767 sg nacl fields print order (#856)

cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt

@@ -15,25 +15,25 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group sg1-ky allows connection with the following allow rules
-			direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all
 		network ACL acl1-ky allows connection with the following allow and deny rules
-			direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: protocol: icmp
-			direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
+			name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp
+			name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all
 
 	Ingress:
 		network ACL acl2-ky allows connection with the following allow rules
-			direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
+			name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all
 		security group sg1-ky allows connection with the following allow rules
-			direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Egress:
 		network ACL acl2-ky allows connection with the following allow rules
-			direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
+			name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all
 
 	Ingress:
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
+			name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt

@@ -17,18 +17,18 @@ Details:
 Path is enabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow and deny rules
-			ruleNumber: 10, direction: inbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 9080-9080
-			ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 9080-9080
+			ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 		security group GroupId:35 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 147.0.0.0/8, conns: protocol: tcp, dstPorts: 0-65535
+			Inbound index: 0, direction: inbound, target: 147.0.0.0/8, protocol: tcp, dstPorts: 0-65535
 		security group GroupId:9 has no relevant allow rules
 		Ingress to public internet is allowed since subnet public is public
 
 TCP response is partly enabled; The relevant rules are:
 	Egress:
 		network ACL acl1 allows connection with the following allow and deny rules
-			ruleNumber: 10, direction: outbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 1025-5000
-			ruleNumber: 32767, direction: outbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 1025-5000
+			ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt

@@ -15,24 +15,24 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group GroupId:50 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 		security group GroupId:42 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 10.240.40.0/24, conns: protocol: all
+			Inbound index: 0, direction: inbound, target: 10.240.40.0/24, protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Egress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt

@@ -19,15 +19,15 @@ Details:
 Path is disabled; The relevant rules are:
 	Egress:
 		security group GroupId:9 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all
 		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all
 
 	Ingress:
 		network ACL acl1 blocks connection with the following deny rules:
-			ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 		security group GroupId:9 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all
+			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/same_subnet_no_connection_all_vpcs_explain_detail.txt

@@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
 	Egress:
 		security group GroupId:35 has no relevant allow rules
 		security group GroupId:9 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all
 
 	Ingress:
 		security group GroupId:35 has no relevant allow rules

pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt

@@ -15,11 +15,11 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group GroupId:9 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all
 
 	Ingress:
 		security group GroupId:15 allows connection with the following allow rules
-			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: udp, dstPorts: 0-65535
+			Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt

@@ -19,10 +19,10 @@ Path is disabled; The relevant rules are:
 	Egress:
 		Egress to public internet is blocked since subnet application is private
 		security group GroupId:35 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
 		security group GroupId:42 has no relevant allow rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt

@@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
 		Egress to public internet is blocked since subnet application is private
 		security group GroupId:42 has no relevant allow rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt

@@ -17,14 +17,14 @@ Path is enabled; The relevant rules are:
 	Egress:
 		Egress to public internet is allowed since subnet edge is public
 		security group GroupId:35 allows connection with the following allow rules
-			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
+			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 

pkg/awsvpc/nacl_analysis.go

@@ -59,10 +59,10 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 	ruleObj := na.prioritiesEntries[index]
 	protocol := convertProtocol(*ruleObj.Protocol)
 	ruleNumber := *ruleObj.RuleNumber
+	portsStr := ""
 	switch protocol {
 	case allProtocols:
 		conns = connection.All()
-		connStr = protocol
 	case protocolTCP, protocolUDP:
 		minPort := int64(*ruleObj.PortRange.From)
 		maxPort := int64(*ruleObj.PortRange.To)
@@ -72,20 +72,26 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 			minPort,
 			maxPort,
 		)
-		connStr = fmt.Sprintf("protocol: %s, dstPorts: %d-%d", protocol, minPort, maxPort)
+		portsStr = fmt.Sprintf(", dstPorts: %d-%d", minPort, maxPort)
 	case protocolICMP:
 		icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax,
 			err := handleIcmpTypeCode(ruleObj.IcmpTypeCode.Type, ruleObj.IcmpTypeCode.Code)
 
