use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
From the class SynthesizerInputImplTest, method testComputeAclActions.
/**
 * {@code aclActions} should map each node name to the line actions of the ACLs on its interfaces.
 * When a data plane (forwarding analysis + topology) is present, interfaces that do not appear in
 * the topology are left out; without a data plane every interface's ACLs are included.
 */
@Test
public void testComputeAclActions() {
  Configuration srcNode = _cb.build();
  Configuration nextHop = _cb.build();

  // Two explicit lines so the recorded actions are distinguishable. The ACL builder is reused
  // for every ACL below and keeps these lines, which is why the expectations later use the same
  // action list for each ACL.
  IpAccessListLine acceptLine = IpAccessListLine.builder().setAction(LineAction.ACCEPT).build();
  IpAccessListLine rejectLine = IpAccessListLine.builder().setAction(LineAction.REJECT).build();
  IpAccessList edgeInterfaceInAcl =
      _aclb.setOwner(srcNode).setLines(ImmutableList.of(acceptLine, rejectLine)).build();
  IpAccessList srcInterfaceOutAcl = _aclb.build();
  IpAccessList iNoEdgeInAcl = _aclb.build();
  IpAccessList iNoEdgeOutAcl = _aclb.build();
  IpAccessList nextHopInterfaceInAcl = _aclb.setOwner(nextHop).build();
  IpAccessList nextHopInterfaceOutAcl = _aclb.build();

  Vrf srcVrf = _vb.setOwner(srcNode).build();
  Vrf nextHopVrf = _vb.setOwner(nextHop).build();

  Interface srcInterface =
      _ib.setOwner(srcNode)
          .setVrf(srcVrf)
          .setIncomingFilter(edgeInterfaceInAcl)
          .setOutgoingFilter(srcInterfaceOutAcl)
          .build();
  // An interface on srcNode that has no topology edge: its ACLs must be dropped when a data
  // plane is available and kept when there is none.
  _ib.setIncomingFilter(iNoEdgeInAcl).setOutgoingFilter(iNoEdgeOutAcl).build();
  Interface nextHopInterface =
      _ib.setIncomingFilter(nextHopInterfaceInAcl)
          .setOutgoingFilter(nextHopInterfaceOutAcl)
          .setOwner(nextHop)
          .setVrf(nextHopVrf)
          .build();

  Topology topology =
      new Topology(
          ImmutableSortedSet.of(
              new Edge(srcInterface, nextHopInterface), new Edge(nextHopInterface, srcInterface)));

  // The input builder keeps the configurations, so the second input differs from the first only
  // by having a forwarding analysis and a topology.
  SynthesizerInput inputWithoutDataPlane =
      _inputBuilder
          .setConfigurations(
              ImmutableMap.of(srcNode.getName(), srcNode, nextHop.getName(), nextHop))
          .build();
  SynthesizerInput inputWithDataPlane =
      _inputBuilder
          .setForwardingAnalysis(MockForwardingAnalysis.builder().build())
          .setTopology(topology)
          .build();

  List<LineAction> actions = ImmutableList.of(LineAction.ACCEPT, LineAction.REJECT);
  Map<String, List<LineAction>> srcAclsWithDataPlane =
      ImmutableMap.<String, List<LineAction>>builder()
          .put(edgeInterfaceInAcl.getName(), actions)
          .put(srcInterfaceOutAcl.getName(), actions)
          .build();
  Map<String, List<LineAction>> srcAclsWithoutDataPlane =
      ImmutableMap.of(
          edgeInterfaceInAcl.getName(), actions,
          srcInterfaceOutAcl.getName(), actions,
          iNoEdgeInAcl.getName(), actions,
          iNoEdgeOutAcl.getName(), actions);
  Map<String, List<LineAction>> nextHopAcls =
      ImmutableMap.<String, List<LineAction>>builder()
          .put(nextHopInterfaceInAcl.getName(), actions)
          .put(nextHopInterfaceOutAcl.getName(), actions)
          .build();

  assertThat(
      inputWithDataPlane,
      hasAclActions(
          equalTo(
              ImmutableMap.of(
                  srcNode.getName(), srcAclsWithDataPlane, nextHop.getName(), nextHopAcls))));
  assertThat(
      inputWithoutDataPlane,
      hasAclActions(
          equalTo(
              ImmutableMap.of(
                  srcNode.getName(), srcAclsWithoutDataPlane, nextHop.getName(), nextHopAcls))));
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
From the class SecurityGroupsTest, method testDeniedSynOnlyResponse.
/**
 * An outbound packet with SYN set and ACK clear is the flag pattern of a new connection attempt,
 * not of a reply to an established connection, so the security group's outbound filter must
 * reject it. The sibling test shows that the same flow with ACK set is accepted, i.e. the TCP
 * flags alone decide the verdict here.
 */
@Test
public void testDeniedSynOnlyResponse() throws JSONException {
  // Fixture entry 8 of the security-group JSON; its rules are not visible here.
  SecurityGroup sg = new SecurityGroup(_securityGroups.getJSONObject(8), null);
  List<IpAccessListLine> inboundRules = new LinkedList<>();
  List<IpAccessListLine> outboundRules = new LinkedList<>();
  sg.addInOutAccessLines(inboundRules, outboundRules, _region);
  IpAccessList outFilter = new IpAccessList(TEST_ACL, outboundRules);

