use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class RdsInstanceTest method testSecurityGroupsAcl.
@Test
public void testSecurityGroupsAcl() throws IOException {
Map<String, Configuration> configurations = loadAwsConfigurations();
assertThat(configurations, hasKey("test-rds"));
assertThat(configurations.get("test-rds").getInterfaces().entrySet(), hasSize(2));
IpAccessListLine rejectSynOnly = IpAccessListLine.builder().setTcpFlags(ImmutableSet.of(TcpFlags.SYN_ONLY)).setAction(LineAction.REJECT).build();
IpAccessList expectedIncomingFilter = new IpAccessList("~SECURITY_GROUP_INGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setSrcIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setDstPorts(Sets.newHashSet(new SubRange(45, 50))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setSrcIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build()));
IpAccessList expectedOutgoingFilter = new IpAccessList("~SECURITY_GROUP_EGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setDstIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setDstIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setSrcPorts(Sets.newHashSet(new SubRange(45, 50))).build()));
for (Interface iface : configurations.get("test-rds").getInterfaces().values()) {
assertThat(iface.getIncomingFilter(), equalTo(expectedIncomingFilter));
assertThat(iface.getOutgoingFilter(), equalTo(expectedOutgoingFilter));
}
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class SecurityGroupsTest method testDeniedWrongIpResponse.
@Test
public void testDeniedWrongIpResponse() throws JSONException {
SecurityGroup sg = new SecurityGroup(_securityGroups.getJSONObject(8), null);
List<IpAccessListLine> inboundRules = new LinkedList<>();
List<IpAccessListLine> outboundRules = new LinkedList<>();
sg.addInOutAccessLines(inboundRules, outboundRules, _region);
IpAccessList outFilter = new IpAccessList(TEST_ACL, outboundRules);
// flow containing wrong destination IP should be rejected
_flowBuilder.setDstIp(new Ip("1.2.3.5"));
_flowBuilder.setSrcPort(22);
_flowBuilder.setTcpFlagsAck(1);
_flowBuilder.setTcpFlagsSyn(1);
assertThat(outFilter.filter(_flowBuilder.build()).getAction(), equalTo(LineAction.REJECT));
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class SynthesizerInputImplTest method testComputeSourceNats.
@Test
public void testComputeSourceNats() {
Configuration srcNode = _cb.build();
Configuration nextHop = _cb.build();
Vrf srcVrf = _vb.setOwner(srcNode).build();
Vrf nextHopVrf = _vb.setOwner(nextHop).build();
Ip ip11 = new Ip("1.0.0.0");
Ip ip12 = new Ip("1.0.0.10");
Ip ip21 = new Ip("2.0.0.0");
Ip ip22 = new Ip("2.0.0.10");
IpAccessList sourceNat1Acl = _aclb.setLines(ImmutableList.of()).setOwner(srcNode).build();
IpAccessList sourceNat2Acl = _aclb.build();
SourceNat sourceNat1 = _snb.setPoolIpFirst(ip11).setPoolIpLast(ip12).setAcl(sourceNat1Acl).build();
SourceNat sourceNat2 = _snb.setPoolIpFirst(ip21).setPoolIpLast(ip22).setAcl(sourceNat2Acl).build();
Interface srcInterfaceZeroSourceNats = _ib.setOwner(srcNode).setVrf(srcVrf).setSourceNats(ImmutableList.of()).build();
Interface srcInterfaceOneSourceNat = _ib.setSourceNats(ImmutableList.of(sourceNat1)).build();
Interface srcInterfaceTwoSourceNats = _ib.setSourceNats(ImmutableList.of(sourceNat1, sourceNat2)).build();
Interface nextHopInterface = _ib.setOwner(nextHop).setVrf(nextHopVrf).setSourceNats(ImmutableList.of()).build();
Edge forwardEdge1 = new Edge(srcInterfaceZeroSourceNats, nextHopInterface);
Edge forwardEdge2 = new Edge(srcInterfaceOneSourceNat, nextHopInterface);
Edge forwardEdge3 = new Edge(srcInterfaceTwoSourceNats, nextHopInterface);
Edge backEdge1 = new Edge(nextHopInterface, srcInterfaceZeroSourceNats);
Edge backEdge2 = new Edge(nextHopInterface, srcInterfaceOneSourceNat);
Edge backEdge3 = new Edge(nextHopInterface, srcInterfaceTwoSourceNats);
SynthesizerInput inputWithoutDataPlane = _inputBuilder.setConfigurations(ImmutableMap.of(srcNode.getName(), srcNode, nextHop.getName(), nextHop)).build();
SynthesizerInput inputWithDataPlane = _inputBuilder.setForwardingAnalysis(MockForwardingAnalysis.builder().build()).setTopology(new Topology(ImmutableSortedSet.of(forwardEdge1, forwardEdge2, forwardEdge3, backEdge1, backEdge2, backEdge3))).build();
