PAN: Support for rule-type in security rules

projects/batfish/src/main/java/org/batfish/grammar/palo_alto/PaloAltoConfigurationBuilder.java

@@ -288,6 +288,7 @@
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_fromContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_negate_destinationContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_negate_sourceContext;
+import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_rule_typeContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_serviceContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_sourceContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Srs_toContext;
@@ -391,6 +392,7 @@
 import org.batfish.representation.palo_alto.RuleEndpoint;
 import org.batfish.representation.palo_alto.Rulebase;
 import org.batfish.representation.palo_alto.SecurityRule;
+import org.batfish.representation.palo_alto.SecurityRule.RuleType;
 import org.batfish.representation.palo_alto.Service;
 import org.batfish.representation.palo_alto.ServiceBuiltIn;
 import org.batfish.representation.palo_alto.ServiceGroup;
@@ -2472,6 +2474,19 @@ public void exitSrs_action(Srs_actionContext ctx) {
     }
   }
 
+  @Override
+  public void exitSrs_rule_type(Srs_rule_typeContext ctx) {
+    if (ctx.INTERZONE() != null) {
+      _currentSecurityRule.setRuleType(RuleType.INTERZONE);
+    } else if (ctx.INTRAZONE() != null) {
+      _currentSecurityRule.setRuleType(RuleType.INTRAZONE);
+    } else if (ctx.UNIVERSAL() != null) {
+      _currentSecurityRule.setRuleType(RuleType.UNIVERSAL);
+    } else {
+      warn(ctx, "Unsupported security rule-type");
+    }
+  }
+
   private void referenceApplicationLike(
       String name, String uniqueName, PaloAltoStructureUsage usage, ParserRuleContext var) {
     PaloAltoStructureType type =

projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java

@@ -149,6 +149,7 @@
 import org.batfish.datamodel.transformation.TransformationStep;
 import org.batfish.representation.palo_alto.OspfAreaNssa.DefaultRouteType;
 import org.batfish.representation.palo_alto.OspfInterface.LinkType;
+import org.batfish.representation.palo_alto.SecurityRule.RuleType;
 import org.batfish.representation.palo_alto.Vsys.NamespaceType;
 import org.batfish.representation.palo_alto.Zone.Type;
 import org.batfish.vendor.StructureUsage;
@@ -613,20 +614,7 @@ private IpAccessList generateCrossZoneFilter(
     // Build an ACL Line for each rule that is enabled and applies to this from/to zone pair.
     List<AclLine> lines =
         rules.stream()
-            .filter(
-                e -> {
-                  SecurityRule rule = e.getKey();
-                  if (rule.getDisabled()) {
-                    return false;
-                  } else if (Sets.intersection(
-                          rule.getFrom(), ImmutableSet.of(fromZone.getName(), CATCHALL_ZONE_NAME))
-                      .isEmpty()) {
-                    return false;
-                  }
-                  return !Sets.intersection(
-                          rule.getTo(), ImmutableSet.of(toZone.getName(), CATCHALL_ZONE_NAME))
-                      .isEmpty();
-                })
+            .filter(e -> securityRuleApplies(fromZone.getName(), toZone.getName(), e.getKey()))
             .map(entry -> toIpAccessListLine(entry.getKey(), entry.getValue()))
             .collect(ImmutableList.toImmutableList());
     // Intrazone traffic is allowed by default.
@@ -647,6 +635,28 @@ private IpAccessList generateCrossZoneFilter(
     return IpAccessList.builder().setName(crossZoneFilterName).setLines(lines).build();
   }
 
