use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class PropertyChecker method checkRoutingLoop.
/*
* Checks for routing loops in the network. For efficiency reasons,
* we only check for loops with routers that use static routes since
* these can override the usual loop-prevention mechanisms.
*/
public AnswerElement checkRoutingLoop(HeaderQuestion q) {
Graph graph = new Graph(_batfish);
// Collect all relevant destinations
List<Prefix> prefixes = new ArrayList<>();
graph.getStaticRoutes().forEach((router, ifaceName, srs) -> {
for (StaticRoute sr : srs) {
prefixes.add(sr.getNetwork());
}
});
SortedSet<IpWildcard> pfxs = new TreeSet<>();
for (Prefix prefix : prefixes) {
pfxs.add(new IpWildcard(prefix));
}
q.getHeaderSpace().setDstIps(pfxs);
// Collect all routers that use static routes as a
// potential node along a loop
List<String> routers = new ArrayList<>();
for (Entry<String, Configuration> entry : graph.getConfigurations().entrySet()) {
String router = entry.getKey();
Configuration conf = entry.getValue();
if (conf.getDefaultVrf().getStaticRoutes().size() > 0) {
routers.add(router);
}
}
Encoder enc = new Encoder(_settings, graph, q);
enc.computeEncoding();
Context ctx = enc.getCtx();
EncoderSlice slice = enc.getMainSlice();
PropertyAdder pa = new PropertyAdder(slice);
BoolExpr someLoop = ctx.mkBool(false);
for (String router : routers) {
BoolExpr hasLoop = pa.instrumentLoop(router);
someLoop = ctx.mkOr(someLoop, hasLoop);
}
enc.add(someLoop);
VerificationResult result = enc.verify().getFirst();
return new SmtOneAnswerElement(result);
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class BDDAcl method computeWildcardMatch.
/*
* Convert a set of wildcards and a packet field to a symbolic boolean expression
*/
private BDD computeWildcardMatch(Set<IpWildcard> wcs, BDDInteger field, @Nullable Set<Prefix> ignored) {
BDD acc = _factory.zero();
for (IpWildcard wc : wcs) {
if (!wc.isPrefix()) {
throw new BatfishException("ERROR: computeDstWildcards, non sequential mask detected");
}
Prefix p = wc.toPrefix();
// if (!PrefixUtils.isContainedBy(p, ignored)) {
acc = acc.or(isRelevantFor(p, field));
// }
}
return acc;
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class BoolExprTransformerTest method testVisitHeaderSpaceMatchExpr.
@Test
public void testVisitHeaderSpaceMatchExpr() {
long ipCounter = 1L;
int intCounter = 1;
HeaderSpace.Builder<?, ?> hb = IpAccessListLine.builder();
BooleanExpr expr = new HeaderSpaceMatchExpr(hb.setDscps(ImmutableSet.of(intCounter++, intCounter++)).setDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setDstProtocols(ImmutableSet.of(Protocol.DNS, Protocol.HTTP)).setEcns(ImmutableSet.of(intCounter++, intCounter++)).setFragmentOffsets(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIcmpCodes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIcmpTypes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIpProtocols(ImmutableSet.of(IpProtocol.AHP, IpProtocol.ARGUS)).setNegate(true).setNotDscps(ImmutableSet.of(intCounter++, intCounter++)).setNotDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setNotDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotDstProtocols(ImmutableSet.of(Protocol.HTTPS, Protocol.TELNET)).setNotEcns(ImmutableSet.of(intCounter++, intCounter++)).setNotFragmentOffsets(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIcmpCodes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIcmpTypes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIpProtocols(ImmutableSet.of(IpProtocol.BNA, IpProtocol.XNET)).setNotPacketLengths(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotSrcIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setNotSrcPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotSrcProtocols(ImmutableSet.of(Protocol.SSH, Protocol.TCP)).setPacketLengths(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setSrcOrDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setSrcOrDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcOrDstProtocols(ImmutableSet.of(Protocol.UDP, Protocol.HTTP)).setSrcPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcProtocols(ImmutableSet.of(Protocol.HTTPS, Protocol.DNS)).setStates(ImmutableSet.of(State.ESTABLISHED, State.NEW)).setTcpFlags(ImmutableSet.of(TcpFlags.builder().setAck(true).setUseAck(true).build(), TcpFlags.builder().setUseCwr(true).build())).build());
assertThat(toBoolExpr(expr, _input, _nodContext), instanceOf(BoolExpr.class));
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class IpSpaceBooleanExprTransformerTest method testVisitIpWildcard.
@Test
public void testVisitIpWildcard() {
IpWildcard wildcard = new IpWildcard(new Ip("1.2.0.4"), new Ip(0x0000FF00L));
BooleanExpr matchExpr = wildcard.accept(SRC_IP_SPACE_BOOLEAN_EXPR_TRANSFORMER);
assertThat(matchExpr, equalTo(HeaderSpaceMatchExpr.matchSrcIp(ImmutableSet.of(wildcard))));
}
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class ElasticsearchDomainTest method testSecurityGroupsAcl.
@Test
public void testSecurityGroupsAcl() throws IOException {
Map<String, Configuration> configurations = loadAwsConfigurations();
assertThat(configurations, hasKey("es-domain"));
assertThat(configurations.get("es-domain").getInterfaces().entrySet(), hasSize(2));
IpAccessListLine rejectSynOnly = IpAccessListLine.builder().setTcpFlags(ImmutableSet.of(TcpFlags.SYN_ONLY)).setAction(LineAction.REJECT).build();
IpAccessList expectedIncomingFilter = new IpAccessList("~SECURITY_GROUP_INGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setSrcIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setDstPorts(Sets.newHashSet(new SubRange(45, 50))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setSrcIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build()));
IpAccessList expectedOutgoingFilter = new IpAccessList("~SECURITY_GROUP_EGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setDstIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setDstIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setSrcPorts(Sets.newHashSet(new SubRange(45, 50))).build()));
for (Interface iface : configurations.get("es-domain").getInterfaces().values()) {
assertThat(iface.getIncomingFilter(), equalTo(expectedIncomingFilter));
assertThat(iface.getOutgoingFilter(), equalTo(expectedOutgoingFilter));
}
}
Aggregations