
Example 31 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class SynthesizerInputImplTest method testComputeAclActions.

/**
 * Checks the per-node, per-ACL line actions reported by a {@link SynthesizerInput} built with
 * and without a data plane.
 *
 * <p>Two nodes are joined by one edge in each direction. The source node also gets an interface
 * that is on no edge. The expected maps below require that interface's ACLs to be reported only
 * when no data plane (forwarding analysis and topology) is supplied.
 *
 * <p>NOTE(review): the expectations depend on the shared builders ({@code _aclb}, {@code _ib},
 * {@code _inputBuilder}) keeping previously set values between {@code build()} calls, so the
 * statement order in this test is significant.
 */
@Test
public void testComputeAclActions() {
    Configuration srcConfig = _cb.build();
    Configuration nextHopConfig = _cb.build();

    // Every ACL in this test is expected to report ACCEPT followed by REJECT.
    List<LineAction> acceptThenReject = ImmutableList.of(LineAction.ACCEPT, LineAction.REJECT);

    // The two lines are set on the ACL builder once; the later build() calls appear to reuse
    // them, since the expected maps list the same actions for every ACL.
    IpAccessListLine acceptLine = IpAccessListLine.builder().setAction(LineAction.ACCEPT).build();
    IpAccessListLine rejectLine = IpAccessListLine.builder().setAction(LineAction.REJECT).build();
    IpAccessList srcInAcl =
        _aclb.setOwner(srcConfig).setLines(ImmutableList.of(acceptLine, rejectLine)).build();
    IpAccessList srcOutAcl = _aclb.build();
    IpAccessList isolatedInAcl = _aclb.build();
    IpAccessList isolatedOutAcl = _aclb.build();
    IpAccessList nextHopInAcl = _aclb.setOwner(nextHopConfig).build();
    IpAccessList nextHopOutAcl = _aclb.build();

    Vrf srcVrf = _vb.setOwner(srcConfig).build();
    Vrf nextHopVrf = _vb.setOwner(nextHopConfig).build();

    Interface srcIface =
        _ib.setOwner(srcConfig)
            .setVrf(srcVrf)
            .setIncomingFilter(srcInAcl)
            .setOutgoingFilter(srcOutAcl)
            .build();
    // Interface on the source node that takes part in no edge. Owner and VRF are not set again
    // here; presumably they carry over from the previous builder call.
    _ib.setIncomingFilter(isolatedInAcl).setOutgoingFilter(isolatedOutAcl).build();
    Interface nextHopIface =
        _ib.setIncomingFilter(nextHopInAcl)
            .setOutgoingFilter(nextHopOutAcl)
            .setOwner(nextHopConfig)
            .setVrf(nextHopVrf)
            .build();

    Edge srcToNextHop = new Edge(srcIface, nextHopIface);
    Edge nextHopToSrc = new Edge(nextHopIface, srcIface);

    // Built first, before any forwarding analysis or topology is set on the input builder.
    SynthesizerInput noDataPlaneInput =
        _inputBuilder
            .setConfigurations(
                ImmutableMap.of(
                    srcConfig.getName(), srcConfig, nextHopConfig.getName(), nextHopConfig))
            .build();
    // Same builder, now with a forwarding analysis and a topology holding both edges.
    SynthesizerInput dataPlaneInput =
        _inputBuilder
            .setForwardingAnalysis(MockForwardingAnalysis.builder().build())
            .setTopology(new Topology(ImmutableSortedSet.of(srcToNextHop, nextHopToSrc)))
            .build();

