Tests - Tools - Firewall Agent: (59f2a1ea) · Commits · TFS / controller

src/tests/tools/firewall_agent/firewall_agent/resources/nft_model/Chain.py

+3 −3

Original line number	Diff line number	Diff line
		@@ -64,7 +64,7 @@ class Chain:
		chain.handle = entry['handle']
		chain.type = entry.get('type', table.value.lower())
		chain.hook = entry.get('hook', name.lower())
		chain.prio = entry.get('prio', ChainPriorityEnum.RAW.value)
		chain.prio = entry.get('prio', ChainPriorityEnum.FILTER.value)
		chain.policy = entry.get('policy', ActionEnum.ACCEPT.value)
		return chain

		@@ -126,8 +126,8 @@ class Chain:
		parts = [
		'add', 'chain', self.family.value, self.table.value, self.chain,
		'{',
		'type', self.table.value, 'hook', chain_hook, 'priority', 'raw', ';',
		'policy', 'accept', ';',
		'type', self.type, 'hook', self.hook, 'priority', str(self.prio), ';',
		'policy', self.policy, ';',
		'}'
		]
		commands.append((-1, ' '.join(parts)))

src/tests/tools/firewall_agent/firewall_agent/resources/nft_model/Exceptions.py

+6 −4

Original line number	Diff line number	Diff line
		@@ -43,10 +43,12 @@ class MalformedOutputException(Exception):
		)

		class UnsupportedElementException(Exception):
		def __init__(self, element : str, value : str) -> None:
		super().__init__(
		f'Unsupported: element={str(element)} value={str(value)}'
		)
		def __init__(
		self, element : str, value : str, extra : Optional[str] = None
		) -> None:
		msg = f'Unsupported: element={str(element)} value={str(value)}'
		if extra is not None: msg += f' {str(extra)}'
		super().__init__(msg)

		class MissingFieldException(Exception):
		def __init__(self, field_name : str, objekt : Dict) -> None:

src/tests/tools/firewall_agent/firewall_agent/resources/nft_model/Rule.py

+38 −10

Original line number	Diff line number	Diff line
		@@ -28,6 +28,40 @@ from .TableEnum import TableEnum
		LOGGER = logging.getLogger(__name__)


		OPENCONFIG_ACL_ACTION_TO_NFT = {
		'ACCEPT' : ActionEnum.ACCEPT,
		'DROP' : ActionEnum.DROP,
		'REJECT' : ActionEnum.REJECT,
		}

		def get_nft_action_from_openconfig(oc_action : str) -> ActionEnum:
		nft_action = OPENCONFIG_ACL_ACTION_TO_NFT.get(oc_action)
		if nft_action is None:
		supported_values = set(OPENCONFIG_ACL_ACTION_TO_NFT.keys())
		raise UnsupportedElementException(
		'acl_entry.actions.config.forwarding-action', str(oc_action),
		extra=f'supported_values={str(supported_values)}'
		)
		return nft_action


		OPENCONFIG_IPV4_PROTOCOL_TO_NFT = {
		'IP_TCP' : ProtocolEnum.TCP,
		'IP_UDP' : ProtocolEnum.UDP,
		'IP_ICMP' : ProtocolEnum.ICMP,
		}

		def get_nft_ipv4_protocol_from_openconfig(oc_ipv4_protocol : str) -> ProtocolEnum:
		nft_protocol = OPENCONFIG_IPV4_PROTOCOL_TO_NFT.get(oc_ipv4_protocol)
		if nft_protocol is None:
		supported_values = set(OPENCONFIG_IPV4_PROTOCOL_TO_NFT.keys())
		raise UnsupportedElementException(
		'acl_entry.ipv4.config.protocol', str(oc_ipv4_protocol),
		extra=f'supported_values={str(supported_values)}'
		)
		return nft_protocol


		@dataclass
		class Rule:
		family : FamilyEnum
		@@ -97,21 +131,15 @@ class Rule:
		rule.dst_ip_addr = ipaddress.IPv4Interface(ipv4_config['destination-address'])

		if 'protocol' in ipv4_config:
		rule.ip_protocol = {
		'IP_TCP' : ProtocolEnum.TCP,
		'IP_UDP' : ProtocolEnum.UDP,
		'IP_ICMP' : ProtocolEnum.ICMP,
		}.get(ipv4_config['protocol'], None)
		ip_protocol = ipv4_config['protocol']
		rule.ip_protocol = get_nft_ipv4_protocol_from_openconfig(ip_protocol)

		transp_config = acl_entry.get('transport', {}).get('config', {})
		rule.src_port = transp_config.get('source-port')
		rule.dst_port = transp_config.get('destination-port')

		rule.action = {
		'ACCEPT' : ActionEnum.ACCEPT,
		'DROP' : ActionEnum.DROP,
		'REJECT' : ActionEnum.REJECT,
		}.get(acl_entry['actions']['config']['forwarding-action'], None)
		action = acl_entry['actions']['config']['forwarding-action']
		rule.action = get_nft_action_from_openconfig(action)

		return rule

src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_10.json→src/tests/tools/firewall_agent/scripts/data/accept_30435_from_10_0_2_10.json

+2 −2

Original line number	Diff line number	Diff line
		@@ -5,10 +5,10 @@
		"acl-entries": {"acl-entry": [
		{
		"sequence-id": 1,
		"config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-10"},
		"config": {"sequence-id": 1, "description": "accept-30435-from-10-0-2-10"},
		"ipv4": {"config": {"source-address": "10.0.2.10/32", "protocol": "IP_TCP"}},
		"transport": {"config": {"destination-port": 30435}},
		"actions": {"config": {"forwarding-action": "ALLOW"}}
		"actions": {"config": {"forwarding-action": "ACCEPT"}}
		}
		]}
		}]},

src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_2.json→src/tests/tools/firewall_agent/scripts/data/accept_30435_from_10_0_2_2.json

+2 −2

Original line number	Diff line number	Diff line
		@@ -5,10 +5,10 @@
		"acl-entries": {"acl-entry": [
		{
		"sequence-id": 1,
		"config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-2"},
		"config": {"sequence-id": 1, "description": "accept-30435-from-10-0-2-2"},
		"ipv4": {"config": {"source-address": "10.0.2.2/32", "protocol": "IP_TCP"}},
		"transport": {"config": {"destination-port": 30435}},
		"actions": {"config": {"forwarding-action": "ALLOW"}}
		"actions": {"config": {"forwarding-action": "ACCEPT"}}
		}
		]}
		}]},