Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add IP filtering by network #56394

Merged
merged 5 commits into from
Apr 14, 2020
Merged

Conversation

agraul
Copy link
Contributor

@agraul agraul commented Mar 17, 2020

What does this PR do?

Add IP filtering by network

IPs are filtered out if they don't belong to any of the given networks.
If no network is passed, all items are returned.

Example:

{% set networks = ['192.168.0.0/24', 'fe80::/64'] %}
{{ grains['ip_interfaces'] | filter_by_networks(networks) }}
{{ grains['ipv6'] | filter_by_networks(networks) }}
{{ grains['ipv4'] | filter_by_networks(networks) }}

What issues does this PR fix or reference?

Tests written?

Not yet, I will do it next.

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

salt/utils/network.py Outdated Show resolved Hide resolved
salt/utils/network.py Outdated Show resolved Hide resolved
{{ grains['ipv6'] | filter_by_networks(networks) }}
{{ grains['ipv4'] | filter_by_networks(networks) }}
'''
if filters:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not make filters optional, as this is counter-intuitive. For example if filters=[], the empty array, there is not possible match, and we would expect to return also the empty array. None and [] are semantically similar, but in this case would to just the opposite: will return the full set of values.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes code with filters loaded from a pillar easier. "if no filter in pillar gimme everything" otherwise you would need to stick a default filter into the pillar.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could check if filters is None to treat the [] case differently, but I don't know if that is the best approach. Passing an explicit default¹ as the filter conveys intention better than leaving the filter out in my opinion.

¹ such as ['0.0.0.0/0', '::/0']

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, but do not make the filter parameter optional. By default the pillar data is not optional (KeyError exception), and to make it optional you need to provide an explicit fallback value: pillar.get('networks', None)

I would expect that an empty list of networks will produce no match, but I guess that is OK to go to the opposite semantic if is documented.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do not make the filter parameter optional. By default the pillar data is not optional (KeyError exception)

okay, in that case I don't see a reason not to require a filter (now networks) parameter.

About the sematics of networks=None vs networks=[]: I definitely think that [] should return [], but I am not sure about None. I am leaning towards treating it the same as [], but I can see the argument that None is the absence of filtering.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. The semantic confuses me. For me [] and None are the same, so I would expect the same return value: [].

If we make it different, we need to document it, and we cannot change it later. @darix argument is not very convincing for me, as you can be explicit in the SLS and an {% if %} to apply the filter. But I can see how this is more verbose. Is OK to maintain the semantic where both a different, and see if another review have a stronger opinion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My opinion on this is the following: I see no need for the filters argument to be optional since if someone uses the filter they definitely wants to filter by some condition. The same is about empty filter values like None or []. So since it's documented I'm okay with this implementation.
@saltstack/team-core comments on this?

salt/utils/network.py Outdated Show resolved Hide resolved
salt/utils/network.py Outdated Show resolved Hide resolved
salt/utils/network.py Outdated Show resolved Hide resolved
tests/unit/utils/test_network.py Outdated Show resolved Hide resolved
aplanas
aplanas previously approved these changes Mar 19, 2020
@agraul agraul force-pushed the add-filter-by-networks branch 2 times, most recently from 029479c to 06bdd2f Compare March 19, 2020 16:26
@agraul agraul changed the title [WIP] Add IP filtering by network Add IP filtering by network Mar 23, 2020
salt/utils/network.py Outdated Show resolved Hide resolved
darix and others added 2 commits April 7, 2020 11:36
IPs are filtered out if they don't belong to any of the given networks.
If `None` is passed as the network, all IPs are returned. An empty list
rejects all IPs.

Example:

	{% set networks = ['192.168.0.0/24', 'fe80::/64'] %}
	{{ grains['ip_interfaces'] | filter_by_networks(networks) }}
	{{ grains['ipv6'] | filter_by_networks(networks) }}
	{{ grains['ipv4'] | filter_by_networks(networks) }}

Co-authored-by: Alexander Graul <agraul@suse.com>
@dwoz
Copy link
Contributor

dwoz commented Apr 13, 2020

I've re-started the failing windows build. When it passes this will get merged.

@DmitryKuzmenko
Copy link
Contributor

Just re-started it once more because it timed out again.

@dwoz dwoz merged commit ebb40ac into saltstack:master Apr 14, 2020
@sagetherage sagetherage added the ZRelease-Sodium retired label label May 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ZRelease-Sodium retired label
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants