use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.
the class SecurityGroupsTest method testClosedInterval.
/**
 * Checks the inbound lines generated for the security group at index 5 of the {@code
 * _securityGroups} fixture array.
 *
 * <p>The first expected line is an ACCEPT restricted to TCP, source {@code 1.2.3.4/32} and
 * destination ports {@code SubRange(45, 50)}. It must be followed by the shared fixture lines
 * {@code _rejectSynOnly} and {@code _allowAllReverseOutboundRule}, which are defined elsewhere in
 * this class.
 */
@Test
public void testClosedInterval() throws JSONException {
  SecurityGroup group = new SecurityGroup(_securityGroups.getJSONObject(5), null);
  List<IpAccessListLine> ingress = new LinkedList<>();
  List<IpAccessListLine> egress = new LinkedList<>();
  group.addInOutAccessLines(ingress, egress, _region);

  // The only line specific to this fixture entry: one source host, one protocol, one port range.
  IpAccessListLine expectedPermit =
      IpAccessListLine.builder()
          .setAction(LineAction.ACCEPT)
          .setIpProtocols(Sets.newHashSet(IpProtocol.TCP))
          .setSrcIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32")))
          .setDstPorts(Sets.newHashSet(new SubRange(45, 50)))
          .build();

  // equalTo on a list also pins the order: the permit comes first, then the two shared lines.
  assertThat(
      ingress,
      equalTo(ImmutableList.of(expectedPermit, _rejectSynOnly, _allowAllReverseOutboundRule)));
}
use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.
the class SecurityGroupsTest method testAllTrafficAllowed.
/**
 * Checks the inbound lines generated for the security group at index 4 of the {@code
 * _securityGroups} fixture array.
 *
 * <p>The first expected line is an ACCEPT for source {@code 0.0.0.0/0} with no IP protocol set
 * and an explicitly empty destination-port set. It must be followed by the shared fixture lines
 * {@code _rejectSynOnly} and {@code _allowAllReverseOutboundRule}, which are defined elsewhere in
 * this class.
 */
@Test
public void testAllTrafficAllowed() throws JSONException {
  SecurityGroup group = new SecurityGroup(_securityGroups.getJSONObject(4), null);
  List<IpAccessListLine> ingress = new LinkedList<>();
  List<IpAccessListLine> egress = new LinkedList<>();
  group.addInOutAccessLines(ingress, egress, _region);

  // Broadest permit in this fixture: every source address, no protocol restriction.
  // NOTE(review): presumably an empty dstPorts set means "any port" in this model - confirm
  // against IpAccessListLine before relying on it when auditing generated ACLs.
  IpAccessListLine expectedPermit =
      IpAccessListLine.builder()
          .setAction(LineAction.ACCEPT)
          .setSrcIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0")))
          .setDstPorts(Sets.newHashSet())
          .build();

  // equalTo on a list also pins the order: the permit comes first, then the two shared lines.
  assertThat(
      ingress,
      equalTo(ImmutableList.of(expectedPermit, _rejectSynOnly, _allowAllReverseOutboundRule)));
}
use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.
the class SecurityGroupsTest method testDeniedWrongIpResponse.
/**
 * Checks that the outbound filter built from the security group at index 8 of the {@code
 * _securityGroups} fixture array rejects a TCP flow with SYN and ACK set, source port 22 and
 * destination IP {@code 1.2.3.5}.
 *
 * <p>The address the group actually permits lives in the fixture JSON, which is not part of this
 * method.
 */
@Test
public void testDeniedWrongIpResponse() throws JSONException {
  SecurityGroup group = new SecurityGroup(_securityGroups.getJSONObject(8), null);
  List<IpAccessListLine> ingress = new LinkedList<>();
  List<IpAccessListLine> egress = new LinkedList<>();
  group.addInOutAccessLines(ingress, egress, _region);

  // Only the outbound lines are evaluated here; the inbound list is populated but unused.
  IpAccessList egressFilter = new IpAccessList(TEST_ACL, egress);

  // The flow looks like a reply (SYN+ACK from port 22) but is addressed to the wrong
  // destination IP, so it must be rejected.
  // NOTE(review): _flowBuilder is a shared field; any flow attribute not set below comes from
  // wherever that builder was initialised - confirm in the class setup.
  _flowBuilder.setDstIp(new Ip("1.2.3.5"));
  _flowBuilder.setSrcPort(22);
  _flowBuilder.setTcpFlagsAck(1);
  _flowBuilder.setTcpFlagsSyn(1);

  LineAction verdict = egressFilter.filter(_flowBuilder.build()).getAction();
  assertThat(verdict, equalTo(LineAction.REJECT));
}
use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.
the class BatfishCompressionTest method testCompressionFibs_diamondNetwork.
/**
* Test the following invariant: if a FIB appears on concrete router “r”, then a corresponding
* abstract FIB appears on one of the representatives of “r”. For example, if there is a concrete FIB
* from C to D, then there should be an abstract FIB from A to B, where A is in representatives(C)
* and B is in representatives(D).
*/
@Test
public void testCompressionFibs_diamondNetwork() throws IOException {
  // ACL line handed to compressNetwork; its only constraint is destination 4.4.4.4/32.
  IpAccessListLine matchLine = new IpAccessListLine();
  matchLine.setDstIps(ImmutableList.of(new IpWildcard(Prefix.parse("4.4.4.4/32"))));

  // Baseline: data plane of the uncompressed diamond network.
  SortedMap<String, Configuration> origConfigs = diamondNetwork();
  DataPlane origDataPlane = getDataPlane(origConfigs);
  Map<String, Map<String, Fib>> origFibs = origDataPlane.getFibs();
  Topology origTopology = new Topology(origDataPlane.getTopologyEdges());

