Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rafactoring ACL attributes #464

Open
wants to merge 31 commits into
base: develop
Choose a base branch
from
Open

Rafactoring ACL attributes #464

wants to merge 31 commits into from

Conversation

mzbroch
Copy link
Contributor

@mzbroch mzbroch commented Feb 20, 2024
edited
Loading

  • class refactor - distinguish between "actions" and ACL attributes , move "actions"/"settings" under ACL.Meta class
  • unittests
  • Cartesian product supports None values: src_ip': None, 'dst_ip': None, 'action': None}
  • drop order_* methods
  • option to raise exceptions in validate_
  • aggregate results in validate_ and enforce_
  • remove dst_port processor,
  • -- provide additional examples through docs or contrib
  • docs updates

@mzbroch mzbroch changed the title Netutils/acl mod Rafactoring ACL attributes Feb 23, 2024
@mzbroch mzbroch marked this pull request as ready for review February 23, 2024 09:52
itdependsnetworks
itdependsnetworks reviewed Feb 24, 2024
View reviewed changes
netutils/acl.py Outdated
return str(item.deny) # pylint: disable=undefined-loop-variable
if item.match(rule): # mzb: bugfix
return True # mzb: change to bool
return False # pylint: disable=undefined-loop-variable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had this as string as most vendors have more than just permit or deny, this is Palo's

allow
deny
drop
reset client
reset server
reset client and server

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO match method should return only True/False if the rule is/not matched by the check. This should only check if A contains B.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is reasonable to have different levels.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think, I see this in a little different way :

def match_action(action, match_action):
    deny_actions = ['deny', 'drop', 'reset client', 'reset server', ...]
    if action in deny_actions and match_action in deny_actions:
        return True
    else:
        return False

I would really like to avoid putting opinionated logic into generic match resolution while we provide easily extensible framework

itdependsnetworks
itdependsnetworks reviewed Mar 6, 2024
View reviewed changes
netutils/acl.py Outdated Show resolved Hide resolved
itdependsnetworks
itdependsnetworks reviewed Mar 6, 2024
View reviewed changes
netutils/acl.py Outdated Show resolved Hide resolved
@itdependsnetworks itdependsnetworks mentioned this pull request Mar 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@itdependsnetworks itdependsnetworks itdependsnetworks left review comments

@jeffkala jeffkala Awaiting requested review from jeffkala jeffkala is a code owner

@qduk qduk Awaiting requested review from qduk qduk is a code owner

@abates abates Awaiting requested review from abates

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mzbroch @itdependsnetworks