
Example 21 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

From class CiscoConfiguration, method toIpAccessList:

/**
 * Converts a Cisco extended access list into the vendor-independent {@link IpAccessList}.
 *
 * <p>Every {@link ExtendedAccessListLine} becomes one {@link IpAccessListLine} with the same
 * name and action. A match dimension is constrained on the converted line only when the vendor
 * line constrains it; a dimension that is left unset places no restriction on traffic:
 *
 * <ul>
 *   <li>source/destination wildcards are copied only when present;
 *   <li>{@code IpProtocol.IP} stands for "any protocol" and is not copied;
 *   <li>ICMP type and code become single-value {@link SubRange}s when present;
 *   <li>port ranges, states, TCP flags, DSCP and ECN sets are handed over as the vendor line's
 *       own collection instances (no defensive copy).
 * </ul>
 *
 * <p>NOTE(review): source/destination address groups are not converted yet (see the TODO in the
 * per-line helper). A vendor line whose source or destination is an address group arrives here
 * with a {@code null} wildcard, so the converted line matches <em>any</em> address in that
 * position. Analyses over such an ACL over-approximate what the line matches (a permit becomes
 * broader, a deny becomes broader); treat their results as unsound until address groups are
 * supported.
 *
 * @param eaList the vendor extended access list to convert
 * @return an access list with the same name and one converted line per vendor line, in order
 */
private IpAccessList toIpAccessList(ExtendedAccessList eaList) {
    List<IpAccessListLine> convertedLines = new ArrayList<>(eaList.getLines().size());
    for (ExtendedAccessListLine vendorLine : eaList.getLines()) {
        convertedLines.add(toIpAccessListLine(vendorLine));
    }
    return new IpAccessList(eaList.getName(), convertedLines);
}

/**
 * Converts a single extended-ACL line; see {@link #toIpAccessList(ExtendedAccessList)} for the
 * matching semantics and the address-group caveat.
 */
private IpAccessListLine toIpAccessListLine(ExtendedAccessListLine vendorLine) {
    IpAccessListLine result = new IpAccessListLine();
    result.setName(vendorLine.getName());
    result.setAction(vendorLine.getAction());

    IpWildcard source = vendorLine.getSourceIpWildcard();
    if (source != null) {
        result.setSrcIps(ImmutableSortedSet.of(source));
    }
    IpWildcard destination = vendorLine.getDestinationIpWildcard();
    if (destination != null) {
        result.setDstIps(ImmutableSortedSet.of(destination));
    }
    // TODO: src/dst address group

    // IP means "any protocol", so it leaves the protocol dimension unconstrained.
    IpProtocol protocol = vendorLine.getProtocol();
    if (protocol != IpProtocol.IP) {
        result.setIpProtocols(ImmutableSortedSet.of(protocol));
    }

    result.setDstPorts(vendorLine.getDstPorts());
    result.setSrcPorts(vendorLine.getSrcPorts());

    Integer icmpType = vendorLine.getIcmpType();
    if (icmpType != null) {
        result.setIcmpTypes(ImmutableSortedSet.of(new SubRange(icmpType)));
    }
    Integer icmpCode = vendorLine.getIcmpCode();
    if (icmpCode != null) {
        result.setIcmpCodes(ImmutableSortedSet.of(new SubRange(icmpCode)));
    }

    // The remaining match sets are passed through without copying.
    result.setStates(vendorLine.getStates());
    result.setTcpFlags(vendorLine.getTcpFlags());
    result.setDscps(vendorLine.getDscps());
    result.setEcns(vendorLine.getEcns());
    return result;
}

Example 22 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

From class Region, method applySecurityGroupsAcls:

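/**
 * Installs the security-group ACLs on every node that has security groups attached.
 *
 * <p>For each entry of {@code _configurationSecurityGroups}, the inbound and outbound lines of
 * all of the node's security groups are concatenated (in the order the group set is iterated)
 * into one ingress ACL and one egress ACL, named {@code SG_INGRESS_ACL_NAME} and
 * {@code SG_EGRESS_ACL_NAME}. Both ACLs are registered on the node and then attached as the
 * incoming/outgoing filter of <em>every</em> interface of that node, replacing any filter that
 * was already set there.
 *
 * <p>NOTE(review): a node with no entry in {@code _configurationSecurityGroups} gets no filter
 * from this method at all, and a node whose groups contribute no lines gets an empty ACL in that
 * direction. What an empty {@link IpAccessList} permits is decided by the data model, not here.
 *
 * @param cfgNodes vendor-independent nodes keyed by node name; every key of
 *     {@code _configurationSecurityGroups} must be present
 * @throws NullPointerException if a security-group entry names a node missing from {@code cfgNodes}
 */
private void applySecurityGroupsAcls(Map<String, Configuration> cfgNodes) {
    for (Entry<String, Set<SecurityGroup>> entry : _configurationSecurityGroups.entrySet()) {
        String nodeName = entry.getKey();
        // Fail here with a descriptive message instead of a bare NPE when the ACLs are registered.
        Configuration cfgNode = java.util.Objects.requireNonNull(cfgNodes.get(nodeName), "No configuration node named '" + nodeName + "' for its security groups");
        List<IpAccessListLine> inboundRules = new LinkedList<>();
        List<IpAccessListLine> outboundRules = new LinkedList<>();
        entry.getValue().forEach(securityGroup -> securityGroup.addInOutAccessLines(inboundRules, outboundRules, this));
        // create ACLs from inboundRules and outboundRules
        IpAccessList inAcl = new IpAccessList(SG_INGRESS_ACL_NAME, inboundRules);
        IpAccessList outAcl = new IpAccessList(SG_EGRESS_ACL_NAME, outboundRules);
        cfgNode.getIpAccessLists().put(SG_INGRESS_ACL_NAME, inAcl);
        cfgNode.getIpAccessLists().put(SG_EGRESS_ACL_NAME, outAcl);
        // applying the filters to all interfaces in the node (unconditionally overwrites prior filters)
        cfgNode.getInterfaces().values().forEach(iface -> {
            iface.setIncomingFilter(inAcl);
            iface.setOutgoingFilter(outAcl);
        });
    }
}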

Example 23 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

From class IptablesVendorConfiguration, method addAsIpAccessLists:

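/**
 * Converts every chain of every iptables table into an {@link IpAccessList} and registers it on
 * {@code config}.
 *
 * <p>Each chain becomes one ACL whose name is derived by {@code toIpAccessListName} from the
 * table and chain names. The conversion also resets and repopulates {@code _lineInInterfaces}
 * and {@code _lineOutInterfaces}, the identity-keyed maps that the later overlay step uses to
 * bind converted lines to interfaces.
 *
 * <p>An ACL name that is already present on {@code config} is an error rather than a silent
 * replacement: overwriting would drop a chain's rules from the model without a trace, and the
 * overlay step treats name collisions the same way.
 *
 * @param config the vendor-independent node receiving the ACLs
 * @param vc the vendor configuration the chains belong to, passed through to the per-chain
 *     conversion
 * @param warnings conversion warnings sink (not used by this method)
 * @throws BatfishException if an ACL with the derived name already exists on {@code config}
 */
public void addAsIpAccessLists(Configuration config, VendorConfiguration vc, Warnings warnings) {
    _lineInInterfaces = new IdentityHashMap<>();
    _lineOutInterfaces = new IdentityHashMap<>();
    for (Entry<String, IptablesTable> tableEntry : _tables.entrySet()) {
        String tableName = tableEntry.getKey();
        for (Entry<String, IptablesChain> chainEntry : tableEntry.getValue().getChains().entrySet()) {
            String chainName = chainEntry.getKey();
            String aclName = toIpAccessListName(tableName, chainName);
            IpAccessList acl = toIpAccessList(aclName, chainEntry.getValue(), vc);
            // Same rule as the overlay step: a name collision must not silently discard rules.
            if (config.getIpAccessLists().putIfAbsent(aclName, acl) != null) {
                throw new BatfishException(config.getHostname() + ": iptables acl " + aclName + " already exists");
            }
        }
    }
}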

Example 24 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

From class IptablesVendorConfiguration, method applyAsOverlay:

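/**
 * Merges the converted iptables ACLs into {@code configuration} as per-interface filters.
 *
 * <p>Only the {@code mangle} table's {@code PREROUTING} and {@code POSTROUTING} chains are
 * supported: both are removed from the node's ACL map and any ACL left behind aborts with a
 * {@link BatfishException}. Every interface then receives its own ingress ACL
 * ({@code iptables_<iface>_ingress}) built from the PREROUTING lines and its own egress ACL
 * ({@code iptables_<iface>_egress}) built from the POSTROUTING lines. A line is included on an
 * interface when it has no entry in {@code _lineInInterfaces}/{@code _lineOutInterfaces} or when
 * that entry names this interface.
 *
 * <p>Consequences a reader of the analysis results should know:
 *
 * <ul>
 *   <li>a line with no interface restriction is replicated onto <em>every</em> interface;
 *   <li>a line restricted to an interface name that does not exist on the node lands in no ACL
 *       and is dropped without a warning ({@code warnings} is not used here);
 *   <li>ACLs from any other table, notably the {@code filter} table's INPUT/OUTPUT/FORWARD
 *       chains, are rejected rather than ignored.
 * </ul>
 *
 * <p>PREROUTING is processed for all interfaces before POSTROUTING. An interface that already has
 * a filter in the relevant direction, or an ACL-name collision, aborts the whole merge, possibly
 * leaving earlier interfaces already updated.
 *
 * @param configuration the node to attach filters to; its ACL map must contain only the ACLs
 *     produced from the iptables tables
 * @param warnings conversion warnings sink (not used by this method)
 * @throws BatfishException on a non-mangle ACL, an interface that already has a filter, or an
 *     ACL-name collision
 */
public void applyAsOverlay(Configuration configuration, Warnings warnings) {
    IpAccessList prerouting = configuration.getIpAccessLists().remove("mangle::PREROUTING");
    IpAccessList postrouting = configuration.getIpAccessLists().remove("mangle::POSTROUTING");
    if (!configuration.getIpAccessLists().isEmpty()) {
        throw new BatfishException("Merging iptables rules for " + configuration.getName() + ": only mangle tables are supported");
    }
    if (prerouting != null) {
        attachPerInterface(configuration, prerouting, _lineInInterfaces, true);
    }
    if (postrouting != null) {
        attachPerInterface(configuration, postrouting, _lineOutInterfaces, false);
    }
}

/**
 * Splits {@code chainAcl} into one ACL per interface and installs it as that interface's
 * incoming (ingress) or outgoing (egress) filter.
 *
 * @param configuration node whose interfaces receive the filters
 * @param chainAcl converted PREROUTING (ingress) or POSTROUTING (egress) chain
 * @param lineInterfaces identity map from chain line to the interface name it is restricted to;
 *     lines without an entry are unrestricted
 * @param ingress {@code true} to install incoming filters, {@code false} for outgoing ones
 * @throws BatfishException if an interface already has a filter in that direction or the
 *     per-interface ACL name is already taken
 */
private void attachPerInterface(Configuration configuration, IpAccessList chainAcl, Map<?, String> lineInterfaces, boolean ingress) {
    String direction = ingress ? "ingress" : "egress";
    for (Interface iface : configuration.getInterfaces().values()) {
        String ifaceName = iface.getName();
        String dbgName = configuration.getHostname() + ":" + ifaceName;
        // Keep lines that are unrestricted or explicitly bound to this interface.
        List<IpAccessListLine> newRules = chainAcl.getLines().stream().filter(l -> {
            String bound = lineInterfaces.get(l);
            return bound == null || ifaceName.equals(bound);
        }).collect(Collectors.toList());
        IpAccessList existing = ingress ? iface.getIncomingFilter() : iface.getOutgoingFilter();
        if (existing != null) {
            throw new BatfishException(dbgName + " already has a filter," + " cannot combine with iptables rules!");
        }
        String aclName = "iptables_" + ifaceName + "_" + direction;
        IpAccessList acl = new IpAccessList(aclName, newRules);
        if (configuration.getIpAccessLists().putIfAbsent(aclName, acl) != null) {
            throw new BatfishException(dbgName + " acl " + aclName + " already exists");
        }
        if (ingress) {
            iface.setIncomingFilter(acl);
        } else {
            iface.setOutgoingFilter(acl);
        }
    }
}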

Example 25 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

From class BDDNetwork, method computeInterfacePolicies:

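/**
 * For each interface in the network, creates a canonical (BDD) representation of the import and
 * export policies on this interface.
 *
 * <p>Routers whose name does not fully match {@code _nodeSpecifier}'s regex are skipped. The
 * first pass fills the per-edge maps: {@code _importBgpPolicies}/{@code _exportBgpPolicies} from
 * the BGP import/export routing policies found for the edge, and {@code _inAcls}/{@code _outAcls}
 * from the incoming/outgoing filters of the edge's start interface. The second pass combines
 * them into one {@link InterfacePolicy} per edge: the import policy carries the incoming ACL,
 * the BGP import policy and the default VRF's static routes as (network, administrative cost)
 * pairs; the export policy carries the outgoing ACL, the BGP export policy and the start
 * interface's OSPF cost.
 *
 * <p>An interface with no filter in a direction gets a {@code null} ACL in its policy;
 * presumably {@link InterfacePolicy} reads that as "unfiltered", which is not visible here. Only
 * {@code ge.getStart()}'s filters are consulted; the remote end of the edge is not modeled by
 * this method. The meaning of the {@code true} argument passed to {@code computeBDD} and
 * {@code BDDAcl.create} is likewise not visible here.
 */
private void computeInterfacePolicies() {
    for (Entry<String, Configuration> entry : _graph.getConfigurations().entrySet()) {
        String router = entry.getKey();
        if (!matchesNodeSpecifier(router)) {
            continue;
        }
        Configuration conf = entry.getValue();
        List<GraphEdge> edges = _graph.getEdgeMap().get(router);
        for (GraphEdge ge : edges) {
            // Import BGP policy
            RoutingPolicy importBgp = _graph.findImportRoutingPolicy(router, Protocol.BGP, ge);
            if (importBgp != null) {
                _importBgpPolicies.put(ge, computeBDD(_graph, conf, importBgp, true));
            }
            // Export BGP policy
            RoutingPolicy exportBgp = _graph.findExportRoutingPolicy(router, Protocol.BGP, ge);
            if (exportBgp != null) {
                _exportBgpPolicies.put(ge, computeBDD(_graph, conf, exportBgp, true));
            }
            // Incoming / outgoing ACLs of the edge's start interface
            IpAccessList in = ge.getStart().getIncomingFilter();
            IpAccessList out = ge.getStart().getOutgoingFilter();
            if (in != null) {
                _inAcls.put(ge, BDDAcl.create(conf, in, true));
            }
            if (out != null) {
                _outAcls.put(ge, BDDAcl.create(conf, out, true));
            }
        }
    }
    for (Entry<String, List<GraphEdge>> entry : _graph.getEdgeMap().entrySet()) {
        String router = entry.getKey();
        if (!matchesNodeSpecifier(router)) {
            continue;
        }
        List<GraphEdge> edges = entry.getValue();
        if (edges.isEmpty()) {
            // Nothing to build; also avoids touching the configuration for edge-less routers.
            continue;
        }
        Configuration conf = _graph.getConfigurations().get(router);
        // Static routes depend only on the router, so collect them once; each edge gets its own copy.
        SortedSet<Pair<Prefix, Integer>> staticPrefixes = staticPrefixesOf(conf);
        for (GraphEdge ge : edges) {
            BDDRoute bgpIn = _importBgpPolicies.get(ge);
            BDDRoute bgpOut = _exportBgpPolicies.get(ge);
            BDDAcl aclIn = _inAcls.get(ge);
            BDDAcl aclOut = _outAcls.get(ge);
            Integer ospfCost = ge.getStart().getOspfCost();
            InterfacePolicy ipol = new InterfacePolicy(aclIn, bgpIn, null, new TreeSet<>(staticPrefixes));
            InterfacePolicy epol = new InterfacePolicy(aclOut, bgpOut, ospfCost, null);
            _importPolicyMap.put(ge, ipol);
            _exportPolicyMap.put(ge, epol);
        }
    }
}

/** Whether {@code router} is selected by {@code _nodeSpecifier}'s regex (full match). */
private boolean matchesNodeSpecifier(String router) {
    Matcher m = _nodeSpecifier.getRegex().matcher(router);
    return m.matches();
}

/** Static routes of {@code conf}'s default VRF as (network, administrative cost) pairs. */
private static SortedSet<Pair<Prefix, Integer>> staticPrefixesOf(Configuration conf) {
    SortedSet<Pair<Prefix, Integer>> staticPrefixes = new TreeSet<>();
    for (StaticRoute sr : conf.getDefaultVrf().getStaticRoutes()) {
        staticPrefixes.add(new Pair<>(sr.getNetwork(), sr.getAdministrativeCost()));
    }
    return staticPrefixes;
}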