  // SYN=1, ACK=0 from source port 22 towards 1.2.3.4.
  _flowBuilder.setTcpFlagsSyn(1);
  _flowBuilder.setTcpFlagsAck(0);
  _flowBuilder.setSrcPort(22);
  _flowBuilder.setDstIp(new Ip("1.2.3.4"));
  LineAction verdict = outFilter.filter(_flowBuilder.build()).getAction();

  assertThat(verdict, equalTo(LineAction.REJECT));
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
From the class SecurityGroupsTest, method testAllowedSynAckResponse.
/**
 * An outbound packet with both SYN and ACK set is the second step of a handshake, i.e. a reply to
 * a connection that was initiated from the other side, so the security group's outbound filter
 * must accept it. Compare the SYN-only variant, which is rejected.
 */
@Test
public void testAllowedSynAckResponse() throws JSONException {
  // Fixture entry 8 of the security-group JSON; its rules are not visible here.
  SecurityGroup sg = new SecurityGroup(_securityGroups.getJSONObject(8), null);
  List<IpAccessListLine> inboundRules = new LinkedList<>();
  List<IpAccessListLine> outboundRules = new LinkedList<>();
  sg.addInOutAccessLines(inboundRules, outboundRules, _region);
  IpAccessList outFilter = new IpAccessList(TEST_ACL, outboundRules);

  // SYN=1, ACK=1 from source port 22 towards 1.2.3.4.
  _flowBuilder.setTcpFlagsSyn(1);
  _flowBuilder.setTcpFlagsAck(1);
  _flowBuilder.setSrcPort(22);
  _flowBuilder.setDstIp(new Ip("1.2.3.4"));
  LineAction verdict = outFilter.filter(_flowBuilder.build()).getAction();

  assertThat(verdict, equalTo(LineAction.ACCEPT));
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
From the class CiscoConfigurationTest, method processSourceNatDropsRuleMissingPool.
/**
 * A source NAT rule that names a NAT pool the configuration does not define must not be converted:
 * {@code processSourceNat} returns {@code null}, the ACL reference is recorded as defined and the
 * pool reference as undefined, so the dangling reference surfaces in the answer instead of being
 * silently dropped.
 */
@Test
public void processSourceNatDropsRuleMissingPool() {
  CiscoSourceNat nat = new CiscoSourceNat();
  nat.setAclName(ACL);
  nat.setNatPool(POOL);

  // The referenced ACL exists (an empty one is enough). Unlike the converted-rule test, nothing is
  // registered in _config.getNatPools(), so POOL cannot be resolved.
  SourceNat converted =
      _config.processSourceNat(
          nat,
          _interface,
          Collections.singletonMap(ACL, new IpAccessList(ACL, Collections.emptyList())));

  assertThat(converted, nullValue());
  assertDefined(
      CiscoStructureType.IP_ACCESS_LIST, ACL, CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
  assertUndefined(CiscoStructureType.NAT_POOL, POOL, CiscoStructureUsage.IP_NAT_SOURCE_POOL);
}
use of org.batfish.datamodel.IpAccessList in project batfish by batfish.
From the class CiscoConfigurationTest, method processSourceNatIsConverted.
/**
 * A source NAT rule whose ACL and NAT pool both resolve is converted: the result carries the named
 * ACL and the pool's first address, and no undefined references are recorded.
 */
@Test
public void processSourceNatIsConverted() {
  // Register the pool up front so the rule below resolves; the missing-pool test omits this step.
  // NOTE(review): the meaning of the second NatPool constructor argument (5) is not visible here.
  NatPool pool = new NatPool(POOL, 5);
  pool.setFirst(IP);
  pool.setLast(IP);
  _config.getNatPools().put(POOL, pool);

  CiscoSourceNat nat = new CiscoSourceNat();
  nat.setAclName(ACL);
  nat.setNatPool(POOL);

  SourceNat converted =
      _config.processSourceNat(
          nat,
          _interface,
          Collections.singletonMap(ACL, new IpAccessList(ACL, Collections.emptyList())));

  assertThat(converted, notNullValue());
  assertThat(converted.getAcl().getName(), equalTo(ACL));
  assertThat(converted.getPoolIpFirst(), equalTo(IP));
  assertThat(_config.getAnswerElement().getUndefinedReferences().size(), equalTo(0));
}