Juniper Filters: Better names for cross-zone firewall filters (#5395)

batfish · Jan 11, 2020 · 5aa8471 · 5aa8471
1 parent 2764f38
commit 5aa8471
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 11 deletions.
diff --git a/...cts/batfish/src/main/java/org/batfish/representation/juniper/CompositeFirewallFilter.java b/...cts/batfish/src/main/java/org/batfish/representation/juniper/CompositeFirewallFilter.java
@@ -4,6 +4,7 @@
 
 import com.google.common.collect.ImmutableList;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 import javax.annotation.Nonnull;
@@ -39,5 +40,10 @@ public boolean isUsedForFBF() {
     return _inner.stream().anyMatch(FirewallFilter::isUsedForFBF);
   }
 
+  @Override
+  public Optional<String> getFromZone() {
+    return Optional.empty();
+  }
+
   private final @Nonnull List<FirewallFilter> _inner;
 }
diff --git a/...ects/batfish/src/main/java/org/batfish/representation/juniper/ConcreteFirewallFilter.java b/...ects/batfish/src/main/java/org/batfish/representation/juniper/ConcreteFirewallFilter.java
@@ -2,7 +2,7 @@
 
 import java.util.LinkedHashMap;
 import java.util.Map;
-import javax.annotation.Nullable;
+import java.util.Optional;
 
 /** A firewall filter on Juniper. */
 public final class ConcreteFirewallFilter extends FirewallFilter {
@@ -29,8 +29,9 @@ public Family getFamily() {
     return _family;
   }
 
-  public @Nullable String getFromZone() {
-    return _fromZone;
+  @Override
+  public Optional<String> getFromZone() {
+    return Optional.ofNullable(_fromZone);
   }
 
   /** Whether or not this filter is used for Filter-Based Forwarding (FBF) */

diff --git a/projects/batfish/src/main/java/org/batfish/representation/juniper/FirewallFilter.java b/projects/batfish/src/main/java/org/batfish/representation/juniper/FirewallFilter.java
@@ -1,6 +1,7 @@
 package org.batfish.representation.juniper;
 
 import java.io.Serializable;
+import java.util.Optional;
 import javax.annotation.Nonnull;
 
 /** The VS structure for things that are ACL-like. */
@@ -13,6 +14,8 @@ public abstract class FirewallFilter implements Serializable {
 
   public abstract boolean isUsedForFBF();
 
+  public abstract Optional<String> getFromZone();
+
   // Private implementation details.
 
   protected FirewallFilter(@Nonnull String name) {

diff --git a/projects/batfish/src/main/java/org/batfish/representation/juniper/JuniperConfiguration.java b/projects/batfish/src/main/java/org/batfish/representation/juniper/JuniperConfiguration.java
@@ -2073,13 +2073,28 @@ IpAccessList buildSecurityPolicyAcl(String name, Zone zone) {
 
     /* Zone specific policies */
     if (zone != null && !zone.getFromZonePolicies().isEmpty()) {
-      for (String fromZone : zone.getFromZonePolicies().keySet()) {
-        String zonePolicyLineDesc =
-            fromZone.equals(zone.getName())
-                ? String.format("Match intra-zone policy for zone %s", fromZone)
-                : String.format(
-                    "Match cross-zone policy from-zone %s to-zone %s", fromZone, zone.getName());
-        zoneAclLines.add(new AclAclLine(zonePolicyLineDesc, fromZone));
+      for (Entry<String, FirewallFilter> e : zone.getFromZonePolicies().entrySet()) {
+        String filterName = e.getKey();
+        FirewallFilter filter = e.getValue();
+
+        // Name the ACL line that will apply zone policy.
+        String zonePolicyLineDesc;
+        // Not possible to configure a zone policy for multiple from zones.
+        String fromZone = filter.getFromZone().orElse(null);
+        if (fromZone == null) {
+          // Zone egress policy for traffic originating from device
+          zonePolicyLineDesc = String.format("Match policy from junos-host to zone %s", filterName);
+        } else if (fromZone.equals(zone.getName())) {
+          // Intra-zone policy
+          zonePolicyLineDesc = String.format("Match intra-zone policy for zone %s", fromZone);
+        } else {
+          // Cross-zone policy
+          zonePolicyLineDesc =
+              String.format(
+                  "Match cross-zone policy from zone %s to zone %s", fromZone, zone.getName());
+        }
+
+        zoneAclLines.add(new AclAclLine(zonePolicyLineDesc, filterName));
       }
     }
 
@@ -2199,7 +2214,7 @@ IpAccessList toIpAccessList(FirewallFilter f) throws VendorConversionException {
        * If srcInterfaces (from-zone) are filtered (this is the case for security policies), then
        * need to make a match condition for that
        */
-      String zoneName = filter.getFromZone();
+      String zoneName = filter.getFromZone().orElse(null);
       if (zoneName != null) {
         matchSrcInterface =
             new MatchSrcInterface(_masterLogicalSystem.getZones().get(zoneName).getInterfaces());