Example 11 with IpWildcard
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class PropertyChecker method checkRoutingLoop.
/*
* Checks for routing loops in the network. For efficiency reasons,
* we only check for loops with routers that use static routes since
* these can override the usual loop-prevention mechanisms.
*/
public AnswerElement checkRoutingLoop(HeaderQuestion q) {
Graph graph = new Graph(_batfish);
// Collect all relevant destinations
List<Prefix> prefixes = new ArrayList<>();
graph.getStaticRoutes().forEach((router, ifaceName, srs) -> {
for (StaticRoute sr : srs) {
prefixes.add(sr.getNetwork());
}
});
SortedSet<IpWildcard> pfxs = new TreeSet<>();
for (Prefix prefix : prefixes) {
pfxs.add(new IpWildcard(prefix));
}
q.getHeaderSpace().setDstIps(pfxs);
// Collect all routers that use static routes as a
// potential node along a loop
List<String> routers = new ArrayList<>();
for (Entry<String, Configuration> entry : graph.getConfigurations().entrySet()) {
String router = entry.getKey();
Configuration conf = entry.getValue();
if (conf.getDefaultVrf().getStaticRoutes().size() > 0) {
routers.add(router);
}
}
Encoder enc = new Encoder(_settings, graph, q);
enc.computeEncoding();
Context ctx = enc.getCtx();
EncoderSlice slice = enc.getMainSlice();
PropertyAdder pa = new PropertyAdder(slice);
BoolExpr someLoop = ctx.mkBool(false);
for (String router : routers) {
BoolExpr hasLoop = pa.instrumentLoop(router);
someLoop = ctx.mkOr(someLoop, hasLoop);
}
enc.add(someLoop);
VerificationResult result = enc.verify().getFirst();
return new SmtOneAnswerElement(result);
}
Also used :
Context(com.microsoft.z3.Context)
BoolExpr(com.microsoft.z3.BoolExpr)
StaticRoute(org.batfish.datamodel.StaticRoute)
Configuration(org.batfish.datamodel.Configuration)
ArrayList(java.util.ArrayList)
SmtOneAnswerElement(org.batfish.symbolic.answers.SmtOneAnswerElement)
Prefix(org.batfish.datamodel.Prefix)
IpWildcard(org.batfish.datamodel.IpWildcard)
Graph(org.batfish.symbolic.Graph)
TreeSet(java.util.TreeSet)
Example 12 with IpWildcard
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class BDDAcl method computeWildcardMatch.
/*
* Convert a set of wildcards and a packet field to a symbolic boolean expression
*/
private BDD computeWildcardMatch(Set<IpWildcard> wcs, BDDInteger field, @Nullable Set<Prefix> ignored) {
BDD acc = _factory.zero();
for (IpWildcard wc : wcs) {
if (!wc.isPrefix()) {
throw new BatfishException("ERROR: computeDstWildcards, non sequential mask detected");
}
Prefix p = wc.toPrefix();
// if (!PrefixUtils.isContainedBy(p, ignored)) {
acc = acc.or(isRelevantFor(p, field));
// }
}
return acc;
}
Also used :
IpWildcard(org.batfish.datamodel.IpWildcard)
BatfishException(org.batfish.common.BatfishException)
BDD(net.sf.javabdd.BDD)
Prefix(org.batfish.datamodel.Prefix)
Example 13 with IpWildcard
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class BoolExprTransformerTest method testVisitHeaderSpaceMatchExpr.
@Test
public void testVisitHeaderSpaceMatchExpr() {
long ipCounter = 1L;
int intCounter = 1;
HeaderSpace.Builder<?, ?> hb = IpAccessListLine.builder();
BooleanExpr expr = new HeaderSpaceMatchExpr(hb.setDscps(ImmutableSet.of(intCounter++, intCounter++)).setDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setDstProtocols(ImmutableSet.of(Protocol.DNS, Protocol.HTTP)).setEcns(ImmutableSet.of(intCounter++, intCounter++)).setFragmentOffsets(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIcmpCodes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIcmpTypes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setIpProtocols(ImmutableSet.of(IpProtocol.AHP, IpProtocol.ARGUS)).setNegate(true).setNotDscps(ImmutableSet.of(intCounter++, intCounter++)).setNotDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setNotDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotDstProtocols(ImmutableSet.of(Protocol.HTTPS, Protocol.TELNET)).setNotEcns(ImmutableSet.of(intCounter++, intCounter++)).setNotFragmentOffsets(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIcmpCodes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIcmpTypes(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotIpProtocols(ImmutableSet.of(IpProtocol.BNA, IpProtocol.XNET)).setNotPacketLengths(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotSrcIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setNotSrcPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setNotSrcProtocols(ImmutableSet.of(Protocol.SSH, Protocol.TCP)).setPacketLengths(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setSrcOrDstIps(ImmutableSet.of(new IpWildcard(new Ip(ipCounter++)), new IpWildcard(new Ip(ipCounter++)))).setSrcOrDstPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcOrDstProtocols(ImmutableSet.of(Protocol.UDP, Protocol.HTTP)).setSrcPorts(ImmutableSet.of(new SubRange(intCounter++, intCounter++), new SubRange(intCounter++, intCounter++))).setSrcProtocols(ImmutableSet.of(Protocol.HTTPS, Protocol.DNS)).setStates(ImmutableSet.of(State.ESTABLISHED, State.NEW)).setTcpFlags(ImmutableSet.of(TcpFlags.builder().setAck(true).setUseAck(true).build(), TcpFlags.builder().setUseCwr(true).build())).build());
assertThat(toBoolExpr(expr, _input, _nodContext), instanceOf(BoolExpr.class));
}
Also used :
IpWildcard(org.batfish.datamodel.IpWildcard)
BoolExpr(com.microsoft.z3.BoolExpr)
BoolExprTransformer.toBoolExpr(org.batfish.z3.expr.visitors.BoolExprTransformer.toBoolExpr)
Ip(org.batfish.datamodel.Ip)
HeaderSpace(org.batfish.datamodel.HeaderSpace)
HeaderSpaceMatchExpr(org.batfish.z3.expr.HeaderSpaceMatchExpr)
SubRange(org.batfish.datamodel.SubRange)
BooleanExpr(org.batfish.z3.expr.BooleanExpr)
Test(org.junit.Test)
Example 14 with IpWildcard
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class IpSpaceBooleanExprTransformerTest method testVisitIpWildcard.
