Shade check issue with L2 filters #338
Comments
Hey @ProtonBruno thanks for the report here. Yea shade checking has some jank to it. We should be able to fix the above unless you wish to take a stab at it?
btriller pushed a commit to btriller/aerleon that referenced this issue on Oct 31, 2023:
* initial commit of NSXT integration (aerleon#338)
* initial commit of NSXT integration
* adding nsxt.py
* changed repo link for flake8 pre-hook to point to github
* fix for nsxt tests to not use xml
* fixed dates and phrasing in commented section. Changed nsxt1 to nsxt_pol
* removed commented code and print statements that were for debugging
* refactored some documentation and removed commented code
* fixed NSXT tests
* Fix some PR suggestions

Signed-off-by: Jesus Angel <jesusa1@vmware.com>

* Add sample NSXT policy
* Add NSXT information for direction and logging
* Fix some NSXT rule parameters not compliant
* NSXT use single action instead of list
* Add VSCode project settings to gitignore
* Remove unnecessary NSXT test functions
* Temporal changes
* Add service class to NSXT
* Finish base implementation for NSXT
* Fix NSXT to match API
* Update NSXT tests
* Wipe deprecated NSXT unit tests
* Add NSXT security group path if it is not specified
* Override NSXT policy id if given in the header
* Fixed NSXT PR comments

---------

Signed-off-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Jesus Angel <jesusa1@vmware.com>

* Merge pull request aerleon#338 from g-nikoloff:feature/nsxt

PiperOrigin-RevId: 524833074

* Add initial NSXT test reference file
* Reformat
* Ignore reformat

---------

Signed-off-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Georgi Nikolov <112373816+g-nikoloff@users.noreply.github.com>
Co-authored-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Capirca Team <no-reply@google.com>
Co-authored-by: Jason Benterou <jason.benterou@gmail.com>
Hi team,
We are using shade check in a pipeline job to validate policy changes.
It's a bit broken when dealing with L2 Juniper filters (Bridge or Ethernet Switching):
If you add for example an allow ARP ether-type term then shade check will report any following term as shaded by this one even if it specifies another protocol.
```
term allow-arp {
  ether-type:: arp
  counter:: allow-arp
  action:: accept
}
term allow-icmp {
  source-address:: MGMT_DHCP
  destination-address:: INFRA
  protocol:: icmp
  icmp-type:: echo-request
  counter:: allow-icmp
  action:: accept
}
term allow-https {
  source-address:: MGMT_INFRA_SRV
  destination-address:: INFRA_MS
  protocol:: tcp
  destination-port:: HTTPS
  counter:: allow-https
  action:: accept
}
term default-deny {
  logging:: syslog
  counter:: default-deny
  action:: deny
}
```
Specifying ether-type in following terms is currently not possible:
```
<class 'aerleon.lib.policy.TermProtocolEtherTypeError'>ether-type not supported when used with upper-layer protocol restrictions. Term: allow-https
```
Thanks
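To make the reported behaviour concrete, here is an added, self-contained Python model of a term-shading check; it is not aerleon's shade checker and not the reporter's code. It uses a hypothetical `Term` data model whose fields mirror the policy keywords in the issue, compares network and port names as opaque tokens (a simplification; the real checker works on address sets), and assumes that any protocol, address or port restriction implicitly limits a term to IP ether-types. `shaded_by_naive` ignores ether-type and reproduces the defect (every term after `allow-arp` is reported as shaded by it); `shaded_by` folds the implicit ether-type into the comparison so `allow-arp` no longer shades the IP terms while a genuinely redundant ARP term is still caught.

```python
"""Ether-type-aware term shading check.

Added, self-contained example; it is NOT aerleon's shade checker and
only models the behaviour described in the issue. The Term fields mirror
the policy keywords used there, but the data model is a hypothetical
simplification: network and port names are compared as opaque tokens,
and an empty frozenset means "unrestricted".
"""
from dataclasses import dataclass

ANY = frozenset()  # unrestricted field

# Assumption: protocol/address/port restrictions only make sense on IP
# frames, so a term using them is implicitly limited to IP ether-types.
IP_ETHER_TYPES = frozenset({"ipv4", "ipv6"})
UPPER_LAYER_FIELDS = ("protocol", "source_address",
                      "destination_address", "destination_port")


@dataclass(frozen=True)
class Term:
    name: str
    ether_type: frozenset = ANY
    protocol: frozenset = ANY
    source_address: frozenset = ANY
    destination_address: frozenset = ANY
    destination_port: frozenset = ANY


def field_covers(earlier, later):
    """True if the earlier term's value for a field matches at least
    everything the later term's value matches."""
    return not earlier or (bool(later) and later <= earlier)


def effective_ether_types(term):
    """Ether-types a term can match, including the implicit IP-only
    restriction carried by upper-layer fields."""
    if term.ether_type:
        return term.ether_type
    if any(getattr(term, f) for f in UPPER_LAYER_FIELDS):
        return IP_ETHER_TYPES
    return ANY


def shaded_by_naive(earlier, later):
    """Reproduces the reported defect: ether-type is ignored, so a term
    that restricts nothing but ether-type looks like a match-all."""
    return all(field_covers(getattr(earlier, f), getattr(later, f))
               for f in UPPER_LAYER_FIELDS)


def shaded_by(earlier, later):
    """Corrected check: the later term is shaded only if the earlier term
    also covers its (implicit) ether-types."""
    if not field_covers(effective_ether_types(earlier),
                        effective_ether_types(later)):
        return False
    return shaded_by_naive(earlier, later)


def find_shaded(terms, check=shaded_by):
    """Return (shaded_term, shading_term) pairs; each term is reported
    against the first earlier term that shades it."""
    found = []
    for i, later in enumerate(terms):
        for earlier in terms[:i]:
            if check(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed policy mirroring the one in the issue.
POLICY = [
    Term("allow-arp", ether_type=frozenset({"arp"})),
    Term("allow-icmp", protocol=frozenset({"icmp"}),
         source_address=frozenset({"MGMT_DHCP"}),
         destination_address=frozenset({"INFRA"})),
    Term("allow-https", protocol=frozenset({"tcp"}),
         source_address=frozenset({"MGMT_INFRA_SRV"}),
         destination_address=frozenset({"INFRA_MS"}),
         destination_port=frozenset({"HTTPS"})),
    Term("default-deny"),
]

if __name__ == "__main__":
    print("naive           :", find_shaded(POLICY, check=shaded_by_naive))
    print("ether-type aware:", find_shaded(POLICY))
```

Run stand-alone, the naive check lists `allow-icmp`, `allow-https` and `default-deny` as shaded by `allow-arp`, exactly the false positive the issue describes, while the ether-type-aware check reports nothing for this policy. Appending a second `ether-type:: arp` term still gets flagged against `allow-arp`, which is the case a shade check on an L2 filter should keep catching.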