    Map<String, List<LineAction>> srcActionsWithDataPlane =
        ImmutableMap.of(
            srcInAcl.getName(), acceptThenReject, srcOutAcl.getName(), acceptThenReject);
    // Without a data plane the ACLs of the edge-less interface are expected as well.
    Map<String, List<LineAction>> srcActionsWithoutDataPlane =
        ImmutableMap.<String, List<LineAction>>builder()
            .putAll(srcActionsWithDataPlane)
            .put(isolatedInAcl.getName(), acceptThenReject)
            .put(isolatedOutAcl.getName(), acceptThenReject)
            .build();
    Map<String, List<LineAction>> nextHopActions =
        ImmutableMap.of(
            nextHopInAcl.getName(), acceptThenReject, nextHopOutAcl.getName(), acceptThenReject);

    assertThat(
        dataPlaneInput,
        hasAclActions(
            equalTo(
                ImmutableMap.of(
                    srcConfig.getName(),
                    srcActionsWithDataPlane,
                    nextHopConfig.getName(),
                    nextHopActions))));
    assertThat(
        noDataPlaneInput,
        hasAclActions(
            equalTo(
                ImmutableMap.of(
                    srcConfig.getName(),
                    srcActionsWithoutDataPlane,
                    nextHopConfig.getName(),
                    nextHopActions))));
}
Also used : LineAction(org.batfish.datamodel.LineAction) Configuration(org.batfish.datamodel.Configuration) List(java.util.List) IpAccessList(org.batfish.datamodel.IpAccessList) ImmutableList(com.google.common.collect.ImmutableList) IpAccessList(org.batfish.datamodel.IpAccessList) Vrf(org.batfish.datamodel.Vrf) Topology(org.batfish.datamodel.Topology) Edge(org.batfish.datamodel.Edge) SynthesizerInputMatchers.hasArpTrueEdge(org.batfish.z3.matchers.SynthesizerInputMatchers.hasArpTrueEdge) Interface(org.batfish.datamodel.Interface) Test(org.junit.Test)

Example 32 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class SecurityGroupsTest method testDeniedSynOnlyResponse.

/**
 * Verifies that the outbound filter derived from a security group rejects a TCP segment from
 * source port 22 that has SYN set and ACK clear.
 *
 * <p>A SYN without ACK opens a new connection rather than answering one, so letting it through
 * the outbound filter would allow the host to initiate traffic as if it were a reply.
 *
 * <p>NOTE(review): the rules of the security group at index 8 are not visible here; presumably
 * it permits inbound TCP/22 and the generated outbound lines cover only the return traffic.
 * Confirm against the fixture.
 */
@Test
public void testDeniedSynOnlyResponse() throws JSONException {
    List<IpAccessListLine> ingressLines = new LinkedList<>();
    List<IpAccessListLine> egressLines = new LinkedList<>();
    SecurityGroup securityGroup = new SecurityGroup(_securityGroups.getJSONObject(8), null);
    securityGroup.addInOutAccessLines(ingressLines, egressLines, _region);

    // Only the outbound lines are under test.
    IpAccessList egressFilter = new IpAccessList(TEST_ACL, egressLines);

    // SYN set, ACK clear: a connection attempt, not a response; expected to be rejected.
    _flowBuilder.setDstIp(new Ip("1.2.3.4"));
    _flowBuilder.setSrcPort(22);
    _flowBuilder.setTcpFlagsSyn(1);
    _flowBuilder.setTcpFlagsAck(0);

    LineAction verdict = egressFilter.filter(_flowBuilder.build()).getAction();
    assertThat(verdict, equalTo(LineAction.REJECT));
}
Also used : Ip(org.batfish.datamodel.Ip) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) IpAccessList(org.batfish.datamodel.IpAccessList) LinkedList(java.util.LinkedList) Test(org.junit.Test)

Example 33 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class SecurityGroupsTest method testAllowedSynAckResponse.