assertThat(inputWithDataPlane, hasSourceNats(hasEntry(equalTo(srcNode.getName()), hasEntry(equalTo(srcInterfaceZeroSourceNats.getName()), equalTo(ImmutableList.of())))));
assertThat(inputWithDataPlane, hasSourceNats(hasEntry(equalTo(srcNode.getName()), hasEntry(equalTo(srcInterfaceOneSourceNat.getName()), equalTo(ImmutableList.of(immutableEntry(new AclPermit(srcNode.getName(), sourceNat1Acl.getName()), new RangeMatchExpr(TransformationHeaderField.NEW_SRC_IP, TransformationHeaderField.NEW_SRC_IP.getSize(), ImmutableSet.of(Range.closed(ip11.asLong(), ip12.asLong()))))))))));
assertThat(inputWithDataPlane, hasSourceNats(hasEntry(equalTo(srcNode.getName()), hasEntry(equalTo(srcInterfaceTwoSourceNats.getName()), equalTo(ImmutableList.of(immutableEntry(new AclPermit(srcNode.getName(), sourceNat1Acl.getName()), new RangeMatchExpr(TransformationHeaderField.NEW_SRC_IP, TransformationHeaderField.NEW_SRC_IP.getSize(), ImmutableSet.of(Range.closed(ip11.asLong(), ip12.asLong())))), immutableEntry(new AclPermit(srcNode.getName(), sourceNat2Acl.getName()), new RangeMatchExpr(TransformationHeaderField.NEW_SRC_IP, TransformationHeaderField.NEW_SRC_IP.getSize(), ImmutableSet.of(Range.closed(ip21.asLong(), ip22.asLong()))))))))));
assertThat(inputWithoutDataPlane, hasSourceNats(nullValue()));
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class BdpEngine method processCurrentNextHopInterfaceEdges.
private boolean processCurrentNextHopInterfaceEdges(BdpDataPlane dp, String currentNodeName, Set<Edge> visitedEdges, List<FlowTraceHop> hopsSoFar, Set<FlowTrace> flowTraces, Flow originalFlow, Flow transformedFlow, Ip dstIp, Set<String> dstIpOwners, @Nullable String nextHopInterfaceName, SortedSet<String> routesForThisNextHopInterface, @Nullable Ip finalNextHopIp, @Nullable NodeInterfacePair nextHopInterface, SortedSet<Edge> edges, boolean arp) {
boolean continueToNextNextHopInterface = false;
int unreachableNeighbors = 0;
int potentialNeighbors = 0;
for (Edge edge : edges) {
if (!edge.getNode1().equals(currentNodeName)) {
continue;
}
potentialNeighbors++;
List<FlowTraceHop> newHops = new ArrayList<>(hopsSoFar);
Set<Edge> newVisitedEdges = new LinkedHashSet<>(visitedEdges);
FlowTraceHop newHop = new FlowTraceHop(edge, routesForThisNextHopInterface, hopFlow(originalFlow, transformedFlow));
newVisitedEdges.add(edge);
newHops.add(newHop);
/*
* Check to see whether neighbor would refrain from sending ARP reply
* (NEIGHBOR_UNREACHABLE)
*
* This occurs if:
*
* - Using interface-only route
*
* AND
*
* - Neighbor does not own arpIp
*
* AND EITHER
*
* -- Neighbor not using proxy-arp
*
* - OR
*
* -- Subnet of neighbor's receiving-interface contains arpIp
*/
if (arp) {
Ip arpIp;
Set<String> arpIpOwners;
if (finalNextHopIp == null) {
arpIp = dstIp;
arpIpOwners = dstIpOwners;
} else {
arpIp = finalNextHopIp;
arpIpOwners = dp._ipOwners.get(arpIp);
}
// using interface-only route
String node2 = edge.getNode2();
if (arpIpOwners == null || !arpIpOwners.contains(node2)) {
// neighbor does not own arpIp
String int2Name = edge.getInt2();
Interface int2 = dp._nodes.get(node2)._c.getInterfaces().get(int2Name);
boolean neighborUnreachable = false;
Boolean proxyArp = int2.getProxyArp();
if (proxyArp == null || !proxyArp) {
// TODO: proxyArp probably shouldn't be null
neighborUnreachable = true;
} else {
for (InterfaceAddress address : int2.getAllAddresses()) {
if (address.getPrefix().containsIp(arpIp)) {
neighborUnreachable = true;
break;
}
}
}
if (neighborUnreachable) {
unreachableNeighbors++;
continue;
}
}
}
if (visitedEdges.contains(edge)) {
FlowTrace trace = new FlowTrace(FlowDisposition.LOOP, newHops, FlowDisposition.LOOP.toString());
flowTraces.add(trace);
potentialNeighbors--;
continue;
}
String nextNodeName = edge.getNode2();
// now check output filter and input filter
if (nextHopInterfaceName != null) {
IpAccessList outFilter = dp._nodes.get(currentNodeName)._c.getInterfaces().get(nextHopInterfaceName).getOutgoingFilter();
if (outFilter != null) {
FlowDisposition disposition = FlowDisposition.DENIED_OUT;
boolean denied = flowTraceDeniedHelper(flowTraces, originalFlow, transformedFlow, newHops, outFilter, disposition);