+  @VisibleForTesting
+  static boolean securityRuleApplies(String fromZoneName, String toZoneName, SecurityRule rule) {
+    if (rule.getDisabled()) {
+      return false;
+    }
+    boolean fromZoneInRuleFrom =
+        !Sets.intersection(rule.getFrom(), ImmutableSet.of(fromZoneName, CATCHALL_ZONE_NAME))
+            .isEmpty();
+    boolean toZoneInRuleTo =
+        !Sets.intersection(rule.getTo(), ImmutableSet.of(toZoneName, CATCHALL_ZONE_NAME)).isEmpty();
+    // rule-type doc:
+    // https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
+    if (rule.getRuleType() == RuleType.INTRAZONE) {
+      // destination zones ignored for intrazone rules
+      return fromZoneInRuleFrom && fromZoneName.equals(toZoneName);
+    } else if (rule.getRuleType() == RuleType.INTERZONE) {
+      return fromZoneInRuleFrom && toZoneInRuleTo && !fromZoneName.equals(toZoneName);
+    }
+    // default case -- universal or unspecified
+    return fromZoneInRuleFrom && toZoneInRuleTo;
+  }
+
   /**
    * Collects the security rules from this Vsys and merges the common pre-/post-rulebases from
    * Panorama.

projects/batfish/src/main/java/org/batfish/representation/palo_alto/SecurityRule.java

@@ -14,6 +14,12 @@
 @ParametersAreNonnullByDefault
 public final class SecurityRule implements Serializable {
 
+  public enum RuleType {
+    INTERZONE,
+    INTRAZONE,
+    UNIVERSAL
+  }
+
   // Name of the rule
   @Nonnull private final String _name;
   // Action of the rule
@@ -42,6 +48,9 @@ public final class SecurityRule implements Serializable {
   // Applications
   @Nonnull private final SortedSet<String> _applications;
 
+  // Applications
+  @Nullable private RuleType _ruleType;
+
   public SecurityRule(String name, Vsys vsys) {
     _action = LineAction.DENY;
     _applications = new TreeSet<>();
@@ -127,6 +136,11 @@ public Vsys getVsys() {
     return _vsys;
   }
 
+  @Nullable
+  public RuleType getRuleType() {
+    return _ruleType;
+  }
+
   public void setAction(LineAction action) {
     _action = action;
   }
@@ -138,4 +152,8 @@ public void setDescription(String description) {
   public void setDisabled(boolean disabled) {
     _disabled = disabled;
   }
+
+  public void setRuleType(@Nullable RuleType ruleType) {
+    _ruleType = ruleType;
+  }
 }

projects/batfish/src/test/java/org/batfish/grammar/palo_alto/PaloAltoGrammarTest.java

@@ -237,6 +237,7 @@
 import org.batfish.representation.palo_alto.RedistRuleRefNameOrPrefix;
 import org.batfish.representation.palo_alto.RuleEndpoint;
 import org.batfish.representation.palo_alto.SecurityRule;
+import org.batfish.representation.palo_alto.SecurityRule.RuleType;
 import org.batfish.representation.palo_alto.ServiceBuiltIn;
 import org.batfish.representation.palo_alto.StaticRoute;
 import org.batfish.representation.palo_alto.Tag;
@@ -2133,6 +2134,19 @@ public void testEmptyZoneOutgoingFilterTraceElements() {
             });
   }
 
+  @Test
+  public void testRulebaseRuleType() {
+    String hostname = "rulebase-rule-type";
+    PaloAltoConfiguration vendorConfig = parsePaloAltoConfig(hostname);
+
+    Map<String, SecurityRule> rules =
+        vendorConfig.getVirtualSystems().get(DEFAULT_VSYS_NAME).getRulebase().getSecurityRules();
+
+    assertThat(rules.get("RULE1").getRuleType(), equalTo(RuleType.INTERZONE));
+    assertThat(rules.get("RULE2").getRuleType(), equalTo(RuleType.INTRAZONE));
+    assertThat(rules.get("RULE3").getRuleType(), equalTo(RuleType.UNIVERSAL));
+  }
+
   @Test
   public void testRulebaseService() {
     String hostname = "rulebase-service";

projects/batfish/src/test/java/org/batfish/representation/palo_alto/PaloAltoConfigurationTest.java

