outgoingFilterName, JuniperStructureUsage.INTERFACE_OUTGOING_FILTER, outgoingFilterLine);
        } else {
            _filters.get(outgoingFilterName).getReferers().put(iface, "Outgoing ACL for interface: " + iface.getName());
            viIface.setOutgoingFilter(outgoingAcl);
        }
    }

    // Addressing and layer-2 attributes.
    if (iface.getPrimaryAddress() != null) {
        viIface.setAddress(iface.getPrimaryAddress());
    }
    viIface.setAllAddresses(iface.getAllAddresses());
    viIface.setActive(iface.getActive());
    viIface.setAccessVlan(iface.getAccessVlan());
    viIface.setNativeVlan(iface.getNativeVlan());
    viIface.setSwitchportMode(iface.getSwitchportMode());
    SwitchportEncapsulationType trunkEncapsulation = iface.getSwitchportTrunkEncapsulation();
    if (trunkEncapsulation == null) {
        trunkEncapsulation = SwitchportEncapsulationType.DOT1Q;
    }
    viIface.setSwitchportTrunkEncapsulation(trunkEncapsulation);
    viIface.setBandwidth(iface.getBandwidth());

    // IS-IS: a level is PASSIVE if the interface is passive, ACTIVE if IS-IS is enabled on
    // the interface, and UNSET otherwise (including when the level itself is disabled).
    IsisInterfaceSettings isis = iface.getIsisSettings();
    IsisInterfaceLevelSettings level1 = isis.getLevel1Settings();
    IsisInterfaceMode level1Mode = IsisInterfaceMode.UNSET;
    if (level1.getEnabled()) {
        if (isis.getPassive()) {
            level1Mode = IsisInterfaceMode.PASSIVE;
        } else if (isis.getEnabled()) {
            level1Mode = IsisInterfaceMode.ACTIVE;
        }
    }
    viIface.setIsisL1InterfaceMode(level1Mode);
    IsisInterfaceLevelSettings level2 = isis.getLevel2Settings();
    IsisInterfaceMode level2Mode = IsisInterfaceMode.UNSET;
    if (level2.getEnabled()) {
        if (isis.getPassive()) {
            level2Mode = IsisInterfaceMode.PASSIVE;
        } else if (isis.getEnabled()) {
            level2Mode = IsisInterfaceMode.ACTIVE;
        }
    }
    viIface.setIsisL2InterfaceMode(level2Mode);

    // The VI model carries a single IS-IS cost; differing per-level metrics are unsupported.
    Integer level1Metric = level1.getMetric();
    Integer level2Metric = level2.getMetric();
    if (level1Metric != null && level2Metric != null && !level1Metric.equals(level2Metric)) {
        _w.unimplemented("distinct metrics for is-is level1 and level2 on an interface");
    } else if (level1Metric != null) {
        viIface.setIsisCost(level1Metric);
    } else if (level2Metric != null) {
        viIface.setIsisCost(level2Metric);
    }
    // TODO: enable/disable individual levels
    return viIface;
}
/**
 * Converts a Juniper firewall filter into the vendor-independent {@link IpAccessList}.
 *
 * <p>Each term becomes one ACL line unless it matches on applications, host protocols or
 * host services, in which case those match objects expand the term into one or more lines
 * themselves. Terminating actions are resolved in this precedence: accept, discard,
 * next-term (term skipped), nop (treated as accept), otherwise a red flag is raised and the
 * term is modelled as REJECT.
 *
 * <p>NOTE(review): modelling a term with no recognised action as REJECT is the conservative
 * choice for reachability analysis, but it may under-report traffic the device actually
 * permits if the vendor default for an action-less term is accept — confirm against the
 * Junos semantics before relying on the deny.
 *
 * @param filter the parsed Juniper firewall filter
 * @return the converted ACL carrying the filter's name
 */
private IpAccessList toIpAccessList(FirewallFilter filter) throws VendorConversionException {
    String filterName = filter.getName();
    List<IpAccessListLine> aclLines = new ArrayList<>();
    for (FwTerm fwTerm : filter.getTerms().values()) {
        // Resolve the terminating action; accept is checked first, so a term carrying both
        // accept and discard is modelled as accept.
        LineAction termAction;
        if (fwTerm.getThens().contains(FwThenAccept.INSTANCE)) {
            termAction = LineAction.ACCEPT;
        } else if (fwTerm.getThens().contains(FwThenDiscard.INSTANCE)) {
            termAction = LineAction.REJECT;
        } else if (fwTerm.getThens().contains(FwThenNextTerm.INSTANCE)) {
            // next-term is non-terminating: the term contributes no line.
            // TODO: throw error if any transformation is being done
            continue;
        } else if (fwTerm.getThens().contains(FwThenNop.INSTANCE)) {
            // we assume for now that any 'nop' operations imply acceptance
            termAction = LineAction.ACCEPT;
        } else {
            _w.redFlag("missing action in firewall filter: '" + filterName + "', term: '" + fwTerm.getName() + "'");
            termAction = LineAction.REJECT;
        }

        IpAccessListLine aclLine = new IpAccessListLine();
        aclLine.setName(fwTerm.getName());
        aclLine.setAction(termAction);

        // Only a term with none of the expanding match kinds is added as a single line;
        // otherwise the expanding matches append their own lines to aclLines.
        boolean singleLineTerm = fwTerm.getFromApplications().isEmpty()
            && fwTerm.getFromHostProtocols().isEmpty()
            && fwTerm.getFromHostServices().isEmpty();

        // Plain match conditions are folded into the line itself.
        for (FwFrom matchCondition : fwTerm.getFroms()) {
            matchCondition.applyTo(aclLine, this, _w, _c);
        }
        for (FwFromHostProtocol hostProtocol : fwTerm.getFromHostProtocols()) {
            hostProtocol.applyTo(aclLines, _w);
        }
        for (FwFromHostService hostService : fwTerm.getFromHostServices()) {
            hostService.applyTo(aclLines, _w);
        }
        for (FwFromApplication application : fwTerm.getFromApplications()) {
            application.applyTo(aclLine, aclLines, _w);
        }
        if (singleLineTerm) {
            aclLines.add(aclLine);
        }
    }
    return new IpAccessList(filterName, aclLines);
}
/*
 * Initialize boolean expressions to represent ACLs on each interface.
 *
 * For every edge leaving every router, one solver boolean is declared per filter actually
 * attached to the edge's start interface (outgoing and/or incoming) and constrained to equal
 * the symbolic ACL function computed by computeACL(). The booleans are recorded in
 * _outboundAcls / _inboundAcls keyed by edge. An interface with no filter in a direction
 * gets no entry and no constraint in that direction, i.e. it is modelled as unfiltered.
 *
 * Variable names embed the encoder id, slice name, router, interface and ACL name so that
 * identically named ACLs on different routers/slices do not collide in the solver.
 */
private void initAclFunctions() {
    for (Entry<String, List<GraphEdge>> routerEdges : getGraph().getEdgeMap().entrySet()) {
        String routerName = routerEdges.getKey();
        for (GraphEdge edge : routerEdges.getValue()) {
            Interface startIface = edge.getStart();
            String varPrefix = String.format("%d_%s_%s_%s_", _encoder.getId(), _sliceName, routerName, startIface.getName());

            IpAccessList egressAcl = startIface.getOutgoingFilter();
            if (egressAcl != null) {
                BoolExpr egressVar = getCtx().mkBoolConst(varPrefix + "OUTBOUND_" + egressAcl.getName());
                add(mkEq(egressVar, computeACL(egressAcl)));
                _outboundAcls.put(edge, egressVar);
            }

            IpAccessList ingressAcl = startIface.getIncomingFilter();
            if (ingressAcl != null) {
                BoolExpr ingressVar = getCtx().mkBoolConst(varPrefix + "INBOUND_" + ingressAcl.getName());
                add(mkEq(ingressVar, computeACL(ingressAcl)));
                _inboundAcls.put(edge, ingressVar);
            }
        }
    }
}
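/*
 * Build flow information for a given hop along a path.
 *
 * Starting at `router`, follows the solver model's data-forwarding decisions hop by hop and
 * returns the concrete flow together with a FlowTrace whose disposition explains where the
 * flow ended: LOOP (a router is revisited), DENIED_IN (the forwarding edge is taken but the
 * packet does not make it across, attributed to the far end's incoming filter), DENIED_OUT
 * (control plane forwards but data plane does not, attributed to the near end's outgoing
 * filter), ACCEPTED (loopback, eBGP peering, host peer, or a local interface address equal
 * to the destination), NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, or NO_ROUTE.
 *
 * Fix: the DENIED_OUT branch previously indexed acl.getLines() with the match line without
 * checking it for null; the DENIED_IN branch already reports "default deny" in that case and
 * the outbound branch now does the same instead of throwing an NPE on an implicit deny.
 *
 * NOTE(review): both denial branches dereference the interface's filter without a null
 * check — this assumes the encoder only produces these decision patterns when a filter is
 * present on that interface; confirm against the encoder before relying on it.
 */
Tuple<Flow, FlowTrace> buildFlowTrace(Encoder enc, String router) {
    EncoderSlice slice = enc.getMainSlice();
    SymbolicPacket pkt = slice.getSymbolicPacket();
    SymbolicDecisions decisions = slice.getSymbolicDecisions();
    Flow f = buildFlow(pkt, router);
    // Routers already traversed; revisiting one means the model forwards in a loop.
    SortedSet<String> visited = new TreeSet<>();
    List<FlowTraceHop> hops = new ArrayList<>();
    String current = router;
    while (true) {
        visited.add(current);
        // Get the forwarding variables
        Map<GraphEdge, BoolExpr> dfwd = decisions.getDataForwarding().get(current);
        Map<GraphEdge, BoolExpr> cfwd = decisions.getControlForwarding().get(current);
        Map<GraphEdge, BoolExpr> across = enc.getMainSlice().getForwardsAcross().get(current);
        // Find the route used
        SymbolicRoute r = decisions.getBestNeighbor().get(current);
        Protocol proto = buildProcotol(r, slice, current);
        Prefix pfx = buildPrefix(r, f);
        // pick the next router
        boolean found = false;
        for (Entry<GraphEdge, BoolExpr> entry : dfwd.entrySet()) {
            GraphEdge ge = entry.getKey();
            BoolExpr dexpr = entry.getValue();
            BoolExpr cexpr = cfwd.get(ge);
            BoolExpr aexpr = across.get(ge);
            String route = buildRoute(pfx, proto, ge);
            if (isTrue(dexpr)) {
                hops.add(buildFlowTraceHop(ge, route));
                if (ge.getPeer() != null && visited.contains(ge.getPeer())) {
                    FlowTrace ft = new FlowTrace(FlowDisposition.LOOP, hops, "LOOP");
                    return new Tuple<>(f, ft);
                }
                if (isFalse(aexpr)) {
                    // Data plane forwards but the packet is not carried across the edge:
                    // attribute the drop to the receiving interface's incoming filter.
                    Interface i = ge.getEnd();
                    IpAccessList acl = i.getIncomingFilter();
                    FilterResult fr = acl.filter(f);
                    // A null match line means no line matched, i.e. the ACL's implicit deny.
                    String line = "default deny";
                    if (fr.getMatchLine() != null) {
                        line = acl.getLines().get(fr.getMatchLine()).getName();
                    }
                    String note = String.format("DENIED_IN{%s}{%s}", acl.getName(), line);
                    FlowTrace ft = new FlowTrace(FlowDisposition.DENIED_IN, hops, note);
                    return new Tuple<>(f, ft);
                }
                boolean isLoopback = slice.getGraph().isLoopback(ge);
                if (isLoopback) {
                    FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
                    return new Tuple<>(f, ft);
                }
                if (ge.getPeer() == null) {
                    // An edge without a peer is either an external BGP peering (treated as
                    // accepted by the outside) or a dead end.
                    boolean isBgpPeering = slice.getGraph().getEbgpNeighbors().get(ge) != null;
                    if (isBgpPeering) {
                        FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
                        return new Tuple<>(f, ft);
                    } else {
                        FlowTrace ft = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, hops, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
                        return new Tuple<>(f, ft);
                    }
                }
                if (slice.getGraph().isHost(ge.getPeer())) {
                    FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
                    return new Tuple<>(f, ft);
                }
                current = ge.getPeer();
                found = true;
                break;
            } else if (isTrue(cexpr)) {
                // Control plane would forward here but the data plane does not: attribute the
                // drop to the sending interface's outgoing filter.
                hops.add(buildFlowTraceHop(ge, route));
                Interface i = ge.getStart();
                IpAccessList acl = i.getOutgoingFilter();
                FilterResult fr = acl.filter(f);
                // Mirror the DENIED_IN branch: a null match line is the ACL's implicit deny,
                // not an index into the line list.
                String line = "default deny";
                if (fr.getMatchLine() != null) {
                    line = acl.getLines().get(fr.getMatchLine()).getName();
                }
                String note = String.format("DENIED_OUT{%s}{%s}", acl.getName(), line);
                FlowTrace ft = new FlowTrace(FlowDisposition.DENIED_OUT, hops, note);
                return new Tuple<>(f, ft);
            }
        }
        if (!found) {
            BoolExpr permitted = r.getPermitted();
            if (boolVal(permitted)) {
                // Check if there is an accepting interface
                for (GraphEdge ge : slice.getGraph().getEdgeMap().get(current)) {
                    Interface i = ge.getStart();
                    Ip ip = i.getAddress().getIp();
                    if (ip.equals(f.getDstIp())) {
                        FlowTrace ft = new FlowTrace(FlowDisposition.ACCEPTED, hops, "ACCEPTED");
                        return new Tuple<>(f, ft);
                    }
                }
                FlowTrace ft = new FlowTrace(FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, hops, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
                return new Tuple<>(f, ft);
            }
            FlowTrace ft = new FlowTrace(FlowDisposition.NO_ROUTE, hops, "NO_ROUTE");
            return new Tuple<>(f, ft);
        }
    }
}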
/**
 * Checks the ACLs synthesised from the Elasticsearch domain's security groups.
 *
 * <p>Every interface of the {@code es-domain} node must carry the same ingress and egress
 * ACL. The expected ingress ACL permits TCP from two listed /32 sources to ports 45-50,
 * then rejects TCP packets with only SYN set, then accepts everything else from 0.0.0.0/0;
 * the egress ACL is the mirror image. The reject-SYN-only line sitting between the explicit
 * permit and the catch-all accept presumably approximates the security group's stateful
 * handling (new connections must match an explicit rule, everything else is treated as
 * return traffic) — confirm against the AWS converter before relying on that reading.
 */
@Test
public void testSecurityGroupsAcl() throws IOException {
    Map<String, Configuration> configs = loadAwsConfigurations();
    assertThat(configs, hasKey("es-domain"));
    Configuration esDomain = configs.get("es-domain");
    assertThat(esDomain.getInterfaces().entrySet(), hasSize(2));

    // TCP segments carrying only SYN are rejected in both directions.
    IpAccessListLine dropSynOnly = IpAccessListLine.builder()
        .setTcpFlags(ImmutableSet.of(TcpFlags.SYN_ONLY))
        .setAction(LineAction.REJECT)
        .build();

    // Ingress: explicit permit for listed sources, then the SYN-only reject, then accept all.
    IpAccessListLine ingressPermitListedSources = IpAccessListLine.builder()
        .setAction(LineAction.ACCEPT)
        .setIpProtocols(Sets.newHashSet(IpProtocol.TCP))
        .setSrcIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32")))
        .setDstPorts(Sets.newHashSet(new SubRange(45, 50)))
        .build();
    IpAccessListLine ingressPermitAny = IpAccessListLine.builder()
        .setAction(LineAction.ACCEPT)
        .setSrcIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0")))
        .build();
    IpAccessList expectedIngress = new IpAccessList("~SECURITY_GROUP_INGRESS_ACL~",
        Lists.newArrayList(ingressPermitListedSources, dropSynOnly, ingressPermitAny));

    // Egress: accept all destinations, then the SYN-only reject, then the mirrored permit.
    IpAccessListLine egressPermitAny = IpAccessListLine.builder()
        .setAction(LineAction.ACCEPT)
        .setDstIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0")))
        .build();
    IpAccessListLine egressPermitListedDestinations = IpAccessListLine.builder()
        .setAction(LineAction.ACCEPT)
        .setIpProtocols(Sets.newHashSet(IpProtocol.TCP))
        .setDstIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32")))
        .setSrcPorts(Sets.newHashSet(new SubRange(45, 50)))
        .build();
    IpAccessList expectedEgress = new IpAccessList("~SECURITY_GROUP_EGRESS_ACL~",
        Lists.newArrayList(egressPermitAny, dropSynOnly, egressPermitListedDestinations));

    for (Interface iface : esDomain.getInterfaces().values()) {
        assertThat(iface.getIncomingFilter(), equalTo(expectedIngress));
        assertThat(iface.getOutgoingFilter(), equalTo(expectedEgress));
    }
}