/**
 * Restricts the destination IPs of {@code headerSpaceBuilder} to the address-book entry this
 * term names, expressed as a named {@link IpSpaceReference} rather than a concrete space.
 *
 * <p>The reference name is {@code <addressBookName>~<entryName>}, where the address book is the
 * zone's own book when {@code _zone} is set and the global book otherwise. If the builder
 * already carries destination IPs they are kept and unioned with the new reference; otherwise
 * the reference alone becomes the destination space.
 *
 * @param headerSpaceBuilder builder being populated; its destination IPs are read and replaced
 * @param jc the owning Juniper configuration (not referenced here)
 * @param w warnings sink (not referenced here)
 * @param c the vendor-independent configuration (not referenced here)
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  AddressBook book = _zone == null ? _globalAddressBook : _zone.getAddressBook();
  String bookName = book.getAddressBookName(_addressBookEntryName);
  // NOTE(review): if getAddressBookName returns null for an entry that does not exist, the
  // reference becomes "null~<entry>" and nothing is reported through w — confirm with callers.
  IpSpaceReference entryRef = new IpSpaceReference(bookName + "~" + _addressBookEntryName);
  IpSpace existingDstIps = headerSpaceBuilder.getDstIps();
  IpSpace newDstIps =
      existingDstIps == null
          ? AclIpSpace.union(entryRef)
          : AclIpSpace.union(ImmutableList.of(entryRef, existingDstIps));
  headerSpaceBuilder.setDstIps(newDstIps);
}
}
/**
 * Builds a {@link MatchHeaderSpace} matching exactly one 5-tuple: the given source and
 * destination IPs, a single source and destination port each, and the given IP protocol.
 *
 * @param srcIp source address to match
 * @param srcPort the one source port to match (stored as a one-element {@link SubRange})
 * @param dstIp destination address to match
 * @param dstPort the one destination port to match (stored as a one-element {@link SubRange})
 * @param ipProtocol the IP protocol to match
 * @return the match expression
 */
public static MatchHeaderSpace match5Tuple(
    Ip srcIp, int srcPort, Ip dstIp, int dstPort, IpProtocol ipProtocol) {
  HeaderSpace.Builder tuple = HeaderSpace.builder();
  tuple.setSrcIps(srcIp.toIpSpace());
  tuple.setSrcPorts(ImmutableList.of(new SubRange(srcPort, srcPort)));
  tuple.setDstIps(dstIp.toIpSpace());
  tuple.setDstPorts(ImmutableList.of(new SubRange(dstPort, dstPort)));
  tuple.setIpProtocols(ImmutableList.of(ipProtocol));
  return new MatchHeaderSpace(tuple.build());
}
}
/**
 * Intersecting two header spaces that constrain different fields yields a header space carrying
 * both constraints, independent of argument order.
 */
@Test
public void testIntersect() {
  HeaderSpace dstOnly = HeaderSpace.builder().setDstIps(IP1).build();
  HeaderSpace srcOnly = HeaderSpace.builder().setSrcIps(IP2).build();
  HeaderSpace both = HeaderSpace.builder().setDstIps(IP1).setSrcIps(IP2).build();
  Optional<HeaderSpace> expected = Optional.of(both);
  assertThat(intersect(dstOnly, srcOnly), equalTo(expected));
  assertThat(intersect(srcOnly, dstOnly), equalTo(expected));
}
/**
 * An ACL whose only line accepts destinations in a named {@link AclIpSpace} that denies
 * everything: the line cannot match the flow, so the only trace event is the ACL's default deny.
 */
@Test
public void testDefaultDeniedByNamedAclIpSpace() {
  IpAccessListLine acceptNamedSpace =
      IpAccessListLine.acceptingHeaderSpace(
          HeaderSpace.builder().setDstIps(new IpSpaceReference(ACL_IP_SPACE_NAME)).build());
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(acceptNamedSpace))
          .build();
  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces =
      ImmutableMap.<String, IpSpace>of(ACL_IP_SPACE_NAME, AclIpSpace.DENY_ALL);
  IpSpaceMetadata metadata = new IpSpaceMetadata(ACL_IP_SPACE_NAME, TEST_ACL);
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata = ImmutableMap.of(ACL_IP_SPACE_NAME, metadata);

