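/**
 * Converts a vendor-specific Juniper {@code Zone} into its vendor-independent
 * {@code org.batfish.datamodel.Zone} counterpart.
 *
 * <p>Every firewall filter the zone references (inbound, from junos-host, to junos-host,
 * per-interface inbound, and cross-zone policies) is recorded as referred to by this zone and then
 * resolved to the already-converted {@code IpAccessList} of the same name in {@code _c}. Each
 * interface attached to the zone is pointed at the new zone and given its effective inbound
 * filter, which is the interface's own filter when it has one and the zone inbound filter
 * otherwise.
 *
 * <p>Interfaces are looked up in {@code _c.getInterfaces()} by name without a null check, so a
 * zone interface that was not converted earlier fails with a {@code NullPointerException} rather
 * than an undefined-reference warning — NOTE(review): confirm that cannot happen for parsed input.
 *
 * @param zone the vendor-specific zone to convert
 * @return the converted zone
 */
private org.batfish.datamodel.Zone toZone(Zone zone) {
  String zoneName = zone.getName();
  IpAccessList inboundFilterList =
      resolveZoneFilter(
          zone, zone.getInboundFilter(), "inbound filter for zone: '" + zoneName + "'");
  IpAccessList fromHostFilterList =
      resolveZoneFilter(
          zone,
          zone.getFromHostFilter(),
          "filter from junos-host to zone: '" + zoneName + "'");
  IpAccessList toHostFilterList =
      resolveZoneFilter(
          zone,
          zone.getToHostFilter(),
          "filter from zone: '" + zoneName + "' to junos-host");
  org.batfish.datamodel.Zone newZone =
      new org.batfish.datamodel.Zone(
          zoneName, inboundFilterList, fromHostFilterList, toHostFilterList);

  // Per-interface inbound filters. Entries whose interface also appears in zone.getInterfaces()
  // are rewritten by the final loop below; this pass covers any that do not.
  for (Entry<Interface, FirewallFilter> e : zone.getInboundInterfaceFilters().entrySet()) {
    String ifaceName = e.getKey().getName();
    IpAccessList ifaceFilterList =
        resolveZoneFilter(
            zone,
            e.getValue(),
            "inbound interface filter for zone: '"
                + zoneName
                + "', interface: '"
                + ifaceName
                + "'");
    org.batfish.datamodel.Interface newIface = _c.getInterfaces().get(ifaceName);
    newZone.getInboundInterfaceFilters().put(newIface.getName(), ifaceFilterList);
  }

  // Cross-zone policies, keyed by destination zone name.
  for (Entry<String, FirewallFilter> e : zone.getToZonePolicies().entrySet()) {
    String toZoneName = e.getKey();
    IpAccessList policyList =
        resolveZoneFilter(
            zone,
            e.getValue(),
            "cross-zone firewall filter from zone: '"
                + zoneName
                + "' to zone: '"
                + toZoneName
                + "'");
    newZone.getToZonePolicies().put(toZoneName, policyList);
  }

  // Attach each interface to the zone and record its effective inbound filter.
  for (Interface iface : zone.getInterfaces()) {
    org.batfish.datamodel.Interface newIface = _c.getInterfaces().get(iface.getName());
    newIface.setZone(newZone);
    FirewallFilter ownFilter = zone.getInboundInterfaceFilters().get(iface);
    IpAccessList effectiveList =
        ownFilter != null ? _c.getIpAccessLists().get(ownFilter.getName()) : inboundFilterList;
    newZone.getInboundInterfaceFilters().put(newIface.getName(), effectiveList);
  }
  return newZone;
}

/**
 * Records {@code zone} as a referer of {@code filter} and returns the converted access list of
 * the same name from {@code _c}, or {@code null} when {@code filter} is {@code null}.
 *
 * <p>Only INET-family filters are converted to access lists, so the lookup can also yield
 * {@code null} for a filter of another family — NOTE(review): confirm how a null filter entry is
 * interpreted downstream (no filtering versus no match).
 *
 * @param zone the zone holding the reference
 * @param filter the referenced filter, possibly {@code null}
 * @param usage human-readable description stored with the reference
 * @return the matching access list, or {@code null}
 */
private IpAccessList resolveZoneFilter(Zone zone, FirewallFilter filter, String usage) {
  if (filter == null) {
    return null;
  }
  filter.getReferers().put(zone, usage);
  return _c.getIpAccessLists().get(filter.getName());
}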
/**
 * Builds the vendor-independent {@code Configuration} for this Juniper device and returns it.
 *
 * <p>The result is held in {@code _c} and assembled in a fixed order, because later steps look up
 * objects created by earlier ones by name: VRFs, prefix lists, firewall filters (after dropping
 * IPv6 terms and any filter left empty by that), routing policies, route filters, community
 * lists, policy statements, interfaces, router-id, IKE/IPsec objects, zones, and then the
 * per-routing-instance pieces (DHCP relay, SNMP, routes, OSPF, IS-IS, BGP). Reference bookkeeping
 * and unreferenced-structure warnings run last.
 *
 * @return the populated vendor-independent configuration
 * @throws VendorConversionException if one of the conversion helpers called here fails; nothing
 *     is thrown directly in this method
 */
@Override
public Configuration toVendorIndependentConfiguration() throws VendorConversionException {
  String hostname = getHostname();
  _c = new Configuration(hostname, _vendor);
  _c.setAuthenticationKeyChains(convertAuthenticationKeyChains(_authenticationKeyChains));
  _c.setRoles(_roles);
  _c.setDnsServers(_dnsServers);
  _c.setDomainName(_defaultRoutingInstance.getDomainName());
  _c.setLoggingServers(_syslogHosts);
  _c.setNtpServers(_ntpServers);
  _c.setTacacsServers(_tacplusServers);
  _c.getVendorFamily().setJuniper(_jf);
  // one VRF per routing instance; their contents are filled in further down
  for (String riName : _routingInstances.keySet()) {
    _c.getVrfs().put(riName, new Vrf(riName));
  }
  // convert prefix lists to route filter lists
  // each prefix becomes an ACCEPT line matching exactly its own prefix length
  for (Entry<String, PrefixList> e : _prefixLists.entrySet()) {
    String name = e.getKey();
    PrefixList pl = e.getValue();
    RouteFilterList rfl = new RouteFilterList(name);
    for (Prefix prefix : pl.getPrefixes()) {
      int prefixLength = prefix.getPrefixLength();
      org.batfish.datamodel.RouteFilterLine line = new org.batfish.datamodel.RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefixLength, prefixLength));
      rfl.addLine(line);
    }
    _c.getRouteFilterLists().put(name, rfl);
  }
  // remove ipv6 lines from firewall filters
  // term names are collected first so the term map is not modified while being iterated
  for (FirewallFilter filter : _filters.values()) {
    Set<String> toRemove = new HashSet<>();
    for (Entry<String, FwTerm> e2 : filter.getTerms().entrySet()) {
      String termName = e2.getKey();
      FwTerm term = e2.getValue();
      if (term.getIpv6()) {
        toRemove.add(termName);
      }
    }
    for (String termName : toRemove) {
      filter.getTerms().remove(termName);
    }
  }
  // remove empty firewall filters (ipv6-only filters)
  // iterate over a copy because entries are removed from _filters
  Map<String, FirewallFilter> allFilters = new LinkedHashMap<>();
  allFilters.putAll(_filters);
  for (Entry<String, FirewallFilter> e : allFilters.entrySet()) {
    String name = e.getKey();
    FirewallFilter filter = e.getValue();
    if (filter.getTerms().size() == 0) {
      _filters.remove(name);
    }
  }
  // convert firewall filters to ipaccesslists
  // Only INET-family filters get an IpAccessList; later lookups by filter name (zones,
  // interfaces) find nothing for a filter of any other family.
  for (Entry<String, FirewallFilter> e : _filters.entrySet()) {
    String name = e.getKey();
    FirewallFilter filter = e.getValue();
    // TODO: support other filter families
    if (filter.getFamily() != Family.INET) {
      continue;
    }
    IpAccessList list = toIpAccessList(filter);
    _c.getIpAccessLists().put(name, list);
  }
  // objects
  // filters flagged as routing policies also become RoutingPolicy objects (INET only)
  for (Entry<String, FirewallFilter> e : _filters.entrySet()) {
    String name = e.getKey();
    FirewallFilter filter = e.getValue();
    if (filter.getRoutingPolicy()) {
      // TODO: support other filter families
      if (filter.getFamily() != Family.INET) {
        continue;
      }
      RoutingPolicy routingPolicy = toRoutingPolicy(filter);
      _c.getRoutingPolicies().put(name, routingPolicy);
    }
  }
  // convert route filters to route filter lists
  // a route filter may be both ipv4 and ipv6; only lines without "then" actions are applied
  for (Entry<String, RouteFilter> e : _routeFilters.entrySet()) {
    String name = e.getKey();
    RouteFilter rf = e.getValue();
    if (rf.getIpv4()) {
      RouteFilterList rfl = new RouteFilterList(name);
      for (RouteFilterLine line : rf.getLines()) {
        if (line.getThens().size() == 0) {
          line.applyTo(rfl);
        }
      }
      _c.getRouteFilterLists().put(name, rfl);
    }
    if (rf.getIpv6()) {
      Route6FilterList rfl = new Route6FilterList(name);
      for (RouteFilterLine line : rf.getLines()) {
        if (line.getThens().size() == 0) {
          line.applyTo(rfl);
        }
      }
      _c.getRoute6FilterLists().put(name, rfl);
    }
  }
  // convert community lists
  for (Entry<String, CommunityList> e : _communityLists.entrySet()) {
    String name = e.getKey();
    CommunityList cl = e.getValue();
    org.batfish.datamodel.CommunityList newCl = toCommunityList(cl);
    _c.getCommunityLists().put(name, newCl);
  }
  // convert policy-statements to RoutingPolicy objects
  for (Entry<String, PolicyStatement> e : _policyStatements.entrySet()) {
    String name = e.getKey();
    PolicyStatement ps = e.getValue();
    RoutingPolicy routingPolicy = toRoutingPolicy(ps);
    _c.getRoutingPolicies().put(name, routingPolicy);
  }
  // convert interfaces
  // flatten the units of every physical and node-device interface into one map keyed by unit name
  Map<String, Interface> allInterfaces = new LinkedHashMap<>();
  for (Interface iface : _interfaces.values()) {
    allInterfaces.putAll(iface.getUnits());
  }
  for (NodeDevice nd : _nodeDevices.values()) {
    for (Interface iface : nd.getInterfaces().values()) {
      allInterfaces.putAll(iface.getUnits());
    }
  }
  // each unit is registered under its VRF on both the new and the vendor-specific side
  for (Entry<String, Interface> eUnit : allInterfaces.entrySet()) {
    String unitName = eUnit.getKey();
    Interface unitIface = eUnit.getValue();
    unitIface.inheritUnsetFields();
    org.batfish.datamodel.Interface newUnitIface = toInterface(unitIface);
    _c.getInterfaces().put(unitName, newUnitIface);
    Vrf vrf = newUnitIface.getVrf();
    String vrfName = vrf.getName();
    vrf.getInterfaces().put(unitName, newUnitIface);
    _routingInstances.get(vrfName).getInterfaces().put(unitName, unitIface);
  }
  // set router-id
  // default router-id: the primary address of the first loopback's unit 0, when present
  if (_defaultRoutingInstance.getRouterId() == null) {
    Interface loopback0 = _defaultRoutingInstance.getInterfaces().get(FIRST_LOOPBACK_INTERFACE_NAME);
    if (loopback0 != null) {
      Interface loopback0unit0 = loopback0.getUnits().get(FIRST_LOOPBACK_INTERFACE_NAME + ".0");
      if (loopback0unit0 != null) {
        InterfaceAddress address = loopback0unit0.getPrimaryAddress();
        if (address != null) {
          // now we should set router-id
          Ip routerId = address.getIp();
          _defaultRoutingInstance.setRouterId(routerId);
        }
      }
    }
  }
  // copy ike proposals
  _c.getIkeProposals().putAll(_ikeProposals);
  // convert ike policies
  for (Entry<String, IkePolicy> e : _ikePolicies.entrySet()) {
    String name = e.getKey();
    IkePolicy oldIkePolicy = e.getValue();
    org.batfish.datamodel.IkePolicy newPolicy = toIkePolicy(oldIkePolicy);
    _c.getIkePolicies().put(name, newPolicy);
  }
  // convert ike gateways
  for (Entry<String, IkeGateway> e : _ikeGateways.entrySet()) {
    String name = e.getKey();
    IkeGateway oldIkeGateway = e.getValue();
    org.batfish.datamodel.IkeGateway newIkeGateway = toIkeGateway(oldIkeGateway);
    _c.getIkeGateways().put(name, newIkeGateway);
  }
  // copy ipsec proposals
  _c.getIpsecProposals().putAll(_ipsecProposals);
  // convert ipsec policies
  for (Entry<String, IpsecPolicy> e : _ipsecPolicies.entrySet()) {
    String name = e.getKey();
    IpsecPolicy oldIpsecPolicy = e.getValue();
    org.batfish.datamodel.IpsecPolicy newPolicy = toIpsecPolicy(oldIpsecPolicy);
    _c.getIpsecPolicies().put(name, newPolicy);
  }
  // convert ipsec vpns
  for (Entry<String, IpsecVpn> e : _ipsecVpns.entrySet()) {
    String name = e.getKey();
    IpsecVpn oldIpsecVpn = e.getValue();
    org.batfish.datamodel.IpsecVpn newIpsecVpn = toIpsecVpn(oldIpsecVpn);
    _c.getIpsecVpns().put(name, newIpsecVpn);
  }
  // zones
  // must follow interface and filter conversion: toZone resolves both by name in _c
  for (Zone zone : _zones.values()) {
    org.batfish.datamodel.Zone newZone = toZone(zone);
    _c.getZones().put(zone.getName(), newZone);
  }
  // default zone behavior
  _c.setDefaultCrossZoneAction(_defaultCrossZoneAction);
  _c.setDefaultInboundAction(_defaultInboundAction);
  // NOTE(review): inside this loop the static/aggregate/generated routes and the IS-IS loopback
  // check read _defaultRoutingInstance rather than ri, so every VRF receives the default
  // instance's routes and IS-IS decision — confirm this is intended.
  for (Entry<String, RoutingInstance> e : _routingInstances.entrySet()) {
    String riName = e.getKey();
    RoutingInstance ri = e.getValue();
    Vrf vrf = _c.getVrfs().get(riName);
    // dhcp relay
    for (Entry<String, DhcpRelayGroup> e2 : ri.getDhcpRelayGroups().entrySet()) {
      DhcpRelayGroup rg = e2.getValue();
      List<org.batfish.datamodel.Interface> interfaces = new ArrayList<>();
      if (rg.getAllInterfaces()) {
        // "all interfaces" means every converted interface of the device, not only this VRF's
        interfaces.addAll(_c.getInterfaces().values());
      } else {
        // interfaces are looked up by name with no undefined-reference check; a name that was
        // never converted yields a null element here — NOTE(review): confirm that is acceptable
        for (String ifaceName : rg.getInterfaces()) {
          org.batfish.datamodel.Interface iface = _c.getInterfaces().get(ifaceName);
          interfaces.add(iface);
        }
      }
      String asgName = rg.getActiveServerGroup();
      if (asgName != null) {
        DhcpRelayServerGroup asg = ri.getDhcpRelayServerGroups().get(asgName);
        if (asg == null) {
          int asgLine = rg.getActiveServerGroupLine();
          undefined(JuniperStructureType.DHCP_RELAY_SERVER_GROUP, asgName, JuniperStructureUsage.DHCP_RELAY_GROUP_ACTIVE_SERVER_GROUP, asgLine);
        } else {
          for (org.batfish.datamodel.Interface iface : interfaces) {
            iface.getDhcpRelayAddresses().addAll(asg.getServers());
          }
        }
      }
    }
    // snmp
    // record the prefix-list reference of each community, or report it as undefined
    SnmpServer snmpServer = ri.getSnmpServer();
    vrf.setSnmpServer(snmpServer);
    if (snmpServer != null) {
      for (SnmpCommunity community : snmpServer.getCommunities().values()) {
        String listName = community.getAccessList();
        if (listName != null) {
          int listLine = community.getAccessListLine();
          PrefixList prefixList = _prefixLists.get(listName);
          if (prefixList != null) {
            prefixList.getReferers().put(community, "prefix-list for community: " + community.getName());
          } else {
            undefined(JuniperStructureType.PREFIX_LIST, listName, JuniperStructureUsage.SNMP_COMMUNITY_PREFIX_LIST, listLine);
          }
        }
      }
    }
    // static routes
    for (StaticRoute route : _defaultRoutingInstance.getRibs().get(RoutingInformationBase.RIB_IPV4_UNICAST).getStaticRoutes().values()) {
      org.batfish.datamodel.StaticRoute newStaticRoute = toStaticRoute(route);
      vrf.getStaticRoutes().add(newStaticRoute);
    }
    // aggregate routes
    for (AggregateRoute route : _defaultRoutingInstance.getRibs().get(RoutingInformationBase.RIB_IPV4_UNICAST).getAggregateRoutes().values()) {
      org.batfish.datamodel.GeneratedRoute newAggregateRoute = toAggregateRoute(route);
      vrf.getGeneratedRoutes().add(newAggregateRoute);
    }
    // generated routes
    for (GeneratedRoute route : _defaultRoutingInstance.getRibs().get(RoutingInformationBase.RIB_IPV4_UNICAST).getGeneratedRoutes().values()) {
      org.batfish.datamodel.GeneratedRoute newGeneratedRoute = toGeneratedRoute(route);
      vrf.getGeneratedRoutes().add(newGeneratedRoute);
    }
    // create ospf process
    if (ri.getOspfAreas().size() > 0) {
      OspfProcess oproc = createOspfProcess(ri);
      vrf.setOspfProcess(oproc);
    }
    // create is-is process
    // is-is runs only if iso address is configured on lo0 unit 0
    Interface loopback0 = _defaultRoutingInstance.getInterfaces().get(FIRST_LOOPBACK_INTERFACE_NAME);
    if (loopback0 != null) {
      Interface loopback0unit0 = loopback0.getUnits().get(FIRST_LOOPBACK_INTERFACE_NAME + ".0");
      if (loopback0unit0 != null) {
        IsoAddress isisNet = loopback0unit0.getIsoAddress();
        if (isisNet != null) {
          // now we should create is-is process
          IsisProcess proc = createIsisProcess(ri, isisNet);
          vrf.setIsisProcess(proc);
        }
      }
    }
    // create bgp process
    if (ri.getNamedBgpGroups().size() > 0 || ri.getIpBgpGroups().size() > 0) {
      BgpProcess proc = createBgpProcess(ri);
      vrf.setBgpProcess(proc);
    }
  }
  // mark forwarding table export policy if it exists
  String forwardingTableExportPolicyName = _defaultRoutingInstance.getForwardingTableExportPolicy();
  if (forwardingTableExportPolicyName != null) {
    int forwardingTableExportPolicyLine = _defaultRoutingInstance.getForwardingTableExportPolicyLine();
    PolicyStatement forwardingTableExportPolicy = _policyStatements.get(forwardingTableExportPolicyName);
    if (forwardingTableExportPolicy != null) {
      setPolicyStatementReferent(forwardingTableExportPolicyName, _defaultRoutingInstance, "Forwarding-table export policy");
    } else {
      undefined(JuniperStructureType.POLICY_STATEMENT, forwardingTableExportPolicyName, JuniperStructureUsage.FORWARDING_TABLE_EXPORT_POLICY, forwardingTableExportPolicyLine);
    }
  }
  // mark references to authentication key chain that may not appear in data model
  markAuthenticationKeyChains(JuniperStructureUsage.AUTHENTICATION_KEY_CHAINS_POLICY, _c);
  markStructure(JuniperStructureType.FIREWALL_FILTER, JuniperStructureUsage.INTERFACE_FILTER, _filters);
  // warn about unreferenced data structures
  // presumably these rely on the referer bookkeeping done above, so they must stay last
  warnUnreferencedAuthenticationKeyChains();
  warnUnreferencedBgpGroups();
  warnUnreferencedDhcpRelayServerGroups();
  warnUnreferencedPolicyStatements();
  warnUnreferencedFirewallFilters();
  warnUnreferencedIkeProposals();
  warnUnreferencedIkePolicies();
  warnUnreferencedIkeGateways();
  warnUnreferencedIpsecProposals();
  warnUnreferencedIpsecPolicies();
  warnUnusedPrefixLists();
  warnEmptyPrefixLists();
  warnAndDisableUnreferencedStInterfaces();
  _c.computeRoutingPolicySources(_w);
  return _c;
}
/**
 * Builds an {@code IpAccessList} with exactly one line that carries the given action and has no
 * other fields set.
 *
 * @param name the access list name
 * @param action the action of the single line
 * @return the constructed access list
 */
private static IpAccessList makeAcl(String name, LineAction action) {
  IpAccessListLine onlyLine = new IpAccessListLine();
  onlyLine.setAction(action);
  IpAccessList acl = new IpAccessList(name, singletonList(onlyLine));
  return acl;
}
/**
 * Builds the two-node fixture used by this test: a source node whose link interface applies a
 * source NAT, and a destination node reachable over a /31 that also owns the destination prefix.
 * A static route on the source VRF points the destination prefix at the far end of the link.
 * Populates {@code _srcNode}, {@code _dstNode}, {@code _srcVrf}, {@code _originateVrf} and
 * {@code _configs}.
 */
private void setupConfigs() {
  NetworkFactory factory = new NetworkFactory();
  Configuration.Builder configBuilder =
      factory.configurationBuilder().setConfigurationFormat(ConfigurationFormat.CISCO_IOS);
  Interface.Builder ifaceBuilder = factory.interfaceBuilder().setActive(true).setBandwidth(1E9d);
  IpAccessList.Builder aclBuilder = factory.aclBuilder();
  IpAccessListLine.Builder lineBuilder = IpAccessListLine.builder();
  SourceNat.Builder natBuilder = SourceNat.builder();
  Vrf.Builder vrfBuilder = factory.vrfBuilder();

  _srcNode = configBuilder.build();
  _dstNode = configBuilder.build();
  _srcVrf = vrfBuilder.setOwner(_srcNode).build();
  _originateVrf = new OriginateVrf(_srcNode.getHostname(), _srcVrf.getName());
  Vrf dstVrf = vrfBuilder.setOwner(_dstNode).build();

  Prefix linkPrefix = Prefix.parse("1.0.0.0/31");
  Ip natPoolIp = new Ip("1.0.0.10");

  // The NAT's ACL accepts only packets sourced from 3.0.0.0/32; the pool is a single address.
  IpAccessListLine natMatchLine =
      lineBuilder
          .setSrcIps(ImmutableList.of(new IpWildcard("3.0.0.0/32")))
          .setAction(LineAction.ACCEPT)
          .build();
  IpAccessList natAcl =
      aclBuilder.setLines(ImmutableList.of(natMatchLine)).setOwner(_srcNode).build();
  SourceNat nat =
      natBuilder.setPoolIpFirst(natPoolIp).setPoolIpLast(natPoolIp).setAcl(natAcl).build();

  // Link interfaces: the source side carries the NAT, the destination side has none.
  ifaceBuilder
      .setOwner(_srcNode)
      .setVrf(_srcVrf)
      .setAddress(new InterfaceAddress(linkPrefix.getStartIp(), linkPrefix.getPrefixLength()))
      .setSourceNats(ImmutableList.of(nat))
      .build();
  ifaceBuilder
      .setOwner(_dstNode)
      .setVrf(dstVrf)
      .setAddress(new InterfaceAddress(linkPrefix.getEndIp(), linkPrefix.getPrefixLength()))
      .setSourceNats(ImmutableList.of())
      .build();

  // Interface owning the destination prefix; the builder still holds the empty source-NAT list.
  Prefix destPrefix = Prefix.parse("2.0.0.0/32");
  ifaceBuilder
      .setOwner(_dstNode)
      .setVrf(dstVrf)
      .setAddress(new InterfaceAddress(destPrefix.getEndIp(), destPrefix.getPrefixLength()))
      .build();

  StaticRoute.Builder routeBuilder = StaticRoute.builder().setNetwork(destPrefix);
  _srcVrf.getStaticRoutes().add(routeBuilder.setNextHopIp(linkPrefix.getEndIp()).build());
  _configs = ImmutableSortedMap.of(_srcNode.getName(), _srcNode, _dstNode.getName(), _dstNode);
}
/**
 * Checks that the synthesizer input derives one condition list per access list of a node: empty
 * for an ACL without lines, and one {@code HeaderSpaceMatchExpr} per line otherwise. Then checks
 * that, once a forwarding analysis and topology are supplied, the ACLs referenced only through
 * interface source NATs are included as well (with empty condition lists, as they have no lines).
 *
 * <p>The shared builders keep state between {@code build()} calls, so the statement order below
 * is significant.
 */
@Test
public void testComputeAclConditions() {
  Configuration node = _cb.build();
  IpAccessList emptyAcl = _aclb.setOwner(node).build();
  _acllb.setAction(LineAction.ACCEPT);
  IpAccessListLine lineTo1234 =
      _acllb.setDstIps(ImmutableSet.of(new IpWildcard(new Ip("1.2.3.4")))).build();
  IpAccessListLine lineTo5678 =
      _acllb.setDstIps(ImmutableSet.of(new IpWildcard(new Ip("5.6.7.8")))).build();
  IpAccessList twoLineAcl =
      _aclb.setLines(ImmutableList.<IpAccessListLine>of(lineTo1234, lineTo5678)).build();
  SynthesizerInput input =
      _inputBuilder.setConfigurations(ImmutableMap.of(node.getName(), node)).build();
  HeaderSpaceMatchExpr firstLineMatch = new HeaderSpaceMatchExpr(twoLineAcl.getLines().get(0));
  HeaderSpaceMatchExpr secondLineMatch = new HeaderSpaceMatchExpr(twoLineAcl.getLines().get(1));
  assertThat(
      input,
      hasAclConditions(
          equalTo(
              ImmutableMap.of(
                  node.getName(),
                  ImmutableMap.of(
                      emptyAcl.getName(),
                      ImmutableList.of(),
                      twoLineAcl.getName(),
                      ImmutableList.of(firstLineMatch, secondLineMatch))))));

  Configuration srcNode = _cb.build();
  Configuration nextHop = _cb.build();
  Vrf srcVrf = _vb.setOwner(srcNode).build();
  Vrf nextHopVrf = _vb.setOwner(nextHop).build();
  Ip pool1First = new Ip("1.0.0.0");
  Ip pool1Last = new Ip("1.0.0.10");
  Ip pool2First = new Ip("2.0.0.0");
  Ip pool2Last = new Ip("2.0.0.10");
  // Both NAT ACLs are line-less; the second inherits the empty line list from the builder.
  IpAccessList nat1Acl = _aclb.setLines(ImmutableList.of()).setOwner(srcNode).build();
  IpAccessList nat2Acl = _aclb.build();
  SourceNat nat1 =
      _snb.setPoolIpFirst(pool1First).setPoolIpLast(pool1Last).setAcl(nat1Acl).build();
  SourceNat nat2 =
      _snb.setPoolIpFirst(pool2First).setPoolIpLast(pool2Last).setAcl(nat2Acl).build();
  Interface srcIfaceNoNat =
      _ib.setOwner(srcNode).setVrf(srcVrf).setSourceNats(ImmutableList.of()).build();
  Interface srcIfaceOneNat = _ib.setSourceNats(ImmutableList.of(nat1)).build();
  Interface srcIfaceTwoNats = _ib.setSourceNats(ImmutableList.of(nat1, nat2)).build();
  Interface nextHopIface =
      _ib.setOwner(nextHop).setVrf(nextHopVrf).setSourceNats(ImmutableList.of()).build();
  Edge forward1 = new Edge(srcIfaceNoNat, nextHopIface);
  Edge forward2 = new Edge(srcIfaceOneNat, nextHopIface);
  Edge forward3 = new Edge(srcIfaceTwoNats, nextHopIface);
  Edge back1 = new Edge(nextHopIface, srcIfaceNoNat);
  Edge back2 = new Edge(nextHopIface, srcIfaceOneNat);
  Edge back3 = new Edge(nextHopIface, srcIfaceTwoNats);
  SynthesizerInput inputWithDataPlane =
      _inputBuilder
          .setConfigurations(
              ImmutableMap.of(srcNode.getName(), srcNode, nextHop.getName(), nextHop))
          .setForwardingAnalysis(MockForwardingAnalysis.builder().build())
          .setTopology(
              new Topology(
                  ImmutableSortedSet.of(forward1, forward2, forward3, back1, back2, back3)))
          .build();
  assertThat(
      inputWithDataPlane,
      hasAclConditions(
          equalTo(
              ImmutableMap.of(
                  srcNode.getName(),
                  ImmutableMap.of(
                      nat1Acl.getName(), ImmutableList.of(),
                      nat2Acl.getName(), ImmutableList.of()),
                  nextHop.getName(),
                  ImmutableMap.of()))));
}