Initial development for versa application to reserve enum. #347
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pylint has been run and no new warnings introduced.
pylint run : no warnings
versa_test.py: tests for Versa acls added
pylint run. Only see unused import warnings.
Tests were run without any errors
versa.md: Documentation for Versa ACLs
Please note that these are initial commits. More
commits wil be done as needed.
abhindes
reviewed
Aug 16, 2023
capirca/lib/versa.py
Outdated
| @@ -0,0 +1,877 @@ | |||
| # Copyright 2011 Google Inc. All Rights Reserved. | |||
There was a problem hiding this comment.
Updated in the next commit
capirca/lib/versa.py
Outdated
| #import six | ||
|
|
||
|
|
||
| ICMP_TERM_LIMIT = 8 |
|
|
||
| if self.term.versa_application: | ||
| predef_str = 'predefined-services-list [' | ||
| for predef in self.term.versa_application: |
There was a problem hiding this comment.
We probably need to do some validation checking here on what valid versa applications are.
There was a problem hiding this comment.
versa.application is a list and it is check in Line 237
capirca/lib/versa.py
Outdated
| 'tenant', | ||
| 'policy')) | ||
| _VERSA_UNSUPPORTED_TERM_OPTIONS = set(('icmp_type', | ||
| 'stateless_reply', |
There was a problem hiding this comment.
stateless_reply fields are used to skip the reply flows if the firewall is stateful. Since Versa is stateful, we can remove this from here.
There was a problem hiding this comment.
Not being used. Deleted
| if len(val) > 0: | ||
| if 'template' in mstr: | ||
| self.templatename = val | ||
| elif 'tenant' in mstr: |
There was a problem hiding this comment.
Is tenant a required field? Could you provide an example of what might be populated in here?
There was a problem hiding this comment.
Added a skeleton of the config.
capirca/lib/versa.py
Outdated
Comment on lines
587
to
604
| # we need to remove icmp from the protocol and add it to the | ||
| #pan-application list | ||
| if term.protocol and 'icmp' in ' '.join(term.protocol): | ||
| term.protocol.remove('icmp') | ||
| term.versa_application.append('ICMP') | ||
| # Because Versa terms can contain inet and inet6 addresses. We have to | ||
| # have ability to recover proper AF for ICMP type we need. | ||
| # If protocol is empty or we cannot map to inet or inet6 we insert bogus | ||
| # af_type name which will cause new_term.NormalizeIcmpTypes to fail. | ||
|
|
||
| #if not term.protocol: | ||
| # icmp_af_type = 'unknown_af_icmp' | ||
| #else: | ||
| # icmp_af_type = self._AF_ICMP_MAP.get( | ||
| # term.protocol[0], 'unknown_af_icmp') | ||
| #tmp_icmptype = new_term.NormalizeIcmpTypes( | ||
| # term.icmp_type, term.protocol, icmp_af_type) | ||
|
|
There was a problem hiding this comment.
Some cleanup necessary here to support icmpv6 correctly.
There was a problem hiding this comment.
will deal with icmpv6 in the next round
|
Abhineet
There are a few extraneous things I need to take care of. However, I wanted
to not delay my initial commit. I will take in account all the comments
that you provide in the next set of commits.
Thanks
Sujay Datta
…On Tue, Aug 15, 2023, 19:11 abhindes ***@***.***> wrote:
***@***.**** commented on this pull request.
I'm still going through this.
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> @@ -0,0 +1,877 @@
+# Copyright 2011 Google Inc. All Rights Reserved.
please update
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> +"""Versa generator."""
+# pylint: disable=super-init-not-called
+
+
+import collections
+import copy
+#import datetime
+import itertools
+
+from absl import logging
+from capirca.lib import aclgenerator
+from capirca.lib import nacaddr
+#import six
+
+
+ICMP_TERM_LIMIT = 8
Is this being used?
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> + """Build Term app"""
+ mstr = []
+ if self.app:
+ apps = list(filter(lambda x: x['name'] == self.term.name, self.app))
+ if len(apps) > 0:
+ slist = ''
+ for i in range(0,len(apps)):
+ for j in range(0,len(apps[i]['protocol'])):
+ slist = slist + ' ' + self.term.name + '-app' + str(j+1)
+ if len(slist) > 0:
+ slist = 'services-list [' + slist + ' ];'
+ mstr.append(slist)
+
+ if self.term.versa_application:
+ predef_str = 'predefined-services-list ['
+ for predef in self.term.versa_application:
We probably need to do some validation checking here on what valid versa
applications are.
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> +
+ _PLATFORM = 'versa'
+ SUFFIX = '.vsp'
+ _SUPPORTED_AF = set(('inet', 'inet6', 'mixed'))
+ _ZONE_ADDR_BOOK = 'address-book-zone'
+ _GLOBAL_ADDR_BOOK = 'address-book-global'
+ _ADDRESSBOOK_TYPES = set((_ZONE_ADDR_BOOK, _GLOBAL_ADDR_BOOK))
+ _NOVERBOSE = 'noverbose'
+ _SUPPORTED_TARGET_OPTIONS = set((_ZONE_ADDR_BOOK,
+ _GLOBAL_ADDR_BOOK,
+ _NOVERBOSE))
+ _VERSA_SUPPORTED_TARGET_OPTIONS = set(('template',
+ 'tenant',
+ 'policy'))
+ _VERSA_UNSUPPORTED_TERM_OPTIONS = set(('icmp_type',
+ 'stateless_reply',
stateless_reply fields are used to skip the reply flows if the firewall is
stateful. Since Versa is stateful, we can remove this from here.