  /* Before compression, node A must have a route with C as a next hop. */
  assertThat(
      origFibs,
      hasEntry(
          equalTo("A"),
          hasEntry(
              equalTo(Configuration.DEFAULT_VRF_NAME),
              hasNextHopInterfaces(
                  hasValue(hasKey(withNode("A", isNeighborOfNode(origTopology, "C"))))))));

  // Compress a freshly built network, because compression mutates the configs it is given.
  SortedMap<String, Configuration> compressedConfigs =
      new TreeMap<>(compressNetwork(diamondNetwork(), matchLine));
  DataPlane compressedDataPlane = getDataPlane(compressedConfigs);
  for (Configuration compressedConfig : compressedConfigs.values()) {
    BatfishCompressionTest.assertIsCompressedConfig(compressedConfig);
  }
  assertThat(compressedConfigs.values(), hasSize(3));

  SortedMap<String, SortedMap<String, GenericRib<AbstractRoute>>> origRibs =
      origDataPlane.getRibs();
  SortedMap<String, SortedMap<String, GenericRib<AbstractRoute>>> compressedRibs =
      compressedDataPlane.getRibs();

  /* Every route in a compressed RIB must also appear in the original RIB of that host and VRF. */
  for (Map.Entry<String, SortedMap<String, GenericRib<AbstractRoute>>> hostEntry :
      compressedRibs.entrySet()) {
    String hostname = hostEntry.getKey();
    for (Map.Entry<String, GenericRib<AbstractRoute>> vrfEntry :
        hostEntry.getValue().entrySet()) {
      GenericRib<AbstractRoute> origRib = origRibs.get(hostname).get(vrfEntry.getKey());
      Set<AbstractRoute> origRoutes = origRib.getRoutes();
      Set<AbstractRoute> compressedRoutes = vrfEntry.getValue().getRoutes();
      compressedRoutes.forEach(route -> assertThat(origRoutes, hasItem(route)));
    }
  }

  /* Compression removed B or C entirely (but not both). */
  assertThat(compressedRibs, either(not(hasKey("B"))).or(not(hasKey("C"))));
  assertThat(compressedRibs, either(hasKey("B")).or(hasKey("C")));

  /* Whichever of B and C survived must keep exactly its original default-VRF routes. */
  String survivor = compressedConfigs.containsKey("B") ? "B" : "C";
  Set<AbstractRoute> routesBefore =
      origRibs.get(survivor).get(Configuration.DEFAULT_VRF_NAME).getRoutes();
  Set<AbstractRoute> routesAfter =
      compressedRibs.get(survivor).get(Configuration.DEFAULT_VRF_NAME).getRoutes();
  assertThat(routesBefore, equalTo(routesAfter));
}
use of org.batfish.datamodel.IpAccessListLine in project batfish by batfish.
the class CiscoConfiguration method toIpAccessList.
/**
 * Converts an {@link ExtendedAccessList} into an {@link IpAccessList} with the same name,
 * translating its lines one by one and keeping their order.
 *
 * <p>Optional match criteria (source/destination wildcard, ICMP type and code) are copied only
 * when the source line defines them. Ports, states, TCP flags, DSCPs and ECNs are passed through
 * as returned by the source line.
 *
 * @param eaList the extended access list to convert
 * @return a new {@link IpAccessList} holding one converted line per source line
 */
private IpAccessList toIpAccessList(ExtendedAccessList eaList) {
  String aclName = eaList.getName();
  List<IpAccessListLine> converted = new ArrayList<>(eaList.getLines().size());
  for (ExtendedAccessListLine source : eaList.getLines()) {
    IpAccessListLine target = new IpAccessListLine();
    target.setName(source.getName());
    target.setAction(source.getAction());

    // Address criteria: a null wildcard leaves the corresponding field of the new line untouched.
    IpWildcard sourceWildcard = source.getSourceIpWildcard();
    if (sourceWildcard != null) {
      target.setSrcIps(ImmutableSortedSet.of(sourceWildcard));
    }
    IpWildcard destinationWildcard = source.getDestinationIpWildcard();
    if (destinationWildcard != null) {
      target.setDstIps(ImmutableSortedSet.of(destinationWildcard));
    }
    // TODO: src/dst address group
    // NOTE(review): until address groups are handled, a line that names a group instead of a
    // wildcard gets no address constraint here; presumably an unset field matches any address,
    // which would make the converted line broader than the device's - confirm before trusting
    // analysis results for ACLs that use address groups.

    // IpProtocol.IP is treated as "no protocol restriction": only other protocols are recorded.
    IpProtocol ipProtocol = source.getProtocol();
    if (ipProtocol != IpProtocol.IP) {
      target.setIpProtocols(ImmutableSortedSet.of(ipProtocol));
    }

    target.setDstPorts(source.getDstPorts());
    target.setSrcPorts(source.getSrcPorts());

    // A single ICMP type/code becomes a one-value SubRange.
    Integer type = source.getIcmpType();
    if (type != null) {
      target.setIcmpTypes(ImmutableSortedSet.of(new SubRange(type)));
    }
    Integer code = source.getIcmpCode();
    if (code != null) {
      target.setIcmpCodes(ImmutableSortedSet.of(new SubRange(code)));
    }

    // Remaining criteria are handed over as-is, without copying or null checks.
    target.setStates(source.getStates());
    target.setTcpFlags(source.getTcpFlags());
    target.setDscps(source.getDscps());
    target.setEcns(source.getEcns());

    converted.add(target);
  }
  return new IpAccessList(aclName, converted);
}