
Example 6 with LineAction

use of org.batfish.datamodel.LineAction in project batfish by batfish.

Class NetworkAcl, method getAcl.

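/**
 * Builds the ingress or egress {@link IpAccessList} for this network ACL.
 *
 * <p>Only entries whose direction matches {@code isEgress} are converted. Lines are keyed by
 * rule number in a {@link TreeMap}, so they come out in ascending rule-number order; a duplicate
 * rule number replaces the earlier line. Rule number 32767 is rendered as {@code *} in the line
 * name. {@code getIsAllow() == false} maps to {@link LineAction#REJECT}.
 *
 * @param isEgress {@code true} to build the egress list, {@code false} for ingress
 * @return the access list named {@code <networkAclId>_egress} or {@code <networkAclId>_ingress}
 */
private IpAccessList getAcl(boolean isEgress) {
    String listName = _networkAclId + (isEgress ? "_egress" : "_ingress");
    Map<Integer, IpAccessListLine> lineMap = new TreeMap<>();
    for (NetworkAclEntry entry : _entries) {
        // Skip entries that belong to the other direction.
        if (entry.getIsEgress() != isEgress) {
            continue;
        }
        IpAccessListLine line = new IpAccessListLine();
        int key = entry.getRuleNumber();
        LineAction action = entry.getIsAllow() ? LineAction.ACCEPT : LineAction.REJECT;
        line.setAction(action);
        // 0.0.0.0/0 matches everything, so no address constraint is added for it.
        Prefix prefix = entry.getCidrBlock();
        if (!prefix.equals(Prefix.ZERO)) {
            if (isEgress) {
                line.setDstIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
            } else {
                line.setSrcIps(ImmutableSortedSet.of(new IpWildcard(prefix)));
            }
        }
        // A null protocol means the entry applies to all IP protocols.
        IpProtocol protocol = IpPermissions.toIpProtocol(entry.getProtocol());
        String protocolStr = protocol != null ? protocol.toString() : "ALL";
        if (protocol != null) {
            line.setIpProtocols(ImmutableSortedSet.of(protocol));
        }
        int fromPort = entry.getFromPort();
        int toPort = entry.getToPort();
        // -1 on both sides means "no port constraint"; -1 on one side means that side is
        // unbounded. Normalize BEFORE constructing the SubRange so the -1 sentinel never ends
        // up in the range placed on the line (previously the range was built from raw values).
        boolean hasPortConstraint = fromPort != -1 || toPort != -1;
        if (hasPortConstraint) {
            if (fromPort == -1) {
                fromPort = 0;
            }
            if (toPort == -1) {
                toPort = 65535;
            }
        }
        SubRange portRange = new SubRange(fromPort, toPort);
        if (hasPortConstraint) {
            line.setDstPorts(ImmutableSortedSet.of(portRange));
        }
        String portStr;
        if (protocol == IpProtocol.ICMP) {
            // TODO: flesh these out
            portStr = "some ICMP type(s)/code(s)";
        } else if (!hasPortConstraint || (fromPort == 0 && toPort == 65535)) {
            portStr = "ALL";
        } else {
            portStr = portRange.toString();
        }
        String actionStr = action == LineAction.ACCEPT ? "ALLOW" : "DENY";
        String lineNumber = key == 32767 ? "*" : Integer.toString(key);
        line.setName(String.format("%s %s %s %s %s", lineNumber, protocolStr, portStr, prefix, actionStr));
        lineMap.put(key, line);
    }
    List<IpAccessListLine> lines = ImmutableList.copyOf(lineMap.values());
    return new IpAccessList(listName, lines);
}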

Example 7 with LineAction

use of org.batfish.datamodel.LineAction in project batfish by batfish.

Class IptablesVendorConfiguration, method toIpAccessList.

/**
 * Converts one iptables chain into an {@link IpAccessList} named {@code aclName}.
 *
 * <p>Each rule becomes one line whose match fields are accumulated from the rule's matches.
 * Interface constraints ({@code -i}/{@code -o}) are not expressible on the line itself and are
 * recorded in {@code _lineInInterfaces}/{@code _lineOutInterfaces} instead. A trailing line
 * carrying the chain's default policy is appended so traffic matched by no rule receives that
 * policy.
 *
 * @param aclName name of the resulting access list
 * @param chain the iptables chain to convert
 * @param vc used to canonicalize interface names
 * @return the converted access list
 * @throws BatfishException if a match has an unrecognized type
 */
private IpAccessList toIpAccessList(String aclName, IptablesChain chain, VendorConfiguration vc) {
    ImmutableList.Builder<IpAccessListLine> lines = ImmutableList.builder();
    for (IptablesRule rule : chain.getRules()) {
        IpAccessListLine aclLine = new IpAccessListLine();
        // NOTE(review): this flag starts false and is only ever assigned false, so the
        // "any interface" branch below is unreachable; kept as-is to preserve behavior.
        // Confirm whether it was meant to start true.
        boolean anyInterface = false;
        for (IptablesMatch match : rule.getMatchList()) {
            if (applyIptablesMatch(aclLine, match, vc)) {
                anyInterface = false;
            }
        }
        if (anyInterface) {
            _lineInInterfaces.put(aclLine, null);
            _lineOutInterfaces.put(aclLine, null);
        }
        aclLine.setName(rule.getName());
        aclLine.setAction(rule.getIpAccessListLineAction());
        lines.add(aclLine);
    }
    // Trailing line implementing the chain's default policy.
    IpAccessListLine policyLine = new IpAccessListLine();
    policyLine.setAction(chain.getIpAccessListLineAction());
    policyLine.setName("default");
    lines.add(policyLine);
    return new IpAccessList(aclName, lines.build());
}

/**
 * Applies a single iptables match to {@code aclLine}, or records its interface constraint in
 * the per-line interface maps.
 *
 * @return {@code true} if the match was an interface match ({@code -i} or {@code -o})
 * @throws BatfishException if the match type is not handled
 */
private boolean applyIptablesMatch(IpAccessListLine aclLine, IptablesMatch match, VendorConfiguration vc) {
    switch (match.getMatchType()) {
        case DESTINATION:
            aclLine.setDstIps(Iterables.concat(aclLine.getDstIps(), Collections.singleton(match.toIpWildcard())));
            return false;
        case DESTINATION_PORT:
            aclLine.setDstPorts(Iterables.concat(aclLine.getDstPorts(), match.toPortRanges()));
            return false;
        case IN_INTERFACE:
            _lineInInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
            return true;
        case OUT_INTERFACE:
            _lineOutInterfaces.put(aclLine, vc.canonicalizeInterfaceName(match.toInterfaceName()));
            return true;
        case PROTOCOL:
            aclLine.setIpProtocols(Iterables.concat(aclLine.getIpProtocols(), Collections.singleton(match.toIpProtocol())));
            return false;
        case SOURCE:
            aclLine.setSrcIps(Iterables.concat(aclLine.getSrcIps(), Collections.singleton(match.toIpWildcard())));
            return false;
        case SOURCE_PORT:
            aclLine.setSrcPorts(Iterables.concat(aclLine.getSrcPorts(), match.toPortRanges()));
            return false;
        default:
            throw new BatfishException("Unknown match type: " + match.getMatchType());
    }
}

Example 8 with LineAction

use of org.batfish.datamodel.LineAction in project batfish by batfish.

Class JuniperConfiguration, method toIpAccessList.

/**
 * Converts a Juniper firewall filter into an {@link IpAccessList}.
 *
 * <p>Each term contributes a line whose action is derived from its {@code then} clauses
 * (see {@link #termAction}); a term whose only action is {@code next term} contributes nothing.
 * Terms that match on applications, host protocols or host services delegate line creation to
 * those match objects, which may expand one term into several lines; only terms without such
 * matches add the single line built here.
 *
 * @param filter the firewall filter to convert
 * @return the converted access list, named after the filter
 * @throws VendorConversionException declared for callers; nothing in this body throws it directly
 */
private IpAccessList toIpAccessList(FirewallFilter filter) throws VendorConversionException {
    String name = filter.getName();
    List<IpAccessListLine> lines = new ArrayList<>();
    for (FwTerm term : filter.getTerms().values()) {
        LineAction action = termAction(name, term);
        if (action == null) {
            // 'next term': nothing to emit for this term
            continue;
        }
        IpAccessListLine line = new IpAccessListLine();
        line.setName(term.getName());
        line.setAction(action);
        for (FwFrom from : term.getFroms()) {
            from.applyTo(line, this, _w, _c);
        }
        boolean hasDerivedMatches = !term.getFromApplications().isEmpty()
            || !term.getFromHostProtocols().isEmpty()
            || !term.getFromHostServices().isEmpty();
        for (FwFromHostProtocol from : term.getFromHostProtocols()) {
            from.applyTo(lines, _w);
        }
        for (FwFromHostService from : term.getFromHostServices()) {
            from.applyTo(lines, _w);
        }
        for (FwFromApplication fromApplication : term.getFromApplications()) {
            fromApplication.applyTo(line, lines, _w);
        }
        if (!hasDerivedMatches) {
            lines.add(line);
        }
    }
    return new IpAccessList(name, lines);
}

/**
 * Resolves a term's {@code then} clauses to a line action.
 *
 * <p>Order of precedence: accept, discard, next term, nop. A bare {@code nop} is treated as
 * accept, and a term with no recognized action is red-flagged and treated as reject. Note that
 * the {@code nop}-as-accept assumption is permissive.
 *
 * @param filterName name of the enclosing filter, used in the warning message
 * @param term the term whose action is being resolved
 * @return the action, or {@code null} when the term is a {@code next term} and emits no line
 */
private LineAction termAction(String filterName, FwTerm term) {
    if (term.getThens().contains(FwThenAccept.INSTANCE)) {
        return LineAction.ACCEPT;
    }
    if (term.getThens().contains(FwThenDiscard.INSTANCE)) {
        return LineAction.REJECT;
    }
    if (term.getThens().contains(FwThenNextTerm.INSTANCE)) {
        // TODO: throw error if any transformation is being done
        return null;
    }
    if (term.getThens().contains(FwThenNop.INSTANCE)) {
        // we assume for now that any 'nop' operations imply acceptance
        return LineAction.ACCEPT;
    }
    _w.redFlag("missing action in firewall filter: '" + filterName + "', term: '" + term.getName() + "'");
    return LineAction.REJECT;
}

Example 9 with LineAction

use of org.batfish.datamodel.LineAction in project batfish by batfish.

Class PsFromPrefixListFilterLonger, method toBooleanExpr.

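/**
 * Builds the routing-policy expression for {@code from prefix-list-filter <name> longer}.
 *
 * <p>Matches destination networks strictly more specific than an entry of the referenced prefix
 * list. The derived list {@code ~<name>~LONGER~} is built once per configuration and reused on
 * later calls. IPv6 prefix lists and undefined references evaluate to a static {@code false}
 * (the undefined case is red-flagged), so a dangling reference never matches.
 *
 * @param jc the vendor-specific configuration holding the prefix lists
 * @param c the vendor-independent configuration being populated
 * @param warnings sink for conversion warnings
 * @return the match expression, or a static {@code false}
 */
@Override
public BooleanExpr toBooleanExpr(JuniperConfiguration jc, Configuration c, Warnings warnings) {
    PrefixList pl = jc.getPrefixLists().get(_prefixList);
    if (pl == null) {
        warnings.redFlag("Reference to undefined prefix-list: \"" + _prefixList + "\"");
        return BooleanExprs.False.toStaticBooleanExpr();
    }
    pl.getReferers().put(this, "from prefix-list-filter longer");
    if (pl.getIpv6()) {
        return BooleanExprs.False.toStaticBooleanExpr();
    }
    String longerListName = "~" + _prefixList + "~LONGER~";
    RouteFilterList longerList = c.getRouteFilterLists().get(longerListName);
    if (longerList == null) {
        RouteFilterList rf = c.getRouteFilterLists().get(_prefixList);
        if (rf == null) {
            // Defined in the Juniper config but not converted into c; previously this was an NPE.
            warnings.redFlag("prefix-list " + _prefixList + " has no converted route-filter list");
            return BooleanExprs.False.toStaticBooleanExpr();
        }
        longerList = new RouteFilterList(longerListName);
        for (RouteFilterLine line : rf.getLines()) {
            Prefix prefix = line.getPrefix();
            // "longer" excludes the entry's own length, so the range starts one past it. Check
            // the bound before constructing the SubRange so an inverted range is never built.
            int longerStart = line.getLengthRange().getStart() + 1;
            if (longerStart > Prefix.MAX_PREFIX_LENGTH) {
                warnings.redFlag("'prefix-list-filter " + _prefixList + " longer' cannot match more specific prefix than " + prefix);
                continue;
            }
            SubRange longerLineRange = new SubRange(longerStart, Prefix.MAX_PREFIX_LENGTH);
            longerList.addLine(new RouteFilterLine(line.getAction(), prefix, longerLineRange));
        }
        // Register once, after building. Registering inside the loop meant a list whose entries
        // were all skipped (or empty) was never registered, and the returned NamedPrefixSet then
        // referenced a list that does not exist in c.
        c.getRouteFilterLists().put(longerListName, longerList);
    }
    return new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(longerListName));
}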

Example 10 with LineAction

use of org.batfish.datamodel.LineAction in project batfish by batfish.

Class PsFromPrefixListFilterOrLonger, method toBooleanExpr.

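/**
 * Builds the routing-policy expression for {@code from prefix-list-filter <name> or-longer}.
 *
 * <p>Matches destination networks equal to or more specific than an entry of the referenced
 * prefix list. The derived list {@code ~<name>~ORLONGER~} is built once per configuration and
 * reused on later calls. IPv6 prefix lists and undefined references evaluate to a static
 * {@code false} (the undefined case is red-flagged), so a dangling reference never matches.
 *
 * @param jc the vendor-specific configuration holding the prefix lists
 * @param c the vendor-independent configuration being populated
 * @param warnings sink for conversion warnings
 * @return the match expression, or a static {@code false}
 */
@Override
public BooleanExpr toBooleanExpr(JuniperConfiguration jc, Configuration c, Warnings warnings) {
    PrefixList pl = jc.getPrefixLists().get(_prefixList);
    if (pl == null) {
        warnings.redFlag("Reference to undefined prefix-list: \"" + _prefixList + "\"");
        return BooleanExprs.False.toStaticBooleanExpr();
    }
    pl.getReferers().put(this, "from prefix-list-filter or-longer");
    if (pl.getIpv6()) {
        return BooleanExprs.False.toStaticBooleanExpr();
    }
    String orLongerListName = "~" + _prefixList + "~ORLONGER~";
    RouteFilterList orLongerList = c.getRouteFilterLists().get(orLongerListName);
    if (orLongerList == null) {
        RouteFilterList rf = c.getRouteFilterLists().get(_prefixList);
        if (rf == null) {
            // Defined in the Juniper config but not converted into c; previously this was an NPE.
            warnings.redFlag("prefix-list " + _prefixList + " has no converted route-filter list");
            return BooleanExprs.False.toStaticBooleanExpr();
        }
        orLongerList = new RouteFilterList(orLongerListName);
        for (RouteFilterLine line : rf.getLines()) {
            // "or-longer" includes the entry's own length, so the range starts at it.
            SubRange orLongerLineRange = new SubRange(line.getLengthRange().getStart(), Prefix.MAX_PREFIX_LENGTH);
            orLongerList.addLine(new RouteFilterLine(line.getAction(), line.getPrefix(), orLongerLineRange));
        }
        // Register once, after building. Registering inside the loop meant an empty source list
        // produced no registration, and the returned NamedPrefixSet then referenced a list that
        // does not exist in c.
        c.getRouteFilterLists().put(orLongerListName, orLongerList);
    }
    return new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(orLongerListName));
}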
