@Override public Boolean visitAclIpSpace(AclIpSpace aclIpSpace) { for (AclIpSpaceLine line : aclIpSpace.getLines()) { if (line.getAction() == LineAction.PERMIT && ipSpaceMayIntersectWildcard(line.getIpSpace())) { return true; } if (line.getAction() == LineAction.DENY && ipSpaceContainsWildcard(line.getIpSpace())) { return false; } } return false; }
public AclIpSpaceLine build() { return new AclIpSpaceLine(_ipSpace, _action, _srcText); }
private String computeLineDescription(AclIpSpaceLine line, IpSpaceDescriber describer) { String srcText = line.getSrcText(); if (srcText != null) { return srcText; } return line.getIpSpace().accept(describer); }
@Override public IpSpace visitAclIpSpace(AclIpSpace aclIpSpace) { /* Just specialize the IpSpace of each acl line. */ List<AclIpSpaceLine> specializedLines = aclIpSpace.getLines().stream() .map(line -> line.toBuilder().setIpSpace(visit(line.getIpSpace())).build()) .filter(line -> line.getIpSpace() != EmptyIpSpace.INSTANCE) .collect(ImmutableList.toImmutableList()); if (specializedLines.isEmpty()) { return EmptyIpSpace.INSTANCE; } if (specializedLines.stream() .allMatch(aclIpSpaceLine -> aclIpSpaceLine.getAction() == LineAction.DENY)) { return EmptyIpSpace.INSTANCE; } return AclIpSpace.of(specializedLines); }
@Test public void testComputeRouteMatchConditions() { Set<AbstractRoute> routes = ImmutableSet.of(new ConnectedRoute(P1, INTERFACE1), new ConnectedRoute(P2, INTERFACE2)); MockRib rib = MockRib.builder().setMatchingIps(ImmutableMap.of(P1, IPSPACE1, P2, IPSPACE2)).build(); /* Resulting IP space should permit matching IPs */ assertThat( ForwardingAnalysisImpl.computeRouteMatchConditions(routes, rib.getMatchingIps()), isAclIpSpaceThat( hasLines( containsInAnyOrder( AclIpSpaceLine.permit(IPSPACE1), AclIpSpaceLine.permit(IPSPACE2))))); }
public Builder then(AclIpSpaceLine line) { if (_full) { return this; } _full = line.getIpSpace() instanceof UniverseIpSpace; _lines.add(line); return this; }
public void recordAction( @Nonnull String aclIpSpaceName, @Nullable IpSpaceMetadata ipSpaceMetadata, int index, @Nonnull AclIpSpaceLine line, Ip ip, String ipDescription, IpSpaceDescriber describer) { if (line.getAction() == LineAction.PERMIT) { _currentTreeNode.setEvent( new PermittedByAclIpSpaceLine( aclIpSpaceName, ipSpaceMetadata, index, computeLineDescription(line, describer), ip, ipDescription)); } else { _currentTreeNode.setEvent( new DeniedByAclIpSpaceLine( aclIpSpaceName, ipSpaceMetadata, index, computeLineDescription(line, describer), ip, ipDescription)); } }
public static AclIpSpaceLine permit(IpSpace ipSpace) { return builder().setIpSpace(ipSpace).build(); }
IpSpace simplifiedLineIpSpace = line.getIpSpace().accept(this); if (simplifiedLineIpSpace == EmptyIpSpace.INSTANCE) { continue; AclIpSpaceLine simplifiedLine = line.toBuilder().setIpSpace(simplifiedLineIpSpace).build(); simplifiedLines.add(simplifiedLine); if (simplifiedLineIpSpace == UniverseIpSpace.INSTANCE) { if (simplifiedLines.size() == 1 && simplifiedLines.get(0).getAction() == LineAction.PERMIT) { return simplifiedLines.get(0).getIpSpace(); if (simplifiedLines.stream().allMatch(line -> line.getAction() == LineAction.DENY)) { return EmptyIpSpace.INSTANCE; .getIpSpace() .equals(UniverseIpSpace.INSTANCE) && simplifiedLines.stream().allMatch(line -> line.getAction() == LineAction.PERMIT)) { return UniverseIpSpace.INSTANCE;
@Test public void testComputeArpTrueEdge() { IpSpace nextHopIpSpace = new MockIpSpace(1); IpSpace dstIpSpace = new MockIpSpace(2); Edge e1 = Edge.of("c1", "i1", "c2", "i2"); _arpTrueEdgeDestIp = ImmutableMap.of(e1, dstIpSpace); _arpTrueEdgeNextHopIp = ImmutableMap.of(e1, nextHopIpSpace); ForwardingAnalysisImpl forwardingAnalysisImpl = initForwardingAnalysisImpl(); Map<Edge, IpSpace> result = forwardingAnalysisImpl.computeArpTrueEdge(); assertThat( result, hasEntry( equalTo(e1), isAclIpSpaceThat( hasLines( containsInAnyOrder( AclIpSpaceLine.permit(nextHopIpSpace), AclIpSpaceLine.permit(dstIpSpace)))))); }
