@VisibleForTesting public static Set<String> getFilterNames(Map<String, Configuration> configurations) { ImmutableSet.Builder<String> filterNames = ImmutableSet.builder(); configurations .values() .forEach(configuration -> filterNames.addAll(configuration.getIpAccessLists().keySet())); return filterNames.build(); }
@Override protected Map<String, IpAccessList> featureValueOf(Configuration actual) { return actual.getIpAccessLists(); } }
private Set<String> computeNodesWithSrcInterfaceConstraints() { return _configurations.entrySet().stream() .filter( entry -> { DependsOnSourceInterface dependsOnSourceInterface = new DependsOnSourceInterface(entry.getValue().getIpAccessLists()); return entry.getValue().getIpAccessLists().values().stream() .anyMatch(dependsOnSourceInterface::dependsOnSourceInterface); }) .map(Entry::getKey) .collect(ImmutableSet.toImmutableSet()); }
@Override public Set<IpAccessList> resolve(String node, SpecifierContext ctxt) { checkArgument( ctxt.getConfigs().containsKey(node), "SpecifierContext does not have configs for node: " + node); Configuration config = ctxt.getConfigs().get(node); return config.getIpAccessLists().values().stream() .filter(filter -> _shorthandSpecifier.matches(filter, config)) .collect(Collectors.toSet()); } }
public static BDDSourceManager forIpAccessList( BDDPacket pkt, Configuration config, IpAccessList acl) { return forIpAccessList( pkt, Sets.union(ImmutableSet.of(SOURCE_ORIGINATING_FROM_DEVICE), config.activeInterfaces()), config.getIpAccessLists(), acl); }
public void addAsIpAccessLists(Configuration config, VendorConfiguration vc, Warnings warnings) { _lineInInterfaces = new IdentityHashMap<>(); _lineOutInterfaces = new IdentityHashMap<>(); for (Entry<String, IptablesTable> e : _tables.entrySet()) { String tableName = e.getKey(); IptablesTable table = e.getValue(); for (Entry<String, IptablesChain> ec : table.getChains().entrySet()) { String chainName = ec.getKey(); IptablesChain chain = ec.getValue(); String aclName = toIpAccessListName(tableName, chainName); IpAccessList list = toIpAccessList(aclName, chain, vc); config.getIpAccessLists().put(aclName, list); } } }
@Override public AclLineMatchExpr toAclLineMatchExpr( CiscoConfiguration cc, Configuration c, MatchSemantics matchSemantics, Warnings w) { /* For now assume no match for non-existent ACLs */ if (!c.getIpAccessLists().containsKey(_name)) { return FalseExpr.INSTANCE; } return new PermittedByAcl( _name, String.format("Match if permitted by ip access-group '%s'", _name)); } }
@Override public IpAccessList build() { String name = _name != null ? _name : generateName(); IpAccessList ipAccessList = new IpAccessList(name, _lines, _sourceName, _sourceType); if (_owner != null) { _owner.getIpAccessLists().put(name, ipAccessList); } return ipAccessList; }
@Override protected IpAccessList featureValueOf(Configuration actual) { return actual.getIpAccessLists().get(_name); } }
private Map<String, AclLineMatchExprToBooleanExpr> computeAclLineMatchExprToBooleanExprs() { return toImmutableMap( _configurations, Entry::getKey, e -> { Configuration config = e.getValue(); return new AclLineMatchExprToBooleanExpr( config.getIpAccessLists(), config.getIpSpaces(), _sourceInterfaceField, _sourceInterfaceFieldValues.getOrDefault(e.getKey(), ImmutableMap.of())); }); }
@VisibleForTesting List<Triple<String, String, IpAccessList>> getQueryAcls(SearchFiltersQuestion question) { Map<String, Configuration> configs = _batfish.loadConfigurations(); return getSpecifiedAcls(question).entries().stream() .map( entry -> { String hostName = entry.getKey(); String aclName = entry.getValue(); Optional<IpAccessList> queryAcl = makeQueryAcl(configs.get(hostName).getIpAccessLists().get(aclName)); return queryAcl.map(acl -> ImmutableTriple.of(hostName, aclName, acl)); }) .filter(Optional::isPresent) .map(Optional::get) .collect(ImmutableList.toImmutableList()); }
@Override public Result evaluate(Environment environment) { Result result = new Result(); IpAccessList list = environment.getConfiguration().getIpAccessLists().get(_list); if (list != null) { // TODO } else { environment.setError(true); result.setBooleanValue(false); return result; } throw new UnsupportedOperationException("no implementation for generated method"); }