@Test
public void testVisitIpWildcard() {
IpWildcard wildcard = new IpWildcard(new Ip("1.2.0.4"), new Ip(0x0000FF00L));
BooleanExpr matchExpr = wildcard.accept(SRC_IP_SPACE_BOOLEAN_EXPR_TRANSFORMER);
assertThat(matchExpr, equalTo(HeaderSpaceMatchExpr.matchSrcIp(ImmutableSet.of(wildcard))));
}
Also used :
IpWildcard(org.batfish.datamodel.IpWildcard)
Ip(org.batfish.datamodel.Ip)
BooleanExpr(org.batfish.z3.expr.BooleanExpr)
Test(org.junit.Test)
Example 15 with IpWildcard
use of org.batfish.datamodel.IpWildcard in project batfish by batfish.
the class ElasticsearchDomainTest method testSecurityGroupsAcl.
@Test
public void testSecurityGroupsAcl() throws IOException {
Map<String, Configuration> configurations = loadAwsConfigurations();
assertThat(configurations, hasKey("es-domain"));
assertThat(configurations.get("es-domain").getInterfaces().entrySet(), hasSize(2));
IpAccessListLine rejectSynOnly = IpAccessListLine.builder().setTcpFlags(ImmutableSet.of(TcpFlags.SYN_ONLY)).setAction(LineAction.REJECT).build();
IpAccessList expectedIncomingFilter = new IpAccessList("~SECURITY_GROUP_INGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setSrcIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setDstPorts(Sets.newHashSet(new SubRange(45, 50))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setSrcIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build()));
IpAccessList expectedOutgoingFilter = new IpAccessList("~SECURITY_GROUP_EGRESS_ACL~", Lists.newArrayList(IpAccessListLine.builder().setAction(LineAction.ACCEPT).setDstIps(Sets.newHashSet(new IpWildcard("0.0.0.0/0"))).build(), rejectSynOnly, IpAccessListLine.builder().setAction(LineAction.ACCEPT).setIpProtocols(Sets.newHashSet(IpProtocol.TCP)).setDstIps(Sets.newHashSet(new IpWildcard("1.2.3.4/32"), new IpWildcard("10.193.16.105/32"))).setSrcPorts(Sets.newHashSet(new SubRange(45, 50))).build()));
for (Interface iface : configurations.get("es-domain").getInterfaces().values()) {
assertThat(iface.getIncomingFilter(), equalTo(expectedIncomingFilter));
assertThat(iface.getOutgoingFilter(), equalTo(expectedOutgoingFilter));
}
}
Also used :
IpWildcard(org.batfish.datamodel.IpWildcard)
Configuration(org.batfish.datamodel.Configuration)
IpAccessListLine(org.batfish.datamodel.IpAccessListLine)
IpAccessList(org.batfish.datamodel.IpAccessList)
SubRange(org.batfish.datamodel.SubRange)
Interface(org.batfish.datamodel.Interface)
Test(org.junit.Test)
Aggregations
IpWildcard (org.batfish.datamodel.IpWildcard)63
Test (org.junit.Test)38
Ip (org.batfish.datamodel.Ip)18
IpAccessListLine (org.batfish.datamodel.IpAccessListLine)17
SubRange (org.batfish.datamodel.SubRange)16
HeaderSpace (org.batfish.datamodel.HeaderSpace)12
Prefix (org.batfish.datamodel.Prefix)9
LinkedList (java.util.LinkedList)8
Configuration (org.batfish.datamodel.Configuration)8
Context (com.microsoft.z3.Context)7
Interface (org.batfish.datamodel.Interface)7
IpAccessList (org.batfish.datamodel.IpAccessList)6
IpProtocol (org.batfish.datamodel.IpProtocol)6
BoolExpr (com.microsoft.z3.BoolExpr)5
TreeSet (java.util.TreeSet)5
BatfishException (org.batfish.common.BatfishException)5
RouteFilterList (org.batfish.datamodel.RouteFilterList)5
ImmutableSortedMap (com.google.common.collect.ImmutableSortedMap)4
Status (com.microsoft.z3.Status)4
Map (java.util.Map)4
