
Example 6 with RoutingPolicy

use of org.batfish.datamodel.routing_policy.RoutingPolicy in project batfish by batfish.

From class ConfigurationTest, method testComputeRoutingPolicySources.

@Test
public void testComputeRoutingPolicySources() {
    // Policies that will actually be defined on the configuration ...
    String bgpExportName = "bgpExportPolicy";
    String bgpImportName = "bgpImportPolicy";
    String grAttributeName = "generatedRouteAttributePolicy";
    String grGenerationName = "generatedRouteGenerationPolicy";
    String ospfExportName = "ospfExportPolicy";
    String ospfExportSubName = "ospfExportSubPolicy";
    // ... and two references that cannot be resolved: a dangling name and a null name.
    String bgpMissingExportName = "bgpMissingExportPolicy";
    String bgpMissingImportName = null;
    Prefix peerPrefix = new Prefix(Ip.ZERO, Prefix.MAX_PREFIX_LENGTH);
    Prefix peerWithMissingPoliciesPrefix = new Prefix(Ip.MAX, Prefix.MAX_PREFIX_LENGTH);

    Configuration c = new Configuration("test", ConfigurationFormat.CISCO_IOS);
    Vrf vrf = c.getVrfs().computeIfAbsent(Configuration.DEFAULT_VRF_NAME, Vrf::new);

    // BGP: one neighbor whose policies exist, one whose policies do not
    BgpProcess bgp = new BgpProcess();
    vrf.setBgpProcess(bgp);
    BgpNeighbor peer = bgp.getNeighbors().computeIfAbsent(peerPrefix, BgpNeighbor::new);
    peer.setExportPolicy(defineEmptyRoutingPolicy(c, bgpExportName));
    peer.setImportPolicy(defineEmptyRoutingPolicy(c, bgpImportName));
    BgpNeighbor peerWithMissingPolicies = bgp.getNeighbors().computeIfAbsent(peerWithMissingPoliciesPrefix, BgpNeighbor::new);
    peerWithMissingPolicies.setExportPolicy(bgpMissingExportName);
    peerWithMissingPolicies.setImportPolicy(bgpMissingImportName);

    // Generated route (same network as the first neighbor) with attribute and generation policies
    GeneratedRoute gr = new GeneratedRoute.Builder()
        .setNetwork(peerPrefix)
        .setAttributePolicy(defineEmptyRoutingPolicy(c, grAttributeName))
        .setGenerationPolicy(defineEmptyRoutingPolicy(c, grGenerationName))
        .build();
    vrf.getGeneratedRoutes().add(gr);

    // OSPF: an export policy that calls a sub-policy, so both must show up as sources
    OspfProcess ospf = new OspfProcess();
    vrf.setOspfProcess(ospf);
    ospf.setExportPolicy(ospfExportName);
    RoutingPolicy ospfExport = c.getRoutingPolicies().computeIfAbsent(ospfExportName, n -> new RoutingPolicy(n, c));
    ospfExport.getStatements().add(new CallStatement(defineEmptyRoutingPolicy(c, ospfExportSubName)));

    // Compute policy sources
    Warnings w = new Warnings();
    c.computeRoutingPolicySources(w);

    // BGP: resolvable policies are reported; unresolvable (dangling or null) names yield empty sets
    assertThat(peer.getExportPolicySources(), equalTo(Collections.singleton(bgpExportName)));
    assertThat(peer.getImportPolicySources(), equalTo(Collections.singleton(bgpImportName)));
    assertThat(peerWithMissingPolicies.getExportPolicySources(), equalTo(Collections.emptySet()));
    assertThat(peerWithMissingPolicies.getImportPolicySources(), equalTo(Collections.emptySet()));
    // Generated route
    assertThat(gr.getAttributePolicySources(), equalTo(Collections.singleton(grAttributeName)));
    assertThat(gr.getGenerationPolicySources(), equalTo(Collections.singleton(grGenerationName)));
    // OSPF: the called sub-policy is transitively a source of the export policy
    assertThat(ospf.getExportPolicySources(), containsInAnyOrder(ospfExportName, ospfExportSubName));
}

/** Defines an empty routing policy named {@code name} on {@code c} (if not already present) and returns its name. */
private static String defineEmptyRoutingPolicy(Configuration c, String name) {
    return c.getRoutingPolicies().computeIfAbsent(name, n -> new RoutingPolicy(n, c)).getName();
}

Example 7 with RoutingPolicy

use of org.batfish.datamodel.routing_policy.RoutingPolicy in project batfish by batfish.

From class CiscoConfiguration, method toOspfProcess.

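/**
 * Converts a vendor-specific Cisco OSPF process into its vendor-independent datamodel form.
 *
 * <p>In order: max-metric settings, RFC 1583 compatibility, area membership of the VRF's
 * interfaces (longest-prefix match against the process's network statements), per-area
 * inter-area summarization filters, the synthesized export policy (default-information
 * originate plus redistribution of connected/static/BGP routes), reference bandwidth and
 * router-id.
 *
 * @param proc the vendor-specific OSPF process to convert
 * @param vrfName name of the VRF that owns the process; also embedded in generated structure names
 * @param c the vendor-independent configuration under construction; must already hold the VRF and
 *     its interfaces, and receives the export policy and summary filters created here
 * @param oldConfig the vendor-specific configuration whose interfaces are consulted for router-id
 *     inference
 * @return the converted process, or {@code null} when no router-id is configured and none can be
 *     inferred from the interfaces (a red flag is recorded in that case)
 */
private org.batfish.datamodel.OspfProcess toOspfProcess(OspfProcess proc, String vrfName, Configuration c, CiscoConfiguration oldConfig) {
    org.batfish.datamodel.OspfProcess newProcess = new org.batfish.datamodel.OspfProcess();
    org.batfish.datamodel.Vrf vrf = c.getVrfs().get(vrfName);
    if (proc.getMaxMetricRouterLsa()) {
        newProcess.setMaxMetricTransitLinks(OspfProcess.MAX_METRIC_ROUTER_LSA);
        if (proc.getMaxMetricIncludeStub()) {
            newProcess.setMaxMetricStubNetworks(OspfProcess.MAX_METRIC_ROUTER_LSA);
        }
        newProcess.setMaxMetricExternalNetworks(proc.getMaxMetricExternalLsa());
        newProcess.setMaxMetricSummaryNetworks(proc.getMaxMetricSummaryLsa());
    }
    newProcess.setProcessId(proc.getName());
    // Set RFC 1583 compatibility
    newProcess.setRfc1583Compatible(proc.getRfc1583Compatible());
    // establish areas and associated interfaces
    Map<Long, OspfArea> areas = newProcess.getAreas();
    assignInterfacesToAreas(proc, vrf, areas);
    // create summarization filters for inter-area routes
    addAreaSummaryFilters(proc, vrfName, c, areas);
    // Export policy: a sequence of guarded If blocks, each ending in ExitAccept. The redistribution
    // SetMetric statements are placed at top level just before their If, so a route that falls
    // through an earlier If simply has its metric overwritten by the next pair.
    String ospfExportPolicyName = "~OSPF_EXPORT_POLICY:" + vrfName + "~";
    RoutingPolicy ospfExportPolicy = new RoutingPolicy(ospfExportPolicyName, c);
    c.getRoutingPolicies().put(ospfExportPolicyName, ospfExportPolicy);
    List<Statement> ospfExportStatements = ospfExportPolicy.getStatements();
    newProcess.setExportPolicy(ospfExportPolicyName);
    // policy map for default information
    if (proc.getDefaultInformationOriginate()) {
        If ospfExportDefault = new If();
        ospfExportStatements.add(ospfExportDefault);
        ospfExportDefault.setComment("OSPF export default route");
        Conjunction ospfExportDefaultConditions = new Conjunction();
        List<Statement> ospfExportDefaultStatements = ospfExportDefault.getTrueStatements();
        ospfExportDefaultConditions.getConjuncts().add(matchDefaultRoute());
        long metric = proc.getDefaultInformationMetric();
        ospfExportDefaultStatements.add(new SetMetric(new LiteralLong(metric)));
        OspfMetricType metricType = proc.getDefaultInformationMetricType();
        ospfExportDefaultStatements.add(new SetOspfMetricType(metricType));
        // add default export map with metric
        String defaultOriginateMapName = proc.getDefaultInformationOriginateMap();
        boolean useAggregateDefaultOnly;
        if (defaultOriginateMapName != null) {
            int defaultOriginateMapLine = proc.getDefaultInformationOriginateMapLine();
            useAggregateDefaultOnly = true;
            // Resolve the name against the vendor route-maps, as the redistribution cases do.
            // Checking c.getRoutingPolicies() instead let a name that is a routing policy but not a
            // route-map pass the check and then dereference a null RouteMap here.
            RouteMap generationRouteMap = _routeMaps.get(defaultOriginateMapName);
            if (generationRouteMap == null) {
                undefined(CiscoStructureType.ROUTE_MAP, defaultOriginateMapName, CiscoStructureUsage.OSPF_DEFAULT_ORIGINATE_ROUTE_MAP, defaultOriginateMapLine);
            } else {
                generationRouteMap.getReferers().put(proc, "ospf default-originate route-map");
                GeneratedRoute.Builder route = new GeneratedRoute.Builder();
                route.setNetwork(Prefix.ZERO);
                route.setAdmin(MAX_ADMINISTRATIVE_COST);
                route.setGenerationPolicy(defaultOriginateMapName);
                newProcess.getGeneratedRoutes().add(route.build());
            }
        } else if (proc.getDefaultInformationOriginateAlways()) {
            useAggregateDefaultOnly = true;
            // add generated aggregate with no precondition
            GeneratedRoute.Builder route = new GeneratedRoute.Builder();
            route.setNetwork(Prefix.ZERO);
            route.setAdmin(MAX_ADMINISTRATIVE_COST);
            newProcess.getGeneratedRoutes().add(route.build());
        } else {
            // do not generate an aggregate default route;
            // just redistribute any existing default route with the new metric
            useAggregateDefaultOnly = false;
        }
        if (useAggregateDefaultOnly) {
            ospfExportDefaultConditions.getConjuncts().add(new MatchProtocol(RoutingProtocol.AGGREGATE));
        }
        ospfExportDefaultStatements.add(Statements.ExitAccept.toStaticStatement());
        ospfExportDefault.setGuard(ospfExportDefaultConditions);
    }
    // redistribution of connected, static and bgp routes
    // TODO: honor subnets option
    addRedistributionPolicy(proc, RoutingProtocol.CONNECTED, false, "OSPF export connected routes", CiscoStructureUsage.OSPF_REDISTRIBUTE_CONNECTED_MAP, "ospf redistribute connected route-map", ospfExportStatements);
    addRedistributionPolicy(proc, RoutingProtocol.STATIC, true, "OSPF export static routes", CiscoStructureUsage.OSPF_REDISTRIBUTE_STATIC_MAP, "ospf redistribute static route-map", ospfExportStatements);
    addRedistributionPolicy(proc, RoutingProtocol.BGP, true, "OSPF export bgp routes", CiscoStructureUsage.OSPF_REDISTRIBUTE_BGP_MAP, "ospf redistribute bgp route-map", ospfExportStatements);
    newProcess.setReferenceBandwidth(proc.getReferenceBandwidth());
    Ip routerId = proc.getRouterId();
    if (routerId == null) {
        routerId = inferOspfRouterId(oldConfig);
        if (routerId == null) {
            _w.redFlag("No candidates for OSPF router-id");
            return null;
        }
    }
    newProcess.setRouterId(routerId);
    return newProcess;
}

/**
 * Attaches every addressed interface of {@code vrf} to the area of the most specific network
 * statement covering its primary address, marks it OSPF-enabled (and passive where configured),
 * and records the resulting per-area interface sets on the areas.
 *
 * @param proc the vendor-specific OSPF process supplying network statements and passive settings
 * @param vrf the vendor-independent VRF whose interfaces are classified
 * @param areas area map of the new process; areas referenced by a matching network are created here
 */
private static void assignInterfacesToAreas(OspfProcess proc, org.batfish.datamodel.Vrf vrf, Map<Long, OspfArea> areas) {
    // sort so longest prefixes are first; ties broken by ascending network address
    List<OspfNetwork> networks = new ArrayList<>(proc.getNetworks());
    networks.sort(
        Comparator.<OspfNetwork>comparingInt(n -> n.getPrefix().getPrefixLength())
            .reversed()
            .thenComparingLong(n -> n.getPrefix().getStartIp().asLong()));
    Map<Long, ImmutableSortedSet.Builder<String>> areaInterfacesBuilders = new HashMap<>();
    for (Entry<String, org.batfish.datamodel.Interface> e : vrf.getInterfaces().entrySet()) {
        String ifaceName = e.getKey();
        org.batfish.datamodel.Interface iface = e.getValue();
        InterfaceAddress interfaceAddress = iface.getAddress();
        if (interfaceAddress == null) {
            continue;
        }
        for (OspfNetwork network : networks) {
            Prefix networkPrefix = network.getPrefix();
            Ip networkAddress = networkPrefix.getStartIp();
            Ip maskedInterfaceAddress = interfaceAddress.getIp().getNetworkAddress(networkPrefix.getPrefixLength());
            if (maskedInterfaceAddress.equals(networkAddress)) {
                // we have a longest prefix match
                long areaNum = network.getArea();
                OspfArea newArea = areas.computeIfAbsent(areaNum, OspfArea::new);
                areaInterfacesBuilders.computeIfAbsent(areaNum, n -> ImmutableSortedSet.naturalOrder()).add(ifaceName);
                iface.setOspfArea(newArea);
                iface.setOspfEnabled(true);
                boolean passive = proc.getPassiveInterfaceList().contains(iface.getName()) || (proc.getPassiveInterfaceDefault() && !proc.getActiveInterfaceList().contains(iface.getName()));
                iface.setOspfPassive(passive);
                break;
            }
        }
    }
    // Build each area's interface set once, after all interfaces are classified (previously this
    // ran inside the loop above, rebuilding every area's set on every interface).
    areaInterfacesBuilders.forEach((areaNum, interfacesBuilder) -> areas.get(areaNum).setInterfaces(interfacesBuilder.build()));
}

/**
 * For every area with configured summaries, installs a route filter on {@code c} that rejects
 * the routes each summary covers and accepts everything else, and records the summaries on the
 * area (creating the area if no interface placed it).
 *
 * @param proc the vendor-specific OSPF process supplying the per-area summaries
 * @param vrfName embedded in the generated filter names
 * @param c receives the generated route filter lists
 * @param areas area map of the new process
 */
private static void addAreaSummaryFilters(OspfProcess proc, String vrfName, Configuration c, Map<Long, OspfArea> areas) {
    for (Entry<Long, Map<Prefix, OspfAreaSummary>> e1 : proc.getSummaries().entrySet()) {
        long areaLong = e1.getKey();
        Map<Prefix, OspfAreaSummary> summaries = e1.getValue();
        String summaryFilterName = "~OSPF_SUMMARY_FILTER:" + vrfName + ":" + areaLong + "~";
        RouteFilterList summaryFilter = new RouteFilterList(summaryFilterName);
        c.getRouteFilterLists().put(summaryFilterName, summaryFilter);
        OspfArea area = areas.computeIfAbsent(areaLong, OspfArea::new);
        area.setSummaryFilter(summaryFilterName);
        for (Entry<Prefix, OspfAreaSummary> e2 : summaries.entrySet()) {
            Prefix prefix = e2.getKey();
            OspfAreaSummary summary = e2.getValue();
            int prefixLength = prefix.getPrefixLength();
            // An advertised summary rejects only routes strictly more specific than itself; a
            // non-advertised one rejects the summary prefix as well.
            int filterMinPrefixLength = summary.getAdvertised() ? Math.min(Prefix.MAX_PREFIX_LENGTH, prefixLength + 1) : prefixLength;
            summaryFilter.addLine(new RouteFilterLine(LineAction.REJECT, prefix, new SubRange(filterMinPrefixLength, Prefix.MAX_PREFIX_LENGTH)));
        }
        area.setSummaries(ImmutableSortedMap.copyOf(summaries));
        summaryFilter.addLine(new RouteFilterLine(LineAction.ACCEPT, Prefix.ZERO, new SubRange(0, Prefix.MAX_PREFIX_LENGTH)));
    }
}

/**
 * Appends the export statements for one {@code redistribute} clause: a top-level SetMetric (the
 * clause's metric, or the vendor default for the protocol) followed by an If whose guard matches
 * the protocol, optionally excludes the default route, and calls the clause's route-map when one
 * is defined. Does nothing when {@code proc} has no redistribution clause for {@code protocol}.
 *
 * @param proc the vendor-specific OSPF process
 * @param protocol the redistributed protocol; also used to look up the default metric
 * @param excludeDefaultRoute whether 0.0.0.0/0 is excluded from the match (static and bgp)
 * @param comment comment attached to the generated If
 * @param routeMapUsage usage reported when the clause's route-map is undefined
 * @param routeMapReference referer description recorded on the route-map when it is defined
 * @param ospfExportStatements statement list of the export policy being built
 */
private void addRedistributionPolicy(OspfProcess proc, RoutingProtocol protocol, boolean excludeDefaultRoute, String comment, CiscoStructureUsage routeMapUsage, String routeMapReference, List<Statement> ospfExportStatements) {
    OspfRedistributionPolicy rp = proc.getRedistributionPolicies().get(protocol);
    if (rp == null) {
        return;
    }
    If exportIf = new If();
    exportIf.setComment(comment);
    Conjunction conditions = new Conjunction();
    conditions.getConjuncts().add(new MatchProtocol(protocol));
    List<Statement> trueStatements = exportIf.getTrueStatements();
    if (excludeDefaultRoute) {
        conditions.getConjuncts().add(new Not(matchDefaultRoute()));
    }
    Long metric = rp.getMetric();
    OspfMetricType metricType = rp.getMetricType();
    trueStatements.add(new SetOspfMetricType(metricType));
    if (metric == null) {
        metric = proc.getDefaultMetric(_vendor, protocol);
    }
    ospfExportStatements.add(new SetMetric(new LiteralLong(metric)));
    ospfExportStatements.add(exportIf);
    // add export map with metric
    String routeMapName = rp.getRouteMap();
    if (routeMapName != null) {
        int routeMapLine = rp.getRouteMapLine();
        RouteMap routeMap = _routeMaps.get(routeMapName);
        if (routeMap == null) {
            undefined(CiscoStructureType.ROUTE_MAP, routeMapName, routeMapUsage, routeMapLine);
        } else {
            routeMap.getReferers().put(proc, routeMapReference);
            conditions.getConjuncts().add(new CallExpr(routeMapName));
        }
    }
    trueStatements.add(Statements.ExitAccept.toStaticStatement());
    exportIf.setGuard(conditions);
}

/** Returns a fresh expression matching exactly the default route (prefix ZERO, length range [0,0]). */
private static MatchPrefixSet matchDefaultRoute() {
    return new MatchPrefixSet(new DestinationNetwork(), new ExplicitPrefixSet(new PrefixSpace(Collections.singleton(new PrefixRange(Prefix.ZERO, new SubRange(0, 0))))));
}

/**
 * Infers a router-id when none is configured: the numerically highest address among the active,
 * addressed interfaces whose name starts with "loopback", or among all active interfaces when
 * there is no such loopback.
 *
 * @param oldConfig the vendor-specific configuration whose interfaces are examined
 * @return the highest candidate address, or {@code null} when no interface yields one above 0.0.0.0
 */
private static Ip inferOspfRouterId(CiscoConfiguration oldConfig) {
    Map<String, Interface> allInterfaces = oldConfig.getInterfaces();
    Map<String, Interface> loopbackInterfaces = new HashMap<>();
    for (Entry<String, Interface> e : allInterfaces.entrySet()) {
        String ifaceName = e.getKey();
        Interface iface = e.getValue();
        if (ifaceName.toLowerCase().startsWith("loopback") && iface.getActive() && iface.getAddress() != null) {
            loopbackInterfaces.put(ifaceName, iface);
        }
    }
    Map<String, Interface> interfacesToCheck = loopbackInterfaces.isEmpty() ? allInterfaces : loopbackInterfaces;
    Ip highestIp = Ip.ZERO;
    for (Interface iface : interfacesToCheck.values()) {
        if (!iface.getActive()) {
            continue;
        }
        for (InterfaceAddress address : iface.getAllAddresses()) {
            Ip ip = address.getIp();
            if (highestIp.asLong() < ip.asLong()) {
                highestIp = ip;
            }
        }
    }
    // Ip.ZERO is never replaced by a 0.0.0.0 address (the comparison is strict), so the sentinel
    // survives exactly when no candidate was found.
    return highestIp.equals(Ip.ZERO) ? null : highestIp;
}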

Example 8 with RoutingPolicy

use of org.batfish.datamodel.routing_policy.RoutingPolicy in project batfish by batfish.

From class CiscoConfiguration, method toVendorIndependentConfiguration.

@Override
public Configuration toVendorIndependentConfiguration() {
    final Configuration c = new Configuration(_hostname, _vendor);
    c.getVendorFamily().setCisco(_cf);
    c.setRoles(_roles);
    c.setDefaultInboundAction(LineAction.ACCEPT);
    c.setDefaultCrossZoneAction(LineAction.ACCEPT);
    c.setDnsServers(_dnsServers);
    c.setDnsSourceInterface(_dnsSourceInterface);
    c.setDomainName(_domainName);
    c.setNormalVlanRange(new SubRange(VLAN_NORMAL_MIN_CISCO, VLAN_NORMAL_MAX_CISCO));
    c.setTacacsServers(_tacacsServers);
    c.setTacacsSourceInterface(_tacacsSourceInterface);
    c.setNtpSourceInterface(_ntpSourceInterface);
    if (_cf.getNtp() != null) {
        c.setNtpServers(new TreeSet<>(_cf.getNtp().getServers().keySet()));
    }
    if (_cf.getLogging() != null) {
        c.setLoggingSourceInterface(_cf.getLogging().getSourceInterface());
        c.setLoggingServers(new TreeSet<>(_cf.getLogging().getHosts().keySet()));
    }
    c.setSnmpSourceInterface(_snmpSourceInterface);
    processLines();
    processFailoverSettings();
    // remove line login authentication lists if they don't exist
    for (Line line : _cf.getLines().values()) {
        String list = line.getLoginAuthentication();
        boolean found = false;
        Aaa aaa = _cf.getAaa();
        if (aaa != null) {
            AaaAuthentication authentication = aaa.getAuthentication();
            if (authentication != null) {
                AaaAuthenticationLogin login = authentication.getLogin();
                if (login != null && login.getLists().containsKey(list)) {
                    found = true;
                }
            }
        }
        if (!found) {
            line.setLoginAuthentication(null);
        }
    }
    // initialize vrfs
    for (String vrfName : _vrfs.keySet()) {
        c.getVrfs().put(vrfName, new org.batfish.datamodel.Vrf(vrfName));
    }
    // snmp server
    if (_snmpServer != null) {
        String snmpServerVrf = _snmpServer.getVrf();
        c.getVrfs().get(snmpServerVrf).setSnmpServer(_snmpServer);
    }
    // convert as path access lists to vendor independent format
    for (IpAsPathAccessList pathList : _asPathAccessLists.values()) {
        AsPathAccessList apList = toAsPathAccessList(pathList);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert as-path-sets to vendor independent format
    for (AsPathSet asPathSet : _asPathSets.values()) {
        AsPathAccessList apList = toAsPathAccessList(asPathSet);
        c.getAsPathAccessLists().put(apList.getName(), apList);
    }
    // convert standard/expanded community lists to community lists
    for (StandardCommunityList scList : _standardCommunityLists.values()) {
        ExpandedCommunityList ecList = scList.toExpandedCommunityList();
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    for (ExpandedCommunityList ecList : _expandedCommunityLists.values()) {
        CommunityList cList = toCommunityList(ecList);
        c.getCommunityLists().put(cList.getName(), cList);
    }
    // convert prefix lists to route filter lists
    for (PrefixList prefixList : _prefixLists.values()) {
        RouteFilterList newRouteFilterList = toRouteFilterList(prefixList);
        c.getRouteFilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert ipv6 prefix lists to route6 filter lists
    for (Prefix6List prefixList : _prefix6Lists.values()) {
        Route6FilterList newRouteFilterList = toRoute6FilterList(prefixList);
        c.getRoute6FilterLists().put(newRouteFilterList.getName(), newRouteFilterList);
    }
    // convert standard/extended access lists to access lists or route filter
    // lists
    List<ExtendedAccessList> allACLs = new ArrayList<>();
    for (StandardAccessList saList : _standardAccessLists.values()) {
        ExtendedAccessList eaList = saList.toExtendedAccessList();
        allACLs.add(eaList);
    }
    allACLs.addAll(_extendedAccessLists.values());
    for (ExtendedAccessList eaList : allACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardAccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            RouteFilterList rfList = toRouteFilterList(eaList);
            c.getRouteFilterLists().put(rfList.getName(), rfList);
        }
        IpAccessList ipaList = toIpAccessList(eaList);
        c.getIpAccessLists().put(ipaList.getName(), ipaList);
    }
    // convert standard/extended ipv6 access lists to ipv6 access lists or
    // route6 filter
    // lists
    List<ExtendedIpv6AccessList> allIpv6ACLs = new ArrayList<>();
    for (StandardIpv6AccessList saList : _standardIpv6AccessLists.values()) {
        ExtendedIpv6AccessList eaList = saList.toExtendedIpv6AccessList();
        allIpv6ACLs.add(eaList);
    }
    allIpv6ACLs.addAll(_extendedIpv6AccessLists.values());
    for (ExtendedIpv6AccessList eaList : allIpv6ACLs) {
        if (usedForRouting(eaList)) {
            String msg = "used for routing";
            StandardIpv6AccessList parent = eaList.getParent();
            if (parent != null) {
                parent.getReferers().put(this, msg);
            } else {
                eaList.getReferers().put(this, msg);
            }
            Route6FilterList rfList = toRoute6FilterList(eaList);
            c.getRoute6FilterLists().put(rfList.getName(), rfList);
        }
        Ip6AccessList ipaList = toIp6AccessList(eaList);
        c.getIp6AccessLists().put(ipaList.getName(), ipaList);
    }
    // convert route maps to policy maps
    Set<RouteMap> routingRouteMaps = getRoutingRouteMaps();
    for (RouteMap map : _routeMaps.values()) {
        convertForPurpose(routingRouteMaps, map);
        // convert route maps to RoutingPolicy objects
        RoutingPolicy newPolicy = toRoutingPolicy(c, map);
        c.getRoutingPolicies().put(newPolicy.getName(), newPolicy);
    }
    // convert RoutePolicy to RoutingPolicy
    for (RoutePolicy routePolicy : _routePolicies.values()) {
        RoutingPolicy routingPolicy = toRoutingPolicy(c, routePolicy);
        c.getRoutingPolicies().put(routingPolicy.getName(), routingPolicy);
    }
    // convert interfaces
    _interfaces.forEach((ifaceName, iface) -> {
        org.batfish.datamodel.Interface newInterface = toInterface(iface, c.getIpAccessLists(), c);
        String vrfName = iface.getVrf();
        if (vrfName == null) {
            throw new BatfishException("Missing vrf name for iface: '" + iface.getName() + "'");
        }
        c.getInterfaces().put(ifaceName, newInterface);
        c.getVrfs().get(vrfName).getInterfaces().put(ifaceName, newInterface);
    });
    // apply vrrp settings to interfaces
    applyVrrp(c);
    // get IKE proposals
    for (Entry<String, IsakmpPolicy> e : _isakmpPolicies.entrySet()) {
        c.getIkeProposals().put(e.getKey(), e.getValue().getProposal());
    }
    addIkePoliciesAndGateways(c);
    // ipsec proposals
    for (Entry<String, IpsecTransformSet> e : _ipsecTransformSets.entrySet()) {
        c.getIpsecProposals().put(e.getKey(), e.getValue().getProposal());
    }
    // ipsec policies
    for (Entry<String, IpsecProfile> e : _ipsecProfiles.entrySet()) {
        String name = e.getKey();
        IpsecProfile profile = e.getValue();
        IpsecPolicy policy = new IpsecPolicy(name);
        policy.setPfsKeyGroup(profile.getPfsGroup());
        String transformSetName = profile.getTransformSet();
        if (c.getIpsecProposals().containsKey(transformSetName)) {
            policy.getProposals().put(transformSetName, c.getIpsecProposals().get(transformSetName));
        }
        c.getIpsecPolicies().put(name, policy);
    }
    // ipsec vpns
    for (Entry<String, Interface> e : _interfaces.entrySet()) {
        String name = e.getKey();
        Interface iface = e.getValue();
        Tunnel tunnel = iface.getTunnel();
        if (tunnel != null && tunnel.getMode() == TunnelMode.IPSEC) {
            IpsecVpn ipsecVpn = new IpsecVpn(name, c);
            ipsecVpn.setBindInterface(c.getInterfaces().get(name));
            ipsecVpn.setIpsecPolicy(c.getIpsecPolicies().get(tunnel.getIpsecProfileName()));
            Ip source = tunnel.getSource();
            Ip destination = tunnel.getDestination();
            if (source == null || destination == null) {
                _w.redFlag("Can't match IkeGateway: tunnel source or destination is not set for " + name);
            } else {
                for (IkeGateway ikeGateway : c.getIkeGateways().values()) {
                    if (source.equals(ikeGateway.getLocalIp()) && destination.equals(ikeGateway.getAddress())) {
                        ipsecVpn.setIkeGateway(ikeGateway);
                    }
                }
                if (ipsecVpn.getIkeGateway() == null) {
                    _w.redFlag("Can't find matching IkeGateway for " + name);
                }
            }
            c.getIpsecVpns().put(ipsecVpn.getName(), ipsecVpn);
        }
    }
    // convert routing processes
    _vrfs.forEach((vrfName, vrf) -> {
        org.batfish.datamodel.Vrf newVrf = c.getVrfs().get(vrfName);
        // add snmp trap servers to main list
        if (newVrf.getSnmpServer() != null) {
            c.getSnmpTrapServers().addAll(newVrf.getSnmpServer().getHosts().keySet());
        }
        // convert static routes
        for (StaticRoute staticRoute : vrf.getStaticRoutes()) {
            newVrf.getStaticRoutes().add(toStaticRoute(c, staticRoute));
        }
        // convert rip process
        RipProcess ripProcess = vrf.getRipProcess();
        if (ripProcess != null) {
            org.batfish.datamodel.RipProcess newRipProcess = toRipProcess(ripProcess, vrfName, c, this);
            newVrf.setRipProcess(newRipProcess);
        }
        // convert ospf process
        OspfProcess ospfProcess = vrf.getOspfProcess();
        if (ospfProcess != null) {
            org.batfish.datamodel.OspfProcess newOspfProcess = toOspfProcess(ospfProcess, vrfName, c, this);
            newVrf.setOspfProcess(newOspfProcess);
        }
        // convert isis process
        IsisProcess isisProcess = vrf.getIsisProcess();
        if (isisProcess != null) {
            org.batfish.datamodel.IsisProcess newIsisProcess = toIsisProcess(isisProcess, c, this);
            newVrf.setIsisProcess(newIsisProcess);
        }
        // convert bgp process
        BgpProcess bgpProcess = vrf.getBgpProcess();
        if (bgpProcess != null) {
            org.batfish.datamodel.BgpProcess newBgpProcess = toBgpProcess(c, bgpProcess, vrfName);
            c.getVrfs().get(vrfName).setBgpProcess(newBgpProcess);
        }
    });
    // warn about references to undefined peer groups
    for (Entry<String, Integer> e : _undefinedPeerGroups.entrySet()) {
        String name = e.getKey();
        int line = e.getValue();
        undefined(CiscoStructureType.BGP_PEER_GROUP, name, CiscoStructureUsage.BGP_NEIGHBOR_STATEMENT, line);
    }
    // mark references to IPv4/6 ACLs that may not appear in data model
    markAcls(CiscoStructureUsage.CLASS_MAP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.CONTROL_PLANE_ACCESS_GROUP);
    markAcls(CiscoStructureUsage.COPS_LISTENER_ACCESS_LIST);
    markAcls(CiscoStructureUsage.CRYPTO_MAP_IPSEC_ISAKMP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IGMP_ACCESS_GROUP_ACL);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IGMP_STATIC_GROUP_ACL);
    markAcls(CiscoStructureUsage.INTERFACE_IP_INBAND_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_IP_VERIFY_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.INTERFACE_PIM_NEIGHBOR_FILTER);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_DESTINATION_ACCESS_LIST);
    markIpv4Acls(CiscoStructureUsage.IP_NAT_SOURCE_ACCESS_LIST);
    markAcls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST);
    markIpv6Acls(CiscoStructureUsage.LINE_ACCESS_CLASS_LIST6);
    markIpv4Acls(CiscoStructureUsage.MANAGEMENT_TELNET_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.MSDP_PEER_SA_LIST);
    markIpv4Acls(CiscoStructureUsage.NTP_ACCESS_GROUP);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_ACCEPT_RP_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ADDRESS_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_ANNOUNCE_FILTER);
    markIpv4Acls(CiscoStructureUsage.PIM_RP_CANDIDATE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SEND_RP_ANNOUNCE_ACL);
    markIpv4Acls(CiscoStructureUsage.PIM_SPT_THRESHOLD_ACL);
    markAcls(CiscoStructureUsage.RIP_DISTRIBUTE_LIST);
    markAcls(CiscoStructureUsage.ROUTER_ISIS_DISTRIBUTE_LIST_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_FILE_TRANSFER_ACL);
    markAcls(CiscoStructureUsage.SNMP_SERVER_TFTP_SERVER_LIST);
    markAcls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL);
    markIpv4Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL4);
    markIpv6Acls(CiscoStructureUsage.SNMP_SERVER_COMMUNITY_ACL6);
    markAcls(CiscoStructureUsage.SSH_ACL);
    markIpv4Acls(CiscoStructureUsage.SSH_IPV4_ACL);
    markIpv6Acls(CiscoStructureUsage.SSH_IPV6_ACL);
    markAcls(CiscoStructureUsage.WCCP_GROUP_LIST);
    markAcls(CiscoStructureUsage.WCCP_REDIRECT_LIST);
    markAcls(CiscoStructureUsage.WCCP_SERVICE_LIST);
    // mark references to mac-ACLs that may not appear in data model
    // TODO: fill in
    // mark references to route-maps that may not appear in data model
    markRouteMaps(CiscoStructureUsage.BGP_REDISTRIBUTE_OSPFV3_MAP);
    markRouteMaps(CiscoStructureUsage.BGP_ROUTE_MAP_OTHER);
    markRouteMaps(CiscoStructureUsage.BGP_VRF_AGGREGATE_ROUTE_MAP);
    markRouteMaps(CiscoStructureUsage.PIM_ACCEPT_REGISTER_ROUTE_MAP);
    // Cable
    markDepiClasses(CiscoStructureUsage.DEPI_TUNNEL_DEPI_CLASS);
    markDepiTunnels(CiscoStructureUsage.CONTROLLER_DEPI_TUNNEL);
    markDepiTunnels(CiscoStructureUsage.DEPI_TUNNEL_PROTECT_TUNNEL);
    markDocsisPolicies(CiscoStructureUsage.DOCSIS_GROUP_DOCSIS_POLICY);
    markDocsisPolicyRules(CiscoStructureUsage.DOCSIS_POLICY_DOCSIS_POLICY_RULE);
    markServiceClasses(CiscoStructureUsage.QOS_ENFORCE_RULE_SERVICE_CLASS);
    // L2tp
    markL2tpClasses(CiscoStructureUsage.DEPI_TUNNEL_L2TP_CLASS);
    // Vpn
    markIpsecProfiles(CiscoStructureUsage.TUNNEL_PROTECTION_IPSEC_PROFILE);
    markIpsecTransformSets(CiscoStructureUsage.IPSEC_PROFILE_TRANSFORM_SET);
    markKeyrings(CiscoStructureUsage.ISAKMP_PROFILE_KEYRING);
    // warn about unreferenced data structures
    warnUnusedStructure(_asPathSets, CiscoStructureType.AS_PATH_SET);
    warnUnusedCommunityLists();
    warnUnusedStructure(_cf.getDepiClasses(), CiscoStructureType.DEPI_CLASS);
    warnUnusedStructure(_cf.getDepiTunnels(), CiscoStructureType.DEPI_TUNNEL);
    warnUnusedDocsisPolicies();
    warnUnusedDocsisPolicyRules();
    warnUnusedStructure(_asPathAccessLists, CiscoStructureType.AS_PATH_ACCESS_LIST);
    warnUnusedIpAccessLists();
    warnUnusedStructure(_ipsecProfiles, CiscoStructureType.IPSEC_PROFILE);
    warnUnusedStructure(_ipsecTransformSets, CiscoStructureType.IPSEC_TRANSFORM_SET);
    warnUnusedIpv6AccessLists();
    warnUnusedKeyrings();
    warnUnusedStructure(_cf.getL2tpClasses(), CiscoStructureType.L2TP_CLASS);
    warnUnusedStructure(_macAccessLists, CiscoStructureType.MAC_ACCESS_LIST);
    warnUnusedStructure(_natPools, CiscoStructureType.NAT_POOL);
    warnUnusedStructure(_prefixLists, CiscoStructureType.PREFIX_LIST);
    warnUnusedStructure(_prefix6Lists, CiscoStructureType.PREFIX6_LIST);
    warnUnusedPeerGroups();
    warnUnusedPeerSessions();
    warnUnusedStructure(_routeMaps, CiscoStructureType.ROUTE_MAP);
    warnUnusedServiceClasses();
    c.simplifyRoutingPolicies();
    c.computeRoutingPolicySources(_w);
    return c;
}

Example 9 with RoutingPolicy

use of org.batfish.datamodel.routing_policy.RoutingPolicy in project batfish by batfish.

the class VpnConnection method applyToVpnGateway.

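/**
 * Materializes this VPN connection on its VPN gateway node. For every IPsec tunnel one IPsec VPN
 * is created (with its IPsec policy/proposal and IKE gateway/policy/proposal) and bound to a
 * dedicated pair of interfaces; routing toward the customer gateway is then either BGP or static,
 * never both.
 *
 * <p>When the VPN gateway node is absent from {@code awsConfiguration} a red flag is recorded and
 * nothing is applied.
 *
 * @param awsConfiguration all AWS configuration nodes, looked up by id (VPN gateway and attached VPC)
 * @param region region data used to resolve the VPN gateway's attached VPC and that VPC's CIDR blocks
 * @param warnings sink for non-fatal findings
 * @throws BatfishException if a tunnel combines BGP with static routes, if the VPN gateway or its
 *     attached VPC cannot be resolved, or if the gateway is attached to anything other than exactly
 *     one VPC
 */
public void applyToVpnGateway(AwsConfiguration awsConfiguration, Region region, Warnings warnings) {
    if (!awsConfiguration.getConfigurationNodes().containsKey(_vpnGatewayId)) {
        warnings.redFlag(String.format("VPN Gateway \"%s\" referred by VPN connection \"%s\" not found", _vpnGatewayId, _vpnConnectionId));
        return;
    }
    Configuration vpnGatewayCfgNode = awsConfiguration.getConfigurationNodes().get(_vpnGatewayId);
    for (int i = 0; i < _ipsecTunnels.size(); i++) {
        int idNum = i + 1;
        // Tunnels are numbered from 1; every structure belonging to a tunnel is keyed by this id
        String vpnId = _vpnConnectionId + "-" + idNum;
        IpsecTunnel ipsecTunnel = _ipsecTunnels.get(i);
        // A tunnel that carries a customer-gateway ASN is BGP-routed; static routes must not coexist with it
        if (ipsecTunnel.getCgwBgpAsn() != -1 && (_staticRoutesOnly || !_routes.isEmpty())) {
            throw new BatfishException("Unexpected combination of BGP and static routes for VPN connection: \"" + _vpnConnectionId + "\"");
        }
        applyIpsecAndIke(vpnGatewayCfgNode, ipsecTunnel, vpnId, idNum);
        // An ASN of -1 means the tunnel has no BGP session
        if (ipsecTunnel.getVgwBgpAsn() != -1) {
            applyBgp(awsConfiguration, region, vpnGatewayCfgNode, ipsecTunnel, vpnId);
        }
        applyStaticRoutes(vpnGatewayCfgNode, ipsecTunnel);
    }
}

/**
 * Creates the IPsec VPN for one tunnel on the VPN gateway node together with its IPsec policy and
 * proposal, its IKE gateway, policy and proposal, and the two interfaces it uses: an "external"
 * interface holding the gateway's outside (public) address and a "vpn" interface holding the
 * gateway's inside (tunnel) address. Every structure is registered on the node under {@code vpnId}.
 *
 * @param vpnGatewayCfgNode configuration node of the VPN gateway
 * @param ipsecTunnel tunnel whose addresses and crypto parameters are applied
 * @param vpnId id shared by all structures of this tunnel
 * @param idNum 1-based tunnel number, used to name the two interfaces
 */
private void applyIpsecAndIke(Configuration vpnGatewayCfgNode, IpsecTunnel ipsecTunnel, String vpnId, int idNum) {
    // IPsec chain: VPN -> policy -> proposal
    IpsecVpn ipsecVpn = new IpsecVpn(vpnId, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getIpsecVpns().put(vpnId, ipsecVpn);
    IpsecPolicy ipsecPolicy = new IpsecPolicy(vpnId);
    vpnGatewayCfgNode.getIpsecPolicies().put(vpnId, ipsecPolicy);
    ipsecVpn.setIpsecPolicy(ipsecPolicy);
    // -1 is the value the proposal constructors are given for synthesized AWS structures;
    // presumably "no definition line" — verify against IpsecProposal/IkeProposal
    IpsecProposal ipsecProposal = new IpsecProposal(vpnId, -1);
    vpnGatewayCfgNode.getIpsecProposals().put(vpnId, ipsecProposal);
    ipsecPolicy.getProposals().put(vpnId, ipsecProposal);
    // IKE chain: gateway -> policy -> proposal
    IkeGateway ikeGateway = new IkeGateway(vpnId);
    vpnGatewayCfgNode.getIkeGateways().put(vpnId, ikeGateway);
    ipsecVpn.setIkeGateway(ikeGateway);
    IkePolicy ikePolicy = new IkePolicy(vpnId);
    vpnGatewayCfgNode.getIkePolicies().put(vpnId, ikePolicy);
    ikeGateway.setIkePolicy(ikePolicy);
    IkeProposal ikeProposal = new IkeProposal(vpnId, -1);
    vpnGatewayCfgNode.getIkeProposals().put(vpnId, ikeProposal);
    ikePolicy.getProposals().put(vpnId, ikeProposal);
    // Interfaces: the outside address is a host address (Prefix.MAX_PREFIX_LENGTH); the inside
    // address uses the prefix length reported for the tunnel
    String externalInterfaceName = "external" + idNum;
    InterfaceAddress externalInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwOutsideAddress(), Prefix.MAX_PREFIX_LENGTH);
    Interface externalInterface = Utils.newInterface(externalInterfaceName, vpnGatewayCfgNode, externalInterfaceAddress);
    String vpnInterfaceName = "vpn" + idNum;
    InterfaceAddress vpnInterfaceAddress = new InterfaceAddress(ipsecTunnel.getVgwInsideAddress(), ipsecTunnel.getVgwInsidePrefixLength());
    Interface vpnInterface = Utils.newInterface(vpnInterfaceName, vpnGatewayCfgNode, vpnInterfaceAddress);
    // IPsec parameters
    ipsecVpn.setBindInterface(vpnInterface);
    ipsecPolicy.setPfsKeyGroup(toDiffieHellmanGroup(ipsecTunnel.getIpsecPerfectForwardSecrecy()));
    ipsecProposal.setAuthenticationAlgorithm(toIpsecAuthenticationAlgorithm(ipsecTunnel.getIpsecAuthProtocol()));
    ipsecProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIpsecEncryptionProtocol()));
    ipsecProposal.setProtocol(toIpsecProtocol(ipsecTunnel.getIpsecProtocol()));
    ipsecProposal.setLifetimeSeconds(ipsecTunnel.getIpsecLifetime());
    // IKE parameters: the gateway peers with the customer gateway's outside address from the
    // external interface's own address
    ikeGateway.setExternalInterface(externalInterface);
    ikeGateway.setAddress(ipsecTunnel.getCgwOutsideAddress());
    ikeGateway.setLocalIp(externalInterface.getAddress().getIp());
    // Only a hash of the pre-shared key is carried into the model, never the key itself. When no
    // hash is available the proposal is left without an authentication method.
    if (ipsecTunnel.getIkePreSharedKeyHash() != null) {
        ikePolicy.setPreSharedKeyHash(ipsecTunnel.getIkePreSharedKeyHash());
        ikeProposal.setAuthenticationMethod(IkeAuthenticationMethod.PRE_SHARED_KEYS);
    }
    ikeProposal.setAuthenticationAlgorithm(toIkeAuthenticationAlgorithm(ipsecTunnel.getIkeAuthProtocol()));
    ikeProposal.setDiffieHellmanGroup(toDiffieHellmanGroup(ipsecTunnel.getIkePerfectForwardSecrecy()));
    ikeProposal.setEncryptionAlgorithm(toEncryptionAlgorithm(ipsecTunnel.getIkeEncryptionProtocol()));
    ikeProposal.setLifetimeSeconds(ipsecTunnel.getIkeLifetime());
}

/**
 * Sets up BGP for one tunnel: an eBGP session from the VPN gateway to the customer gateway over
 * the tunnel's inside addresses, and an iBGP session between the VPN gateway and its single
 * attached VPC, with the routing policies that control what each side accepts and advertises.
 *
 * <p>Both the VPN gateway's and the VPC's BGP processes are reused when they already exist, so a
 * connection with several BGP tunnels accumulates neighbors on both nodes. (Previously a fresh
 * process was installed on the VPC node for every tunnel, discarding the neighbor created for the
 * tunnel before.)
 *
 * @param awsConfiguration all AWS configuration nodes; the VPC node is looked up here
 * @param region region data used to resolve the VPN gateway's attachment and the VPC's CIDR blocks
 * @param vpnGatewayCfgNode configuration node of the VPN gateway
 * @param ipsecTunnel tunnel providing ASNs and inside addresses
 * @param vpnId id of this tunnel; also names its origination policy and route filter
 * @throws BatfishException if the VPN gateway or its VPC cannot be resolved, or if the gateway is
 *     not attached to exactly one VPC
 */
private void applyBgp(AwsConfiguration awsConfiguration, Region region, Configuration vpnGatewayCfgNode, IpsecTunnel ipsecTunnel, String vpnId) {
    BgpProcess proc = vpnGatewayCfgNode.getDefaultVrf().getBgpProcess();
    if (proc == null) {
        proc = new BgpProcess();
        proc.setRouterId(ipsecTunnel.getVgwInsideAddress());
        proc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
        vpnGatewayCfgNode.getDefaultVrf().setBgpProcess(proc);
    }
    // eBGP: VPN gateway <-> customer gateway
    BgpNeighbor cgBgpNeighbor = new BgpNeighbor(ipsecTunnel.getCgwInsideAddress(), vpnGatewayCfgNode);
    cgBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
    proc.getNeighbors().put(cgBgpNeighbor.getPrefix(), cgBgpNeighbor);
    cgBgpNeighbor.setRemoteAs(ipsecTunnel.getCgwBgpAsn());
    cgBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
    cgBgpNeighbor.setLocalIp(ipsecTunnel.getVgwInsideAddress());
    cgBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
    cgBgpNeighbor.setSendCommunity(false);
    // Resolve the single VPC the gateway is attached to; advertising for several would be ambiguous
    VpnGateway vpnGateway = region.getVpnGateways().get(_vpnGatewayId);
    if (vpnGateway == null) {
        throw new BatfishException("VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" not found in region");
    }
    List<String> attachmentVpcIds = vpnGateway.getAttachmentVpcIds();
    if (attachmentVpcIds.size() != 1) {
        throw new BatfishException("Not sure what routes to advertise since VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" is linked to multiple VPCs");
    }
    String vpcId = attachmentVpcIds.get(0);
    Configuration vpcNode = awsConfiguration.getConfigurationNodes().get(vpcId);
    Vpc vpc = region.getVpcs().get(vpcId);
    if (vpcNode == null || vpc == null) {
        throw new BatfishException("VPC: \"" + vpcId + "\" attached to VPN Gateway: \"" + _vpnGatewayId + "\" for VPN connection: \"" + _vpnConnectionId + "\" not found");
    }
    // iBGP: VPN gateway -> VPC, peering over the attachment interfaces each node has for the other
    Ip vpcIfaceAddress = vpcNode.getInterfaces().get(_vpnGatewayId).getAddress().getIp();
    Ip vgwToVpcIfaceAddress = vpnGatewayCfgNode.getInterfaces().get(vpcId).getAddress().getIp();
    BgpNeighbor vgwToVpcBgpNeighbor = new BgpNeighbor(vpcIfaceAddress, vpnGatewayCfgNode);
    proc.getNeighbors().put(vgwToVpcBgpNeighbor.getPrefix(), vgwToVpcBgpNeighbor);
    vgwToVpcBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
    vgwToVpcBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
    vgwToVpcBgpNeighbor.setLocalIp(vgwToVpcIfaceAddress);
    vgwToVpcBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
    vgwToVpcBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
    vgwToVpcBgpNeighbor.setSendCommunity(true);
    // iBGP: VPC -> VPN gateway; reuse the VPC's process so earlier tunnels' neighbors survive
    BgpProcess vpcProc = vpcNode.getDefaultVrf().getBgpProcess();
    if (vpcProc == null) {
        vpcProc = new BgpProcess();
        vpcProc.setMultipathEquivalentAsPathMatchMode(MultipathEquivalentAsPathMatchMode.EXACT_PATH);
        vpcProc.setRouterId(vpcIfaceAddress);
        vpcNode.getDefaultVrf().setBgpProcess(vpcProc);
    }
    BgpNeighbor vpcToVgwBgpNeighbor = new BgpNeighbor(vgwToVpcIfaceAddress, vpcNode);
    vpcProc.getNeighbors().put(vpcToVgwBgpNeighbor.getPrefix(), vpcToVgwBgpNeighbor);
    vpcToVgwBgpNeighbor.setVrf(Configuration.DEFAULT_VRF_NAME);
    vpcToVgwBgpNeighbor.setLocalAs(ipsecTunnel.getVgwBgpAsn());
    vpcToVgwBgpNeighbor.setLocalIp(vpcIfaceAddress);
    vpcToVgwBgpNeighbor.setRemoteAs(ipsecTunnel.getVgwBgpAsn());
    vpcToVgwBgpNeighbor.setDefaultMetric(BGP_NEIGHBOR_DEFAULT_METRIC);
    vpcToVgwBgpNeighbor.setSendCommunity(true);
    applyVpcPeeringPolicies(vpnGatewayCfgNode, vpcNode, vgwToVpcBgpNeighbor, vpcToVgwBgpNeighbor);
    applyOriginationPolicy(vpnGatewayCfgNode, vpc, cgBgpNeighbor, vpnId);
}

/**
 * Installs the routing policies of the VPN gateway <-> VPC iBGP session. Route flow is one-way:
 * the gateway exports, with next-hop-self, only routes whose protocol is BGP (i.e. what it learned
 * from the customer gateway) and imports nothing; the VPC imports everything and exports nothing.
 *
 * <p>The policies are keyed by fixed names, so re-running this for another tunnel simply replaces
 * them with equivalent ones.
 *
 * @param vpnGatewayCfgNode configuration node of the VPN gateway
 * @param vpcNode configuration node of the attached VPC
 * @param vgwToVpcBgpNeighbor the gateway's neighbor entry for the VPC
 * @param vpcToVgwBgpNeighbor the VPC's neighbor entry for the gateway
 */
private void applyVpcPeeringPolicies(Configuration vpnGatewayCfgNode, Configuration vpcNode, BgpNeighbor vgwToVpcBgpNeighbor, BgpNeighbor vpcToVgwBgpNeighbor) {
    String rpRejectAllName = "~REJECT_ALL~";
    String rpAcceptAllEbgpAndSetNextHopSelfName = "~ACCEPT_ALL_EBGP_AND_SET_NEXT_HOP_SELF~";
    String rpAcceptAllName = "~ACCEPT_ALL~";
    // Gateway export toward the VPC: accept iff the route's protocol is BGP, else reject
    If acceptIffEbgp = new If();
    acceptIffEbgp.setGuard(new MatchProtocol(RoutingProtocol.BGP));
    acceptIffEbgp.setTrueStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
    acceptIffEbgp.setFalseStatements(ImmutableList.of(Statements.ExitReject.toStaticStatement()));
    RoutingPolicy vgwRpAcceptAllBgp = new RoutingPolicy(rpAcceptAllEbgpAndSetNextHopSelfName, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getRoutingPolicies().put(vgwRpAcceptAllBgp.getName(), vgwRpAcceptAllBgp);
    vgwRpAcceptAllBgp.setStatements(ImmutableList.of(new SetNextHop(new SelfNextHop(), false), acceptIffEbgp));
    vgwToVpcBgpNeighbor.setExportPolicy(rpAcceptAllEbgpAndSetNextHopSelfName);
    // Gateway import from the VPC: a policy with no statements rejects everything
    RoutingPolicy vgwRpRejectAll = new RoutingPolicy(rpRejectAllName, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getRoutingPolicies().put(rpRejectAllName, vgwRpRejectAll);
    vgwToVpcBgpNeighbor.setImportPolicy(rpRejectAllName);
    // VPC import from the gateway: accept all
    RoutingPolicy vpcRpAcceptAll = new RoutingPolicy(rpAcceptAllName, vpcNode);
    vpcNode.getRoutingPolicies().put(rpAcceptAllName, vpcRpAcceptAll);
    vpcRpAcceptAll.setStatements(ImmutableList.of(Statements.ExitAccept.toStaticStatement()));
    vpcToVgwBgpNeighbor.setImportPolicy(rpAcceptAllName);
    // VPC export toward the gateway: reject all
    RoutingPolicy vpcRpRejectAll = new RoutingPolicy(rpRejectAllName, vpcNode);
    vpcNode.getRoutingPolicies().put(rpRejectAllName, vpcRpRejectAll);
    vpcToVgwBgpNeighbor.setExportPolicy(rpRejectAllName);
}

/**
 * Installs the export policy of the VPN gateway toward the customer gateway: a static route whose
 * network exactly equals one of the VPC's CIDR blocks is re-originated with origin IGP and
 * accepted; everything else is rejected. The policy and its route filter list share the name
 * {@code vpnId + "_origination"}.
 *
 * @param vpnGatewayCfgNode configuration node of the VPN gateway
 * @param vpc VPC whose CIDR block associations are advertised
 * @param cgBgpNeighbor the gateway's neighbor entry for the customer gateway
 * @param vpnId id of this tunnel
 */
private void applyOriginationPolicy(Configuration vpnGatewayCfgNode, Vpc vpc, BgpNeighbor cgBgpNeighbor, String vpnId) {
    String originationPolicyName = vpnId + "_origination";
    RoutingPolicy originationRoutingPolicy = new RoutingPolicy(originationPolicyName, vpnGatewayCfgNode);
    vpnGatewayCfgNode.getRoutingPolicies().put(originationPolicyName, originationRoutingPolicy);
    cgBgpNeighbor.setExportPolicy(originationPolicyName);
    // Policy body: [if <guard> then set-origin IGP; accept] reject
    If originationIf = new If();
    List<Statement> statements = originationRoutingPolicy.getStatements();
    statements.add(originationIf);
    statements.add(Statements.ExitReject.toStaticStatement());
    originationIf.getTrueStatements().add(new SetOrigin(new LiteralOrigin(OriginType.IGP, null)));
    originationIf.getTrueStatements().add(Statements.ExitAccept.toStaticStatement());
    // Route filter: one exact-length line per VPC CIDR block
    RouteFilterList originationRouteFilter = new RouteFilterList(originationPolicyName);
    vpnGatewayCfgNode.getRouteFilterLists().put(originationPolicyName, originationRouteFilter);
    vpc.getCidrBlockAssociations().forEach(prefix -> {
        RouteFilterLine matchOutgoingPrefix = new RouteFilterLine(LineAction.ACCEPT, prefix, new SubRange(prefix.getPrefixLength(), prefix.getPrefixLength()));
        originationRouteFilter.addLine(matchOutgoingPrefix);
    });
    // Guard: protocol is STATIC and destination network is in the filter above
    Conjunction conj = new Conjunction();
    originationIf.setGuard(conj);
    conj.getConjuncts().add(new MatchProtocol(RoutingProtocol.STATIC));
    conj.getConjuncts().add(new MatchPrefixSet(new DestinationNetwork(), new NamedPrefixSet(originationPolicyName)));
}

/**
 * Adds one static route per configured prefix to the VPN gateway's default VRF, each pointing at
 * the customer gateway's inside address of {@code ipsecTunnel}. Does nothing when no static routes
 * are configured.
 *
 * @param vpnGatewayCfgNode configuration node of the VPN gateway
 * @param ipsecTunnel tunnel whose customer-gateway inside address is the next hop
 */
private void applyStaticRoutes(Configuration vpnGatewayCfgNode, IpsecTunnel ipsecTunnel) {
    for (Prefix staticRoutePrefix : _routes) {
        StaticRoute staticRoute = StaticRoute.builder().setNetwork(staticRoutePrefix).setNextHopIp(ipsecTunnel.getCgwInsideAddress()).setAdministrativeCost(Route.DEFAULT_STATIC_ROUTE_ADMIN).setMetric(Route.DEFAULT_STATIC_ROUTE_COST).build();
        vpnGatewayCfgNode.getDefaultVrf().getStaticRoutes().add(staticRoute);
    }
}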

Example 10 with RoutingPolicy

use of org.batfish.datamodel.routing_policy.RoutingPolicy in project batfish by batfish.

the class AstVisitor method visit.

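/**
 * Walks the routing-policy AST rooted at statement {@code s}: {@code fs} receives every statement
 * reached, and {@code fe} is forwarded to the expression overload for every guard reached.
 *
 * <p>{@link If} statements are descended into (guard, then both branches). A
 * {@link SetDefaultPolicy} is followed into the policy it names, resolved on {@code conf}.
 * Descent into expressions and statement lists is delegated to the {@code visit} overloads
 * defined elsewhere in this class.
 *
 * @param conf configuration in which named routing policies are resolved
 * @param s statement to start from
 * @param fs callback invoked for each statement visited
 * @param fe callback forwarded for boolean expressions
 * @throws NullPointerException if a {@link SetDefaultPolicy} names a policy that {@code conf}
 *     does not define; the message carries the offending policy name
 */
public void visit(Configuration conf, Statement s, Consumer<Statement> fs, Consumer<BooleanExpr> fe) {
    fs.accept(s);
    if (s instanceof If) {
        If i = (If) s;
        visit(conf, i.getGuard(), fs, fe);
        visit(conf, i.getTrueStatements(), fs, fe);
        visit(conf, i.getFalseStatements(), fs, fe);
    } else if (s instanceof SetDefaultPolicy) {
        SetDefaultPolicy p = (SetDefaultPolicy) s;
        String name = p.getDefaultPolicy();
        // A dangling policy reference used to surface as a bare NPE on rp.getStatements(); keep the
        // exception type, but name the missing policy so the offending configuration can be found.
        RoutingPolicy rp = java.util.Objects.requireNonNull(conf.getRoutingPolicies().get(name), () -> "SetDefaultPolicy refers to undefined routing policy: " + name);
        visit(conf, rp.getStatements(), fs, fe);
    }
}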
