public static MatchSrcInterface matchSrcInterface(String... iface) { return new MatchSrcInterface(ImmutableList.copyOf(iface)); }
@Override public final AclLineMatchExpr visitMatchSrcInterface(MatchSrcInterface matchSrcInterface) { // Remove interfaces that can't match List<String> relevantInterfaces = new ArrayList<>(); List<BDD> matchingInterfaceBDDs = new ArrayList<>(); for (String iface : matchSrcInterface.getSrcInterfaces()) { BDD interfaceBDD = _bddSrcManager.getSourceInterfaceBDD(iface); if (!interfaceBDD.and(_flowBDD).isZero()) { matchingInterfaceBDDs.add(interfaceBDD); relevantInterfaces.add(iface); } } if (relevantInterfaces.isEmpty()) { return FalseExpr.INSTANCE; } else if (_simplifyToTrue && _flowBDD.imp(BDDOps.orNull(matchingInterfaceBDDs)).isOne()) { return TrueExpr.INSTANCE; } return new MatchSrcInterface(relevantInterfaces); }
@Override public Void visitMatchSrcInterface(MatchSrcInterface matchSrcInterface) { _referencedSources.addAll(matchSrcInterface.getSrcInterfaces()); return null; }
@Override public Boolean visitMatchSrcInterface(MatchSrcInterface matchSrcInterface) { return matchSrcInterface.getSrcInterfaces().contains(_srcInterface); }
/** Convert a firewallFilter into an equivalent ACL. */ IpAccessList toIpAccessList(FirewallFilter filter) throws VendorConversionException { String name = filter.getName(); AclLineMatchExpr matchSrcInterface = null; /* * If srcInterfaces (from-zone) are filtered (this is the case for security policies), then * need to make a match condition for that */ String zoneName = filter.getFromZone(); if (zoneName != null) { matchSrcInterface = new MatchSrcInterface( _masterLogicalSystem.getZones().get(zoneName).getInterfaces().stream() .map(Interface::getName) .collect(ImmutableList.toImmutableList())); } /* Return an ACL that is the logical AND of srcInterface filter and headerSpace filter */ return fwTermsToIpAccessList(name, filter.getTerms().values(), matchSrcInterface); }
.setName("Traffic from security level " + l) .setMatchCondition( new MatchSrcInterface( _interfacesBySecurityLevel.get(l).stream() .map(this::getNewInterfaceName) .setName("Traffic from security level " + l + " with inbound filter") .setMatchCondition( new MatchSrcInterface( _interfacesBySecurityLevel.get(l).stream() .filter(iface -> iface.getIncomingFilter() != null) .filter( line -> !((MatchSrcInterface) line.getMatchCondition()).getSrcInterfaces().isEmpty()) .collect(Collectors.toList()));
@VisibleForTesting void requireSourceInterfaces(MatchSrcInterface matchSrcInterface) { Set<String> sourceInterfaces = matchSrcInterface.getSrcInterfaces(); checkState(_sources != Sources.DEVICE, "AclExplanation is unsatisfiable"); _sources = Sources.INTERFACES; _sourceInterfaces = _sourceInterfaces == null ? sourceInterfaces : Sets.intersection(_sourceInterfaces, sourceInterfaces); checkState(!_sourceInterfaces.isEmpty(), "AclExplanation is unsatisfiable"); _sourceInterfacesProvenance.add(matchSrcInterface); }
break; case INTERFACES: MatchSrcInterface matchSrcInterface = new MatchSrcInterface(_sourceInterfaces); conjunctsBuilder.add(matchSrcInterface); conjunctsProvenance.put(matchSrcInterface, _sourceInterfacesProvenance);
@Override public BDD visitMatchSrcInterface(MatchSrcInterface matchSrcInterface) { return _bddOps.or( matchSrcInterface.getSrcInterfaces().stream() .map(_bddSrcManager::getSourceInterfaceBDD) .collect(Collectors.toList())); }
@Test public void testSrcInterface() { // Test source interface matching Set<String> interfaceNames = new HashSet<>(); interfaceNames.add("test"); MatchSrcInterface exprSrcInterface = new MatchSrcInterface(interfaceNames); // Confirm the same interface name is matched assertThat(exprSrcInterface, matches(createFlow(), "test")); // Confirm a different interface name is not matched assertThat(exprSrcInterface, not(matches(createFlow(), "fail"))); } }
