/** Creates a {@link PermittedByAcl} match expression that refers to the ACL named {@code aclName}. */
public static PermittedByAcl permittedByAcl(String aclName) {
  PermittedByAcl reference = new PermittedByAcl(aclName);
  return reference;
}
/**
 * Rewrites a {@link PermittedByAcl} so it references the renamed ACL, keeping its default-accept
 * flag and description, and records the original-to-renamed pairing in {@code _literalsMap}.
 */
@Override
public AclLineMatchExpr visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String renamedAclName = _aclRenamer.apply(permittedByAcl.getAclName());
  PermittedByAcl renamed =
      new PermittedByAcl(
          renamedAclName, permittedByAcl.getDefaultAccept(), permittedByAcl.getDescription());
  _literalsMap.put(permittedByAcl, renamed);
  return renamed;
}
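/**
 * Evaluates a {@link PermittedByAcl} by filtering the current flow through the referenced ACL.
 *
 * @return {@code true} iff the referenced ACL permits the flow; when no line of that ACL matches,
 *     the outcome is the expression's default-accept setting.
 * @throws IllegalArgumentException if the referenced ACL is not present in {@code _availableAcls}
 */
@Override
public Boolean visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String aclName = permittedByAcl.getAclName();
  if (!_availableAcls.containsKey(aclName)) {
    // Report the dangling reference by name instead of failing with a bare NPE on the get() below.
    throw new IllegalArgumentException("Undefined PermittedByAcl reference: " + aclName);
  }
  LineAction defaultAction =
      permittedByAcl.getDefaultAccept() ? LineAction.PERMIT : LineAction.DENY;
  LineAction outcome =
      _availableAcls
          .get(aclName)
          .filter(_flow, _srcInterface, _availableAcls, _namedIpSpaces, defaultAction)
          .getAction();
  return outcome == LineAction.PERMIT;
}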
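/**
 * Resolves a {@link PermittedByAcl} through the per-ACL thunk registered under its name.
 *
 * @return the match expression produced by the named ACL's thunk
 * @throws IllegalArgumentException if no thunk is registered for the referenced ACL
 */
@Override
public AclLineMatchExpr visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String aclName = permittedByAcl.getAclName();
  if (!_namedAclThunks.containsKey(aclName)) {
    // Name the missing ACL rather than surfacing an anonymous NPE from the lookup below.
    throw new IllegalArgumentException("Undefined PermittedByAcl reference: " + aclName);
  }
  return _namedAclThunks.get(aclName).get();
}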
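/**
 * Resolves a {@link PermittedByAcl} to the BDD of the referenced ACL via the shared environment.
 *
 * @throws IllegalArgumentException if {@code name} is not a key of {@code _aclEnv}
 * @throws BatfishException if resolving the ACL re-enters its own supplier (a reference cycle)
 */
@Override
public BDD visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String name = permittedByAcl.getAclName();
  checkArgument(_aclEnv.containsKey(name), "Undefined PermittedByAcl reference: %s", name);
  try {
    return _aclEnv.get(name).get();
  } catch (NonRecursiveSupplierException e) {
    // Keep the original exception as the cause so the point of re-entry is not lost.
    throw new BatfishException("Circular PermittedByAcl reference: " + name, e);
  }
}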
/**
 * Converts this service object into a match expression that defers to the ACL generated for it.
 * The {@code objectGroups} argument is accepted for interface compatibility and is not consulted.
 */
@Override
@Nonnull
public AclLineMatchExpr toAclLineMatchExpr(Map<String, ObjectGroup> objectGroups) {
  String description = String.format("Match service object: '%s'", _name);
  return new PermittedByAcl(CiscoConfiguration.computeServiceObjectAclName(_name), description);
}
}
/** Delegates to the referenced ACL: the expression depends on the source interface iff that ACL does. */
@Override
public Boolean visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String aclName = permittedByAcl.getAclName();
  return dependsOnSourceInterface(_ipAccessLists.get(aclName));
}
/** Returns a match expression that defers to the ACL generated for this ICMP object-group. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  String generatedAclName = computeIcmpObjectGroupAclName(_name);
  return new PermittedByAcl(generatedAclName);
}
}
/** Extracts the ACL name from {@code actual} so the wrapped matcher can be applied to it. */
@Override
protected String featureValueOf(PermittedByAcl actual) {
  String aclName = actual.getAclName();
  return aclName;
}
}
/** Returns a match expression that defers to the ACL generated for this service object. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  String generatedAclName = computeServiceObjectAclName(_name);
  return new PermittedByAcl(generatedAclName);
}
}
/** Traces the referenced ACL and reports whether it permits the flow being traced. */
@Override
public Boolean visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String aclName = permittedByAcl.getAclName();
  return trace(_availableAcls.get(aclName));
}
/** Returns a match expression that defers to the ACL generated for this protocol object-group. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  String generatedAclName = computeProtocolObjectGroupAclName(_name);
  return new PermittedByAcl(generatedAclName);
}
}
/**
 * Forces the thunk registered for the referenced ACL.
 *
 * @throws BatfishException if no thunk is registered under the referenced ACL name
 */
@Override
public Void visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  String aclName = permittedByAcl.getAclName();
  Supplier<Void> namedAclThunk = _namedAclThunks.get(aclName);
  if (namedAclThunk != null) {
    return namedAclThunk.get();
  }
  throw new BatfishException("Unknown IpAccessList " + aclName);
}
/** Returns a match expression that defers to the ACL generated for this service object-group. */
@Override
public AclLineMatchExpr toAclLineMatchExpr() {
  String generatedAclName = computeServiceObjectGroupAclName(_name);
  return new PermittedByAcl(generatedAclName);
}
}
/**
 * Encodes the referenced ACL as a nested if-then-else: each line tests its match condition and
 * yields true/false for PERMIT/DENY, otherwise falls through to the lines after it. A flow that
 * matches no line is not permitted.
 */
@Override
public BooleanExpr visitPermittedByAcl(PermittedByAcl permittedByAcl) {
  IpAccessList acl = _nodeAcls.get(permittedByAcl.getAclName());
  // Build from the last line backwards so each line's expression wraps the remainder of the ACL.
  BooleanExpr remainder = org.batfish.z3.expr.FalseExpr.INSTANCE;
  for (int i = acl.getLines().size() - 1; i >= 0; i--) {
    IpAccessListLine line = acl.getLines().get(i);
    BooleanExpr onMatch =
        line.getAction() == LineAction.PERMIT
            ? org.batfish.z3.expr.TrueExpr.INSTANCE
            : org.batfish.z3.expr.FalseExpr.INSTANCE;
    remainder = new IfThenElse(toBooleanExpr(line.getMatchCondition()), onMatch, remainder);
  }
  return remainder;
}
/**
 * Converts this object-group reference into a match on the ACL generated for the group. Protocol
 * and service object-groups are supported; any other (or missing) group matches nothing.
 */
@Override
@Nonnull
public AclLineMatchExpr toAclLineMatchExpr(Map<String, ObjectGroup> objectGroups) {
  ObjectGroup group = objectGroups.get(_name);
  if (group instanceof ProtocolObjectGroup) {
    return referenceGroupAcl(CiscoConfiguration.computeProtocolObjectGroupAclName(_name));
  }
  if (group instanceof ServiceObjectGroup) {
    return referenceGroupAcl(CiscoConfiguration.computeServiceObjectGroupAclName(_name));
  }
  return FalseExpr.INSTANCE;
}

/** Builds the {@link PermittedByAcl} for the generated ACL named {@code aclName}. */
private AclLineMatchExpr referenceGroupAcl(String aclName) {
  return new PermittedByAcl(aclName, String.format("Match object-group: '%s'", _name));
}
}
/**
 * Converts this access-group reference into a match on the named ACL in {@code c}. An access-group
 * naming an ACL that {@code c} does not define currently matches nothing.
 */
@Override
public AclLineMatchExpr toAclLineMatchExpr(
    CiscoConfiguration cc, Configuration c, MatchSemantics matchSemantics, Warnings w) {
  boolean aclDefined = c.getIpAccessLists().containsKey(_name);
  if (!aclDefined) {
    return FalseExpr.INSTANCE;
  }
  String description = String.format("Match if permitted by ip access-group '%s'", _name);
  return new PermittedByAcl(_name, description);
}
}
new IpAccessListLine( LineAction.PERMIT, new PermittedByAcl(ACL_NAME_EXISTING_CONNECTION, false), "EXISTING_CONNECTION")); LineAction.PERMIT, new PermittedByAcl(e.getKey(), false), e.getKey() + "PERMIT")); new NotMatchExpr(new PermittedByAcl(e.getKey(), true)), e.getKey() + "DENY")); new IpAccessListLine( LineAction.PERMIT, new PermittedByAcl(ACL_NAME_GLOBAL_POLICY, false), "GLOBAL_POLICY_ACCEPT")); new IpAccessListLine( LineAction.DENY, new NotMatchExpr(new PermittedByAcl(ACL_NAME_GLOBAL_POLICY, true)), "GLOBAL_POLICY_REJECT"));
/**
 * Scope the headerspace permitted by an {@link IpAccessList} to those flows that also match
 * {@code invariantExpr}.
 */
@VisibleForTesting
static IpAccessList scopedAcl(AclLineMatchExpr invariantExpr, IpAccessList acl) {
  // Flows violating the invariant are rejected first; everything else defers to the original ACL.
  IpAccessListLine rejectNonInvariant = rejecting(not(invariantExpr));
  IpAccessListLine deferToAcl = accepting(new PermittedByAcl(acl.getName()));
  return IpAccessList.builder()
      .setName(INVARIANT_ACL_NAME)
      .setLines(ImmutableList.of(rejectNonInvariant, deferToAcl))
      .build();
}
}
/**
 * Builds an ACL named {@code aclName} that accepts a flow only when every screen configured on
 * {@code zone} permits it. Screens that yield no ACL are skipped.
 *
 * @return the combined ACL, or {@code null} when no screen contributed a match
 */
@Nullable
@VisibleForTesting
IpAccessList buildScreensPerZone(@Nonnull Zone zone, String aclName) {
  List<AclLineMatchExpr> screenMatches =
      zone.getScreens().stream()
          .map(this::screenMatchExpr)
          .filter(Objects::nonNull)
          .collect(Collectors.toList());
  if (screenMatches.isEmpty()) {
    return null;
  }
  IpAccessListLine acceptAllScreens = IpAccessListLine.accepting(new AndMatchExpr(screenMatches));
  return IpAccessList.builder()
      .setName(aclName)
      .setLines(ImmutableList.of(acceptAllScreens))
      .build();
}

/**
 * Returns a match on the ACL generated for {@code screenName}, creating that ACL in {@code _c} on
 * first use, or {@code null} if the screen produces no ACL.
 */
@Nullable
private AclLineMatchExpr screenMatchExpr(String screenName) {
  Screen screen = _masterLogicalSystem.getScreens().get(screenName);
  String screenAclName = ACL_NAME_SCREEN + screenName;
  IpAccessList screenAcl =
      _c.getIpAccessLists()
          .computeIfAbsent(screenAclName, x -> buildScreen(screen, screenAclName));
  if (screenAcl == null) {
    return null;
  }
  return new PermittedByAcl(screenAcl.getName(), false);
}