diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
index a28c43647..d0d3edb75 100644
--- a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
+++ b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to vsi2-ky within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 ======================================================================= Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP
diff --git a/cmd/analyzer/subcmds/explain.go b/cmd/analyzer/subcmds/explain.go
index 5539040ac..0a2b57a56 100644
--- a/cmd/analyzer/subcmds/explain.go
+++ b/cmd/analyzer/subcmds/explain.go
@@ -27,8 +27,8 @@ const (
 dstMaxPortFlag = "dst-max-port"
 detailFlag = "detail"
- srcDstUsage = "endpoint; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR;\n" +
- "VSI name can be specified as or /"
+ srcDstUsage = "endpoint; can be specified as a VSI/subnet name/CRN or an internal/external IP-address/CIDR;\n" +
+ "VSI/subnet name can be specified as or as /"
 )
 func NewExplainCommand(args *inArgs) *cobra.Command {
diff --git a/docs/vpcanalyzer_explain.md b/docs/vpcanalyzer_explain.md
index 33eb89303..065c3497f 100644
--- a/docs/vpcanalyzer_explain.md
+++ b/docs/vpcanalyzer_explain.md
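Review bot: The two added `srcDstUsage` lines render here as `VSI/subnet name can be specified as or as /`, i.e. with nothing after either `as`; if the literal in the source holds angle-bracket placeholders that this rendering stripped (the removed lines show the same gap) that is fine, but if not, the help no longer names the forms it is describing. Now that a bare name may resolve to either a VSI or a subnet, the usage should also state how a name that matches both kinds, or matches in more than one VPC, is handled, for example by appending `; an ambiguous name must be qualified with its VPC` to the second line. The same wording is mirrored in the docs hunk for docs/vpcanalyzer_explain.md and should be kept in sync. The `const (` block starts before the hunk and `NewExplainCommand` continues after it.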
@@ -20,10 +20,10 @@ vpcanalyzer explain [flags] ### Options ``` - --src string source endpoint for explanation; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR; - VSI name can be specified as or / - --dst string destination endpoint for explanation; can be specified as a VSI name/CRN or an internal/external IP-address/CIDR; - VSI name can be specified as or / + --src string source endpoint for explanation; can be specified as a VSI/subnet name/CRN or as an internal/external IP-address/CIDR; + VSI/subnet name can be specified as or as / + --dst string destination endpoint for explanation; can be specified as a VSI/subnet name/CRN or as an internal/external IP-address/CIDR; + VSI/subnet name can be specified as or as / --protocol string protocol for connection description --src-min-port int minimum source port for connection description (default 1) --src-max-port int maximum source port for connection description (default 65535) diff --git a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt index 6354c19cf..d82da4c1d 100644 --- a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 147.235.0.0/16 to 10.240.0.96 within mixed -Interpreted source: 147.235.0.0/16 (external) -Interpreted destination: p3[10.240.0.96] +Interpreted source(s): 147.235.0.0/16 (external) +Interpreted destination(s): p3[10.240.0.96] ======================================================================= Connections from Public Internet 147.235.0.0/16 to p3[10.240.0.96]: protocol: TCP dst-ports: 9080 
diff --git a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt index f54de2a62..565d84cb5 100644 --- a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.40.217 to 10.240.20.43 within vpc0 -Interpreted source: dashboard[10.240.40.217] -Interpreted destination: app2[10.240.20.43] +Interpreted source(s): dashboard[10.240.40.217] +Interpreted destination(s): app2[10.240.20.43] ====================================================================== Connections from dashboard[10.240.40.217] to app2[10.240.20.43]: All Connections diff --git a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt index b2d2ef73e..1816a69ad 100644 --- a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.2.28 to 10.240.32.122 within mixed -Interpreted source: p2[10.240.2.28] -Interpreted destination: q2[10.240.32.122] +Interpreted source(s): p2[10.240.2.28] +Interpreted destination(s): q2[10.240.32.122] ====================================================================== No connections from p2[10.240.2.28] to q2[10.240.32.122]; diff --git a/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt index 39d140754..bbc718360 100644 --- a/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from 10.240.32.122 to 10.240.32.91 within mixed -Interpreted source: q2[10.240.32.122] -Interpreted destination: q1[10.240.32.91] +Interpreted source(s): q2[10.240.32.122] +Interpreted destination(s): q1[10.240.32.91] ======================================================================= Connections from q2[10.240.32.122] to q1[10.240.32.91]: protocol: UDP diff --git a/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt new file mode 100644 index 000000000..cfb858733 --- /dev/null +++ b/pkg/awsvpc/examples/out/explain_out/subnet_to_subnet_all_vpcs_explain_detail.txt 
@@ -0,0 +1,62 @@ +Explaining connectivity from private2 to private1 within mixed +Interpreted source(s): r1[10.240.48.198] +Interpreted destination(s): q2[10.240.32.122], q1[10.240.32.91] +============================================================== + +Connections from r1[10.240.48.198] to q1[10.240.32.91]: No Connections + +Path: + r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> + subnet private1 -> network ACL acl1 -> security group GroupId:15 -> q1[10.240.32.91] + + +Details: +~~~~~~~~ +Path is disabled; The relevant rules are: + Egress: + security group GroupId:22 allows connection with the following allow rules + Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080 + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all + + Ingress: + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all + security group GroupId:15 allows connection with the following allow rules + Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535 + +------------------------------------------------------------------------------------------------------------------------ + +Connections from r1[10.240.48.198] to q2[10.240.32.122]: protocol: TCP dst-ports: 9080 + +Path: + r1[10.240.48.198] -> security group GroupId:22 -> network ACL acl1 -> subnet private2 -> + subnet private1 -> network ACL acl1 -> security group GroupId:9 -> q2[10.240.32.122] + + +Details: +~~~~~~~~ +Path is enabled; The relevant rules are: + Egress: + security group GroupId:22 allows connection with the following allow rules + Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, dstPorts: 9080-9080 + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, 
action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all + + Ingress: + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all + security group GroupId:9 allows connection with the following allow rules + Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all + +TCP response is enabled; The relevant rules are: + Egress: + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all + + Ingress: + network ACL acl1 allows connection with the following allow rules + ruleNumber: 20, action: allow, direction: inbound, cidr: 10.240.32.0/19, protocol: all + +------------------------------------------------------------------------------------------------------------------------ + diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt index bda48fd85..384c64495 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.20.245 to 161.26.0.0 within vpc0 -Interpreted source: app1[10.240.20.245] -Interpreted destination: 161.26.0.0 (external) +Interpreted source(s): app1[10.240.20.245] +Interpreted destination(s): 161.26.0.0 (external) ==================================================================== No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32; 
diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt index bfee49f48..a06a12dbe 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.20.245 to 161.26.0.0 within vpc0 -Interpreted source: app1[10.240.20.245] -Interpreted destination: 161.26.0.0 (external) +Interpreted source(s): app1[10.240.20.245] +Interpreted destination(s): 161.26.0.0 (external) ==================================================================== No connections from app1[10.240.20.245] to Public Internet 161.26.0.0/32; diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt index 3b8cca370..0694dd1d1 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.10.42 to 161.26.0.0 within vpc0 -Interpreted source: proxy[10.240.10.42] -Interpreted destination: 161.26.0.0 (external) +Interpreted source(s): proxy[10.240.10.42] +Interpreted destination(s): 161.26.0.0 (external) =================================================================== Connections from proxy[10.240.10.42] to Public Internet 161.26.0.0/32: All Connections diff --git a/pkg/awsvpc/explainability_test.go b/pkg/awsvpc/explainability_test.go index 170f32f89..4f78bda17 100644 --- a/pkg/awsvpc/explainability_test.go +++ b/pkg/awsvpc/explainability_test.go 
@@ -34,6 +34,7 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 DetailExplain: true,
 },
 // existing sub-connection between two endpoints of the same subnet
+ // todo: https://github.com/np-guard/vpc-network-config-analyzer/issues/859
 {
 Name: "same_subnet_partial_connection",
 InputConfig: "aws_mixed",
@@ -44,10 +45,10 @@ var explainTests = []*commonvpc.VpcGeneralTest{
 },
 // no connection between two endpoints of the same subnet
 {
- Name: "same_subnet_no_connection",
+ Name: "subnet_to_subnet",
 InputConfig: "aws_mixed",
- ESrc: "10.240.0.96",
- EDst: "10.240.3.70",
+ ESrc: "private2",
+ EDst: "private1",
 Format: vpcmodel.Text,
 DetailExplain: true,
 },
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
index 8b15e0e55..63145aabe 100644
--- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/8 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/8 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/8 (external)
 ======================================================================== Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
index c5e930614..5e3615287 100644
--- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
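Review bot: The context comment `// no connection between two endpoints of the same subnet` in the second hunk is now stale: the case under it was renamed to `subnet_to_subnet` with `ESrc: "private2"` and `EDst: "private1"`, and the new expected output file `subnet_to_subnet_all_vpcs_explain_detail.txt` shows two different subnets with one pair reported as `No Connections` and another with `protocol: TCP dst-ports: 9080`. Either change the comment to `// subnet to subnet; a mix of connected and disconnected endpoint pairs`, or, preferably, keep the original `same_subnet_no_connection` case (`10.240.0.96` to `10.240.3.70`) and add `subnet_to_subnet` as a new entry, since as written the rename drops the only coverage visible here of the same-subnet no-connection scenario while the old comment keeps promising it. The `explainTests` slice begins and ends outside the hunk.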
@@ -1,6 +1,6 @@ Explaining connectivity from 10.240.10.4 to 161.26.0.0/8 within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/8 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/8 (external) ============================================================================ Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt index 357f577a6..e8c65375d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 192.168.8.4 to 192.168.4.4 within ky-test-vpc -Interpreted source: iks-node[192.168.8.4] -Interpreted destination: iks-node[192.168.4.4] +Interpreted source(s): iks-node[192.168.8.4] +Interpreted destination(s): iks-node[192.168.4.4] ========================================================================== Connections from iks-node[192.168.8.4] to iks-node[192.168.4.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt index 8eee56432..0bd865d43 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca to 192.168.4.4 within ky-test-vpc -Interpreted source: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] -Interpreted destination: iks-node[192.168.4.4] +Interpreted source(s): kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] +Interpreted destination(s): iks-node[192.168.4.4] 
================================================================================================================ Connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-node[192.168.4.4]: protocol: TCP,UDP dst-ports: 30000-32767 diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt index 0f1cb9f6d..d9bd28f9a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca to 192.168.32.5 within ky-test-vpc -Interpreted source: kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] -Interpreted destination: iks-clusterid:1[192.168.32.5] +Interpreted source(s): kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.16.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.0.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.32.0-192.168.32.4,192.168.32.6-192.168.35.255], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.4.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.20.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.8.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[Potential LB private IP][192.168.24.0/22], kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.40.6] +Interpreted destination(s): iks-clusterid:1[192.168.32.5] 
================================================================================================================= No connections from kube-clusterid:1-8fdd1d0a2ce34deba99d0f885451b1ca[LB private IP][192.168.36.6] to iks-clusterid:1[192.168.32.5]; diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt index d578fdb7f..9aba4eef2 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/16 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/16 (external) ========================================================================= Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt index 665a461fc..151bd9f38 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 100.128.0.0/32 within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 100.128.0.0/32 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 100.128.0.0/32 (external) ========================================================================== No connections from vsi1-ky[10.240.10.4] to Public Internet 100.128.0.0/32; 
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt index 4729b0fa4..7084fc01a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal3_all_vpcs_explain.txt @@ -1,6 +1,6 @@ Explaining connectivity from 100.128.0.0/32 to vsi1-ky within test-vpc1-ky -Interpreted source: 100.128.0.0/32 (external) -Interpreted destination: vsi1-ky[10.240.10.4] +Interpreted source(s): 100.128.0.0/32 (external) +Interpreted destination(s): vsi1-ky[10.240.10.4] ========================================================================== No connections from Public Internet 100.128.0.0/32 to vsi1-ky[10.240.10.4]; diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt index 090e05d77..50cfefa49 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 10.240.10.4 to 161.26.0.0/15 within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/15 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/15 (external) ============================================================================= Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt index 36d11a842..73f4b1a2a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from 10.240.10.4 to vsi2-ky within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: vsi2-ky[10.240.20.4] +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): vsi2-ky[10.240.20.4] ======================================================================= Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt index 1e3f66aeb..39c8cfc46 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 10.240.20.4 within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: vsi2-ky[10.240.20.4] +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): vsi2-ky[10.240.20.4] ======================================================================= Connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt index 40c4cb26f..85b7feeb9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from vsi2-ky to 10.240.10.4 within test-vpc1-ky -Interpreted source: vsi2-ky[10.240.20.4] -Interpreted destination: vsi1-ky[10.240.10.4] +Interpreted source(s): vsi2-ky[10.240.20.4] +Interpreted destination(s): vsi1-ky[10.240.10.4] ======================================================================= Connections from vsi2-ky[10.240.20.4] to vsi1-ky[10.240.10.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt index eba706649..10240e31e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to vsi3a-ky within test-vpc1-ky -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: vsi3a-ky[10.240.30.5] +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): vsi3a-ky[10.240.30.5] ==================================================================== No connections from vsi1-ky[10.240.10.4] to vsi3a-ky[10.240.30.5]; diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt index e6368a0b5..a7f062036 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from vsi3b-ky to vsi3a-ky within test-vpc1-ky -Interpreted source: vsi3b-ky[10.240.30.6] -Interpreted destination: vsi3a-ky[10.240.30.5] +Interpreted source(s): vsi3b-ky[10.240.30.6] +Interpreted destination(s): vsi3a-ky[10.240.30.5] ===================================================================== Connections from vsi3b-ky[10.240.30.6] to vsi3a-ky[10.240.30.5]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt index 6f3233a09..1adc34350 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi3b-ky to 10.240.30.4/26 within test-vpc1-ky -Interpreted source: vsi3b-ky[10.240.30.6] -Interpreted destination: vsi3a-ky[10.240.30.5], vsi3c-ky[10.240.30.4], vsi3b-ky[10.240.30.6], db-endpoint-gateway-ky[10.240.30.7] +Interpreted source(s): vsi3b-ky[10.240.30.6] +Interpreted destination(s): vsi3a-ky[10.240.30.5], vsi3c-ky[10.240.30.4], vsi3b-ky[10.240.30.6], db-endpoint-gateway-ky[10.240.30.7] =========================================================================== Connections from vsi3b-ky[10.240.30.6] to db-endpoint-gateway-ky[10.240.30.7]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt index fc0b6d4f2..1b2310558 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to vsi2-ky within test-vpc1-ky using "protocol: ICMP" -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: vsi2-ky[10.240.20.4] +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): vsi2-ky[10.240.20.4] ========================================================================================== No connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4] using "protocol: ICMP"; diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt index 7de9edc13..cd9d7e06c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP" -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/16 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/16 (external) =============================================================================================== Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 1-600 dst-ports: 1-50" diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt index 4f6987ee5..899c3bb17 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP" -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/16 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/16 (external) =============================================================================================== Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP" diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt index 7712a7018..ec32e4844 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: TCP" -Interpreted source: vsi1-ky[10.240.10.4] -Interpreted destination: 161.26.0.0/16 (external) +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): 161.26.0.0/16 (external) =============================================================================================== No connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP"; diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt index dadd8f497..646974e03 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt
index 7b77e02ba..874e4d74c 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: TCP"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP"
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt
index 6afcff26d..f4727842b 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4/32 to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 ======================================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP"
diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt
index 1dd260449..14b497ea9 100644
--- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: protocol: TCP src-ports: 115-205 dst-ports: 25-95
diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt
index f7a9c24dc..43df8ea09 100644
--- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt
index c14a23f7c..b4fd9e416 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 ===============================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt
index 7ffc79bb3..d303fdbc3 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to 161.26.0.0/16 within test-vpc1-ky using "protocol: UDP src-ports: 10-100 dst-ports: 443"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 ====================================================================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt
index 119dda1ee..c143ddc73 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from crn:v1:staging:public:is:us-south:a/6527::vpc:a456 to 161.26.0.0/20 within test-vpc1-ky using "protocol: UDP src-ports: 10-100 dst-ports: 443"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/20 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/20 (external)
 ===========================================================================================================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/20 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt
index b86774de7..08af27580 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/12 within test-vpc1-ky using "protocol: UDP src-ports: 10-100 dst-ports: 443"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/12 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/12 (external)
 ================================================================================================================================
 
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: UDP src-ports: 10-100 dst-ports: 443"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt
index 0d8ebe76f..67b55827f 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to vsi3a-ky within test-vpc1-ky using "protocol: UDP src-ports: 10-100 dst-ports: 443"
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi3a-ky[10.240.30.5]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi3a-ky[10.240.30.5]
 ===========================================================================================================================
 
 No connections from vsi1-ky[10.240.10.4] to vsi3a-ky[10.240.30.5] using "protocol: UDP src-ports: 10-100 dst-ports: 443";
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt
index 0e85369c8..9de1d8c9c 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt
index 2e7bdf19a..7cecae395 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "protocol: UDP"
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ==========================================================================================
 
 Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: UDP"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt
index d19308c61..d057a417b 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "protocol: TCP dst-ports: 50-54"
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ===========================================================================================================
 
 Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP dst-ports: 50-54"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt
index bfdff2b6d..96976e7a1 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "protocol: TCP dst-ports: 120-230"
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 =============================================================================================================
 
 Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP dst-ports: 120-230"
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt
index bb27cac11..c2f5011bf 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 147.235.219.206/32 to vsi2-ky within test-vpc1-ky using "protocol: TCP dst-ports: 10-30"
-Interpreted source: 147.235.219.206/32 (external)
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): 147.235.219.206/32 (external)
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 =====================================================================================================================
 
 Connections are allowed from Public Internet 147.235.219.206/32 to vsi2-ky[10.240.20.4] using "protocol: TCP dst-ports: 22"
diff --git a/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt
index 963c23d38..50a03230a 100644
--- a/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.30.4/24 to 161.26.0.0/8 within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5], vsi3b-ky[10.240.30.4], db-endpoint-gateway-ky[10.240.30.6]
-Interpreted destination: 161.26.0.0/8 (external)
+Interpreted source(s): vsi3a-ky[10.240.30.5], vsi3b-ky[10.240.30.4], db-endpoint-gateway-ky[10.240.30.6]
+Interpreted destination(s): 161.26.0.0/8 (external)
 ===============================================================================
 
 No connections from db-endpoint-gateway-ky[10.240.30.6] to Public Internet 161.0.0.0/8;
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt
index a10f76aff..f0e649345 100644
--- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/16 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/16 (external)
 =========================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: protocol: UDP
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt
index b26db10e2..cbd03689b 100644
--- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG2_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 161.26.0.0/16 to vsi1-ky within test-vpc1-ky
-Interpreted source: 161.26.0.0/16 (external)
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): 161.26.0.0/16 (external)
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 =========================================================================
 
 No connections from Public Internet 161.26.0.0/16 to vsi1-ky[10.240.10.4];
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt
index 45d2ae1a2..437224442 100644
--- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi1-ky to 161.26.0.0/32 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: 161.26.0.0/32 (external)
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): 161.26.0.0/32 (external)
 =========================================================================
 
 Connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/32: protocol: UDP
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt
index bb0c919ea..501be48e3 100644
--- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG4_all_vpcs_explain.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3b-ky to 161.26.0.0/32 within test-vpc1-ky
-Interpreted source: vsi3b-ky[10.240.30.4]
-Interpreted destination: 161.26.0.0/32 (external)
+Interpreted source(s): vsi3b-ky[10.240.30.4]
+Interpreted destination(s): 161.26.0.0/32 (external)
 ==========================================================================
 
 No connections from vsi3b-ky[10.240.30.4] to Public Internet 161.26.0.0/32;
diff --git a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt
index f473ffb5a..23a5362c6 100644
--- a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "protocol: TCP src-ports: 90-180 dst-ports: 20-60"
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 =============================================================================================================================
 
 Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP src-ports: 90-180 dst-ports: 20-60"
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt
index e0f8ccb94..cd75d73dc 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi2-ky to vsi3b-ky within test-vpc1-ky
-Interpreted source: vsi2-ky[10.240.20.4]
-Interpreted destination: vsi3b-ky[10.240.30.4]
+Interpreted source(s): vsi2-ky[10.240.20.4]
+Interpreted destination(s): vsi3b-ky[10.240.30.4]
 ====================================================================
 
 Connections from vsi2-ky[10.240.20.4] to vsi3b-ky[10.240.30.4]: protocol: TCP
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt
index fa2c985a4..edc01ce2f 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi2-ky to 10.240.10.4 within test-vpc1-ky
-Interpreted source: vsi2-ky[10.240.20.4]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi2-ky[10.240.20.4]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 =======================================================================
 
 Connections from vsi2-ky[10.240.20.4] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt
index 0130f43b7..54b6a9076 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to 10.240.10.4 within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ========================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt
index 2236095ef..ae0c6444e 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from 10.240.10.4 to 10.240.20.4 within test-vpc1-ky
-Interpreted source: vsi1-ky[10.240.10.4]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi1-ky[10.240.10.4]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 ===========================================================================
 
 No connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4];
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt
index 39c0c28f9..55c79404e 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi2-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi2-ky[10.240.20.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi2-ky[10.240.20.4]
 ====================================================================
 
 No connections from vsi3a-ky[10.240.30.5] to vsi2-ky[10.240.20.4];
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt
index 79333d08b..a2a9785a1 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 No connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4];
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt
index a2697d3f1..e7196ea9e 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt
index d11c8a4d2..6394c3568 100644
--- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3a-ky[10.240.30.5]
-Interpreted destination: vsi1-ky[10.240.10.4]
+Interpreted source(s): vsi3a-ky[10.240.30.5]
+Interpreted destination(s): vsi1-ky[10.240.10.4]
 ====================================================================
 
 Connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/externalToSubnet_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/externalToSubnet_all_vpcs_explain_detail.txt
new file mode 100644
index 000000000..0d7ed159d
--- /dev/null
+++ b/pkg/ibmvpc/examples/out/explain_out/externalToSubnet_all_vpcs_explain_detail.txt
@@ -0,0 +1,65 @@
+Explaining connectivity from 161.26.0.0 to subnet3-ky within test-vpc1-ky
+Interpreted source(s): 161.26.0.0 (external)
+Interpreted destination(s): vsi3a-ky[10.240.30.5], vsi3b-ky[10.240.30.4], db-endpoint-gateway-ky[10.240.30.6]
+=========================================================================
+
+No connections from Public Internet 161.26.0.0/32 to db-endpoint-gateway-ky[10.240.30.6];
+ connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg3-ky does not allow connection
+
+Path:
+ Public Internet 161.26.0.0/32 ->
+ | no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+ security group sg3-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
+No connections from Public Internet 161.26.0.0/32 to vsi3a-ky[10.240.30.5];
+ connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg3-ky does not allow connection
+
+Path:
+ Public Internet 161.26.0.0/32 ->
+ | no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+ security group sg3-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
+No connections from Public Internet 161.26.0.0/32 to vsi3b-ky[10.240.30.4];
+ connection is blocked at ingress and because there is no resource for external connectivity
+
+Ingress: network ACL acl3-ky allows connection; security group sg2-ky does not allow connection
+
+Path:
+ Public Internet 161.26.0.0/32 ->
+ | no resource for external connectivity |
+
+
+Details:
+~~~~~~~~
+Path is disabled; The relevant rules are:
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
+ security group sg2-ky has no relevant allow rules
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt
index 700879d18..2767dcbfe 100644
--- a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi3-ky to vsi1-ky within test-vpc1-ky
-Interpreted source: vsi3-ky[10.240.10.4], vsi3-ky[10.240.20.5]
-Interpreted destination: vsi1-ky[10.240.10.5]
+Interpreted source(s): vsi3-ky[10.240.10.4], vsi3-ky[10.240.20.5]
+Interpreted destination(s): vsi1-ky[10.240.10.5]
 ===================================================================
 
 Connections from vsi3-ky[10.240.20.5] to vsi1-ky[10.240.10.5]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt
index 5f245486f..03aa36d27 100644
--- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt
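Review bot: The `+Interpreted source(s): 161.26.0.0 (external)` line this new fixture pins echoes the raw CLI argument, while every result line below it analyses `Public Internet 161.26.0.0/32`, so the header and the body name the external endpoint differently. For a bare host address the gap is cosmetic, but the same echo passes a non-canonical CIDR through unnormalised: the `SGInternal3SrcToExternalGroup` fixture on this same page prints `Interpreted destination(s): 161.26.0.0/8 (external)` and then reports on `161.0.0.0/8`, so the "interpreted" line tells the user a range that is not the one the analysis actually used, which matters when the finding is an allow. I would have the interpretation line print the canonical network (presumably in the explain output formatter, which is not part of this diff), so this fixture would read `+Interpreted source(s): 161.26.0.0/32 (external)`; the other external-endpoint fixtures here agree with their bodies only because the prefix length was typed explicitly.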
+++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi11-ky to 172.217.22.46/32 within test-vpc1-ky
-Interpreted source: vsi11-ky[10.240.11.4]
-Interpreted destination: 172.217.22.46/32 (external)
+Interpreted source(s): vsi11-ky[10.240.11.4]
+Interpreted destination(s): 172.217.22.46/32 (external)
 =============================================================================
 
 No connections from vsi11-ky[10.240.11.4] to Public Internet 172.217.22.46/32;
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt
index 4c0995cdd..499701d72 100644
--- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from test-vpc0-ky/vsi1-ky to 172.217.22.46/32 within test-vpc0-ky
-Interpreted source: vsi1-ky[10.240.1.4]
-Interpreted destination: 172.217.22.46/32 (external)
+Interpreted source(s): vsi1-ky[10.240.1.4]
+Interpreted destination(s): 172.217.22.46/32 (external)
 =========================================================================================
 
 Connections from vsi1-ky[10.240.1.4] to Public Internet 172.217.22.46/32: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt
index 348907ed1..821d2857a 100644
--- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt
@@ -1,6 +1,6 @@
 Explaining connectivity from vsi31-ky to vsi32-ky within test-vpc3-ky
-Interpreted source: vsi31-ky[10.240.31.4]
-Interpreted destination: vsi32-ky[10.240.128.4]
+Interpreted source(s): vsi31-ky[10.240.31.4]
+Interpreted destination(s): vsi32-ky[10.240.128.4]
 =====================================================================
 
 Connections from vsi31-ky[10.240.31.4] to vsi32-ky[10.240.128.4]: All Connections
diff --git a/pkg/ibmvpc/examples/out/explain_out/subnetToVsiSingleVpc_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/subnetToVsiSingleVpc_all_vpcs_explain_detail.txt
new file mode 100644
index 000000000..c24c1759f
--- /dev/null
+++ b/pkg/ibmvpc/examples/out/explain_out/subnetToVsiSingleVpc_all_vpcs_explain_detail.txt
@@ -0,0 +1,31 @@ +Explaining connectivity from subnet1-ky to 10.240.20.4 within test-vpc1-ky +Interpreted source(s): vsi1-ky[10.240.10.4] +Interpreted destination(s): vsi2-ky[10.240.20.4] +========================================================================== + +No connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]; + connection is blocked at egress + +Egress: security group sg1-ky does not allow connection; network ACL acl1-ky allows connection +Ingress: network ACL acl2-ky allows connection; security group sg2-ky allows connection + +Path: + vsi1-ky[10.240.10.4] -> | security group sg1-ky | + + +Details: +~~~~~~~~ +Path is disabled; The relevant rules are: + Egress: + security group sg1-ky has no relevant allow rules + network ACL acl1-ky allows connection with the following allow rules + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all + security group sg2-ky allows connection with the following allow rules + id: id:147, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), protocol: all + +------------------------------------------------------------------------------------------------------------------------ + diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt index c3a641752..c446d7c85 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from vsi11-ky to vsi21a-ky -Interpreted source: test-vpc1-ky/vsi11-ky[10.240.11.4] -Interpreted destination: test-vpc2-ky/vsi21a-ky[10.240.64.4] +Interpreted source(s): test-vpc1-ky/vsi11-ky[10.240.11.4] +Interpreted destination(s): test-vpc2-ky/vsi21a-ky[10.240.64.4] ================================================== Connections from test-vpc1-ky/vsi11-ky[10.240.11.4] to test-vpc2-ky/vsi21a-ky[10.240.64.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt index 305813d06..be7c445fc 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt @@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi0-subnet5 to ky-vsi0-subnet11 -Interpreted source: test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] -Interpreted destination: test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4] +Interpreted source(s): test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] +Interpreted destination(s): test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4] ================================================================ Connections from test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] to test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain.txt index 97ad98a97..ccc2eb0e9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi1-subnet20 to ky-vsi0-subnet0 -Interpreted source: test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] -Interpreted destination: test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] +Interpreted source(s): test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] +Interpreted destination(s): test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] ================================================================ No connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5]; diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt index ea6f68885..af8eb594d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi1-subnet20 to ky-vsi0-subnet0 -Interpreted source: test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] -Interpreted destination: test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] +Interpreted source(s): test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] +Interpreted destination(s): test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] ================================================================ No connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5]; diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt index eedbba25e..87cc57fc7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi0-subnet0 to ky-vsi0-subnet10 -Interpreted source: test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] -Interpreted destination: test-vpc1-ky/ky-vsi0-subnet10[10.240.64.4] +Interpreted source(s): test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] +Interpreted destination(s): test-vpc1-ky/ky-vsi0-subnet10[10.240.64.4] ================================================================ Connections from test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5] to test-vpc1-ky/ky-vsi0-subnet10[10.240.64.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt index 41b129a6c..550da3621 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi0-subnet5 to ky-vsi0-subnet11 -Interpreted source: test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] -Interpreted destination: test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4] +Interpreted source(s): test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] +Interpreted destination(s): test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4] ================================================================ Connections from test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] to test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt index 64b2a70c8..1e9207bbd 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi1-subnet20 to ky-vsi0-subnet2 -Interpreted source: test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] -Interpreted destination: test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4] +Interpreted source(s): test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] +Interpreted destination(s): test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4] ================================================================ Connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt index 67eb7172e..c6af9547d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt 
@@ -1,6 +1,6 @@ Explaining connectivity from ky-vsi1-subnet20 to 10.240.0.0/21 -Interpreted source: test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] -Interpreted destination: test-vpc0-ky/ky-vsi1-subnet2[10.240.4.5], test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4], test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5], test-vpc0-ky/ky-vsi1-subnet0[10.240.0.4], test-vpc0-ky/ky-vsi0-subnet1[10.240.1.5], test-vpc0-ky/ky-vsi1-subnet1[10.240.1.4], test-vpc0-ky/ky-vsi0-subnet3[10.240.5.5], test-vpc0-ky/ky-vsi1-subnet3[10.240.5.4] +Interpreted source(s): test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] +Interpreted destination(s): test-vpc0-ky/ky-vsi1-subnet2[10.240.4.5], test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4], test-vpc0-ky/ky-vsi0-subnet0[10.240.0.5], test-vpc0-ky/ky-vsi1-subnet0[10.240.0.4], test-vpc0-ky/ky-vsi0-subnet1[10.240.1.5], test-vpc0-ky/ky-vsi1-subnet1[10.240.1.4], test-vpc0-ky/ky-vsi0-subnet3[10.240.5.5], test-vpc0-ky/ky-vsi1-subnet3[10.240.5.4] ============================================================== Connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4]: All Connections diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwSubnetToSubnet_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwSubnetToSubnet_all_vpcs_explain.txt new file mode 100644 index 000000000..fa9ff9ea6 --- /dev/null +++ b/pkg/ibmvpc/examples/out/explain_out/tgwSubnetToSubnet_all_vpcs_explain.txt 
@@ -0,0 +1,17 @@ +Explaining connectivity from test-vpc1-ky/subnet11-ky to subnet32-ky +Interpreted source(s): test-vpc1-ky/vsi11-ky[10.240.11.4] +Interpreted destination(s): test-vpc3-ky/vsi32-ky[10.240.128.4] +==================================================================== + +No connections from test-vpc1-ky/vsi11-ky[10.240.11.4] to test-vpc3-ky/vsi32-ky[10.240.128.4]; + connection is blocked at egress + +Egress: security group sg11-ky allows connection; network ACL acl11-ky blocks connection +cross-vpc-connection: transit-connection tg_connection3 of transit-gateway local-tg-ky allows connection +Ingress: network ACL acl31-ky allows connection; security group sg31-ky allows connection + +Path: + vsi11-ky[10.240.11.4] -> security group sg11-ky -> | network ACL acl11-ky | + +------------------------------------------------------------------------------------------------------------------------ + diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt index 44a1ffc7b..8c9178577 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 192.168.40.5 to 192.168.0.4 within ky-test-vpc using "protocol: ICMP" -Interpreted source: iks-clusterid:1[192.168.40.5] -Interpreted destination: iks-node[192.168.0.4] +Interpreted source(s): iks-clusterid:1[192.168.40.5] +Interpreted destination(s): iks-node[192.168.0.4] ================================================================================================== No connections from iks-clusterid:1[192.168.40.5] to iks-node[192.168.0.4] using "protocol: ICMP"; 
diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt index 8ef6ad285..0062ec272 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt @@ -1,6 +1,6 @@ Explaining connectivity from 192.168.40.5 to 192.168.0.4 within ky-test-vpc using "protocol: TCP" -Interpreted source: iks-clusterid:1[192.168.40.5] -Interpreted destination: iks-node[192.168.0.4] +Interpreted source(s): iks-clusterid:1[192.168.40.5] +Interpreted destination(s): iks-node[192.168.0.4] ================================================================================================= Connections are allowed from iks-clusterid:1[192.168.40.5] to iks-node[192.168.0.4] using "protocol: TCP dst-ports: 30000-32767" diff --git a/pkg/ibmvpc/explainability_test.go b/pkg/ibmvpc/explainability_test.go index 810efe7dd..563b5361a 100644 --- a/pkg/ibmvpc/explainability_test.go +++ b/pkg/ibmvpc/explainability_test.go @@ -78,6 +78,22 @@ var explainTests = []*commonvpc.VpcGeneralTest{ Format: vpcmodel.Text, DetailExplain: true, }, + { + Name: "subnetToVsiSingleVpc", + InputConfig: "sg_testing1_new", + ESrc: "subnet1-ky", + EDst: "10.240.20.4", + Format: vpcmodel.Text, + DetailExplain: true, + }, + { + Name: "externalToSubnet", + InputConfig: "sg_testing1_new", + ESrc: "161.26.0.0", + EDst: "subnet3-ky", + Format: vpcmodel.Text, + DetailExplain: true, + }, { Name: "SimpleExternalSG1", InputConfig: "sg_testing1_new", 
@@ -585,6 +601,13 @@ var explainTests = []*commonvpc.VpcGeneralTest{ Format: vpcmodel.Text, DetailExplain: true, }, + { + Name: "tgwSubnetToSubnet", + InputConfig: "tgw_larger_example", + ESrc: "test-vpc1-ky/subnet11-ky", + EDst: "subnet32-ky", + Format: vpcmodel.Text, + }, // connection disabled by lack of cross-vpc router (tgw) { Name: "multiVPCNoCrossVPCRouter", @@ -759,14 +782,22 @@ func TestInputValiditySingleVPCContext(t *testing.T) { // should fail since vsi's name has a typo _, err5 := vpcConfigSg1.ExplainConnectivity(existingVsi, nonExistingVsi, nil) fmt.Println(err5.Error()) - require.NotNil(t, err5, "the test should fail since dst non existing vsi") - require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, or endpoint name", err5.Error()) + require.NotNil(t, err5, "the test should fail since dst non existing vsi/subnet") + require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name", + err5.Error()) // should fail since src and dst are identical _, err6 := vpcConfigSg1.ExplainConnectivity("10.240.10.4/32", "10.240.10.4", nil) fmt.Println(err6.Error()) require.NotNil(t, err6, "the test should fail src and dst are equal") require.Equal(t, "specified src and dst are equal", err6.Error()) + + vpcConfigNACL3 := getConfig(t, "acl_testing5") + // should fail since subnet sub1-1-ky contains no endpoints + _, err7 := vpcConfigNACL3.ExplainConnectivity("sub1-1-ky", "169.255.0.0", nil) + fmt.Println(err7.Error()) + require.NotNil(t, err7, "the test should fail since subnet contains no endpoints") + require.Equal(t, "illegal src: subnet sub1-1-ky [10.240.1.0/24] contains no endpoints", err7.Error()) } func TestInputValidityMultipleVPCContext(t *testing.T) { 
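Review bot: The new assertions cover only an empty subnet in a single-VPC config; nothing resolves a subnet by UID, or a subnet name that exists in more than one VPC of a multi-VPC config, so the UID comparison and the overwrite-on-duplicate loop in getNodesOfSubnet run untested, even though tgw_larger_example_dup_names appears to be loaded further down for the VSI case. Consider adding in TestInputValidityMultipleVPCContext, where that config is loaded, a case such as `_, err := vpcConfigTgwDupNames.ExplainConnectivity("subnet1-ky", "10.240.20.4", nil)` on a fixture that has duplicate subnet names (the dup-names fixture may already qualify) and pinning whichever behaviour is intended (error, or resolution only when vpc-qualified), plus one lookup by subnet UID. TestInputValidityMultipleVPCContext starts on the last line of this hunk and continues outside it.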
@@ -815,21 +846,23 @@ func TestInputValidityMultipleVPCContext(t *testing.T) { _, err5 := vpcConfigMultiVpc.ExplainConnectivity(existingVsi, nonExistingVsi, nil) fmt.Println(err5.Error()) require.NotNil(t, err5, "the test should fail since dst non existing vsi") - require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, or endpoint name", err5.Error()) + require.Equal(t, "illegal dst: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name", + err5.Error()) fmt.Println() // should fail since src vsi's name has a typo _, err6 := vpcConfigMultiVpc.ExplainConnectivity(nonExistingVsi, existingVsi, nil) fmt.Println(err6.Error()) require.NotNil(t, err6, "the test should fail since src non existing vsi") - require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, or endpoint name", err6.Error()) + require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name", + err6.Error()) fmt.Println() // should fail since src and dst vsi's name has a typo - err msg should be about src _, err7 := vpcConfigMultiVpc.ExplainConnectivity(nonExistingVsi, existingVsi, nil) fmt.Println(err7.Error()) require.NotNil(t, err7, "the test should fail since src and dst non existing vsi") - require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, or endpoint name", err7.Error()) + require.Equal(t, "illegal src: vsi3a is not a legal IP address, CIDR, endpoint name or subnet name", err7.Error()) fmt.Println() // src does not exist, dst is an internal address not connected to a vsi. should prioritize the dst error 
@@ -844,7 +877,8 @@ func TestInputValidityMultipleVPCContext(t *testing.T) { _, err9 := vpcConfigMultiVpc.ExplainConnectivity(cidr1, existingVsiWrongVpc, nil) fmt.Println(err9.Error()) require.NotNil(t, err9, "the test should fail since the src vsi given with wrong vpc") - require.Equal(t, "illegal dst: test-vpc1-ky/vsi3a-ky is not a legal IP address, CIDR, or endpoint name", err9.Error()) + require.Equal(t, "illegal dst: test-vpc1-ky/vsi3a-ky is not a legal IP address,"+ + " CIDR, endpoint name or subnet name", err9.Error()) vpcConfigTgwDupNames := getConfig(t, "tgw_larger_example_dup_names") dupSrcVsi := "vsi1-ky" diff --git a/pkg/vpcmodel/explainabilityInput.go b/pkg/vpcmodel/explainabilityInput.go index 92b5942dc..c2e7f8dd0 100644 --- a/pkg/vpcmodel/explainabilityInput.go +++ b/pkg/vpcmodel/explainabilityInput.go 
@@ -39,13 +39,14 @@ func (e *ExplanationArgs) Dst() string { // consts for managing errors from the single vpc context in the global, multi-vpc, context. // error are prioritized: the larger the error, the higher its severity const ( - noErr = iota - noValidInputErr // string does not represent a valid input w.r.t. this config - wait until we go over all vpcs - internalNoConnectedEndpoints // internal address not connected to any of the VPC's eps - wait until we go over all vpcs - fatalErr // fatal error that implies immediate termination (do not wait until we go over all vpcs) + noErr = iota + noValidInputErr // string does not represent a valid input w.r.t. this config - wait until we go over all vpcs + noConnectedEndpoints // no connected endpoints: either internal address not connected to any of the VPC's eps + // or no endpoints in subnet - in both cases wait until we go over all vpcs + fatalErr // fatal error that implies immediate termination (do not wait until we go over all vpcs) ) -const noValidInputMsg = "is not a legal IP address, CIDR, or endpoint name" +const noValidInputMsg = "is not a legal IP address, CIDR, endpoint name or subnet name" const Deliminator = "/" @@ -96,7 +97,7 @@ type srcAndDstNodes struct { //nolint:gocyclo // better not split into two function func (c *MultipleVPCConfigs) getVPCConfigAndSrcDstNodes(src, dst string) (vpcConfig *VPCConfig, srcNodes, dstNodes []Node, err error) { - var errMsgInternalNoEP, errMsgNoValidSrc, errMsgNoValidDst error + var errMsgNoEp, errMsgNoValidSrc, errMsgNoValidDst error var srcFoundSomeCfg, dstFoundSomeCfg bool if unifyInput(src) == unifyInput(dst) { return nil, nil, nil, fmt.Errorf("specified src and dst are equal") 
@@ -115,8 +116,8 @@ func (c *MultipleVPCConfigs) getVPCConfigAndSrcDstNodes(src, dst string) (vpcCon
 		switch {
 		case errType == fatalErr:
 			return c.Config(cfgID), nil, nil, err
-		case errType == internalNoConnectedEndpoints:
-			errMsgInternalNoEP = err
+		case errType == noConnectedEndpoints:
+			errMsgNoEp = err
 		case errType == noValidInputErr && srcNodes == nil:
 			errMsgNoValidSrc = err
 		case errType == noValidInputErr: // srcNodes != nil, dstNodes == nil
@@ -134,14 +135,14 @@ func (c *MultipleVPCConfigs) getVPCConfigAndSrcDstNodes(src, dst string) (vpcCon
 	// no match: no single vpc config or multi vpc config in which a match for both src and dst was found
 	// this can be either a result of input error, or of src and dst of different vpc that are not connected via cross-vpc router
 	case len(configsWithSrcDstNodeSingleVpc) == 0 && len(configsWithSrcDstNodeMultiVpc) == 0:
-		return noConfigMatchSrcDst(srcFoundSomeCfg, dstFoundSomeCfg, errMsgInternalNoEP,
+		return noConfigMatchSrcDst(srcFoundSomeCfg, dstFoundSomeCfg, errMsgNoEp,
 			errMsgNoValidSrc, errMsgNoValidDst)
 	// single config in which both src and dst were found, and the matched config is a multi vpc config: returns the matched config
 	case len(configsWithSrcDstNodeSingleVpc) == 0 && len(configsWithSrcDstNodeMultiVpc) == 1:
 		for cfgID, val := range configsWithSrcDstNodeMultiVpc {
 			return c.Config(cfgID), val.srcNodes, val.dstNodes, nil
 		}
-	// Src and dst were found in a exactly one single-vpc config. Its likely src and dst were also found in
+	// Src and dst were found in exactly one single-vpc config. Its likely src and dst were also found in
 	// multi-vpc configs (in each such config that connects their vpc to another one).
 	// In this case the relevant config for analysis is the single vpc config, which is the returned config
 	case len(configsWithSrcDstNodeSingleVpc) == 1:
@@ -165,9 +166,9 @@ func unifyInput(str string) string {
 // no match for both src and dst in any of the cfgs:
 // this can be either a result of input error, or of src and dst of different vpc that are not connected via cross-vpc router
 // prioritizes cases and possible errors as follows:
-// valid input but no cross vpc router > errMsgInternalNoEP > errMsgNoValidSrc > errMsgNoValidDst
+// valid input but no cross vpc router > errMsgNoEp > errMsgNoValidSrc > errMsgNoValidDst
 // this function was tested manually; having a dedicated test for it is too much work w.r.t its simplicity
-func noConfigMatchSrcDst(srcFoundSomeCfg, dstFoundSomeCfg bool, errMsgInternalNoEP,
+func noConfigMatchSrcDst(srcFoundSomeCfg, dstFoundSomeCfg bool, errMsgNoEp,
 	errMsgNoValidSrc, errMsgNoValidDst error) (vpcConfig *VPCConfig,
 	srcNodes, dstNodes []Node, err error) {
 	switch {
@@ -175,8 +176,8 @@ func noConfigMatchSrcDst(srcFoundSomeCfg, dstFoundSomeCfg bool, errMsgInternalNo
 	// this is not considered an error - the output will explain the src, dst are not connected via cross-vpc router
 	case srcFoundSomeCfg && dstFoundSomeCfg:
 		return nil, nil, nil, nil
-	case errMsgInternalNoEP != nil:
-		return nil, nil, nil, errMsgInternalNoEP
+	case errMsgNoEp != nil:
+		return nil, nil, nil, errMsgNoEp
 	case !srcFoundSomeCfg:
 		return nil, nil, nil, errMsgNoValidSrc
 	default: // !dstFoundSomeCfg:
@@ -254,8 +255,9 @@ func (e *ExplanationArgs) GetConnectionSet() *connection.Set { // given src and dst input and a VPCConfigs finds the []nodes they represent in the config // src/dst may refer to: // 1. Endpoint by UID or name; in this case we consider the network interfaces of the endpoint -// 2. Internal IP address or cidr; in this case we consider the endpoints in that address range -// 3. external IP address or cidr +// 2. Subnet by name; in this case we consider its internal address, see next item +// 3. Internal IP address or cidr; in this case we consider the endpoints in that address range +// 4. external IP address or cidr func (c *VPCConfig) srcDstInputToNodes(srcName, dstName string) (srcNodes, dstNodes []Node, errType int, err error) { var errSrc, errDst error @@ -293,7 +295,7 @@ func (c *VPCConfig) getSrcOrDstInputNode(name, srcOrDst string) (nodes []Node, return outNodes, noErr, nil } -// given a VPCConfig and a string cidrOrName representing an endpoint or internal/external +// given a VPCConfig and a string cidrOrName representing a subnet, an endpoint or internal/external // cidr/address returns the corresponding node(s) and a bool which is true iff // cidrOrName is an internal address and the nodes are its network interfaces func (c *VPCConfig) getNodesFromInputString(cidrOrName string) (nodes []Node, 
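Review bot: Item 2 of the rewritten list, `// 2. Subnet by name; in this case we consider its internal address, see next item`, understates what a subnet argument means for the verdict: getNodesOfSubnet resolves the name to the network interfaces currently inside the subnet's address range (after dropping nodes not represented by their address), not to the CIDR itself, and a subnet with no such endpoints is rejected with `contains no endpoints`. A reader of this list could assume the explanation covers the whole subnet range, i.e. every address the NACLs would see, when it only covers endpoints present in the configuration at analysis time. Suggest `// 2. Subnet by name or UID; resolved to the endpoints currently deployed in its address range (not the CIDR itself) - a subnet without such endpoints is an error`. The body of srcDstInputToNodes continues past this hunk.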
@@ -306,10 +308,19 @@ func (c *VPCConfig) getNodesFromInputString(cidrOrName string) (nodes []Node,
 	if endpoint != nil {
 		return endpoint, noErr, nil
 	}
-	// cidrOrName, if legal, references an address.
-	// 2. cidrOrName references an ip address
-	ipBlock, err2 := ipblock.FromCidrOrAddress(cidrOrName)
+	// 2. cidrOrName references subnet
+	subnetEndpoints, err2 := c.getNodesOfSubnet(cidrOrName)
 	if err2 != nil {
+		return nil, noConnectedEndpoints, err2
+	}
+	if subnetEndpoints != nil {
+		return subnetEndpoints, noErr, nil
+	}
+	// cidrOrName, if legal, references an address.
+
+	// 3. cidrOrName references an ip address
+	ipBlock, err3 := ipblock.FromCidrOrAddress(cidrOrName)
+	if err3 != nil {
 		// the input is not a legal cidr or IP address, which in this stage means it is not a
 		// valid presentation for src/dst. Lint demands that an error is returned here
 		return nil, noValidInputErr,
@@ -319,21 +330,37 @@ func (c *VPCConfig) getNodesFromInputString(cidrOrName string) (nodes []Node,
 	return c.getNodesFromAddress(cidrOrName, ipBlock)
 }
 
+// getNodesOfSubnet gets a string name or UID of a subnet, and
+// returns the list of all nodes within this subnet's cidr
+// note: in case there are two subnets of the same name, or a subnet and a vsi, we take the first one
+// using the same name is a bad practice but its not npGuard's responsibility to guard.
+// in this case the user may refer to the exact cidr instead of the name
+func (c *VPCConfig) getNodesOfSubnet(name string) ([]Node, error) {
+	inputSubnet, inputVpc := getResourceAndVpcNames(name)
+	var foundSubnet Subnet
+	for _, subnet := range c.Subnets {
+		if (inputVpc == "" || subnet.VPC().Name() == inputVpc) &&
+			(inputSubnet == subnet.UID() || inputSubnet == subnet.Name()) {
+			foundSubnet = subnet
+		}
+	}
+	if foundSubnet == nil {
+		return nil, nil
+	}
+	subnetNodes := c.getNodesWithinInternalAddressFilterNonRelevant(foundSubnet.AddressRange())
+	if len(subnetNodes) == 0 {
+		return nil, fmt.Errorf("subnet %s [%s] contains no endpoints", foundSubnet.Name(), foundSubnet.AddressRange())
+	}
+	return subnetNodes, nil
+}
+
 // getNodesOfEndpoint gets a string name or UID of an endpoint (e.g. VSI), and
 // returns the list of all nodes within this endpoint
 func (c *VPCConfig) getNodesOfEndpoint(name string) ([]Node, int, error) {
 	var nodeSetOfEndpoint NodeSet
-	// endpoint name may be prefixed by vpc name
-	var vpc, endpoint string
 	uid := name // uid specified - vpc prefix is not relevant and uid may contain the deliminator "/"
-	cidrOrNameSlice := strings.Split(name, Deliminator)
-	switch len(cidrOrNameSlice) {
-	case 1: // vpc name not specified
-		endpoint = name
-	case 2: // vpc name specified
-		vpc = cidrOrNameSlice[0]
-		endpoint = cidrOrNameSlice[1]
-	}
+	// endpoint name may be prefixed by vpc name
+	endpoint, vpc := getResourceAndVpcNames(name)
 	for _, nodeSet := range append(c.NodeSets, c.loadBalancersAsNodeSets()...) {
 		if (vpc == "" || nodeSet.VPC().Name() == vpc) && nodeSet.Name() == endpoint || // if vpc of endpoint specified, equality must hold
 			nodeSet.UID() == uid {
@@ -351,6 +378,20 @@ func (c *VPCConfig) getNodesOfEndpoint(name string) ([]Node, int, error) {
 	return nodeSetOfEndpoint.Nodes(), noErr, nil
 }
 
+// getResourceAndVpcNames given a name of a resource (endpoint, subnet) that is potentially prefixed by vpc name,
+// returns the resource name the vpc name (if any) and the resource name
+func getResourceAndVpcNames(name string) (resource, vpc string) {
+	cidrOrNameSlice := strings.Split(name, Deliminator)
+	switch len(cidrOrNameSlice) {
+	case 1: // vpc name not specified
+		resource = name
+	case 2: // vpc name specified
+		vpc = cidrOrNameSlice[0]
+		resource = cidrOrNameSlice[1]
+	}
+	return resource, vpc
+}
+
 // getNodesFromAddress gets a string and IPBlock that represents a cidr or IP address
 // and returns the corresponding node(s)and a bool which is true iff ipOrCidr is an internal address.
 // Specifically:
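Review bot: getNodesOfSubnet cannot resolve a subnet given by a UID that contains the deliminator: `getResourceAndVpcNames` splits on "/", so an identifier with more than one segment yields an empty `inputSubnet`, and `inputSubnet == subnet.UID()` then compares an empty string, whereas getNodesOfEndpoint keeps `uid := name` before splitting precisely because, per its own comment, a uid may contain "/". Compare the unsplit input against the UID as well, e.g. `(inputSubnet == subnet.Name() || inputSubnet == subnet.UID() || name == subnet.UID())`, otherwise such a UID falls through to the IP parser and is reported as not a legal address. Separately, the loop has no `break`, so with duplicate subnet names the last match wins while the comment above says the first one is taken. For a tool whose output is an allow/deny verdict, silently picking one of several subnets is risky: consider counting matches and returning an error such as `subnet name %s is ambiguous; qualify it as vpc/subnet or use its cidr` when more than one subnet matches, in line with how duplicate VSI names appear to be exercised by the tgw_larger_example_dup_names test.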
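Review bot: The doc comment on getResourceAndVpcNames is garbled (`returns the resource name the vpc name (if any) and the resource name`) and omits the behaviour that matters to callers: for an input with more than one deliminator the switch has no matching case, so both results are the empty string, and the only reason getNodesOfEndpoint still works for such UIDs is its separate `nodeSet.UID() == uid` comparison. Suggest replacing the second comment line with `// returns the resource name and the vpc name ("" when no prefix); an input with more than one "/" (e.g. a UID) yields ("", ""), so callers must match UIDs on the unsplit name`. Alternatively make the fall-through explicit with `default: resource = name` so that a UID containing "/" still reaches the name/UID comparison of every caller.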
@@ -383,15 +424,20 @@ func (c *VPCConfig) getNodesFromAddress(ipOrCidr string, inputIPBlock *ipblock.I
 		return nodes, noErr, nil
 	}
 	// internal address
-	networkInterfaces := c.GetNodesWithinInternalAddress(inputIPBlock)
-	// filtering out the nodes which are not represented by their address (currently only LB private IPs):
-	networkInterfaces = slices.DeleteFunc(networkInterfaces, func(n Node) bool { return !n.RepresentedByAddress() })
+	networkInterfaces := c.getNodesWithinInternalAddressFilterNonRelevant(inputIPBlock)
 	if len(networkInterfaces) == 0 { // 3.
-		return nil, internalNoConnectedEndpoints, fmt.Errorf("no network interfaces are connected to %s", ipOrCidr)
+		return nil, noConnectedEndpoints, fmt.Errorf("no network interfaces are connected to %s", ipOrCidr)
 	}
 	return networkInterfaces, noErr, nil // 4.
 }
 
+func (c *VPCConfig) getNodesWithinInternalAddressFilterNonRelevant(inputIPBlock *ipblock.IPBlock) []Node {
+	networkInterfaces := c.GetNodesWithinInternalAddress(inputIPBlock)
+	// filtering out the nodes which are not represented by their address (currently only LB private IPs):
+	networkInterfaces = slices.DeleteFunc(networkInterfaces, func(n Node) bool { return !n.RepresentedByAddress() })
+	return networkInterfaces
+}
+
 // given input IPBlock, gets (disjoint) external nodes I s.t.:
 // 1. The union of these nodes is the cidr
 // 2. Let i be a node in I and n be a node in VPCConfig.
diff --git a/pkg/vpcmodel/explainabilityPrint.go b/pkg/vpcmodel/explainabilityPrint.go
index d17e1461e..e4a643209 100644
--- a/pkg/vpcmodel/explainabilityPrint.go
+++ b/pkg/vpcmodel/explainabilityPrint.go
@@ -39,9 +39,9 @@ func explainHeader(explanation *Explanation) string {
 	// ToDo srcNodes, dstNodes is empty when no cross-vpc router connects src and dst.
 	// See https://github.com/np-guard/vpc-network-config-analyzer/issues/655
 	if len(explanation.srcNodes) > 0 && len(explanation.dstNodes) > 0 {
-		srcInterpretation = fmt.Sprintf("Interpreted source: %s\n", endPointInterpretation(explanation.c,
+		srcInterpretation = fmt.Sprintf("Interpreted source(s): %s\n", endPointInterpretation(explanation.c,
 			explanation.src, explanation.srcNodes))
-		dstInterpretation = fmt.Sprintf("Interpreted destination: %s\n", endPointInterpretation(explanation.c,
+		dstInterpretation = fmt.Sprintf("Interpreted destination(s): %s\n", endPointInterpretation(explanation.c,
 			explanation.dst, explanation.dstNodes))
 	}
 	underLine := strings.Repeat("=", len(title))