if (denied) {
potentialNeighbors--;
continue;
}
}
}
IpAccessList inFilter = dp._nodes.get(nextNodeName)._c.getInterfaces().get(edge.getInt2()).getIncomingFilter();
if (inFilter != null) {
FlowDisposition disposition = FlowDisposition.DENIED_IN;
boolean denied = flowTraceDeniedHelper(flowTraces, originalFlow, transformedFlow, newHops, inFilter, disposition);
if (denied) {
potentialNeighbors--;
continue;
}
}
// recurse
collectFlowTraces(dp, nextNodeName, newVisitedEdges, newHops, flowTraces, originalFlow, transformedFlow);
}
if (arp && unreachableNeighbors > 0 && unreachableNeighbors == potentialNeighbors) {
FlowTrace trace = neighborUnreachableTrace(hopsSoFar, nextHopInterface, routesForThisNextHopInterface, originalFlow, transformedFlow);
flowTraces.add(trace);
continueToNextNextHopInterface = true;
}
return continueToNextNextHopInterface;
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
the class CiscoConfiguration method toInterface.
private org.batfish.datamodel.Interface toInterface(Interface iface, Map<String, IpAccessList> ipAccessLists, Configuration c) {
String name = iface.getName();
org.batfish.datamodel.Interface newIface = new org.batfish.datamodel.Interface(name, c);
String vrfName = iface.getVrf();
Vrf vrf = _vrfs.computeIfAbsent(vrfName, Vrf::new);
newIface.setDescription(iface.getDescription());
newIface.setActive(iface.getActive());
newIface.setAutoState(iface.getAutoState());
newIface.setVrf(c.getVrfs().get(vrfName));
newIface.setBandwidth(iface.getBandwidth());
if (iface.getDhcpRelayClient()) {
newIface.getDhcpRelayAddresses().addAll(_dhcpRelayServers);
} else {
newIface.getDhcpRelayAddresses().addAll(iface.getDhcpRelayAddresses());
}
newIface.setMtu(getInterfaceMtu(iface));
newIface.setOspfPointToPoint(iface.getOspfPointToPoint());
newIface.setProxyArp(iface.getProxyArp());
newIface.setSpanningTreePortfast(iface.getSpanningTreePortfast());
newIface.setSwitchport(iface.getSwitchport());
newIface.setDeclaredNames(ImmutableSortedSet.copyOf(iface.getDeclaredNames()));
// All prefixes is the combination of the interface prefix + any secondary prefixes.
ImmutableSet.Builder<InterfaceAddress> allPrefixes = ImmutableSet.builder();
if (iface.getAddress() != null) {
newIface.setAddress(iface.getAddress());
allPrefixes.add(iface.getAddress());
}
allPrefixes.addAll(iface.getSecondaryAddresses());
newIface.setAllAddresses(allPrefixes.build());
Long ospfAreaLong = iface.getOspfArea();
if (ospfAreaLong != null) {
OspfProcess proc = vrf.getOspfProcess();
if (proc != null) {
if (iface.getOspfActive()) {
proc.getActiveInterfaceList().add(name);
}
if (iface.getOspfPassive()) {
proc.getPassiveInterfaceList().add(name);
}
for (InterfaceAddress address : newIface.getAllAddresses()) {
Prefix prefix = address.getPrefix();
OspfNetwork ospfNetwork = new OspfNetwork(prefix, ospfAreaLong);
proc.getNetworks().add(ospfNetwork);
}
} else {
_w.redFlag("Interface: '" + name + "' contains OSPF settings, but there is no OSPF process");
}
}
boolean level1 = false;
boolean level2 = false;
IsisProcess isisProcess = vrf.getIsisProcess();
if (isisProcess != null) {
switch(isisProcess.getLevel()) {
case LEVEL_1:
level1 = true;
break;
case LEVEL_1_2:
level1 = true;
level2 = true;
break;
case LEVEL_2:
level2 = true;
break;
default:
throw new VendorConversionException("Invalid IS-IS level");
}
}
if (level1) {
newIface.setIsisL1InterfaceMode(iface.getIsisInterfaceMode());
} else {
newIface.setIsisL1InterfaceMode(IsisInterfaceMode.UNSET);
}
if (level2) {
newIface.setIsisL2InterfaceMode(iface.getIsisInterfaceMode());
} else {
newIface.setIsisL2InterfaceMode(IsisInterfaceMode.UNSET);
}
newIface.setIsisCost(iface.getIsisCost());
newIface.setOspfCost(iface.getOspfCost());
newIface.setOspfDeadInterval(iface.getOspfDeadInterval());
newIface.setOspfHelloMultiplier(iface.getOspfHelloMultiplier());
// switch settings
newIface.setAccessVlan(iface.getAccessVlan());
newIface.setNativeVlan(iface.getNativeVlan());
newIface.setSwitchportMode(iface.getSwitchportMode());
SwitchportEncapsulationType encapsulation = iface.getSwitchportTrunkEncapsulation();
if (encapsulation == null) {
// no encapsulation set, so use default..
