Search in sources :

Example 1 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class Batfish method answerAclReachability.

@Override
public AnswerElement answerAclReachability(String aclNameRegexStr, NamedStructureEquivalenceSets<?> aclEqSets) {
    AclLinesAnswerElement answerElement = new AclLinesAnswerElement();
    Pattern aclNameRegex;
    try {
        aclNameRegex = Pattern.compile(aclNameRegexStr);
    } catch (PatternSyntaxException e) {
        throw new BatfishException("Supplied regex for nodes is not a valid java regex: \"" + aclNameRegexStr + "\"", e);
    }
    Map<String, Configuration> configurations = loadConfigurations();
    List<NodSatJob<AclLine>> jobs = new ArrayList<>();
    for (Entry<String, ?> e : aclEqSets.getSameNamedStructures().entrySet()) {
        String aclName = e.getKey();
        if (!aclNameRegex.matcher(aclName).matches()) {
            continue;
        }
        // operator error
        if (aclName.contains("~ZONE_INTERFACE_FILTER~") || aclName.contains("~INBOUND_ZONE_FILTER~")) {
            continue;
        }
        Set<?> s = (Set<?>) e.getValue();
        for (Object o : s) {
            NamedStructureEquivalenceSet<?> aclEqSet = (NamedStructureEquivalenceSet<?>) o;
            String hostname = aclEqSet.getRepresentativeElement();
            SortedSet<String> eqClassNodes = aclEqSet.getNodes();
            answerElement.addEquivalenceClass(aclName, hostname, eqClassNodes);
            Configuration c = configurations.get(hostname);
            IpAccessList acl = c.getIpAccessLists().get(aclName);
            int numLines = acl.getLines().size();
            if (numLines == 0) {
                _logger.redflag("RED_FLAG: Acl \"" + hostname + ":" + aclName + "\" contains no lines\n");
                continue;
            }
            AclReachabilityQuerySynthesizer query = new AclReachabilityQuerySynthesizer(hostname, aclName, numLines);
            Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
            NodSatJob<AclLine> job = new NodSatJob<>(_settings, aclSynthesizer, query);
            jobs.add(job);
        }
    }
    Map<AclLine, Boolean> output = new TreeMap<>();
    computeNodSatOutput(jobs, output);
    // rearrange output for next step
    Map<String, Map<String, List<AclLine>>> arrangedAclLines = new TreeMap<>();
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine line = e.getKey();
        String hostname = line.getHostname();
        Map<String, List<AclLine>> byAclName = arrangedAclLines.computeIfAbsent(hostname, k -> new TreeMap<>());
        String aclName = line.getAclName();
        List<AclLine> aclLines = byAclName.computeIfAbsent(aclName, k -> new ArrayList<>());
        aclLines.add(line);
    }
    // now get earliest more general lines
    List<NodFirstUnsatJob<AclLine, Integer>> step2Jobs = new ArrayList<>();
    for (Entry<String, Map<String, List<AclLine>>> e : arrangedAclLines.entrySet()) {
        String hostname = e.getKey();
        Configuration c = configurations.get(hostname);
        Synthesizer aclSynthesizer = synthesizeAcls(Collections.singletonMap(hostname, c));
        Map<String, List<AclLine>> byAclName = e.getValue();
        for (Entry<String, List<AclLine>> e2 : byAclName.entrySet()) {
            String aclName = e2.getKey();
            IpAccessList ipAccessList = c.getIpAccessLists().get(aclName);
            List<AclLine> lines = e2.getValue();
            for (int i = 0; i < lines.size(); i++) {
                AclLine line = lines.get(i);
                boolean reachable = output.get(line);
                if (!reachable) {
                    List<AclLine> toCheck = new ArrayList<>();
                    for (int j = 0; j < i; j++) {
                        AclLine earlierLine = lines.get(j);
                        boolean earlierIsReachable = output.get(earlierLine);
