/**
 * Applies an optional protocol and an optional destination-port range to {@code hb}.
 *
 * <p>A {@code null} protocol leaves the builder's IP protocols untouched. A {@code null} start port
 * leaves the destination ports untouched, even when an end port was given (that end port is
 * silently ignored). A {@code null} end port makes the range a single port equal to the start.
 */
private void setHeaderSpaceInfo(
    HeaderSpace.Builder hb,
    @Nullable IpProtocol ipProtocol,
    @Nullable Integer portRangeStart,
    @Nullable Integer portRangeEnd) {
  if (ipProtocol != null) {
    hb.setIpProtocols(ImmutableSet.of(ipProtocol));
  }
  if (portRangeStart == null) {
    return;
  }
  int lastPort = portRangeEnd != null ? portRangeEnd : portRangeStart;
  hb.setDstPorts(ImmutableSet.of(new SubRange(portRangeStart, lastPort)));
}
/**
 * Adds this term's protocol to whatever IP protocols {@code headerSpaceBuilder} already holds.
 *
 * <p>{@code jc}, {@code w} and {@code c} are part of the interface but unused by this term.
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  // Union with the existing protocols rather than replacing them.
  headerSpaceBuilder.setIpProtocols(
      Iterables.concat(headerSpaceBuilder.getIpProtocols(), ImmutableSet.of(_protocol)));
}
/**
 * Records a {@code protocol} statement of an application term by adding the protocol to the
 * term's existing IP-protocol set (the header space is rebuilt, since it is immutable).
 */
@Override
public void exitAat_protocol(Aat_protocolContext ctx) {
  IpProtocol protocol = toIpProtocol(ctx.ip_protocol());
  HeaderSpace current = _currentApplicationTerm.getHeaderSpace();
  ImmutableSet<IpProtocol> protocols =
      ImmutableSet.<IpProtocol>builder().addAll(current.getIpProtocols()).add(protocol).build();
  HeaderSpace updated = current.toBuilder().setIpProtocols(protocols).build();
  _currentApplicationTerm.setHeaderSpace(updated);
}
.setIcmpCodes(_icmpCodes) .setIcmpTypes(_icmpTypes) .setIpProtocols(_ipProtocols) .setNegate(_negate) .setNotDscps(_notDscps)
/**
 * Computes the intersection of two header spaces, or {@link Optional#empty()} when it is empty.
 *
 * <p>Both inputs must leave their srcOrDst IP, port and protocol fields unconstrained.
 *
 * <p>NOTE(review): only the fields in the builder chain below are intersected. Any other
 * constraint a {@code HeaderSpace} can carry (ECNs, fragment offsets, packet lengths, states,
 * negate and the remaining not-* fields, which other builders in this codebase do set) is dropped
 * from the result, so for such inputs the result over-approximates the true intersection —
 * confirm callers only pass header spaces that do not constrain those fields.
 *
 * @throws IllegalArgumentException if either input constrains a srcOrDst field
 */
public static Optional<HeaderSpace> intersect(HeaderSpace h1, HeaderSpace h2) {
  checkArgument(isUnconstrained(h1.getSrcOrDstIps()));
  checkArgument(isUnconstrained(h2.getSrcOrDstIps()));
  checkArgument(isUnconstrained(h1.getSrcOrDstPorts()));
  checkArgument(isUnconstrained(h2.getSrcOrDstPorts()));
  checkArgument(isUnconstrained(h1.getSrcOrDstProtocols()));
  checkArgument(isUnconstrained(h2.getSrcOrDstProtocols()));
  try {
    return Optional.of(
        HeaderSpace.builder()
            // Positive constraints are intersected. A not-* field is a set of exclusions, and an
            // exclusion in either input also excludes from the intersection, so those are unioned.
            .setDscps(intersectSimpleSets(h1.getDscps(), h2.getDscps()))
            .setDstIps(intersection(h1.getDstIps(), h2.getDstIps()))
            .setDstPorts(intersectSubRangeSets(h1.getDstPorts(), h2.getDstPorts()))
            .setDstProtocols(intersectSimpleSets(h1.getDstProtocols(), h2.getDstProtocols()))
            .setIpProtocols(intersectSimpleSets(h1.getIpProtocols(), h2.getIpProtocols()))
            .setIcmpCodes(intersectSubRangeSets(h1.getIcmpCodes(), h2.getIcmpCodes()))
            .setIcmpTypes(intersectSubRangeSets(h1.getIcmpTypes(), h2.getIcmpTypes()))
            .setNotDstIps(AclIpSpace.union(h1.getNotDstIps(), h2.getNotDstIps()))
            .setNotDstPorts(Sets.union(h1.getNotDstPorts(), h2.getNotDstPorts()))
            .setNotSrcIps(AclIpSpace.union(h1.getNotSrcIps(), h2.getNotSrcIps()))
            .setNotSrcPorts(Sets.union(h1.getNotSrcPorts(), h2.getNotSrcPorts()))
            .setSrcIps(AclIpSpace.intersection(h1.getSrcIps(), h2.getSrcIps()))
            .setSrcOrDstPorts(intersectSubRangeSets(h1.getSrcOrDstPorts(), h2.getSrcOrDstPorts()))
            .setSrcPorts(intersectSubRangeSets(h1.getSrcPorts(), h2.getSrcPorts()))
            .setTcpFlags(intersectTcpFlagMatchConditions(h1.getTcpFlags(), h2.getTcpFlags()))
            .build());
  } catch (NoIntersection e) {
    // Presumably thrown by one of the intersect* helpers when a field has no overlap — verify.
