
Example 6 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class BaseApplication method applyTo.

/**
 * Expands {@code srcLine} into one {@link IpAccessListLine} per term of this application.
 *
 * <p>Every generated line carries the source/destination IP constraints and the action of
 * {@code srcLine}; the term then refines it through {@link Term#applyTo}. When no explicit
 * terms are configured, the single main term is used. The line name is not carried over.
 *
 * <p>NOTE(review): the IP sets are handed to the new line by reference (not copied), exactly as
 * before, so a term must not mutate them in place; confirm against {@code Term#applyTo}.
 *
 * @param srcLine line whose IP constraints and action seed every generated line
 * @param lines   output list; generated lines are appended in term order
 * @param w       warnings sink (unused by this implementation; kept for the interface)
 */
@Override
public void applyTo(IpAccessListLine srcLine, List<IpAccessListLine> lines, Warnings w) {
    Collection<Term> expanded = _terms.isEmpty() ? Collections.singletonList(_mainTerm) : _terms.values();
    for (Term term : expanded) {
        lines.add(lineFor(term, srcLine));
    }
}

/** Builds a fresh line carrying {@code template}'s IPs and action, then lets {@code term} refine it. */
private IpAccessListLine lineFor(Term term, IpAccessListLine template) {
    IpAccessListLine result = new IpAccessListLine();
    result.setSrcIps(template.getSrcIps());
    result.setDstIps(template.getDstIps());
    result.setAction(template.getAction());
    term.applyTo(result);
    return result;
}

Example 7 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class JuniperConfiguration method toIpAccessList.

/**
 * Converts a Juniper firewall filter into the vendor-independent {@link IpAccessList}.
 *
 * <p>Each term yields one line (in term order) whose action comes from the term's 'then'
 * clauses and whose match conditions come from its plain 'from' clauses. Terms that only say
 * 'next term' produce no line. Terms using applications, host protocols or host services are
 * not added directly: those 'from' handlers expand into (possibly several) lines themselves.
 *
 * <p>Unrecognized or missing actions are modeled fail-closed as REJECT and reported as a red
 * flag so the discrepancy is visible rather than silently permissive.
 *
 * @param filter the parsed Juniper firewall filter
 * @return the equivalent access list, named after the filter
 * @throws VendorConversionException propagated from the 'from' conversions
 */
private IpAccessList toIpAccessList(FirewallFilter filter) throws VendorConversionException {
    String filterName = filter.getName();
    List<IpAccessListLine> lines = new ArrayList<>();
    for (FwTerm term : filter.getTerms().values()) {
        LineAction action = toLineActionForFwTerm(term, filterName);
        if (action == null) {
            // plain 'next term': nothing terminating to model
            continue;
        }
        IpAccessListLine line = new IpAccessListLine();
        line.setName(term.getName());
        line.setAction(action);
        for (FwFrom from : term.getFroms()) {
            from.applyTo(line, this, _w, _c);
        }
        boolean hasIndirectFroms = !term.getFromApplications().isEmpty() || !term.getFromHostProtocols().isEmpty() || !term.getFromHostServices().isEmpty();
        for (FwFromHostProtocol from : term.getFromHostProtocols()) {
            from.applyTo(lines, _w);
        }
        for (FwFromHostService from : term.getFromHostServices()) {
            from.applyTo(lines, _w);
        }
        for (FwFromApplication fromApplication : term.getFromApplications()) {
            fromApplication.applyTo(line, lines, _w);
        }
        // Indirect 'from' handlers above already appended their own expansions of this term.
        if (!hasIndirectFroms) {
            lines.add(line);
        }
    }
    return new IpAccessList(filterName, lines);
}

/**
 * Maps a term's 'then' clauses to a {@link LineAction}; returns {@code null} when the term is a
 * plain 'next term' and should contribute no line. Precedence: accept, discard, next term, nop.
 * A term with none of these is flagged and modeled as REJECT (fail closed).
 */
private LineAction toLineActionForFwTerm(FwTerm term, String filterName) {
    if (term.getThens().contains(FwThenAccept.INSTANCE)) {
        return LineAction.ACCEPT;
    }
    if (term.getThens().contains(FwThenDiscard.INSTANCE)) {
        return LineAction.REJECT;
    }
    if (term.getThens().contains(FwThenNextTerm.INSTANCE)) {
        // TODO: throw error if any transformation is being done
        return null;
    }
    if (term.getThens().contains(FwThenNop.INSTANCE)) {
        // we assume for now that any 'nop' operations imply acceptance
        return LineAction.ACCEPT;
    }
    _w.redFlag("missing action in firewall filter: '" + filterName + "', term: '" + term.getName() + "'");
    return LineAction.REJECT;
}

Example 8 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class EncoderSlice method computeACL.

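/*
 * Convert an Access Control List (ACL) to a symbolic boolean expression over the slice's
 * symbolic packet. The result is true exactly when the packet is permitted.
 *
 * Lines are folded from last to first with an if-then-else, so the first matching line in
 * the original order decides; a packet matching no line falls through to the default, which
 * is deny (false). A null ACL means "no filter" and permits everything.
 *
 * Only positive match fields are supported. A line using dscps, ecns, fragment offsets,
 * states, or any negated ("not") field aborts the conversion with a BatfishException rather
 * than silently producing a model that understates what the line matches.
 *
 * NOTE(review): a line whose match fields are all null contributes nothing (it is skipped),
 * so it can neither permit nor deny; if such lines occur in practice, confirm that is intended.
 */
private BoolExpr computeACL(IpAccessList acl) {
    // Check if there is an ACL first
    if (acl == null) {
        return mkTrue();
    }
    // Start from the implicit default deny and layer the lines on top, last line first.
    BoolExpr acc = mkFalse();
    List<IpAccessListLine> lines = new ArrayList<>(acl.getLines());
    Collections.reverse(lines);
    for (IpAccessListLine l : lines) {
        // Unsupported fields: fail loudly (same order and messages as before).
        aclRejectUnsupported(l.getDscps(), "detected dscps");
        aclRejectUnsupported(l.getEcns(), "detected ecns");
        aclRejectUnsupported(l.getFragmentOffsets(), "detected fragment offsets");
        aclRejectUnsupported(l.getStates(), "detected states");
        aclRejectUnsupported(l.getNotDscps(), "detected NOT dscps");
        aclRejectUnsupported(l.getNotDstIps(), "detected NOT dst ip");
        aclRejectUnsupported(l.getNotSrcIps(), "detected NOT src ip");
        aclRejectUnsupported(l.getNotDstPorts(), "detected NOT dst port");
        aclRejectUnsupported(l.getNotSrcPorts(), "detected NOT src port");
        aclRejectUnsupported(l.getNotEcns(), "detected NOT ecns");
        aclRejectUnsupported(l.getNotIcmpCodes(), "detected NOT icmp codes");
        aclRejectUnsupported(l.getNotIcmpTypes(), "detected NOT icmp types");
        aclRejectUnsupported(l.getNotFragmentOffsets(), "detected NOT fragment offset");
        aclRejectUnsupported(l.getNotIpProtocols(), "detected NOT ip protocols");

        // Conjunction of the supported match fields; an empty set means "any" for that field.
        BoolExpr local = null;
        if (l.getDstIps() != null) {
            local = aclConjoin(local, l.getDstIps().isEmpty() ? mkTrue() : computeWildcardMatch(l.getDstIps(), _symbolicPacket.getDstIp()));
        }
        if (l.getSrcIps() != null) {
            // BUG FIX: the emptiness test used getDstIps() here, so the source constraint was
            // dropped (modeled as "any") or misapplied depending on the destination set.
            local = aclConjoin(local, l.getSrcIps().isEmpty() ? mkTrue() : computeWildcardMatch(l.getSrcIps(), _symbolicPacket.getSrcIp()));
        }
        if (l.getDstPorts() != null) {
            local = aclConjoin(local, l.getDstPorts().isEmpty() ? mkTrue() : computeValidRange(l.getDstPorts(), _symbolicPacket.getDstPort()));
        }
        if (l.getSrcPorts() != null) {
            local = aclConjoin(local, l.getSrcPorts().isEmpty() ? mkTrue() : computeValidRange(l.getSrcPorts(), _symbolicPacket.getSrcPort()));
        }
        if (l.getTcpFlags() != null) {
            local = aclConjoin(local, l.getTcpFlags().isEmpty() ? mkTrue() : computeTcpFlags(l.getTcpFlags()));
        }
        if (l.getIcmpCodes() != null) {
            local = aclConjoin(local, l.getIcmpCodes().isEmpty() ? mkTrue() : computeValidRange(l.getIcmpCodes(), _symbolicPacket.getIcmpCode()));
        }
        if (l.getIcmpTypes() != null) {
            local = aclConjoin(local, l.getIcmpTypes().isEmpty() ? mkTrue() : computeValidRange(l.getIcmpTypes(), _symbolicPacket.getIcmpType()));
        }
        if (l.getIpProtocols() != null) {
            local = aclConjoin(local, l.getIpProtocols().isEmpty() ? mkTrue() : computeIpProtocols(l.getIpProtocols()));
        }
        if (local != null) {
            if (l.getNegate()) {
                local = mkNot(local);
            }
            BoolExpr ret = l.getAction() == LineAction.ACCEPT ? mkTrue() : mkFalse();
            // Earlier lines (processed later) wrap this, so the first match in list order wins.
            acc = mkIf(local, ret, acc);
        }
    }
    return acc;
}

/** Returns {@code term} when {@code acc} is null, otherwise the conjunction of both. */
private BoolExpr aclConjoin(BoolExpr acc, BoolExpr term) {
    return acc == null ? term : mkAnd(acc, term);
}

/** Throws a BatfishException with {@code message} when {@code field} is non-null and non-empty. */
private static void aclRejectUnsupported(Collection<?> field, String message) {
    if (field != null && !field.isEmpty()) {
        throw new BatfishException(message);
    }
}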

Example 9 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class CounterExample method buildFlowTrace.

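/*
 * Build flow information for a given hop along a path.
 *
 * Starting at {@code router}, follows the model's data-forwarding decisions hop by hop until
 * the flow is accepted, dropped by a filter, loops, leaves the network or has no route, and
 * returns the concrete flow together with the trace explaining that disposition.
 *
 * Dispositions, in the order they are checked at each hop:
 *  - LOOP: the forwarding edge leads to an already visited router.
 *  - DENIED_IN: the edge forwards but the flow does not cross it; attributed to the incoming
 *    filter on the far interface, naming the matched line (or "default deny").
 *  - ACCEPTED: loopback edge, eBGP peering edge, or a host peer.
 *  - NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK: edge with no peer and no eBGP peering, or a
 *    permitted route with no forwarding edge and no local interface owning the dst IP.
 *  - DENIED_OUT: control plane forwards on an edge the data plane does not; attributed to the
 *    outgoing filter on the near interface, naming the matched line (or "default deny").
 *  - NO_ROUTE: nothing forwards and the best route is not permitted.
 *
 * NOTE(review): this assumes the decisions maps have an entry for every router reached, that
 * an interface blamed for a denial actually has that filter set, and that every edge's start
 * interface has an address; a violated assumption surfaces as a NullPointerException.
 */
Tuple<Flow, FlowTrace> buildFlowTrace(Encoder enc, String router) {
    EncoderSlice slice = enc.getMainSlice();
    SymbolicPacket pkt = slice.getSymbolicPacket();
    SymbolicDecisions decisions = slice.getSymbolicDecisions();
    Flow f = buildFlow(pkt, router);
    SortedSet<String> visited = new TreeSet<>();
    List<FlowTraceHop> hops = new ArrayList<>();
    String current = router;
    while (true) {
        visited.add(current);
        // Get the forwarding variables
        Map<GraphEdge, BoolExpr> dfwd = decisions.getDataForwarding().get(current);
        Map<GraphEdge, BoolExpr> cfwd = decisions.getControlForwarding().get(current);
        Map<GraphEdge, BoolExpr> across = slice.getForwardsAcross().get(current);
        // Find the route used
        SymbolicRoute r = decisions.getBestNeighbor().get(current);
        Protocol proto = buildProcotol(r, slice, current);
        Prefix pfx = buildPrefix(r, f);
        // pick the next router
        boolean found = false;
        for (Entry<GraphEdge, BoolExpr> entry : dfwd.entrySet()) {
            GraphEdge ge = entry.getKey();
            BoolExpr dexpr = entry.getValue();
            BoolExpr cexpr = cfwd.get(ge);
            BoolExpr aexpr = across.get(ge);
            String route = buildRoute(pfx, proto, ge);
            if (isTrue(dexpr)) {
                hops.add(buildFlowTraceHop(ge, route));
                if (ge.getPeer() != null && visited.contains(ge.getPeer())) {
                    return finish(f, hops, FlowDisposition.LOOP, "LOOP");
                }
                if (isFalse(aexpr)) {
                    // Forwarded but not delivered across the edge: blame the incoming filter.
                    IpAccessList acl = ge.getEnd().getIncomingFilter();
                    String note = filterDenialNote("DENIED_IN", acl, acl.filter(f));
                    return finish(f, hops, FlowDisposition.DENIED_IN, note);
                }
                if (slice.getGraph().isLoopback(ge)) {
                    return finish(f, hops, FlowDisposition.ACCEPTED, "ACCEPTED");
                }
                if (ge.getPeer() == null) {
                    boolean isBgpPeering = slice.getGraph().getEbgpNeighbors().get(ge) != null;
                    if (isBgpPeering) {
                        return finish(f, hops, FlowDisposition.ACCEPTED, "ACCEPTED");
                    }
                    return finish(f, hops, FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
                }
                if (slice.getGraph().isHost(ge.getPeer())) {
                    return finish(f, hops, FlowDisposition.ACCEPTED, "ACCEPTED");
                }
                current = ge.getPeer();
                found = true;
                break;
            } else if (isTrue(cexpr)) {
                hops.add(buildFlowTraceHop(ge, route));
                // Control plane forwards here but the data plane does not: blame the outgoing filter.
                IpAccessList acl = ge.getStart().getOutgoingFilter();
                // BUG FIX: a default-deny result has no match line; previously this unboxed null
                // and threw instead of reporting the denial (the DENIED_IN path already handled it).
                String note = filterDenialNote("DENIED_OUT", acl, acl.filter(f));
                return finish(f, hops, FlowDisposition.DENIED_OUT, note);
            }
        }
        if (!found) {
            if (boolVal(r.getPermitted())) {
                // Check if there is an accepting interface
                for (GraphEdge ge : slice.getGraph().getEdgeMap().get(current)) {
                    Ip ip = ge.getStart().getAddress().getIp();
                    if (ip.equals(f.getDstIp())) {
                        return finish(f, hops, FlowDisposition.ACCEPTED, "ACCEPTED");
                    }
                }
                return finish(f, hops, FlowDisposition.NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK, "NEIGHBOR_UNREACHABLE_OR_EXITS_NETWORK");
            }
            return finish(f, hops, FlowDisposition.NO_ROUTE, "NO_ROUTE");
        }
    }
}

/** Formats {@code DISPOSITION{acl}{line}}, where line is the matched line's name or "default deny". */
private static String filterDenialNote(String disposition, IpAccessList acl, FilterResult fr) {
    String line = "default deny";
    if (fr.getMatchLine() != null) {
        line = acl.getLines().get(fr.getMatchLine()).getName();
    }
    return String.format("%s{%s}{%s}", disposition, acl.getName(), line);
}

/** Packages the flow with a trace of the hops so far and the final disposition. */
private static Tuple<Flow, FlowTrace> finish(Flow f, List<FlowTraceHop> hops, FlowDisposition disposition, String note) {
    FlowTrace ft = new FlowTrace(disposition, hops, note);
    return new Tuple<>(f, ft);
}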

Example 10 with IpAccessListLine

use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.

the class BDDAcl method computeACL.

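/*
 * Convert an Access Control List (ACL) to a symbolic boolean expression (a BDD) over _pkt,
 * stored in _bdd. The BDD is one exactly when the packet is permitted.
 *
 * Lines are folded from last to first with an if-then-else, so the first matching line in the
 * original order decides; a packet matching no line falls through to the default, which is
 * deny (zero). A null ACL means "no filter" and permits everything.
 *
 * Only positive match fields are supported. A line using dscps, ecns, fragment offsets,
 * states, or any negated ("not") field aborts the conversion with a BatfishException rather
 * than silently producing a model that understates what the line matches.
 *
 * NOTE(review): `networks` is only passed to the destination-IP match; the source-IP match gets
 * null, as before. Confirm with computeWildcardMatch whether that asymmetry is intended.
 * NOTE(review): a line whose match fields are all null contributes nothing (it is skipped).
 */
private void computeACL(@Nullable Set<Prefix> networks) {
    // Check if there is an ACL first: no filter permits everything.
    if (_acl == null) {
        _bdd = _factory.one();
        // BUG FIX: previously fell through, overwrote _bdd with zero and dereferenced the null _acl.
        return;
    }
    // Start from the implicit default deny and layer the lines on top, last line first.
    _bdd = _factory.zero();
    List<IpAccessListLine> lines = new ArrayList<>(_acl.getLines());
    Collections.reverse(lines);
    for (IpAccessListLine l : lines) {
        // Unsupported fields: fail loudly (same order and messages as before).
        aclRejectUnsupported(l.getDscps(), "detected dscps");
        aclRejectUnsupported(l.getEcns(), "detected ecns");
        aclRejectUnsupported(l.getFragmentOffsets(), "detected fragment offsets");
        aclRejectUnsupported(l.getStates(), "detected states");
        aclRejectUnsupported(l.getNotDscps(), "detected NOT dscps");
        aclRejectUnsupported(l.getNotDstIps(), "detected NOT dst ip");
        aclRejectUnsupported(l.getNotSrcIps(), "detected NOT src ip");
        aclRejectUnsupported(l.getNotDstPorts(), "detected NOT dst port");
        aclRejectUnsupported(l.getNotSrcPorts(), "detected NOT src port");
        aclRejectUnsupported(l.getNotEcns(), "detected NOT ecns");
        aclRejectUnsupported(l.getNotIcmpCodes(), "detected NOT icmp codes");
        aclRejectUnsupported(l.getNotIcmpTypes(), "detected NOT icmp types");
        aclRejectUnsupported(l.getNotFragmentOffsets(), "detected NOT fragment offset");
        aclRejectUnsupported(l.getNotIpProtocols(), "detected NOT ip protocols");

        // Conjunction of the supported match fields; an empty set means "any" for that field.
        BDD local = null;
        if (l.getDstIps() != null) {
            local = bddConjoin(local, l.getDstIps().isEmpty() ? _factory.one() : computeWildcardMatch(l.getDstIps(), _pkt.getDstIp(), networks));
        }
        if (l.getSrcIps() != null) {
            // BUG FIX: the emptiness test used getDstIps() here, so the source constraint was
            // dropped (modeled as "any") or misapplied depending on the destination set.
            local = bddConjoin(local, l.getSrcIps().isEmpty() ? _factory.one() : computeWildcardMatch(l.getSrcIps(), _pkt.getSrcIp(), null));
        }
        if (l.getDstPorts() != null) {
            local = bddConjoin(local, l.getDstPorts().isEmpty() ? _factory.one() : computeValidRange(l.getDstPorts(), _pkt.getDstPort()));
        }
        if (l.getSrcPorts() != null) {
            local = bddConjoin(local, l.getSrcPorts().isEmpty() ? _factory.one() : computeValidRange(l.getSrcPorts(), _pkt.getSrcPort()));
        }
        if (l.getTcpFlags() != null) {
            local = bddConjoin(local, l.getTcpFlags().isEmpty() ? _factory.one() : computeTcpFlags(l.getTcpFlags()));
        }
        if (l.getIcmpCodes() != null) {
            local = bddConjoin(local, l.getIcmpCodes().isEmpty() ? _factory.one() : computeValidRange(l.getIcmpCodes(), _pkt.getIcmpCode()));
        }
        if (l.getIcmpTypes() != null) {
            local = bddConjoin(local, l.getIcmpTypes().isEmpty() ? _factory.one() : computeValidRange(l.getIcmpTypes(), _pkt.getIcmpType()));
        }
        if (l.getIpProtocols() != null) {
            local = bddConjoin(local, l.getIpProtocols().isEmpty() ? _factory.one() : computeIpProtocols(l.getIpProtocols()));
        }
        if (local != null) {
            if (l.getNegate()) {
                local = local.not();
            }
            BDD ret = l.getAction() == LineAction.ACCEPT ? _factory.one() : _factory.zero();
            // Earlier lines (processed later) wrap this, so the first match in list order wins.
            _bdd = local.ite(ret, _bdd);
        }
    }
}

/** Returns {@code term} when {@code acc} is null, otherwise the conjunction of both. */
private static BDD bddConjoin(BDD acc, BDD term) {
    return acc == null ? term : acc.and(term);
}

/** Throws a BatfishException with {@code message} when {@code field} is non-null and non-empty. */
private static void aclRejectUnsupported(Collection<?> field, String message) {
    if (field != null && !field.isEmpty()) {
        throw new BatfishException(message);
    }
}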