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace, hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * Like the DENY_ALL case, but the named space is an {@link AclIpSpace} built from a single
 * {@link AclIpSpaceLine#DENY_ALL} line. The accepting ACL line still cannot match, and the test
 * asserts that the trace holds exactly one event: the ACL's default deny.
 */
@Test
public void testDeniedByNamedAclIpSpaceLine() {
  AclIpSpace denyAllByLine = AclIpSpace.of(AclIpSpaceLine.DENY_ALL);
  IpAccessListLine acceptNamedSpace =
      IpAccessListLine.acceptingHeaderSpace(
          HeaderSpace.builder().setDstIps(new IpSpaceReference(ACL_IP_SPACE_NAME)).build());
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(acceptNamedSpace))
          .build();
  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces =
      ImmutableMap.<String, IpSpace>of(ACL_IP_SPACE_NAME, denyAllByLine);
  IpSpaceMetadata metadata = new IpSpaceMetadata(ACL_IP_SPACE_NAME, TEST_ACL);
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata = ImmutableMap.of(ACL_IP_SPACE_NAME, metadata);

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace, hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * Rewrites the IP-space fields of a {@link MatchHeaderSpace} through {@code rename} and records
 * the mapping from the original literal to the rewritten one in {@code _literalsMap}.
 *
 * <p>Only the five IP-space fields (dst, not-dst, src, not-src, src-or-dst) are renamed; every
 * other header-space field is carried over as-is via {@code toBuilder()}.
 *
 * @param matchHeaderSpace the literal to rewrite
 * @return the rewritten literal, which is also the value stored in {@code _literalsMap}
 */
@Override
public AclLineMatchExpr visitMatchHeaderSpace(MatchHeaderSpace matchHeaderSpace) {
  HeaderSpace original = matchHeaderSpace.getHeaderspace();
  // Renames happen in the same field order as before: dst, not-dst, src, not-src, src-or-dst.
  IpSpace renamedDst = rename(original.getDstIps());
  IpSpace renamedNotDst = rename(original.getNotDstIps());
  IpSpace renamedSrc = rename(original.getSrcIps());
  IpSpace renamedNotSrc = rename(original.getNotSrcIps());
  IpSpace renamedSrcOrDst = rename(original.getSrcOrDstIps());

  HeaderSpace.Builder rewritten = original.toBuilder();
  rewritten.setDstIps(renamedDst);
  rewritten.setNotDstIps(renamedNotDst);
  rewritten.setSrcIps(renamedSrc);
  rewritten.setNotSrcIps(renamedNotSrc);
  rewritten.setSrcOrDstIps(renamedSrcOrDst);

  MatchHeaderSpace result = new MatchHeaderSpace(rewritten.build());
  _literalsMap.put(matchHeaderSpace, result);
  return result;
}
/**
 * An ACL whose only line accepts destinations in a named, non-ACL IP space consisting of the
 * single host {@code Ip.MAX}. The test flow is not destined there, so the only trace event is
 * the ACL's default deny.
 */
@Test
public void testDeniedByNamedSimpleIpSpace() {
  String ipSpaceName = "aclIpSpace";
  IpAccessListLine acceptNamedSpace =
      IpAccessListLine.acceptingHeaderSpace(
          HeaderSpace.builder().setDstIps(new IpSpaceReference(ipSpaceName)).build());
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(acceptNamedSpace))
          .build();
  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> namedIpSpaces =
      ImmutableMap.<String, IpSpace>of(ipSpaceName, Ip.MAX.toIpSpace());
  IpSpaceMetadata metadata = new IpSpaceMetadata(ipSpaceName, TEST_ACL);
  Map<String, IpSpaceMetadata> namedIpSpaceMetadata = ImmutableMap.of(ipSpaceName, metadata);

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, availableAcls, namedIpSpaces, namedIpSpaceMetadata);

  assertThat(
      trace, hasEvents(contains(ImmutableList.of(isDefaultDeniedByIpAccessListNamed(ACL_NAME)))));
}
/**
 * An ACL whose only line accepts destinations in an inline (unnamed) {@link EmptyIpSpace}. No
 * named spaces or metadata are supplied; the line cannot match, so the trace holds only the
 * ACL's default deny.
 */
@Test
public void testDeniedByUnnamedSimpleIpSpace() {
  HeaderSpace emptyDst = HeaderSpace.builder().setDstIps(EmptyIpSpace.INSTANCE).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(emptyDst)))
          .build();
  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> noNamedIpSpaces = ImmutableMap.of();
  Map<String, IpSpaceMetadata> noMetadata = ImmutableMap.of();