@@ -18,11 +18,14 @@
 import static org.batfish.representation.palo_alto.PaloAltoConfiguration.generateSgSgLines;
 import static org.batfish.representation.palo_alto.PaloAltoConfiguration.generateSharedGatewayOutgoingFilter;
 import static org.batfish.representation.palo_alto.PaloAltoConfiguration.generateVsysSharedGatewayCalls;
+import static org.batfish.representation.palo_alto.PaloAltoConfiguration.securityRuleApplies;
 import static org.batfish.representation.palo_alto.PaloAltoTraceElementCreators.zoneToZoneMatchTraceElement;
 import static org.batfish.representation.palo_alto.PaloAltoTraceElementCreators.zoneToZoneRejectTraceElement;
 import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
@@ -35,6 +38,7 @@
 import org.batfish.datamodel.IpProtocol;
 import org.batfish.datamodel.NamedPort;
 import org.batfish.datamodel.NetworkFactory;
+import org.batfish.representation.palo_alto.SecurityRule.RuleType;
 import org.batfish.representation.palo_alto.Zone.Type;
 import org.junit.Before;
 import org.junit.Test;
@@ -623,4 +627,30 @@ public void testGenerateVsysSharedGatewayCallsMissingLayer3() {
     // no lines should be returned since externalToZone has no layer-3 zone
     assertEquals(generateVsysSharedGatewayCalls(sharedGateway, vsys).count(), 0L);
   }
+
+  @Test
+  public void testSecurityRuleAppliesRuleType() {
+    SecurityRule rule = new SecurityRule("rule", new Vsys(VSYS_NAME));
+    rule.getFrom().addAll(ImmutableList.of("A", "B"));
+    rule.getTo().addAll(ImmutableList.of("C", "B"));
+
+    // default case -- covers universal
+    assertTrue(securityRuleApplies("A", "B", rule));
+    assertTrue(securityRuleApplies("A", "C", rule));
+    assertTrue(securityRuleApplies("B", "B", rule));
+    assertFalse(securityRuleApplies("A", "A", rule));
+    assertFalse(securityRuleApplies("C", "A", rule));
+
+    rule.setRuleType(RuleType.INTERZONE);
+    assertTrue(securityRuleApplies("A", "C", rule));
+    assertTrue(securityRuleApplies("A", "B", rule));
+    assertFalse(securityRuleApplies("A", "A", rule));
+    assertFalse(securityRuleApplies("B", "B", rule));
+
+    rule.setRuleType(RuleType.INTRAZONE);
+    assertTrue(securityRuleApplies("A", "A", rule));
+    assertTrue(securityRuleApplies("B", "B", rule));
+    assertFalse(securityRuleApplies("A", "B", rule));
+    assertFalse(securityRuleApplies("C", "C", rule));
+  }
 }

projects/batfish/src/test/resources/org/batfish/grammar/palo_alto/testconfigs/rulebase-rule-type

@@ -0,0 +1,24 @@
+set deviceconfig system hostname rulebase-rule-type
+set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/24
+set network interface ethernet ethernet1/4 layer3 ip 1.1.4.1/24
+set zone z1 network layer3 [ ethernet1/1 ]
+set zone z2 network layer3 ethernet1/4
+
+set rulebase security rules RULE1 from z1
+set rulebase security rules RULE1 to z2
+set rulebase security rules RULE1 source any
+set rulebase security rules RULE1 destination any
+set rulebase security rules RULE1 rule-type interzone
+
+set rulebase security rules RULE2 from z1
+set rulebase security rules RULE2 to z2
+set rulebase security rules RULE2 source any
+set rulebase security rules RULE2 destination any
+set rulebase security rules RULE2 rule-type intrazone
+
+set rulebase security rules RULE3 from z1
+set rulebase security rules RULE3 to z2
+set rulebase security rules RULE3 source any
+set rulebase security rules RULE3 destination any
+set rulebase security rules RULE3 rule-type universal
+