From 7591eb65361e8a985275cefffa9911fc4fc6a16a Mon Sep 17 00:00:00 2001 
From: shirim Date: Thu, 5 Sep 2024 10:16:39 +0300 Subject: [PATCH 01/17] change order of fields in ibm's sg and nacl --- .../acl_testing3_detailed_explain.txt | 14 +- pkg/awsvpc/nacl_analysis.go | 4 +- ...ingExternalSG1_all_vpcs_explain_detail.txt | 6 +- ...sNodeToIksNode_all_vpcs_explain_detail.txt | 24 +-- .../LBToIksNode_all_vpcs_explain_detail.txt | 172 +++++++++--------- .../LBToResIPNode_all_vpcs_explain_detail.txt | 104 +++++------ .../NACLExternal1_all_vpcs_explain_detail.txt | 4 +- .../NACLExternal2_all_vpcs_explain_detail.txt | 2 +- .../NACLGrouping_all_vpcs_explain_detail.txt | 6 +- .../NACLInternal1_all_vpcs_explain_detail.txt | 14 +- .../NACLInternal2_all_vpcs_explain_detail.txt | 12 +- .../NACLInternal3_all_vpcs_explain_detail.txt | 6 +- .../NACLInternal4_all_vpcs_explain_detail.txt | 4 +- ...To4DstInternal_all_vpcs_explain_detail.txt | 12 +- ...enyNoConnQuery_all_vpcs_explain_detail.txt | 8 +- ...eryAllowSubset_all_vpcs_explain_detail.txt | 4 +- ...eryConnection1_all_vpcs_explain_detail.txt | 4 +- ...eryConnection2_all_vpcs_explain_detail.txt | 2 +- ...nnectionRules2_all_vpcs_explain_detail.txt | 6 +- ...nnectionRules3_all_vpcs_explain_detail.txt | 4 +- ...nnectionRules4_all_vpcs_explain_detail.txt | 4 +- ...lTCPAndRespond_all_vpcs_explain_detail.txt | 16 +- ...tialTCPRespond_all_vpcs_explain_detail.txt | 16 +- ...ectionSGBasic1_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic2_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic3_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic4_all_vpcs_explain_detail.txt | 6 +- ...ectionSGBasic5_all_vpcs_explain_detail.txt | 4 +- ...ectionSGRules1_all_vpcs_explain_detail.txt | 16 +- ...ectionSGRules2_all_vpcs_explain_detail.txt | 8 +- ...ectionSGRules3_all_vpcs_explain_detail.txt | 14 +- ...ectionSGRules4_all_vpcs_explain_detail.txt | 16 +- ...nSGSubsetPorts_all_vpcs_explain_detail.txt | 6 +- ...pleExternalSG1_all_vpcs_explain_detail.txt | 4 +- ...pleExternalSG3_all_vpcs_explain_detail.txt | 4 +- 
...pondPortsQuery_all_vpcs_explain_detail.txt | 14 +- .../VsiToVsi1_all_vpcs_explain_detail.txt | 14 +- .../VsiToVsi2_all_vpcs_explain_detail.txt | 12 +- .../VsiToVsi3_all_vpcs_explain_detail.txt | 16 +- .../VsiToVsi4_all_vpcs_explain_detail.txt | 6 +- .../VsiToVsi5_all_vpcs_explain_detail.txt | 10 +- ...eitherEnabling_all_vpcs_explain_detail.txt | 10 +- ...SgsOneEnabling_all_vpcs_explain_detail.txt | 16 +- .../VsiWithTwoSgs_all_vpcs_explain_detail.txt | 18 +- ...iNIsToSingleNI_all_vpcs_explain_detail.txt | 14 +- ...CVsiToExternal_all_vpcs_explain_detail.txt | 6 +- ...ltiVPCVsiToVsi_all_vpcs_explain_detail.txt | 12 +- ...bledDenyPrefix_all_vpcs_explain_detail.txt | 8 +- ...blesTCPRespond_all_vpcs_explain_detail.txt | 12 +- ...eDefaultFilter_all_vpcs_explain_detail.txt | 12 +- ...SpecificFilter_all_vpcs_explain_detail.txt | 12 +- ...tgwExampleCidr_all_vpcs_explain_detail.txt | 80 ++++---- ...NoProtocolConn_all_vpcs_explain_detail.txt | 8 +- ...odeSubsetRules_all_vpcs_explain_detail.txt | 14 +- .../out/lint_out/PartialTCPRespond_Lint | 24 +-- .../examples/out/lint_out/acl3_3rd_Lint | 8 +- .../out/lint_out/acl3_shadowed_rules_Lint | 16 +- ...3_shadowed_rules_other_lints_disabled_Lint | 6 +- .../examples/out/lint_out/basic_acl3_Lint | 8 +- .../examples/out/lint_out/basic_sg1_Lint | 24 +-- .../examples/out/lint_out/multivpc_Lint | 12 +- .../out/lint_out/multivpc_partly_overlap_Lint | 12 +- .../out/lint_out/multivpc_print_all_Lint | 12 +- pkg/ibmvpc/nacl_analysis.go | 4 +- pkg/ibmvpc/sg_analysis.go | 4 +- 65 files changed, 481 insertions(+), 481 deletions(-) diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt index f3526fa2b..d40333dbf 100644 --- a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt +++ b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow and deny rules - direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: protocol: icmp - direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: protocol: icmp + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all Ingress: network ACL acl1-ky allows connection with 
the following allow rules - direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all ------------------------------------------------------------------------------------------------------------------------
diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go
index 01b7090c3..bb5bb016a 100644
--- a/pkg/awsvpc/nacl_analysis.go
+++ b/pkg/awsvpc/nacl_analysis.go
@@ -99,8 +99,8 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 direction = commonvpc.Inbound
 }
 ruleRes = &commonvpc.NACLRule{Src: src, Dst: dst, Connections: conns, Action: action}
- ruleStr = fmt.Sprintf("ruleNumber: %d, direction: %s ,cidr: %s, action: %s, conn: %s\n",
- ruleNumber, direction, ip, action, connStr)
+ ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, conn: %s\n",
+ ruleNumber, action, direction, ip, connStr)
 return ruleStr, ruleRes, isIngress, nil
 }
diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
index 93cd3a467..7c59a1e8f 100644
--- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
+++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
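Review bot: The reordered rule string in `GetNACLRule` (pkg/awsvpc/nacl_analysis.go) has no matching fixture update. As far as the diffstat shows, every expected-output file touched sits under `pkg/ibmvpc/examples/out` or `cmd/analyzer/expected_out` and carries the IBM-style fields, so the AWS format appears not to be pinned by any golden file. Operators read this text to audit which NACL entry allows or denies a path, so a small unit test asserting the exact `ruleStr` for one allow and one deny entry would catch accidental drift in field order. The `cidr:` label also does not say which side of the rule `ip` is, unlike the IBM strings that print `source:` and `destination:`. If `ip` is the source for inbound entries and the destination for outbound ones (it is assigned above the hunk, so this is an assumption to confirm), a comment on the `Sprintf` such as `// cidr is the remote side: source when inbound, destination when outbound` would make that explicit. The function body starts outside the hunk.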
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ @@ -38,7 +38,7 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt index 3beeb8e72..f262044b4 100644 --- a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt 
@@ -15,32 +15,32 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-clusterid:1 allows connection with the following allow rules - direction: outbound, id: id:304, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all + id: id:304, direction: outbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all security group ky-test-default-sg allows connection with the following allow rules - direction: outbound, id: id:318, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:318, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: 
protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 - direction: inbound, id: id:302, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:302, direction: inbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:320, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:320, direction: inbound, local: 0.0.0.0/0, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 
192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt index e6545a858..340c68068 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt 
@@ -18,29 +18,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, source: 192.168.32.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, 
dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -59,29 +59,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, source: 192.168.32.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, 
dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -100,29 +100,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, 
direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -141,29 +141,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, source: 192.168.16.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: 
protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, source: 0.0.0.0/0 , destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -182,29 +182,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, source: 192.168.16.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: 
protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, source: 0.0.0.0/0 , destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -223,29 +223,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, source: 192.168.16.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: 
protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, source: 0.0.0.0/0 , destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -264,29 +264,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, source: 192.168.32.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: 
udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -305,16 +305,16 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -333,29 +333,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:296, 
direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt index ac416354e..8bad24c85 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt 
@@ -22,17 +22,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -55,17 +55,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -88,17 +88,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ 
@@ -121,17 +121,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -154,17 +154,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -187,17 +187,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -220,13 +220,13 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -249,17 +249,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ 
@@ -282,17 +282,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt index 4cc27c270..d79eb3e17 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt index 302fcccc9..4028e0b32 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt 
@@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt index 6c2f23f50..2400e340f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -37,7 +37,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt index 4b700417d..af818ad19 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow and deny rules - direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: protocol: icmp - direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: protocol: icmp + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all Ingress: network ACL acl1-ky allows connection with 
the following allow rules - direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt index 1729fa0b2..6a1c835a6 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt index 2c4da44b2..e303acbcb 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt @@ -18,14 +18,14 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky has no relevant allow rules Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: acl3-in-1, priority: 1, action: allow, source: 10.240.10.0/24 , destination: 0.0.0.0/0, conn: all + name: acl3-in-1, priority: 1, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt index 70c67511b..0167e870f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt 
@@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt index c2b06f553..cd9a2e27d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt @@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -35,11 +35,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -55,11 +55,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt index 59929ab7d..ce9b550cb 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt 
@@ -18,15 +18,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky blocks connection with the following deny rules: - direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt index ef01dd824..54d02985e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt 
@@ -17,9 +17,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-600, dstPorts: 1-50 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-600, dstPorts: 1-50 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt index 466d750d2..d172ea214 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt index 9c304658f..795b7318d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt @@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt index 1fb6f006d..824c9eddd 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt @@ -17,10 +17,10 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 - direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: all + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: all TCP response is disabled; The relevant rules are: Ingress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt index 282dc0cc2..fe2277422 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt 
@@ -17,9 +17,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: all + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: all TCP response is disabled; The relevant rules are: Ingress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt index e1b7c992e..e4845c06e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-2, priority: 2, action: allow, source: 10.240.10.0/24 , destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt index ead09e66b..a2a04097a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 110-205, dstPorts: 20-100 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 110-205, dstPorts: 20-100 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 115-215, dstPorts: 25-95 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 115-215, dstPorts: 25-95 security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows 
connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt index ad2968fa6..84b558edb 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 
1-50, dstPorts: 100-200 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt index 0c6dc7b39..f31e3ae82 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt index 8ce1dff0c..9cf0a1032 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt index 4a87ec56a..b42a0e75f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt index a896d2892..b9bea9cf7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ @@ -38,7 +38,7 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt index dd2faf8f8..b9546f560 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt 
@@ -19,11 +19,11 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg3-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt index 502ab14da..2b3d69db6 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, 
action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt index 3f7616660..fdbae6f24 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt 
@@ -15,15 +15,15 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt index 3c8bb59aa..db03d5107 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: 
allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt index 8dd56c73b..0a3fde63f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, 
action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt index 4a1c875d8..22d823214 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt 
@@ -17,14 +17,14 @@ Details: Path is enabled; The relevant rules are: Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:143, remote: 147.235.219.206/32, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 22-22 + id: id:143, direction: inbound, local: 0.0.0.0/0, remote: 147.235.219.206/32, conns: protocol: tcp, dstPorts: 22-22 TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt index 0da9aa225..e3b490879 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt index 3458576f4..7a00c094e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt index 7649c8910..00d3b4e08 100644 --- a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt 
@@ -16,25 +16,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows 
connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt index 38426fefc..307d71edc 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all + id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:153, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:153, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 TCP response is enabled; The relevant rules are: Egress: network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl2-ky 
allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt index efd17973f..2557d9ded 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:141, remote: 10.240.10.0/24, local: 0.0.0.0/0, conns: protocol: all + id: id:141, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, conns: protocol: all network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: all + id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt index 2de522d1a..33111d8a4 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, 
action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt index c4478447a..de9988303 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt 
@@ -19,13 +19,13 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:147, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, conns: protocol: all + id: id:147, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt index 39f5b345e..dc810eed8 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt 
@@ -19,15 +19,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg2-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt index 17602a679..be7fc12c7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt @@ -19,15 +19,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky has no relevant allow rules security group sg3-ky has no relevant allow rules diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt index 6e476bc95..61137ee53 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt 
@@ -15,27 +15,27 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), conns: protocol: all security group sg3-ky has no relevant allow rules TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, 
source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt index 03a82822a..205779e60 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt 
@@ -15,28 +15,28 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), conns: protocol: all security group sg3-ky allows connection with the following allow rules - direction: inbound, id: id:127, remote: 10.240.30.0/24, local: 0.0.0.0/0, conns: protocol: all + id: id:127, direction: inbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, 
conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt index d3168cff9..6cc9f62f8 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:96, remote: 10.240.10.0/24, local: 0.0.0.0/0, conns: protocol: all + id: id:96, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:89, remote: sg2-ky (10.240.20.4/31), local: 0.0.0.0/0, conns: protocol: all + id: id:89, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/31), conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all 
------------------------------------------------------------------------------------------------------------------------ @@ -54,7 +54,7 @@ Path is disabled; The relevant rules are: Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:87, remote: sg1-ky (10.240.10.4/31), local: 0.0.0.0/0, conns: protocol: all + id: id:87, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/31), conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt index ea21f99fd..c1b28605c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt 
@@ -16,14 +16,14 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:412, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:412, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 10.240.1.0/24 , destination: 172.217.22.46/32, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 10.240.1.0/24, destination: 172.217.22.46/32, conn: all TCP response is enabled; The relevant rules are: Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 172.217.22.46/32 , destination: 10.240.1.0/24, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 172.217.22.46/32, destination: 10.240.1.0/24, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt index c6c360612..a4e1fdab6 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg31-ky allows connection with the following allow rules - direction: outbound, id: id:405, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:405, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl31-ky allows connection with the following allow rules - direction: outbound, name: acl31-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl31-ky allows connection with the following allow rules - direction: inbound, name: acl31-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg31-ky allows connection with the following allow rules - direction: inbound, id: id:403, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:403, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl31-ky allows connection with the following allow rules - direction: outbound, name: acl31-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL acl31-ky allows connection with the following allow rules - direction: inbound, name: acl31-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt index da1d85ee5..dbd4ec5db 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt 
@@ -20,18 +20,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt index 7c9136b57..51c8dbaae 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt 
@@ -17,30 +17,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl1-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter default prefix, action: permit Ingress: network ACL acl11-ky allows connection with the following allow rules - direction: inbound, name: acl11-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg11-ky allows connection with the following allow rules - direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is disabled; The relevant rules are: Egress: network ACL acl11-ky allows connection with the following allow rules - direction: outbound, name: acl11-out-2, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following 
allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt index 7bd6abf1c..7114f1c77 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter default prefix, action: permit Ingress: network ACL acl11-ky allows connection with the following allow rules - direction: inbound, name: acl11-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg11-ky allows connection with the following allow rules - direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl11-ky allows connection with the following allow rules - direction: outbound, name: acl11-out-2, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter default prefix, action: permit Ingress: network ACL acl3-ky allows connection with the following allow rules - direction: inbound, 
name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt index 3792a8a2b..40bc988a4 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - 
direction: inbound, name: acl21-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt index fa64f1fc1..07fc92db8 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - 
direction: inbound, name: acl21-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -56,30 +56,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - 
direction: inbound, name: acl21-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -96,30 +96,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - 
direction: inbound, name: acl21-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -136,30 +136,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - direction: outbound, name: acl1-out-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - 
direction: inbound, name: acl21-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ @@ -180,18 +180,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -212,18 +212,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -244,18 +244,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -276,18 +276,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all network ACL acl21-ky allows connection with the following allow rules - direction: outbound, name: acl21-out-2, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - direction: inbound, name: acl1-in-1, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt index 0984be4d1..19f518252 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt 
@@ -19,15 +19,15 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 has no relevant allow rules network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, source: 192.168.32.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt index 7e275a587..4c900a6fe 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - direction: outbound, name: allow-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: inbound, name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, source: 192.168.32.0/20 , destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - direction: outbound, name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, source: 0.0.0.0/0 , 
destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - direction: inbound, name: allow-inbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint index b43430161..f599736b5 100644 --- a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint 
@@ -20,11 +20,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -32,19 +32,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, conns: protocol: all + id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, conns: protocol: all + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + Rule details: id: id:125, 
direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint index 052104e1c..9e6acb55e 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint 
@@ -15,19 +15,19 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-2, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-1, priority: 1, action: deny, source: 0.0.0.0/0 , destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: direction: inbound, name: acl3-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: outbound, name: acl3-out-2, priority: 2, action: allow, source: 10.240.30.0/31 , destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint index f72d8102b..bd48b8e1b 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint 
@@ -15,31 +15,31 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-2, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-1, priority: 1, action: deny, source: 0.0.0.0/0 , destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: outbound, name: acl2-in-4-shadowed-by, priority: 4, action: allow, source: 10.240.20.0/28 , destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 
4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all Shadowing rules: - direction: outbound, name: acl2-out-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: protocol: icmp - direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: protocol: icmp + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule splits subnet "subnet2-ky" (10.240.20.0/24). - Rule details: direction: outbound, name: acl2-in-4-shadowed-by, priority: 4, action: allow, source: 10.240.20.0/28 , destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, name: acl3-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: direction: outbound, name: acl3-out-2, priority: 2, action: allow, source: 10.240.30.0/31 , destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint index f845ae89e..42c65500e 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint 
@@ -1,7 +1,7 @@ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: outbound, name: acl2-in-4-shadowed-by, priority: 4, action: allow, source: 10.240.20.0/28 , destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all Shadowing rules: - direction: outbound, name: acl2-out-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: protocol: icmp - direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all + name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: protocol: icmp + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all diff --git a/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint b/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint index 7ef9b582e..b4e5423c3 100644 --- a/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint 
@@ -15,19 +15,19 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-2, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: direction: inbound, name: acl2-in-1, priority: 1, action: deny, source: 0.0.0.0/0 , destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: direction: inbound, name: acl3-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: outbound, name: acl3-out-2, priority: 2, action: allow, source: 10.240.30.0/31 , destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint index b544e84b4..2f233d13d 100644 --- a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint 
@@ -11,11 +11,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: all + Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -23,19 +23,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, conns: protocol: all + id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, conns: protocol: all + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + Rule details: id: id:125, 
direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint index 93df7224a..3334b6747 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint 
@@ -16,16 +16,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: inbound, name: acl2-in-2, priority: 3, action: allow, source: 10.240.1.0/24 , destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all Shadowing rules: - direction: inbound, name: acl2-in-0, priority: 1, action: deny, source: 10.240.0.0/16 , destination: 10.240.2.0/24, conn: all - direction: inbound, name: acl2-in-1, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: outbound, name: acl2-out-2, priority: 3, action: allow, source: 10.240.2.0/24 , destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all Shadowing rules: - direction: outbound, name: acl2-out-0, priority: 1, action: deny, source: 10.240.2.0/24 , destination: 10.240.0.0/16, conn: all - direction: outbound, name: acl2-out-1, priority: 2, action: allow, source: 10.240.2.0/24 , destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, 
destination: 0.0.0.0/0, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint index afdab8d15..fcb32b320 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint 
@@ -16,16 +16,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: inbound, name: acl2-in-2, priority: 3, action: allow, source: 10.240.1.0/24 , destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all Shadowing rules: - direction: inbound, name: acl2-in-0, priority: 1, action: deny, source: 10.240.0.0/16 , destination: 10.240.2.0/24, conn: all - direction: inbound, name: acl2-in-1, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: outbound, name: acl2-out-2, priority: 3, action: allow, source: 10.240.2.0/24 , destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all Shadowing rules: - direction: outbound, name: acl2-out-0, priority: 1, action: deny, source: 10.240.2.0/24 , destination: 10.240.0.0/16, conn: all - direction: outbound, name: acl2-out-1, priority: 2, action: allow, source: 10.240.2.0/24 , destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, 
destination: 0.0.0.0/0, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint index ba3507f0a..f854dac26 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint 
@@ -17,16 +17,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: inbound, name: acl2-in-2, priority: 3, action: allow, source: 10.240.1.0/24 , destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all Shadowing rules: - direction: inbound, name: acl2-in-0, priority: 1, action: deny, source: 10.240.0.0/16 , destination: 10.240.2.0/24, conn: all - direction: inbound, name: acl2-in-1, priority: 2, action: allow, source: 0.0.0.0/0 , destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: direction: outbound, name: acl2-out-2, priority: 3, action: allow, source: 10.240.2.0/24 , destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all Shadowing rules: - direction: outbound, name: acl2-out-0, priority: 1, action: deny, source: 10.240.2.0/24 , destination: 10.240.0.0/16, conn: all - direction: outbound, name: acl2-out-1, priority: 2, action: allow, source: 10.240.2.0/24 , destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, 
destination: 0.0.0.0/0, conn: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go index 33f9f576e..e85d9215d 100644 --- a/pkg/ibmvpc/nacl_analysis.go +++ b/pkg/ibmvpc/nacl_analysis.go @@ -99,8 +99,8 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm ruleRes = &commonvpc.NACLRule{Src: srcIP, Dst: dstIP, Connections: conns, Action: action} isIngress = direction == commonvpc.Inbound priority := na.getNACLRulePriority(direction, index) - ruleStr = fmt.Sprintf("direction: %s, name: %s, priority: %d, action: %s, source: %s , destination: %s,"+ - " conn: %s\n", direction, name, priority, action, src, dst, connStr) + ruleStr = fmt.Sprintf("name: %s, priority: %d, action: %s, direction: %s, source: %s, destination: %s,"+ + " conn: %s\n", name, priority, action, direction, src, dst, connStr) return ruleStr, ruleRes, isIngress, nil } diff --git a/pkg/ibmvpc/sg_analysis.go b/pkg/ibmvpc/sg_analysis.go index bc004e8e0..9a640fc7a 100644 --- a/pkg/ibmvpc/sg_analysis.go +++ b/pkg/ibmvpc/sg_analysis.go @@ -157,8 +157,8 @@ func getRuleStr(direction, id, connStr, remoteCidr, remoteSGName, localCidr stri if remoteSGName != "" { remoteSGStr = remoteSGName + " (" + remoteCidr + ")" } - return fmt.Sprintf("direction: %s, id: %s, remote: %s, local: %s, conns: %s\n", - direction, id, remoteSGStr, localCidr, connStr) + return fmt.Sprintf("id: %s, direction: %s, local: %s, remote: %s, conns: %s\n", + id, direction, localCidr, remoteSGStr, connStr) } func (sga *IBMSGAnalyzer) getProtocolICMPRule(ruleObj *vpc1.SecurityGroupRuleSecurityGroupRuleProtocolIcmp) ( From 00ffc0980739b155db22c46ae9eb19ae2eddadcb Mon Sep 17 00:00:00 2001 
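Review bot: The NACL rule string built in GetNACLRule still ends with the label `conn:`, while `getRuleStr` in pkg/ibmvpc/sg_analysis.go (the next hunk) ends with `conns:`, so after this reorder the two IBM rule formats still disagree on the name of the last field. The commit already rewrites both format strings and regenerates every expected-output file, so this is the cheap moment to settle on one label, for example `" conns: %s\n"` on the continuation line here. GetNACLRule starts above the hunk, so how connStr is produced is not visible.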
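Review bot: `getRuleStr` takes six adjacent `string` parameters (direction, id, connStr, remoteCidr, remoteSGName, localCidr), and the rendered order is now id, direction, local, remote, conns, which differs from the parameter order. A call site that transposes the local and remote arguments still compiles and yields a report attributing the CIDR to the wrong side of a security-group rule. A doc comment would make the contract explicit, for example `// getRuleStr renders "id, direction, local, remote, conns"; remote is "<sgName> (<cidr>)" when remoteSGName is set.` The opening lines of the function are outside the hunk, so the value of remoteSGStr when remoteSGName is empty is not visible.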
From: shirim Date: Thu, 5 Sep 2024 10:18:45 +0300 Subject: [PATCH 02/17] change order of fields in aws's nacl --- ...rom_external_public_subnet_all_vpcs_explain_detail.txt | 8 ++++---- .../out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt | 8 ++++---- .../explain_out/nacl_blocking_all_vpcs_explain_detail.txt | 4 ++-- ...locked_only_private_subnet_all_vpcs_explain_detail.txt | 2 +- ...to_external_private_subnet_all_vpcs_explain_detail.txt | 2 +- .../to_external_public_subnet_all_vpcs_explain_detail.txt | 4 ++-- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt index 26419c8a1..1cc6c6cec 100644 --- a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt @@ -17,8 +17,8 @@ Details: Path is enabled; The relevant rules are: Ingress: network ACL acl1 allows connection with the following allow and deny rules - ruleNumber: 10, direction: inbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 9080-9080 - ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all + ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 9080-9080 + ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all security group GroupId:35 allows connection with the following allow rules Inbound index: 0, direction: inbound, target: 147.0.0.0/8, conns: protocol: tcp, dstPorts: 0-65535 security group GroupId:9 has no relevant allow rules 
@@ -27,8 +27,8 @@ Path is enabled; The relevant rules are: TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1 allows connection with the following allow and deny rules - ruleNumber: 10, direction: outbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 1025-5000 - ruleNumber: 32767, direction: outbound ,cidr: 0.0.0.0/0, action: deny, conn: all + ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 1025-5000 + ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt index 423f610e3..20ad67ab6 100644 --- a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt 
@@ -17,22 +17,22 @@ Path is enabled; The relevant rules are: security group GroupId:50 allows connection with the following allow rules Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all security group GroupId:42 allows connection with the following allow rules Inbound index: 0, direction: inbound, target: 10.240.40.0/24, conns: protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt index e059119a5..6ebf87869 100644 --- a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt 
@@ -21,11 +21,11 @@ Path is disabled; The relevant rules are: security group GroupId:9 allows connection with the following allow rules Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all network ACL acl1 allows connection with the following allow rules - ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all + ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, conn: all Ingress: network ACL acl1 blocks connection with the following deny rules: - ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all + ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all security group GroupId:9 allows connection with the following allow rules Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt index 2f38eb04f..7307b5956 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt @@ -22,7 +22,7 @@ Path is disabled; The relevant rules are: Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all security group GroupId:42 has no relevant allow rules network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt index e41d54cfd..fc4fe6225 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt @@ -20,7 +20,7 @@ Path is disabled; The relevant rules are: Egress to public internet is blocked since subnet application is private security group GroupId:42 has no relevant allow rules network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt index 9508cec8a..174a8fe2b 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt 
@@ -19,12 +19,12 @@ Path is enabled; The relevant rules are: security group GroupId:35 allows connection with the following allow rules Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all TCP response is enabled; The relevant rules are: Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all ------------------------------------------------------------------------------------------------------------------------ From 06d49dcb33a456abeac3d5adf5a8ff839955bfb6 Mon Sep 17 00:00:00 2001 From: shirim Date: Thu, 5 Sep 2024 10:22:17 +0300 Subject: [PATCH 03/17] update test --- pkg/ibmvpc/sg_analysis_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/ibmvpc/sg_analysis_test.go b/pkg/ibmvpc/sg_analysis_test.go index d2f4f929b..a3813fcec 100644 --- a/pkg/ibmvpc/sg_analysis_test.go +++ b/pkg/ibmvpc/sg_analysis_test.go @@ -104,7 +104,7 @@ func TestSGRule(t *testing.T) { require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0") require.Equal(t, sgRule.Local.String(), "0.0.0.0/0") require.Equal(t, sgRule.Index, 0) - require.Equal(t, "direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all\n", ruleStr) + require.Equal(t, "id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all\n", ruleStr) ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1) require.Nil(t, err) require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0") From 20d73182b77bb6f9814b072d9281721c5c79ea4f Mon Sep 17 00:00:00 2001 
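Review bot: The context assertions around the updated line in TestSGRule pass the actual value first (`require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")`), while the updated rule-string assertion passes the expected value first. testify's `Equal` takes (expected, actual), so a failure on the older lines reports the two values under swapped labels. Consider flipping them, e.g. `require.Equal(t, "0.0.0.0/0", sgRule.Remote.Cidr.String())`, here and in the index-1 block touched by PATCH 04/17. Separately, this case has local and remote both equal to `0.0.0.0/0`, so it cannot detect a local/remote transposition in the reordered string; only the index-1 assertion (local `10.240.10.0/32`) does. TestSGRule begins and ends outside the hunk.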
From: shirim
Date: Thu, 5 Sep 2024 10:25:39 +0300
Subject: [PATCH 04/17] update test
---
 pkg/ibmvpc/sg_analysis_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/ibmvpc/sg_analysis_test.go b/pkg/ibmvpc/sg_analysis_test.go
index a3813fcec..7a21998b6 100644
--- a/pkg/ibmvpc/sg_analysis_test.go
+++ b/pkg/ibmvpc/sg_analysis_test.go
@@ -110,7 +110,7 @@ func TestSGRule(t *testing.T) {
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Local.String(), "10.240.10.0")
 require.Equal(t, sgRule.Index, 1)
- require.Equal(t, "direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 10.240.10.0/32, conns: protocol: all\n", ruleStr)
+ require.Equal(t, "id: id:154, direction: inbound, local: 10.240.10.0/32, remote: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
 }
 
 type sgTest struct {
From 586b6ec43bef65e0562a14c4c2964beea72fb883 Mon Sep 17 00:00:00 2001
From: shirim
Date: Thu, 5 Sep 2024 08:11:18 +0300
Subject: [PATCH 05/17] commented until https://github.com/np-guard/vpc-network-config-analyzer/issues/847 is fixed
---
 pkg/ibmvpc/analysis_output_test.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkg/ibmvpc/analysis_output_test.go b/pkg/ibmvpc/analysis_output_test.go
index 54e0958d0..ab407cef9 100644
--- a/pkg/ibmvpc/analysis_output_test.go
+++ b/pkg/ibmvpc/analysis_output_test.go
@@ -440,12 +440,13 @@ var tests = []*commonvpc.VpcGeneralTest{
 Grouping: true,
 Format: vpcmodel.ARCHSVG,
 },
- {
- InputConfig: "iks_workers_large",
- UseCases: []vpcmodel.OutputUseCase{vpcmodel.AllEndpoints},
- Grouping: true,
- Format: vpcmodel.DRAWIO,
- },
+ // commented until https://github.com/np-guard/vpc-network-config-analyzer/issues/847 is fixed
+ // {
+ // InputConfig: "iks_workers_large",
+ // UseCases: []vpcmodel.OutputUseCase{vpcmodel.AllEndpoints},
+ // Grouping: true,
+ // Format: vpcmodel.DRAWIO,
+ // },
 // Grouping test of identical names different resources and thus different UIDs that should not be merged
 {
 InputConfig: "sg_testing1_new_dup_subnets_names",
From 2154ddbeb8af7e803d5b4d78ee257ef631bfdaf1 Mon Sep 17 00:00:00 2001
From: shirim
Date: Thu, 5 Sep 2024 14:30:56 +0300
Subject: [PATCH 06/17] CR
---
 ...xternal_public_subnet_all_vpcs_explain_detail.txt | 10 +++++-----
 .../explain_out/ip_to_ip_all_vpcs_explain_detail.txt | 12 ++++++------
 .../nacl_blocking_all_vpcs_explain_detail.txt | 8 ++++----
 ..._subnet_no_connection_all_vpcs_explain_detail.txt | 2 +-
 ...et_partial_connection_all_vpcs_explain_detail.txt | 4 ++--
 ...d_only_private_subnet_all_vpcs_explain_detail.txt | 4 ++--
 ...ternal_private_subnet_all_vpcs_explain_detail.txt | 2 +-
 ...xternal_public_subnet_all_vpcs_explain_detail.txt | 6 +++---
 pkg/awsvpc/nacl_analysis.go | 4 ++--
 pkg/awsvpc/sg_analysis.go | 2 +-
 10 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt
index 1cc6c6cec..6354c19cf 100644
--- a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt
+++ b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt
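Review bot: Disabling the `iks_workers_large` DRAWIO case by commenting it out leaves no trace in the test run, so the lost coverage is easy to forget once issue 847 is closed. If the runner that iterates `tests` allows it (not visible here), a skipped sub-test such as `t.Skip("blocked by issue 847")` would keep the gap visible in `go test` output. Failing that, a greppable marker above the block helps, e.g. `// TODO(issue 847): re-enable iks_workers_large DRAWIO case`. The `tests` slice starts and ends outside the hunk.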
@@ -17,18 +17,18 @@ Details: Path is enabled; The relevant rules are: Ingress: network ACL acl1 allows connection with the following allow and deny rules - ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 9080-9080 - ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 9080-9080 + ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all security group GroupId:35 allows connection with the following allow rules - Inbound index: 0, direction: inbound, target: 147.0.0.0/8, conns: protocol: tcp, dstPorts: 0-65535 + Inbound index: 0, direction: inbound, target: 147.0.0.0/8, protocol: tcp, dstPorts: 0-65535 security group GroupId:9 has no relevant allow rules Ingress to public internet is allowed since subnet public is public TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1 allows connection with the following allow and deny rules - ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 1025-5000 - ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, protocol: tcp, dstPorts: 1025-5000 + ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt index 20ad67ab6..f54de2a62 100644 --- a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group GroupId:50 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all + Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all security group GroupId:42 allows connection with the following allow rules - Inbound index: 0, direction: inbound, target: 10.240.40.0/24, conns: protocol: all + Inbound index: 0, direction: inbound, target: 10.240.40.0/24, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt index 6ebf87869..33f057876 100644 
--- a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt @@ -19,15 +19,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group GroupId:9 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all + Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all network ACL acl1 allows connection with the following allow rules - ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, conn: all + ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, protocol: all Ingress: network ACL acl1 blocks connection with the following deny rules: - ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, protocol: all security group GroupId:9 allows connection with the following allow rules - Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all + Inbound index: 0, direction: inbound, target: 10.240.0.0/18, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/same_subnet_no_connection_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/same_subnet_no_connection_all_vpcs_explain_detail.txt index f4dfb80a7..3e5ce3ab0 100644 --- a/pkg/awsvpc/examples/out/explain_out/same_subnet_no_connection_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/same_subnet_no_connection_all_vpcs_explain_detail.txt 
@@ -20,7 +20,7 @@ Path is disabled; The relevant rules are: Egress: security group GroupId:35 has no relevant allow rules security group GroupId:9 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all + Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all Ingress: security group GroupId:35 has no relevant allow rules diff --git a/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt index b56a73622..39d140754 100644 --- a/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/same_subnet_partial_connection_all_vpcs_explain_detail.txt @@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group GroupId:9 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all + Outbound index: 0, direction: outbound, target: 10.240.0.0/18, protocol: all Ingress: security group GroupId:15 allows connection with the following allow rules - Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: udp, dstPorts: 0-65535 + Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: udp, dstPorts: 0-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt index 7307b5956..c0ff3b508 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt 
+++ b/pkg/awsvpc/examples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt @@ -19,10 +19,10 @@ Path is disabled; The relevant rules are: Egress: Egress to public internet is blocked since subnet application is private security group GroupId:35 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all + Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all security group GroupId:42 has no relevant allow rules network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt index fc4fe6225..26ad25dd3 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt @@ -20,7 +20,7 @@ Path is disabled; The relevant rules are: Egress to public internet is blocked since subnet application is private security group GroupId:42 has no relevant allow rules network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt index 174a8fe2b..3b8cca370 100644 --- a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt +++ b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt @@ -17,14 +17,14 @@ Path is enabled; The relevant rules are: Egress: Egress to public internet is allowed since subnet edge is public security group GroupId:35 allows connection with the following allow rules - Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all + Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Ingress: network ACL NetworkAclId:65 allows connection with the following allow rules - ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all + ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go index bb5bb016a..6c9ba5f05 100644 --- a/pkg/awsvpc/nacl_analysis.go +++ b/pkg/awsvpc/nacl_analysis.go @@ -62,7 +62,7 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm switch protocol { case allProtocols: conns = connection.All() - connStr = protocol + connStr = fmt.Sprintf("protocol: %s", protocol) case protocolTCP, protocolUDP: minPort := int64(*ruleObj.PortRange.From) maxPort := int64(*ruleObj.PortRange.To) 
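Review bot: In the `allProtocols` case of `GetNACLRule`, `connStr` now carries its own `protocol: ` label, and the later hunk at -99 drops the `conn: ` label from the `ruleStr` format string, so every case of this switch must produce a labelled string. The `protocolTCP, protocolUDP` case is cut off by the hunk, and the AWS expected-output files in this patch only show `protocol: all` NACL rules, so it is not visible whether that case was updated too. If it was not, those rule lines would print the connection after `cidr:` with no field name, which is ambiguous in output people read to decide whether traffic is allowed. I would add a TCP/UDP NACL rule to the explain examples and a comment above the switch such as `// each case sets connStr including its "protocol: ..." label; ruleStr appends it verbatim`. For a constant prefix, `connStr = "protocol: " + protocol` is simpler than `fmt.Sprintf`.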
@@ -99,7 +99,7 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm direction = commonvpc.Inbound } ruleRes = &commonvpc.NACLRule{Src: src, Dst: dst, Connections: conns, Action: action} - ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, conn: %s\n", + ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, %s\n", ruleNumber, action, direction, ip, connStr) return ruleStr, ruleRes, isIngress, nil } diff --git a/pkg/awsvpc/sg_analysis.go b/pkg/awsvpc/sg_analysis.go index 2b195a5fa..ed65d7367 100644 --- a/pkg/awsvpc/sg_analysis.go +++ b/pkg/awsvpc/sg_analysis.go @@ -104,7 +104,7 @@ func (sga *AWSSGAnalyzer) getProtocolTCPUDPRule(ruleObj *types.IpPermission, dir } func getRuleStr(direction, connStr, ipRanges string) string { - return fmt.Sprintf("direction: %s, target: %s, conns: %s\n", direction, ipRanges, connStr) + return fmt.Sprintf("direction: %s, target: %s, %s\n", direction, ipRanges, connStr) } func handleIcmpTypeCode(icmpType, icmpCode *int32) (newIcmpTypeMin, newIcmpTypeMax, From 2515b6ea39535972eb2d0062000a0a335ffb9ca9 Mon Sep 17 00:00:00 2001 
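Review bot: `getRuleStr` takes `(direction, connStr, ipRanges)` but prints them in the order direction, ipRanges, connStr, and the format string no longer labels the connection part. All three parameters are strings, so a call site that swaps the last two still compiles and would print a CIDR where the protocol belongs. A doc comment would pin the contract, for example `// getRuleStr renders one SG rule line; connStr must already include its "protocol: ..." label.` Reordering the signature to match the output order would be cleaner still, but the callers are outside this hunk, so that would have to be checked against them.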
From: shirim Date: Thu, 5 Sep 2024 14:39:14 +0300 Subject: [PATCH 07/17] CR --- ...ingExternalSG1_all_vpcs_explain_detail.txt | 6 +- ...sNodeToIksNode_all_vpcs_explain_detail.txt | 24 +-- .../LBToIksNode_all_vpcs_explain_detail.txt | 172 +++++++++--------- .../LBToResIPNode_all_vpcs_explain_detail.txt | 104 +++++------ .../NACLExternal1_all_vpcs_explain_detail.txt | 4 +- .../NACLExternal2_all_vpcs_explain_detail.txt | 2 +- .../NACLGrouping_all_vpcs_explain_detail.txt | 6 +- .../NACLInternal1_all_vpcs_explain_detail.txt | 14 +- .../NACLInternal2_all_vpcs_explain_detail.txt | 12 +- .../NACLInternal3_all_vpcs_explain_detail.txt | 6 +- .../NACLInternal4_all_vpcs_explain_detail.txt | 4 +- ...To4DstInternal_all_vpcs_explain_detail.txt | 12 +- ...enyNoConnQuery_all_vpcs_explain_detail.txt | 8 +- ...eryAllowSubset_all_vpcs_explain_detail.txt | 4 +- ...eryConnection1_all_vpcs_explain_detail.txt | 4 +- ...eryConnection2_all_vpcs_explain_detail.txt | 2 +- ...nnectionRules2_all_vpcs_explain_detail.txt | 6 +- ...nnectionRules3_all_vpcs_explain_detail.txt | 4 +- ...nnectionRules4_all_vpcs_explain_detail.txt | 4 +- ...lTCPAndRespond_all_vpcs_explain_detail.txt | 16 +- ...tialTCPRespond_all_vpcs_explain_detail.txt | 16 +- ...ectionSGBasic1_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic2_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic3_all_vpcs_explain_detail.txt | 4 +- ...ectionSGBasic4_all_vpcs_explain_detail.txt | 6 +- ...ectionSGBasic5_all_vpcs_explain_detail.txt | 4 +- ...ectionSGRules1_all_vpcs_explain_detail.txt | 16 +- ...ectionSGRules2_all_vpcs_explain_detail.txt | 8 +- ...ectionSGRules3_all_vpcs_explain_detail.txt | 14 +- ...ectionSGRules4_all_vpcs_explain_detail.txt | 16 +- ...nSGSubsetPorts_all_vpcs_explain_detail.txt | 6 +- ...pleExternalSG1_all_vpcs_explain_detail.txt | 4 +- ...pleExternalSG3_all_vpcs_explain_detail.txt | 4 +- ...pondPortsQuery_all_vpcs_explain_detail.txt | 14 +- .../VsiToVsi1_all_vpcs_explain_detail.txt | 14 +- 
.../VsiToVsi2_all_vpcs_explain_detail.txt | 12 +- .../VsiToVsi3_all_vpcs_explain_detail.txt | 16 +- .../VsiToVsi4_all_vpcs_explain_detail.txt | 6 +- .../VsiToVsi5_all_vpcs_explain_detail.txt | 10 +- ...eitherEnabling_all_vpcs_explain_detail.txt | 10 +- ...SgsOneEnabling_all_vpcs_explain_detail.txt | 16 +- .../VsiWithTwoSgs_all_vpcs_explain_detail.txt | 18 +- ...iNIsToSingleNI_all_vpcs_explain_detail.txt | 14 +- ...CVsiToExternal_all_vpcs_explain_detail.txt | 6 +- ...ltiVPCVsiToVsi_all_vpcs_explain_detail.txt | 12 +- ...bledDenyPrefix_all_vpcs_explain_detail.txt | 8 +- ...blesTCPRespond_all_vpcs_explain_detail.txt | 12 +- ...eDefaultFilter_all_vpcs_explain_detail.txt | 12 +- ...SpecificFilter_all_vpcs_explain_detail.txt | 12 +- ...tgwExampleCidr_all_vpcs_explain_detail.txt | 80 ++++---- ...NoProtocolConn_all_vpcs_explain_detail.txt | 8 +- ...odeSubsetRules_all_vpcs_explain_detail.txt | 14 +- .../out/lint_out/PartialTCPRespond_Lint | 24 +-- .../examples/out/lint_out/acl3_3rd_Lint | 8 +- .../out/lint_out/acl3_shadowed_rules_Lint | 16 +- ...3_shadowed_rules_other_lints_disabled_Lint | 6 +- .../examples/out/lint_out/basic_acl3_Lint | 8 +- .../examples/out/lint_out/basic_sg1_Lint | 24 +-- .../examples/out/lint_out/multivpc_Lint | 12 +- .../out/lint_out/multivpc_partly_overlap_Lint | 12 +- .../out/lint_out/multivpc_print_all_Lint | 12 +- pkg/ibmvpc/nacl_analysis.go | 4 +- pkg/ibmvpc/sg_analysis.go | 4 +- 63 files changed, 472 insertions(+), 472 deletions(-) diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt index 7c59a1e8f..72e9dc049 100644 --- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -38,7 +38,7 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt index f262044b4..90d33ac22 100644 --- a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt 
@@ -15,32 +15,32 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-clusterid:1 allows connection with the following allow rules - id: id:304, direction: outbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all + direction: outbound, id: id:304, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all security group ky-test-default-sg allows connection with the following allow rules - id: id:318, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:318, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, 
dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 - id: id:302, direction: inbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + direction: inbound, id: id:302, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all security group ky-test-default-sg allows connection with the following allow rules - id: id:320, direction: inbound, local: 0.0.0.0/0, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:320, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: 
allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt index 340c68068..fbf23739b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt 
@@ -18,29 +18,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 
+ direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -59,29 +59,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 
+ direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -100,29 +100,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, 
remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -141,29 +141,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 
30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -182,29 +182,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 
30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -223,29 +223,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 
30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, conn: all + name: allow-traffic-subnet-transit-outbound, priority: 4, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.16.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -264,29 +264,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 
30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -305,16 +305,16 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -333,29 +333,29 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:296, 
remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all + name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt index 8bad24c85..527578e77 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt 
@@ -22,17 +22,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -55,17 +55,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -88,17 +88,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ 
@@ -121,17 +121,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -154,17 +154,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -187,17 +187,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -220,13 +220,13 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -249,17 +249,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ 
@@ -282,17 +282,17 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 - id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp, dstPorts: 1-65535 + direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt index d79eb3e17..1060e1bc5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt index 4028e0b32..a9d4e7e8d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt 
@@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt index 2400e340f..b0e49710e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -37,7 +37,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt index af818ad19..f7b9c0072 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow and deny rules - name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: protocol: icmp - name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all Ingress: network ACL acl1-ky allows connection with the 
following allow rules - name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt index 6a1c835a6..31c54aa08 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl2-ky allows connection with the following allow rules - name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt index e303acbcb..4d4e98e4e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt @@ -18,14 +18,14 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules Ingress: network ACL acl3-ky allows connection with the following allow rules - name: acl3-in-1, priority: 1, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 0.0.0.0/0, conn: all + name: acl3-in-1, priority: 1, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt index 0167e870f..11cd1d6ec 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt 
@@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt index cd9a2e27d..7cb0cb9fa 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt @@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -35,11 +35,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -55,11 +55,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt index ce9b550cb..5cf7d2c87 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt 
@@ -18,15 +18,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky blocks connection with the following deny rules: - name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt index 54d02985e..4047f3302 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt 
@@ -17,9 +17,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-600, dstPorts: 1-50 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-600, dstPorts: 1-50 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt index d172ea214..06ca51e0f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt index 795b7318d..dffced663 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt @@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt index 824c9eddd..edb62ce93 100644 
--- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt @@ -17,10 +17,10 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 - name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: all + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: all TCP response is disabled; The relevant rules are: Ingress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt index fe2277422..3e2a87484 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt 
@@ -17,9 +17,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: all + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: all TCP response is disabled; The relevant rules are: Ingress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt index e4845c06e..c4b4ee468 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, conn: protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 + name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt index a2a04097a..033d76c6b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 110-205, dstPorts: 20-100 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 110-205, dstPorts: 20-100 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 115-215, dstPorts: 25-95 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 115-215, dstPorts: 25-95 security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - 
name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt index 84b558edb..a080cf3f9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 + 
name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt index f31e3ae82..bd07c313a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt index 9cf0a1032..1eaa52665 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt index b42a0e75f..c3179f136 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt index b9bea9cf7..4c76bfa76 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -38,7 +38,7 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt index b9546f560..92559ae6e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic5_all_vpcs_explain_detail.txt 
@@ -19,11 +19,11 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg3-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt index 2b3d69db6..4de5a33f7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, 
direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt index fdbae6f24..8766b967c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt 
@@ -15,15 +15,15 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt index db03d5107..ce4404518 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, 
source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt index 0a3fde63f..5b6e68863 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, 
direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt index 22d823214..de75db68c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt 
@@ -17,14 +17,14 @@ Details: Path is enabled; The relevant rules are: Ingress: network ACL acl2-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - id: id:143, direction: inbound, local: 0.0.0.0/0, remote: 147.235.219.206/32, conns: protocol: tcp, dstPorts: 22-22 + direction: inbound, id: id:143, remote: 147.235.219.206/32, local: 0.0.0.0/0, protocol: tcp, dstPorts: 22-22 TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt index e3b490879..b611ff2a5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt index 7a00c094e..aa7d9723f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp, dstPorts: 1-65535 + direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt index 00d3b4e08..370c8d0a9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt 
@@ -16,25 +16,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is partly enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 1-50, dstPorts: 100-200 Ingress: network ACL acl3-ky allows connection with the 
following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 10-60, dstPorts: 100-220 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt index 307d71edc..a2014e3e6 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt 
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all - id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 network ACL acl2-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - id: id:153, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 + direction: inbound, id: id:153, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 TCP response is enabled; The relevant rules are: Egress: network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl2-ky allows 
connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt index 2557d9ded..e5b52eac9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - id: id:141, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, conns: protocol: all + direction: outbound, id: id:141, remote: 10.240.10.0/24, local: 0.0.0.0/0, protocol: all network ACL acl2-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all + direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt index 33111d8a4..383e405a0 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt 
@@ -15,26 +15,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, 
direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt index de9988303..472f0d065 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt 
@@ -19,13 +19,13 @@ Path is disabled; The relevant rules are: Egress: security group sg1-ky has no relevant allow rules network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - id: id:147, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all + direction: inbound, id: id:147, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt index dc810eed8..a5b8c7462 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt 
@@ -19,15 +19,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt index be7fc12c7..1b6bd742f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt 
@@ -19,15 +19,15 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky has no relevant allow rules security group sg3-ky has no relevant allow rules diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt index 61137ee53..ef0033314 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt 
@@ -15,27 +15,27 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all security group sg3-ky has no relevant allow rules TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, 
destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt index 205779e60..5891c0e72 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt 
@@ -15,28 +15,28 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), conns: protocol: all + direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all security group sg3-ky allows connection with the following allow rules - id: id:127, direction: inbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all + direction: inbound, id: id:127, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all TCP response 
is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl3-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt index 6cc9f62f8..df05b5774 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - id: id:96, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, conns: protocol: all + direction: outbound, id: id:96, remote: 10.240.10.0/24, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:89, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/31), conns: protocol: all + direction: inbound, id: id:89, remote: sg2-ky (10.240.20.4/31), local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl1-ky allows connection with the following allow rules - name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl1-ky allows connection with the following allow rules - name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
------------------------------------------------------------------------------------------------------------------------ @@ -54,7 +54,7 @@ Path is disabled; The relevant rules are: Ingress: security group sg1-ky allows connection with the following allow rules - id: id:87, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/31), conns: protocol: all + direction: inbound, id: id:87, remote: sg1-ky (10.240.10.4/31), local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt index c1b28605c..ffa412d2b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt 
@@ -16,14 +16,14 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:412, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:412, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 10.240.1.0/24, destination: 172.217.22.46/32, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 10.240.1.0/24, destination: 172.217.22.46/32, protocol: all TCP response is enabled; The relevant rules are: Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 172.217.22.46/32, destination: 10.240.1.0/24, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 172.217.22.46/32, destination: 10.240.1.0/24, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt index a4e1fdab6..bbc278f67 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt 
@@ -15,24 +15,24 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg31-ky allows connection with the following allow rules - id: id:405, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:405, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl31-ky allows connection with the following allow rules - name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl31-ky allows connection with the following allow rules - name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg31-ky allows connection with the following allow rules - id: id:403, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:403, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl31-ky allows connection with the following allow rules - name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL acl31-ky allows connection with the following allow rules - name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt index dbd4ec5db..ecc3f28e5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt 
@@ -20,18 +20,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt index 51c8dbaae..7691616d3 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt 
@@ -17,30 +17,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter default prefix, action: permit Ingress: network ACL acl11-ky allows connection with the following allow rules - name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg11-ky allows connection with the following allow rules - id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is disabled; The relevant rules are: Egress: network ACL acl11-ky allows connection with the following allow rules - name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow 
rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt index 7114f1c77..bbf584096 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl3-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection1 with the following prefix filter default prefix, action: permit Ingress: network ACL acl11-ky allows connection with the following allow rules - name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg11-ky allows connection with the following allow rules - id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl11-ky allows connection with the following allow rules - name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl11-out-2, priority: 2, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter default prefix, action: permit Ingress: network ACL acl3-ky allows connection with the following allow rules - name: acl1-in-1, priority: 
1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt index 40bc988a4..6906f59c3 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - name: 
acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt index 07fc92db8..a924a402b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt 
@@ -16,30 +16,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - name: 
acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -56,30 +56,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - name: 
acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -96,30 +96,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - name: 
acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -136,30 +136,30 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection0 with the following prefix filter index: 0, action: permit, prefix: 10.240.4.0/22 Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky allows connection via transit connection tg_connection2 with the following prefix filter default prefix, action: permit Ingress: network ACL acl21-ky allows connection with the following allow rules - name: 
acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -180,18 +180,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -212,18 +212,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -244,18 +244,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -276,18 +276,18 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules - name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all transit gateway local-tg-ky blocks connection via transit connection tg_connection0 with the following prefix filter index: 1, action: deny, ge: 22, le: 23, prefix: 10.240.0.0/21 Ingress: network ACL acl1-ky allows connection with the following allow rules - name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt index 19f518252..cffa8175f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt 
@@ -19,15 +19,15 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 has no relevant allow rules network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8 + direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt index 4c900a6fe..b0f241ca9 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt 
@@ -16,26 +16,26 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all Ingress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, conn: all + name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 30000-32767 + direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 security group ky-test-default-sg allows connection with the following allow rules - id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL ky-test-private-2-others-acl allows connection with the following allow rules - name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 
192.168.32.0/20, conn: all + name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all Ingress: network ACL ky-test-edge-acl allows connection with the following allow rules - name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all + name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint index f599736b5..40ab8d74f 100644 --- a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint 
@@ -20,11 +20,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all + Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all + Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -32,19 +32,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 + Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, conns: protocol: all - id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all + direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 
0.0.0.0/0, protocol: tcp, dstPorts: 100-200 Implying rules: - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint index 9e6acb55e..b38f5a895 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_3rd_Lint 
@@ -15,19 +15,19 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, protocol: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint index bd48b8e1b..10634809a 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_Lint 
@@ -15,31 +15,31 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: 
allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, protocol: all Shadowing rules: - name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: protocol: icmp - name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: icmp + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule splits subnet "subnet2-ky" (10.240.20.0/24). - Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, protocol: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, protocol: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint index 42c65500e..da6b9db66 100644 --- a/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/acl3_shadowed_rules_other_lints_disabled_Lint 
@@ -1,7 +1,7 @@ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, conn: all + Rule details: name: acl2-in-4-shadowed-by, priority: 4, action: allow, direction: outbound, source: 10.240.20.0/28, destination: 10.240.10.0/24, protocol: all Shadowing rules: - name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: protocol: icmp - name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl2-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: icmp + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all diff --git a/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint b/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint index b4e5423c3..46f380e22 100644 --- a/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/basic_acl3_Lint 
@@ -15,19 +15,19 @@ ________________________________________________________________________________ "Network ACL rules referencing CIDRs outside of the VPC address space" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.206/31 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-2, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.206/31, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 In VPC "test-vpc1-ky", network ACL "acl2-ky" ingress rule with destination 147.235.219.207 is outside of the VPC's Address Range (10.240.10.0/24, 10.240.20.0/24, 10.240.30.0/24) - Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, conn: protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 + Rule details: name: acl2-in-1, priority: 1, action: deny, direction: inbound, source: 0.0.0.0/0, destination: 147.235.219.207/32, protocol: tcp, srcPorts: 1-65535, dstPorts: 22-22 ________________________________________________________________________________________________________________________________________________________________________________________________________ "Network ACLs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). 
- Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, conn: all + Rule details: name: acl3-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.30.0/31, protocol: all In VPC "test-vpc1-ky", network ACL "acl3-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, conn: all + Rule details: name: acl3-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.30.0/31, destination: 10.240.20.0/24, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ "SG not applied to any resources" issues: diff --git a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint index 2f233d13d..d9b382023 100644 --- a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint 
@@ -11,11 +11,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), conns: protocol: all + Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), conns: protocol: all + Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: all + Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -23,19 +23,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), conns: protocol: tcp, dstPorts: 1-65535 + Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, conns: protocol: all - id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, conns: protocol: all + direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 
0.0.0.0/0, protocol: tcp, dstPorts: 100-200 Implying rules: - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all - id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint index 3334b6747..6c46f8067 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_Lint 
@@ -16,16 +16,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, protocol: all Shadowing rules: - name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all - name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, protocol: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, protocol: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, protocol: all Shadowing rules: - name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all - name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, protocol: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 
10.240.2.0/24, destination: 0.0.0.0/0, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint index fcb32b320..757c3c6e7 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_partly_overlap_Lint 
@@ -16,16 +16,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, protocol: all Shadowing rules: - name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all - name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, protocol: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, protocol: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, protocol: all Shadowing rules: - name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all - name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, protocol: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 
10.240.2.0/24, destination: 0.0.0.0/0, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint b/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint index f854dac26..c694fba3a 100644 --- a/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/multivpc_print_all_Lint 
@@ -17,16 +17,16 @@ ________________________________________________________________________________ "Network ACL rules shadowed by higher priority rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, conn: all + Rule details: name: acl2-in-2, priority: 3, action: allow, direction: inbound, source: 10.240.1.0/24, destination: 10.240.2.0/24, protocol: all Shadowing rules: - name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, conn: all - name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, conn: all + name: acl2-in-0, priority: 1, action: deny, direction: inbound, source: 10.240.0.0/16, destination: 10.240.2.0/24, protocol: all + name: acl2-in-1, priority: 2, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 10.240.2.0/24, protocol: all In VPC "test-vpc0-ky", network ACL "acl2-ky" rule is shadowed by higher priority rules - Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, conn: all + Rule details: name: acl2-out-2, priority: 3, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 10.240.1.0/24, protocol: all Shadowing rules: - name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, conn: all - name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 10.240.2.0/24, destination: 0.0.0.0/0, conn: all + name: acl2-out-0, priority: 1, action: deny, direction: outbound, source: 10.240.2.0/24, destination: 10.240.0.0/16, protocol: all + name: acl2-out-1, priority: 2, action: allow, direction: outbound, source: 
10.240.2.0/24, destination: 0.0.0.0/0, protocol: all ________________________________________________________________________________________________________________________________________________________________________________________________________ diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go index e85d9215d..1e7827f7c 100644 --- a/pkg/ibmvpc/nacl_analysis.go +++ b/pkg/ibmvpc/nacl_analysis.go @@ -59,7 +59,7 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm case *vpc1.NetworkACLRuleItemNetworkACLRuleProtocolAll: name = *ruleObj.Name conns = connection.All() - connStr = *ruleObj.Protocol + connStr = fmt.Sprintf("protocol: %s", *ruleObj.Protocol) direction = *ruleObj.Direction src = *ruleObj.Source dst = *ruleObj.Destination @@ -100,7 +100,7 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm isIngress = direction == commonvpc.Inbound priority := na.getNACLRulePriority(direction, index) ruleStr = fmt.Sprintf("name: %s, priority: %d, action: %s, direction: %s, source: %s, destination: %s,"+ - " conn: %s\n", name, priority, action, direction, src, dst, connStr) + " %s\n", name, priority, action, direction, src, dst, connStr) return ruleStr, ruleRes, isIngress, nil } diff --git a/pkg/ibmvpc/sg_analysis.go b/pkg/ibmvpc/sg_analysis.go index 9a640fc7a..56ab1e054 100644 --- a/pkg/ibmvpc/sg_analysis.go +++ b/pkg/ibmvpc/sg_analysis.go @@ -157,8 +157,8 @@ func getRuleStr(direction, id, connStr, remoteCidr, remoteSGName, localCidr stri if remoteSGName != "" { remoteSGStr = remoteSGName + " (" + remoteCidr + ")" } - return fmt.Sprintf("id: %s, direction: %s, local: %s, remote: %s, conns: %s\n", - id, direction, localCidr, remoteSGStr, connStr) + return fmt.Sprintf("direction: %s, id: %s, remote: %s, local: %s, %s\n", + direction, id, remoteSGStr, localCidr, connStr) } func (sga *IBMSGAnalyzer) getProtocolICMPRule(ruleObj *vpc1.SecurityGroupRuleSecurityGroupRuleProtocolIcmp) ( 
From 4e510c117f10bc94df7122fe6d5a0b1a141262fa Mon Sep 17 00:00:00 2001
From: shirim
Date: Thu, 5 Sep 2024 14:49:17 +0300
Subject: [PATCH 08/17] CR
---
 pkg/awsvpc/sg_analysis_test.go | 8 ++++----
 pkg/ibmvpc/sg_analysis_test.go | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/awsvpc/sg_analysis_test.go b/pkg/awsvpc/sg_analysis_test.go
index 878d118f7..4e03f7fe4 100644
--- a/pkg/awsvpc/sg_analysis_test.go
+++ b/pkg/awsvpc/sg_analysis_test.go
@@ -84,12 +84,12 @@ func TestSGRule(t *testing.T) {
 require.Nil(t, err)
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Index, 0)
- require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+ require.Equal(t, "Inbound index: 0, direction: inbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
 ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 require.Nil(t, err)
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Index, 1)
- require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+ require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: all\n", ruleStr)
 }
 func newSGobj(groupID, groupName, vpcID string, ipPermissions []types.IpPermission,
@@ -131,13 +131,13 @@ func TestWithSgObj(t *testing.T) {
 require.Nil(t, err)
 require.Equal(t, "4.2.0.0/16", sgRule.Remote.Cidr.String())
 require.Equal(t, 0, sgRule.Index)
- require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, conns: protocol: tcp,"+
+ require.Equal(t, "Inbound index: 0, direction: inbound, target: 4.2.0.0/16, protocol: tcp,"+
 " dstPorts: 5-1000\n", ruleStr)
 ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 require.Nil(t, err)
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Index, 1)
- require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: tcp, "+
+ require.Equal(t, "Outbound index: 0, direction: outbound, target: 0.0.0.0/0, protocol: tcp, "+
 "dstPorts: 23-10030\n", ruleStr)
 }
diff --git a/pkg/ibmvpc/sg_analysis_test.go b/pkg/ibmvpc/sg_analysis_test.go
index 7a21998b6..b9fece36d 100644
--- a/pkg/ibmvpc/sg_analysis_test.go
+++ b/pkg/ibmvpc/sg_analysis_test.go
@@ -104,13 +104,13 @@ func TestSGRule(t *testing.T) {
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Local.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Index, 0)
- require.Equal(t, "id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+ require.Equal(t, "direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all\n", ruleStr)
 ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 require.Nil(t, err)
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Local.String(), "10.240.10.0")
 require.Equal(t, sgRule.Index, 1)
- require.Equal(t, "id: id:154, direction: inbound, local: 10.240.10.0/32, remote: 0.0.0.0/0, conns: protocol: all\n", ruleStr)
+ require.Equal(t, "direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 10.240.10.0/32, protocol: all\n", ruleStr)
 }
 type sgTest struct {
From 2f445fab962062464fedd1808c3e583bacc7c3e9 Mon Sep 17 00:00:00 2001
From: shirim
Date: Thu, 5 Sep 2024 15:02:57 +0300
Subject: [PATCH 09/17] lint
---
 pkg/awsvpc/nacl_analysis.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go
index 6c9ba5f05..485341db1 100644
--- a/pkg/awsvpc/nacl_analysis.go
+++ b/pkg/awsvpc/nacl_analysis.go
@@ -59,10 +59,10 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 ruleObj := na.prioritiesEntries[index]
 protocol := convertProtocol(*ruleObj.Protocol)
 ruleNumber := *ruleObj.RuleNumber
+ portsStr := ""
 switch protocol {
 case allProtocols:
 conns = connection.All()
- connStr = fmt.Sprintf("protocol: %s", protocol)
 case protocolTCP, protocolUDP:
 minPort := int64(*ruleObj.PortRange.From)
 maxPort := int64(*ruleObj.PortRange.To)
@@ -72,7 +72,7 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 minPort,
 maxPort,
 )
- connStr = fmt.Sprintf("protocol: %s, dstPorts: %d-%d", protocol, minPort, maxPort)
+ portsStr = fmt.Sprintf(", dstPorts: %d-%d", minPort, maxPort)
 case protocolICMP:
 icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax, err :=
 handleIcmpTypeCode(ruleObj.IcmpTypeCode.Type, ruleObj.IcmpTypeCode.Code)
@@ -81,11 +81,11 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 return "", nil, false, err
 }
 conns = connection.ICMPConnection(icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax)
- connStr = fmt.Sprintf("protocol: %s", protocol)
 default:
 err = fmt.Errorf("GetNACLRule unsupported protocol type: %s ", *ruleObj.Protocol)
 return "", nil, false, err
 }
+ connStr = "protocol: " + protocol + portsStr
 action := string(ruleObj.RuleAction)
 ip, err := ipblock.FromCidr(*ruleObj.CidrBlock)
 if err != nil {
From 3b396b433f93054315eeb914852e97d228f08f08 Mon Sep 17 00:00:00 2001
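Review bot: The `protocolICMP` branch in the `@@ -81,11 +81,11 @@` hunk leaves `portsStr` empty, so `connStr = "protocol: " + protocol + portsStr` renders an ICMP entry with the protocol name only, although `conns` is restricted by `icmpTypeMin`/`icmpTypeMax`/`icmpCodeMin`/`icmpCodeMax`. A reader of the explain or lint output then cannot tell an entry that admits a single ICMP type from one that admits all ICMP, which matters when the text is used to audit what an ACL lets through. The branch could fill the suffix from the values it already has, for example `portsStr = fmt.Sprintf(", icmp-type: %d-%d, icmp-code: %d-%d", icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax)` (verbs assumed, the variable types are not visible in the hunk). The `NetworkACLRuleItemNetworkACLRuleProtocolIcmp` case of the IBM `GetNACLRule` in PATCH 10/17 has the same gap, and both function bodies continue outside their hunks.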
From: shirim
Date: Thu, 5 Sep 2024 15:08:00 +0300
Subject: [PATCH 10/17] lint
---
 pkg/ibmvpc/nacl_analysis.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go
index 1e7827f7c..a6c4e5d6d 100644
--- a/pkg/ibmvpc/nacl_analysis.go
+++ b/pkg/ibmvpc/nacl_analysis.go
@@ -55,11 +55,12 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 var direction, src, dst, action string
 var name, connStr string
 rule := na.naclResource.Rules[index]
+ var protocol, portsStr string
 switch ruleObj := rule.(type) {
 case *vpc1.NetworkACLRuleItemNetworkACLRuleProtocolAll:
 name = *ruleObj.Name
 conns = connection.All()
- connStr = fmt.Sprintf("protocol: %s", *ruleObj.Protocol)
+ protocol = *ruleObj.Protocol
 direction = *ruleObj.Direction
 src = *ruleObj.Source
 dst = *ruleObj.Destination
@@ -74,7 +75,8 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 )
 srcPorts := getPortsStr(*ruleObj.SourcePortMin, *ruleObj.SourcePortMax)
 dstPorts := getPortsStr(*ruleObj.DestinationPortMin, *ruleObj.DestinationPortMax)
- connStr = fmt.Sprintf("protocol: %s, srcPorts: %s, dstPorts: %s", *ruleObj.Protocol, srcPorts, dstPorts)
+ protocol = *ruleObj.Protocol
+ portsStr = fmt.Sprintf(", srcPorts: %s, dstPorts: %s", srcPorts, dstPorts)
 direction = *ruleObj.Direction
 src = *ruleObj.Source
 dst = *ruleObj.Destination
@@ -82,7 +84,7 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 case *vpc1.NetworkACLRuleItemNetworkACLRuleProtocolIcmp:
 name = *ruleObj.Name
 conns = commonvpc.GetICMPconn(ruleObj.Type, ruleObj.Code)
- connStr = fmt.Sprintf("protocol: %s", *ruleObj.Protocol)
+ protocol = *ruleObj.Protocol
 direction = *ruleObj.Direction
 src = *ruleObj.Source
 dst = *ruleObj.Destination
@@ -91,6 +93,7 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 err = fmt.Errorf("GetNACLRule unsupported type for rule: %s ", rule)
 return "", nil, false, err
 }
+ connStr = "protocol: " + protocol + portsStr
 srcIP, dstIP, err := ipblock.PairCIDRsToIPBlocks(src, dst)
 if err != nil {
From 2664f97e6771584c9f4620c56cf23beb5935ce43 Mon Sep 17 00:00:00 2001
From: shirim
Date: Thu, 5 Sep 2024 15:16:10 +0300
Subject: [PATCH 11/17] update test
---
 .../expected_out/acl_testing3_detailed_explain.txt | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
index d40333dbf..4ceb30829 100644
--- a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
+++ b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
@@ -15,25 +15,25 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow and deny rules - name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: protocol: icmp - name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp + name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all Ingress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all + name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all + direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: network ACL acl2-ky allows connection with the following allow rules - name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all Ingress: network ACL acl1-ky allows connection with the 
following allow rules - name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all + name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all ------------------------------------------------------------------------------------------------------------------------ From 3ca3c71c2037bce06f77958ca6054e4d1cc2f4cd Mon Sep 17 00:00:00 2001 From: shirim Date: Thu, 5 Sep 2024 15:22:13 +0300 Subject: [PATCH 12/17] revert change by mistake --- cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt | 4 ++-- pkg/ibmvpc/sg_analysis.go | 4 ++-- pkg/ibmvpc/sg_analysis_test.go | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt index 4ceb30829..a28c43647 100644 --- a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt +++ b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt @@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow and deny rules name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all 
@@ -24,7 +24,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/sg_analysis.go b/pkg/ibmvpc/sg_analysis.go index 56ab1e054..1a220021f 100644 --- a/pkg/ibmvpc/sg_analysis.go +++ b/pkg/ibmvpc/sg_analysis.go @@ -157,8 +157,8 @@ func getRuleStr(direction, id, connStr, remoteCidr, remoteSGName, localCidr stri if remoteSGName != "" { remoteSGStr = remoteSGName + " (" + remoteCidr + ")" } - return fmt.Sprintf("direction: %s, id: %s, remote: %s, local: %s, %s\n", - direction, id, remoteSGStr, localCidr, connStr) + return fmt.Sprintf("id: %s, direction: %s, local: %s, remote: %s, %s\n", + id, direction, localCidr, remoteSGStr, connStr) } func (sga *IBMSGAnalyzer) getProtocolICMPRule(ruleObj *vpc1.SecurityGroupRuleSecurityGroupRuleProtocolIcmp) ( diff --git a/pkg/ibmvpc/sg_analysis_test.go b/pkg/ibmvpc/sg_analysis_test.go index b9fece36d..f2a818dca 100644 --- a/pkg/ibmvpc/sg_analysis_test.go +++ b/pkg/ibmvpc/sg_analysis_test.go 
@@ -104,13 +104,13 @@ func TestSGRule(t *testing.T) {
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Local.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Index, 0)
- require.Equal(t, "direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all\n", ruleStr)
+ require.Equal(t, "id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all\n", ruleStr)
 ruleStr, sgRule, _, err = sgResource.Analyzer.SgAnalyzer.GetSGRule(1)
 require.Nil(t, err)
 require.Equal(t, sgRule.Remote.Cidr.String(), "0.0.0.0/0")
 require.Equal(t, sgRule.Local.String(), "10.240.10.0")
 require.Equal(t, sgRule.Index, 1)
- require.Equal(t, "direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 10.240.10.0/32, protocol: all\n", ruleStr)
+ require.Equal(t, "id: id:154, direction: inbound, local: 10.240.10.0/32, remote: 0.0.0.0/0, protocol: all\n", ruleStr)
 }
 type sgTest struct {
From fd2a2c6bca91412435acb2140ec42a675cfbdf30 Mon Sep 17 00:00:00 2001
From: shirim Date: Thu, 5 Sep 2024 15:25:13 +0300 Subject: [PATCH 13/17] revert change by mistake --- ...ingExternalSG1_all_vpcs_explain_detail.txt | 2 +- ...sNodeToIksNode_all_vpcs_explain_detail.txt | 16 +-- .../LBToIksNode_all_vpcs_explain_detail.txt | 108 +++++++++--------- .../LBToResIPNode_all_vpcs_explain_detail.txt | 72 ++++++------ .../NACLExternal1_all_vpcs_explain_detail.txt | 2 +- .../NACLExternal2_all_vpcs_explain_detail.txt | 2 +- .../NACLGrouping_all_vpcs_explain_detail.txt | 4 +- .../NACLInternal1_all_vpcs_explain_detail.txt | 4 +- .../NACLInternal2_all_vpcs_explain_detail.txt | 4 +- .../NACLInternal3_all_vpcs_explain_detail.txt | 4 +- .../NACLInternal4_all_vpcs_explain_detail.txt | 4 +- ...To4DstInternal_all_vpcs_explain_detail.txt | 12 +- ...enyNoConnQuery_all_vpcs_explain_detail.txt | 4 +- ...eryAllowSubset_all_vpcs_explain_detail.txt | 2 +- ...eryConnection1_all_vpcs_explain_detail.txt | 2 +- ...eryConnection2_all_vpcs_explain_detail.txt | 2 +- ...nnectionRules2_all_vpcs_explain_detail.txt | 2 +- ...nnectionRules3_all_vpcs_explain_detail.txt | 2 +- ...nnectionRules4_all_vpcs_explain_detail.txt | 2 +- ...lTCPAndRespond_all_vpcs_explain_detail.txt | 8 +- ...tialTCPRespond_all_vpcs_explain_detail.txt | 8 +- ...ectionSGBasic1_all_vpcs_explain_detail.txt | 2 +- ...ectionSGBasic2_all_vpcs_explain_detail.txt | 2 +- ...ectionSGBasic3_all_vpcs_explain_detail.txt | 2 +- ...ectionSGBasic4_all_vpcs_explain_detail.txt | 2 +- ...ectionSGRules1_all_vpcs_explain_detail.txt | 8 +- ...ectionSGRules2_all_vpcs_explain_detail.txt | 4 +- ...ectionSGRules3_all_vpcs_explain_detail.txt | 6 +- ...ectionSGRules4_all_vpcs_explain_detail.txt | 8 +- ...nSGSubsetPorts_all_vpcs_explain_detail.txt | 2 +- ...pleExternalSG1_all_vpcs_explain_detail.txt | 2 +- ...pleExternalSG3_all_vpcs_explain_detail.txt | 2 +- ...pondPortsQuery_all_vpcs_explain_detail.txt | 6 +- .../VsiToVsi1_all_vpcs_explain_detail.txt | 6 +- .../VsiToVsi2_all_vpcs_explain_detail.txt | 4 +- 
.../VsiToVsi3_all_vpcs_explain_detail.txt | 8 +- .../VsiToVsi4_all_vpcs_explain_detail.txt | 2 +- .../VsiToVsi5_all_vpcs_explain_detail.txt | 6 +- ...eitherEnabling_all_vpcs_explain_detail.txt | 6 +- ...SgsOneEnabling_all_vpcs_explain_detail.txt | 8 +- .../VsiWithTwoSgs_all_vpcs_explain_detail.txt | 10 +- ...iNIsToSingleNI_all_vpcs_explain_detail.txt | 6 +- ...CVsiToExternal_all_vpcs_explain_detail.txt | 2 +- ...ltiVPCVsiToVsi_all_vpcs_explain_detail.txt | 4 +- ...bledDenyPrefix_all_vpcs_explain_detail.txt | 4 +- ...blesTCPRespond_all_vpcs_explain_detail.txt | 4 +- ...eDefaultFilter_all_vpcs_explain_detail.txt | 4 +- ...SpecificFilter_all_vpcs_explain_detail.txt | 4 +- ...tgwExampleCidr_all_vpcs_explain_detail.txt | 32 +++--- ...NoProtocolConn_all_vpcs_explain_detail.txt | 4 +- ...odeSubsetRules_all_vpcs_explain_detail.txt | 6 +- .../out/lint_out/PartialTCPRespond_Lint | 24 ++-- .../examples/out/lint_out/basic_sg1_Lint | 24 ++-- 53 files changed, 240 insertions(+), 240 deletions(-) diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt index 72e9dc049..023568a14 100644 --- a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt index 90d33ac22..357f577a6 100644 --- a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt @@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-clusterid:1 allows connection with the following allow rules - direction: outbound, id: id:304, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all + id: id:304, direction: outbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), protocol: all security group ky-test-default-sg allows connection with the following allow rules - direction: outbound, id: id:318, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:318, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all 
@@ -25,13 +25,13 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 - direction: inbound, id: id:302, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:302, direction: inbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), protocol: all security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:320, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, protocol: all - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:320, direction: inbound, local: 0.0.0.0/0, remote: ky-test-default-sg 
(192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt index fbf23739b..8eee56432 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToIksNode_all_vpcs_explain_detail.txt @@ -18,8 +18,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -27,11 +27,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -59,8 +59,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -68,11 +68,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -100,8 +100,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all 
@@ -109,11 +109,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -141,8 +141,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -150,11 +150,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -182,8 +182,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -191,11 +191,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -223,8 +223,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -232,11 +232,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-transit-inbound, priority: 4, action: allow, direction: inbound, source: 192.168.16.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -264,8 +264,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -273,11 +273,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -305,16 +305,16 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -333,8 +333,8 @@ Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, protocol: all 
@@ -342,11 +342,11 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt index 527578e77..1e171626f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/LBToResIPNode_all_vpcs_explain_detail.txt 
@@ -22,8 +22,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -31,8 +31,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -55,8 +55,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -64,8 +64,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -88,8 +88,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all @@ -97,8 +97,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -121,8 +121,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -130,8 +130,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -154,8 +154,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -163,8 +163,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -187,8 +187,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -196,8 +196,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -220,13 +220,13 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 Ingress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -249,8 +249,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all @@ -258,8 +258,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ 
@@ -282,8 +282,8 @@ Path is disabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 - direction: outbound, id: id:279, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:279, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 30000-32767 network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.32.0/20, protocol: all @@ -291,8 +291,8 @@ Path is disabled; The relevant rules are: network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: inbound, id: id:281, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: inbound, id: id:283, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:281, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:283, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt index 1060e1bc5..d578fdb7f 100644 
--- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal1_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt index a9d4e7e8d..ee303a7b5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLExternal2_all_vpcs_explain_detail.txt @@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt index b0e49710e..3a2d03115 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLGrouping_all_vpcs_explain_detail.txt 
@@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 @@ -37,7 +37,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt index f7b9c0072..1e3f66aeb 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal1_all_vpcs_explain_detail.txt 
@@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow and deny rules name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: icmp name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all @@ -24,7 +24,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt index 31c54aa08..40c4cb26f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal2_all_vpcs_explain_detail.txt 
@@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl2-ky allows connection with the following allow rules name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all @@ -23,7 +23,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt index 4d4e98e4e..87ba0ea18 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal3_all_vpcs_explain_detail.txt 
@@ -18,14 +18,14 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules Ingress: network ACL acl3-ky allows connection with the following allow rules name: acl3-in-1, priority: 1, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt index 11cd1d6ec..e6368a0b5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternal4_all_vpcs_explain_detail.txt 
@@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt index 7cb0cb9fa..6f3233a09 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLInternalSrcTo4DstInternal_all_vpcs_explain_detail.txt @@ -15,11 +15,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -35,11 +35,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -55,11 +55,11 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt index 5cf7d2c87..9f8e16720 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLOnlyDenyNoConnQuery_all_vpcs_explain_detail.txt 
@@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky blocks connection with the following deny rules: name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all @@ -26,7 +26,7 @@ Path is disabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt index 4047f3302..7de9edc13 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryAllowSubset_all_vpcs_explain_detail.txt 
@@ -17,7 +17,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-600, dstPorts: 1-50 diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt index 06ca51e0f..4f6987ee5 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection1_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt index dffced663..27228d083 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnection2_all_vpcs_explain_detail.txt 
@@ -18,7 +18,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky has no relevant allow rules ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt index edb62ce93..dadd8f497 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules2_all_vpcs_explain_detail.txt @@ -17,7 +17,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt index 3e2a87484..7b77e02ba 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules3_all_vpcs_explain_detail.txt @@ -17,7 +17,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt index c4b4ee468..6afcff26d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/NACLQueryConnectionRules4_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-2, priority: 2, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 161.26.0.0/16, protocol: udp, srcPorts: 1-65535, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt index 033d76c6b..1dd260449 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPAndRespond_all_vpcs_explain_detail.txt 
@@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 110-205, dstPorts: 20-100 @@ -26,7 +26,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: tcp, srcPorts: 115-215, dstPorts: 25-95 security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is partly enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt index a080cf3f9..f7a9c24dc 100644 --- a/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_detail.txt @@ -16,9 +16,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -26,7 +26,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is partly enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt index bd07c313a..c14a23f7c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic1_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt index 1eaa52665..7ffc79bb3 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic2_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt index c3179f136..119dda1ee 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic3_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt index 4c76bfa76..098bdfc1f 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGBasic4_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt index 4de5a33f7..0e85369c8 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules1_all_vpcs_explain_detail.txt @@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -25,7 +25,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt index 8766b967c..2e7bdf19a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt 
+++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules2_all_vpcs_explain_detail.txt @@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -23,7 +23,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt index ce4404518..d19308c61 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules3_all_vpcs_explain_detail.txt 
@@ -15,8 +15,8 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -24,7 +24,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt index 5b6e68863..bfdff2b6d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGRules4_all_vpcs_explain_detail.txt 
@@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -25,7 +25,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt index de75db68c..bb27cac11 100644 --- a/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/QueryConnectionSGSubsetPorts_all_vpcs_explain_detail.txt 
@@ -19,7 +19,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:143, remote: 147.235.219.206/32, local: 0.0.0.0/0, protocol: tcp, dstPorts: 22-22 + id: id:143, direction: inbound, local: 0.0.0.0/0, remote: 147.235.219.206/32, protocol: tcp, dstPorts: 22-22 TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt index b611ff2a5..a10f76aff 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG1_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt index aa7d9723f..45d2ae1a2 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SimpleExternalSG3_all_vpcs_explain_detail.txt 
@@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, protocol: udp, dstPorts: 1-65535 + id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, protocol: udp, dstPorts: 1-65535 network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt index 370c8d0a9..f473ffb5a 100644 --- a/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/TCPRespondPortsQuery_all_vpcs_explain_detail.txt @@ -16,8 +16,8 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -25,7 +25,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is partly enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt index a2014e3e6..e0f8ccb94 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi1_all_vpcs_explain_detail.txt @@ -15,8 +15,8 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, protocol: all + id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: tcp, dstPorts: 1-65535 network ACL acl2-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -24,7 +24,7 @@ Path is enabled; The relevant rules are: network ACL acl3-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:153, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:153, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: tcp, dstPorts: 1-65535 TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt index e5b52eac9..fa2c985a4 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi2_all_vpcs_explain_detail.txt @@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:141, remote: 10.240.10.0/24, local: 0.0.0.0/0, protocol: all + id: id:141, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, protocol: all network ACL acl2-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -23,7 +23,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all + id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt index 383e405a0..0130f43b7 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi3_all_vpcs_explain_detail.txt @@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -25,7 +25,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt index 472f0d065..a3521252d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi4_all_vpcs_explain_detail.txt @@ -25,7 +25,7 @@ Path is disabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg2-ky allows connection with the following allow rules - direction: inbound, id: id:147, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all + id: id:147, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt index a5b8c7462..ea101a06d 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiToVsi5_all_vpcs_explain_detail.txt 
@@ -19,9 +19,9 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt index 1b6bd742f..d12c190a3 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsNeitherEnabling_all_vpcs_explain_detail.txt 
@@ -19,9 +19,9 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt index ef0033314..a2697d3f1 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgsOneEnabling_all_vpcs_explain_detail.txt 
@@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -25,7 +25,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), protocol: all security group sg3-ky has no relevant allow rules TCP response is enabled; The relevant rules are: diff --git a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt index 5891c0e72..d11c8a4d2 100644 --- a/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/VsiWithTwoSgs_all_vpcs_explain_detail.txt 
@@ -15,9 +15,9 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -25,9 +25,9 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:137, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.10.4/32,10.240.30.5/32,10.240.30.6/32), protocol: all security group sg3-ky allows connection with the following allow rules - direction: inbound, id: id:127, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all + id: id:127, direction: inbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, protocol: all TCP response is enabled; The relevant rules are: Egress: 
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt index df05b5774..b682fac93 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiNIsToSingleNI_all_vpcs_explain_detail.txt @@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg2-ky allows connection with the following allow rules - direction: outbound, id: id:96, remote: 10.240.10.0/24, local: 0.0.0.0/0, protocol: all + id: id:96, direction: outbound, local: 0.0.0.0/0, remote: 10.240.10.0/24, protocol: all network ACL acl1-ky allows connection with the following allow rules name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -23,7 +23,7 @@ Path is enabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: inbound, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:89, remote: sg2-ky (10.240.20.4/31), local: 0.0.0.0/0, protocol: all + id: id:89, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/31), protocol: all TCP response is enabled; The relevant rules are: Egress: @@ -54,7 +54,7 @@ Path is disabled; The relevant rules are: Ingress: security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:87, remote: sg1-ky (10.240.10.4/31), local: 0.0.0.0/0, protocol: all + id: id:87, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/31), protocol: all ------------------------------------------------------------------------------------------------------------------------ 
diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt index ffa412d2b..4c0995cdd 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternal_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:412, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:412, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 10.240.1.0/24, destination: 172.217.22.46/32, protocol: all diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt index bbc278f67..348907ed1 100644 --- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToVsi_all_vpcs_explain_detail.txt @@ -15,7 +15,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg31-ky allows connection with the following allow rules - direction: outbound, id: id:405, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:405, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl31-ky allows connection with the following allow rules name: acl31-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -23,7 +23,7 @@ Path is enabled; The relevant rules are: network ACL acl31-ky allows connection with the following allow rules name: acl31-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg31-ky allows connection with the following allow rules - direction: inbound, id: id:403, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:403, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt index ecc3f28e5..ea6f68885 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisabledDenyPrefix_all_vpcs_explain_detail.txt @@ -20,7 +20,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -31,7 +31,7 @@ Path is disabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt index 7691616d3..eedbba25e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwDisablesTCPRespond_all_vpcs_explain_detail.txt @@ -17,7 +17,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl1-ky allows connection with the following allow rules name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -28,7 +28,7 @@ Path is enabled; The relevant rules are: network ACL acl11-ky allows connection with the following allow rules name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg11-ky allows connection with the following allow rules - direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is disabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt index bbf584096..41b129a6c 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnableDefaultFilter_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg1-ky allows connection with the following allow rules - direction: outbound, id: id:346, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:346, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl3-ky allows connection with the following allow rules name: acl1-out-1, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -27,7 +27,7 @@ Path is enabled; The relevant rules are: network ACL acl11-ky allows connection with the following allow rules name: acl11-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg11-ky allows connection with the following allow rules - direction: inbound, id: id:371, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:371, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt index 6906f59c3..64b2a70c8 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwEnabledSpecificFilter_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -27,7 +27,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt index a924a402b..67eb7172e 100644 --- a/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/tgwExampleCidr_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -27,7 +27,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -56,7 +56,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -67,7 +67,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: @@ -96,7 +96,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -107,7 +107,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: @@ -136,7 +136,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -147,7 +147,7 @@ Path is enabled; The relevant rules are: network ACL acl2-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: 
@@ -180,7 +180,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -191,7 +191,7 @@ Path is disabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -212,7 +212,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -223,7 +223,7 @@ Path is disabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -244,7 +244,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -255,7 +255,7 @@ Path is disabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -276,7 +276,7 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg21-ky allows connection with the following allow rules - direction: outbound, id: id:353, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:353, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl21-ky allows connection with the following allow rules name: acl21-out-2, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all @@ -287,7 +287,7 @@ Path is disabled; The relevant rules are: network ACL acl1-ky allows connection with the following allow rules name: acl1-in-1, priority: 1, action: allow, direction: inbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all security group sg1-ky allows connection with the following allow rules - direction: inbound, id: id:344, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:344, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt index cffa8175f..fe5ddb06b 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt 
@@ -25,9 +25,9 @@ Path is disabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: ICMP icmp-type: 8 + id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: ICMP icmp-type: 8 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt index b0f241ca9..8ef6ad285 100644 --- a/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/vpeToIksNodeSubsetRules_all_vpcs_explain_detail.txt @@ -16,7 +16,7 @@ Details: Path is enabled; The relevant rules are: Egress: security group kube-r006-d7cfb31a-1d4b-40c8-83df-ce2e6f8f2e57 allows connection with the following allow rules - direction: outbound, id: id:277, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:277, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 network ACL ky-test-edge-acl allows connection with the following allow rules name: allow-outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all 
@@ -24,9 +24,9 @@ Path is enabled; The relevant rules are: network ACL ky-test-private-2-others-acl allows connection with the following allow rules name: allow-traffic-subnet-edge-inbound, priority: 1, action: allow, direction: inbound, source: 192.168.32.0/20, destination: 0.0.0.0/0, protocol: all security group kube-clusterid:1 allows connection with the following allow rules - direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 + id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 30000-32767 security group ky-test-default-sg allows connection with the following allow rules - direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all + id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all TCP response is enabled; The relevant rules are: Egress: diff --git a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint index 40ab8d74f..2cd1a6861 100644 --- a/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/PartialTCPRespond_Lint 
@@ -20,11 +20,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -32,19 +32,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all + id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, protocol: all + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 
Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 diff --git a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint index d9b382023..a447fa077 100644 --- a/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint +++ b/pkg/ibmvpc/examples/out/lint_out/basic_sg1_Lint 
@@ -11,11 +11,11 @@ ________________________________________________________________________________ "SGs implying different connectivity for endpoints inside a subnet" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet1-ky" (10.240.10.0/24). - Rule details: direction: inbound, id: id:131, remote: sg1-ky (10.240.10.4/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:131, direction: inbound, local: 0.0.0.0/0, remote: sg1-ky (10.240.10.4/32), protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnet "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:137, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:137, direction: inbound, local: 0.0.0.0/0, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), protocol: all In VPC "test-vpc1-ky", security group "sg1-ky" rule splits subnets "subnet2-ky" (10.240.20.0/24), "subnet3-ky" (10.240.30.0/24). - Rule details: direction: inbound, id: id:135, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: all + Rule details: id: id:135, direction: inbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: all ... (3 more) ________________________________________________________________________________________________________________________________________________________________________________________________________ 
@@ -23,19 +23,19 @@ ________________________________________________________________________________ "Security group rules implied by other rules" issues: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In VPC "test-vpc1-ky", security group "sg2-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:151, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:151, direction: outbound, local: 0.0.0.0/0, remote: sg2-ky (10.240.20.4/32,10.240.30.4/32), protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:139, remote: 10.240.20.0/24, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:149, remote: 10.240.30.0/24, local: 0.0.0.0/0, protocol: all + id: id:139, direction: outbound, local: 0.0.0.0/0, remote: 10.240.20.0/24, protocol: all + id: id:149, direction: outbound, local: 0.0.0.0/0, remote: 10.240.30.0/24, protocol: all In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 In VPC "test-vpc1-ky", security group "sg3-ky" rule is implied by other rules - Rule details: direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 + Rule details: id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 
Implying rules: - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 From 7802bf53a54efb384fe30ff740c815e78c834a92 Mon Sep 17 00:00:00 2001 From: shirim Date: Thu, 5 Sep 2024 15:38:47 +0300 Subject: [PATCH 14/17] merge with main --- ...ToExternalGroup_all_vpcs_explain_detail.txt | 18 +++++++++--------- ...alMissingRouter_all_vpcs_explain_detail.txt | 4 ++-- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt index e5a64b525..963c23d38 100644 --- a/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/SGInternal3SrcToExternalGroup_all_vpcs_explain_detail.txt 
@@ -18,11 +18,11 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ 
@@ -41,11 +41,11 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg3-ky allows connection with the following allow rules - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 1-65535 - direction: outbound, id: id:125, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp, dstPorts: 100-200 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 1-65535 + id: id:125, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: tcp, dstPorts: 100-200 network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ @@ -64,7 +64,7 @@ Path is disabled; The relevant rules are: Egress: security group sg2-ky has no relevant allow rules network ACL acl3-ky allows connection with the following allow rules - direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ diff --git a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt index 81965bdc2..5f245486f 100644 
--- a/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt +++ b/pkg/ibmvpc/examples/out/explain_out/multiVPCVsiToExternalMissingRouter_all_vpcs_explain_detail.txt @@ -18,9 +18,9 @@ Details: Path is disabled; The relevant rules are: Egress: security group sg11-ky allows connection with the following allow rules - direction: outbound, id: id:419, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all + id: id:419, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, protocol: all network ACL acl11-ky allows connection with the following allow rules - direction: outbound, name: acl11-out-3, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all + name: acl11-out-3, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, protocol: all ------------------------------------------------------------------------------------------------------------------------ From 0b076a9d4070643707bb9744baf75108f69c7b2b Mon Sep 17 00:00:00 2001 From: shirim Date: Mon, 9 Sep 2024 10:20:27 +0300 Subject: [PATCH 15/17] added icmp details for nacl rule's describing string --- pkg/awsvpc/nacl_analysis.go | 6 ++++++ pkg/ibmvpc/nacl_analysis.go | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go index 485341db1..dfb71432c 100644 --- a/pkg/awsvpc/nacl_analysis.go +++ b/pkg/awsvpc/nacl_analysis.go 
@@ -80,6 +80,12 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm if err != nil { return "", nil, false, err } + if ruleObj.IcmpTypeCode.Type != nil && *ruleObj.IcmpTypeCode.Type != -1 { + portsStr = fmt.Sprintf("icmp type: %d", *ruleObj.IcmpTypeCode.Type) + } + if ruleObj.IcmpTypeCode.Code != nil && *ruleObj.IcmpTypeCode.Code != -1 { + portsStr += fmt.Sprintf("icmp code: %d", *ruleObj.IcmpTypeCode.Code) + } conns = connection.ICMPConnection(icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax) default: err = fmt.Errorf("GetNACLRule unsupported protocol type: %s ", *ruleObj.Protocol) diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go index a6c4e5d6d..f51754138 100644 --- a/pkg/ibmvpc/nacl_analysis.go +++ b/pkg/ibmvpc/nacl_analysis.go @@ -89,6 +89,12 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm src = *ruleObj.Source dst = *ruleObj.Destination action = *ruleObj.Action + if ruleObj.Type != nil && *ruleObj.Type != -1 { + portsStr = fmt.Sprintf("icmp type: %d", *ruleObj.Type) + } + if ruleObj.Code != nil && *ruleObj.Code != -1 { + portsStr += fmt.Sprintf("icmp code: %d", *ruleObj.Code) + } default: err = fmt.Errorf("GetNACLRule unsupported type for rule: %s ", rule) return "", nil, false, err From 384777dbfce5e63260dcdb3ce6ec9302a424fb0f Mon Sep 17 00:00:00 2001 From: ShiriMoran <139739065+ShiriMoran@users.noreply.github.com> Date: Mon, 9 Sep 2024 12:00:24 +0300 Subject: [PATCH 16/17] Update pkg/ibmvpc/nacl_analysis.go Co-authored-by: Ziv Nevo <79099626+zivnevo@users.noreply.github.com> --- pkg/ibmvpc/nacl_analysis.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/ibmvpc/nacl_analysis.go b/pkg/ibmvpc/nacl_analysis.go index f51754138..72a854600 100644 --- a/pkg/ibmvpc/nacl_analysis.go +++ b/pkg/ibmvpc/nacl_analysis.go 
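Review bot: The added reads of `ruleObj.IcmpTypeCode.Type` and `ruleObj.IcmpTypeCode.Code` in the ICMP case dereference `ruleObj.IcmpTypeCode` with no visible check that it is set. If that field is a pointer, as it is in the AWS SDK's NetworkAclEntry type, an entry without it would panic the analyzer instead of returning an error. The call just above that returns `err` is outside this hunk and may already reject such input, so confirm that first; otherwise wrap both checks in `if tc := ruleObj.IcmpTypeCode; tc != nil { ... }`. The PATCH 17/17 hunk on this file touches the same lines and still has no guard. A comment such as `// -1 means "all types/codes" in the EC2 API, so nothing is printed for it` would also explain the sentinel.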
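Review bot: No expected-output file changes alongside this hunk or the matching one in pkg/awsvpc/nacl_analysis.go; the commit's diffstat lists only the two .go files. Either no example exercises an ICMP NACL rule with a type or code, or the fixtures were not regenerated. With nothing pinning the text, `portsStr = fmt.Sprintf("icmp type: %d", ...)` followed by `portsStr += fmt.Sprintf("icmp code: %d", ...)` runs the two fragments together with no separator. This string is what a reader uses to decide which ICMP traffic a rule admits, so an explain_out example with a typed ICMP rule is worth adding. The switch this case belongs to starts and ends outside the hunk.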
@@ -89,11 +89,11 @@ func (na *IBMNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm src = *ruleObj.Source dst = *ruleObj.Destination action = *ruleObj.Action - if ruleObj.Type != nil && *ruleObj.Type != -1 { - portsStr = fmt.Sprintf("icmp type: %d", *ruleObj.Type) + if ruleObj.Type != nil { + portsStr = fmt.Sprintf(", type: %d", *ruleObj.Type) } - if ruleObj.Code != nil && *ruleObj.Code != -1 { - portsStr += fmt.Sprintf("icmp code: %d", *ruleObj.Code) + if ruleObj.Code != nil { + portsStr += fmt.Sprintf(", code: %d", *ruleObj.Code) } default: err = fmt.Errorf("GetNACLRule unsupported type for rule: %s ", rule) From 5c98e37177c4ec721d55c82735bd1b2ff28fb18d Mon Sep 17 00:00:00 2001 From: ShiriMoran <139739065+ShiriMoran@users.noreply.github.com> Date: Mon, 9 Sep 2024 12:00:31 +0300 Subject: [PATCH 17/17] Update pkg/awsvpc/nacl_analysis.go Co-authored-by: Ziv Nevo <79099626+zivnevo@users.noreply.github.com> --- pkg/awsvpc/nacl_analysis.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go index dfb71432c..5d4a920b4 100644 --- a/pkg/awsvpc/nacl_analysis.go +++ b/pkg/awsvpc/nacl_analysis.go @@ -81,10 +81,10 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm return "", nil, false, err } if ruleObj.IcmpTypeCode.Type != nil && *ruleObj.IcmpTypeCode.Type != -1 { - portsStr = fmt.Sprintf("icmp type: %d", *ruleObj.IcmpTypeCode.Type) + portsStr = fmt.Sprintf(", type: %d", *ruleObj.IcmpTypeCode.Type) } if ruleObj.IcmpTypeCode.Code != nil && *ruleObj.IcmpTypeCode.Code != -1 { - portsStr += fmt.Sprintf("icmp code: %d", *ruleObj.IcmpTypeCode.Code) + portsStr += fmt.Sprintf(", code: %d", *ruleObj.IcmpTypeCode.Code) } conns = connection.ICMPConnection(icmpTypeMin, icmpTypeMax, icmpCodeMin, icmpCodeMax) default:
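Review bot: Dropping the `!= -1` test here leaves the IBM and AWS analyzers handling "any type/code" differently with no comment saying why; the AWS hunk in PATCH 17/17 keeps the sentinel. If the IBM API signals "all types" only by omitting the field (presumably the reason for the change; confirm against the SDK), a line such as `// nil Type/Code: rule matches every ICMP type/code, nothing to print` above the first `if` would stop a later editor from re-adding the check. The fragments now begin with `, `, so the final text depends on how `portsStr` is joined into the rule string, which is outside this hunk.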
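Review bot: The new labels `, type: %d` and `, code: %d` differ from how the security-group fixtures in this series print the same information (`protocol: ICMP icmp-type: 8` in vpeToIksNodeNoProtocolConn_all_vpcs_explain_detail.txt). A NACL rule and an SG rule on one path would therefore describe ICMP in two formats. If the SG text comes from a shared connection formatter, reusing it for the NACL string, or at least matching its `icmp-type` label style, would keep the explain output consistent for anyone searching it during a rule audit. The function body continues outside the hunk, so how `portsStr` is placed after the protocol field is not visible here.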