    return Optional.empty();
  }
}
/**
 * A permit line restricted to ICMP echo requests (type 8) from a source is fully shadowed by an
 * earlier permit line that accepts all traffic from that same source.
 */
@Test
public void testWithIcmpType() {
  Ip src = Ip.parse("1.2.3.4");
  // First line: accept anything from the source.
  HeaderSpace anyFromSrc = HeaderSpace.builder().setSrcIps(src.toIpSpace()).build();
  // Second line: accept only ICMP type 8 from the same source -- strictly narrower.
  HeaderSpace icmpEchoFromSrc =
      HeaderSpace.builder()
          .setSrcIps(src.toIpSpace())
          .setIpProtocols(ImmutableSet.of(IpProtocol.ICMP))
          .setIcmpTypes(ImmutableList.of(new SubRange(8)))
          .build();
  List<IpAccessListLine> lines =
      ImmutableList.of(
          IpAccessListLine.acceptingHeaderSpace(anyFromSrc),
          IpAccessListLine.acceptingHeaderSpace(icmpEchoFromSrc));
  _aclb.setLines(lines).setName("acl").build();
  List<String> lineNames = lines.stream().map(Object::toString).collect(Collectors.toList());

  TableAnswerElement answer = answer(new FilterLineReachabilityQuestion());

  // Exactly one finding is expected: the second line is unreachable, blocked by the first.
  Row expectedRow =
      Row.builder(COLUMN_METADATA)
          .put(COL_SOURCES, ImmutableList.of(_c1.getHostname() + ": acl"))
          .put(COL_UNREACHABLE_LINE, lineNames.get(1))
          .put(COL_UNREACHABLE_LINE_ACTION, LineAction.PERMIT)
          .put(COL_BLOCKING_LINES, ImmutableList.of(lineNames.get(0)))
          .put(COL_DIFF_ACTION, false)
          .put(COL_REASON, BLOCKING_LINES)
          .build();
  assertThat(answer.getRows().getData(), equalTo(ImmutableMultiset.of(expectedRow)));
}
/**
 * Convert packet header constraints to a {@link HeaderSpace.Builder}.
 *
 * <p><b>Does not resolve/set source and destination IPs.</b>
 */
public static HeaderSpace.Builder toHeaderSpaceBuilder(PacketHeaderConstraints phc) {
  // The builder rejects nulls, so an absent constraint is passed as an empty set.
  HeaderSpace.Builder builder = HeaderSpace.builder();
  builder.setIpProtocols(firstNonNull(phc.resolveIpProtocols(), ImmutableSortedSet.of()));
  builder.setSrcPorts(extractSubranges(phc.getSrcPorts()));
  builder.setDstPorts(extractSubranges(phc.resolveDstPorts()));
  builder.setIcmpCodes(extractSubranges(phc.getIcmpCodes()));
  builder.setIcmpTypes(extractSubranges(phc.getIcmpTypes()));
  builder.setDstProtocols(firstNonNull(phc.getApplications(), ImmutableSortedSet.of()));
  builder.setFragmentOffsets(extractSubranges(phc.getFragmentOffsets()));
  builder.setPacketLengths(extractSubranges(phc.getPacketLengths()));
  builder.setTcpFlags(firstNonNull(phc.getTcpFlags(), ImmutableSet.of()));
  builder.setStates(firstNonNull(phc.getFlowStates(), ImmutableSortedSet.of()));
  // DSCP and ECN are only set when present; they are expanded from their range form.
  if (phc.getDscps() != null) {
    builder.setDscps(phc.getDscps().enumerate());
  }
  if (phc.getEcns() != null) {
    builder.setEcns(ImmutableSortedSet.copyOf(phc.getEcns().enumerate()));
  }
  return builder;
}
/**
 * Narrows every IP, port, protocol, ICMP and TCP-flag field of {@code headerSpace} using the
 * source/destination IP-space specializers and the concrete packet fields held by this object.