@Override public BooleanExpr visitMatchSrcInterface(MatchSrcInterface matchSrcInterface) { return new OrExpr( matchSrcInterface.getSrcInterfaces().stream() .map(this::matchSrcInterfaceExpr) .collect(ImmutableList.toImmutableList())); }
@Override public Optional<Transformation.Builder> toOutgoingTransformation( Map<String, IpAccessList> ipAccessLists, Map<String, NatPool> natPools, @Nullable Set<String> insideInterfaces, Configuration c) { /* * No named ACL in rule, but need to match src/dest to global/local according * to direction and rule type */ AclLineMatchExpr matchExpr; TransformationStep step; switch (getAction()) { case SOURCE_INSIDE: matchExpr = AclLineMatchExprs.matchSrc(_localNetwork); step = TransformationStep.shiftSourceIp(_globalNetwork); break; case SOURCE_OUTSIDE: matchExpr = AclLineMatchExprs.matchDst(_localNetwork); step = TransformationStep.shiftDestinationIp(_globalNetwork); break; default: return Optional.empty(); } if (insideInterfaces != null) { matchExpr = AclLineMatchExprs.and(matchExpr, new MatchSrcInterface(insideInterfaces)); } return Optional.of(Transformation.when(matchExpr).apply(step)); }
Set<String> referencedInterfaces = matchSrcInterfaceExprs.stream() .flatMap(expr -> expr.getSrcInterfaces().stream()) .collect(Collectors.toSet()); if (!nodeInterfaces.containsAll(referencedInterfaces)) {
@Test public void testWithUndefinedSrcInterfaceReference() { _aclb .setLines( ImmutableList.of( IpAccessListLine.accepting() .setMatchCondition(new MatchSrcInterface(ImmutableList.of("???"))) .build())) .build(); List<AclSpecs> aclSpecs = getAclSpecs(ImmutableSet.of("c1")); // The sanitized version of the acl should have one unmatchable line assertThat(aclSpecs, hasSize(1)); AclSpecs spec = aclSpecs.get(0); assertThat(spec.acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE))); }
/** Generate outgoing IpAccessList for the specified zone */ private IpAccessList generateOutgoingFilter(String name, Zone toZone, Vsys vsys) { List<IpAccessListLine> lines = new TreeList<>(); SortedMap<String, Rule> rules = toZone.getVsys().getRules(); for (Rule rule : rules.values()) { if (!rule.getDisabled() && (rule.getTo().contains(toZone.getName()) || rule.getTo().contains(CATCHALL_ZONE_NAME))) { lines.add(toIpAccessListLine(rule, vsys)); } } // Intrazone traffic is allowed by default lines.add( IpAccessListLine.builder() .accepting() .setMatchCondition(new MatchSrcInterface(toZone.getInterfaceNames())) .build()); return IpAccessList.builder().setName(name).setLines(lines).build(); }
c.getZones(), Entry::getKey, zoneByNameEntry -> new MatchSrcInterface(zoneByNameEntry.getValue().getInterfaces()));
if (_sameSecurityTrafficIntra && !_sameSecurityTrafficInter) { ifaceFilter = new MatchSrcInterface( ImmutableList.of(newIface.getName()), "Allow traffic received on this interface"); } else if (!_sameSecurityTrafficIntra && _sameSecurityTrafficInter) { ifaceFilter = new MatchSrcInterface( _interfacesBySecurityLevel.get(iface.getSecurityLevel()).stream() .filter(other -> !other.equals(iface))
natAclExpr = and(natAclExpr, new MatchSrcInterface(insideInterfaces));
.setMatchCondition( new AndMatchExpr( ImmutableList.of(new MatchSrcInterface(ImmutableList.of("iface1"))))) .build(), IpAccessListLine.accepting() .setMatchCondition( new OrMatchExpr( ImmutableList.of(new MatchSrcInterface(ImmutableList.of("iface2"))))) .build(), IpAccessListLine.accepting() .setMatchCondition( new NotMatchExpr(new MatchSrcInterface(ImmutableList.of("iface3")))) .build())) .build();
conjuncts.add(new MatchSrcInterface(srcInterfaces));