Skip to content

Rafactoring ACL attributes #464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mzbroch wants to merge 257 commits into
base: develop
Choose a base branch
from
Open

Rafactoring ACL attributes #464

mzbroch wants to merge 257 commits into from

Conversation

@mzbroch
Copy link
Contributor

@mzbroch mzbroch commented Feb 20, 2024
edited
Loading

  • class refactor - distinguish between "actions" and ACL attributes , move "actions"/"settings" under ACL.Meta class
  • unittests
  • Cartesian product supports None values: src_ip': None, 'dst_ip': None, 'action': None}
  • drop order_* methods
  • option to raise exceptions in validate_
  • aggregate results in validate_ and enforce_
  • remove dst_port processor,
  • -- provide additional examples through docs or contrib
  • docs updates

itdependsnetworks and others added 30 commits June 3, 2021 06:09
@itdependsnetworks
Merge pull request networktocode#14 from networktocode/develop
0aef341 
Release 0.2.0
@jdrew82
Add ASA Parser (networktocode#16)
d6da791 
* Add ASA parser

Co-authored-by: Justin Drew <jdrew82@users.noreply.github.com>
@jifox @jifoxpa
Add BASE_INTERFACES for hp_comware & checkpoint (networktocode#17)
8849420 
* Add BASE_INTERFACES for hp_comware & checkpoint

Co-authored-by: Josef Fuchs <josef.fuchs@pankl.com>
@jeffkala
prep for 0.2.1 release
a4c7924
@itdependsnetworks
Merge pull request networktocode#19 from networktocode/0.2.1
b33b022 
prep for 0.2.1 release
@itdependsnetworks
Merge pull request networktocode#20 from networktocode/develop
45a3ad5 
release 0.2.1
@qduk
Created docs
1edb4c3
@itdependsnetworks
Merge pull request networktocode#8 from qduk/feature/docs
6e2e5c5 
Adds docs for readthedocs
@qduk
Updated docs start line
72e94e1
@qduk
Merge pull request networktocode#24 from qduk/hotfix/Updates_attribut…
b0d8e6b 
…ion_docs

Updated attribution and contribution doc start-lines
@itdependsnetworks
move sphinx to dev dep, update docs, update metadata
971853d
@itdependsnetworks
add pytest ids
a7ec1d1
@itdependsnetworks
Merge pull request networktocode#25 from networktocode/docsandmore
692a2b6 
move sphinx to dev dep, update docs, update metadata
@dgjustice
Add IPv6 functionality to ip module. (networktocode#28)
631a8aa 
* Small performance enhancers

- remove redundant call to `str`
- `get_all_host` list to generator to avoid memory overhead of very
large lists

* Add lookup table for netmasks

There are only 32 + 128 valid IPv4/6 netmasks, so I created a lookup
table for easy validation.  If there are concerns about the memory
overhead, a computed version is easy enough to implement.

* Make netutils dual-stack

I modified functions where I could to make them compatible with IPv6.
Per [RFC4291](https://datatracker.ietf.org/doc/html/rfc4291#section-4),
I have assumed any addresses in the ::/8 range are IPv4.
The one exception is `cidr_to_netmask`.  I added a v6 version of that
function.

* Modify/add tests for proposed functionality
@dgjustice
Remove unnecessary code from ip (networktocode#30)
ce0aecf 
* remove count_bits tests

* Remove count_bits in favor of simpler/faster function
@qduk
interface_range_expansion function added (networktocode#31)
d0bda63 
* interface_range_expansion function added
@dgjustice
Add interface sorting support.
b6ac6f2
@dgjustice @qduk
Update netutils/interface.py
453067c 
Co-authored-by: Adam Byczkowski <38091261+qduk@users.noreply.github.com>
@dgjustice @qduk
Update netutils/interface.py
ab046d2 
Co-authored-by: Adam Byczkowski <38091261+qduk@users.noreply.github.com>
@dgjustice
Cleanup docs from PR suggestions.
ca0b591
@dgjustice
Rename split_interface_tuple to private member
f257a3e
@qduk
Merge pull request networktocode#34 from dgjustice/dgjustice
57972bc 
Add interface sorting support.
@ubajze
Remove the requests package
cfcffb8
@itdependsnetworks
Merge pull request networktocode#38 from networktocode/remove-requests
6e0c9e1 
Remove the requests package
@qduk
Create and order interface lists (networktocode#9)
3d7aae9 
* Added ability to create interface lists
@jtdub
Adds tcp/udp port mapper (networktocode#35)
f5317af 
* add tcp/udp port mapper
@qduk
Create library mapping page for readthedocs (networktocode#39)
ceb0b6f 
* Added document page for lib_mappings
* Updated lib mapping description and added README for pypi
* Update Scrapli variable name to include lib_mapper
@qduk
Added protocol mappings to docs
0744ef6
@qduk
Changed some wording
5e03281
@qduk
Updated docs
21a779a
itdependsnetworks
itdependsnetworks reviewed Feb 24, 2024
View reviewed changes
netutils/acl.py Outdated
return str(item.deny) # pylint: disable=undefined-loop-variable
if item.match(rule): # mzb: bugfix
return True # mzb: change to bool
return False # pylint: disable=undefined-loop-variable
Copy link
Contributor

@itdependsnetworks itdependsnetworks Feb 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had this as string as most vendors have more than just permit or deny, this is Palo's

allow
deny
drop
reset client
reset server
reset client and server

Copy link
Contributor Author

@mzbroch mzbroch Feb 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO match method should return only True/False if the rule is/not matched by the check. This should only check if A contains B.

Copy link
Contributor

@itdependsnetworks itdependsnetworks Mar 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is reasonable to have different levels.

Copy link
Contributor Author

@mzbroch mzbroch Mar 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, I see this in a little different way :

def match_action(action, match_action):
    deny_actions = ['deny', 'drop', 'reset client', 'reset server', ...]
    if action in deny_actions and match_action in deny_actions:
        return True
    else:
        return False

I would really like to avoid putting opinionated logic into generic match resolution while we provide easily extensible framework

itdependsnetworks
itdependsnetworks reviewed Mar 6, 2024
View reviewed changes
itdependsnetworks
itdependsnetworks reviewed Mar 6, 2024
View reviewed changes
itdependsnetworks
itdependsnetworks reviewed Mar 6, 2024
View reviewed changes
@itdependsnetworks itdependsnetworks mentioned this pull request Mar 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@itdependsnetworks itdependsnetworks itdependsnetworks left review comments

@jeffkala jeffkala Awaiting requested review from jeffkala jeffkala is a code owner

@qduk qduk Awaiting requested review from qduk qduk is a code owner

@abates abates Awaiting requested review from abates

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.