Pan: application-override rule conversion #6651
Conversation
Reviewable status: 0 of 10 files reviewed, 1 unresolved discussion (waiting on @sfraint)
a discussion (no related file):
Still need to add a couple more tests: trace detail tests w/ app-override rules, app-override conversion warnings
Codecov Report
@@ Coverage Diff @@
## master #6651 +/- ##
============================================
+ Coverage 73.47% 73.49% +0.02%
- Complexity 36506 36544 +38
============================================
Files 2919 2920 +1
Lines 146988 147178 +190
Branches 17729 17755 +26
============================================
+ Hits 108002 108175 +173
- Misses 30473 30479 +6
- Partials 8513 8524 +11
Reviewed 9 of 10 files at r1, 1 of 1 files at r2.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @corinaminer and @sfraint)
a discussion (no related file):
I didn't see any tests where the same application is mapped to by multiple rules but with different/conflicting service, e.g., my APP can be running on z1->z2 tcp 50 and z3->z2 tcp 70, and it works well.
projects/batfish/src/main/java/org/batfish/representation/palo_alto/ApplicationOverrideRule.java, line 123 at r2 (raw file):
return _protocol == Protocol.TCP ? IpProtocol.TCP : _protocol == Protocol.UDP ? IpProtocol.UDP : null;
given enum, probably best as a switch?
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1506 at r2 (raw file):
headerspaces
packets? (We don't mean HeaderSpace, right? that class is on its way out (I hope)).
Reviewable status: 5 of 12 files reviewed, 3 unresolved discussions (waiting on @corinaminer and @dhalperi)
a discussion (no related file):
Previously, sfraint (Spencer Fraint) wrote…
Still need to add a couple more tests: trace detail tests w/ app-override rules, app-override conversion warnings
added
a discussion (no related file):
Previously, dhalperi (Dan Halperin) wrote…
I didn't see any tests where the same application is mapped to by multiple rules but with different/conflicting service, e.g., my APP can be running on z1->z2 tcp 50 and z3->z2 tcp 70, and it works well.
added one in the shadowing test config
projects/batfish/src/main/java/org/batfish/representation/palo_alto/ApplicationOverrideRule.java, line 123 at r2 (raw file):
Previously, dhalperi (Dan Halperin) wrote…
return _protocol == Protocol.TCP ? IpProtocol.TCP : _protocol == Protocol.UDP ? IpProtocol.UDP : null;
given enum, probably best as a switch?
updated, how's that?
projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java, line 1506 at r2 (raw file):
Previously, dhalperi (Dan Halperin) wrote…
headerspaces
packets? (We don't mean HeaderSpace, right? that class is on its way out (I hope)).
right, updated
Reviewed 7 of 7 files at r3.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @corinaminer and @dhalperi)
Convert application-override rules and use them in security rule ACLs. Includes splitting service matching into service and application components, since application-override rules can conflict with service matching.

For an application-override rule that looks like this:

Trace details can look something like this now:
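The conflict the description and the review thread are about can be seen in a small model of the two match stages. The following is an added example written for this page, not Batfish code: it is a simplified reimplementation of the semantics (first matching application-override rule assigns the application; a security rule must then match on both application and service; unmatched flows hit an implicit deny; zone "any" is a wildcard). The rule names, zones, ports and application names are constructed for the example, and it uses the two-rule case from the review (z1->z2 tcp 50 and z3->z2 tcp 70 both mapping to one application) plus a shadowed override rule of the kind the "shadowing" test config exercises.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    protocol: str  # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AppOverrideRule:
    name: str
    from_zone: str
    to_zone: str
    protocol: str
    ports: FrozenSet[int]
    application: str  # application assigned when the rule matches


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    applications: FrozenSet[str]  # {"any"} or application names
    services: FrozenSet[str]      # {"any"} or "tcp/NNN" / "udp/NNN"
    action: str                   # "allow" or "deny"


def _zones_match(rule_from: str, rule_to: str, flow: Flow) -> bool:
    return rule_from in (ANY, flow.from_zone) and rule_to in (ANY, flow.to_zone)


def override_application(flow: Flow, rules: List[AppOverrideRule]) -> Optional[str]:
    """Assumed semantics: the first application-override rule (in order) that matches wins."""
    for r in rules:
        if (_zones_match(r.from_zone, r.to_zone, flow)
                and r.protocol == flow.protocol and flow.dst_port in r.ports):
            return r.application
    return None


def service_matches(flow: Flow, services: FrozenSet[str]) -> bool:
    return ANY in services or f"{flow.protocol}/{flow.dst_port}" in services


def evaluate(flow: Flow, overrides: List[AppOverrideRule], security_rules: List[SecurityRule],
             identified_app: str = "unknown") -> Tuple[str, Optional[str], str, List[str]]:
    """Returns (action, matched security rule name or None, application, trace lines).

    The application component (override or App-ID result, here a caller-supplied stand-in)
    and the service component (protocol/port) are matched separately, so a flow can match
    a rule's application while failing its service, which is exactly the conflict case.
    """
    trace: List[str] = []
    app = override_application(flow, overrides)
    if app is None:
        app = identified_app
        trace.append(f"no application-override rule matched; application = {app}")
    else:
        trace.append(f"application-override rule assigned application {app}")
    for r in security_rules:
        if not _zones_match(r.from_zone, r.to_zone, flow):
            continue
        app_ok = ANY in r.applications or app in r.applications
        svc_ok = service_matches(flow, r.services)
        if app_ok and svc_ok:
            trace.append(f"security rule {r.name}: matched, action {r.action}")
            return r.action, r.name, app, trace
        if app_ok and not svc_ok:
            trace.append(f"security rule {r.name}: application matched but service did not")
    trace.append("no security rule matched; implicit deny")
    return "deny", None, app, trace


def shadowed_overrides(rules: List[AppOverrideRule]) -> List[str]:
    """Names of override rules that can never match because an earlier rule covers every flow they would."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.from_zone in (ANY, later.from_zone) and earlier.to_zone in (ANY, later.to_zone)
                    and earlier.protocol == later.protocol and later.ports <= earlier.ports):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample configuration (not from the PR).
OVERRIDES = [
    AppOverrideRule("override-z1", "z1", "z2", "tcp", frozenset({50}), "my-app"),
    AppOverrideRule("override-z3", "z3", "z2", "tcp", frozenset({70}), "my-app"),
    AppOverrideRule("override-shadowed", "z1", "z2", "tcp", frozenset({50}), "other-app"),
]
SECURITY = [
    SecurityRule("allow-my-app", ANY, "z2", frozenset({"my-app"}), frozenset({"tcp/70"}), "allow"),
]

if __name__ == "__main__":
    for flow in (Flow("z1", "z2", "tcp", 50), Flow("z3", "z2", "tcp", 70), Flow("z1", "z2", "tcp", 70)):
        action, rule, app, trace = evaluate(flow, OVERRIDES, SECURITY)
        print(flow, "->", action, rule, app)
        for line in trace:
            print("   ", line)
    print("shadowed override rules:", shadowed_overrides(OVERRIDES))
```

The z1->z2 tcp 50 flow is overridden to my-app but is denied, because allow-my-app only accepts service tcp/70; the z3->z2 tcp 70 flow is allowed; the same tcp 70 flow from z1 is denied because no override fires and App-ID (here the "unknown" stand-in) does not yield my-app. The shadowing check is the kind of configuration lint a reviewer of such a policy would want alongside the conversion.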