 */
@Override
public HeaderSpace specialize(HeaderSpace headerSpace) {
  HeaderSpace.Builder b = headerSpace.toBuilder();
  // Destination side.
  b.setDstIps(specializeIpSpace(headerSpace.getDstIps(), _dstIpSpaceSpecializer));
  b.setNotDstIps(specializeIpSpace(headerSpace.getNotDstIps(), _dstIpSpaceSpecializer));
  b.setDstPorts(specializeSubRange(headerSpace.getDstPorts(), _pkt.getDstPort()));
  b.setNotDstPorts(specializeSubRange(headerSpace.getNotDstPorts(), _pkt.getDstPort()));
  // Protocol and ICMP.
  b.setIpProtocols(specializeIpProtocols(headerSpace.getIpProtocols()));
  b.setIcmpCodes(specializeSubRange(headerSpace.getIcmpCodes(), _pkt.getIcmpCode()));
  b.setIcmpTypes(specializeSubRange(headerSpace.getIcmpTypes(), _pkt.getIcmpType()));
  // Fields that may match either direction are given both specializers / both ports.
  b.setSrcOrDstIps(
      specializeIpSpace(
          headerSpace.getSrcOrDstIps(), _dstIpSpaceSpecializer, _srcIpSpaceSpecializer));
  b.setSrcOrDstPorts(
      specializeSubRange(headerSpace.getSrcOrDstPorts(), _pkt.getSrcPort(), _pkt.getDstPort()));
  // Source side.
  b.setSrcPorts(specializeSubRange(headerSpace.getSrcPorts(), _pkt.getSrcPort()));
  b.setNotSrcPorts(specializeSubRange(headerSpace.getNotSrcPorts(), _pkt.getSrcPort()));
  b.setSrcIps(specializeIpSpace(headerSpace.getSrcIps(), _srcIpSpaceSpecializer));
  b.setNotSrcIps(specializeIpSpace(headerSpace.getNotSrcIps(), _srcIpSpaceSpecializer));
  b.setTcpFlags(specializeTcpFlags(headerSpace.getTcpFlags()));
  return b.build();
}
/**
 * Builds a single-line ACL, with the given action, that matches this service's protocol together
 * with its source and destination port sets. {@code pc} and {@code vsys} are unused here.
 */
@Override
public IpAccessList toIpAccessList(LineAction action, PaloAltoConfiguration pc, Vsys vsys) {
  // Each configured port becomes a single-port range.
  HeaderSpace headerSpace =
      HeaderSpace.builder()
          .setSrcPorts(_sourcePorts.stream().map(SubRange::new).collect(Collectors.toSet()))
          .setDstPorts(_ports.stream().map(SubRange::new).collect(Collectors.toSet()))
          .setIpProtocols(ImmutableList.of(_protocol))
          .build();
  IpAccessListLine line =
      IpAccessListLine.builder()
          .setAction(action)
          .setMatchCondition(new MatchHeaderSpace(headerSpace))
          .build();
  return IpAccessList.builder()
      .setName(_name)
      .setLines(ImmutableList.of(line))
      .setSourceName(_name)
      .setSourceType(PaloAltoStructureType.SERVICE.getDescription())
      .build();
}
}
/**
 * Converts this line's header constraints to a {@link MatchHeaderSpace}. {@code objectGroups} is
 * not consulted by this implementation.
 */
@Override
@Nonnull
public AclLineMatchExpr toAclLineMatchExpr(Map<String, ObjectGroup> objectGroups) {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  hs.setDscps(_dscps);
  hs.setDstPorts(_dstPortRanges);
  hs.setEcns(_ecns);
  hs.setSrcPorts(_srcPortRanges);
  hs.setStates(_states);
  hs.setTcpFlags(_tcpFlags);
  // Single-value ICMP fields become one-element ranges; an absent value is an empty set.
  if (_icmpCode != null) {
    hs.setIcmpCodes(ImmutableSet.of(new SubRange(_icmpCode)));
  } else {
    hs.setIcmpCodes(ImmutableSet.of());
  }
  if (_icmpType != null) {
    hs.setIcmpTypes(ImmutableSet.of(new SubRange(_icmpType)));
  } else {
    hs.setIcmpTypes(ImmutableSet.of());
  }
  // The generic IP protocol is treated here as "no protocol constraint".
  if (_protocol != IpProtocol.IP) {
    hs.setIpProtocols(ImmutableSet.of(_protocol));
  } else {
    hs.setIpProtocols(ImmutableSet.of());
  }
  return new MatchHeaderSpace(hs.build());
}
/**
 * Builds a header space matching this rule's IP protocol (if one resolves) and, unless the rule
 * covers every port, its destination port range.
