In the case of IOS, Batfish crashes when executing Bi-directional Reachability to the IP address after NAT.
tokonish opened this issue · comments
[Problem]
In the case of IOS, Batfish crashes when executing Bi-directional Reachability to the IP address after NAT.
[Topology]
![For community report](https://private-user-images.githubusercontent.com/148535612/279230005-e6e80780-e167-4710-8a14-71406d2e39dd.png)
dev3's NAT settings convert 10.0.12.1 to 20.0.12.1.
[Config] ※Minimum Config
・ dev1
hostname dev1
!
no ip domain lookup
!
interface GigabitEthernet0/1
ip address 10.0.12.1 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.12.2
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev2
hostname dev2
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.12.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.23.2 255.255.255.0
no shutdown
!
ip route 10.0.45.0 255.255.255.0 10.0.23.3
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev3
hostname dev3
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.23.3 255.255.255.0
ip nat inside
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.34.3 255.255.255.0
ip nat outside
no shutdown
!
ip nat inside source static 10.0.12.1 20.0.12.1
!
ip route 10.0.12.0 255.255.255.0 10.0.23.2
ip route 10.0.45.0 255.255.255.0 10.0.34.4
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev4
hostname dev4
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.34.4 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
ip address 10.0.45.4 255.255.255.0
no shutdown
!
ip route 20.0.12.0 255.255.255.0 10.0.34.3
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
・ dev5
hostname dev5
!
no ip domain lookup
!
interface GigabitEthernet0/0
ip address 10.0.45.5 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.45.4
!
line con 0
exec-timeout 300 0
privilege level 15
logging synchronous
length 0
!
end
[Result]
・ Bi-directional Reachability Forward
ACCEPTED
1. node: dev01
ORIGINATED(default)
FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.12.2, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.12.2)])
TRANSMITTED(GigabitEthernet0/0)
2. node: dev02
RECEIVED(GigabitEthernet0/0)
FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.23.3, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.23.3)])
TRANSMITTED(GigabitEthernet0/1)
3. node: dev03
RECEIVED(GigabitEthernet0/0)
FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.34.4, Routes: [static (Network: 10.0.45.0/24, Next Hop: ip 10.0.34.4)])
TRANSFORMED(SOURCE_NAT srcIp: 10.0.12.1 -> 20.0.12.1)
SETUP_SESSION(Incoming Interfaces: [GigabitEthernet0/1], Action: PostNatFibLookup, Match Criteria: [ipProtocol=ICMP, srcIp=10.0.45.5, dstIp=20.0.12.1], Transformation: [dstIp: 20.0.12.1 -> 10.0.12.1])
TRANSMITTED(GigabitEthernet0/1)
4. node: dev04
RECEIVED(GigabitEthernet0/1)
FORWARDED(Forwarded out interface: GigabitEthernet0/0, Routes: [connected (Network: 10.0.45.0/24, Next Hop: interface GigabitEthernet0/0)])
TRANSMITTED(GigabitEthernet0/0)
5. node: dev05
RECEIVED(GigabitEthernet0/0)
ACCEPTED(GigabitEthernet0/0)
・ Bi-directional Reachability Reverse
ACCEPTED
1. node: dev05
ORIGINATED(default)
FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.45.4, Routes: [static (Network: 0.0.0.0/0, Next Hop: ip 10.0.45.4)])
TRANSMITTED(GigabitEthernet0/0)
2. node: dev04
RECEIVED(GigabitEthernet0/0)
FORWARDED(Forwarded out interface: GigabitEthernet0/1 with resolved next-hop IP: 10.0.34.3, Routes: [static (Network: 20.0.12.0/24, Next Hop: ip 10.0.34.3)])
TRANSMITTED(GigabitEthernet0/1)
3. node: dev03
RECEIVED(GigabitEthernet0/1)
MATCHED_SESSION(Incoming Interfaces: [GigabitEthernet0/1], Action: PostNatFibLookup, Match Criteria: [ipProtocol=ICMP, srcIp=10.0.45.5, dstIp=20.0.12.1], Transformation: [dstIp: 20.0.12.1 -> 10.0.12.1])
TRANSFORMED(DEST_NAT dstIp: 20.0.12.1 -> 10.0.12.1)
FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 10.0.23.2, Routes: [static (Network: 10.0.12.0/24, Next Hop: ip 10.0.23.2)])
TRANSMITTED(GigabitEthernet0/0)
4. node: dev02
RECEIVED(GigabitEthernet0/1)
FORWARDED(Forwarded out interface: GigabitEthernet0/0, Routes: [connected (Network: 10.0.12.0/24, Next Hop: interface GigabitEthernet0/0)])
TRANSMITTED(GigabitEthernet0/0)
5. node: dev01
RECEIVED(GigabitEthernet0/0)
ACCEPTED(GigabitEthernet0/0)
・ Bi-directional Reachability(dev5->dev1)
Traceback (most recent call last):
File "/root/development/testQuestion/./questions.py", line 380, in <module>
main(args)
File "/root/development/testQuestion/./questions.py", line 32, in main
args.handler(args, logger)
File "/root/development/testQuestion/./questions.py", line 275, in command_bireachability
returnFlowType='SUCCESS').answer().frame()
File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/question/question.py", line 192, in answer
return _bf_answer_obj(
File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/client/internal.py", line 60, in _bf_answer_obj
workhelper.execute(work_item, session, background, extra_args)
File "/root/development/testQuestion/venv/lib/python3.10/site-packages/pybatfish/client/workhelper.py", line 140, in execute
raise BatfishException(
pybatfish.exception.BatfishException: Work terminated abnormally
work_item: {"containerName": "Mobills", "id": "5d649c02-7915-457e-be28-004f84d123b9", "requestParams": {"answer": "", "questionname": "__bidirectionalReachability_05c6a631-db91-4452-8f56-eb39156a078e", "testrig": "SrcNAT_IOS_BiReach"}, "testrigName": "SrcNAT_IOS_BiReach"}
In the case of IOS, Batfish crashes when executing Bi-directional Reachability from 10.0.45.5 to 20.0.12.1 after NAT.
Can you attach server-side logs (docker logs) to this issue?
Hi, I tried this out and did not have any issues. Can you post more about the network you're using? Here's mine: https://gist.github.com/dhalperi/2db8b46ebff98eb4d3fbb97aed823af3
Hello, thank you for your reply.
This problem occurs when checking with Bi-directional Reachability instead of Bi-directional Traceroute.
Please confirm.
logs↓
・8859log.txt
ipynb(pdf converted)↓
・8859_.pdf
Thanks for that repro. After fixing a few bugs (srcIps, not scIps) I ran this query:
bf.q.bidirectionalReachability(
    pathConstraints=PathConstraints(startLocation='dev5'),
    headers=HeaderConstraints(srcIps='10.0.45.5', dstIps='20.0.12.1', srcPorts='32875', dstPorts='22')
).answer().frame()
and got
Caused by: java.lang.UnsupportedOperationException: Reachability does not yet support PreNatFibLookup
That checks out.
Logging Slack discussion with @anothermattbrown :
actually I think at this point we should have all the pieces we need
I think this is a 1 or 2 dayer
we just need to use BDDFibGenerator, apply the NAT on all the out-edges (presumably all? I’d have to double-check the concrete impl) and stitch it back together. Not too different from what we do in other cases
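An added example, not part of the original thread and not Batfish code: a small Python model of dev3's static NAT and routes from the config above, showing the order of translation and route lookup for the dev5 -> 20.0.12.1 flow and for its reply. The function names and the model are assumptions; the reply leg enters on the inside interface, so its route lookup runs before translation, which is how the "PreNatFibLookup" in the error is read here.

```python
import ipaddress

# dev3 values copied from the config in this issue; the model is an assumption.
STATIC_NAT = {"10.0.12.1": "20.0.12.1"}  # inside local -> inside global
REVERSE_NAT = {g: l for l, g in STATIC_NAT.items()}
NAT_ROLE = {"GigabitEthernet0/0": "inside", "GigabitEthernet0/1": "outside"}
ROUTES = [  # (prefix, egress interface): two connected, two static
    ("10.0.23.0/24", "GigabitEthernet0/0"),
    ("10.0.34.0/24", "GigabitEthernet0/1"),
    ("10.0.12.0/24", "GigabitEthernet0/0"),
    ("10.0.45.0/24", "GigabitEthernet0/1"),
]

def fib_lookup(dst):
    """Longest-prefix match on dev3's routes; egress interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, e) for p, e in ROUTES
            if addr in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def forward_on_dev3(in_iface, src, dst):
    """Return (steps, src, dst, egress); egress is None when no route matches."""
    steps = []
    if NAT_ROLE[in_iface] == "outside" and dst in REVERSE_NAT:
        # Outside-to-inside: translate first, then route on the new destination.
        steps.append(f"DEST_NAT {dst} -> {REVERSE_NAT[dst]}")
        dst = REVERSE_NAT[dst]
    egress = fib_lookup(dst)
    if egress is None:
        return steps + ["NO_ROUTE"], src, dst, None
    steps.append(f"FIB {dst} -> {egress}")
    if (NAT_ROLE[in_iface], NAT_ROLE[egress]) == ("inside", "outside") and src in STATIC_NAT:
        # Inside-to-outside: the route lookup above ran on pre-NAT addresses.
        steps.append(f"SOURCE_NAT {src} -> {STATIC_NAT[src]}")
        src = STATIC_NAT[src]
    return steps, src, dst, egress

def round_trip(in_iface, src, dst):
    """Forward leg through dev3, then the reply entering on the egress interface."""
    out = forward_on_dev3(in_iface, src, dst)
    if out[3] is None:
        return out, None
    return out, forward_on_dev3(out[3], out[2], out[1])

if __name__ == "__main__":
    for leg in round_trip("GigabitEthernet0/1", "10.0.45.5", "20.0.12.1"):
        print(leg)
```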