
When executing Bi-directional Reachability questions using TCP flags, data may not be obtained. #8904

Open
rynogawa opened this issue Dec 20, 2023 · 2 comments

Comments

@rynogawa (Contributor)

Describe the bug and expected behavior
Current behavior:
No response when running a Bi-directional Reachability question with the TCP flag set to SYN.

Expected behavior:
If a TCP flow occurs from server3 to server1, the flow is allowed because dev2's ACL is set to "established".
The expectation is that we can get response data.

Consideration
I got the correct response with the TCP flags below.
・MatchTcpFlags.match_synack()
・MatchTcpFlags.match_ack()

I think the problem is that the TCP flag (ACK bit) of the return flow is not converted.
(I think the working patterns above worked because the forward flow already had the ACK flag set, so the return flow also worked fine.)

Config

hostname dev2
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/1
 ip address 10.0.23.2 255.255.255.0
!
! ACL 100 is applied inbound on Gi0/0 (server1's side), so it filters the
! return flow server1 -> server3. "established" matches TCP segments with
! the ACK or RST bit set; anything else falls through to the implicit deny.
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq 22

server1 host file:

{
  "hostname": "server1",
  "hostInterfaces": {
    "eth1": {
      "name": "eth1",
      "prefix": "10.0.12.1/24",
      "gateway": "10.0.12.2"
    }
  }
}

server3 host file:

{
  "hostname": "server3",
  "hostInterfaces": {
    "eth1": {
      "name": "eth1",
      "prefix": "10.0.23.3/24",
      "gateway": "10.0.23.2"
    }
  }
}

Runnable example

from pybatfish.client.commands import bf_init_snapshot, bf_set_network
from pybatfish.datamodel import HeaderConstraints, PathConstraints
from pybatfish.datamodel.flow import MatchTcpFlags
from pybatfish.question import bfq, load_questions

load_questions()
bf_set_network("issue8904")
bf_init_snapshot("Sample Config", name="snap", overwrite=True)  # unzipped attachment; directory name is an assumption
bireachability = bfq.bidirectionalReachability(
                    pathConstraints=PathConstraints(startLocation="server3"),
                    headers=HeaderConstraints(srcIps="10.0.23.3", srcPorts="50001",
                                              dstIps="10.0.12.1", dstPorts="23",
                                              tcpFlags=MatchTcpFlags.match_syn(), ipProtocols='TCP'),
                    returnFlowType='SUCCESS').answer().frame()
if bireachability.empty:
    print("no data")

Sample Config.zip

@dhalperi (Member)

Yep, this looks right to me. We're likely not updating the TCP flags on the return flow for ip protocol == TCP.

I think this needs to be done somewhere around here:

@rynogawa (Contributor, Author)

Thank you for confirming.

I understood it as the source IP and port being swapped with the destination IP and port (and vice versa).
For this problem, I think we need to set the ACK bit instead of swapping.

I don't know how to work with BDDs, so could you please give me some advice on how to fix it?
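The mechanism the two comments describe, as an added example that is not Batfish or pybatfish code: a small Python model of dev2's `established` ACL and of two ways to build the return flow from the forward flow. "Swap only" copies the TCP flags unchanged (the behaviour the issue reports); "swap + ACK" sets the ACK bit the way a real TCP peer would. The concrete flag bits assumed for each `MatchTcpFlags` case, and the `Flow` type itself, are assumptions of this example; how Batfish's BDD code actually builds the return flow is not shown on this page.

```python
"""Added example, not Batfish code: a toy model of the return-flow problem.

It models (a) dev2's `access-list 100`, whose `established` keyword matches
TCP segments with ACK or RST set, and (b) two ways of deriving the return flow
from the forward flow: swapping the endpoints and copying the TCP flags
unchanged (the behaviour the issue reports), versus swapping the endpoints and
setting the ACK bit as a real TCP peer would. The concrete flag values used for
each MatchTcpFlags case are assumptions about the flow Batfish picks.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def swap_endpoints(fwd: Flow) -> Flow:
    """Return flow as the last comment understood it: endpoints swapped,
    TCP flags left exactly as they were in the forward flow."""
    return replace(fwd, src_ip=fwd.dst_ip, src_port=fwd.dst_port,
                   dst_ip=fwd.src_ip, dst_port=fwd.src_port)


def swap_and_set_ack(fwd: Flow) -> Flow:
    """Return flow as a TCP peer would actually send it: endpoints swapped and
    ACK set. A bare SYN is answered with SYN+ACK; anything else with ACK."""
    rev = swap_endpoints(fwd)
    return replace(rev, syn=fwd.syn and not fwd.ack, ack=True, rst=False)


def acl_100_permits(flow: Flow) -> bool:
    """dev2's ACL 100, applied `in` on GigabitEthernet0/0 (the server1 side),
    so it sees the return flow server1 -> server3:
        permit tcp any any established   -> ACK or RST set
        permit tcp any any eq 22         -> destination port 22
    followed by the implicit deny."""
    return flow.ack or flow.rst or flow.dst_port == 22


# Forward flow taken from the issue's HeaderConstraints.
FORWARD = Flow(src_ip="10.0.23.3", src_port=50001, dst_ip="10.0.12.1", dst_port=23)

# The three MatchTcpFlags cases the reporter tried, as assumed concrete flag bits.
CASES = {
    "match_syn": replace(FORWARD, syn=True),
    "match_synack": replace(FORWARD, syn=True, ack=True),
    "match_ack": replace(FORWARD, ack=True),
}


def return_flow_results(derive_return) -> dict:
    """For each case: does the derived return flow pass dev2's ACL 100?"""
    return {name: acl_100_permits(derive_return(fwd)) for name, fwd in CASES.items()}


if __name__ == "__main__":
    for label, derive in (("swap only", swap_endpoints), ("swap + ACK", swap_and_set_ack)):
        print(label, return_flow_results(derive))
```

With "swap only" the `match_syn` case is the only one whose return flow lacks ACK, so it hits the implicit deny and the bidirectional question has no SUCCESS return flow to report, while `match_synack` and `match_ack` pass because the copied flags already carry ACK; that matches the three observations in the issue. With "swap + ACK" all three pass. The model only covers the ACL step on the return path: in the snapshot the forward flow enters dev2 on GigabitEthernet0/1, which has no ACL, so the forward direction is not what fails.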
