PAN: trace details for security rules

[sfraint]

Add some shallow trace details for Palo Alto security rules. Specifically, adding basic info on first source address, first destination address, and first service matched for a given rule.

---

Some example traces for cross-zone policies might look like this:

Matched security rule RULE1
   Matched source address
      Matched address-group addr_group1
   Matched destination address
      Matched address object addr2
   Matched a service

Matched security rule RULE2
   Matched source address
      Matched address value 10.10.10.10
   Matched destination address
      Matched address value 10.11.12.0/24
   Matched service application-default

Matched security rule RULE3
   Matched source address
      Matched address any
   Matched destination address
      Matched address any
   Matched service any

[batfish-bot]

This change is 

[codecov]

Codecov Report

Merging #6208 into master will increase coverage by 0.01%.
The diff coverage is 90.00%.

@@             Coverage Diff              @@
##             master    #6208      +/-   ##
============================================
+ Coverage     72.90%   72.92%   +0.01%     
- Complexity    34872    34909      +37     
============================================
  Files          2826     2826              
  Lines        142152   142234      +82     
  Branches      17070    17081      +11     
============================================
+ Hits         103639   103720      +81     
+ Misses        30313    30298      -15     
- Partials       8200     8216      +16     

Impacted Files	Coverage Δ	Complexity Δ
...n/java/org/batfish/datamodel/acl/AndMatchExpr.java	93.75% <ø> (ø)	9.00 <0.00> (ø)
...in/java/org/batfish/datamodel/acl/OrMatchExpr.java	87.50% <ø> (ø)	8.00 <0.00> (ø)
...a/org/batfish/datamodel/acl/AclLineMatchExprs.java	83.03% <50.00%> (-0.61%)	49.00 <1.00> (+1.00)	⬇️
...tfish/representation/palo_alto/ServiceBuiltIn.java	79.31% <50.00%> (-4.69%)	11.00 <2.00> (+2.00)	⬇️
...epresentation/palo_alto/PaloAltoConfiguration.java	87.60% <90.56%> (+0.50%)	347.00 <14.00> (+16.00)
...tation/palo_alto/PaloAltoTraceElementCreators.java	100.00% <100.00%> (ø)	21.00 <11.00> (+11.00)
...rg/batfish/identifiers/StorageBasedIdResolver.java	88.88% <0.00%> (-4.45%)	27.00% <0.00%> (ø%)
...org/batfish/datamodel/flow/BidirectionalTrace.java	81.81% <0.00%> (-2.28%)	14.00% <0.00%> (-1.00%)
...col/src/main/java/org/batfish/role/InferRoles.java	89.54% <0.00%> (-1.37%)	50.00% <0.00%> (-1.00%)
...src/main/java/org/batfish/coordinator/PoolMgr.java	59.25% <0.00%> (-1.24%)	15.00% <0.00%> (-1.00%)
... and 13 more

[dhalperi]

Reviewed 9 of 9 files at r1.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @anothermattbrown, @corinaminer, and @sfraint)

---

projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1060 at r1 (raw file):

// Tracing past NotExpr does not work well, so convert from Not(Or(...)) to
              // And(Not(...)) to push Not further down in trace
              ? new AndMatchExpr(negateMatchIps(dstExprs), matchDestinationAddressTraceElement())

What does the final trace look like here?

[dhalperi]

Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @anothermattbrown and @corinaminer)

---

projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1060 at r1 (raw file):

Previously, dhalperi (Dan Halperin) wrote…

// Tracing past NotExpr does not work well, so convert from Not(Or(...)) to
              // And(Not(...)) to push Not further down in trace
              ? new AndMatchExpr(negateMatchIps(dstExprs), matchDestinationAddressTraceElement())

What does the final trace look like here?

OK to handle later.