Python IpBlock.get_all_ips_blockの例

コード例 #1

ファイル: CalicoPolicyYamlParser.py プロジェクト: IBM/network-config-analyzer

    def _get_rule_peers(self, entity_rule):
        """
        Parse the peer-specifying parts of the source/destination parts of a rule
        :param dict entity_rule: The object to parse
        :return: The peers that are specified by nets/notNets/selector/notSelector/namespaceSelector
        :rtype: PeerSet
        """
        nets = entity_rule.get('nets')
        if nets:
            rule_ips = IpBlock(nets[0])
            for cidr in nets[1:]:
                rule_ips |= IpBlock(cidr)
        else:
            rule_ips = IpBlock.get_all_ips_block()

        not_nets = entity_rule.get('notNets', [])
        for cidr in not_nets:
            rule_ips -= IpBlock(cidr)

        ns_selector = self._get_value_as_str(entity_rule, 'namespaceSelector')
        pod_selector = self._get_value_as_str(entity_rule, 'selector')
        not_pod_selector = self._get_value_as_str(entity_rule, 'notSelector')
        if ns_selector:
            rule_peers = self._parse_label_selector(ns_selector,
                                                    entity_rule,
                                                    namespace_selector=True)
        elif pod_selector:
            rule_peers = self.peer_container.get_namespace_pods(self.namespace)
        elif nets or not_nets:
            rule_peers = PeerSet()
            rule_peers.add(rule_ips)
        else:
            rule_peers = self.peer_container.get_all_peers_group(True)

        ns_to_use = self.namespace if not ns_selector else None
        if pod_selector is not None:
            selected_pods = self._parse_label_selector(pod_selector,
                                                       entity_rule, ns_to_use)
            if pod_selector.strip() != 'all()' and selected_pods == rule_peers:
                self.warning(
                    'selector has no effect - better delete or use "all()"',
                    entity_rule)
            rule_peers &= selected_pods
        if not_pod_selector:
            rule_peers -= self._parse_label_selector(not_pod_selector,
                                                     entity_rule, ns_to_use)

        if (nets or not_nets) and (ns_selector or pod_selector):
            rule_peers = PeerSet()
            self.warning(
                'Mixing ip-based selection with label-based selection is likely a mistake',
                entity_rule)

        return rule_peers

コード例 #2

 def get_all_peers_group(self, add_external_ips=False, include_globals=True):
     """
     Return all peers known in the system
     :param bool add_external_ips: Whether to also add the full range of ips
     :param bool include_globals: Whether to include global peers
     :return PeerSet: The required set of peers
     """
     res = PeerSet()
     for peer in self.peer_set:
         if include_globals or not peer.is_global_peer():
             res.add(peer)
     if add_external_ips:
         res.add(IpBlock.get_all_ips_block())
     return res

コード例 #3

ファイル: IngressPolicyYamlParser.py プロジェクト: IBM/network-config-analyzer

 def _make_deny_rules(self, allowed_conns):
     """
     Make deny rules from the given connections
     :param TcpLikeProperties allowed_conns: the given allowed connections
     :return: the list of deny IngressPolicyRules
     """
     all_peers_and_ip_blocks = self.peer_container.peer_set.copy()
     all_peers_and_ip_blocks.add(
         IpBlock.get_all_ips_block())  # add IpBlock of all IPs
     all_conns = self._make_tcp_like_properties(PortSet(True),
                                                all_peers_and_ip_blocks)
     denied_conns = all_conns - allowed_conns
     res = self._make_rules_from_conns(denied_conns)
     # Add deny rule for all protocols but TCP , relevant for all peers and ip blocks
     non_tcp_conns = ConnectionSet.get_non_tcp_connections()
     res.append(IngressPolicyRule(all_peers_and_ip_blocks, non_tcp_conns))
     return res

コード例 #4

ファイル: IngressPolicyYamlParser.py プロジェクト: IBM/network-config-analyzer

    def _make_tcp_like_properties(self,
                                  dest_ports,
                                  peers,
                                  paths_dfa=None,
                                  hosts_dfa=None):
        """
        get TcpLikeProperties with TCP allowed connections, corresponding to input properties cube.
        TcpLikeProperties should not contain named ports: substitute them with corresponding port numbers, per peer
        :param PortSet dest_ports: ports set for dest_ports dimension (possibly containing named ports)
        :param PeerSet peers: the set of (target) peers
        :param MinDFA paths_dfa: MinDFA obj for paths dimension
        :param MinDFA hosts_dfa: MinDFA obj for hosts dimension
        :return: TcpLikeProperties with TCP allowed connections, corresponding to input properties cube
        """
        assert peers
        base_peer_set = self.peer_container.peer_set.copy()
        base_peer_set.add(IpBlock.get_all_ips_block())
        if not dest_ports.named_ports:
            peers_interval = base_peer_set.get_peer_interval_of(peers)
            return TcpLikeProperties(source_ports=PortSet(True),
                                     dest_ports=dest_ports,
                                     methods=MethodSet(True),
                                     paths=paths_dfa,
                                     hosts=hosts_dfa,
                                     peers=peers_interval,
                                     base_peer_set=base_peer_set)
        assert not dest_ports.port_set
        assert len(dest_ports.named_ports) == 1
        port = list(dest_ports.named_ports)[0]
        tcp_properties = None
        for peer in peers:
            named_ports = peer.get_named_ports()
            real_port = named_ports.get(port)
            if not real_port:
                self.warning(
                    f'Missing named port {port} in the pod {peer}. Ignoring the pod'
                )
                continue
            if real_port[1] != 'TCP':
                self.warning(
                    f'Illegal protocol {real_port[1]} in the named port {port} ingress target pod {peer}.'
                    f'Ignoring the pod')
                continue
            peer_in_set = PeerSet()
            peer_in_set.add(peer)
            ports = PortSet()
            ports.add_port(real_port[0])
            props = TcpLikeProperties(
                source_ports=PortSet(True),
                dest_ports=ports,
                methods=MethodSet(True),
                paths=paths_dfa,
                hosts=hosts_dfa,
                peers=base_peer_set.get_peer_interval_of(peer_in_set),
                base_peer_set=base_peer_set)
            if tcp_properties:
                tcp_properties |= props
            else:
                tcp_properties = props

        return tcp_properties