private Row testFiltersRow(boolean base, String hostname, String aclName, Flow flow) { if (base) { _batfish.pushBaseSnapshot(); } else { _batfish.pushDeltaSnapshot(); } Configuration c = _batfish.loadConfigurations().get(hostname); Row row = TestFiltersAnswerer.getRow(c.getIpAccessLists().get(aclName), flow, c); _batfish.popSnapshot(); return row; }
/** * Provides a matcher that matches if the IpAccessList accepts a flow at the provided source * interface given the definitions in the provided configuration. */ public static Accepts accepts( @Nonnull Flow flow, @Nullable String srcInterface, @Nonnull Configuration configuration) { return new Accepts( flow, srcInterface, configuration.getIpAccessLists(), configuration.getIpSpaces()); }
/** * Provides a matcher that matches if the IpAccessList rejects a flow at the provided source * interface given the provided acl definitions. */ public static Rejects rejects( @Nonnull Flow flow, @Nullable String srcInterface, @Nonnull Configuration configuration) { return new Rejects( flow, srcInterface, configuration.getIpAccessLists(), configuration.getIpSpaces()); }
private List<AclSpecs> getAclSpecs(Set<String> configNames) { SortedMap<String, Configuration> configs = ImmutableSortedMap.of("c1", _c1, "c2", _c2); Map<String, Set<IpAccessList>> acls = CommonUtil.toImmutableMap( configs, Entry::getKey, entry -> configNames.contains(entry.getKey()) ? ImmutableSet.copyOf(entry.getValue().getIpAccessLists().values()) : ImmutableSet.of()); return FilterLineReachabilityAnswerer.getAclSpecs( configs, acls, new FilterLineReachabilityRows()); } }
private static void setIpsecPeerConfigPolicyAccessList( Configuration c, CryptoMapEntry cryptoMapEntry, IpsecPeerConfig.Builder<?, ?> ipsecPeerConfigBuilder, Warnings w) { if (cryptoMapEntry.getAccessList() != null) { IpAccessList cryptoAcl = c.getIpAccessLists().get(cryptoMapEntry.getAccessList()); if (cryptoAcl != null) { IpAccessList symmetricCryptoAcl = createAclWithSymmetricalLines(cryptoAcl); if (symmetricCryptoAcl != null) { ipsecPeerConfigBuilder.setPolicyAccessList(symmetricCryptoAcl); } else { // log a warning if the ACL was not made symmetrical successfully w.redFlag( String.format( "Cannot process the Access List for crypto map %s:%s", cryptoMapEntry.getName(), cryptoMapEntry.getSequenceNumber())); } } } }
private TransformationToTransition initTransformationToTransformation(Configuration node) { return new TransformationToTransition( _bddPacket, new IpAccessListToBDD( _bddPacket, _bddSourceManagers.get(node.getHostname()), new HeaderSpaceToBDD( _bddPacket, node.getIpSpaces(), _dstIpSpaceToBDD, _srcIpSpaceToBDD), node.getIpAccessLists())); }
@Nullable @VisibleForTesting IpAccessList buildScreensPerInterface(Interface iface) { Zone zone = _masterLogicalSystem.getInterfaceZones().get(iface.getName()); if (zone == null) { return null; } // build a acl for each zone String zoneAclName = ACL_NAME_SCREEN_ZONE + zone.getName(); IpAccessList zoneAcl = _c.getIpAccessLists() .computeIfAbsent(zoneAclName, x -> buildScreensPerZone(zone, zoneAclName)); return zoneAcl == null ? null : IpAccessList.builder() .setName(ACL_NAME_SCREEN_INTERFACE + iface.getName()) .setLines(ImmutableList.of(IpAccessListLine.accepting(new PermittedByAcl(zoneAclName)))) .build(); }
@Test public void testForIpAccessList() { NetworkFactory nf = new NetworkFactory(); Configuration config = configWithOneAcl(nf); IpAccessList acl = config.getIpAccessLists().values().iterator().next(); BDDSourceManager mgr = BDDSourceManager.forIpAccessList(_pkt, config, acl); Map<String, BDD> srcBDDs = mgr.getSourceBDDs(); assertThat( srcBDDs.keySet(), equalTo(ImmutableSet.of(IFACE1, IFACE2, IFACE3, SOURCE_ORIGINATING_FROM_DEVICE))); BDD iface1BDD = srcBDDs.get(IFACE1); BDD iface2BDD = srcBDDs.get(IFACE2); BDD iface3BDD = srcBDDs.get(IFACE3); BDD origBDD = srcBDDs.get(SOURCE_ORIGINATING_FROM_DEVICE); assertThat("BDDs for IFACE1 and IFACE2 should be different", !iface1BDD.equals(iface2BDD)); assertThat( "BDDs for all sources other than IFACE1 should be the same", iface2BDD.equals(iface3BDD) && iface3BDD.equals(origBDD)); }