                        if (earlierIsReachable) {
                            toCheck.add(earlierLine);
                        }
                    }
                    EarliestMoreGeneralReachableLineQuerySynthesizer query = new EarliestMoreGeneralReachableLineQuerySynthesizer(line, toCheck, ipAccessList);
                    NodFirstUnsatJob<AclLine, Integer> job = new NodFirstUnsatJob<>(_settings, aclSynthesizer, query);
                    step2Jobs.add(job);
                }
            }
        }
    }
    Map<AclLine, Integer> step2Output = new TreeMap<>();
    computeNodFirstUnsatOutput(step2Jobs, step2Output);
    for (AclLine line : output.keySet()) {
        Integer earliestMoreGeneralReachableLine = step2Output.get(line);
        line.setEarliestMoreGeneralReachableLine(earliestMoreGeneralReachableLine);
    }
    Set<Pair<String, String>> aclsWithUnreachableLines = new TreeSet<>();
    Set<Pair<String, String>> allAcls = new TreeSet<>();
    int numUnreachableLines = 0;
    int numLines = output.entrySet().size();
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine aclLine = e.getKey();
        boolean sat = e.getValue();
        String hostname = aclLine.getHostname();
        String aclName = aclLine.getAclName();
        Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
        allAcls.add(qualifiedAclName);
        if (!sat) {
            numUnreachableLines++;
            aclsWithUnreachableLines.add(qualifiedAclName);
        }
    }
    for (Entry<AclLine, Boolean> e : output.entrySet()) {
        AclLine aclLine = e.getKey();
        int index = aclLine.getLine();
        boolean sat = e.getValue();
        String hostname = aclLine.getHostname();
        String aclName = aclLine.getAclName();
        Pair<String, String> qualifiedAclName = new Pair<>(hostname, aclName);
        IpAccessList ipAccessList = configurations.get(hostname).getIpAccessLists().get(aclName);
        IpAccessListLine ipAccessListLine = ipAccessList.getLines().get(index);
        AclReachabilityEntry line = new AclReachabilityEntry(index, ipAccessListLine.getName());
        if (aclsWithUnreachableLines.contains(qualifiedAclName)) {
            if (sat) {
                _logger.debugf("%s:%s:%d:'%s' is REACHABLE\n", hostname, aclName, line.getIndex(), line.getName());
                answerElement.addReachableLine(hostname, ipAccessList, line);
            } else {
                _logger.debugf("%s:%s:%d:'%s' is UNREACHABLE\n\t%s\n", hostname, aclName, line.getIndex(), line.getName(), ipAccessListLine.toString());
                Integer earliestMoreGeneralLineIndex = aclLine.getEarliestMoreGeneralReachableLine();
                if (earliestMoreGeneralLineIndex != null) {
                    IpAccessListLine earliestMoreGeneralLine = ipAccessList.getLines().get(earliestMoreGeneralLineIndex);
                    line.setEarliestMoreGeneralLineIndex(earliestMoreGeneralLineIndex);
                    line.setEarliestMoreGeneralLineName(earliestMoreGeneralLine.getName());
                    if (!earliestMoreGeneralLine.getAction().equals(ipAccessListLine.getAction())) {
                        line.setDifferentAction(true);
                    }
                }
                answerElement.addUnreachableLine(hostname, ipAccessList, line);
                aclsWithUnreachableLines.add(qualifiedAclName);
            }
        } else {
            answerElement.addReachableLine(hostname, ipAccessList, line);
        }
    }
    for (Pair<String, String> qualfiedAcl : aclsWithUnreachableLines) {
        String hostname = qualfiedAcl.getFirst();
        String aclName = qualfiedAcl.getSecond();
        _logger.debugf("%s:%s has at least 1 unreachable line\n", hostname, aclName);
    }
    int numAclsWithUnreachableLines = aclsWithUnreachableLines.size();