// TODO: check if this is OK
encapsulation = SwitchportEncapsulationType.DOT1Q;
}
newIface.setSwitchportTrunkEncapsulation(encapsulation);
newIface.addAllowedRanges(iface.getAllowedVlans());
String incomingFilterName = iface.getIncomingFilter();
if (incomingFilterName != null) {
int incomingFilterLine = iface.getIncomingFilterLine();
IpAccessList incomingFilter = ipAccessLists.get(incomingFilterName);
if (incomingFilter == null) {
undefined(CiscoStructureType.IP_ACCESS_LIST, incomingFilterName, CiscoStructureUsage.INTERFACE_INCOMING_FILTER, incomingFilterLine);
} else {
String msg = "incoming acl for interface: " + iface.getName();
ExtendedAccessList incomingExtendedAccessList = _extendedAccessLists.get(incomingFilterName);
if (incomingExtendedAccessList != null) {
incomingExtendedAccessList.getReferers().put(iface, msg);
}
StandardAccessList incomingStandardAccessList = _standardAccessLists.get(incomingFilterName);
if (incomingStandardAccessList != null) {
incomingStandardAccessList.getReferers().put(iface, msg);
}
}
newIface.setIncomingFilter(incomingFilter);
}
String outgoingFilterName = iface.getOutgoingFilter();
if (outgoingFilterName != null) {
int outgoingFilterLine = iface.getOutgoingFilterLine();
IpAccessList outgoingFilter = ipAccessLists.get(outgoingFilterName);
if (outgoingFilter == null) {
undefined(CiscoStructureType.IP_ACCESS_LIST, outgoingFilterName, CiscoStructureUsage.INTERFACE_OUTGOING_FILTER, outgoingFilterLine);
} else {
String msg = "outgoing acl for interface: " + iface.getName();
ExtendedAccessList outgoingExtendedAccessList = _extendedAccessLists.get(outgoingFilterName);
if (outgoingExtendedAccessList != null) {
outgoingExtendedAccessList.getReferers().put(iface, msg);
}
StandardAccessList outgoingStandardAccessList = _standardAccessLists.get(outgoingFilterName);
if (outgoingStandardAccessList != null) {
outgoingStandardAccessList.getReferers().put(iface, msg);
}
}
newIface.setOutgoingFilter(outgoingFilter);
}
List<CiscoSourceNat> origSourceNats = iface.getSourceNats();
if (origSourceNats != null) {
// Process each of the CiscoSourceNats:
// 1) Collect references to ACLs and NAT pools.
// 2) For valid CiscoSourceNat rules, add them to the newIface source NATs list.
newIface.setSourceNats(origSourceNats.stream().map(nat -> processSourceNat(nat, iface, ipAccessLists)).filter(Objects::nonNull).collect(ImmutableList.toImmutableList()));
}
String routingPolicyName = iface.getRoutingPolicy();
if (routingPolicyName != null) {
int routingPolicyLine = iface.getRoutingPolicyLine();
RouteMap routingPolicyRouteMap = _routeMaps.get(routingPolicyName);
if (routingPolicyRouteMap == null) {
undefined(CiscoStructureType.ROUTE_MAP, routingPolicyName, CiscoStructureUsage.INTERFACE_POLICY_ROUTING_MAP, routingPolicyLine);
} else {
routingPolicyRouteMap.getReferers().put(iface, "routing policy for interface: " + iface.getName());
}
newIface.setRoutingPolicy(routingPolicyName);
}
return newIface;
}
Aggregations