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, availableAcls, noNamedIpSpaces, noMetadata);

  assertThat(trace, hasEvents(contains(isDefaultDeniedByIpAccessListNamed(ACL_NAME))));
}
/**
 * An ACL whose only line accepts destinations in an inline (unnamed) {@code AclIpSpace.DENY_ALL}.
 * No named spaces or metadata are supplied; the line cannot match, so the trace holds only the
 * ACL's default deny.
 */
@Test
public void testDeniedByUnnamedAclIpSpace() {
  HeaderSpace denyAllDst = HeaderSpace.builder().setDstIps(AclIpSpace.DENY_ALL).build();
  IpAccessList acl =
      IpAccessList.builder()
          .setName(ACL_NAME)
          .setLines(ImmutableList.of(IpAccessListLine.acceptingHeaderSpace(denyAllDst)))
          .build();
  Map<String, IpAccessList> availableAcls = ImmutableMap.of(ACL_NAME, acl);
  Map<String, IpSpace> noNamedIpSpaces = ImmutableMap.of();
  Map<String, IpSpaceMetadata> noMetadata = ImmutableMap.of();

  AclTrace trace =
      AclTracer.trace(acl, FLOW, SRC_INTERFACE, availableAcls, noNamedIpSpaces, noMetadata);

  assertThat(trace, hasEvents(contains(isDefaultDeniedByIpAccessListNamed(ACL_NAME))));
}
/**
 * Converts the given {@link PacketHeaderConstraints} to a BDD. The source and destination IP
 * spaces are taken from the already-resolved {@code srcIpSpace}/{@code dstIpSpace} arguments,
 * which replace whatever {@code toHeaderSpaceBuilder(phc)} set for those two fields.
 *
 * @param phc the packet header constraints
 * @param namedIpSpaces map of named IP spaces, handed to {@link HeaderSpaceToBDD} (presumably
 *     to resolve {@link IpSpaceReference}s inside the header space)
 * @param srcIpSpace resolved source IP space
 * @param dstIpSpace resolved destination IP space
 * @return a BDD for the constrained header space, built over a {@link BDDPacket} allocated by
 *     this call
 */
public static BDD toBDD(
    PacketHeaderConstraints phc,
    Map<String, IpSpace> namedIpSpaces,
    IpSpace srcIpSpace,
    IpSpace dstIpSpace) {
  HeaderSpace headerSpace =
      toHeaderSpaceBuilder(phc).setSrcIps(srcIpSpace).setDstIps(dstIpSpace).build();
  // A fresh BDDPacket per call; the returned BDD belongs to that packet's variable layout.
  HeaderSpaceToBDD converter = new HeaderSpaceToBDD(new BDDPacket(), namedIpSpaces);
  return converter.toBDD(headerSpace);
}
/**
 * Returns a {@link MatchHeaderSpace} that constrains only the destination IP.
 *
 * @param ipSpace destination IP space to match
 * @return the match expression
 */
public static MatchHeaderSpace matchDst(IpSpace ipSpace) {
  HeaderSpace dstOnly = HeaderSpace.builder().setDstIps(ipSpace).build();
  return new MatchHeaderSpace(dstOnly);
}
/**
 * Builds the egress header space for this rule: the shared fields from {@code
 * toHeaderSpaceBuilder()} plus, as destination IPs, the wildcards collected for {@code region}.
 *
 * @param region region whose collected IP wildcards become the destination IP space
 * @return the header space (despite the method name this is a {@link HeaderSpace}, not an
 *     access-list line)
 */
public HeaderSpace toEgressIpAccessListLine(Region region) {
  HeaderSpace.Builder egress = toHeaderSpaceBuilder();
  egress.setDstIps(collectIpWildCards(region));
  return egress.build();
}
/**
 * Sets the destination IPs of the NAT rule's header space to an {@link IpSpaceReference} whose
 * name is the matched address name prefixed with {@code GLOBAL_ADDRESS_BOOK_PREFIX} (so
 * presumably it resolves against the global address book).
 *
 * <p>This replaces, rather than unions with, any destination IPs already on {@code _headerSpace};
 * presumably a NAT rule carries at most one destination-address match — confirm.
 *
 * @param natRuleMatchDstAddrName the match term to translate
 * @return always {@code null}
 */
@Override
public Void visitNatRuleMatchDstAddrName(NatRuleMatchDstAddrName natRuleMatchDstAddrName) {
  String qualifiedName = GLOBAL_ADDRESS_BOOK_PREFIX + natRuleMatchDstAddrName.getName();
  _headerSpace.setDstIps(new IpSpaceReference(qualifiedName));
  return null;
}
/**
 * Converts {@link PacketHeaderConstraints} to an {@link AclLineMatchExpr}. The source and
 * destination IP spaces are taken from the already-resolved arguments, which replace whatever
 * {@code toHeaderSpaceBuilder(phc)} set for those two fields.
 *
 * @param phc the packet header constraints