    int numAcls = allAcls.size();
    double percentUnreachableAcls = 100d * numAclsWithUnreachableLines / numAcls;
    double percentUnreachableLines = 100d * numUnreachableLines / numLines;
    _logger.debugf("SUMMARY:\n");
    _logger.debugf("\t%d/%d (%.1f%%) acls have unreachable lines\n", numAclsWithUnreachableLines, numAcls, percentUnreachableAcls);
    _logger.debugf("\t%d/%d (%.1f%%) acl lines are unreachable\n", numUnreachableLines, numLines, percentUnreachableLines);
    return answerElement;
}
Also used : NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet) HostConfiguration(org.batfish.representation.host.HostConfiguration) Configuration(org.batfish.datamodel.Configuration) ImmutableConfiguration(org.apache.commons.configuration2.ImmutableConfiguration) AwsConfiguration(org.batfish.representation.aws.AwsConfiguration) IptablesVendorConfiguration(org.batfish.representation.iptables.IptablesVendorConfiguration) VendorConfiguration(org.batfish.vendor.VendorConfiguration) AclLine(org.batfish.z3.AclLine) NodFirstUnsatJob(org.batfish.z3.NodFirstUnsatJob) ArrayList(java.util.ArrayList) TreeSet(java.util.TreeSet) IpAccessList(org.batfish.datamodel.IpAccessList) ImmutableList(com.google.common.collect.ImmutableList) ArrayList(java.util.ArrayList) List(java.util.List) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) CleanBatfishException(org.batfish.common.CleanBatfishException) BatfishException(org.batfish.common.BatfishException) AclLinesAnswerElement(org.batfish.datamodel.answers.AclLinesAnswerElement) AclReachabilityEntry(org.batfish.datamodel.answers.AclLinesAnswerElement.AclReachabilityEntry) GenericConfigObject(org.batfish.datamodel.GenericConfigObject) JSONObject(org.codehaus.jettison.json.JSONObject) IpAccessList(org.batfish.datamodel.IpAccessList) Map(java.util.Map) TreeMap(java.util.TreeMap) Collectors.toMap(java.util.stream.Collectors.toMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) NavigableMap(java.util.NavigableMap) ConcurrentMap(java.util.concurrent.ConcurrentMap) ImmutableSortedMap(com.google.common.collect.ImmutableSortedMap) ImmutableMap(com.google.common.collect.ImmutableMap) SortedMap(java.util.SortedMap) HashMap(java.util.HashMap) TreeMultiSet(org.batfish.datamodel.collections.TreeMultiSet) ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet) SortedSet(java.util.SortedSet) ImmutableSet(com.google.common.collect.ImmutableSet) HashSet(java.util.HashSet) NamedStructureEquivalenceSet(org.batfish.datamodel.collections.NamedStructureEquivalenceSet) Set(java.util.Set) TreeSet(java.util.TreeSet) LinkedHashSet(java.util.LinkedHashSet) MultiSet(org.batfish.datamodel.collections.MultiSet) AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer) EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer) ReachabilityQuerySynthesizer(org.batfish.z3.ReachabilityQuerySynthesizer) QuerySynthesizer(org.batfish.z3.QuerySynthesizer) AclReachabilityQuerySynthesizer(org.batfish.z3.AclReachabilityQuerySynthesizer) BlacklistDstIpQuerySynthesizer(org.batfish.z3.BlacklistDstIpQuerySynthesizer) StandardReachabilityQuerySynthesizer(org.batfish.z3.StandardReachabilityQuerySynthesizer) EarliestMoreGeneralReachableLineQuerySynthesizer(org.batfish.z3.EarliestMoreGeneralReachableLineQuerySynthesizer) ReachEdgeQuerySynthesizer(org.batfish.z3.ReachEdgeQuerySynthesizer) Synthesizer(org.batfish.z3.Synthesizer) MultipathInconsistencyQuerySynthesizer(org.batfish.z3.MultipathInconsistencyQuerySynthesizer) PatternSyntaxException(java.util.regex.PatternSyntaxException) Pair(org.batfish.common.Pair) NodeInterfacePair(org.batfish.datamodel.collections.NodeInterfacePair) NodSatJob(org.batfish.z3.NodSatJob) Pattern(java.util.regex.Pattern) TreeMap(java.util.TreeMap) AtomicInteger(java.util.concurrent.atomic.AtomicInteger)

