np-guard
diff --git a/‎pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt
Lines changed: 23 additions & 21 deletions b/‎pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt
Lines changed: 23 additions & 21 deletions
diff --git a/‎pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/commonvpc/vpc.go
Lines changed: 14 additions & 11 deletions b/‎pkg/commonvpc/vpc.go
Lines changed: 14 additions & 11 deletions
diff --git a/‎pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt
Lines changed: 9 additions & 9 deletions b/‎pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt
Lines changed: 9 additions & 9 deletions
diff --git a/‎pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt
Lines changed: 1 addition & 1 deletion b/‎pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt
Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ Interpreted source(s): p2[10.240.2.28]
 Interpreted destination(s): q2[10.240.32.122]
 ======================================================================
 
-No connections from p2[10.240.2.28] to q2[10.240.32.122];
+No connectivity from p2[10.240.2.28] to q2[10.240.32.122];
 	connection is blocked at ingress
 
 Egress: security group GroupId:9 allows connection; network ACL acl1 allows connection
 
@@ -3,16 +3,16 @@ Interpreted source(s): r1[10.240.48.198]
 Interpreted destination(s): q2[10.240.32.122], q1[10.240.32.91]
 ==============================================================
 
-Connections from r1[10.240.48.198] to q1[10.240.32.91]: No Connections
+Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
 
 Path:
 	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
-	subnet private1 -> network ACL acl1 -> security group GroupId:15 -> q1[10.240.32.91]
+	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
 
 
 Details:
 ~~~~~~~~
-Path is disabled; The relevant rules are:
+Path is enabled; The relevant rules are:
 	Egress:
 		security group GroupId:22 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
@@ -22,21 +22,32 @@ Path is disabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow rules
 			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
-		security group GroupId:15 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
+		security group GroupId:9 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
+
+TCP response is enabled; The relevant rules are:
+	Egress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
+
+	Ingress:
+		network ACL acl1 allows connection with the following allow rules
+			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
-Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080
+No connectivity from r1[10.240.48.198] to q1[10.240.32.91];
+	connectivity is blocked since traffic patterns allowed at ingress are disjoint from the traffic patterns allowed at egress.
+	allowed egress traffic: protocol: TCP dst-ports: 9080, allowed ingress traffic: protocol: UDP
+
+Egress: security group GroupId:22 allows connection; network ACL acl1 allows connection
+Ingress: network ACL acl1 allows connection; security group GroupId:15 allows connection
 
-Path:
-	r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> 
-	subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122]
 
 
 Details:
 ~~~~~~~~
-Path is enabled; The relevant rules are:
+Path is disabled; The relevant rules are:
 	Egress:
 		security group GroupId:22 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080
@@ -46,17 +57,8 @@ Path is enabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow rules
 			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
-		security group GroupId:9 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
-
-TCP response is enabled; The relevant rules are:
-	Egress:
-		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
-
-	Ingress:
-		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all
+		security group GroupId:15 allows connection with the following allow rules
+			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
 
 ------------------------------------------------------------------------------------------------------------------------
 
@@ -3,7 +3,7 @@ Interpreted source(s): app1[10.240.20.245]
 Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
-No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
+No connectivity from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
 	connection is blocked at egress
 
 External traffic via InternetGateway: internet_gw
 
@@ -3,7 +3,7 @@ Interpreted source(s): app1[10.240.20.245]
 Interpreted destination(s): 161.26.0.0 (external)
 ====================================================================
 
-No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
+No connectivity from app1[10.240.20.245] to Public Internet 161.26.0.0/32;
 	connection is blocked at egress
 
 External traffic via InternetGateway: internet_gw
 
@@ -367,9 +367,9 @@ func (nl *NaclLayer) RulesInConnectivity(src, dst vpcmodel.Node,
 		if err2 != nil {
 			return nil, nil, err2
 		}
-		tableHasEffect := getTableEffect(connQuery, conn)
-		appendToRulesInFilter(&allowRes, &allowRules, index, tableHasEffect, true)
-		appendToRulesInFilter(&denyRes, &denyRules, index, tableHasEffect, false)
+		tableConn, tableHasEffect := getTableConnEffect(connQuery, conn)
+		appendToRulesInFilter(&allowRes, &allowRules, index, tableConn, tableHasEffect, true)
+		appendToRulesInFilter(&denyRes, &denyRules, index, tableConn, tableHasEffect, false)
 	}
 	return allowRes, denyRes, nil
 }
@@ -379,7 +379,7 @@ func (nl *NaclLayer) Name() string {
 }
 