 * @param srcIpSpace resolved source IP space
 * @param dstIpSpace resolved destination IP space
 * @return a {@link MatchHeaderSpace} over the resulting header space
 */
public static AclLineMatchExpr toAclLineMatchExpr(
    PacketHeaderConstraints phc, IpSpace srcIpSpace, IpSpace dstIpSpace) {
  HeaderSpace resolved =
      toHeaderSpaceBuilder(phc).setSrcIps(srcIpSpace).setDstIps(dstIpSpace).build();
  return new MatchHeaderSpace(resolved);
}
/**
 * A negated header space converts to the complement of the BDD for the same un-negated
 * destination IP space.
 */
@Test
public void test_negate() {
  IpSpace singleHost = Ip.parse("1.2.3.4").toIpSpace();
  BDD singleHostBdd = _toBDD.toBDD(singleHost, _dstIpSpaceToBdd);
  HeaderSpace negated = HeaderSpace.builder().setDstIps(singleHost).setNegate(true).build();
  assertThat(_toBDD.toBDD(negated), equalTo(singleHostBdd.not()));
}
/**
 * Adds {@code _ipWildcard} to the destination IPs of {@code headerSpaceBuilder}, unioning it
 * with whatever destination space is already present.
 *
 * <p>The current {@code getDstIps()} value is passed to {@link AclIpSpace#union} without a null
 * check and may be null if no destination has been set yet; presumably {@code union} tolerates
 * null operands — confirm.
 *
 * @param headerSpaceBuilder builder being populated; its destination IPs are read and replaced
 * @param jc the owning Juniper configuration (not referenced here)
 * @param w warnings sink (not referenced here)
 * @param c the vendor-independent configuration (not referenced here)
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  IpSpace current = headerSpaceBuilder.getDstIps();
  IpSpace wildcardSpace = _ipWildcard.toIpSpace();
  headerSpaceBuilder.setDstIps(AclIpSpace.union(current, wildcardSpace));
}
/**
 * Builds a {@link MatchHeaderSpace} that constrains a single IP field to {@code prefix}.
 *
 * @param prefix the prefix to match
 * @param field which IP field ({@code SOURCE} or {@code DESTINATION}) the prefix applies to
 * @return the match expression
 * @throws BatfishException if {@code field} is neither {@code SOURCE} nor {@code DESTINATION}
 */
private static MatchHeaderSpace matchField(Prefix prefix, IpField field) {
  HeaderSpace.Builder builder = HeaderSpace.builder();
  switch (field) {
    case DESTINATION:
      builder.setDstIps(prefix.toIpSpace());
      break;
    case SOURCE:
      builder.setSrcIps(prefix.toIpSpace());
      break;
    default:
      throw new BatfishException("Invalid field");
  }
  return new MatchHeaderSpace(builder.build());
}
/**
 * Sets the destination IPs of the NAT rule's header space to the IP space of the matched prefix.
 * Any destination IPs already on {@code _headerSpace} are replaced, not unioned.
 *
 * @param natRuleMatchDstAddr the match term to translate
 * @return always {@code null}
 */
@Override
public Void visitNatRuleMatchDstAddr(NatRuleMatchDstAddr natRuleMatchDstAddr) {
  IpSpace dstIps = natRuleMatchDstAddr.getPrefix().toIpSpace();
  _headerSpace.setDstIps(dstIps);
  return null;
}
/**
 * Resolves the source and destination IP-space specifiers against {@code ctx} and returns a copy
 * of {@code _headerSpace} with those two fields replaced. The stored {@code _headerSpace} is not
 * reassigned; the resolved copy is only returned.
 *
 * @param ctx specifier context used to resolve the IP-space specifiers
 * @return a new {@link HeaderSpace} with resolved source and destination IP spaces
 */
public HeaderSpace resolveHeaderspace(SpecifierContext ctx) {
  HeaderSpace.Builder resolved = _headerSpace.toBuilder();
  resolved.setSrcIps(resolveIpSpaceSpecifier(_sourceIpSpaceSpecifier, ctx));
  resolved.setDstIps(resolveIpSpaceSpecifier(_destinationIpSpaceSpecifier, ctx));
  return resolved.build();
}
/**
 * Intersecting two header spaces that both constrain destination IPs yields a header space whose
 * destination IPs are the {@link AclIpSpace#intersection} of the two.
 */
@Test
public void testIntersect_nonTrivialDstIpIntersection() {
  HeaderSpace first = HeaderSpace.builder().setDstIps(IP1).build();
  HeaderSpace second = HeaderSpace.builder().setDstIps(IP2).build();
  IpSpace bothIps = AclIpSpace.intersection(IP1, IP2);
  HeaderSpace expected = HeaderSpace.builder().setDstIps(bothIps).build();
  assertThat(intersect(first, second), equalTo(Optional.of(expected)));
}