
Example 6 with IpWildcard

use of org.batfish.datamodel.IpWildcard in project batfish by batfish.

the class FwFromSourcePrefixListExcept method applyTo.

/**
 * Applies this "from source-prefix-list ... except" match condition to an ACL line by appending
 * the prefix-list's matching addresses to the line's excluded source IPs.
 *
 * <p>This object is registered as a referrer of the prefix-list before anything else happens.
 * An IPv6 prefix-list leaves the line unchanged; an undefined prefix-list is reported through
 * {@code w} and also leaves the line unchanged.
 *
 * @param line ACL line whose excluded-source-IP collection is extended
 * @param jc Juniper configuration searched for the prefix-list named {@code _name}
 * @param w receives a red-flag warning when the prefix-list is not defined
 * @param c configuration whose route filter lists are looked up under the same name
 */
@Override
public void applyTo(IpAccessListLine line, JuniperConfiguration jc, Warnings w, Configuration c) {
    PrefixList prefixList = jc.getPrefixLists().get(_name);
    if (prefixList == null) {
        // NOTE(review): the line keeps no exclusion for the missing list, so the modelled
        // filter term may match more sources than the author intended; the warning is the
        // only trace of that.
        w.redFlag("Reference to undefined source prefix-list: \"" + _name + "\"");
        return;
    }
    prefixList.getReferers().put(this, "firewall from source-prefix-list except");
    if (prefixList.getIpv6()) {
        // IPv6 lists are skipped without a warning and without touching the line.
        return;
    }
    // NOTE(review): the lookup result is dereferenced unchecked; presumably a route filter
    // list exists for every IPv4 prefix-list. Confirm against the code that populates them.
    RouteFilterList routeFilter = c.getRouteFilterLists().get(_name);
    List<IpWildcard> excludedSources = routeFilter.getMatchingIps();
    line.setNotSrcIps(Iterables.concat(line.getNotSrcIps(), excludedSources));
}
Also used : IpWildcard(org.batfish.datamodel.IpWildcard) RouteFilterList(org.batfish.datamodel.RouteFilterList)

Example 7 with IpWildcard

use of org.batfish.datamodel.IpWildcard in project batfish by batfish.

the class FwFromDestinationPrefixList method applyTo.

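/**
 * Applies this "from destination-prefix-list" match condition to an ACL line by appending the
 * prefix-list's matching addresses to the line's destination IPs.
 *
 * <p>This object is registered as a referrer of the prefix-list before anything else happens.
 * An IPv6 prefix-list leaves the line unchanged; an undefined prefix-list is reported through
 * {@code w} and also leaves the line unchanged.
 *
 * @param line ACL line whose destination-IP collection is extended
 * @param jc Juniper configuration searched for the prefix-list named {@code _name}
 * @param w receives a red-flag warning when the prefix-list is not defined
 * @param c configuration whose route filter lists are looked up under the same name
 */
@Override
public void applyTo(IpAccessListLine line, JuniperConfiguration jc, Warnings w, Configuration c) {
    PrefixList pl = jc.getPrefixLists().get(_name);
    if (pl != null) {
        pl.getReferers().put(this, "firewall from destination-prefix-list");
        if (pl.getIpv6()) {
            // IPv6 lists are skipped without a warning and without touching the line.
            return;
        }
        // NOTE(review): the lookup result is dereferenced unchecked; presumably a route filter
        // list exists for every IPv4 prefix-list. Confirm against the code that populates them.
        RouteFilterList destinationPrefixList = c.getRouteFilterLists().get(_name);
        List<IpWildcard> wildcards = destinationPrefixList.getMatchingIps();
        line.setDstIps(Iterables.concat(line.getDstIps(), wildcards));
    } else {
        // The warning must name the destination list: a message that says "source" sends
        // whoever audits the filter to the wrong match condition.
        // NOTE(review): no destination constraint is added in this branch, so the modelled
        // term may match more destinations than the author intended.
        w.redFlag("Reference to undefined destination prefix-list: \"" + _name + "\"");
    }
}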
Also used : IpWildcard(org.batfish.datamodel.IpWildcard) RouteFilterList(org.batfish.datamodel.RouteFilterList)

Example 8 with IpWildcard

use of org.batfish.datamodel.IpWildcard in project batfish by batfish.

the class DestinationClasses method addCatchAllCase.

/**
 * Registers the catch-all headerspace in the headerspace map.
 *
 * <p>The catch-all headerspace is built from {@code dstIps} and excludes both {@code notDstIps}
 * and every prefix that appears as a value in {@code destinationMap}. When {@code _headerspace}
 * is set, {@code copyAllButDestinationIp} is called with the catch-all and that headerspace.
 * The entry is stored under an empty key set, and only when the excluded and included
 * destination collections are not equal.
 *
 * @param dstIps destination prefixes that belong to the catch-all headerspace
 * @param notDstIps destination prefixes that must be excluded from the catch-all headerspace
 * @param destinationMap inversion of the prefix trie, from sets of destinations to prefixes
 */
private void addCatchAllCase(List<Prefix> dstIps, List<Prefix> notDstIps, Map<Set<String>, List<Prefix>> destinationMap) {
    HeaderSpace catchAll = createHeaderSpace(dstIps);

    // Everything already claimed by a specific destination class is carved out of the catch-all.
    Stream<Prefix> alreadyClassified = destinationMap.values().stream().flatMap(Collection::stream);
    Set<IpWildcard> excluded =
        Stream.concat(notDstIps.stream(), alreadyClassified)
            .map(IpWildcard::new)
            .collect(Collectors.toSet());
    catchAll.setNotDstIps(excluded);

    if (_headerspace != null) {
        copyAllButDestinationIp(catchAll, _headerspace);
    }

    // NOTE(review): this compares the two collections with equals(), so it only detects the
    // case where the exclusions are literally the same wildcards as the inclusions; it does
    // not detect exclusions that cover the inclusions with different prefixes.
    boolean fullyExcluded = catchAll.getNotDstIps().equals(catchAll.getDstIps());
    if (!fullyExcluded) {
        _headerspaceMap.put(new HashSet<>(), new Tuple<>(catchAll, new Tuple<>(null, true)));
    }
}
Also used : IpWildcard(org.batfish.datamodel.IpWildcard) Collection(java.util.Collection) HeaderSpace(org.batfish.datamodel.HeaderSpace) Tuple(org.batfish.symbolic.utils.Tuple)

Example 9 with IpWildcard

use of org.batfish.datamodel.IpWildcard in project batfish by batfish.

the class EncoderSlice method addHeaderSpaceConstraint.

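/**
 * Adds constraints for the type of packets considered in the model, taken from
 * {@code _headerSpace}. This can restrict any packet field such as dstIp, protocol etc.
 *
 * <p>Each non-empty "positive" field contributes one disjunction over its entries (the symbolic
 * packet field must match at least one entry). Each non-empty "not" field contributes one
 * conjunction of negations (the field must match none of the entries). Empty fields add no
 * constraint. The "srcOrDst" fields accept a match on either the source or the destination
 * side.
 *
 * <p>Source-port ranges are bound against the symbolic source port. Binding them against the
 * destination port would silently model a different packet set than the one requested, and any
 * property checked on that model would not hold for the real filter.
 */
private void addHeaderSpaceConstraint() {
    BoolExpr acc;
    // Destination IPs: match any listed wildcard.
    if (_headerSpace.getDstIps().size() > 0) {
        acc = mkFalse();
        for (IpWildcard ipWildcard : _headerSpace.getDstIps()) {
            BoolExpr bound = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded destination IPs: match none of the listed wildcards.
    if (_headerSpace.getNotDstIps().size() > 0) {
        acc = mkTrue();
        for (IpWildcard ipWildcard : _headerSpace.getNotDstIps()) {
            BoolExpr bound = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // Source IPs: match any listed wildcard.
    if (_headerSpace.getSrcIps().size() > 0) {
        acc = mkFalse();
        for (IpWildcard ipWildcard : _headerSpace.getSrcIps()) {
            BoolExpr bound = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded source IPs: match none of the listed wildcards.
    if (_headerSpace.getNotSrcIps().size() > 0) {
        acc = mkTrue();
        for (IpWildcard ipWildcard : _headerSpace.getNotSrcIps()) {
            BoolExpr bound = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // Source-or-destination IPs: either address may match a listed wildcard.
    if (_headerSpace.getSrcOrDstIps().size() > 0) {
        acc = mkFalse();
        for (IpWildcard ipWildcard : _headerSpace.getSrcOrDstIps()) {
            BoolExpr bound1 = ipWildCardBound(_symbolicPacket.getDstIp(), ipWildcard);
            BoolExpr bound2 = ipWildCardBound(_symbolicPacket.getSrcIp(), ipWildcard);
            acc = mkOr(acc, bound1, bound2);
        }
        add(acc);
    }
    // Destination ports: fall in any listed range.
    if (_headerSpace.getDstPorts().size() > 0) {
        acc = mkFalse();
        for (SubRange subRange : _headerSpace.getDstPorts()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getDstPort(), subRange);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded destination ports: fall in none of the listed ranges.
    if (_headerSpace.getNotDstPorts().size() > 0) {
        acc = mkTrue();
        for (SubRange subRange : _headerSpace.getNotDstPorts()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getDstPort(), subRange);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // Source ports: the bound applies to the symbolic SOURCE port.
    if (_headerSpace.getSrcPorts().size() > 0) {
        acc = mkFalse();
        for (SubRange subRange : _headerSpace.getSrcPorts()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded source ports: the bound applies to the symbolic SOURCE port.
    if (_headerSpace.getNotSrcPorts().size() > 0) {
        acc = mkTrue();
        for (SubRange subRange : _headerSpace.getNotSrcPorts()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // Source-or-destination ports: either port may fall in a listed range.
    if (_headerSpace.getSrcOrDstPorts().size() > 0) {
        acc = mkFalse();
        for (SubRange subRange : _headerSpace.getSrcOrDstPorts()) {
            BoolExpr bound1 = subRangeBound(_symbolicPacket.getDstPort(), subRange);
            BoolExpr bound2 = subRangeBound(_symbolicPacket.getSrcPort(), subRange);
            acc = mkOr(acc, bound1, bound2);
        }
        add(acc);
    }
    // ICMP types: fall in any listed range.
    if (_headerSpace.getIcmpTypes().size() > 0) {
        acc = mkFalse();
        for (SubRange subRange : _headerSpace.getIcmpTypes()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpType(), subRange);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded ICMP types: fall in none of the listed ranges.
    if (_headerSpace.getNotIcmpTypes().size() > 0) {
        acc = mkTrue();
        for (SubRange subRange : _headerSpace.getNotIcmpTypes()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpType(), subRange);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // ICMP codes: fall in any listed range.
    if (_headerSpace.getIcmpCodes().size() > 0) {
        acc = mkFalse();
        for (SubRange subRange : _headerSpace.getIcmpCodes()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpCode(), subRange);
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded ICMP codes: fall in none of the listed ranges.
    if (_headerSpace.getNotIcmpCodes().size() > 0) {
        acc = mkTrue();
        for (SubRange subRange : _headerSpace.getNotIcmpCodes()) {
            BoolExpr bound = subRangeBound(_symbolicPacket.getIcmpCode(), subRange);
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // IP protocols: equal to any listed protocol number.
    if (_headerSpace.getIpProtocols().size() > 0) {
        acc = mkFalse();
        for (IpProtocol ipProtocol : _headerSpace.getIpProtocols()) {
            BoolExpr bound = mkEq(_symbolicPacket.getIpProtocol(), mkInt(ipProtocol.number()));
            acc = mkOr(acc, bound);
        }
        add(acc);
    }
    // Excluded IP protocols: equal to none of the listed protocol numbers.
    if (_headerSpace.getNotIpProtocols().size() > 0) {
        acc = mkTrue();
        for (IpProtocol ipProtocol : _headerSpace.getNotIpProtocols()) {
            BoolExpr bound = mkEq(_symbolicPacket.getIpProtocol(), mkInt(ipProtocol.number()));
            acc = mkAnd(acc, mkNot(bound));
        }
        add(acc);
    }
    // TODO: need to implement fragment offsets, Ecns, states, etc
    // Until then those headerspace fields are not constrained here, so the model accepts
    // packets regardless of what the headerspace specifies for them.
}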
Also used : IpWildcard(org.batfish.datamodel.IpWildcard) BoolExpr(com.microsoft.z3.BoolExpr) IpProtocol(org.batfish.datamodel.IpProtocol) SubRange(org.batfish.datamodel.SubRange)

Example 10 with IpWildcard

use of org.batfish.datamodel.IpWildcard in project batfish by batfish.

the class PropertyChecker method inferDestinationHeaderSpace.

/**
 * Infers the question's destination IP headerspace from the destination interfaces, unless the
 * question already constrains destination IPs.
 *
 * <p>For each destination edge, in iteration order:
 *
 * <ul>
 *   <li>an external edge resets both the included and excluded destination IPs to empty and
 *       stops the inference, leaving the destination unconstrained;
 *   <li>an edge with no peer adds the prefix of the edge's start address;
 *   <li>an edge whose router is a host adds the prefix of the start address and excludes the
 *       IP of the end address;
 *   <li>any other edge adds the exact IP of the start address.
 * </ul>
 *
 * @param g graph used to classify edges as external and routers as hosts
 * @param destPorts destination edges to infer the headerspace from
 * @param q question whose headerspace is updated in place
 */
private void inferDestinationHeaderSpace(Graph g, Collection<GraphEdge> destPorts, HeaderLocationQuestion q) {
    // Nothing to infer when the caller already supplied destination IPs.
    if (!q.getHeaderSpace().getDstIps().isEmpty()) {
        return;
    }
    HeaderSpace space = q.getHeaderSpace();
    for (GraphEdge edge : destPorts) {
        if (g.isExternal(edge)) {
            // An external destination can be any prefix. This discards whatever earlier
            // edges contributed and leaves the query unconstrained on destination IP.
            space.setDstIps(Collections.emptySet());
            space.setNotDstIps(Collections.emptySet());
            break;
        }
        if (edge.getPeer() == null) {
            // Unknown far end: admit the whole subnet of the local interface.
            IpWildcard subnet = new IpWildcard(edge.getStart().getAddress().getPrefix());
            space.setDstIps(Iterables.concat(space.getDstIps(), Collections.singleton(subnet)));
        } else if (g.isHost(edge.getRouter())) {
            // Host: admit the subnet, but carve out the neighbor's own address.
            IpWildcard subnet = new IpWildcard(edge.getStart().getAddress().getPrefix());
            space.setDstIps(Iterables.concat(space.getDstIps(), Collections.singleton(subnet)));
            IpWildcard neighbor = new IpWildcard(edge.getEnd().getAddress().getIp());
            space.setNotDstIps(Iterables.concat(space.getNotDstIps(), Collections.singleton(neighbor)));
        } else {
            // Known peer that is not a host: admit only the interface's exact address.
            IpWildcard exact = new IpWildcard(edge.getStart().getAddress().getIp());
            space.setDstIps(Iterables.concat(space.getDstIps(), Collections.singleton(exact)));
        }
    }
}
Also used : IpWildcard(org.batfish.datamodel.IpWildcard) Ip(org.batfish.datamodel.Ip) HeaderSpace(org.batfish.datamodel.HeaderSpace) Prefix(org.batfish.datamodel.Prefix) GraphEdge(org.batfish.symbolic.GraphEdge)

Aggregations

IpWildcard (org.batfish.datamodel.IpWildcard)63 Test (org.junit.Test)38 Ip (org.batfish.datamodel.Ip)18 IpAccessListLine (org.batfish.datamodel.IpAccessListLine)17 SubRange (org.batfish.datamodel.SubRange)16 HeaderSpace (org.batfish.datamodel.HeaderSpace)12 Prefix (org.batfish.datamodel.Prefix)9 LinkedList (java.util.LinkedList)8 Configuration (org.batfish.datamodel.Configuration)8 Context (com.microsoft.z3.Context)7 Interface (org.batfish.datamodel.Interface)7 IpAccessList (org.batfish.datamodel.IpAccessList)6 IpProtocol (org.batfish.datamodel.IpProtocol)6 BoolExpr (com.microsoft.z3.BoolExpr)5 TreeSet (java.util.TreeSet)5 BatfishException (org.batfish.common.BatfishException)5 RouteFilterList (org.batfish.datamodel.RouteFilterList)5 ImmutableSortedMap (com.google.common.collect.ImmutableSortedMap)4 Status (com.microsoft.z3.Status)4 Map (java.util.Map)4