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> + }
+
+ supported_sub_tokens.update(
+ {'action': {'accept', 'deny', 'reject', 'count', 'log', 'dscp'},
+ })
+
+ del supported_sub_tokens['option']
+ return supported_tokens, supported_sub_tokens
+
+
+ def HeaderParams(self, mstr, val):
+ """HeaderParams populates the template name and tenant name."""
+ if len(val) > 0:
+ if 'template' in mstr:
+ self.templatename = val
+ elif 'tenant' in mstr:
Is tenant a required field? Could you provide an example of what might be
populated in here?
------------------------------
In capirca/lib/versa.py
<#347 (comment)>:
> + # we need to remove icmp from the protocol and add it to the
+ #pan-application list
+ if term.protocol and 'icmp' in ' '.join(term.protocol):
+ term.protocol.remove('icmp')
+ term.versa_application.append('ICMP')
+ # Because Versa terms can contain inet and inet6 addresses. We have to
+ # have ability to recover proper AF for ICMP type we need.
+ # If protocol is empty or we cannot map to inet or inet6 we insert bogus
+ # af_type name which will cause new_term.NormalizeIcmpTypes to fail.
+
+ #if not term.protocol:
+ # icmp_af_type = 'unknown_af_icmp'
+ #else:
+ # icmp_af_type = self._AF_ICMP_MAP.get(
+ # term.protocol[0], 'unknown_af_icmp')
+ #tmp_icmptype = new_term.NormalizeIcmpTypes(
+ # term.icmp_type, term.protocol, icmp_af_type)
+
Some cleanup necessary here.
—
Reply to this email directly, view it on GitHub
<#347 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ARIYF7VJC4L7PQJUOBVTZELXVQF2LANCNFSM6AAAAAA3KNNYLA>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
abhindes
reviewed
Aug 16, 2023
capirca/lib/versa.py
Outdated
| return self.target | ||
|
|
||
| def PrintTreeInt(self,num=0): | ||
| """Internal function to the tree. Does recursion""" |
There was a problem hiding this comment.
We might need to check if the default recursion depths are sufficient for large policies here. Might want to move away from recursion if needed.
There was a problem hiding this comment.
Already verified with multiple tests.
abhindes
reviewed
Aug 16, 2023
| self.addrbook = addrbook | ||
| self.app = [] | ||
|
|
||
| if term.source_zone: |
There was a problem hiding this comment.
qq on Versa: Is intra-Zone traffic permitted by default, or denied by default?
abhindes
reviewed
Aug 16, 2023
| if self.term.action: | ||
| self.BuildTermLogging(access_pn) | ||
|
|
||
| #print("\n".join(set_term.PrintTree())) |
abhindes
reviewed
Aug 16, 2023
capirca/lib/versa.py
Outdated
Comment on lines
422
to
423
| #current_date = datetime.datetime.utcnow().date() | ||
| #exp_info_date = current_date + datetime.timedelta(weeks=exp_info) |
abhindes
reviewed
Aug 16, 2023
capirca/lib/versa.py
Outdated
Comment on lines
432
to
435
| #if self._NOVERBOSE in filter_options[4:]: | ||
| # verbose = False | ||
|
|
||
| # TODO(robankeny): Clean up option section. |
abhindes
reviewed
Aug 16, 2023
capirca/lib/versa.py
Outdated
Comment on lines
587
to
588
| # we need to remove icmp from the protocol and add it to the | ||
| #pan-application list |
abhindes
reviewed
Aug 16, 2023
tests/lib/versa_test.py
Outdated
| @@ -0,0 +1,476 @@ | |||
| # Copyright 2012 Google Inc. All Rights Reserved. | |||
abhindes
reviewed
Aug 16, 2023
| pol = policy.ParsePolicy(GOOD_HEADER_1 + ICMP_TYPE_TERM_1 , self.naming) | ||
| self.assertRaises(versa.VersaUnsupportedTerm, versa.Versa, pol, EXP_INFO) | ||
|
|
||
| def testIcmpV6(self): |
There was a problem hiding this comment.
We'll want to add some tests later to meet https://github.com/google/capirca/blob/master/doc/generator_patterns.md#icmp-and-icmpv6-handling
abhindes
reviewed
Aug 16, 2023
| _IPSET5 = [nacaddr.IP('10.0.0.0/24')] | ||
|
|
||
|
|
||
| class VersaTest(absltest.TestCase): |
There was a problem hiding this comment.
We probably will need to add some more unit test coverage. The generator has a ton of different options and it will help to have more cases covered - https://github.com/google/capirca/blob/master/doc/generator_patterns.md#test-coverage
abhindes
reviewed
Aug 16, 2023
abhindes
approved these changes
Aug 17, 2023
Changes for expiration, platform, platform-exclude, logging Added tests for expiration, platform, platform-exclude, multiple terms, logging ipv4/v6. Renamed terms for better understanding. Ran pylint on versa.py and versa-test.py
Added Versa policy file and verified using aclgen.py
copybara-service bot
pushed a commit
that referenced
this pull request
Sep 12, 2023
…ort. Fixes #347. PiperOrigin-RevId: 564745184
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Enum added for Versa App development since Versa routers are service aware router like Paolo Alto Routers.
Once this Enum is reviewed and approved , other changes can be checked in.
pylint has been run and no new warnings introduced by the code change