 		if err != nil {
 			return "", nil, false, err
 		}
+		if ruleObj.IcmpTypeCode.Type != nil && *ruleObj.IcmpTypeCode.Type != -1 {
+			portsStr = fmt.Sprintf(", type: %d", *ruleObj.IcmpTypeCode.Type)
+		}
+		if ruleObj.IcmpTypeCode.Code != nil && *ruleObj.IcmpTypeCode.Code != -1 {
+			portsStr += fmt.Sprintf(", code: %d", *ruleObj.IcmpTypeCode.Code)
+		}
 		conns = connection.ICMPConnection(icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax)
-		connStr = fmt.Sprintf("protocol: %s", protocol)
 	default:
 		err = fmt.Errorf("GetNACLRule unsupported protocol type: %s ", *ruleObj.Protocol)
 		return "", nil, false, err
 	}
+	connStr = "protocol: " + protocol + portsStr
 	action := string(ruleObj.RuleAction)
 	ip, err := ipblock.FromCidr(*ruleObj.CidrBlock)
 	if err != nil {
@@ -99,8 +105,8 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 		direction = commonvpc.Inbound
 	}
 	ruleRes = &commonvpc.NACLRule{Src: src, Dst: dst, Connections: conns, Action: action}
-	ruleStr = fmt.Sprintf("ruleNumber: %d, direction: %s ,cidr: %s, action: %s, conn: %s\n",
-		ruleNumber, direction, ip, action, connStr)
+	ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, %s\n",
+		ruleNumber, action, direction, ip, connStr)
 	return ruleStr, ruleRes, isIngress, nil
 }
 

pkg/awsvpc/sg_analysis.go

@@ -104,7 +104,7 @@ func (sga *AWSSGAnalyzer) getProtocolTCPUDPRule(ruleObj *types.IpPermission, dir
 }
 
 func getRuleStr(direction, connStr, ipRanges string) string {
-	return fmt.Sprintf("direction: %s, target: %s, conns: %s\n", direction, ipRanges, connStr)
+	return fmt.Sprintf("direction: %s, target: %s, %s\n", direction, ipRanges, connStr)
 }
 
 func handleIcmpTypeCode(icmpType, icmpCode *int32) (newIcmpTypeMin, newIcmpTypeMax,

pkg/awsvpc/sg_analysis_test.go

@@ -84,12 +84,12 @@ func TestSGRule(t *testing.T) {
 	require.Nil(t, err)
 	require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 	require.Equal(t, sgRule.Index, 0)
-	require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+	require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
 	ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 	require.Nil(t, err)
 	require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 	require.Equal(t, sgRule.Index, 1)
-	require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+	require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
 }
 
 func newSGobj(groupID, groupName, vpcID string, ipPermissions []types.IpPermission,
@@ -131,13 +131,13 @@ func TestWithSgObj(t *testing.T) {
 	require.Nil(t, err)
 	require.Equal(t, "4.2.0.0/16", sgRule.Remote.Cidr.String())
 	require.Equal(t, 0, sgRule.Index)
-	require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, conns: protocol: tcp,"+
+	require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, protocol: tcp,"+
 		" dstPorts: 5-1000\n", ruleStr)
 	ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 	require.Nil(t, err)
 	require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 	require.Equal(t, sgRule.Index, 1)
-	require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: tcp, "+
+	require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, "+
 		"dstPorts: 23-10030\n", ruleStr)
 }
 

pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt

@@ -16,9 +16,9 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group sg1-ky allows connection with the following allow rules
-			direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp,  dstPorts: 1-65535
+			id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp,  dstPorts: 1-65535
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
@@ -38,7 +38,7 @@ Path is disabled; The relevant rules are:
 	Egress:
 		security group sg1-ky has no relevant allow rules
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all
 
 ------------------------------------------------------------------------------------------------------------------------