/**
 * Verifies that the outbound filter derived from a security group accepts a TCP segment from
 * source port 22 that has both SYN and ACK set.
 *
 * <p>SYN+ACK is the second step of the TCP handshake, i.e. a reply to a connection that was
 * opened from outside, so the outbound filter is expected to let it through.
 *
 * <p>NOTE(review): the rules of the security group at index 8 are not visible here; presumably
 * it permits inbound TCP/22. Confirm against the fixture.
 */
@Test
public void testAllowedSynAckResponse() throws JSONException {
    List<IpAccessListLine> ingressLines = new LinkedList<>();
    List<IpAccessListLine> egressLines = new LinkedList<>();
    SecurityGroup securityGroup = new SecurityGroup(_securityGroups.getJSONObject(8), null);
    securityGroup.addInOutAccessLines(ingressLines, egressLines, _region);

    // Only the outbound lines are under test.
    IpAccessList egressFilter = new IpAccessList(TEST_ACL, egressLines);

    // SYN and ACK both set: a handshake reply; expected to be accepted.
    _flowBuilder.setDstIp(new Ip("1.2.3.4"));
    _flowBuilder.setSrcPort(22);
    _flowBuilder.setTcpFlagsSyn(1);
    _flowBuilder.setTcpFlagsAck(1);

    LineAction verdict = egressFilter.filter(_flowBuilder.build()).getAction();
    assertThat(verdict, equalTo(LineAction.ACCEPT));
}
Also used : Ip(org.batfish.datamodel.Ip) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) IpAccessList(org.batfish.datamodel.IpAccessList) LinkedList(java.util.LinkedList) Test(org.junit.Test)

Example 34 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class CiscoConfigurationTest method processSourceNatDropsRuleMissingPool.

/**
 * Verifies that a source NAT rule whose pool is not defined converts to {@code null}, while its
 * ACL reference counts as defined and its pool reference as undefined.
 *
 * <p>The rule names both an ACL and a pool, but only the ACL is supplied to the conversion; no
 * pool is registered on the configuration in this test.
 */
@Test
public void processSourceNatDropsRuleMissingPool() {
    CiscoSourceNat rule = new CiscoSourceNat();
    rule.setAclName(ACL);
    rule.setNatPool(POOL);

    // An ACL with no lines is enough: only its presence under the name ACL matters here.
    IpAccessList emptyAcl = new IpAccessList(ACL, Collections.emptyList());

    assertThat(
        _config.processSourceNat(rule, _interface, Collections.singletonMap(ACL, emptyAcl)),
        nullValue());
    assertDefined(
        CiscoStructureType.IP_ACCESS_LIST, ACL, CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
    assertUndefined(CiscoStructureType.NAT_POOL, POOL, CiscoStructureUsage.IP_NAT_SOURCE_POOL);
}
Also used : IpAccessList(org.batfish.datamodel.IpAccessList) Test(org.junit.Test)

Example 35 with IpAccessList

use of org.batfish.datamodel.IpAccessList in project batfish by batfish.

the class CiscoConfigurationTest method processSourceNatIsConverted.

/**
 * Verifies that a source NAT rule converts when both its ACL and its pool are defined.
 *
 * <p>The converted rule must be non-null, must reference the ACL by name, and must carry the
 * pool's first address. No undefined references may be recorded on the answer element.
 */
@Test
public void processSourceNatIsConverted() {
    // Register a pool whose first and last address are the same IP.
    NatPool singleAddressPool = new NatPool(POOL, 5);
    singleAddressPool.setFirst(IP);
    singleAddressPool.setLast(IP);
    _config.getNatPools().put(POOL, singleAddressPool);

    CiscoSourceNat rule = new CiscoSourceNat();
    rule.setAclName(ACL);
    rule.setNatPool(POOL);

    // An ACL with no lines is enough: only its presence under the name ACL matters here.
    IpAccessList emptyAcl = new IpAccessList(ACL, Collections.emptyList());
    SourceNat converted =
        _config.processSourceNat(rule, _interface, Collections.singletonMap(ACL, emptyAcl));

    assertThat(converted, notNullValue());
    assertThat(converted.getAcl().getName(), equalTo(ACL));
    assertThat(converted.getPoolIpFirst(), equalTo(IP));
    assertThat(_config.getAnswerElement().getUndefinedReferences().size(), equalTo(0));
}
Also used : SourceNat(org.batfish.datamodel.SourceNat) IpAccessList(org.batfish.datamodel.IpAccessList) Test(org.junit.Test)