 func appendToRulesInFilter(resRulesInFilter *[]vpcmodel.RulesInTable, rules *[]int, filterIndex int,
-	tableEffect vpcmodel.TableEffect, isAllow bool) {
+	tableConn *connection.Set, tableEffect vpcmodel.TableEffect, isAllow bool) {
 	var rType vpcmodel.RulesType
 	switch {
 	case len(*rules) == 0:
@@ -393,6 +393,7 @@ func appendToRulesInFilter(resRulesInFilter *[]vpcmodel.RulesInTable, rules *[]i
 		TableIndex:     filterIndex,
 		Rules:          *rules,
 		RulesOfType:    rType,
+		TableConn:      tableConn,
 		TableHasEffect: tableEffect,
 	}
 	*resRulesInFilter = append(*resRulesInFilter, rulesInNacl)
@@ -594,11 +595,13 @@ func (sgl *SecurityGroupLayer) RulesInConnectivity(src, dst vpcmodel.Node,
 				rType = vpcmodel.NoRules
 			}
 			conn := sg.AllowedConnectivity(src, dst, isIngress)
+			tableConn, tableHasEffect := getTableConnEffect(connQuery, conn)
 			rulesInSg := vpcmodel.RulesInTable{
 				TableIndex:     index,
 				Rules:          sgRules,
 				RulesOfType:    rType,
-				TableHasEffect: getTableEffect(connQuery, conn),
+				TableConn:      tableConn,
+				TableHasEffect: tableHasEffect,
 			}
 			allowRes = append(allowRes, rulesInSg)
 		}
@@ -718,19 +721,19 @@ func (sg *SecurityGroup) getMemberTargetStrAddress(src, dst vpcmodel.Node,
 	return member.IPBlock(), target.IPBlock(), member.CidrOrAddress()
 }
 
-func getTableEffect(connQuery, conn *connection.Set) vpcmodel.TableEffect {
+func getTableConnEffect(connQuery, conn *connection.Set) (*connection.Set, vpcmodel.TableEffect) {
 	switch {
 	case connQuery == nil: // connection not part of query
 		if !conn.IsEmpty() {
-			return vpcmodel.Allow
+			return conn, vpcmodel.Allow
 		} else {
-			return vpcmodel.Deny
+			return conn, vpcmodel.Deny
 		}
 	case conn.Intersect(connQuery).IsEmpty():
-		return vpcmodel.Deny
+		return connection.None(), vpcmodel.Deny
 	case connQuery.ContainedIn(conn):
-		return vpcmodel.Allow
+		return connQuery, vpcmodel.Allow
 	default:
-		return vpcmodel.PartlyAllow
+		return conn.Intersect(connQuery), vpcmodel.PartlyAllow
 	}
 }
@@ -12,7 +12,7 @@ Path:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
+No connectivity from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
 	connection is blocked at egress
 
 External traffic via PublicGateway: public-gw-ky
 
@@ -22,7 +22,7 @@ Path is enabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
+No connectivity from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
 	connection is blocked at egress
 
 External traffic via PublicGateway: public-gw-ky
 
@@ -3,7 +3,7 @@ Interpreted source(s): kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potenti
 Interpreted destination(s): iks-clusterid:1[192.168.32.5]
 =================================================================================================================
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -36,7 +36,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -69,7 +69,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -102,7 +102,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -135,7 +135,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -168,7 +168,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -201,7 +201,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -230,7 +230,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
@@ -263,7 +263,7 @@ Path is disabled; The relevant rules are:
 
 ------------------------------------------------------------------------------------------------------------------------
 
-No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22] to iks-clusterid:1[192.168.32.5];
+No connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22] to iks-clusterid:1[192.168.32.5];
 	connection is blocked by load balancer
 
 Load Balancer: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LoadBalancer] will not connect to iks-clusterid:1[192.168.32.5], since it is not its pool member
 
@@ -3,7 +3,7 @@ Interpreted source(s): vsi1-ky[10.240.10.4]
 Interpreted destination(s): 100.128.0.0/32 (external)
 ==========================================================================
 
-No connections from vsi1-ky[10.240.10.4] to Public Internet 100.128.0.0/32;
+No connectivity from vsi1-ky[10.240.10.4] to Public Internet 100.128.0.0/32;
 	connection is blocked at egress
 
 External traffic via PublicGateway: public-gw-ky
 
@@ -3,7 +3,7 @@ Interpreted source(s): 100.128.0.0/32 (external)
 Interpreted destination(s): vsi1-ky[10.240.10.4]
 ==========================================================================
 
-No connections from Public Internet 100.128.0.0/32 to vsi1-ky[10.240.10.4];
+No connectivity from Public Internet 100.128.0.0/32 to vsi1-ky[10.240.10.4];
 	connection is blocked at ingress and because there is no resource for external connectivity
 
 Ingress: network ACL acl1-ky blocks connection; security group sg1-ky allows connection