Use of org.batfish.datamodel.LineAction in project batfish by batfish: class NetworkAcl, method getAcl.
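/**
 * Builds the {@link IpAccessList} for one direction of this network ACL.
 *
 * <p>Only entries whose egress flag equals {@code isEgress} are converted. Lines are collected in
 * a {@link TreeMap} keyed by rule number, so the resulting list is ordered by rule number.
 * Each line's name is a human-readable summary:
 * {@code "<rule> <protocol> <ports> <cidr> <ALLOW|DENY>"}, where rule number 32767 is shown as
 * {@code "*"}.
 *
 * @param isEgress {@code true} to build the egress list, {@code false} for the ingress list
 * @return the access list named {@code <networkAclId>_egress} or {@code <networkAclId>_ingress}
 */
private IpAccessList getAcl(boolean isEgress) {
  // -1 marks an unspecified port bound in the entry; 32767 is the rule number rendered as "*".
  final int unspecifiedPort = -1;
  final int minPort = 0;
  final int maxPort = 65535;
  final int starRuleNumber = 32767;

  String listName = _networkAclId + (isEgress ? "_egress" : "_ingress");
  Map<Integer, IpAccessListLine> lineMap = new TreeMap<>();
  for (NetworkAclEntry entry : _entries) {
    if (entry.getIsEgress() != isEgress) {
      continue;
    }
    IpAccessListLine line = new IpAccessListLine();
    int key = entry.getRuleNumber();
    LineAction action = entry.getIsAllow() ? LineAction.ACCEPT : LineAction.REJECT;
    line.setAction(action);

    // Egress entries constrain the destination, ingress entries the source. Prefix.ZERO leaves
    // the line unconstrained on that side.
    Prefix prefix = entry.getCidrBlock();
    if (!prefix.equals(Prefix.ZERO)) {
      ImmutableSortedSet<IpWildcard> ips = ImmutableSortedSet.of(new IpWildcard(prefix));
      if (isEgress) {
        line.setDstIps(ips);
      } else {
        line.setSrcIps(ips);
      }
    }

    // A null protocol means the entry applies to all protocols and no protocol filter is set.
    IpProtocol protocol = IpPermissions.toIpProtocol(entry.getProtocol());
    String protocolStr = protocol != null ? protocol.toString() : "ALL";
    if (protocol != null) {
      line.setIpProtocols(ImmutableSortedSet.of(protocol));
    }

    int fromPort = entry.getFromPort();
    int toPort = entry.getToPort();
    boolean portsSpecified = fromPort != unspecifiedPort || toPort != unspecifiedPort;
    SubRange portRange = null;
    if (portsSpecified) {
      // An unspecified bound on one side widens to the end of the port space on that side. The
      // SubRange is built only AFTER this normalization: building it first (as before) put a
      // -1 bound into the line's destination-port set whenever only one side was given.
      if (fromPort == unspecifiedPort) {
        fromPort = minPort;
      }
      if (toPort == unspecifiedPort) {
        toPort = maxPort;
      }
      portRange = new SubRange(fromPort, toPort);
      line.setDstPorts(ImmutableSortedSet.of(portRange));
    }

    String portStr;
    if (protocol == IpProtocol.ICMP) {
      // TODO: flesh these out
      portStr = "some ICMP type(s)/code(s)";
    } else if (!portsSpecified || (fromPort == minPort && toPort == maxPort)) {
      portStr = "ALL";
    } else {
      // portRange is non-null here because portsSpecified is true.
      portStr = portRange.toString();
    }

    String actionStr = action == LineAction.ACCEPT ? "ALLOW" : "DENY";
    String lineNumber = key == starRuleNumber ? "*" : Integer.toString(key);
    line.setName(String.format("%s %s %s %s %s", lineNumber, protocolStr, portStr, prefix, actionStr));
    lineMap.put(key, line);
  }
  List<IpAccessListLine> lines = ImmutableList.copyOf(lineMap.values());
  return new IpAccessList(listName, lines);
}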
Use of org.batfish.datamodel.LineAction in project batfish by batfish: class IptablesVendorConfiguration, method toIpAccessList.
/**
 * Converts one iptables chain into an {@link IpAccessList} named {@code aclName}.
 *
 * <p>Every rule becomes one line whose match fields are accumulated from the rule's match list.
 * Interface matches are not stored on the line; they are recorded per line in
 * {@code _lineInInterfaces} / {@code _lineOutInterfaces} (canonicalized through {@code vc}).
 * A trailing line named {@code "default"} carries the chain's policy action.
 *
 * @param aclName name of the resulting access list
 * @param chain the chain whose rules are converted, in order
 * @param vc vendor configuration used to canonicalize interface names
 * @return the converted access list
 * @throws BatfishException if a match type is not handled here
 */
private IpAccessList toIpAccessList(String aclName, IptablesChain chain, VendorConfiguration vc) {
  ImmutableList.Builder<IpAccessListLine> lines = ImmutableList.builder();
  for (IptablesRule iptRule : chain.getRules()) {
    IpAccessListLine aclLine = new IpAccessListLine();
    // NOTE(review): this flag starts false and is only ever reset to false below, so the
    // "any interface" branch after the loop can never run. Behavior is preserved as-is here;
    // whether the maps should record null for rules without an interface match needs confirming.
    boolean anyInterface = false;
    for (IptablesMatch match : iptRule.getMatchList()) {
      switch (match.getMatchType()) {
        case DESTINATION:
          aclLine.setDstIps(appendOne(aclLine.getDstIps(), match.toIpWildcard()));
          break;
        case DESTINATION_PORT:
          aclLine.setDstPorts(Iterables.concat(aclLine.getDstPorts(), match.toPortRanges()));
          break;
        case IN_INTERFACE:
          _lineInInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
          anyInterface = false;
          break;
        case OUT_INTERFACE:
          _lineOutInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
          anyInterface = false;
          break;
        case PROTOCOL:
          aclLine.setIpProtocols(appendOne(aclLine.getIpProtocols(), match.toIpProtocol()));
          break;
        case SOURCE:
          aclLine.setSrcIps(appendOne(aclLine.getSrcIps(), match.toIpWildcard()));
          break;
        case SOURCE_PORT:
          aclLine.setSrcPorts(Iterables.concat(aclLine.getSrcPorts(), match.toPortRanges()));
          break;
        default:
          throw new BatfishException("Unknown match type: " + match.getMatchType());
      }
    }
    if (anyInterface) {
      _lineInInterfaces.put(aclLine, null);
      _lineOutInterfaces.put(aclLine, null);
    }
    aclLine.setName(iptRule.getName());
    aclLine.setAction(iptRule.getIpAccessListLineAction());
    lines.add(aclLine);
  }

  // The chain policy becomes the final, unconditional line.
  IpAccessListLine policyLine = new IpAccessListLine();
  policyLine.setAction(chain.getIpAccessListLineAction());
  policyLine.setName("default");
  lines.add(policyLine);

  return new IpAccessList(aclName, lines.build());
}

/** Lazily appends a single element to an existing iterable (same as concat with a singleton). */
private static <T> Iterable<T> appendOne(Iterable<? extends T> current, T extra) {
  return Iterables.concat(current, Collections.singleton(extra));
}
Use of org.batfish.datamodel.LineAction in project batfish by batfish: class JuniperConfiguration, method toIpAccessList.
/**
 * Converts a Juniper firewall filter into an {@link IpAccessList} with one line per term.
 *
 * <p>A term whose only terminating action is {@code next term} produces no line. Plain
 * {@code from} conditions are applied to the term's own line; application, host-protocol and
 * host-service conditions instead expand into lines of their own, in which case the term's own
 * line is not added.
 *
 * @param filter the filter to convert
 * @return the converted access list, named after the filter
 * @throws VendorConversionException declared for callers; not thrown directly here
 */
private IpAccessList toIpAccessList(FirewallFilter filter) throws VendorConversionException {
  String filterName = filter.getName();
  List<IpAccessListLine> lines = new ArrayList<>();
  for (FwTerm term : filter.getTerms().values()) {
    LineAction action = terminatingAction(term, filterName);
    if (action == null) {
      continue;
    }
    IpAccessListLine line = new IpAccessListLine();
    line.setName(term.getName());
    line.setAction(action);
    for (FwFrom from : term.getFroms()) {
      from.applyTo(line, this, _w, _c);
    }
    // Only a term without expanding conditions contributes its own line.
    boolean standalone =
        term.getFromApplications().isEmpty()
            && term.getFromHostProtocols().isEmpty()
            && term.getFromHostServices().isEmpty();
    for (FwFromHostProtocol hostProtocol : term.getFromHostProtocols()) {
      hostProtocol.applyTo(lines, _w);
    }
    for (FwFromHostService hostService : term.getFromHostServices()) {
      hostService.applyTo(lines, _w);
    }
    for (FwFromApplication application : term.getFromApplications()) {
      application.applyTo(line, lines, _w);
    }
    if (standalone) {
      lines.add(line);
    }
  }
  return new IpAccessList(filterName, lines);
}

/**
 * Resolves the terminating action of {@code term} from its {@code then} clauses, checked in the
 * order accept, discard, next-term, nop.
 *
 * @return the line action, or {@code null} when the term falls through to the next term and
 *     therefore produces no line; a term with no recognized action is red-flagged and rejected
 */
private LineAction terminatingAction(FwTerm term, String filterName) {
  if (term.getThens().contains(FwThenAccept.INSTANCE)) {
    return LineAction.ACCEPT;
  }
  if (term.getThens().contains(FwThenDiscard.INSTANCE)) {
    return LineAction.REJECT;
  }
  if (term.getThens().contains(FwThenNextTerm.INSTANCE)) {
    // TODO: throw error if any transformation is being done
    return null;
  }
  if (term.getThens().contains(FwThenNop.INSTANCE)) {
    // we assume for now that any 'nop' operations imply acceptance
    return LineAction.ACCEPT;
  }
  _w.redFlag("missing action in firewall filter: '" + filterName + "', term: '" + term.getName() + "'");
  return LineAction.REJECT;
}
Use of org.batfish.datamodel.LineAction in project batfish by batfish: class PsFromPrefixListFilterLonger, method toBooleanExpr.
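/**
 * Converts {@code from prefix-list-filter <list> longer} into a match on a derived route filter
 * list named {@code ~<list>~LONGER~}, whose lines cover strictly more specific prefixes than the
 * original list's lines.
 *
 * <p>The derived list is created once and registered in {@code c}; later references reuse it.
 * Undefined or IPv6 prefix lists yield a constant-false expression (the former with a warning).
 *
 * @param jc the Juniper configuration holding the prefix lists
 * @param c the target configuration in which route filter lists are registered
 * @param warnings sink for conversion warnings
 * @return the boolean expression matching the destination network against the derived list
 */
@Override
public BooleanExpr toBooleanExpr(JuniperConfiguration jc, Configuration c, Warnings warnings) {
  PrefixList pl = jc.getPrefixLists().get(_prefixList);
  if (pl == null) {
    warnings.redFlag("Reference to undefined prefix-list: \"" + _prefixList + "\"");
    return BooleanExprs.False.toStaticBooleanExpr();
  }
  pl.getReferers().put(this, "from prefix-list-filter longer");
  if (pl.getIpv6()) {
    return BooleanExprs.False.toStaticBooleanExpr();
  }
  String longerListName = "~" + _prefixList + "~LONGER~";
  RouteFilterList longerList = c.getRouteFilterLists().get(longerListName);
  if (longerList == null) {
    RouteFilterList rf = c.getRouteFilterLists().get(_prefixList);
    if (rf == null) {
      // Guard instead of NPE: the converted route filter list is expected to exist once the
      // prefix list is defined, but the lookup is not guaranteed from here.
      warnings.redFlag("Reference to unconverted prefix-list: \"" + _prefixList + "\"");
      return BooleanExprs.False.toStaticBooleanExpr();
    }
    longerList = new RouteFilterList(longerListName);
    for (RouteFilterLine line : rf.getLines()) {
      Prefix prefix = line.getPrefix();
      // "longer" excludes the prefix length itself, so the derived range starts one past the
      // original lower bound; compute and validate it before building the SubRange.
      int longerStart = line.getLengthRange().getStart() + 1;
      if (longerStart > Prefix.MAX_PREFIX_LENGTH) {
        warnings.redFlag("'prefix-list-filter " + _prefixList + " longer' cannot match more specific prefix than " + prefix);
        continue;
      }
      SubRange longerLineRange = new SubRange(longerStart, Prefix.MAX_PREFIX_LENGTH);
      longerList.addLine(new RouteFilterLine(line.getAction(), prefix, longerLineRange));
    }
    // Register the derived list unconditionally. Registering it only inside the loop (as before)
    // left the name returned below dangling whenever rf had no lines or every line was skipped.
    c.getRouteFilterLists().put(longerListName, longerList);
  }
  return new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(longerListName));
}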
Use of org.batfish.datamodel.LineAction in project batfish by batfish: class PsFromPrefixListFilterOrLonger, method toBooleanExpr.
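/**
 * Converts {@code from prefix-list-filter <list> or-longer} into a match on a derived route
 * filter list named {@code ~<list>~ORLONGER~}, whose lines cover each original prefix at its own
 * lower length bound and every more specific length up to {@link Prefix#MAX_PREFIX_LENGTH}.
 *
 * <p>The derived list is created once and registered in {@code c}; later references reuse it.
 * Undefined or IPv6 prefix lists yield a constant-false expression (the former with a warning).
 *
 * @param jc the Juniper configuration holding the prefix lists
 * @param c the target configuration in which route filter lists are registered
 * @param warnings sink for conversion warnings
 * @return the boolean expression matching the destination network against the derived list
 */
@Override
public BooleanExpr toBooleanExpr(JuniperConfiguration jc, Configuration c, Warnings warnings) {
  PrefixList pl = jc.getPrefixLists().get(_prefixList);
  if (pl == null) {
    warnings.redFlag("Reference to undefined prefix-list: \"" + _prefixList + "\"");
    return BooleanExprs.False.toStaticBooleanExpr();
  }
  pl.getReferers().put(this, "from prefix-list-filter or-longer");
  if (pl.getIpv6()) {
    return BooleanExprs.False.toStaticBooleanExpr();
  }
  String orLongerListName = "~" + _prefixList + "~ORLONGER~";
  RouteFilterList orLongerList = c.getRouteFilterLists().get(orLongerListName);
  if (orLongerList == null) {
    RouteFilterList rf = c.getRouteFilterLists().get(_prefixList);
    if (rf == null) {
      // Guard instead of NPE: the converted route filter list is expected to exist once the
      // prefix list is defined, but the lookup is not guaranteed from here.
      warnings.redFlag("Reference to unconverted prefix-list: \"" + _prefixList + "\"");
      return BooleanExprs.False.toStaticBooleanExpr();
    }
    orLongerList = new RouteFilterList(orLongerListName);
    for (RouteFilterLine line : rf.getLines()) {
      // "or-longer" keeps the original lower bound and extends to the maximum length.
      SubRange orLongerLineRange =
          new SubRange(line.getLengthRange().getStart(), Prefix.MAX_PREFIX_LENGTH);
      orLongerList.addLine(new RouteFilterLine(line.getAction(), line.getPrefix(), orLongerLineRange));
    }
    // Register the derived list unconditionally. Registering it only inside the loop (as before)
    // left the name returned below dangling whenever rf had no lines.
    c.getRouteFilterLists().put(orLongerListName, orLongerList);
  }
  return new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(orLongerListName));
}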