Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Interface full_delete fails if static route references any other interface #481

Open
tintedcorals opened this issue Oct 25, 2022 · 2 comments
Open

Interface full_delete fails if static route references any other interface #481

tintedcorals opened this issue Oct 25, 2022 · 2 comments
Labels
bug

Comments

@tintedcorals
Copy link

tintedcorals commented Oct 25, 2022
edited

Describe the bug

If a static route exists on the firewall which references an interface, a full_delete() will fail on a different interface.

Expected behavior

full_delete() should complete without throwing an exception

Current behavior

A TypeError exception is thrown, such as:

File "/work/panos/network.py", line 595, in full_delete
elif "__iter__" in dir(obj.interface) and self in obj.interface:
TypeError: 'in ' requires string as left operand, not EthernetInterface

Possible solution

StaticRoute's interface attribute gets populated as a string, whereas the full_delete code appears to expect a list (which is the case for other objects such as VirtualRouter or Zone). Since the str type will also pass the __iter__ check, a more specific type check may be needed to avoid the in test that results at network.py:595.

Steps to reproduce

Minimal pan-os-python reproduction without a live firewall (StaticRoute is being added directly to Firewall for brevity but error still triggers with VirtualRouter):

from panos.network import EthernetInterface, StaticRoute
from panos.firewall import Firewall

firewall = Firewall()
ethernet1 = firewall.add(EthernetInterface("ethernet1/1", mode="layer3"))
ethernet2 = firewall.add(EthernetInterface("ethernet1/2", mode="layer3"))
route = firewall.add(StaticRoute("test", interface="ethernet1/1"))

ethernet2.full_delete()  # generates error

Context

This can be a really tricky situation to avoid since the StaticRoute that triggers the error is unrelated to the interface being changed. Routes targeted at interfaces rather than next-hops can be common in environments with IPSec tunnels, but the interface can also be present in addition to a next-hop for any static route.

Your Environment

Python 3.9.15
pan-os-python 1.7.3
@welcome-to-palo-alto-networks
Copy link

🎉 Thanks for opening your first issue here! Welcome to the community!

@pechsteinma
Copy link

The following fixes the problem for me:
In version 1.8.0 in network.py line 594 from
elif "__iter__" in dir(obj.interface) and self in obj.interface:
to
elif "__iter__" in dir(obj.interface) and str(self) in obj.interface:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pechsteinma @tintedcorals