use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class FwFromSourcePrefixListExcept method applyTo.
/**
 * Applies a "from source-prefix-list ... except" match to the given ACL line by appending the
 * prefix list's addresses to the line's excluded source IPs.
 *
 * <p>An undefined prefix list is reported through {@code w.redFlag} and the line is left as is.
 * An IPv6 prefix list is recorded as referenced but otherwise skipped: the method returns without
 * changing the line and without emitting a warning.
 *
 * @param line the ACL line whose excluded source IPs are extended
 * @param jc the Juniper configuration holding the named prefix lists
 * @param w sink for the undefined-reference warning
 * @param c the configuration holding the route filter list of the same name
 */
@Override
public void applyTo(IpAccessListLine line, JuniperConfiguration jc, Warnings w, Configuration c) {
  PrefixList prefixList = jc.getPrefixLists().get(_name);
  if (prefixList == null) {
    w.redFlag("Reference to undefined source prefix-list: \"" + _name + "\"");
    return;
  }
  // Record the reference before the IPv6 check so IPv6 lists still count as used.
  prefixList.getReferers().put(this, "firewall from source-prefix-list except");
  if (prefixList.getIpv6()) {
    return;
  }
  // NOTE(review): assumes a route filter list named _name exists whenever the prefix list does;
  // a missing entry would raise a NullPointerException here -- confirm against the converter.
  List<IpWildcard> excluded = c.getRouteFilterLists().get(_name).getMatchingIps();
  line.setNotSrcIps(Iterables.concat(line.getNotSrcIps(), excluded));
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class FwFromDestinationPrefixList method applyTo.
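/**
 * Applies a "from destination-prefix-list" match to the given ACL line by appending the prefix
 * list's addresses to the line's destination IPs.
 *
 * <p>An undefined prefix list is reported through {@code w.redFlag} and the line is left as is.
 * An IPv6 prefix list is recorded as referenced but otherwise skipped: the method returns without
 * changing the line and without emitting a warning.
 *
 * @param line the ACL line whose destination IPs are extended
 * @param jc the Juniper configuration holding the named prefix lists
 * @param w sink for the undefined-reference warning
 * @param c the configuration holding the route filter list of the same name
 */
@Override
public void applyTo(IpAccessListLine line, JuniperConfiguration jc, Warnings w, Configuration c) {
  PrefixList pl = jc.getPrefixLists().get(_name);
  if (pl == null) {
    // The warning names the destination prefix-list: this term matches on destination, and a
    // message that says "source" sends whoever audits the filter to the wrong statement.
    w.redFlag("Reference to undefined destination prefix-list: \"" + _name + "\"");
    return;
  }
  // Record the reference before the IPv6 check so IPv6 lists still count as used.
  pl.getReferers().put(this, "firewall from destination-prefix-list");
  if (pl.getIpv6()) {
    return;
  }
  // NOTE(review): assumes a route filter list named _name exists whenever the prefix list does;
  // a missing entry would raise a NullPointerException here -- confirm against the converter.
  RouteFilterList destinationPrefixList = c.getRouteFilterLists().get(_name);
  List<IpWildcard> wildcards = destinationPrefixList.getMatchingIps();
  line.setDstIps(Iterables.concat(line.getDstIps(), wildcards));
}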
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class DestinationClasses method addCatchAllCase.
/**
 * Registers the catch-all headerspace in the headerspace map. The catch-all matches
 * {@code dstIps}, excludes {@code notDstIps}, and additionally excludes every prefix that already
 * appears as a value of {@code destinationMap}.
 *
 * @param dstIps destination prefixes the catch-all headerspace should contain
 * @param notDstIps destination prefixes the catch-all headerspace should not contain
 * @param destinationMap inversion of the prefix trie -- from sets of destinations to prefixes
 */
private void addCatchAllCase(List<Prefix> dstIps, List<Prefix> notDstIps, Map<Set<String>, List<Prefix>> destinationMap) {
  HeaderSpace catchAll = createHeaderSpace(dstIps);

  // Everything explicitly excluded plus everything already claimed by another class.
  Stream<Prefix> alreadyClassified = destinationMap.values().stream().flatMap(Collection::stream);
  Set<IpWildcard> excluded =
      Stream.concat(notDstIps.stream(), alreadyClassified)
          .map(IpWildcard::new)
          .collect(Collectors.toSet());
  catchAll.setNotDstIps(excluded);

  if (_headerspace != null) {
    copyAllButDestinationIp(catchAll, _headerspace);
  }

  // The entry is skipped only when the excluded set equals the included set.
  // NOTE(review): this is equality of the two wildcard sets, not a semantic emptiness check; a
  // catch-all that is fully covered by differently-shaped prefixes is still registered -- confirm
  // that is intended.
  boolean excludesExactlyWhatItMatches = catchAll.getNotDstIps().equals(catchAll.getDstIps());
  if (!excludesExactlyWhatItMatches) {
    _headerspaceMap.put(new HashSet<>(), new Tuple<>(catchAll, new Tuple<>(null, true)));
  }
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class EncoderSlice method addHeaderSpaceConstraint.
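/*
 * Add constraints for the type of packets we will consider in the model.
 * This can include restrictions on any packet field such as dstIp, protocol etc.
 *
 * Each non-empty positive list (dstIps, srcPorts, ...) becomes one disjunction: the symbolic
 * field must fall in at least one entry. Each non-empty negative list (notDstIps, ...) becomes
 * one conjunction of negations: the field must fall in none of the entries. An empty list adds
 * no constraint, so that field stays unconstrained.
 *
 * The source-port lists are bound to the symbolic source port. Binding them to the destination
 * port would make a query restricted by source port silently constrain the wrong field, and
 * the solver's answer would then describe a different set of packets than the one asked about.
 */
private void addHeaderSpaceConstraint() {
  BoolExpr acc;

  // ---- IP addresses ----
  if (_headerSpace.getDstIps().size() > 0) {
    acc = mkFalse();
    for (IpWildcard ipWildcard : _headerSpace.getDstIps()) {
      BoolExpr bound = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotDstIps().size() > 0) {
    acc = mkTrue();
    for (IpWildcard ipWildcard : _headerSpace.getNotDstIps()) {
      BoolExpr bound = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  if (_headerSpace.getSrcIps().size() > 0) {
    acc = mkFalse();
    for (IpWildcard ipWildcard : _headerSpace.getSrcIps()) {
      BoolExpr bound = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotSrcIps().size() > 0) {
    acc = mkTrue();
    for (IpWildcard ipWildcard : _headerSpace.getNotSrcIps()) {
      BoolExpr bound = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  if (_headerSpace.getSrcOrDstIps().size() > 0) {
    acc = mkFalse();
    for (IpWildcard ipWildcard : _headerSpace.getSrcOrDstIps()) {
      // Either endpoint may match the wildcard.
      BoolExpr bound1 = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
      BoolExpr bound2 = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
      acc = mkOr(acc, bound1, bound2);
    }
    add(acc);
  }

  // ---- Ports ----
  if (_headerSpace.getDstPorts().size() > 0) {
    acc = mkFalse();
    for (SubRange subRange : _headerSpace.getDstPorts()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getDstPort(), subRange);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotDstPorts().size() > 0) {
    acc = mkTrue();
    for (SubRange subRange : _headerSpace.getNotDstPorts()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getDstPort(), subRange);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  if (_headerSpace.getSrcPorts().size() > 0) {
    acc = mkFalse();
    for (SubRange subRange : _headerSpace.getSrcPorts()) {
      // Source-port ranges constrain the source port, not the destination port.
      BoolExpr bound = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotSrcPorts().size() > 0) {
    acc = mkTrue();
    for (SubRange subRange : _headerSpace.getNotSrcPorts()) {
      // Source-port ranges constrain the source port, not the destination port.
      BoolExpr bound = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  if (_headerSpace.getSrcOrDstPorts().size() > 0) {
    acc = mkFalse();
    for (SubRange subRange : _headerSpace.getSrcOrDstPorts()) {
      // Either port may fall in the range.
      BoolExpr bound1 = subRangeBound(_symbolicPacket.getDstPort(), subRange);
      BoolExpr bound2 = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
      acc = mkOr(acc, bound1, bound2);
    }
    add(acc);
  }

  // ---- ICMP type and code ----
  if (_headerSpace.getIcmpTypes().size() > 0) {
    acc = mkFalse();
    for (SubRange subRange : _headerSpace.getIcmpTypes()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpType(), subRange);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotIcmpTypes().size() > 0) {
    acc = mkTrue();
    for (SubRange subRange : _headerSpace.getNotIcmpTypes()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpType(), subRange);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  if (_headerSpace.getIcmpCodes().size() > 0) {
    acc = mkFalse();
    for (SubRange subRange : _headerSpace.getIcmpCodes()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpCode(), subRange);
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotIcmpCodes().size() > 0) {
    acc = mkTrue();
    for (SubRange subRange : _headerSpace.getNotIcmpCodes()) {
      BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpCode(), subRange);
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }

  // ---- IP protocol ----
  if (_headerSpace.getIpProtocols().size() > 0) {
    acc = mkFalse();
    for (IpProtocol ipProtocol : _headerSpace.getIpProtocols()) {
      BoolExpr bound = mkEq(_symbolicPacket.getIpProtocol(), mkInt(ipProtocol.number()));
      acc = mkOr(acc, bound);
    }
    add(acc);
  }
  if (_headerSpace.getNotIpProtocols().size() > 0) {
    acc = mkTrue();
    for (IpProtocol ipProtocol : _headerSpace.getNotIpProtocols()) {
      BoolExpr bound = mkEq(_symbolicPacket.getIpProtocol(), mkInt(ipProtocol.number()));
      acc = mkAnd(acc, mkNot(bound));
    }
    add(acc);
  }
  // TODO: need to implement fragment offsets, Ecns, states, etc
  // Until then, a headerspace that sets any of those fields is encoded without them.
}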
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class PropertyChecker method inferDestinationHeaderSpace.
/**
 * Fills in the destination-IP part of the question's headerspace from the destination edges, but
 * only when the question does not already name any destination IPs.
 *
 * <p>The headerspace object returned by {@code q.getHeaderSpace()} is modified in place.
 *
 * @param g the graph used to classify edges as external or host-attached
 * @param destPorts the edges whose addresses seed the destination headerspace
 * @param q the question whose headerspace is updated
 */
private void inferDestinationHeaderSpace(Graph g, Collection<GraphEdge> destPorts, HeaderLocationQuestion q) {
  HeaderSpace inferred = q.getHeaderSpace();
  // An explicit destination set in the question wins; nothing to infer.
  if (!inferred.getDstIps().isEmpty()) {
    return;
  }

  for (GraphEdge edge : destPorts) {
    if (g.isExternal(edge)) {
      // An external edge can lead to any prefix: drop everything collected so far and stop,
      // leaving the destination unconstrained.
      inferred.setDstIps(Collections.emptySet());
      inferred.setNotDstIps(Collections.emptySet());
      break;
    }

    if (edge.getPeer() == null) {
      // Unknown far end: admit the whole connected prefix.
      Prefix connected = edge.getStart().getAddress().getPrefix();
      inferred.setDstIps(
          Iterables.concat(inferred.getDstIps(), Collections.singleton(new IpWildcard(connected))));
    } else if (g.isHost(edge.getRouter())) {
      // Host: admit the subnet, then carve out the neighbor's own address.
      Prefix subnet = edge.getStart().getAddress().getPrefix();
      inferred.setDstIps(
          Iterables.concat(inferred.getDstIps(), Collections.singleton(new IpWildcard(subnet))));
      Ip neighbor = edge.getEnd().getAddress().getIp();
      inferred.setNotDstIps(
          Iterables.concat(inferred.getNotDstIps(), Collections.singleton(new IpWildcard(neighbor))));
    } else {
      // Known, non-host peer: admit only the exact local address.
      Ip local = edge.getStart().getAddress().getIp();
      inferred.setDstIps(
          Iterables.concat(inferred.getDstIps(), Collections.singleton(new IpWildcard(local))));
    }
  }
}