Example 2 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class SecurityGroup method addReverseAcls.

private void addReverseAcls(List<IpAccessListLine> inboundRules, List<IpAccessListLine> outboundRules) {
    List<IpAccessListLine> reverseInboundRules = inboundRules.stream().map(ipAccessListLine -> IpAccessListLine.builder().setIpProtocols(ipAccessListLine.getIpProtocols()).setAction(ipAccessListLine.getAction()).setDstIps(ipAccessListLine.getSrcIps()).setSrcPorts(ipAccessListLine.getDstPorts()).build()).collect(ImmutableList.toImmutableList());
    List<IpAccessListLine> reverseOutboundRules = outboundRules.stream().map(ipAccessListLine -> IpAccessListLine.builder().setIpProtocols(ipAccessListLine.getIpProtocols()).setAction(ipAccessListLine.getAction()).setSrcIps(ipAccessListLine.getDstIps()).setSrcPorts(ipAccessListLine.getDstPorts()).build()).collect(ImmutableList.toImmutableList());
    // denying SYN-only packets to prevent new TCP connections
    IpAccessListLine rejectSynOnly = IpAccessListLine.builder().setTcpFlags(ImmutableSet.of(TcpFlags.SYN_ONLY)).setAction(LineAction.REJECT).build();
    inboundRules.add(rejectSynOnly);
    outboundRules.add(rejectSynOnly);
    // adding reverse inbound/outbound rules for stateful allowance of packets
    inboundRules.addAll(reverseOutboundRules);
    outboundRules.addAll(reverseInboundRules);
}
Also used : ImmutableSet(com.google.common.collect.ImmutableSet) Set(java.util.Set) JSONObject(org.codehaus.jettison.json.JSONObject) JSONArray(org.codehaus.jettison.json.JSONArray) InterfaceAddress(org.batfish.datamodel.InterfaceAddress) Serializable(java.io.Serializable) HashSet(java.util.HashSet) List(java.util.List) TcpFlags(org.batfish.datamodel.TcpFlags) ImmutableList(com.google.common.collect.ImmutableList) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) JSONException(org.codehaus.jettison.json.JSONException) Configuration(org.batfish.datamodel.Configuration) LineAction(org.batfish.datamodel.LineAction) LinkedList(java.util.LinkedList) IpWildcard(org.batfish.datamodel.IpWildcard) BatfishLogger(org.batfish.common.BatfishLogger) IpAccessListLine(org.batfish.datamodel.IpAccessListLine)

Example 3 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class NetworkAcl method getAcl.

private IpAccessList getAcl(boolean isEgress) {
    String listName = _networkAclId + (isEgress ? "_egress" : "_ingress");
    Map<Integer, IpAccessListLine> lineMap = new TreeMap<>();
    for (NetworkAclEntry entry : _entries) {
        if ((isEgress && entry.getIsEgress()) || (!isEgress && !entry.getIsEgress())) {
            IpAccessListLine line = new IpAccessListLine();
            int key = entry.getRuleNumber();
            LineAction action = entry.getIsAllow() ? LineAction.ACCEPT : LineAction.REJECT;
            line.setAction(action);
            Prefix prefix = entry.getCidrBlock();
            if (!prefix.equals(Prefix.ZERO)) {
                if (isEgress) {
                    line.setDstIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
                } else {
                    line.setSrcIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
                }
            }
            IpProtocol protocol = IpPermissions.toIpProtocol(entry.getProtocol());
            String protocolStr = protocol != null ? protocol.toString() : "ALL";
            if (protocol != null) {
                line.setIpProtocols(ImmutableSortedSet.of(protocol));
            }
            int fromPort = entry.getFromPort();
            int toPort = entry.getToPort();
            SubRange portRange = new SubRange(fromPort, toPort);
            if (fromPort != -1 || toPort != -1) {
                if (fromPort == -1) {
                    fromPort = 0;
                }
                if (toPort == -1) {
                    toPort = 65535;
                }
                line.setDstPorts(ImmutableSortedSet.of(portRange));
            }
            String portStr;
            if (protocol == IpProtocol.ICMP) {
                // TODO: flesh these out
                portStr = "some ICMP type(s)/code(s)";
            } else if ((fromPort == 0 && toPort == 65535) || (fromPort == -1 && toPort == -1)) {
                portStr = "ALL";
            } else {
                portStr = portRange.toString();
            }
            String actionStr = action == LineAction.ACCEPT ? "ALLOW" : "DENY";
            String lineNumber = key == 32767 ? "*" : Integer.toString(key);
            line.setName(String.format("%s %s %s %s %s", lineNumber, protocolStr, portStr, prefix, actionStr));
            lineMap.put(key, line);
        }
    }
    List<IpAccessListLine> lines = ImmutableList.copyOf(lineMap.values());
    IpAccessList list = new IpAccessList(listName, lines);
    return list;
}
Also used : LineAction(org.batfish.datamodel.LineAction) Prefix(org.batfish.datamodel.Prefix) TreeMap(java.util.TreeMap) IpWildcard(org.batfish.datamodel.IpWildcard) IpProtocol(org.batfish.datamodel.IpProtocol) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) SubRange(org.batfish.datamodel.SubRange) IpAccessList(org.batfish.datamodel.IpAccessList)

