-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PAN support application any
with service application-default
#5310
Conversation
Codecov Report
@@ Coverage Diff @@
## master #5310 +/- ##
============================================
+ Coverage 73.4% 73.4% +<.01%
- Complexity 31992 32007 +15
============================================
Files 2624 2624
Lines 128981 129057 +76
Branches 15512 15523 +11
============================================
+ Hits 94682 94739 +57
- Misses 26797 26815 +18
- Partials 7502 7503 +1
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 0 of 3 files reviewed, 1 unresolved discussion
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1018 at r2 (raw file):
Quoted 7 lines of code…
if (rule.getAction() == LineAction.PERMIT) { // Since Batfish cannot currently match above L4, we follow Cisco-fragments-like logic: // When permitting an application, optimistically permit all traffic where the L4 rule // matches, assuming it is this application. But when blocking a specific application, do // not block all matching L4 traffic, since we can't know it is this specific application. serviceDisjuncts.addAll(matchApplications(rule, vsys)); }
is this the desired behavior even when any
is in the set of applications for a deny rule? i.e. no traffic will match a "deny any application" rule w/ application-default specified
I haven't seen any deny rules referencing any application with application-default specified, but it is surely possible
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1018 at r2 (raw file): Previously, sfraint (Spencer Fraint) wrote…
Don't you mean all traffic will match? |
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1044 at r2 (raw file): Quoted 4 lines of code…
This almost certainly needs to go down below where we check built-ins? Although hopefully no one overrides the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 0 of 3 files reviewed, 2 unresolved discussions (waiting on @dhalperi, @progwriter, and @sfraint)
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1018 at r2 (raw file):
Previously, dhalperi (Dan Halperin) wrote…
Don't you mean all traffic will match?
yes, meant all traffic will match, and no traffic will be permitted
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 3 of 3 files at r2.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @progwriter and @sfraint)
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1018 at r2 (raw file):
Previously, sfraint (Spencer Fraint) wrote…
yes, meant all traffic will match, and no traffic will be permitted
Is that not the only case this comes up?
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1035 at r2 (raw file):
} private List<AclLineMatchExpr> matchApplications(SecurityRule rule, Vsys vsys) {
Is this function only used above? If so, rename to something that indicates that?
bad attempt: matchServiceForApplications
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @progwriter and @sfraint)
a discussion (no related file):
Please rename PR to better indicate the change. We absolutely have support for the any application.
any
any
with service application-default
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @dhalperi, @progwriter, and @sfraint)
a discussion (no related file):
Previously, dhalperi (Dan Halperin) wrote…
Please rename PR to better indicate the change. We absolutely have support for the any application.
Updated
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1018 at r2 (raw file):
Previously, dhalperi (Dan Halperin) wrote…
Is that not the only case this comes up?
Chatted more offline about this and decided maybe we should handle the case where a deny
rule uses any
application with application-default
service, since we currently will never match or deny traffic due to a rule like that.
This also seems like something we can add separately from this PR.
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1044 at r2 (raw file):
Did you mean create a built-in for any
instead of special-asing it here?
And you cannot override the any
built-in 🙂
>>> set vsys vsys1 application any description testing
Server error : 'any' is invalid. 'any' is not allowed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 2 of 3 files reviewed, all discussions resolved (waiting on @dhalperi and @progwriter)
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1035 at r2 (raw file):
Previously, dhalperi (Dan Halperin) wrote…
Is this function only used above? If so, rename to something that indicates that?
bad attempt: matchServiceForApplications
done, didn't think of anything much better so sticking with that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r3.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @progwriter)
Add support for
any
application, which was previously unhandled in Batfish.In Palo Alto security rules,
application-default
can be specified as service match, which effectively defers traffic matching to application inspection. In that case, the specialany
application should match any application defined on the device.After this PR, Batfish assumes that all traffic will match the
any
application.