Exemplo n.º 1
 def compare_networks(range_to_cidrs_data):
     """Collect the parts of each network that fall outside the range ends.

     ``start``, ``end`` and ``free_space`` are not parameters: they are read
     from the enclosing scope. ``free_space`` is extended in place and is
     also the return value.

     For every entry of ``range_to_cidrs_data``:
       * a network equal to ``start`` or ``end`` is skipped;
       * a network containing both has ``start`` excluded and ``end``
         dropped from the remainder before the remainder is recorded;
       * a network containing only one of them has that one excluded;
       * any other network is recorded whole.
     """
     for inet in range_to_cidrs_data:
         net = IPNetwork(inet)
         if net == IPNetwork(start) or net == IPNetwork(end):
             continue

         first, last = IPNetwork(start), IPNetwork(end)
         holds_first = first in net
         holds_last = last in net

         if holds_first and holds_last:
             leftover = netaddr.cidr_exclude(net, first)
             # NOTE(review): when `last` is not itself one of the leftover
             # blocks (or is the only one), nothing from this network is
             # recorded at all. That errs on the side of "not free", but
             # confirm that silently dropping the network is intended.
             if last in leftover and len(leftover) > 1:
                 leftover.remove(last)
                 free_space.extend(leftover)
         elif holds_first:
             free_space.extend(netaddr.cidr_exclude(net, first))
         elif holds_last:
             free_space.extend(netaddr.cidr_exclude(net, last))
         else:
             free_space.append(net)
     return free_space
Exemplo n.º 2
 def __init__(self, vpc_cidr, used_subnets=[]):
     """Work out which parts of ``vpc_cidr`` are still unallocated.

     ``used_subnets`` is merged with ``cidr_merge`` and stored as
     ``self.used_subnets``; the default list is only read, never mutated.
     ``self.availible_subnets`` ends up as a list of the blocks that are
     left after every used subnet found inside a free block is carved out.
     """
     vpc_network = IPNetwork(vpc_cidr)
     self.availible_subnets = [vpc_network]
     # cidr_merge returns a list, e.g.
     # [IPNetwork('192.168.0.0/30'), IPNetwork('192.168.0.16/28')]
     self.used_subnets = cidr_merge(used_subnets)
     if not self.used_subnets:
         return

     # The first used subnet is always subtracted from the VPC itself.
     free_blocks = list(cidr_exclude(vpc_network, self.used_subnets[0]))
     for taken in self.used_subnets:
         # Walk a snapshot: free_blocks is rebound while it is scanned.
         for block in list(free_blocks):
             # NOTE(review): only "taken inside block" is handled. A used
             # subnet that is not contained in any free block (for example
             # one reaching outside the VPC) leaves the overlapping blocks
             # listed as available - confirm callers validate the input,
             # otherwise an overlapping subnet could be handed out later.
             if IPNetwork(taken) in IPNetwork(block):
                 free_blocks.remove(block)
                 free_blocks = free_blocks + cidr_exclude(block, taken)
     self.availible_subnets = free_blocks
Exemplo n.º 3
def test_cidr_exclude_v4():
    """Check cidr_exclude() on IPv4 networks, one table row per case."""
    cases = [
        # (network, excluded, expected remainder as CIDR strings)
        # -- excluded block is the network itself or lies inside it
        ('192.0.2.1/32', '192.0.2.1/32', []),
        ('192.0.2.0/31', '192.0.2.1/32', ['192.0.2.0/32']),
        ('192.0.2.0/24', '192.0.2.128/25', ['192.0.2.0/25']),
        ('192.0.2.0/24', '192.0.2.128/27',
         ['192.0.2.0/25', '192.0.2.160/27', '192.0.2.192/26']),
        # -- excluded block covers the whole network: nothing is left
        ('192.0.2.1/32', '192.0.2.0/24', []),
        # -- excluded block does not overlap: network comes back unchanged
        ('192.0.2.0/28', '192.0.2.16/32', ['192.0.2.0/28']),
        ('192.0.1.255/32', '192.0.2.0/28', ['192.0.1.255/32']),
    ]
    for network, excluded, remainder in cases:
        expected = [IPNetwork(cidr) for cidr in remainder]
        assert cidr_exclude(network, excluded) == expected
Exemplo n.º 4
 def GetSubnet(self, prefix):
     """Carve one subnet of length ``prefix`` out of the free pool.

     The free block is picked by passing the prefix lengths of
     ``self.availible_subnets`` to ``closest``; the first block with the
     chosen length is taken out of the pool, its first ``prefix``-sized
     subnet is allocated, and whatever is left of the block goes back
     into the pool. Returns the allocated subnet as a string.
     """
     # Prefix lengths of every free block, e.g. [30, 29, 28]
     pool_lengths = [block.prefixlen for block in self.availible_subnets]
     # Length picked by closest() for this request, e.g. 28
     chosen_length = closest(pool_lengths, prefix)
     # First free block with that length, e.g. 192.168.0.16/28
     parent = self.availible_subnets[pool_lengths.index(chosen_length)]
     self.availible_subnets.remove(parent)
     # NOTE(review): the block has already left the pool at this point; if
     # subnet() yields nothing the [0] lookups below raise IndexError and
     # the block is lost - confirm closest() only returns usable lengths.
     carved = list(parent.subnet(prefix, count=1))
     # Put the unused remainder of the parent block back into the pool.
     remainder = cidr_exclude(parent, carved[0])
     self.availible_subnets = self.availible_subnets + remainder
     return str(carved[0])
Exemplo n.º 5
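def split(subnet, prefix, count=None):
    """Return the subnets of ``subnet`` that have prefix length ``prefix``.

    The earlier version also removed the network from a local set and
    merged in the ``cidr_exclude`` remainder, but that set was discarded on
    return, so the bookkeeping had no effect and is dropped here.

    Args:
        subnet: anything ``IPNetwork`` accepts.
        prefix: target prefix length; converted with ``int()``.
        count: optional cap on the number of subnets; converted with
            ``int()`` when it is not None.

    Returns:
        A list of the generated subnets, or None when the split yields
        nothing.
    """
    network = IPNetwork(subnet)
    width = int(prefix)
    limit = int(count) if count is not None else None
    # NOTE(review): with count=None the whole split is materialised, which
    # can be a very large list for a wide network and a long prefix -
    # bound `count` when these values come from an untrusted caller.
    subnets = list(network.subnet(width, count=limit))
    return subnets or None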
Exemplo n.º 6
def test_cidr_exclude_v4():
    """Exercise cidr_exclude() with nested, covering and disjoint blocks."""

    def nets(*cidrs):
        # Expected remainders are compared as IPNetwork objects.
        return [IPNetwork(cidr) for cidr in cidrs]

    # Excluded block equals the network or sits inside it.
    assert cidr_exclude('192.0.2.1/32', '192.0.2.1/32') == nets()
    assert cidr_exclude('192.0.2.0/31', '192.0.2.1/32') == nets(
        '192.0.2.0/32')
    assert cidr_exclude('192.0.2.0/24', '192.0.2.128/25') == nets(
        '192.0.2.0/25')
    assert cidr_exclude('192.0.2.0/24', '192.0.2.128/27') == nets(
        '192.0.2.0/25', '192.0.2.160/27', '192.0.2.192/26')

    # Excluded block swallows the network entirely.
    assert cidr_exclude('192.0.2.1/32', '192.0.2.0/24') == nets()

    # Excluded block is disjoint, so the network is returned untouched.
    assert cidr_exclude('192.0.2.0/28', '192.0.2.16/32') == nets(
        '192.0.2.0/28')
    assert cidr_exclude('192.0.1.255/32', '192.0.2.0/28') == nets(
        '192.0.1.255/32')
Exemplo n.º 7
 def route_exclusion(myroutes, remove_routes):
     """Cut every route in ``remove_routes`` out of ``myroutes``.

     Either argument may be a single route instead of a list. Each route
     to remove is subtracted with ``cidr_exclude`` from the current list,
     so later removals operate on the fragments left by earlier ones.
     Returns the de-duplicated result in sorted order. Note that this is
     not the same operation as route_subtraction.
     """
     # Excluding B from a larger A leaves several smaller subnets, so with
     # more than one B the working list has to be rebuilt after each pass:
     # every further B is removed from the fragments, not from the
     # original A. Usually there is only a single B, but this keeps the
     # general case correct.
     if not isinstance(myroutes, list):
         myroutes = [myroutes]
     if not isinstance(remove_routes, list):
         remove_routes = [remove_routes]
     for remove_route in remove_routes:
         myroutes = [
             fragment
             for route in myroutes
             for fragment in cidr_exclude(route, remove_route)
         ]
     return sorted(set(myroutes))
Exemplo n.º 8
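    def _parse_sg_rules(self, sg_rule_body_list, direction, policy):
        """Parse policy into security group rules.

        This method inspects the policy object and create the equivalent
        security group rules associating them to the referenced sg_id.
        It returns the rules by adding them to the sg_rule_body_list list,
        for the stated direction.

        It accounts for special cases, such as:
        - PolicyTypes stating only Egress: ensuring ingress is not restricted
        - PolicyTypes not including Egress: ensuring egress is not restricted
        - {} ingress/egress rules: applying default open for all

        For ipBlock peers, every entry of 'except' is subtracted from the
        block's 'cidr' cumulatively, so no excepted range is allowed.

        :param sg_rule_body_list: list the generated rule bodies are
                                  appended to (modified in place)
        :param direction: 'ingress' or 'egress'
        :param policy: network policy dict; 'spec' and 'metadata' are read
        :returns: None
        """
        rule_list = policy['spec'].get(direction)
        if not rule_list:
            policy_types = policy['spec'].get('policyTypes')
            if direction == 'ingress':
                # policyTypes may be absent (None); in that case no default
                # open rule is added instead of failing on len(None).
                if policy_types == ['Egress']:
                    # NOTE(ltomasbo): add default rule to enable all ingress
                    # traffic as NP policy is not affecting ingress
                    LOG.debug('Applying default all open for ingress for '
                              'policy %s', policy['metadata']['selfLink'])
                    self._create_default_sg_rule(direction, sg_rule_body_list)
            elif direction == 'egress':
                if policy_types and 'Egress' not in policy_types:
                    # NOTE(ltomasbo): add default rule to enable all egress
                    # traffic as NP policy is not affecting egress
                    LOG.debug('Applying default all open for egress for '
                              'policy %s', policy['metadata']['selfLink'])
                    self._create_default_sg_rule(direction, sg_rule_body_list)
            else:
                LOG.warning('Not supported policyType at network policy %s',
                            policy['metadata']['selfLink'])
            return

        policy_namespace = policy['metadata']['namespace']
        pod_selector = policy['spec'].get('podSelector')

        # Peers are listed under 'from' for ingress and 'to' for egress.
        rule_direction = 'from'
        if direction == 'egress':
            rule_direction = 'to'

        if rule_list[0] == {}:
            LOG.debug('Applying default all open policy from %s',
                      policy['metadata']['selfLink'])
            for ethertype in (constants.IPv4, constants.IPv6):
                rule = driver_utils.create_security_group_rule_body(
                    direction, ethertype=ethertype)
                sg_rule_body_list.append(rule)

        for rule_block in rule_list:
            LOG.debug('Parsing %(dir)s Rule %(rule)s', {'dir': direction,
                                                        'rule': rule_block})
            allow_all, selectors, allowed_resources = self._parse_selectors(
                rule_block, rule_direction, policy_namespace)

            ipblock_list = []

            if rule_direction in rule_block:
                ipblock_list = [ipblock.get('ipBlock') for ipblock in
                                rule_block[rule_direction] if 'ipBlock'
                                in ipblock]

            for ipblock in ipblock_list:
                excepted_cidrs = ipblock.get('except')
                if excepted_cidrs:
                    # Subtract each exception from what is left after the
                    # previous ones. Excluding every exception from the
                    # original CIDR separately and adding up the results
                    # would re-allow one excepted range through the
                    # remainder computed for another.
                    remaining = [ipblock.get('cidr')]
                    for cidr_except in excepted_cidrs:
                        remaining = [
                            piece for network in remaining
                            for piece in netaddr.cidr_exclude(
                                network, cidr_except)]
                    allowed_resources.extend(
                        {'cidr': str(cidr)} for cidr in remaining)
                else:
                    allowed_resources.append(ipblock)

            if 'ports' in rule_block:
                for port in rule_block['ports']:
                    if allowed_resources or allow_all or selectors:
                        # Named (text) ports and numeric ports are handled
                        # by separate helpers.
                        if type(port.get('port')) is not int:
                            self._create_sg_rule_body_on_text_port(
                                direction, port, allowed_resources,
                                sg_rule_body_list, pod_selector,
                                policy_namespace)
                        else:
                            self._create_sg_rule_on_number_port(
                                allowed_resources, direction, port,
                                sg_rule_body_list, policy_namespace)
                        if allow_all:
                            self._create_all_pods_sg_rules(
                                port, direction, sg_rule_body_list,
                                pod_selector, policy_namespace)
                    else:
                        self._create_all_pods_sg_rules(
                            port, direction, sg_rule_body_list,
                            pod_selector, policy_namespace)
            elif allowed_resources or allow_all or selectors:
                for resource in allowed_resources:
                    cidr, namespace = self._get_resource_details(resource)
                    # NOTE(maysams): Skipping resource that do not have
                    # an IP assigned. The security group rule creation
                    # will be triggered again after the resource is running.
                    if not cidr:
                        continue
                    rule = driver_utils.create_security_group_rule_body(
                        direction,
                        port_range_min=1,
                        port_range_max=65535,
                        cidr=cidr,
                        namespace=namespace)
                    sg_rule_body_list.append(rule)
                    if direction == 'egress':
                        self._create_svc_egress_sg_rule(
                            policy_namespace, sg_rule_body_list,
                            resource=resource)
                if allow_all:
                    for ethertype in (constants.IPv4, constants.IPv6):
                        rule = driver_utils.create_security_group_rule_body(
                            direction,
                            port_range_min=1,
                            port_range_max=65535,
                            ethertype=ethertype)
                        sg_rule_body_list.append(rule)
                        if direction == 'egress':
                            self._create_svc_egress_sg_rule(policy_namespace,
                                                            sg_rule_body_list)
            else:
                LOG.debug('This network policy specifies no %(direction)s '
                          '%(rule_direction)s and no ports: %(policy)s',
                          {'direction': direction,
                           'rule_direction': rule_direction,
                           'policy': policy['metadata']['selfLink']})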
Exemplo n.º 9
def test_ipset_cidr_fracturing():
    """Removing single addresses from 0.0.0.0/0 fractures it into CIDRs.

    Dropping the last address leaves 32 blocks; dropping the first one as
    well leaves 62; adding both back restores the single /0.
    """
    # Blocks left once 255.255.255.255 is removed from 0.0.0.0/0.
    without_last = [
        '0.0.0.0/1', '128.0.0.0/2', '192.0.0.0/3', '224.0.0.0/4',
        '240.0.0.0/5', '248.0.0.0/6', '252.0.0.0/7', '254.0.0.0/8',
        '255.0.0.0/9', '255.128.0.0/10', '255.192.0.0/11', '255.224.0.0/12',
        '255.240.0.0/13', '255.248.0.0/14', '255.252.0.0/15', '255.254.0.0/16',
        '255.255.0.0/17', '255.255.128.0/18', '255.255.192.0/19',
        '255.255.224.0/20', '255.255.240.0/21', '255.255.248.0/22',
        '255.255.252.0/23', '255.255.254.0/24', '255.255.255.0/25',
        '255.255.255.128/26', '255.255.255.192/27', '255.255.255.224/28',
        '255.255.255.240/29', '255.255.255.248/30', '255.255.255.252/31',
        '255.255.255.254/32',
    ]
    # Blocks that replace 0.0.0.0/1 once 0.0.0.0 is removed as well.
    lower_half_without_first = [
        '0.0.0.1/32', '0.0.0.2/31', '0.0.0.4/30', '0.0.0.8/29',
        '0.0.0.16/28', '0.0.0.32/27', '0.0.0.64/26', '0.0.0.128/25',
        '0.0.1.0/24', '0.0.2.0/23', '0.0.4.0/22', '0.0.8.0/21',
        '0.0.16.0/20', '0.0.32.0/19', '0.0.64.0/18', '0.0.128.0/17',
        '0.1.0.0/16', '0.2.0.0/15', '0.4.0.0/14', '0.8.0.0/13',
        '0.16.0.0/12', '0.32.0.0/11', '0.64.0.0/10', '0.128.0.0/9',
        '1.0.0.0/8', '2.0.0.0/7', '4.0.0.0/6', '8.0.0.0/5',
        '16.0.0.0/4', '32.0.0.0/3', '64.0.0.0/2',
    ]

    s1 = IPSet(['0.0.0.0/0'])
    s1.remove('255.255.255.255')
    assert s1 == IPSet(without_last)

    cidrs = s1.iter_cidrs()
    assert len(cidrs) == 32
    assert list(cidrs) == [IPNetwork(cidr) for cidr in without_last]

    # The set-based result must agree with the function-based one.
    assert cidrs == cidr_exclude('0.0.0.0/0', '255.255.255.255')

    s1.remove('0.0.0.0')

    # Only the 0.0.0.0/1 block is affected; the others stay as they were.
    assert s1 == IPSet(lower_half_without_first + without_last[1:])

    assert len(list(s1.iter_cidrs())) == 62

    s1.add('255.255.255.255')
    s1.add('0.0.0.0')

    assert s1 == IPSet(['0.0.0.0/0'])
Exemplo n.º 10
def test_ipset_cidr_fracturing():
    """Check how an IPSet splits into CIDRs as single addresses leave it."""
    everything = ['0.0.0.0/0']

    # Expected CIDRs after the broadcast address has been taken out.
    minus_broadcast = (
        '0.0.0.0/1', '128.0.0.0/2', '192.0.0.0/3',
        '224.0.0.0/4', '240.0.0.0/5', '248.0.0.0/6',
        '252.0.0.0/7', '254.0.0.0/8', '255.0.0.0/9',
        '255.128.0.0/10', '255.192.0.0/11', '255.224.0.0/12',
        '255.240.0.0/13', '255.248.0.0/14', '255.252.0.0/15',
        '255.254.0.0/16', '255.255.0.0/17', '255.255.128.0/18',
        '255.255.192.0/19', '255.255.224.0/20', '255.255.240.0/21',
        '255.255.248.0/22', '255.255.252.0/23', '255.255.254.0/24',
        '255.255.255.0/25', '255.255.255.128/26', '255.255.255.192/27',
        '255.255.255.224/28', '255.255.255.240/29', '255.255.255.248/30',
        '255.255.255.252/31', '255.255.255.254/32',
    )
    # Expected CIDRs covering 0.0.0.1 - 127.255.255.255 once 0.0.0.0 has
    # been taken out too; they stand in for the single 0.0.0.0/1 above.
    minus_zero = (
        '0.0.0.1/32', '0.0.0.2/31', '0.0.0.4/30',
        '0.0.0.8/29', '0.0.0.16/28', '0.0.0.32/27',
        '0.0.0.64/26', '0.0.0.128/25', '0.0.1.0/24',
        '0.0.2.0/23', '0.0.4.0/22', '0.0.8.0/21',
        '0.0.16.0/20', '0.0.32.0/19', '0.0.64.0/18',
        '0.0.128.0/17', '0.1.0.0/16', '0.2.0.0/15',
        '0.4.0.0/14', '0.8.0.0/13', '0.16.0.0/12',
        '0.32.0.0/11', '0.64.0.0/10', '0.128.0.0/9',
        '1.0.0.0/8', '2.0.0.0/7', '4.0.0.0/6',
        '8.0.0.0/5', '16.0.0.0/4', '32.0.0.0/3',
        '64.0.0.0/2',
    )

    s1 = IPSet(everything)
    s1.remove('255.255.255.255')
    assert s1 == IPSet(list(minus_broadcast))

    cidrs = s1.iter_cidrs()
    assert len(cidrs) == 32
    assert list(cidrs) == list(map(IPNetwork, minus_broadcast))

    assert cidrs == cidr_exclude('0.0.0.0/0', '255.255.255.255')

    s1.remove('0.0.0.0')

    assert s1 == IPSet(list(minus_zero) + list(minus_broadcast[1:]))

    assert len(list(s1.iter_cidrs())) == 62

    # Putting both addresses back must collapse the set to one /0 again.
    for address in ('255.255.255.255', '0.0.0.0'):
        s1.add(address)

    assert s1 == IPSet(everything)