Example 4 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class IpPermissions method toEgressIpAccessListLine.

public IpAccessListLine toEgressIpAccessListLine(Region region) {
    IpAccessListLine line = toIpAccessListLine();
    line.setDstIps(collectIpWildCards(region));
    return line;
}
Also used : IpAccessListLine(org.batfish.datamodel.IpAccessListLine)

Example 5 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class IptablesVendorConfiguration method toIpAccessList.

private IpAccessList toIpAccessList(String aclName, IptablesChain chain, VendorConfiguration vc) {
    ImmutableList.Builder<IpAccessListLine> lines = ImmutableList.builder();
    for (IptablesRule rule : chain.getRules()) {
        IpAccessListLine aclLine = new IpAccessListLine();
        boolean anyInterface = false;
        for (IptablesMatch match : rule.getMatchList()) {
            switch(match.getMatchType()) {
                case DESTINATION:
                    aclLine.setDstIps(Iterables.concat(aclLine.getDstIps(), Collections.singleton(match.toIpWildcard())));
                    break;
                case DESTINATION_PORT:
                    aclLine.setDstPorts(Iterables.concat(aclLine.getDstPorts(), match.toPortRanges()));
                    break;
                case IN_INTERFACE:
                    _lineInInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
                    anyInterface = false;
                    break;
                case OUT_INTERFACE:
                    _lineOutInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
                    anyInterface = false;
                    break;
                case PROTOCOL:
                    aclLine.setIpProtocols(Iterables.concat(aclLine.getIpProtocols(), Collections.singleton(match.toIpProtocol())));
                    break;
                case SOURCE:
                    aclLine.setSrcIps(Iterables.concat(aclLine.getSrcIps(), Collections.singleton(match.toIpWildcard())));
                    break;
                case SOURCE_PORT:
                    aclLine.setSrcPorts(Iterables.concat(aclLine.getSrcPorts(), match.toPortRanges()));
                    break;
                default:
                    throw new BatfishException("Unknown match type: " + match.getMatchType());
            }
        }
        if (anyInterface) {
            _lineInInterfaces.put(aclLine, null);
            _lineOutInterfaces.put(aclLine, null);
        }
        aclLine.setName(rule.getName());
        aclLine.setAction(rule.getIpAccessListLineAction());
        lines.add(aclLine);
    }
    // add a final line corresponding to default chain policy
    LineAction chainAction = chain.getIpAccessListLineAction();
    IpAccessListLine defaultLine = new IpAccessListLine();
    defaultLine.setAction(chainAction);
    defaultLine.setName("default");
    lines.add(defaultLine);
    IpAccessList acl = new IpAccessList(aclName, lines.build());
    return acl;
}
Also used : LineAction(org.batfish.datamodel.LineAction) BatfishException(org.batfish.common.BatfishException) ImmutableList(com.google.common.collect.ImmutableList) IpAccessListLine(org.batfish.datamodel.IpAccessListLine) IpAccessList(org.batfish.datamodel.IpAccessList)

Aggregations

IpAccessListLine (org.batfish.datamodel.IpAccessListLine)35 IpWildcard (org.batfish.datamodel.IpWildcard)17 Test (org.junit.Test)17 IpAccessList (org.batfish.datamodel.IpAccessList)15 LinkedList (java.util.LinkedList)13 SubRange (org.batfish.datamodel.SubRange)12 Configuration (org.batfish.datamodel.Configuration)8 ImmutableList (com.google.common.collect.ImmutableList)6 ArrayList (java.util.ArrayList)6 Interface (org.batfish.datamodel.Interface)6 Set (java.util.Set)5 BatfishException (org.batfish.common.BatfishException)5 Ip (org.batfish.datamodel.Ip)5 LineAction (org.batfish.datamodel.LineAction)5 IpProtocol (org.batfish.datamodel.IpProtocol)4 HashSet (java.util.HashSet)3 List (java.util.List)3 Map (java.util.Map)3 TreeMap (java.util.TreeMap)3 Prefix (org.batfish.datamodel.Prefix)3