private LineAction action(Ip ip, Map<String, IpSpace> namedIpSpaces) { return _lines.stream() .filter(line -> line.getIpSpace().containsIp(ip, namedIpSpaces)) .map(AclIpSpaceLine::getAction) .findFirst() .orElse(LineAction.DENY); }
public Builder toBuilder() { return builder().setAction(_action).setIpSpace(_ipSpace); }
@Override public Boolean visitAclIpSpace(AclIpSpace aclIpSpace) { return aclIpSpace.getLines().stream() .filter(line -> line.getAction() == LineAction.PERMIT) .allMatch(line -> line.getIpSpace().accept(this)); }
@Test public void testVisitAclIpSpace() { IpSpace lineIpSpace = UniverseIpSpace.INSTANCE; String lineIpSpaceName = "lineIpSpace"; IpSpaceMetadata lineIpSpaceMetadata = new IpSpaceMetadata("line_space_name", "line_space_type"); IpSpace ipSpace = AclIpSpace.of(AclIpSpaceLine.permit(lineIpSpace)); IpSpaceDescriber describerWithMetadata = new IpSpaceDescriber( new AclTracer( _flow, null, ImmutableMap.of(), ImmutableMap.of(TEST_NAME, ipSpace), ImmutableMap.of(TEST_NAME, TEST_METADATA))); IpSpaceDescriber describerWithLineMetadata = new IpSpaceDescriber( new AclTracer( _flow, null, ImmutableMap.of(), ImmutableMap.of(lineIpSpaceName, lineIpSpace), ImmutableMap.of(lineIpSpaceName, lineIpSpaceMetadata))); assertThat(ipSpace.accept(_describerNoNamesNorMetadata), equalTo("[0: universe]")); assertThat( ipSpace.accept(describerWithLineMetadata), equalTo("[0: 'line_space_type' named 'line_space_name']")); assertThat(ipSpace.accept(describerWithMetadata), equalTo(TEST_METADATA_DESCRIPTION)); }
@Override public String visitAclIpSpace(AclIpSpace aclIpSpace) { String metadataDescription = computeMetadataDescription(aclIpSpace); if (metadataDescription != null) { return metadataDescription; } ImmutableList.Builder<String> lineDescs = ImmutableList.builder(); CommonUtil.<AclIpSpaceLine>forEachWithIndex( aclIpSpace.getLines(), (i, line) -> lineDescs.add(String.format("%d: %s", i, line.getIpSpace().accept(this)))); return lineDescs.build().toString(); }
public static AclIpSpaceLine reject(IpSpace ipSpace) { return builder().setIpSpace(ipSpace).setAction(LineAction.DENY).build(); }
@Override public Boolean visitAclIpSpace(AclIpSpace aclIpSpace) { for (AclIpSpaceLine line : aclIpSpace.getLines()) { if (line.getAction() == LineAction.DENY && ipSpaceMayIntersectWildcard(line.getIpSpace())) { return true; } if (line.getAction() == LineAction.PERMIT && ipSpaceContainsWildcard(line.getIpSpace())) { return false; } } /* * If we reach this point, no PERMIT line is guaranteed to contain ipWildcard. This means * it's possible (though not certain) that this does not contain ipWildcard. */ return true; }
@Test public void testWithAclIpSpaceWithGoodRefs() { // ACL contains an AclIpSpace that references the same valid named IpSpace twice _aclb .setLines( ImmutableList.of( acceptingHeaderSpace( HeaderSpace.builder() .setSrcIps( AclIpSpace.of( AclIpSpaceLine.permit(new IpSpaceReference("ipSpace")), AclIpSpaceLine.permit(new IpSpaceReference("ipSpace")))) .build()))) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have correctly dereferenced "ipSpace" assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat( spec.acl.getSanitizedAcl().getLines(), equalTo( ImmutableList.of( acceptingHeaderSpace( HeaderSpace.builder() .setSrcIps( AclIpSpace.of( AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace()), AclIpSpaceLine.permit(Ip.parse("1.2.3.4").toIpSpace()))) .build())))); }
public Builder thenAction(LineAction action, IpSpace space) { return then(AclIpSpaceLine.builder().setAction(action).setIpSpace(space).build()); }
@Override public IpSpace visitAclIpSpace(AclIpSpace aclIpSpace) { AclIpSpace.Builder renamedSpace = AclIpSpace.builder(); aclIpSpace .getLines() .forEach( line -> { IpSpace space = line.getIpSpace().accept(this); renamedSpace.thenAction(line.getAction(), space); }); return renamedSpace.build(); }