/**
 * Adds this address-book entry to the builder's source-IP constraint.
 *
 * <p>The entry is looked up in the zone's address book when a zone is attached, otherwise in the
 * global book. The entry is not expanded here: an {@link IpSpaceReference} named
 * {@code <bookName>~<entryName>} is recorded instead, so the address book must be exported under
 * exactly that name for the reference to resolve later. (An unresolved reference does not silently
 * match everything; the ACL sanitizer tests in this listing show such lines being made unmatchable.)
 *
 * <p>If the builder already carries source IPs, the reference is unioned with them -- this widens
 * the match rather than narrowing it. {@code jc}, {@code w} and {@code c} are unused here but are
 * part of the shared {@code applyTo} signature.
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  AddressBook book = (_zone != null) ? _zone.getAddressBook() : _globalAddressBook;
  String bookName = book.getAddressBookName(_addressBookEntryName);
  IpSpaceReference entryRef = new IpSpaceReference(bookName + "~" + _addressBookEntryName);

  IpSpace existing = headerSpaceBuilder.getSrcIps();
  if (existing == null) {
    headerSpaceBuilder.setSrcIps(AclIpSpace.union(entryRef));
    return;
  }
  // Reference first, then the pre-existing space: same operand order as before.
  headerSpaceBuilder.setSrcIps(AclIpSpace.union(ImmutableList.<IpSpace>of(entryRef, existing)));
}
}
/**
 * Builds a matcher for exactly one 5-tuple: source/destination address, a single source and
 * destination port, and an IP protocol.
 *
 * <p>Each port is encoded as a one-element {@link SubRange} {@code [port, port]}. No other header
 * field is constrained, so this says nothing about ICMP type/code, TCP flags, or the like.
 * Validity of the addresses and port numbers is left to {@link Ip} and {@link SubRange}; nothing
 * is range-checked here.
 *
 * @param srcIp source address
 * @param srcPort single source port
 * @param dstIp destination address
 * @param dstPort single destination port
 * @param ipProtocol the only protocol the matcher accepts
 * @return a {@link MatchHeaderSpace} over those five constraints
 */
public static MatchHeaderSpace match5Tuple(
    Ip srcIp, int srcPort, Ip dstIp, int dstPort, IpProtocol ipProtocol) {
  SubRange srcPortRange = new SubRange(srcPort, srcPort);
  SubRange dstPortRange = new SubRange(dstPort, dstPort);
  HeaderSpace hs =
      HeaderSpace.builder()
          .setIpProtocols(ImmutableList.of(ipProtocol))
          .setSrcIps(srcIp.toIpSpace())
          .setDstIps(dstIp.toIpSpace())
          .setSrcPorts(ImmutableList.of(srcPortRange))
          .setDstPorts(ImmutableList.of(dstPortRange))
          .build();
  return new MatchHeaderSpace(hs);
}
}
/**
 * Intersecting two header spaces that constrain different fields (dst IPs vs. src IPs) yields a
 * space carrying both constraints, regardless of argument order.
 *
 * <p>Not covered here: two spaces constraining the same field with disjoint values, which
 * presumably yields {@code Optional.empty()} -- verify separately.
 */
@Test
public void testIntersect() {
  HeaderSpace dstOnly = HeaderSpace.builder().setDstIps(IP1).build();
  HeaderSpace srcOnly = HeaderSpace.builder().setSrcIps(IP2).build();
  HeaderSpace combined = HeaderSpace.builder().setDstIps(IP1).setSrcIps(IP2).build();
  Optional<HeaderSpace> expected = Optional.of(combined);

  // intersect must be commutative for disjoint field sets
  assertThat(intersect(dstOnly, srcOnly), equalTo(expected));
  assertThat(intersect(srcOnly, dstOnly), equalTo(expected));
}
/**
 * Converts one extended ACL line into a vendor-independent {@link IpAccessListLine}.
 *
 * <p>The source and destination address specifiers become IP spaces; the service specifier is
 * turned into an {@link AclLineMatchExpr} using {@code objectGroups} to resolve group names.
 * When that expression is a bare {@link MatchHeaderSpace}, the two address spaces are written
 * into its header space directly (any srcIps/dstIps it already carried are overwritten);
 * otherwise the address constraint is conjoined with it via {@link AndMatchExpr}.
 *
 * <p>This method does not itself verify that every group the line references exists in
 * {@code objectGroups}; that is the service specifier's responsibility.
 *
 * @param line the parsed ACL line (action, name, address and service specifiers)
 * @param objectGroups named object groups available for resolution
 * @return the equivalent access-list line, with the original action and name
 */
private static IpAccessListLine toIpAccessListLine(
    ExtendedAccessListLine line, Map<String, ObjectGroup> objectGroups) {
  IpSpace src = line.getSourceAddressSpecifier().toIpSpace();
  IpSpace dst = line.getDestinationAddressSpecifier().toIpSpace();
  AclLineMatchExpr service = line.getServiceSpecifier().toAclLineMatchExpr(objectGroups);

  AclLineMatchExpr condition;
  if (!(service instanceof MatchHeaderSpace)) {
    MatchHeaderSpace addresses =
        new MatchHeaderSpace(HeaderSpace.builder().setSrcIps(src).setDstIps(dst).build());
    condition = new AndMatchExpr(ImmutableList.of(service, addresses));
  } else {
    HeaderSpace merged =
        ((MatchHeaderSpace) service)
            .getHeaderspace()
            .toBuilder()
            .setSrcIps(src)
            .setDstIps(dst)
            .build();
    condition = new MatchHeaderSpace(merged);
  }

  return IpAccessListLine.builder()
      .setName(line.getName())
      .setAction(line.getAction())
      .setMatchCondition(condition)
      .build();
}
/**
 * A chain of named IP-space references whose last link is undefined must not resolve to
 * "anything": the sanitizer is expected to replace the accept line with {@code UNMATCHABLE}
 * rather than keep a permit whose source set is unknown.
 */
@Test
public void testWithUndefinedIpSpaceReferenceChain() {
  // ipSpace1 -> ipSpace2 -> ipSpace3; ipSpace3 is never defined
  _c1.setIpSpaces(
      ImmutableSortedMap.of(
          "ipSpace1", new IpSpaceReference("ipSpace2"),
          "ipSpace2", new IpSpaceReference("ipSpace3")));

  MatchHeaderSpace chainHead =
      new MatchHeaderSpace(
          HeaderSpace.builder().setSrcIps(new IpSpaceReference("ipSpace1")).build());
  _aclb
      .setLines(
          ImmutableList.of(IpAccessListLine.accepting().setMatchCondition(chainHead).build()))
      .build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));
  assertThat(specs, hasSize(1));
  // the one line survives, but as an unmatchable line
  assertThat(
      specs.get(0).acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE)));
}
/**
 * A named {@link AclIpSpace} that refers to itself can never be resolved. The sanitizer must
 * terminate (no infinite expansion) and turn the accept line into {@code UNMATCHABLE} instead of
 * leaving a permit whose source set is undefined.
 */
@Test
public void testWithAclIpSpaceWithCircularRef() {
  // "aclIpSpace" permits exactly one thing: a reference back to "aclIpSpace"
  AclIpSpace selfReferential =
      AclIpSpace.of(AclIpSpaceLine.permit(new IpSpaceReference("aclIpSpace")));
  _c1.setIpSpaces(ImmutableSortedMap.of("aclIpSpace", selfReferential));

  MatchHeaderSpace matchCycle =
      new MatchHeaderSpace(
          HeaderSpace.builder().setSrcIps(new IpSpaceReference("aclIpSpace")).build());
  _aclb
      .setLines(
          ImmutableList.of(IpAccessListLine.accepting().setMatchCondition(matchCycle).build()))
      .build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));
  assertThat(specs, hasSize(1));
  assertThat(
      specs.get(0).acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE)));
}
/**
 * Specializes every constrained field of {@code headerSpace} against the concrete packet
 * {@code _pkt} and the source/destination IP-space specializers.
 *
 * <p>Each field is handled independently through the {@code specialize*} helpers: IP fields
 * (dst, notDst, src, notSrc) use the corresponding IP-space specializer, {@code srcOrDstIps}
 * gets both, and port/ICMP fields are narrowed to the packet's values. Positive and negated
 * forms (e.g. {@code dstIps} / {@code notDstIps}) are specialized separately, not merged --
 * the exact narrowing each helper performs is not visible here.
 *
 * @param headerSpace the space to narrow
 * @return a new header space built from the specialized fields
 */
@Override
public HeaderSpace specialize(HeaderSpace headerSpace) {
  HeaderSpace.Builder out = headerSpace.toBuilder();

  // source side
  out.setSrcIps(specializeIpSpace(headerSpace.getSrcIps(), _srcIpSpaceSpecializer))
      .setNotSrcIps(specializeIpSpace(headerSpace.getNotSrcIps(), _srcIpSpaceSpecializer))
      .setSrcPorts(specializeSubRange(headerSpace.getSrcPorts(), _pkt.getSrcPort()))
      .setNotSrcPorts(specializeSubRange(headerSpace.getNotSrcPorts(), _pkt.getSrcPort()));

  // destination side
  out.setDstIps(specializeIpSpace(headerSpace.getDstIps(), _dstIpSpaceSpecializer))
      .setNotDstIps(specializeIpSpace(headerSpace.getNotDstIps(), _dstIpSpaceSpecializer))
      .setDstPorts(specializeSubRange(headerSpace.getDstPorts(), _pkt.getDstPort()))
      .setNotDstPorts(specializeSubRange(headerSpace.getNotDstPorts(), _pkt.getDstPort()));

  // either-side fields take both specializers / both ports
  out.setSrcOrDstIps(
          specializeIpSpace(
              headerSpace.getSrcOrDstIps(), _dstIpSpaceSpecializer, _srcIpSpaceSpecializer))
      .setSrcOrDstPorts(
          specializeSubRange(
              headerSpace.getSrcOrDstPorts(), _pkt.getSrcPort(), _pkt.getDstPort()));

  // protocol-level fields
  out.setIpProtocols(specializeIpProtocols(headerSpace.getIpProtocols()))
      .setIcmpTypes(specializeSubRange(headerSpace.getIcmpTypes(), _pkt.getIcmpType()))
      .setIcmpCodes(specializeSubRange(headerSpace.getIcmpCodes(), _pkt.getIcmpCode()))
      .setTcpFlags(specializeTcpFlags(headerSpace.getTcpFlags()));

  return out.build();
}
/**
 * A reject line whose source is a resolvable named IP space ("ipSpace", bound to 1.2.3.4 by the
 * test fixture) is rewritten by the sanitizer into a literal reject of 1.2.3.4 -- the reference
 * is inlined rather than kept.
 */
@Test
public void testWithIpSpaceReference() {
  MatchHeaderSpace matchNamedSpace =
      new MatchHeaderSpace(
          HeaderSpace.builder().setSrcIps(new IpSpaceReference("ipSpace")).build());
  _aclb
      .setLines(
          ImmutableList.of(
              IpAccessListLine.rejecting().setMatchCondition(matchNamedSpace).build()))
      .build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));
  assertThat(specs, hasSize(1));

  HeaderSpace literalSource =
      HeaderSpace.builder().setSrcIps(Ip.parse("1.2.3.4").toIpSpace()).build();
  assertThat(
      specs.get(0).acl.getSanitizedAcl().getLines(),
      equalTo(ImmutableList.of(rejectingHeaderSpace(literalSource))));
}
private Map<String, IpAccessList> createAclMap( String aclName, String srcIpWildcard, LineAction lineAction) { // Build a single entry map, mapping aclName to an ACL matching the given srcIpWildcard // Create a single ACL line matching the given srcIpWildcard IpAccessListLine acll = IpAccessListLine.builder() .setMatchCondition( new MatchHeaderSpace( HeaderSpace.builder() .setSrcIps(ImmutableSet.of(new IpWildcard(srcIpWildcard))) .build())) .setAction(lineAction) .build(); // Add that single ACL line to a new ACL IpAccessList.Builder aclb = _nf.aclBuilder(); aclb.setName(aclName); aclb.setLines(ImmutableList.of(acll)); // Return a map, mapping aclName to the ACL itself return ImmutableMap.of(aclName, aclb.build()); }
/**
 * Rewrites the IP-space fields of a {@link MatchHeaderSpace} through {@code rename} and records
 * the old-to-new mapping in {@code _literalsMap}.
 *
 * <p>Only the five IP-space fields (dst, notDst, src, notSrc, srcOrDst) are renamed; ports,
 * protocols, flags and every other field are carried over unchanged. {@code rename} is invoked
 * in the same order as before (dst, notDst, src, notSrc, srcOrDst) in case it is stateful.
 *
 * @param matchHeaderSpace the literal to rewrite
 * @return the renamed literal, also stored as the value for the original in {@code _literalsMap}
 */
@Override
public AclLineMatchExpr visitMatchHeaderSpace(MatchHeaderSpace matchHeaderSpace) {
  HeaderSpace original = matchHeaderSpace.getHeaderspace();
  HeaderSpace renamed =
      original
          .toBuilder()
          .setDstIps(rename(original.getDstIps()))
          .setNotDstIps(rename(original.getNotDstIps()))
          .setSrcIps(rename(original.getSrcIps()))
          .setNotSrcIps(rename(original.getNotSrcIps()))
          .setSrcOrDstIps(rename(original.getSrcOrDstIps()))
          .build();
  MatchHeaderSpace result = new MatchHeaderSpace(renamed);
  // side effect: remember the mapping so the caller can translate back
  _literalsMap.put(matchHeaderSpace, result);
  return result;
}
/**
 * Converts {@link PacketHeaderConstraints} plus already-resolved source/destination IP spaces
 * into a BDD over a fresh {@link BDDPacket}.
 *
 * <p>{@code srcIpSpace} and {@code dstIpSpace} overwrite whatever source/destination IPs
 * {@code toHeaderSpaceBuilder(phc)} produced. {@code namedIpSpaces} is passed to the
 * {@link HeaderSpaceToBDD} translator so that {@link IpSpaceReference}s inside the header space
 * can be resolved; how an unresolvable name is treated is decided there, not here.
 *
 * <p>A new {@link BDDPacket} is allocated on every call; BDDs built over different packets are
 * not comparable, so callers that need to combine results should presumably share one packet --
 * confirm against the call sites.
 *
 * @param phc the packet header constraints
 * @param namedIpSpaces map of named IP spaces
 * @param srcIpSpace resolved source IP space
 * @param dstIpSpace resolved destination IP space
 * @return the BDD encoding of the combined constraints
 */
public static BDD toBDD(
    PacketHeaderConstraints phc,
    Map<String, IpSpace> namedIpSpaces,
    IpSpace srcIpSpace,
    IpSpace dstIpSpace) {
  HeaderSpace headerSpace =
      toHeaderSpaceBuilder(phc).setSrcIps(srcIpSpace).setDstIps(dstIpSpace).build();
  HeaderSpaceToBDD translator = new HeaderSpaceToBDD(new BDDPacket(), namedIpSpaces);
  return translator.toBDD(headerSpace);
}
/**
 * An accept line that references a named IP space which does not exist ("???") must be
 * sanitized into {@code UNMATCHABLE}: a permit with an unknown source set must fail closed
 * rather than match everything.
 */
@Test
public void testWithUndefinedIpSpaceReference() {
  MatchHeaderSpace matchUnknown =
      new MatchHeaderSpace(
          HeaderSpace.builder().setSrcIps(new IpSpaceReference("???")).build());
  _aclb
      .setLines(
          ImmutableList.of(
              IpAccessListLine.accepting().setMatchCondition(matchUnknown).build()))
      .build();

  List<AclSpecs> specs = getAclSpecs(ImmutableSet.of("c1"));
  assertThat(specs, hasSize(1));
  assertThat(
      specs.get(0).acl.getSanitizedAcl().getLines(), equalTo(ImmutableList.of(UNMATCHABLE)));
}
/**
 * Returns a matcher constrained only on source IPs.
 *
 * @param ipSpace the source space; passed through as-is (a {@code null} is stored unchanged,
 *     meaning "unconstrained" if the builder treats null that way -- confirm)
 * @return a {@link MatchHeaderSpace} whose header space sets nothing but {@code srcIps}
 */
public static MatchHeaderSpace matchSrc(IpSpace ipSpace) {
  HeaderSpace sourceOnly = HeaderSpace.builder().setSrcIps(ipSpace).build();
  return new MatchHeaderSpace(sourceOnly);
}
/**
 * Builds the ingress header space for this rule: the rule's own header-space fields plus
 * source IPs collected from {@code region}.
 *
 * <p>Despite the name, this returns a {@link HeaderSpace}, not an access-list line; the caller
 * is expected to wrap it. {@code collectIpWildCards(region)} decides which addresses count as
 * sources -- what it includes is not visible here.
 *
 * @param region the region whose addresses become the permitted sources
 * @return the header space with {@code srcIps} set
 */
public HeaderSpace toIngressIpAccessListLine(Region region) {
  HeaderSpace.Builder ingress = toHeaderSpaceBuilder();
  ingress.setSrcIps(collectIpWildCards(region));
  return ingress.build();
}
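/**
 * Adds this wildcard's address space to the builder's source-IP constraint.
 *
 * <p>When the builder already has source IPs, the wildcard is unioned with them (widening the
 * match). When it has none, the wildcard alone is set -- mirroring the explicit null handling
 * of the address-book-entry sibling of this method, instead of passing a {@code null} operand
 * into {@link AclIpSpace#union}. {@code jc}, {@code w} and {@code c} are unused but belong to
 * the shared {@code applyTo} signature.
 */
@Override
public void applyTo(
    HeaderSpace.Builder headerSpaceBuilder, JuniperConfiguration jc, Warnings w, Configuration c) {
  IpSpace wildcardSpace = _ipWildcard.toIpSpace();
  IpSpace current = headerSpaceBuilder.getSrcIps();
  if (current == null) {
    headerSpaceBuilder.setSrcIps(AclIpSpace.union(wildcardSpace));
  } else {
    // existing space first, then the wildcard: same operand order as before
    headerSpaceBuilder.setSrcIps(AclIpSpace.union(current, wildcardSpace));
  }
}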
/**
 * Sets the NAT rule's source-IP match to a reference into the <em>global</em> address book.
 *
 * <p>The reference name is {@code GLOBAL_ADDRESS_BOOK_PREFIX + <address name>}; zone-scoped
 * address books are not consulted here, so a name that exists only in a zone book will not
 * resolve (how an unresolved reference behaves is up to the consumer). Any previously set
 * source IPs on {@code _headerSpace} are replaced, not unioned.
 *
 * @return always {@code null} (visitor convention)
 */
@Override
public Void visitNatRuleMatchSrcAddrName(NatRuleMatchSrcAddrName natRuleMatchSrcAddrName) {
  String globalName = GLOBAL_ADDRESS_BOOK_PREFIX + natRuleMatchSrcAddrName.getName();
  _headerSpace.setSrcIps(new IpSpaceReference(globalName));
  return null;
}
/**
 * Builds a matcher that constrains a single IP field ({@code SOURCE} or {@code DESTINATION})
 * to {@code prefix}.
 *
 * @param prefix the prefix to match
 * @param field which address field to constrain
 * @return a {@link MatchHeaderSpace} with only that field set
 * @throws BatfishException for any other {@link IpField} value; a {@code null} field hits the
 *     switch and throws {@link NullPointerException}
 */
private static MatchHeaderSpace matchField(Prefix prefix, IpField field) {
  IpSpace space = prefix.toIpSpace();
  HeaderSpace.Builder hs = HeaderSpace.builder();
  switch (field) {
    case SOURCE:
      hs.setSrcIps(space);
      break;
    case DESTINATION:
      hs.setDstIps(space);
      break;
    default:
      throw new BatfishException("Invalid field");
  }
  return new MatchHeaderSpace(hs.build());
}
/**
 * Resolves the source and destination IP-space specifiers against {@code ctx} and returns a
 * <em>new</em> header space with those fields filled in.
 *
 * <p>{@code _headerSpace} itself is not modified; every other field is copied from it unchanged.
 * If either specifier is absent, the corresponding field is whatever
 * {@code resolveIpSpaceSpecifier} returns for it -- not checked here.
 *
 * @param ctx the specifier context used for resolution
 * @return a copy of {@code _headerSpace} with resolved {@code srcIps} and {@code dstIps}
 */
public HeaderSpace resolveHeaderspace(SpecifierContext ctx) {
  IpSpace resolvedSrc = resolveIpSpaceSpecifier(_sourceIpSpaceSpecifier, ctx);
  IpSpace resolvedDst = resolveIpSpaceSpecifier(_destinationIpSpaceSpecifier, ctx);
  HeaderSpace.Builder copy = _headerSpace.toBuilder();
  return copy.setSrcIps(resolvedSrc).setDstIps(resolvedDst).build();
}
/**
 * Converts {@link PacketHeaderConstraints} plus already-resolved source/destination IP spaces
 * into a single {@link MatchHeaderSpace}.
 *
 * <p>{@code srcIpSpace} and {@code dstIpSpace} take precedence over any source/destination IPs
 * that {@code toHeaderSpaceBuilder(phc)} may have produced. Named IP spaces are not resolved
 * here; compare the BDD variant, which takes a {@code namedIpSpaces} map.
 *
 * @param phc the packet header constraints
 * @param srcIpSpace resolved source IP space
 * @param dstIpSpace resolved destination IP space
 * @return a match expression over the combined header space
 */
public static AclLineMatchExpr toAclLineMatchExpr(
    PacketHeaderConstraints phc, IpSpace srcIpSpace, IpSpace dstIpSpace) {
  HeaderSpace.Builder hs = toHeaderSpaceBuilder(phc);
  hs.setSrcIps(srcIpSpace);
  hs.setDstIps(dstIpSpace);
  return new MatchHeaderSpace(hs.build());
}
/**
 * Sets the NAT rule's source-IP match to the literal prefix carried by the match clause.
 *
 * <p>Unlike the address-name variant, no address book is involved: the prefix is converted
 * directly to an IP space. Any previously set source IPs on {@code _headerSpace} are replaced.
 *
 * @return always {@code null} (visitor convention)
 */
@Override
public Void visitNatRuleMatchSrcAddr(NatRuleMatchSrcAddr natRuleMatchSrcAddr) {
  IpSpace sourcePrefix = natRuleMatchSrcAddr.getPrefix().toIpSpace();
  _headerSpace.setSrcIps(sourcePrefix);
  return null;
}