diff --git a/cmd/analyzer/subcmds/analysis.go b/cmd/analyzer/subcmds/analysis.go index 0bc7d8e82..cc4b6a339 100644 --- a/cmd/analyzer/subcmds/analysis.go +++ b/cmd/analyzer/subcmds/analysis.go @@ -85,7 +85,6 @@ func routingAnalysis(inArgs *inArgs) error { fmt.Println(path.String()) fmt.Println("") } - return nil*/ } diff --git a/pkg/ibmvpc/examples/input/input_sg_testing1_new_partly_TCP_and_respond.json b/pkg/ibmvpc/examples/input/input_sg_testing1_new_partly_TCP_and_respond.json new file mode 100644 index 000000000..7ebb2fb5d --- /dev/null +++ b/pkg/ibmvpc/examples/input/input_sg_testing1_new_partly_TCP_and_respond.json 
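Review bot: The deleted line carries the `*/` that terminates a block comment, and this hunk removes no matching `/*`, so unless the opener is dropped elsewhere the comment is left unterminated and the file will no longer compile. If the intent is to keep the old body commented out, keep the terminator on its own line, `*/`; if the intent is to re-enable that code, the opener must go too and `routingAnalysis`, which is declared to return `error`, will need its `return nil` back before the closing brace. The hunk is collapsed onto one line and `routingAnalysis` begins outside it, so this cannot be confirmed from the visible context alone; a `go build ./...` on the patched tree would settle it.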
@@ -0,0 +1,1856 @@ +{ + "endpoint_gateways": [ + { + "created_at": "2023-03-26T08:58:43.000Z", + "crn": "crn:1", + "health_state": "ok", + "href": "href:2", + "id": "id:3", + "ips": [ + { + "address": "10.240.30.6", + "href": "href:4", + "id": "id:5", + "name": "vpe-for-etcd-db-ky", + "resource_type": "subnet_reserved_ip" + } + ], + "lifecycle_state": "stable", + "name": "db-endpoint-gateway-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "endpoint_gateway", + "security_groups": [ + { + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky" + } + ], + "service_endpoint": "ttt", + "service_endpoints": [ + "ttt" + ], + "tags": [], + "target": { + "crn": "crn:11", + "resource_type": "provider_cloud_service" + }, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky" + } + } + ], + "floating_ips": [ + { + "address": "52.118.184.123", + "created_at": "2023-03-26T07:40:08Z", + "crn": "crn:15", + "href": "href:16", + "id": "id:17", + "name": "floating-ip-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "status": "available", + "tags": [], + "target": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "address": "52.118.190.41", + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:23", + "href": "href:24", + "id": "id:25", + "name": "public-gw-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "status": "available", + "tags": [], + "target": { + "crn": "crn:26", + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_type": 
"public_gateway" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "instances": [ + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:34" + }, + "href": "href:32", + "id": "id:33", + "name": "railing-repaint-cruller-surname", + "volume": { + "crn": "crn:35", + "href": "href:36", + "id": "id:37", + "name": "untimely-haunt-remand-alto" + } + }, + "created_at": "2023-03-26T07:40:05Z", + "crn": "crn:v1:staging:public:is:us-south:a/6527::vpc:a456", + "disks": [], + "href": "href:30", + "id": "id:31", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi1-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:40:05Z", + "floating_ips": [], + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.10.4", + "href": "href:43", + "id": "id:44", + "name": "tackiness-cupped-fragile-beak", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "primary_ip": { + "address": "10.240.10.4", + "href": "href:43", + "id": "id:44", + "name": "tackiness-cupped-fragile-beak", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": 
"network_interface", + "subnet": { + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:34" + }, + "href": "href:32", + "id": "id:33", + "name": "railing-repaint-cruller-surname", + "volume": { + "crn": "crn:35", + "href": "href:36", + "id": "id:37", + "name": "untimely-haunt-remand-alto" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:57" + }, + "href": "href:55", + "id": "id:56", + "name": "dimly-giggly-reviver-amusable", + "volume": { + "crn": "crn:58", + "href": "href:59", + "id": "id:60", + "name": "hamlet-plunder-decree-steed" + } + }, + "created_at": "2023-03-26T07:39:42Z", + "crn": "crn:52", + "disks": [], + "href": "href:53", + "id": "id:54", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi2-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:42Z", + "floating_ips": [ + { + "address": "52.118.184.123", + "crn": "crn:15", + "href": "href:16", + "id": 
"id:17", + "name": "floating-ip-ky" + } + ], + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:57" + }, + "href": "href:55", + "id": "id:56", + "name": "dimly-giggly-reviver-amusable", + "volume": { + "crn": "crn:58", + "href": "href:59", + "id": "id:60", + "name": "hamlet-plunder-decree-steed" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": 
"us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:72" + }, + "href": "href:70", + "id": "id:71", + "name": "occupier-eagle-slashing-empirical", + "volume": { + "crn": "crn:73", + "href": "href:74", + "id": "id:75", + "name": "powdered-reroute-poser-penny" + } + }, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:67", + "disks": [], + "href": "href:68", + "id": "id:69", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi3a-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:29Z", + "floating_ips": [], + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.30.5", + "href": "href:78", + "id": "id:79", + "name": "twentieth-airport-immunize-afraid", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "primary_ip": { + "address": "10.240.30.5", + "href": "href:78", + "id": "id:79", + "name": "twentieth-airport-immunize-afraid", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": 
"subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:72" + }, + "href": "href:70", + "id": "id:71", + "name": "occupier-eagle-slashing-empirical", + "volume": { + "crn": "crn:73", + "href": "href:74", + "id": "id:75", + "name": "powdered-reroute-poser-penny" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:88" + }, + "href": "href:86", + "id": "id:87", + "name": "devourer-suspend-wrecking-glorious", + "volume": { + "crn": "crn:89", + "href": "href:90", + "id": "id:91", + "name": "amiable-sabbatical-cabbage-shortage" + } + }, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:83", + "disks": [], + "href": "href:84", + "id": "id:85", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi3b-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:29Z", + "floating_ips": [], + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.30.4", + "href": "href:94", + "id": "id:95", + "name": 
"plethora-junkman-sevenfold-image", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "primary_ip": { + "address": "10.240.30.4", + "href": "href:94", + "id": "id:95", + "name": "plethora-junkman-sevenfold-image", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:88" + }, + "href": "href:86", + "id": "id:87", + "name": "devourer-suspend-wrecking-glorious", + "volume": { + "crn": "crn:89", + "href": "href:90", + "id": "id:91", + "name": "amiable-sabbatical-cabbage-shortage" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "network_acls": [ + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:96", + "href": "href:97", + "id": "id:98", + "name": "acl2-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": 
"anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:101", + "id": "id:102", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:99", + "id": "id:100", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "all", + "source": "0.0.0.0/0" + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:101", + "id": "id:102", + "ip_version": "ipv4", + "name": "inbound", + "protocol": "all", + "source": "0.0.0.0/0" + } + ], + "subnets": [ + { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:103", + "href": "href:104", + "id": "id:105", + "name": "acl1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:108", + "id": "id:109", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:10Z", + "destination": "0.0.0.0/0", + "destination_port_max": 200, + "destination_port_min": 100, + "direction": "outbound", + "href": "href:106", + "id": "id:107", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "tcp", + "source": "0.0.0.0/0", + "source_port_max": 50, + "source_port_min": 1 + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:11Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:108", + "id": "id:109", + "ip_version": "ipv4", + "name": "inbound", + "source": "0.0.0.0/0", + "protocol": "tcp", + "destination_port_max": 95, + "destination_port_min": 25, + "source_port_max": 215, + "source_port_min": 115 + } + ], + "subnets": [ + { + "crn": "crn:48", + "href": 
"href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:110", + "href": "href:111", + "id": "id:112", + "name": "acl3-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:115", + "id": "id:116", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:11Z", + "destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:113", + "id": "id:114", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "tcp", + "source": "0.0.0.0/0", + "destination_port_max": 100, + "destination_port_min": 20, + "source_port_max": 205, + "source_port_min": 110 + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:115", + "id": "id:116", + "ip_version": "ipv4", + "name": "inbound", + "protocol": "tcp", + "source": "0.0.0.0/0", + "destination_port_max": 220, + "destination_port_min": 100, + "source_port_max": 60, + "source_port_min": 10 + } + ], + "subnets": [ + { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:117", + "href": "href:118", + "id": "id:119", + "name": "corrode-kilogram-cola-mandated", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:122", + "id": "id:123", + "name": "allow-outbound" + }, + "created_at": "2023-03-26T07:38:54Z", + "destination": "0.0.0.0/0", + "direction": 
"inbound", + "href": "href:120", + "id": "id:121", + "ip_version": "ipv4", + "name": "allow-inbound", + "protocol": "all", + "source": "0.0.0.0/0" + }, + { + "action": "allow", + "created_at": "2023-03-26T07:38:54Z", + "destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:122", + "id": "id:123", + "ip_version": "ipv4", + "name": "allow-outbound", + "protocol": "all", + "source": "0.0.0.0/0" + } + ], + "subnets": [], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + } + ], + "public_gateways": [ + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:26", + "floating_ip": { + "address": "52.118.190.41", + "crn": "crn:23", + "href": "href:24", + "id": "id:25", + "name": "public-gw-ky" + }, + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "public_gateway", + "status": "available", + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "security_groups": [ + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "inbound", + "href": "href:126", + "id": "id:127", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.30.0/24" + } + }, + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + 
"protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + "protocol": "tcp", + "port_max": 200, + "port_min": 100, + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "resource_type": "network_interface" + }, + { + "crn": "crn:1", + "href": "href:2", + "id": "id:3", + "name": "db-endpoint-gateway-ky", + "resource_type": "endpoint_gateway" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:128", + "id": "id:129", + "ip_version": "ipv4", + "protocol": "icmp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "142.0.0.0/7" + } + }, + { + "direction": "inbound", + "href": "href:130", + "id": "id:131", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + }, + { + "direction": "outbound", + "href": "href:132", + "id": "id:133", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "udp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "161.26.0.0/16" + } + }, + { + "direction": "inbound", + "href": "href:134", + "id": "id:135", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" 
+ } + }, + { + "direction": "inbound", + "href": "href:136", + "id": "id:137", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "resource_type": "network_interface" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:09Z", + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:138", + "id": "id:139", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.20.0/24" + } + }, + { + "direction": "outbound", + "href": "href:140", + "id": "id:141", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.10.0/24" + } + }, + { + "direction": "inbound", + "href": "href:142", + "id": "id:143", + "ip_version": "ipv4", + "port_max": 22, + "port_min": 22, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "address": "147.235.219.206" + } + }, + { + "direction": "outbound", + "href": "href:144", + "id": "id:145", + "ip_version": "ipv4", + "protocol": "icmp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "142.0.0.0/8" + } + }, + { + "direction": "inbound", + "href": "href:146", + "id": "id:147", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + }, + { + "direction": "outbound", + "href": "href:148", + 
"id": "id:149", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.30.0/24" + } + }, + { + "direction": "outbound", + "href": "href:150", + "id": "id:151", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + }, + { + "direction": "inbound", + "href": "href:152", + "id": "id:153", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "resource_type": "network_interface" + }, + { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "resource_type": "network_interface" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:157", + "id": "id:158", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "inbound", + "href": "href:159", + "id": "id:160", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal" + } + } + ], + "tags": [], + "targets": [], + "vpc": { + "crn": "crn:12", + 
"href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + } + ], + "subnets": [ + { + "available_ipv4_address_count": 250, + "created_at": "2023-03-26T07:39:41Z", + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.10.0/24", + "name": "subnet1-ky", + "network_acl": { + "crn": "crn:103", + "href": "href:104", + "id": "id:105", + "name": "acl1-ky" + }, + "public_gateway": { + "crn": "crn:26", + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_type": "public_gateway" + }, + "reserved_ips": [ + { + "address": "10.240.10.0", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:161", + "id": "id:162", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.1", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:163", + "id": "id:164", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:165", + "id": "id:166", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:167", + "id": "id:168", + "lifecycle_state": "stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.4", + "auto_delete": true, + "created_at": "2023-03-26T07:40:05Z", + "href": "href:43", + "id": "id:44", + "lifecycle_state": "stable", + "name": "tackiness-cupped-fragile-beak", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:41", + "id": "id:42", 
+ "name": "virtuous-familiar-oboe-hurdle", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.10.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:169", + "id": "id:170", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "public" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "available_ipv4_address_count": 250, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.20.0/24", + "name": "subnet2-ky", + "network_acl": { + "crn": "crn:96", + "href": "href:97", + "id": "id:98", + "name": "acl2-ky" + }, + "reserved_ips": [ + { + "address": "10.240.20.0", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:173", + "id": "id:174", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.1", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:175", + "id": "id:176", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:177", + "id": "id:178", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + 
"owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:179", + "id": "id:180", + "lifecycle_state": "stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.4", + "auto_delete": true, + "created_at": "2023-03-26T07:39:42Z", + "href": "href:20", + "id": "id:21", + "lifecycle_state": "stable", + "name": "unpopular-fool-uncapped-gallantly", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.20.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:181", + "id": "id:182", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "public" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "available_ipv4_address_count": 248, + "created_at": "2023-03-26T07:39:15Z", + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.30.0/24", + "name": "subnet3-ky", + "network_acl": { + "crn": "crn:110", + "href": "href:111", + "id": "id:112", + "name": "acl3-ky" + }, + "reserved_ips": [ + { + "address": "10.240.30.0", + "auto_delete": false, + "created_at": 
"2023-03-26T07:39:15Z", + "href": "href:183", + "id": "id:184", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.1", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:185", + "id": "id:186", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:187", + "id": "id:188", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:189", + "id": "id:190", + "lifecycle_state": "stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.4", + "auto_delete": true, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:94", + "id": "id:95", + "lifecycle_state": "stable", + "name": "plethora-junkman-sevenfold-image", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.30.5", + "auto_delete": true, + "created_at": "2023-03-26T07:39:30Z", + "href": "href:78", + "id": "id:79", + "lifecycle_state": "stable", + "name": "twentieth-airport-immunize-afraid", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.30.6", + "auto_delete": true, + "created_at": "2023-03-26T08:58:46Z", + "href": "href:4", + "id": "id:5", + "lifecycle_state": "stable", + "name": 
"vpe-for-etcd-db-ky", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "crn": "crn:1", + "href": "href:2", + "id": "id:3", + "name": "db-endpoint-gateway-ky", + "resource_type": "endpoint_gateway" + } + }, + { + "address": "10.240.30.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:191", + "id": "id:192", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "private" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "vpcs": [ + { + "classic_access": false, + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:12", + "cse_source_ips": [ + { + "ip": { + "address": "10.249.196.57" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "ip": { + "address": "10.249.205.252" + }, + "zone": { + "href": "href:193", + "name": "us-south-2" + } + }, + { + "ip": { + "address": "10.12.167.235" + }, + "zone": { + "href": "href:194", + "name": "us-south-3" + } + } + ], + "default_network_acl": { + "crn": "crn:117", + "href": "href:118", + "id": "id:119", + "name": "corrode-kilogram-cola-mandated" + }, + "default_routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "default_security_group": { + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal" + }, + "href": "href:13", + "id": "id:14", + 
"name": "test-vpc1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "vpc", + "status": "available", + "tags": [] + } + ] +} + diff --git a/pkg/ibmvpc/examples/input/input_sg_testing1_new_respond_partly.json b/pkg/ibmvpc/examples/input/input_sg_testing1_new_respond_partly.json new file mode 100644 index 000000000..fad7f0e24 --- /dev/null +++ b/pkg/ibmvpc/examples/input/input_sg_testing1_new_respond_partly.json 
@@ -0,0 +1,1848 @@ +{ + "endpoint_gateways": [ + { + "created_at": "2023-03-26T08:58:43.000Z", + "crn": "crn:1", + "health_state": "ok", + "href": "href:2", + "id": "id:3", + "ips": [ + { + "address": "10.240.30.6", + "href": "href:4", + "id": "id:5", + "name": "vpe-for-etcd-db-ky", + "resource_type": "subnet_reserved_ip" + } + ], + "lifecycle_state": "stable", + "name": "db-endpoint-gateway-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "endpoint_gateway", + "security_groups": [ + { + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky" + } + ], + "service_endpoint": "ttt", + "service_endpoints": [ + "ttt" + ], + "tags": [], + "target": { + "crn": "crn:11", + "resource_type": "provider_cloud_service" + }, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky" + } + } + ], + "floating_ips": [ + { + "address": "52.118.184.123", + "created_at": "2023-03-26T07:40:08Z", + "crn": "crn:15", + "href": "href:16", + "id": "id:17", + "name": "floating-ip-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "status": "available", + "tags": [], + "target": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "address": "52.118.190.41", + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:23", + "href": "href:24", + "id": "id:25", + "name": "public-gw-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "status": "available", + "tags": [], + "target": { + "crn": "crn:26", + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_type": 
"public_gateway" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "instances": [ + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:34" + }, + "href": "href:32", + "id": "id:33", + "name": "railing-repaint-cruller-surname", + "volume": { + "crn": "crn:35", + "href": "href:36", + "id": "id:37", + "name": "untimely-haunt-remand-alto" + } + }, + "created_at": "2023-03-26T07:40:05Z", + "crn": "crn:v1:staging:public:is:us-south:a/6527::vpc:a456", + "disks": [], + "href": "href:30", + "id": "id:31", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi1-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:40:05Z", + "floating_ips": [], + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.10.4", + "href": "href:43", + "id": "id:44", + "name": "tackiness-cupped-fragile-beak", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "primary_ip": { + "address": "10.240.10.4", + "href": "href:43", + "id": "id:44", + "name": "tackiness-cupped-fragile-beak", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": 
"network_interface", + "subnet": { + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:34" + }, + "href": "href:32", + "id": "id:33", + "name": "railing-repaint-cruller-surname", + "volume": { + "crn": "crn:35", + "href": "href:36", + "id": "id:37", + "name": "untimely-haunt-remand-alto" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:57" + }, + "href": "href:55", + "id": "id:56", + "name": "dimly-giggly-reviver-amusable", + "volume": { + "crn": "crn:58", + "href": "href:59", + "id": "id:60", + "name": "hamlet-plunder-decree-steed" + } + }, + "created_at": "2023-03-26T07:39:42Z", + "crn": "crn:52", + "disks": [], + "href": "href:53", + "id": "id:54", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi2-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:42Z", + "floating_ips": [ + { + "address": "52.118.184.123", + "crn": "crn:15", + "href": "href:16", + "id": 
"id:17", + "name": "floating-ip-ky" + } + ], + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "primary_ip": { + "address": "10.240.20.4", + "href": "href:20", + "id": "id:21", + "name": "unpopular-fool-uncapped-gallantly", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:57" + }, + "href": "href:55", + "id": "id:56", + "name": "dimly-giggly-reviver-amusable", + "volume": { + "crn": "crn:58", + "href": "href:59", + "id": "id:60", + "name": "hamlet-plunder-decree-steed" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": 
"us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:72" + }, + "href": "href:70", + "id": "id:71", + "name": "occupier-eagle-slashing-empirical", + "volume": { + "crn": "crn:73", + "href": "href:74", + "id": "id:75", + "name": "powdered-reroute-poser-penny" + } + }, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:67", + "disks": [], + "href": "href:68", + "id": "id:69", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi3a-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:29Z", + "floating_ips": [], + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.30.5", + "href": "href:78", + "id": "id:79", + "name": "twentieth-airport-immunize-afraid", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "primary_ip": { + "address": "10.240.30.5", + "href": "href:78", + "id": "id:79", + "name": "twentieth-airport-immunize-afraid", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": 
"subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:72" + }, + "href": "href:70", + "id": "id:71", + "name": "occupier-eagle-slashing-empirical", + "volume": { + "crn": "crn:73", + "href": "href:74", + "id": "id:75", + "name": "powdered-reroute-poser-penny" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "availability_policy": { + "host_failure": "restart" + }, + "bandwidth": 4000, + "boot_volume_attachment": { + "device": { + "id": "id:88" + }, + "href": "href:86", + "id": "id:87", + "name": "devourer-suspend-wrecking-glorious", + "volume": { + "crn": "crn:89", + "href": "href:90", + "id": "id:91", + "name": "amiable-sabbatical-cabbage-shortage" + } + }, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:83", + "disks": [], + "href": "href:84", + "id": "id:85", + "image": { + "crn": "crn:38", + "href": "href:39", + "id": "id:40", + "name": "ibm-centos-7-9-minimal-amd64-8" + }, + "lifecycle_reasons": [], + "lifecycle_state": "stable", + "memory": 4, + "metadata_service": { + "enabled": false, + "protocol": "http", + "response_hop_limit": 1 + }, + "name": "vsi3b-ky", + "network_interfaces": [ + { + "allow_ip_spoofing": false, + "created_at": "2023-03-26T07:39:29Z", + "floating_ips": [], + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "port_speed": 3000, + "primary_ip": { + "address": "10.240.30.4", + "href": "href:94", + "id": "id:95", + "name": 
"plethora-junkman-sevenfold-image", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "security_groups": [ + { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + ], + "status": "available", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + }, + "type": "primary" + } + ], + "numa_count": 1, + "primary_network_interface": { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "primary_ip": { + "address": "10.240.30.4", + "href": "href:94", + "id": "id:95", + "name": "plethora-junkman-sevenfold-image", + "resource_type": "subnet_reserved_ip" + }, + "resource_type": "network_interface", + "subnet": { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + } + }, + "profile": { + "href": "href:51", + "name": "cx2-2x4" + }, + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "instance", + "startable": true, + "status": "running", + "status_reasons": [], + "tags": [], + "total_network_bandwidth": 3000, + "total_volume_bandwidth": 1000, + "vcpu": { + "architecture": "amd64", + "count": 2, + "manufacturer": "intel" + }, + "volume_attachments": [ + { + "device": { + "id": "id:88" + }, + "href": "href:86", + "id": "id:87", + "name": "devourer-suspend-wrecking-glorious", + "volume": { + "crn": "crn:89", + "href": "href:90", + "id": "id:91", + "name": "amiable-sabbatical-cabbage-shortage" + } + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "network_acls": [ + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:96", + "href": "href:97", + "id": "id:98", + "name": "acl2-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": 
"anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:101", + "id": "id:102", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:99", + "id": "id:100", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "all", + "source": "0.0.0.0/0" + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:101", + "id": "id:102", + "ip_version": "ipv4", + "name": "inbound", + "protocol": "all", + "source": "0.0.0.0/0" + } + ], + "subnets": [ + { + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "name": "subnet2-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:103", + "href": "href:104", + "id": "id:105", + "name": "acl1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:108", + "id": "id:109", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:10Z", + "destination": "0.0.0.0/0", + "destination_port_max": 200, + "destination_port_min": 100, + "direction": "outbound", + "href": "href:106", + "id": "id:107", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "tcp", + "source": "0.0.0.0/0", + "source_port_max": 50, + "source_port_min": 1 + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:11Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:108", + "id": "id:109", + "ip_version": "ipv4", + "name": "inbound", + "protocol": "all", + "source": "0.0.0.0/0" + } + ], + "subnets": [ + { + "crn": "crn:48", + "href": "href:49", + "id": "id:50", + "name": "subnet1-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + 
"crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:110", + "href": "href:111", + "id": "id:112", + "name": "acl3-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:115", + "id": "id:116", + "name": "inbound" + }, + "created_at": "2023-03-26T07:39:11Z", + "destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:113", + "id": "id:114", + "ip_version": "ipv4", + "name": "outbound", + "protocol": "all", + "source": "0.0.0.0/0" + }, + { + "action": "allow", + "created_at": "2023-03-26T07:39:12Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:115", + "id": "id:116", + "ip_version": "ipv4", + "name": "inbound", + "protocol": "tcp", + "source": "0.0.0.0/0", + "destination_port_max": 220, + "destination_port_min": 100, + "source_port_max": 60, + "source_port_min": 10 + } + ], + "subnets": [ + { + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "name": "subnet3-ky", + "resource_type": "subnet" + } + ], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:117", + "href": "href:118", + "id": "id:119", + "name": "corrode-kilogram-cola-mandated", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "action": "allow", + "before": { + "href": "href:122", + "id": "id:123", + "name": "allow-outbound" + }, + "created_at": "2023-03-26T07:38:54Z", + "destination": "0.0.0.0/0", + "direction": "inbound", + "href": "href:120", + "id": "id:121", + "ip_version": "ipv4", + "name": "allow-inbound", + "protocol": "all", + "source": "0.0.0.0/0" + }, + { + "action": "allow", + "created_at": "2023-03-26T07:38:54Z", + 
"destination": "0.0.0.0/0", + "direction": "outbound", + "href": "href:122", + "id": "id:123", + "ip_version": "ipv4", + "name": "allow-outbound", + "protocol": "all", + "source": "0.0.0.0/0" + } + ], + "subnets": [], + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + } + ], + "public_gateways": [ + { + "created_at": "2023-03-26T07:39:10Z", + "crn": "crn:26", + "floating_ip": { + "address": "52.118.190.41", + "crn": "crn:23", + "href": "href:24", + "id": "id:25", + "name": "public-gw-ky" + }, + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "public_gateway", + "status": "available", + "tags": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "security_groups": [ + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:8", + "href": "href:9", + "id": "id:10", + "name": "sg3-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "inbound", + "href": "href:126", + "id": "id:127", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.30.0/24" + } + }, + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "outbound", + "href": "href:124", + "id": "id:125", + "ip_version": "ipv4", + "protocol": 
"tcp", + "port_max": 200, + "port_min": 100, + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "resource_type": "network_interface" + }, + { + "crn": "crn:1", + "href": "href:2", + "id": "id:3", + "name": "db-endpoint-gateway-ky", + "resource_type": "endpoint_gateway" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:11Z", + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:128", + "id": "id:129", + "ip_version": "ipv4", + "protocol": "icmp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "142.0.0.0/7" + } + }, + { + "direction": "inbound", + "href": "href:130", + "id": "id:131", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + }, + { + "direction": "outbound", + "href": "href:132", + "id": "id:133", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "udp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "161.26.0.0/16" + } + }, + { + "direction": "inbound", + "href": "href:134", + "id": "id:135", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + }, + { + "direction": "inbound", + "href": "href:136", + "id": "id:137", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:8", + "href": "href:9", + 
"id": "id:10", + "name": "sg3-ky" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "resource_type": "network_interface" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:39:09Z", + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:138", + "id": "id:139", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.20.0/24" + } + }, + { + "direction": "outbound", + "href": "href:140", + "id": "id:141", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.10.0/24" + } + }, + { + "direction": "inbound", + "href": "href:142", + "id": "id:143", + "ip_version": "ipv4", + "port_max": 22, + "port_min": 22, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "address": "147.235.219.206" + } + }, + { + "direction": "outbound", + "href": "href:144", + "id": "id:145", + "ip_version": "ipv4", + "protocol": "icmp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "142.0.0.0/8" + } + }, + { + "direction": "inbound", + "href": "href:146", + "id": "id:147", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:45", + "href": "href:46", + "id": "id:47", + "name": "sg1-ky" + } + }, + { + "direction": "outbound", + "href": "href:148", + "id": "id:149", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "10.240.30.0/24" + } + }, + { + "direction": "outbound", + "href": "href:150", + "id": 
"id:151", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + }, + { + "direction": "inbound", + "href": "href:152", + "id": "id:153", + "ip_version": "ipv4", + "port_max": 65535, + "port_min": 1, + "protocol": "tcp", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:61", + "href": "href:62", + "id": "id:63", + "name": "sg2-ky" + } + } + ], + "tags": [], + "targets": [ + { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "resource_type": "network_interface" + }, + { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "resource_type": "network_interface" + } + ], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + }, + { + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "rules": [ + { + "direction": "outbound", + "href": "href:157", + "id": "id:158", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "cidr_block": "0.0.0.0/0" + } + }, + { + "direction": "inbound", + "href": "href:159", + "id": "id:160", + "ip_version": "ipv4", + "protocol": "all", + "local": { + "cidr_block": "0.0.0.0/0" + }, + "remote": { + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal" + } + } + ], + "tags": [], + "targets": [], + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + } + } + ], + "subnets": [ + { + "available_ipv4_address_count": 250, + "created_at": "2023-03-26T07:39:41Z", + "crn": "crn:48", + "href": 
"href:49", + "id": "id:50", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.10.0/24", + "name": "subnet1-ky", + "network_acl": { + "crn": "crn:103", + "href": "href:104", + "id": "id:105", + "name": "acl1-ky" + }, + "public_gateway": { + "crn": "crn:26", + "href": "href:27", + "id": "id:28", + "name": "public-gw-ky", + "resource_type": "public_gateway" + }, + "reserved_ips": [ + { + "address": "10.240.10.0", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:161", + "id": "id:162", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.1", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:163", + "id": "id:164", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:165", + "id": "id:166", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:167", + "id": "id:168", + "lifecycle_state": "stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.10.4", + "auto_delete": true, + "created_at": "2023-03-26T07:40:05Z", + "href": "href:43", + "id": "id:44", + "lifecycle_state": "stable", + "name": "tackiness-cupped-fragile-beak", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:41", + "id": "id:42", + "name": "virtuous-familiar-oboe-hurdle", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.10.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:41Z", + "href": "href:169", + "id": 
"id:170", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "public" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "available_ipv4_address_count": 250, + "created_at": "2023-03-26T07:39:29Z", + "crn": "crn:64", + "href": "href:65", + "id": "id:66", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.20.0/24", + "name": "subnet2-ky", + "network_acl": { + "crn": "crn:96", + "href": "href:97", + "id": "id:98", + "name": "acl2-ky" + }, + "reserved_ips": [ + { + "address": "10.240.20.0", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:173", + "id": "id:174", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.1", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:175", + "id": "id:176", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:177", + "id": "id:178", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:179", + "id": "id:180", + "lifecycle_state": 
"stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.20.4", + "auto_delete": true, + "created_at": "2023-03-26T07:39:42Z", + "href": "href:20", + "id": "id:21", + "lifecycle_state": "stable", + "name": "unpopular-fool-uncapped-gallantly", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:18", + "id": "id:19", + "name": "silencer-ointment-chafe-outlet", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.20.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:181", + "id": "id:182", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "public" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "available_ipv4_address_count": 248, + "created_at": "2023-03-26T07:39:15Z", + "crn": "crn:80", + "href": "href:81", + "id": "id:82", + "ip_version": "ipv4", + "ipv4_cidr_block": "10.240.30.0/24", + "name": "subnet3-ky", + "network_acl": { + "crn": "crn:110", + "href": "href:111", + "id": "id:112", + "name": "acl3-ky" + }, + "reserved_ips": [ + { + "address": "10.240.30.0", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:183", + "id": "id:184", + "lifecycle_state": "stable", + "name": "ibm-network-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.1", + 
"auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:185", + "id": "id:186", + "lifecycle_state": "stable", + "name": "ibm-default-gateway", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.2", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:187", + "id": "id:188", + "lifecycle_state": "stable", + "name": "ibm-dns-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.3", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:189", + "id": "id:190", + "lifecycle_state": "stable", + "name": "ibm-reserved-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + }, + { + "address": "10.240.30.4", + "auto_delete": true, + "created_at": "2023-03-26T07:39:29Z", + "href": "href:94", + "id": "id:95", + "lifecycle_state": "stable", + "name": "plethora-junkman-sevenfold-image", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:92", + "id": "id:93", + "name": "brunt-legacy-confound-sedate", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.30.5", + "auto_delete": true, + "created_at": "2023-03-26T07:39:30Z", + "href": "href:78", + "id": "id:79", + "lifecycle_state": "stable", + "name": "twentieth-airport-immunize-afraid", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "href": "href:76", + "id": "id:77", + "name": "pony-repressed-utility-wanting", + "resource_type": "network_interface" + } + }, + { + "address": "10.240.30.6", + "auto_delete": true, + "created_at": "2023-03-26T08:58:46Z", + "href": "href:4", + "id": "id:5", + "lifecycle_state": "stable", + "name": "vpe-for-etcd-db-ky", + "owner": "user", + "resource_type": "subnet_reserved_ip", + "target": { + "crn": "crn:1", + "href": "href:2", + "id": "id:3", + "name": "db-endpoint-gateway-ky", + "resource_type": "endpoint_gateway" + } + }, 
+ { + "address": "10.240.30.255", + "auto_delete": false, + "created_at": "2023-03-26T07:39:15Z", + "href": "href:191", + "id": "id:192", + "lifecycle_state": "stable", + "name": "ibm-broadcast-address", + "owner": "provider", + "resource_type": "subnet_reserved_ip" + } + ], + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "subnet", + "routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "status": "available", + "tags": [ + "private" + ], + "total_ipv4_address_count": 256, + "vpc": { + "crn": "crn:12", + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_type": "vpc" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + } + ], + "vpcs": [ + { + "classic_access": false, + "created_at": "2023-03-26T07:38:54Z", + "crn": "crn:12", + "cse_source_ips": [ + { + "ip": { + "address": "10.249.196.57" + }, + "zone": { + "href": "href:22", + "name": "us-south-1" + } + }, + { + "ip": { + "address": "10.249.205.252" + }, + "zone": { + "href": "href:193", + "name": "us-south-2" + } + }, + { + "ip": { + "address": "10.12.167.235" + }, + "zone": { + "href": "href:194", + "name": "us-south-3" + } + } + ], + "default_network_acl": { + "crn": "crn:117", + "href": "href:118", + "id": "id:119", + "name": "corrode-kilogram-cola-mandated" + }, + "default_routing_table": { + "href": "href:171", + "id": "id:172", + "name": "moustache-bronchial-tribute-surrogate", + "resource_type": "routing_table" + }, + "default_security_group": { + "crn": "crn:154", + "href": "href:155", + "id": "id:156", + "name": "shininess-disavow-whinny-canal" + }, + "href": "href:13", + "id": "id:14", + "name": "test-vpc1-ky", + "resource_group": { + "href": "href:6", + "id": "id:7", + "name": "anonymous" + }, + "resource_type": "vpc", + "status": "available", + "tags": [] + } + ] +} + 
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
index 72a92e766..af2855cce 100644
--- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain.txt
@@ -11,7 +11,7 @@ Path:
 ------------------------------------------------------------------------------------------------------------------------
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky blocks connection; network ACL acl1-ky allows connection
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_debug.txt
index 4e78dceb5..e6411eec4 100644
--- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_debug.txt
@@ -11,16 +11,17 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.0.0.0-161.25.255.255,161.27.0.0-161.255.255.255;
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky blocks connection; network ACL acl1-ky allows connection
@@ -31,10 +32,11 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky blocks connection since there are no relevant allow rules
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky blocks connection since there are no relevant allow rules
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
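Review bot: The new heading `Path is enabled by the following rules:` is printed even where the details under it show the path is blocked — in the second hunk of this file the egress section reads `security group sg1-ky blocks connection since there are no relevant allow rules`, directly under a heading that says the path is enabled, and the same contradiction is pinned in NACLExternal2_all_vpcs_explain_debug.txt, NACLGrouping_all_vpcs_explain_debug.txt and NACLInternal3_all_vpcs_explain_debug.txt. Since the summary a few lines above already says `connection is blocked by egress`, a reader of the debug output is given two opposite verdicts, which is exactly the kind of ambiguity an explain tool for firewall rules should avoid. The Go code that emits the heading is not part of this diff, so the fix belongs there, with these fixtures regenerated afterwards; choosing the heading from the verdict, e.g. `Path is blocked by the following rules:` when any layer blocks, or a neutral `Rules evaluated along the path:`, would keep summary and details consistent.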
diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_debug.txt
index 57a6e2945..89ff8c064 100644
--- a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from 192.168.8.4 (iks-node[192.168.8.4]) to 192.168.4.4
 ==========================================================================================================================
 Allowed connections from iks-node[192.168.8.4] to iks-node[192.168.4.4]: All Connections
+ The TCP sub-connection is responsive
 Path:
 iks-node[192.168.8.4] -> security group[kube-clusterid:1, ky-test-default-sg] -> ky-test-private-subnet-3 -> network ACL ky-test-private-2-others-acl ->
@@ -10,25 +11,35 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group kube-clusterid:1 allows connection with the following allow rules
- index: 8, direction: outbound, conns: protocol: all, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
-security group ky-test-default-sg allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL ky-test-private-2-others-acl allows connection with the following allow rules
- index: 6, direction: outbound , src: 0.0.0.0/0 , dst: 192.168.0.0/20, conn: all, action: allow
-
-Ingress:
-network ACL ky-test-private-2-others-acl allows connection with the following allow rules
- index: 2, direction: inbound , src: 192.168.0.0/20 , dst: 0.0.0.0/0, conn: all, action: allow
-security group kube-clusterid:1 allows connection with the following allow rules
- index: 3, direction: inbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0
- index: 4, direction: inbound, conns: protocol: udp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0
- index: 6, direction: inbound, conns: protocol: icmp, icmpType: protocol: ICMP icmp-type: 8, remote: 0.0.0.0/0, local: 0.0.0.0/0
- index: 7, direction: inbound, conns: protocol: all, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
-security group ky-test-default-sg allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
- index: 2, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group kube-clusterid:1 allows connection with the following allow rules
+ index: 8, direction: outbound, conns: protocol: all, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
+ security group ky-test-default-sg allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL ky-test-private-2-others-acl allows connection with the following allow rules
+ index: 6, direction: outbound , src: 0.0.0.0/0 , dst: 192.168.0.0/20, conn: all, action: allow
+
+ Ingress:
+ network ACL ky-test-private-2-others-acl allows connection with the following allow rules
+ index: 2, direction: inbound , src: 192.168.0.0/20 , dst: 0.0.0.0/0, conn: all, action: allow
+ security group kube-clusterid:1 allows connection with the following allow rules
+ index: 3, direction: inbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 4, direction: inbound, conns: protocol: udp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 6, direction: inbound, conns: protocol: icmp, icmpType: protocol: ICMP icmp-type: 8, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 7, direction: inbound, conns: protocol: all, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
+ security group ky-test-default-sg allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0
+ index: 2, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+
+TCP response is enabled by the following rules:
+ Egress:
+ network ACL ky-test-private-2-others-acl allows connection with the following allow rules
+ index: 6, direction: outbound , src: 0.0.0.0/0 , dst: 192.168.0.0/20, conn: all, action: allow
+
+ Ingress:
+ network ACL ky-test-private-2-others-acl allows connection with the following allow rules
+ index: 2, direction: inbound , src: 192.168.0.0/20 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_debug.txt
index 98e44914c..416f6713d 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_debug.txt
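Review bot: The new `TCP response is enabled by the following rules:` section lists only network ACL rules while the forward-path section above it lists both security groups and network ACLs, and nothing in the output says why the security groups drop out. Presumably this is because security groups are stateful and only the stateless ACLs need an explicit rule for the return leg, but a reader auditing the rule set cannot tell that from the text and may think the SG check was skipped. A one-line qualifier under the heading, e.g. `(security groups are stateful; only network ACL rules are checked for the response)`, would make the output self-explaining; the code producing the section is outside this diff, and the same point applies to NACLInternal1_all_vpcs_explain_debug.txt and NACLInternal2_all_vpcs_explain_debug.txt.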
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_debug.txt
index 3c87282f1..271d2b98d 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_debug.txt
@@ -2,7 +2,7 @@ Explaining connectivity from vsi1-ky to 100.128.0.0/32 within test-vpc1-ky
 ==========================================================================
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 100.128.0.0/32;
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
@@ -13,10 +13,11 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky blocks connection since there are no relevant allow rules
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_debug.txt
index 031fb0528..4d4624123 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_debug.txt
@@ -11,16 +11,17 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
 ------------------------------------------------------------------------------------------------------------------------
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.27.0.0/16;
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
@@ -31,10 +32,11 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky blocks connection since there are no relevant allow rules
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt
index 6df717c69..2061bc73f 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain.txt
@@ -2,6 +2,7 @@ Explaining connectivity from 10.240.10.4 (vsi1-ky[10.240.10.4]) to vsi2-ky withi
 ==============================================================================================
 Allowed connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP
+ The TCP sub-connection is responsive
 Path:
 vsi1-ky[10.240.10.4] -> security group sg1-ky -> subnet1-ky -> network ACL acl1-ky ->
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_debug.txt
index 508a80722..ee3e649e1 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi1-ky to 10.240.20.4 (vsi2-ky[10.240.20.4]) withi
 ==============================================================================================
 Allowed connections from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]: protocol: TCP,UDP
+ The TCP sub-connection is responsive
 Path:
 vsi1-ky[10.240.10.4] -> security group sg1-ky -> subnet1-ky -> network ACL acl1-ky ->
@@ -10,18 +11,28 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow and deny rules
- index: 0, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: protocol: icmp, action: deny
- index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
-
-Ingress:
-network ACL acl2-ky allows connection with the following allow rules
- index: 6, direction: inbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow and deny rules
+ index: 0, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: protocol: icmp, action: deny
+ index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
+
+ Ingress:
+ network ACL acl2-ky allows connection with the following allow rules
+ index: 6, direction: inbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+
+TCP response is enabled by the following rules:
+ Egress:
+ network ACL acl2-ky allows connection with the following allow rules
+ index: 2, direction: outbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
+
+ Ingress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 4, direction: inbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_debug.txt
index 18724a60c..880a9a775 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi2-ky to 10.240.10.4 (vsi1-ky[10.240.10.4]) withi
 ==============================================================================================
 Allowed connections from vsi2-ky[10.240.20.4] to vsi1-ky[10.240.10.4]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi2-ky[10.240.20.4] -> security group sg1-ky -> subnet2-ky -> network ACL acl2-ky ->
@@ -10,17 +11,27 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl2-ky allows connection with the following allow rules
- index: 2, direction: outbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
-
-Ingress:
-network ACL acl1-ky allows connection with the following allow rules
- index: 4, direction: inbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl2-ky allows connection with the following allow rules
+ index: 2, direction: outbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
+
+ Ingress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 4, direction: inbound , src: 10.240.20.0/24 , dst: 10.240.10.0/24, conn: all, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+
+TCP response is enabled by the following rules:
+ Egress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
+
+ Ingress:
+ network ACL acl2-ky allows connection with the following allow rules
+ index: 6, direction: inbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_debug.txt
index ca1e47fd0..8a35ee55e 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_debug.txt
@@ -2,7 +2,7 @@ Explaining connectivity from vsi1-ky to vsi3a-ky within test-vpc1-ky
 ====================================================================
 No connections are allowed from vsi1-ky[10.240.10.4] to vsi3a-ky[10.240.30.5];
-connection blocked by egress
+connection is blocked by egress
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
 Ingress: network ACL acl3-ky allows connection; security group sg1-ky allows connection
@@ -13,16 +13,17 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky blocks connection since there are no relevant allow rules
-
-Ingress:
-network ACL acl3-ky allows connection with the following allow rules
- index: 2, direction: inbound , src: 10.240.10.0/24 , dst: 0.0.0.0/0, conn: all, action: allow
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
+
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 2, direction: inbound , src: 10.240.10.0/24 , dst: 0.0.0.0/0, conn: all, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_debug.txt
index ddce7cb0b..11273cf28 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi3b-ky to vsi3a-ky within test-vpc1-ky
 =====================================================================
 Allowed connections from vsi3b-ky[10.240.30.6] to vsi3a-ky[10.240.30.5]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi3b-ky[10.240.30.6] -> security group sg1-ky ->
@@ -10,13 +11,14 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-Ingress:
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ Ingress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_debug.txt
index 1f8c25db6..86c3e0488 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi3b-ky to 10.240.30.4/26 (vsi3a-ky[10.240.30.5],
 ======================================================================================================================================================================================
 Allowed connections from vsi3b-ky[10.240.30.6] to db-endpoint-gateway-ky[10.240.30.7]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi3b-ky[10.240.30.6] -> security group sg1-ky ->
@@ -10,17 +11,19 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-Ingress:
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ Ingress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
 Allowed connections from vsi3b-ky[10.240.30.6] to vsi3a-ky[10.240.30.5]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi3b-ky[10.240.30.6] -> security group sg1-ky ->
@@ -29,17 +32,19 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-Ingress:
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ Ingress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
 Allowed connections from vsi3b-ky[10.240.30.6] to vsi3c-ky[10.240.30.4]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi3b-ky[10.240.30.6] -> security group sg1-ky ->
@@ -48,13 +53,14 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-
-Ingress:
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+
+ Ingress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_debug.txt
index f867c4274..22b5f6467 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_debug.txt
@@ -2,7 +2,7 @@ Explaining connectivity from vsi1-ky to vsi2-ky within test-vpc1-ky using "proto
 ==========================================================================================
 No connections are allowed from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4] using "protocol: ICMP";
-connection blocked by egress
+connection is blocked by egress
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
 Ingress: network ACL acl2-ky allows connection; security group sg1-ky allows connection
@@ -13,17 +13,18 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky blocks connection with the following deny rules:
- index: 0, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: deny
-
-Ingress:
-network ACL acl2-ky allows connection with the following allow rules
- index: 6, direction: inbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
-security group sg1-ky allows connection with the following allow rules
- index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky blocks connection with the following deny rules:
+ index: 0, direction: outbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: deny
+
+ Ingress:
+ network ACL acl2-ky allows connection with the following allow rules
+ index: 6, direction: inbound , src: 10.240.10.0/24 , dst: 10.240.20.0/24, conn: all, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_debug.txt
index e6771ec94..5818931f0 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_debug.txt
@@ -12,11 +12,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-600, dstPorts: 1-50, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-600, dstPorts: 1-50, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_debug.txt
index 77addecaf..21c22a1e4 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_debug.txt
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_debug.txt
index 7bc54d940..14d172b39 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_debug.txt
@@ -2,7 +2,7 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using
 ===============================================================================================
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP";
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky allows connection; network ACL acl1-ky blocks connection
@@ -13,10 +13,11 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky blocks connection since there are no relevant allow rules
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_debug.txt
index 18808ddab..2599cde5f 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky
 =========================================================================
 Allowed connections from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16: All Connections
+ TCP response is blocked
 Path:
 vsi1-ky[10.240.10.4] -> security group sg1-ky -> subnet1-ky -> network ACL acl1-ky ->
@@ -11,12 +12,17 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
- index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
+ index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: all, action: allow
+
+TCP response is disabled by the following rules:
+ Ingress:
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_debug.txt
index bce3e005d..126eccb97 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi1-ky to 161.26.0.0/16 within test-vpc1-ky using
 ===============================================================================================
 Connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.26.0.0/16 using "protocol: TCP"
+ TCP response is blocked
 Path:
 vsi1-ky[10.240.10.4] -> security group sg1-ky -> subnet1-ky -> network ACL acl1-ky ->
@@ -11,11 +12,16 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 2, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: all, action: allow
+
+TCP response is disabled by the following rules:
+ Ingress:
+ network ACL acl1-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_debug.txt
index cf2928de1..e22eec1eb 100644
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_debug.txt
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: outbound , src: 10.240.10.0/24 , dst: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_debug.txt
new file mode 100644
index 000000000..540fd0927
--- /dev/null
+++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_debug.txt
@@ -0,0 +1,39 @@
+Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
+====================================================================
+
+Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: protocol: TCP src-ports: 115-205 dst-ports: 25-95
+ TCP response is enabled for: protocol: TCP src-ports: 115-200 dst-ports: 25-50
+
+Path:
+ vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky ->
+ network ACL acl1-ky -> subnet1-ky -> security group sg1-ky -> vsi1-ky[10.240.10.4]
+
+
+Details:
+~~~~~~~~
+Path is enabled by the following rules:
+ Egress:
+ security group sg3-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 110-205, dstPorts: 20-100, action: allow
+
+ Ingress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 115-215, dstPorts: 25-95, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0
+
+TCP response is partly enabled by the following rules:
+ Egress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200, action: allow
+
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220, action: allow
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt
new file mode 100644
index 000000000..c5a15f83a
--- /dev/null
+++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt
@@ -0,0 +1,39 @@
+Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
+====================================================================
+
+Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
+ TCP response is enabled for: protocol: TCP src-ports: 100-200 dst-ports: 10-50
+
+Path:
+ vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky ->
+ network ACL acl1-ky -> subnet1-ky -> security group sg1-ky -> vsi1-ky[10.240.10.4]
+
+
+Details:
+~~~~~~~~
+Path is enabled by the following rules:
+ Egress:
+ security group sg3-ky allows connection with the following allow rules
+ index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+
+ Ingress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+ security group sg1-ky allows connection with the following allow rules
+ index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0
+
+TCP response is partly enabled by the following rules:
+ Egress:
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200, action: allow
+
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220, action: allow
+
+------------------------------------------------------------------------------------------------------------------------
+
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_debug.txt
index e46908188..247e23932 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_debug.txt
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_debug.txt
index 339497df7..4e8286c12 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_debug.txt
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_debug.txt
index 6c86f21e6..bc951a6bb 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_debug.txt
@@ -11,11 +11,12 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_debug.txt
index 808f88a03..739a61886 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_debug.txt
@@ -11,16 +11,17 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky allows connection with the following allow rules
- index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky allows connection with the following allow rules
+ index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
 No connections are allowed from vsi1-ky[10.240.10.4] to Public Internet 161.16.0.0-161.25.255.255,161.27.0.0-161.31.255.255 using "protocol: UDP src-ports: 10-100 dst-ports: 443";
-connection blocked by egress
+connection is blocked by egress
 External traffic via PublicGateway: public-gw-ky
 Egress: security group sg1-ky blocks connection; network ACL acl1-ky allows connection
@@ -31,10 +32,11 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky blocks connection since there are no relevant allow rules
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky blocks connection since there are no relevant allow rules
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_debug.txt
index 10c1c740c..3df2ce72a 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_debug.txt
@@ -2,7 +2,7 @@ Explaining connectivity from vsi1-ky to vsi3a-ky within test-vpc1-ky using "prot
 ===========================================================================================================================
 No connections are allowed from vsi1-ky[10.240.10.4] to vsi3a-ky[10.240.30.5] using "protocol: UDP src-ports: 10-100 dst-ports: 443";
-connection blocked both by ingress and egress
+connection is blocked both by ingress and egress
 Egress: security group sg1-ky blocks connection; network ACL acl1-ky allows connection
 Ingress: network ACL acl3-ky allows connection; security group sg3-ky blocks connection
@@ -13,15 +13,16 @@ Path:
 Details:
 ~~~~~~~~
-Egress:
-security group sg1-ky blocks connection since there are no relevant allow rules
-network ACL acl1-ky allows connection with the following allow rules
- index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
-
-Ingress:
-network ACL acl3-ky allows connection with the following allow rules
- index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
-security group sg3-ky blocks connection since there are no relevant allow rules
+Path is enabled by the following rules:
+ Egress:
+ security group sg1-ky blocks connection since there are no relevant allow rules
+ network ACL acl1-ky allows connection with the following allow rules
+ index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+
+ Ingress:
+ network ACL acl3-ky allows connection with the following allow rules
+ index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow
+ security group sg3-ky blocks connection since there are no relevant allow rules
 ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_debug.txt
index 6af325ea4..4a2435a5a 100644
--- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_debug.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_debug.txt
@@ -2,6 +2,7 @@ Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky
 ====================================================================
 Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
+ The TCP sub-connection is responsive
 Path:
 vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky ->
@@ -10,19 +11,29 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network 
ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_debug.txt index 1a12ab2b6..cc66846b4 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_debug.txt 
@@ -10,17 +10,18 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_debug.txt index 1ece930e7..4266f5eed 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_debug.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "prot =========================================================================================================== Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP dst-ports: 50-54" + The entire connection is TCP responsive Path: vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky -> 
@@ -10,18 +11,28 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the 
following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_debug.txt index 34a47286e..24d6c2074 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "prot ============================================================================================================= Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP dst-ports: 120-230" + The entire connection is TCP responsive Path: vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky -> 
@@ -10,19 +11,29 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network 
ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_debug.txt index 798a0ac71..b2606ebce 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from 147.235.219.206/32 to vsi2-ky within test-vpc1-ky u ===================================================================================================================== Connections are allowed from Public Internet 147.235.219.206/32 to vsi2-ky[10.240.20.4] using "protocol: TCP dst-ports: 22" + The entire connection is TCP responsive (note that not all queried protocols/ports are allowed) Path: @@ -12,9 +13,10 @@ Path: Details: ~~~~~~~~ -Ingress: -security group sg2-ky allows connection with the following allow rules - index: 2, direction: inbound, conns: protocol: tcp, dstPorts: 22-22, remote: 147.235.219.206/32, local: 0.0.0.0/0 +Path is enabled by the following rules: + Ingress: + security group sg2-ky allows connection with the following allow rules + index: 2, direction: inbound, conns: protocol: tcp, dstPorts: 22-22, remote: 147.235.219.206/32, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_debug.txt index 69e2c7003..4f8d3cd44 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_debug.txt @@ -11,11 +11,12 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg1-ky allows connection with the following allow rules - index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0 -network ACL acl1-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow +Path is enabled by the following rules: + Egress: + security group sg1-ky allows connection with the following allow rules + index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0 + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_debug.txt index e428b93eb..ba70a8575 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_debug.txt 
@@ -11,11 +11,12 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg1-ky allows connection with the following allow rules - index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0 -network ACL acl1-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow +Path is enabled by the following rules: + Egress: + security group sg1-ky allows connection with the following allow rules + index: 2, direction: outbound, conns: protocol: udp, dstPorts: 1-65535, remote: 161.26.0.0/16, local: 0.0.0.0/0 + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_debug.txt new file mode 100644 index 000000000..a3d156bfc --- /dev/null +++ b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_debug.txt 
@@ -0,0 +1,38 @@ +Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky using "protocol: TCP src-ports: 90-180 dst-ports: 20-60" +============================================================================================================================= + +Connections are allowed from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4] using "protocol: TCP src-ports: 90-180 dst-ports: 20-60" + TCP response is enabled for: protocol: TCP src-ports: 100-180 dst-ports: 20-50 + +Path: + vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky -> + network ACL acl1-ky -> subnet1-ky -> security group sg1-ky -> vsi1-ky[10.240.10.4] + + +Details: +~~~~~~~~ +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + +TCP response is partly enabled by the following rules: + Egress: + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: protocol: tcp, 
srcPorts: 10-60, dstPorts: 100-220, action: allow + +------------------------------------------------------------------------------------------------------------------------ + diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_debug.txt index 30f46a705..497ebf976 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi2-ky to vsi3b-ky within test-vpc1-ky ==================================================================== Allowed connections from vsi2-ky[10.240.20.4] to vsi3b-ky[10.240.30.4]: protocol: TCP + The entire connection is TCP responsive Path: vsi2-ky[10.240.20.4] -> security group sg2-ky -> subnet2-ky -> network ACL acl2-ky -> 
@@ -10,18 +11,28 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg2-ky allows connection with the following allow rules - index: 5, direction: outbound, conns: protocol: all, remote: 10.240.30.0/24, local: 0.0.0.0/0 - index: 6, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 -network ACL acl2-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl3-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg2-ky allows connection with the following allow rules - index: 7, direction: inbound, conns: protocol: tcp, dstPorts: 1-65535, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg2-ky allows connection with the following allow rules + index: 5, direction: outbound, conns: protocol: all, remote: 10.240.30.0/24, local: 0.0.0.0/0 + index: 6, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg2-ky allows connection with the following allow rules + index: 7, direction: inbound, conns: protocol: tcp, dstPorts: 1-65535, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , 
dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_debug.txt index 7ea2e2d3a..77645bd3a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi2-ky to 10.240.10.4 (vsi1-ky[10.240.10.4]) withi ============================================================================================== Allowed connections from vsi2-ky[10.240.20.4] to vsi1-ky[10.240.10.4]: All Connections + The TCP sub-connection is responsive Path: vsi2-ky[10.240.20.4] -> security group sg2-ky -> subnet2-ky -> network ACL acl2-ky -> 
@@ -10,17 +11,27 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg2-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 10.240.10.0/24, local: 0.0.0.0/0 -network ACL acl2-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 3, direction: inbound, conns: protocol: all, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg2-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 10.240.10.0/24, local: 0.0.0.0/0 + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 3, direction: inbound, conns: protocol: all, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_debug.txt index 725576b70..8e03c6fc9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi3a-ky to 10.240.10.4 (vsi1-ky[10.240.10.4]) with =============================================================================================== Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections + The TCP sub-connection is responsive Path: vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky -> 
@@ -10,19 +11,29 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network 
ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_debug.txt index fa5fc2ab3..9c4a50be7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_debug.txt @@ -2,7 +2,7 @@ Explaining connectivity from 10.240.10.4 (vsi1-ky[10.240.10.4]) to 10.240.20.4 ( ========================================================================================================================= No connections are allowed from vsi1-ky[10.240.10.4] to vsi2-ky[10.240.20.4]; -connection blocked by egress +connection is blocked by egress Egress: security group sg1-ky blocks connection; network ACL acl1-ky allows connection Ingress: network ACL acl2-ky allows connection; security group sg2-ky allows connection 
@@ -13,16 +13,17 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg1-ky blocks connection since there are no relevant allow rules -network ACL acl1-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg2-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg1-ky blocks connection since there are no relevant allow rules + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg2-ky allows connection with the following allow rules + index: 4, direction: inbound, conns: protocol: all, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_debug.txt index d1e5da00f..9b24a715a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_debug.txt 
@@ -2,7 +2,7 @@ Explaining connectivity from vsi3a-ky to vsi2-ky within test-vpc1-ky ==================================================================== No connections are allowed from vsi3a-ky[10.240.30.5] to vsi2-ky[10.240.20.4]; -connection blocked by ingress +connection is blocked by ingress Egress: security group sg3-ky allows connection; network ACL acl3-ky allows connection Ingress: network ACL acl2-ky allows connection; security group sg2-ky blocks connection 
@@ -14,18 +14,19 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg2-ky blocks connection since there are no relevant allow rules +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg2-ky blocks connection since there are no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_debug.txt index 15f9e032e..534bdfc46 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi3a-ky to vsi1-ky within test-vpc1-ky ==================================================================== Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections + The TCP sub-connection is responsive Path: vsi3a-ky[10.240.30.5] -> security group sg3-ky -> subnet3-ky -> network ACL acl3-ky -> 
@@ -10,21 +11,31 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg3-ky allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 - index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 -security group sg3-ky allows connection with the following allow rules - index: 1, direction: inbound, conns: protocol: all, remote: 10.240.30.0/24, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg3-ky allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 2, direction: outbound, conns: protocol: tcp, dstPorts: 1-65535, remote: 0.0.0.0/0, local: 0.0.0.0/0 + index: 3, direction: outbound, conns: protocol: tcp, dstPorts: 100-200, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 
4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0 + security group sg3-ky allows connection with the following allow rules + index: 1, direction: inbound, conns: protocol: all, remote: 10.240.30.0/24, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_debug.txt index fda69c558..4f93d4430 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from test-vpc0-ky/vsi1-ky to 172.217.22.46/32 within tes ========================================================================================= Allowed connections from vsi1-ky[10.240.1.4] to Public Internet 172.217.22.46/32: All Connections + The TCP sub-connection is responsive Path: vsi1-ky[10.240.1.4] -> security group sg1-ky -> subnet1-ky -> network ACL acl1-ky -> 
@@ -11,11 +12,17 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg1-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl1-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 10.240.1.0/24 , dst: 172.217.22.46/32, conn: all, action: allow +Path is enabled by the following rules: + Egress: + security group sg1-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl1-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 10.240.1.0/24 , dst: 172.217.22.46/32, conn: all, action: allow + +TCP response is enabled by the following rules: + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 4, direction: inbound , src: 172.217.22.46/32 , dst: 10.240.1.0/24, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_debug.txt index a74576c96..d718b1d4a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi31-ky to vsi32-ky within test-vpc3-ky ===================================================================== Allowed connections from vsi31-ky[10.240.31.4] to vsi32-ky[10.240.128.4]: All Connections + The TCP sub-connection is responsive Path: vsi31-ky[10.240.31.4] -> security group sg31-ky -> subnet31-ky -> network ACL acl31-ky -> 
@@ -10,17 +11,27 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg31-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl31-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL acl31-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg31-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg31-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl31-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl31-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg31-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl31-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl31-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt index 8f530dd05..d0e3ab36f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherEnableDefaultDifFile_all_vpcs_explain.txt @@ -2,6 +2,7 @@ Explaining connectivity from vsi11-ky to vsi21a-ky ================================================== Allowed connections from test-vpc1-ky/vsi11-ky[10.240.11.4] to test-vpc2-ky/vsi21a-ky[10.240.64.4]: All Connections + The TCP sub-connection is responsive Path: vsi11-ky[10.240.11.4] -> security group sg11-ky -> subnet11-ky -> network ACL acl11-ky -> diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt index 5ca225c3a..c23b692e1 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwAnotherExampleEnabledConn_all_vpcs_explain.txt @@ -2,6 +2,7 @@ Explaining connectivity from ky-vsi0-subnet5 to ky-vsi0-subnet11 ================================================================ Allowed connections from test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] to test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4]: All Connections + The TCP sub-connection is responsive Path: ky-vsi0-subnet5[10.240.9.4] -> security group sg1-ky -> subnet5 -> network ACL acl3-ky -> diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_debug.txt index 593de8625..9439e0578 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_debug.txt 
@@ -15,20 +15,21 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter - index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter + index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_debug.txt index 0d2227b83..8ae65d19a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from ky-vsi0-subnet5 to ky-vsi0-subnet11 ================================================================ Allowed connections from test-vpc0-ky/ky-vsi0-subnet5[10.240.9.4] to test-vpc1-ky/ky-vsi0-subnet11[10.240.80.4]: All Connections + The TCP sub-connection is responsive Path: ky-vsi0-subnet5[10.240.9.4] -> security group sg1-ky -> subnet5 -> network ACL acl3-ky -> 
@@ -11,20 +12,30 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg1-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl3-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter - default prefix, action: permit - -Ingress: -network ACL acl11-ky allows connection with the following allow rules - index: 2, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg11-ky allows connection with the following allow rules - index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg1-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl3-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter + default prefix, action: permit + + Ingress: + network ACL acl11-ky allows connection with the following allow rules + index: 2, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg11-ky allows connection with the following allow rules + index: 1, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl11-ky allows connection with the following allow rules + index: 1, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL acl3-ky 
allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_debug.txt index e7be153a4..d3d6deb45 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from ky-vsi1-subnet20 to ky-vsi0-subnet2 ================================================================ Allowed connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4]: All Connections + The TCP sub-connection is responsive Path: ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> 
@@ -11,20 +12,30 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter - index: 0, action: permit, prefix: 10.240.4.0/22 - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter + index: 0, action: permit, prefix: 10.240.4.0/22 + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + 
+ Ingress: + network ACL acl21-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_debug.txt index 8cb2ba5ee..91e6a851b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from ky-vsi1-subnet20 to 10.240.0.0/21 (test-vpc0-ky/ky- =============================================================================================================================================================================================================================================================================================================================================================================================================== Allowed connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet2[10.240.4.4]: All Connections + The TCP sub-connection is responsive Path: ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> 
@@ -11,24 +12,35 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter - index: 0, action: permit, prefix: 10.240.4.0/22 - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter + index: 0, action: permit, prefix: 10.240.4.0/22 + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + 
+ Ingress: + network ACL acl21-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ Allowed connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi0-subnet3[10.240.5.5]: All Connections + The TCP sub-connection is responsive Path: ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> 
@@ -38,24 +50,35 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter - index: 0, action: permit, prefix: 10.240.4.0/22 - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter + index: 0, action: permit, prefix: 10.240.4.0/22 + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + 
+ Ingress: + network ACL acl21-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ Allowed connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi1-subnet2[10.240.4.5]: All Connections + The TCP sub-connection is responsive Path: ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> 
@@ -65,24 +88,35 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter - index: 0, action: permit, prefix: 10.240.4.0/22 - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter + index: 0, action: permit, prefix: 10.240.4.0/22 + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + 
+ Ingress: + network ACL acl21-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ Allowed connections from test-vpc2-ky/ky-vsi1-subnet20[10.240.128.5] to test-vpc0-ky/ky-vsi1-subnet3[10.240.5.4]: All Connections + The TCP sub-connection is responsive Path: ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> 
@@ -92,20 +126,30 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter - index: 0, action: permit, prefix: 10.240.4.0/22 - -Ingress: -network ACL acl2-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter + index: 0, action: permit, prefix: 10.240.4.0/22 + + Ingress: + network ACL acl2-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL acl2-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow 
+ + Ingress: + network ACL acl21-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ 
@@ -123,20 +167,21 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter - index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter + index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
@@ -154,20 +199,21 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter - index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter + index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
@@ -185,20 +231,21 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter - index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter + index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
@@ -216,20 +263,21 @@ Path: Details: ~~~~~~~~ -Egress: -security group sg21-ky allows connection with the following allow rules - index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL acl21-ky allows connection with the following allow rules - index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter - index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 - -Ingress: -network ACL acl1-ky allows connection with the following allow rules - index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow -security group sg1-ky allows connection with the following allow rules - index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group sg21-ky allows connection with the following allow rules + index: 1, direction: outbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL acl21-ky allows connection with the following allow rules + index: 0, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter + index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 + + Ingress: + network ACL acl1-ky allows connection with the following allow rules + index: 1, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + security group sg1-ky allows connection with the following allow rules + index: 0, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_debug.txt index 56e5d57d8..d777f2379 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_debug.txt @@ -2,7 +2,7 @@ Explaining connectivity from 192.168.40.5 (iks-clusterid:1[192.168.40.5]) to 192 ========================================================================================================================================================== No connections are allowed from iks-clusterid:1[192.168.40.5] to iks-node[192.168.0.4] using "protocol: ICMP"; -connection blocked by egress +connection is blocked by egress Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 blocks connection; network ACL ky-test-edge-acl allows connection Ingress: network ACL ky-test-private-2-others-acl allows connection; security group kube-clusterid:1 allows connection; security group ky-test-default-sg allows connection 
@@ -13,18 +13,19 @@ Path: Details: ~~~~~~~~ -Egress: -security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 blocks connection since there are no relevant allow rules -network ACL ky-test-edge-acl allows connection with the following allow rules - index: 1, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL ky-test-private-2-others-acl allows connection with the following allow rules - index: 0, direction: inbound , src: 192.168.32.0/20 , dst: 0.0.0.0/0, conn: all, action: allow -security group kube-clusterid:1 allows connection with the following allow rules - index: 6, direction: inbound, conns: protocol: icmp, icmpType: protocol: ICMP icmp-type: 8, remote: 0.0.0.0/0, local: 0.0.0.0/0 -security group ky-test-default-sg allows connection with the following allow rules - index: 2, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 blocks connection since there are no relevant allow rules + network ACL ky-test-edge-acl allows connection with the following allow rules + index: 1, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL ky-test-private-2-others-acl allows connection with the following allow rules + index: 0, direction: inbound , src: 192.168.32.0/20 , dst: 0.0.0.0/0, conn: all, action: allow + security group kube-clusterid:1 allows connection with the following allow rules + index: 6, direction: inbound, conns: protocol: icmp, icmpType: protocol: ICMP icmp-type: 8, remote: 0.0.0.0/0, local: 0.0.0.0/0 + security group ky-test-default-sg allows connection with the following allow rules + index: 2, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_debug.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_debug.txt index 5a242457d..b6565f470 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_debug.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_debug.txt @@ -2,6 +2,7 @@ Explaining connectivity from 192.168.40.5 (iks-clusterid:1[192.168.40.5]) to 192 ========================================================================================================================================================= Connections are allowed from iks-clusterid:1[192.168.40.5] to iks-node[192.168.0.4] using "protocol: TCP dst-ports: 30000-32767" + The entire connection is TCP responsive (note that not all queried protocols/ports are allowed) Path: 
@@ -11,19 +12,29 @@ Path: Details: ~~~~~~~~ -Egress: -security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - index: 0, direction: outbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0 -network ACL ky-test-edge-acl allows connection with the following allow rules - index: 1, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow - -Ingress: -network ACL ky-test-private-2-others-acl allows connection with the following allow rules - index: 0, direction: inbound , src: 192.168.32.0/20 , dst: 0.0.0.0/0, conn: all, action: allow -security group kube-clusterid:1 allows connection with the following allow rules - index: 3, direction: inbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0 -security group ky-test-default-sg allows connection with the following allow rules - index: 2, direction: inbound, conns: protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 +Path is enabled by the following rules: + Egress: + security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules + index: 0, direction: outbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0 + network ACL ky-test-edge-acl allows connection with the following allow rules + index: 1, direction: outbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow + + Ingress: + network ACL ky-test-private-2-others-acl allows connection with the following allow rules + index: 0, direction: inbound , src: 192.168.32.0/20 , dst: 0.0.0.0/0, conn: all, action: allow + security group kube-clusterid:1 allows connection with the following allow rules + index: 3, direction: inbound, conns: protocol: tcp, dstPorts: 30000-32767, remote: 0.0.0.0/0, local: 0.0.0.0/0 + security group ky-test-default-sg allows connection with the following allow rules + index: 2, direction: inbound, conns: 
protocol: all, remote: 0.0.0.0/0, local: 0.0.0.0/0 + +TCP response is enabled by the following rules: + Egress: + network ACL ky-test-private-2-others-acl allows connection with the following allow rules + index: 4, direction: outbound , src: 0.0.0.0/0 , dst: 192.168.32.0/20, conn: all, action: allow + + Ingress: + network ACL ky-test-edge-acl allows connection with the following allow rules + index: 0, direction: inbound , src: 0.0.0.0/0 , dst: 0.0.0.0/0, conn: all, action: allow ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/explainability_test.go b/pkg/ibmvpc/explainability_test.go index 522e36709..170e888ee 100644 --- a/pkg/ibmvpc/explainability_test.go +++ b/pkg/ibmvpc/explainability_test.go @@ -414,6 +414,35 @@ var explainTests = []*vpcGeneralTest{ EDst: "vsi1-ky", format: vpcmodel.Debug, }, + // respond enabled only on part of the TCP connection + { + name: "PartialTCPRespond", + inputConfig: "sg_testing1_new_respond_partly", + ESrc: "vsi3a-ky", + EDst: "vsi1-ky", + format: vpcmodel.Debug, + }, + // original path as well as respond enabled only on part of the TCP connection + { + name: "PartialTCPAndRespond", + inputConfig: "sg_testing1_new_partly_TCP_and_respond", + ESrc: "vsi3a-ky", + EDst: "vsi1-ky", + format: vpcmodel.Debug, + }, + // respond w.r.t. specific ports query + { + name: "TCPRespondPortsQuery", + inputConfig: "sg_testing1_new_respond_partly", + ESrc: "vsi3a-ky", + EDst: "vsi1-ky", + EProtocol: netp.ProtocolStringTCP, + ESrcMinPort: 90, + ESrcMaxPort: 180, + EDstMinPort: 20, + EDstMaxPort: 60, + format: vpcmodel.Debug, + }, // the following three tests are within a single VPC in a multiVPC context // 2 vsi connection { diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go index 22a378f55..6fb36c9ac 100644 --- a/pkg/ibmvpc/nacl_analysis.go +++ b/pkg/ibmvpc/nacl_analysis.go 
@@ -575,7 +575,7 @@ func (na *NACLAnalyzer) StringRules(rules []int) string {
 if err != nil {
 return ""
 }
- strRulesSlice[i] = "\t" + strRule
+ strRulesSlice[i] = "\t\t\t" + strRule
 }
 sort.Strings(strRulesSlice)
 return strings.Join(strRulesSlice, "")
diff --git a/pkg/ibmvpc/sg_analysis.go b/pkg/ibmvpc/sg_analysis.go
index 01e84e56e..f4950e2bb 100644
--- a/pkg/ibmvpc/sg_analysis.go
+++ b/pkg/ibmvpc/sg_analysis.go
@@ -474,7 +474,7 @@ func (sga *SGAnalyzer) StringRules(rules []int) string {
 if err != nil {
 return ""
 }
- strRulesSlice[i] = "\t" + strRule
+ strRulesSlice[i] = "\t\t\t" + strRule
 }
 sort.Strings(strRulesSlice)
 return strings.Join(strRulesSlice, "")
diff --git a/pkg/ibmvpc/vpc.go b/pkg/ibmvpc/vpc.go
index c5b22b7ec..d8e66e211 100644
--- a/pkg/ibmvpc/vpc.go
+++ b/pkg/ibmvpc/vpc.go
@@ -19,6 +19,8 @@ import (
 "github.com/np-guard/vpc-network-config-analyzer/pkg/vpcmodel"
 )
 
+const doubleTab = "\t\t"
+
 ///////////////////////////////////////////////////////////////////////////////////////////////////
 
 func nameWithBracketsInfo(name, inBrackets string) string {
@@ -394,7 +396,7 @@ func (nl *NaclLayer) StringDetailsOfRules(listRulesInFilter []vpcmodel.RulesInTa
 nacl := nl.naclList[rulesInFilter.Table]
 header := getHeaderRulesType(vpcmodel.FilterKindName(nl.Kind())+" "+nacl.Name(), rulesInFilter.RulesOfType) +
 nacl.analyzer.StringRules(rulesInFilter.Rules)
- strListRulesInFilter += header
+ strListRulesInFilter += doubleTab + header
 }
 return strListRulesInFilter
 }
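Review bot: The nesting of the rule details is now encoded as three unrelated literals — `"\t\t\t"` in both StringRules hunks here, `doubleTab` in vpc.go, and `"\tEgress:\n"`/`"\tIngress:\n"` in the ruleDetailsStr hunk of explainabilityPrint.go further down — and the expected-output fixtures in this commit only line up while all of them agree. Since ibmvpc already imports vpcmodel, one exported constant per level defined there (names to be chosen, e.g. `vpcmodel.HeaderIndent` and `vpcmodel.RuleIndent`) and used by every caller would make the levels self-documenting and keep them from drifting. The same literal is also duplicated verbatim between nacl_analysis.go and sg_analysis.go, so a single definition removes that copy as well. The enclosing StringRules functions start outside the hunks.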
@@ -594,7 +596,7 @@ func (sgl *SecurityGroupLayer) StringDetailsOfRules(listRulesInFilter []vpcmodel
 listRulesInFilterSlice := make([]string, len(listRulesInFilter))
 for i, rulesInFilter := range listRulesInFilter {
 sg := sgl.sgList[rulesInFilter.Table]
- listRulesInFilterSlice[i] = getHeaderRulesType(vpcmodel.FilterKindName(sgl.Kind())+" "+sg.Name(), rulesInFilter.RulesOfType) +
+ listRulesInFilterSlice[i] = doubleTab + getHeaderRulesType(vpcmodel.FilterKindName(sgl.Kind())+" "+sg.Name(), rulesInFilter.RulesOfType) +
 sg.analyzer.StringRules(rulesInFilter.Rules)
 }
 sort.Strings(listRulesInFilterSlice)
@@ -978,8 +980,9 @@ func (tgw *TransitGateway) stringPrefixFiltersVerbose(transitConn *datamodel.Tra
 } else {
 action = "blocks"
 }
- thisPrefixStr = fmt.Sprintf("transit gateway %s %s connection via transit connection %s "+
- "with the following prefix filter\n\t%s\n", tgw.Name(), action, *transitConn.Name, tgwRouterFilterDetails)
+ thisPrefixStr = fmt.Sprintf("\ttransit gateway %s %s connection via transit connection %s "+
+ "with the following prefix filter\n%s%s\n", tgw.Name(), action, *transitConn.Name,
+ doubleTab, tgwRouterFilterDetails)
 strRes = append(strRes, thisPrefixStr)
 }
 return strRes, nil
diff --git a/pkg/vpcmodel/commonConnectivity.go b/pkg/vpcmodel/commonConnectivity.go
index 1db97c080..795f24570 100644
--- a/pkg/vpcmodel/commonConnectivity.go
+++ b/pkg/vpcmodel/commonConnectivity.go
@@ -49,7 +49,7 @@ func partitionTCPNonTCP(conn *connection.Set) (tcp, nonTCP *connection.Set) {
 type GeneralConnectivityMap map[VPCResourceIntf]map[VPCResourceIntf]*connection.Set
 
 // GeneralResponsiveConnectivityMap describes connectivity similarly to GeneralConnectivityMap;
-// only here the describes connection includes respond details,namely in what cases a TCP respond is enabled
+// only here the describes connection includes respond details, namely in what cases a TCP respond is enabled
 type GeneralResponsiveConnectivityMap map[VPCResourceIntf]map[VPCResourceIntf]*detailedConn
 
 func (allowConnCombined GeneralConnectivityMap) updateAllowedConnsMap(src, dst VPCResourceIntf, conn *connection.Set) {
diff --git a/pkg/vpcmodel/detailedConn.go b/pkg/vpcmodel/detailedConn.go
index 8449fe5d6..df2877f23 100644
--- a/pkg/vpcmodel/detailedConn.go
+++ b/pkg/vpcmodel/detailedConn.go
@@ -65,44 +65,48 @@ func detailedConnForAllRsp() *detailedConn {
 
 // isAllObliviousRsp: returns true iff detailedConn contains all the connection domain
 // (regardless of what part is responsive and what part isn't)
-func (e *detailedConn) isAllObliviousRsp() bool {
- return e.allConn.Equal(connection.All())
+func (d *detailedConn) isAllObliviousRsp() bool {
+ return d.allConn.Equal(connection.All())
 }
 
 // isEmpty: return true iff the detailedConn is empty
-func (e *detailedConn) isEmpty() bool {
- return e.allConn.IsEmpty()
+func (d *detailedConn) isEmpty() bool {
+ return d.allConn.IsEmpty()
 }
 
 // Equal all components of two detailedConn are equal
-func (e *detailedConn) equal(other *detailedConn) bool {
- return e.tcpRspEnable.Equal(other.tcpRspEnable) && e.nonTCP.Equal(other.nonTCP) &&
- e.allConn.Equal(other.allConn)
+func (d *detailedConn) equal(other *detailedConn) bool {
+ return d.tcpRspEnable.Equal(other.tcpRspEnable) && d.nonTCP.Equal(other.nonTCP) &&
+ d.allConn.Equal(other.allConn)
 }
 
 // union of two detailedConn: union tcpRspEnable, nonTCP and allConn
 // (tcpRspDisable is computed based on these)
-func (e *detailedConn) union(other *detailedConn) *detailedConn {
- rspConn := e.tcpRspEnable.Union(other.tcpRspEnable)
- otherConn := e.nonTCP.Union(other.nonTCP)
- conn := e.allConn.Union(other.allConn)
+func (d *detailedConn) union(other *detailedConn) *detailedConn {
+ rspConn := d.tcpRspEnable.Union(other.tcpRspEnable)
+ otherConn := d.nonTCP.Union(other.nonTCP)
+ conn := d.allConn.Union(other.allConn)
 return newDetailedConn(rspConn, otherConn, conn)
 }
 
 // subtract of two detailedConn: subtraction of tcpRspEnable, nonTCP and allConn
 // (tcpRspDisable is computed based on these)
-func (e *detailedConn) subtract(other *detailedConn) *detailedConn {
- rspConn := e.tcpRspEnable.Subtract(other.tcpRspEnable)
- otherConn := e.nonTCP.Subtract(other.nonTCP)
- conn := e.allConn.Subtract(other.allConn)
+func (d *detailedConn) subtract(other *detailedConn) *detailedConn {
+ rspConn := d.tcpRspEnable.Subtract(other.tcpRspEnable)
+ otherConn := d.nonTCP.Subtract(other.nonTCP)
+ conn := d.allConn.Subtract(other.allConn)
 return newDetailedConn(rspConn, otherConn, conn)
 }
 
-func (e *detailedConn) string() string {
- if !e.tcpRspDisable.IsEmpty() {
- return e.allConn.String() + " * "
+func (d *detailedConn) hasTCPComponent() bool {
+ return !d.tcpRspEnable.Union(d.tcpRspDisable).IsEmpty()
+}
+
+func (d *detailedConn) string() string {
+ if !d.tcpRspDisable.IsEmpty() {
+ return d.allConn.String() + " * "
 }
- return e.allConn.String()
+ return d.allConn.String()
 }
 
 // computeDetailedConn computes the detailedConn object, given input `srcToDst`
diff --git a/pkg/vpcmodel/explainabilityConnectivity.go b/pkg/vpcmodel/explainabilityConnectivity.go
index 77008b0b5..95f096708 100644
--- a/pkg/vpcmodel/explainabilityConnectivity.go
+++ b/pkg/vpcmodel/explainabilityConnectivity.go
@@ -55,6 +55,8 @@ type srcDstDetails struct {
 actualMergedRules *rulesConnection // rules actually effecting the connection (both allow and deny)
 // enabling rules implies whether ingress/egress is enabled
 // potential rules are saved for further debugging and explanation provided to the user
+ respondRules *rulesConnection // rules of non-stateful filters enabling/disabling respond
+
 }
 
 type rulesAndConnDetails []*srcDstDetails
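Review bot: `hasTCPComponent` builds a union set only to test it for emptiness; `return !d.tcpRspEnable.IsEmpty() || !d.tcpRspDisable.IsEmpty()` is equivalent and avoids an allocation on every explained line. The same "has a TCP part" question is answered with a different expression in `respondString` (explainabilityPrint.go, `d.allConn.Equal(d.nonTCP)`); the two are presumably equivalent given how tcpRspDisable is derived, but that is an invariant the type does not enforce, so having respondString call hasTCPComponent keeps one definition. Unlike its siblings in this file, the new method has no doc comment — `// hasTCPComponent: returns true iff the connection has a TCP part (responsive or not)` would match the file's style.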
@@ -122,11 +124,15 @@ func (c *VPCConfig) explainConnectivityForVPC(src, dst string, srcNodes, dstNode
 }
 rulesAndDetails.computeActualRules()
 rulesAndDetails.computeCombinedActualRules() // combined deny and allow
-
- groupedLines, err4 := newGroupConnExplainability(c, &rulesAndDetails)
+ err4 := rulesAndDetails.updateRespondRules(c, connQuery)
 if err4 != nil {
 return nil, err4
 }
+
+ groupedLines, err5 := newGroupConnExplainability(c, &rulesAndDetails)
+ if err5 != nil {
+ return nil, err5
+ }
 // the user has to be notified regarding an assumption we make about IKSNode's security group
 hasIksNode := srcNodes[0].Kind() == ResourceTypeIKSNode || dstNodes[0].Kind() == ResourceTypeIKSNode
 return &Explanation{c, connQuery, &rulesAndDetails, src, dst,
@@ -393,9 +399,9 @@ func (c *VPCConfig) getRulesOfConnection(src, dst Node,
 return allowRulesOfConnection, denyRulesOfConnection, nil
 }
 
-func (rulesInLayers rulesInLayers) updateRulesPerLayerIfNonEmpty(layer string, rulesFilter *[]RulesInTable) {
+func (rules rulesInLayers) updateRulesPerLayerIfNonEmpty(layer string, rulesFilter *[]RulesInTable) {
 if len(*rulesFilter) > 0 {
- rulesInLayers[layer] = *rulesFilter
+ rules[layer] = *rulesFilter
 }
 }
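Review bot: `err4`/`err5` are numbered only to dodge redeclaration; the idiomatic form scopes each error to its own check, `if err := rulesAndDetails.updateRespondRules(c, connQuery); err != nil { return nil, err }`, after which `groupedLines, err := newGroupConnExplainability(c, &rulesAndDetails)` can use the plain name. Note that a getRespondRules failure on any single line now aborts the whole explanation, including lines with no TCP component; that looks intended, but a sentence in the function's comment would record it. explainConnectivityForVPC starts and ends outside the hunk.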
@@ -476,3 +482,69 @@ func (v *VPCConnectivity) getConnection(c *VPCConfig, src, dst Node) (conn *deta
 }
 return conn, nil
 }
+
+// updates respondRules of each line in rulesAndConnDetails
+// respondRules are the rules enabling/disabling the response when relevant:
+// respond is relevant for TCP, and respond rules are relevant when non-stateful filters are relevant (NACL)
+func (details *rulesAndConnDetails) updateRespondRules(c *VPCConfig, connQuery *connection.Set) error {
+ responseConn := allTCPconn()
+ if connQuery != nil {
+ responseConn = responseConn.Intersect(connQuery)
+ }
+ for _, srcDstDetails := range *details {
+ // respond rules are relevant if connection has a TCP component and non-stateful filter (NACL at the moment)
+ // are relevant for
+ if !respondRulesRelevant(srcDstDetails.conn, srcDstDetails.filtersRelevant) {
+ continue
+ }
+ respondRules, err := c.getRespondRules(srcDstDetails.src, srcDstDetails.dst, responseConn)
+ if err != nil {
+ return err
+ }
+ srcDstDetails.respondRules = respondRules
+ }
+ return nil
+}
+
+func respondRulesRelevant(conn *detailedConn, filtersRelevant map[string]bool) bool {
+ return conn.hasTCPComponent() && filtersRelevant[NaclLayer]
+}
+
+// gets the NACL rules that enables/disables respond for connection conn, assuming nacl is applied
+func (c *VPCConfig) getRespondRules(src, dst Node,
+ conn *connection.Set) (respondRules *rulesConnection, err error) {
+ mergedIngressRules, mergedEgressRules := rulesInLayers{}, rulesInLayers{}
+ // respond: from dst to src; thus, ingress rules: relevant only if *src* is internal, egress is *dst* is internal
+ if src.IsInternal() {
+ var err error
+ mergedIngressRules, err = c.computeAndUpdateDirectionRespondRules(src, dst, conn, true)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if dst.IsInternal() {
+ var err error
+ mergedEgressRules, err = c.computeAndUpdateDirectionRespondRules(src, dst, conn, false)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return &rulesConnection{mergedIngressRules, mergedEgressRules}, nil
+}
+
+func (c *VPCConfig) computeAndUpdateDirectionRespondRules(src, dst Node, conn *connection.Set,
+ isIngress bool) (rulesInLayers, error) {
+ // respond: dst and src switched, src and dst ports also switched
+ // computes allowRulesPerLayer/denyRulePerLayer: ingress/egress rules enabling/disabling respond
+ // note that there could be both allow and deny in case part of the connection is enabled and part blocked
+ connSwitch := conn.SwitchSrcDstPorts()
+ allowRules, denyRules, err1 := c.getFiltersRulesBetweenNodesPerDirectionAndLayer(dst, src, connSwitch, isIngress, NaclLayer)
+ if err1 != nil {
+ return nil, err1
+ }
+ allowRulesPerLayer, denyRulePerLayer := rulesInLayers{}, rulesInLayers{}
+ allowRulesPerLayer.updateRulesPerLayerIfNonEmpty(NaclLayer, allowRules)
+ denyRulePerLayer.updateRulesPerLayerIfNonEmpty(NaclLayer, denyRules)
+ mergedRules := mergeAllowDeny(allowRulesPerLayer, denyRulePerLayer)
+ return mergedRules, err1
+}
diff --git a/pkg/vpcmodel/explainabilityPrint.go b/pkg/vpcmodel/explainabilityPrint.go
index 583952b8c..973ed3da9 100644
--- a/pkg/vpcmodel/explainabilityPrint.go
+++ b/pkg/vpcmodel/explainabilityPrint.go
@@ -39,6 +39,8 @@ func explainHeader(explanation *Explanation) string {
 return header1 + newLine + header2 + doubleNL
 }
 
+// connHeader is used to print 1) the query in the first header
+// 2) the actual allowed connection from the queried one in the 2nd header
 func connHeader(connQuery *connection.Set) string {
 if connQuery != nil {
 return " using \"" + connQuery.String() + "\""
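Review bot: In `getRespondRules` both `var err error` declarations shadow the named result `err`, which is itself never assigned; `go vet`'s shadow analyzer flags this, and dropping the named results, `conn *connection.Set) (*rulesConnection, error) {`, removes it without other changes. `computeAndUpdateDirectionRespondRules` ends with `return mergedRules, err1` after `err1` has already been checked to be nil — `return mergedRules, nil` says what is meant — and the name promises an update the function does not perform; it only computes and returns. The comment `egress is *dst* is internal` should read `egress if *dst* is internal`, and `// are relevant for` in updateRespondRules is cut off mid-sentence. It would also help to state in getRespondRules's comment why only NaclLayer is consulted: per the updateRespondRules comment the NACL is the only non-stateful filter, so it alone can block the reply path.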
@@ -88,17 +90,20 @@ func explainMissingCrossVpcRouter(src, dst string, connQuery *connection.Set) st // prints a single line of explanation for externalAddress grouped // The printing contains 4 sections: -// 1. Header describing the query and whether there is a connection. E.g.: -// * Allowed connections from ky-vsi0-subnet5[10.240.9.4] to ky-vsi0-subnet11[10.240.80.4]: All Connections -// * No connections are allowed from ky-vsi1-subnet20[10.240.128.5] to ky-vsi0-subnet0[10.240.0.5]; -// 2. List of all the different resources effecting the connection and the effect of each. E.g.: +// 1. Header describing the query and whether there is a connection. E.g.: +// * Allowed connections from ky-vsi0-subnet5[10.240.9.4] to ky-vsi0-subnet11[10.240.80.4]: All Connections +// The TCP sub-connection is responsive +// * No connections are allowed from ky-vsi1-subnet20[10.240.128.5] to ky-vsi0-subnet0[10.240.0.5]; +// 2. List of all the different resources effecting the connection and the effect of each. E.g.: +// // cross-vpc-connection: transit-connection tg_connection0 of transit-gateway local-tg-ky denys connection // Egress: security group sg21-ky allows connection; network ACL acl21-ky allows connection // Ingress: network ACL acl1-ky allows connection; security group sg1-ky allows connection // 3. Connection path description. E.g.: // ky-vsi1-subnet20[10.240.128.5] -> security group sg21-ky -> subnet20 -> network ACL acl21-ky -> // test-vpc2-ky -> TGW local-tg-ky -> | -// 4. Details of enabling and disabling rules/prefixes, including details of each rule +// +// 4. Details of enabling and disabling rules/prefixes, including details of each rule // // 1 and 3 are printed always // 2 is printed only when the connection is blocked. It is redundant when the entire path ("3") is printed. When 
@@ -136,18 +141,37 @@ func (g *groupedConnLine) explainabilityLineStr(c *VPCConfig, connQuery *connect
 ingressBlocking, egressBlocking, externalRouter, crossVpcRouter, crossVpcConnection, rules) + newLine
 // details is "4" above
 egressRulesDetails, ingressRulesDetails := rules.ruleDetailsStr(c, filtersRelevant, needEgress, needIngress)
+ conn := g.commonProperties.conn
 if verbose {
- details = "\nDetails:\n~~~~~~~~\n" + egressRulesDetails + crossRouterFilterDetails + ingressRulesDetails
+ details = "\nDetails:\n~~~~~~~~\nPath is enabled by the following rules:\n" +
+ egressRulesDetails + crossRouterFilterDetails + ingressRulesDetails
+ if respondRulesRelevant(conn, filtersRelevant) {
+ // for respond rules needIngress and needEgress are switched
+ respondEgressDetails, respondsIngressDetails := expDetails.respondRules.ruleDetailsStr(c, filtersRelevant, needIngress, needEgress)
+ details += respondDetailsHeader(conn) + respondEgressDetails + respondsIngressDetails
+ }
 }
 return g.explainPerCaseStr(c, src, dst, connQuery, crossVpcConnection, ingressBlocking, egressBlocking, noConnection, resourceEffectHeader, path, details)
 }
 
+// assumption: the func is called only if the tcp component of the connection is not empty
+func respondDetailsHeader(d *detailedConn) string {
+ switch {
+ case d.tcpRspDisable.IsEmpty():
+ return "TCP response is enabled by the following rules:\n"
+ case d.tcpRspEnable.IsEmpty():
+ return "TCP response is disabled by the following rules:\n"
+ default:
+ return "TCP response is partly enabled by the following rules:\n"
+ }
+}
+
 // after all data is gathered, generates the actual string to be printed
 func (g *groupedConnLine) explainPerCaseStr(c *VPCConfig, src, dst EndpointElem, connQuery, crossVpcConnection *connection.Set,
 ingressBlocking, egressBlocking bool, noConnection, resourceEffectHeader, path, details string) string {
- conn := g.commonProperties.conn.allConn
+ conn := g.commonProperties.conn
 externalRouter, crossVpcRouter := g.commonProperties.expDetails.externalRouter, g.commonProperties.expDetails.crossVpcRouter
 headerPlusPath := resourceEffectHeader + path
@@ -162,13 +186,13 @@ func (g *groupedConnLine) explainPerCaseStr(c *VPCConfig, src, dst EndpointElem,
 return fmt.Sprintf("%v\tThe dst is external but there is no Floating IP or Public Gateway connecting to public internet\n", noConnection)
 case ingressBlocking && egressBlocking:
- return fmt.Sprintf("%vconnection blocked both by ingress and egress"+tripleNLVars, noConnection,
+ return fmt.Sprintf("%vconnection is blocked both by ingress and egress"+tripleNLVars, noConnection,
 headerPlusPath, details)
 case ingressBlocking:
- return fmt.Sprintf("%vconnection blocked by ingress"+tripleNLVars, noConnection,
+ return fmt.Sprintf("%vconnection is blocked by ingress"+tripleNLVars, noConnection,
 headerPlusPath, details)
 case egressBlocking:
- return fmt.Sprintf("%vconnection blocked by egress"+tripleNLVars, noConnection,
+ return fmt.Sprintf("%vconnection is blocked by egress"+tripleNLVars, noConnection,
 headerPlusPath, details)
 default: // there is a connection
 return existingConnectionStr(c, connQuery, src, dst, conn, path, details)
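Review bot: The printer decides that `expDetails.respondRules` is usable by re-evaluating `respondRulesRelevant(conn, filtersRelevant)`, while the field is populated under that same predicate in updateRespondRules; if the two sides ever evaluate it on a different `conn` or `filtersRelevant`, the call `expDetails.respondRules.ruleDetailsStr(...)` dereferences a nil `*rulesConnection` and panics. Guarding on the data instead, `if expDetails.respondRules != nil {`, makes the printer independent of that coupling and costs nothing. `respondEgressDetails, respondsIngressDetails` mixes two spellings — `respondIngressDetails` keeps the pair parallel. The enclosing explainabilityLineStr starts outside the hunk.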
@@ -206,19 +230,20 @@ func noConnectionHeader(src, dst string, connQuery *connection.Set) string {
 // printing when connection exists.
 // computing "1" when there is a connection and adding to it already computed "2" and "3" as described in explainabilityLineStr
 func existingConnectionStr(c *VPCConfig, connQuery *connection.Set, src, dst EndpointElem,
- conn *connection.Set, path, details string) string {
+ conn *detailedConn, path, details string) string {
 resComponents := []string{}
 // Computing the header, "1" described in explainabilityLineStr
+ respondConnStr := respondString(conn)
 if connQuery == nil {
- resComponents = append(resComponents, fmt.Sprintf("Allowed connections from %v to %v: %v\n", src.ExtendedName(c), dst.ExtendedName(c),
- conn.String()))
+ resComponents = append(resComponents, fmt.Sprintf("Allowed connections from %v to %v: %v%v\n", src.ExtendedName(c), dst.ExtendedName(c),
+ conn.allConn.String(), respondConnStr))
 } else {
 properSubsetConn := ""
- if !conn.Equal(connQuery) {
+ if !conn.allConn.Equal(connQuery) {
 properSubsetConn = "(note that not all queried protocols/ports are allowed)\n"
 }
- resComponents = append(resComponents, fmt.Sprintf("Connections are allowed from %s to %s%s\n%s",
- src.ExtendedName(c), dst.ExtendedName(c), connHeader(conn), properSubsetConn))
+ resComponents = append(resComponents, fmt.Sprintf("Connections are allowed from %s to %s%s%s\n%s",
+ src.ExtendedName(c), dst.ExtendedName(c), connHeader(conn.allConn), respondConnStr, properSubsetConn))
 }
 resComponents = append(resComponents, path, details)
 return strings.Join(resComponents, newLine)
@@ -257,21 +282,21 @@ func (rules *rulesConnection) ruleDetailsStr(c *VPCConfig, filtersRelevant map[s
 ingressRulesDetails = rules.ingressRules.rulesDetailsStr(c, filtersRelevant, true)
 }
 if needEgress && egressRulesDetails != emptyString {
- egressRulesDetails = "Egress:\n" + egressRulesDetails + newLine
+ egressRulesDetails = "\tEgress:\n" + egressRulesDetails + newLine
 }
 if needIngress && ingressRulesDetails != emptyString {
- ingressRulesDetails = "Ingress:\n" + ingressRulesDetails + newLine
+ ingressRulesDetails = "\tIngress:\n" + ingressRulesDetails + newLine
 }
 return egressRulesDetails, ingressRulesDetails
 }
 
 // returns a string with the effect of each filter by calling StringFilterEffect
 // e.g. "security group sg1-ky allows connection; network ACL acl1-ky blocks connection"
-func (rulesInLayers rulesInLayers) summaryFiltersStr(c *VPCConfig, filtersRelevant map[string]bool, isIngress bool) string {
+func (rules rulesInLayers) summaryFiltersStr(c *VPCConfig, filtersRelevant map[string]bool, isIngress bool) string {
 filtersLayersToPrint := getLayersToPrint(filtersRelevant, isIngress)
 strSlice := make([]string, len(filtersLayersToPrint))
 for i, layer := range filtersLayersToPrint {
- strSlice[i] = stringFilterEffect(c, layer, rulesInLayers[layer])
+ strSlice[i] = stringFilterEffect(c, layer, rules[layer])
 }
 return strings.Join(strSlice, semicolon+space)
 }
@@ -416,11 +441,11 @@ func pathFiltersSingleLayerStr(c *VPCConfig, filterLayerName string, rules []Rul
 }
 
 // prints detailed list of rules that effects the (existing or non-existing) connection
-func (rulesInLayers rulesInLayers) rulesDetailsStr(c *VPCConfig, filtersRelevant map[string]bool, isIngress bool) string {
+func (rules rulesInLayers) rulesDetailsStr(c *VPCConfig, filtersRelevant map[string]bool, isIngress bool) string {
 var strSlice []string
 for _, layer := range getLayersToPrint(filtersRelevant, isIngress) {
 filter := c.getFilterTrafficResourceOfKind(layer)
- if rules, ok := rulesInLayers[layer]; ok {
+ if rules, ok := rules[layer]; ok {
 strSlice = append(strSlice, filter.StringDetailsOfRules(rules))
 }
 }
@@ -446,3 +471,21 @@ func getLayersToPrint(filtersRelevant map[string]bool, isIngress bool) (filterLa
 }
 return orderedRelevantFiltersLayers
 }
+
+func respondString(d *detailedConn) string {
+ switch {
+ case d.allConn.Equal(d.nonTCP):
+ // no tcp component - ill-relevant
+ return ""
+ case d.tcpRspEnable.IsEmpty():
+ // no tcp responsive component
+ return "\n\tTCP response is blocked"
+ case d.tcpRspEnable.Equal(d.allConn):
+ // tcp responsive component is the entire connection
+ return "\n\tThe entire connection is TCP responsive"
+ case d.tcpRspDisable.IsEmpty():
+ return "\n\tThe TCP sub-connection is responsive"
+ default:
+ return "\n\tTCP response is enabled for: " + d.tcpRspEnable.String()
+ }
+}
diff --git a/pkg/vpcmodel/grouping.go b/pkg/vpcmodel/grouping.go
index de02fa160..0f62f5b47 100644
--- a/pkg/vpcmodel/grouping.go
+++ b/pkg/vpcmodel/grouping.go
@@ -28,6 +28,7 @@ type groupedExternalNodesInfo struct {
 
 type explainDetails struct {
 rules *rulesConnection
+ respondRules *rulesConnection
 externalRouter RoutingResource
 crossVpcRouter RoutingResource
 crossVpcRules []RulesInTable
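Review bot: With the receiver renamed to `rules`, the line `if rules, ok := rules[layer]; ok {` declares a local `rules` that shadows the receiver of the same name; it compiles because the right-hand side is evaluated before the new variable enters scope, but it reads as if the map indexed itself, and any later reference to the receiver inside the `if` would silently hit the slice instead. `if layerRules, ok := rules[layer]; ok {` with `filter.StringDetailsOfRules(layerRules)` removes the ambiguity. The same receiver rename in summaryFiltersStr and updateRulesPerLayerIfNonEmpty is fine, since those bodies declare no inner `rules`.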
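Review bot: `respondString` has no doc comment although it produces user-visible header text, and its first-case comment `// no tcp component - ill-relevant` should read `// no TCP component - irrelevant`. A header such as `// respondString returns the TCP-responsiveness suffix appended to the connection header, or "" when the connection has no TCP part` would match the file's conventions. The order of the cases matters (a connection that is entirely TCP-responsive also satisfies the `tcpRspDisable.IsEmpty()` case), which is worth a one-line comment above the switch.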
@@ -342,9 +343,10 @@ func (g *GroupConnLines) groupExternalAddressesForExplainability() error {
 for _, details := range *g.explain {
 groupingStrKey := details.explanationEncode(g.config)
 expDetails := &explainDetails{details.actualMergedRules,
- details.externalRouter, details.crossVpcRouter,
+ details.respondRules, details.externalRouter, details.crossVpcRouter,
 details.crossVpcRules, details.filtersRelevant,
- details.connEnabled, details.ingressEnabled, details.egressEnabled}
+ details.connEnabled, details.ingressEnabled,
+ details.egressEnabled}
 err := g.addLineToExternalGrouping(&res, details.src, details.dst,
 &groupedCommonProperties{conn: details.conn, expDetails: expDetails, groupingStrKey: groupingStrKey})
@@ -612,14 +614,18 @@ func (details *srcDstDetails) explanationEncode(c *VPCConfig) string {
 if details.crossVpcRouter != nil {
 encodeComponents = append(encodeComponents, details.crossVpcRouter.UID())
 }
- if len(details.actualMergedRules.egressRules) > 0 {
- encodeComponents = append(encodeComponents, "egress:"+
- details.actualMergedRules.egressRules.rulesDetailsStr(c, details.filtersRelevant, false))
- }
- if len(details.actualMergedRules.ingressRules) > 0 {
- encodeComponents = append(encodeComponents, "ingress:"+
- details.actualMergedRules.ingressRules.rulesDetailsStr(c, details.filtersRelevant, true))
- }
-
+ details.actualMergedRules.egressRules.appendEncodeRules(&encodeComponents, c, details.filtersRelevant,
+ "egress", false)
+ details.actualMergedRules.ingressRules.appendEncodeRules(&encodeComponents, c, details.filtersRelevant,
+ "ingress", true)
 return strings.Join(encodeComponents, ";")
 }
+
+func (rules *rulesInLayers) appendEncodeRules(encodeComponents *[]string,
+ c *VPCConfig, filtersRelevant map[string]bool, header string, isIngress bool) {
+ if len(*rules) == 0 {
+ return
+ }
+ *encodeComponents = append(*encodeComponents, header+
+ rules.rulesDetailsStr(c, filtersRelevant, isIngress))
+}
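Review bot: `appendEncodeRules` is passed `"egress"`/`"ingress"` and concatenates the header directly, whereas the removed code prefixed `"egress:"`/`"ingress:"`, so the colon silently disappears from the grouping key built by explanationEncode; that is harmless for grouping on its own but is an unintended change in a refactor, so either pass `"egress:", false)` and `"ingress:", true)` or add the colon inside the helper. The pointer receiver on the map type, `*rulesInLayers`, buys nothing here (the map is a reference type and rulesDetailsStr already uses a value receiver) — `func (rules rulesInLayers) appendEncodeRules(...)` with `len(rules)` reads cleaner. The `explainDetails` literal in the first hunk is positional, which is why inserting `respondRules` forced every following argument to move; a keyed literal (`rules: details.actualMergedRules, respondRules: details.respondRules, …`) would make future field additions safe and self-describing.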