 */
private HeaderSpace.Builder toHeaderSpaceBuilder() {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  IpProtocol protocol = toIpProtocol(_ipProtocol);
  if (protocol != null) {
    hs.setIpProtocols(ImmutableSet.of(protocol));
  }
  // 0-65535 means "any port": leave dst ports unconstrained instead of adding a full-range match.
  boolean coversAllPorts = _fromPort == 0 && _toPort == 65535;
  if (!coversAllPorts) {
    hs.setDstPorts(ImmutableSet.of(new SubRange(_fromPort, _toPort)));
  }
  return hs;
}
}
/**
 * The BDD of a header space listing several IP protocols is the disjunction of the per-protocol
 * BDDs.
 */
@Test
public void test_ipProtocols() {
  HeaderSpace headerSpace =
      HeaderSpace.builder()
          .setIpProtocols(ImmutableList.of(IpProtocol.TCP, IpProtocol.UDP))
          .build();
  BDD actual = _toBDD.toBDD(headerSpace);
  BDD tcp = _pkt.getIpProtocol().value(IpProtocol.TCP.number());
  BDD udp = _pkt.getIpProtocol().value(IpProtocol.UDP.number());
  assertThat(actual, equalTo(tcp.or(udp)));
}
/** Matches TCP or UDP traffic whose source or destination port is one of this object's ports. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace hs =
      HeaderSpace.builder()
          .setIpProtocols(ImmutableList.of(IpProtocol.TCP, IpProtocol.UDP))
          .setSrcOrDstPorts(_ports)
          .build();
  return new MatchHeaderSpace(hs);
}
}
/**
 * Matches any of this object's protocols with its source and destination ports and, when set, a
 * single ICMP type.
 */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  hs.setIpProtocols(ImmutableList.copyOf(_protocols));
  hs.setDstPorts(_dstPorts);
  hs.setSrcPorts(_srcPorts);
  if (_icmpType != null) {
    hs.setIcmpTypes(ImmutableList.of(new SubRange(_icmpType)));
  }
  return new MatchHeaderSpace(hs.build());
}
}
/** Matches TCP traffic whose destination port is one of this object's ports. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace hs =
      HeaderSpace.builder()
          .setIpProtocols(ImmutableList.of(IpProtocol.TCP))
          .setDstPorts(_ports)
          .build();
  return new MatchHeaderSpace(hs);
}
}
/**
 * Builds a match on an exact 5-tuple: one source IP and port, one destination IP and port, and
 * one IP protocol.
 */
public static MatchHeaderSpace match5Tuple(
    Ip srcIp, int srcPort, Ip dstIp, int dstPort, IpProtocol ipProtocol) {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  hs.setSrcIps(srcIp.toIpSpace());
  hs.setDstIps(dstIp.toIpSpace());
  // Single ports are expressed as degenerate one-port ranges.
  hs.setSrcPorts(ImmutableList.of(new SubRange(srcPort, srcPort)));
  hs.setDstPorts(ImmutableList.of(new SubRange(dstPort, dstPort)));
  hs.setIpProtocols(ImmutableList.of(ipProtocol));
  return new MatchHeaderSpace(hs.build());
}
}
/** Matches all ICMP traffic, with no further constraint on type or code. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  hs.setIpProtocols(ImmutableList.of(IpProtocol.ICMP));
  return new MatchHeaderSpace(hs.build());
}
}
/** Matches UDP traffic whose destination port is one of this object's ports. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace hs =
      HeaderSpace.builder()
          .setIpProtocols(ImmutableList.of(IpProtocol.UDP))
          .setDstPorts(_ports)
          .build();
  return new MatchHeaderSpace(hs);
}
}
/** Matches all traffic of this object's single IP protocol, with no port constraint. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  HeaderSpace.Builder hs = HeaderSpace.builder();
  hs.setIpProtocols(ImmutableList.of(_protocol));
  return new MatchHeaderSpace(hs.build());
}
}
/**
 * Adds this object's IP protocols, destination ports and source ports to {@code
 * destinationHeaderSpace}, keeping whatever the builder already holds in each of those fields.
 *
 * <p>NOTE(review): {@code Iterables.concat} returns a lazy view over both inputs; presumably the
 * builder's setters copy it — verify, since otherwise the builder would alias this object's sets.
 */
public void applyTo(HeaderSpace.Builder destinationHeaderSpace) {
  destinationHeaderSpace.setSrcPorts(
      Iterables.concat(destinationHeaderSpace.getSrcPorts(), _headerSpace.getSrcPorts()));
  destinationHeaderSpace.setDstPorts(
      Iterables.concat(destinationHeaderSpace.getDstPorts(), _headerSpace.getDstPorts()));
  destinationHeaderSpace.setIpProtocols(
      Iterables.concat(destinationHeaderSpace.getIpProtocols(), _headerSpace.getIpProtocols()));
}