Shade check issue with L2 filters #338

Open
ProtonBruno opened this issue Aug 9, 2023 · 1 comment

Comments

@ProtonBruno (Contributor) commented Aug 9, 2023

Hi team,
We are using shade check in a pipeline job to validate policy changes.
It's a bit broken when dealing with L2 Juniper filters (Bridge or Ethernet Switching): if you add, for example, an allow-ARP ether-type term, then shade check will report any following term as shaded by this one, even if it specifies another protocol.

```
term allow-arp {
  ether-type:: arp
  counter:: allow-arp
  action:: accept
}
term allow-icmp {
  source-address:: MGMT_DHCP
  destination-address:: INFRA
  protocol:: icmp
  icmp-type:: echo-request
  counter:: allow-icmp
  action:: accept
}
term allow-https {
  source-address:: MGMT_INFRA_SRV
  destination-address:: INFRA_MS
  protocol:: tcp
  destination-port:: HTTPS
  counter:: allow-https
  action:: accept
}
term default-deny {
  logging:: syslog
  counter:: default-deny
  action:: deny
}
```

Specifying ether-type in the following terms is currently not possible:

```
<class 'aerleon.lib.policy.TermProtocolEtherTypeError'>ether-type not supported when used with upper-layer protocol restrictions. Term: allow-https
```

Thanks
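The behaviour described in this report, as an added example that is not aerleon's code: a simplified shade check over the four terms above, where an upper-layer `protocol::` restriction is treated as an implicit IP ether-type so an ARP-only term cannot cover it. The `Term` model, the `check_ether_type` switch, and comparing addresses and ports as opaque name tokens instead of resolved prefixes are all assumptions made for the illustration.

```python
# Added example, not aerleon code. Assumption: addresses/ports are opaque tokens.
from dataclasses import dataclass

# A protocol:: restriction can only match IP frames, so such a term
# implicitly carries an IP ether-type even when none is written.
IP_ETHER_TYPES = frozenset({"ipv4", "ipv6"})

@dataclass(frozen=True)
class Term:
    name: str
    ether_type: frozenset = frozenset()  # empty set means "any"
    protocol: frozenset = frozenset()
    src: frozenset = frozenset()
    dst: frozenset = frozenset()
    dport: frozenset = frozenset()

    def effective_ether_type(self) -> frozenset:
        if self.ether_type:
            return self.ether_type
        return IP_ETHER_TYPES if self.protocol else frozenset()

def covers(outer: frozenset, inner: frozenset) -> bool:
    # Outer field matches everything the inner field matches ("any" is empty).
    return not outer or (bool(inner) and inner <= outer)

def shades(earlier: Term, later: Term, check_ether_type: bool = True) -> bool:
    """The earlier term shades the later one if it matches every frame the later one does."""
    pairs = [(earlier.protocol, later.protocol), (earlier.src, later.src),
             (earlier.dst, later.dst), (earlier.dport, later.dport)]
    if check_ether_type:  # the field the reported check ignores for L2 filters
        pairs.append((earlier.effective_ether_type(), later.effective_ether_type()))
    return all(covers(o, i) for o, i in pairs)

def shaded_terms(terms, check_ether_type=True):
    # Returns (shaded, shaded_by) pairs; the first shading term is reported.
    found = []
    for i, later in enumerate(terms):
        for earlier in terms[:i]:
            if shades(earlier, later, check_ether_type):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed from the filter quoted in the issue.
POLICY = [
    Term("allow-arp", ether_type=frozenset({"arp"})),
    Term("allow-icmp", protocol=frozenset({"icmp"}), src=frozenset({"MGMT_DHCP"}),
         dst=frozenset({"INFRA"})),
    Term("allow-https", protocol=frozenset({"tcp"}), src=frozenset({"MGMT_INFRA_SRV"}),
         dst=frozenset({"INFRA_MS"}), dport=frozenset({"HTTPS"})),
    Term("default-deny"),
]
```

With `check_ether_type=False` the ARP term, having no other restrictions, covers every later term and reproduces the report; with it enabled no term is shaded.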

@ankenyr (Collaborator) commented Aug 30, 2023

Hey @ProtonBruno, thanks for the report here. Yeah, shade checking has some jank to it. We should be able to fix the above, unless you wish to take a stab at it?

btriller pushed a commit to btriller/aerleon that referenced this issue Oct 31, 2023
* initial commit of NSXT integration (aerleon#338)

* initial commit of NSXT integration

* adding nsxt.py

* changed repo link for flake8 pre-hook to point to github

* fix for nsxt tests to not use xml

* fixed dates and phrasing in commented section. Changed nsxt1 to nsxt_pol

* removed commented code and print statements that were for debugging

* refactored some documentation and removed commented code

* fixed NSXT tests

* Fix some PR suggestions

Signed-off-by: Jesus Angel <jesusa1@vmware.com>

* Add sample NSXT policy

* Add NSXT information for direction and logging

* Fix some NSXT rule parameters not compliant

* NSXT use single action instead of list

* Add VSCode project settings to gitignore

* Remove unnecessary NSXT test functions

* Temporal changes

* Add service class to NSXT

* Finish base implementation for NSXT

* Fix NSXT to match API

* Update NSXT tests

* Wipe deprecated NSXT unit tests

* Add NSXT security group path if it is not specified

* Override NSXT policy id if given in the header

* Fixed NSXT PR comments

---------

Signed-off-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Jesus Angel <jesusa1@vmware.com>

* Merge pull request aerleon#338 from g-nikoloff:feature/nsxt

PiperOrigin-RevId: 524833074

* Add initial NSXT test reference file

* Reformat

* Ignore reformat

---------

Signed-off-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Georgi Nikolov <112373816+g-nikoloff@users.noreply.github.com>
Co-authored-by: Jesus Angel <jesusa1@vmware.com>
Co-authored-by: Capirca Team <no-reply@google.com>
Co-authored-by: Jason Benterou <jason.benterou@gmail.com>