batfish / batfish

Batfish is a network configuration analysis tool that can find bugs and guarantee the correctness of (planned or current) network configurations. It enables network engineers to rapidly and safely evolve their network, without fear of outages or security breaches.

Home Page:http://www.batfish.org


When executing Bi-directional Reachability questions using TCP flags, data may not be obtained.

rynogawa opened this issue · comments

Describe the bug and expected behavior
Current behavior:
No response when running a Bi-directional Reachability question with the TCP flag set to SYN.

Expected behavior:
If a TCP flow occurs from server3 to server1, the flow is allowed because dev2's ACL is set to "established".
The expectation is that we can get response data.

Consideration
I got the correct response with the TCP flags below.
・MatchTcpFlags.match_synack()
・MatchTcpFlags.match_ack()

I think the problem is that the TCP flag (ACK bit) of the return flow is not converted.
(I think the working patterns above worked because the forward flow already had the ACK flag set, so the return flow also worked fine.)

Config

hostname dev2
!
interface GigabitEthernet0/0
 ip address 10.0.12.2 255.255.255.0
 ip access-group 100 in
!
interface GigabitEthernet0/1
 ip address 10.0.23.2 255.255.255.0
!
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq 22

{
  "hostname": "server1",
  "hostInterfaces": {
    "eth1": {
      "name": "eth1",
      "prefix": "10.0.12.1/24",
      "gateway": "10.0.12.2"
    }
  }
}

{
  "hostname": "server3",
  "hostInterfaces": {
    "eth1": {
      "name": "eth1",
      "prefix": "10.0.23.3/24",
      "gateway": "10.0.23.2"
    }
  }
}

Runnable example

from pybatfish.client.commands import bf_init_snapshot
from pybatfish.datamodel import HeaderConstraints, MatchTcpFlags, PathConstraints
from pybatfish.question import bfq, load_questions

load_questions()
bf_init_snapshot("sample-config", overwrite=True)  # directory with the extracted Sample Config.zip

# Forward flow: server3 -> server1 on TCP/23 with only SYN set (a new connection).
bireachability = bfq.bidirectionalReachability(
                    pathConstraints=PathConstraints(startLocation="server3"),
                    headers=HeaderConstraints(srcIps="10.0.23.3", srcPorts="50001",
                                              dstIps="10.0.12.1", dstPorts="23",
                                              tcpFlags=MatchTcpFlags.match_syn(), ipProtocols="TCP"),
                    returnFlowType="SUCCESS").answer().frame()
# An empty frame means no forward/return flow pair succeeded.
if bireachability.empty:
    print("no data")

Sample Config.zip

Yep, this looks right to me. We're likely not updating the TCP flags on the return flow for ip protocol == TCP.

I think this needs to be done somewhere around here:

Thank you for confirming.

I interpreted that the source IP and port are swapped with the destination IP and port (and vice versa).
In this problem, I think that we need to set the ACK bit instead of just swapping.

I don't know how to deal with BDDs, so could you please give me some advice on how to fix it?
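The following is an added example written for this page; it is not Batfish code and not from the reporter or the maintainers. It models the thread's topology (server3, dev2 with ACL 100 inbound on Gi0/0, server1) and compares two ways of deriving the return flow: mirroring addresses and ports while copying the forward flow's TCP flags unchanged, versus mirroring and setting the flags a responder would send (SYN+ACK for a SYN, ACK otherwise). The flag derivation is a deliberate simplification, the ingress interface is inferred from the source subnet, and the "established" check implements the IOS rule that the keyword matches segments with ACK or RST set; all three are assumptions of this model rather than statements about the Batfish implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# TCP control bits (RFC 793 order, low bit first).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int  # bitmask of the constants above


def return_flow_swap_only(fwd: Flow) -> Optional[Flow]:
    """Assumed model of the behaviour reported in the thread: addresses and
    ports are mirrored, but the forward flow's TCP flags are copied as-is."""
    return Flow(fwd.dst_ip, fwd.src_ip, fwd.dst_port, fwd.src_port, fwd.tcp_flags)


def return_flow_with_ack(fwd: Flow) -> Optional[Flow]:
    """Mirror addresses/ports and derive the flags of the responder's first
    segment: SYN is answered with SYN+ACK, any other segment with ACK set,
    and a RST gets no reply. Simplified model, not Batfish's actual logic."""
    if fwd.tcp_flags & RST:
        return None
    flags = SYN | ACK if (fwd.tcp_flags & SYN and not fwd.tcp_flags & ACK) else ACK
    return Flow(fwd.dst_ip, fwd.src_ip, fwd.dst_port, fwd.src_port, flags)


def established(flags: int) -> bool:
    """IOS 'established' keyword: matches segments with ACK or RST set."""
    return bool(flags & (ACK | RST))


def acl_100_permits(flow: Flow) -> bool:
    """access-list 100 from the issue, first match wins, implicit deny at the end:
         permit tcp any any established
         permit tcp any any eq 22"""
    return established(flow.tcp_flags) or flow.dst_port == 22


# dev2 from the issue: ACL 100 is applied inbound on Gi0/0 only.
DEV2_IFACES = {
    "GigabitEthernet0/0": (ipaddress.ip_network("10.0.12.0/24"), acl_100_permits),
    "GigabitEthernet0/1": (ipaddress.ip_network("10.0.23.0/24"), None),
}


def dev2_accepts(flow: Flow) -> bool:
    """Apply the inbound ACL of the interface the flow enters dev2 on. The
    ingress interface is inferred from the source subnet (assumption that
    holds for the two directly attached hosts in the sample topology)."""
    src = ipaddress.ip_address(flow.src_ip)
    for _name, (net, acl) in DEV2_IFACES.items():
        if src in net:
            return acl is None or acl(flow)
    raise ValueError(f"{flow.src_ip} is not on a dev2-attached subnet")


def bidirectional_result(fwd: Flow, derive_return: Callable[[Flow], Optional[Flow]]) -> str:
    """Forward flow crosses dev2, the derived return flow crosses it back;
    report where the round trip fails."""
    if not dev2_accepts(fwd):
        return "FORWARD_DENIED"
    ret = derive_return(fwd)
    if ret is None:
        return "NO_RETURN_FLOW"
    return "SUCCESS" if dev2_accepts(ret) else "RETURN_DENIED"


# Constructed flows matching the headers in the runnable example above.
FORWARD_SYN = Flow("10.0.23.3", "10.0.12.1", 50001, 23, SYN)
FORWARD_SYNACK = Flow("10.0.23.3", "10.0.12.1", 50001, 23, SYN | ACK)
FORWARD_ACK = Flow("10.0.23.3", "10.0.12.1", 50001, 23, ACK)

if __name__ == "__main__":
    for label, fwd in [("SYN", FORWARD_SYN), ("SYN+ACK", FORWARD_SYNACK), ("ACK", FORWARD_ACK)]:
        print(label, "swap-only:", bidirectional_result(fwd, return_flow_swap_only),
              "| with-ack:", bidirectional_result(fwd, return_flow_with_ack))
```

With the swap-only derivation the SYN-only forward flow gets a SYN-only return flow, which ACL 100 drops (no ACK or RST, and destination port 50001 is not 22), reproducing the empty answer; the SYN+ACK and ACK forward flows succeed either way, matching the reporter's observation that match_synack() and match_ack() worked.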