diff --git a/vppcfg/config/acl.py b/vppcfg/config/acl.py index 68d9e74..d7b477c 100644 --- a/vppcfg/config/acl.py +++ b/vppcfg/config/acl.py @@ -165,17 +165,25 @@ def is_ip(ip_string): return False -def get_network_list(yaml, network_string): +def get_network_list(yaml, network_string, want_ipv4=True, want_ipv6=True): """Return the full list of source or destination address(es). This function resolves the 'source' or 'destination' field, which can either be an IP address, a Prefix, or the name of a Prefix List. It returns a list of ip_network() objects, including prefix. IP addresses - will receive prefixlen /32 or /128.""" + will receive prefixlen /32 or /128. Optionally, want_ipv4 or want_ipv6 can be set to False + to filter the list.""" + ret = [] if is_ip(network_string): ipn = ipaddress.ip_network(network_string, strict=False) - return [ipn] + if ipn.version == 4 and want_ipv4: + ret = [ipn] + if ipn.version == 6 and want_ipv6: + ret = [ipn] + return ret - return prefixlist.get_network_list(yaml, network_string) + return prefixlist.get_network_list( + yaml, network_string, want_ipv4=want_ipv4, want_ipv6=want_ipv6 + ) def get_protocol(protostring): diff --git a/vppcfg/config/prefixlist.py b/vppcfg/config/prefixlist.py index b7cc16c..8160b60 100644 --- a/vppcfg/config/prefixlist.py +++ b/vppcfg/config/prefixlist.py 
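Review bot: The docstring of `get_network_list` does not say what an empty return means, and after this change a literal address of the family that was switched off returns `[]`, just as an unknown prefix-list name does. The callers are not visible in this diff, but if any of them renders an ACL term from the result, an empty source or destination has to lead to the term being skipped for that address family, never to a rule emitted without an address match. I would add a sentence to the docstring such as `Returns [] when nothing matches the requested families; callers must skip the term rather than treat an empty list as 'any'.`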
@@ -36,17 +36,20 @@ def get_by_name(yaml, plname): return None, None -def get_network_list(yaml, plname): +def get_network_list(yaml, plname, want_ipv4=True, want_ipv6=True): """Returns a list of 0 or more ip_network elements, that represent the members in a prefixlist of given name. Return the empty list if the prefixlist doesn't - exist""" + exist. Optionally, want_ipv4 or want_ipv6 can be set to False to filter the list.""" ret = [] plname, pl = get_by_name(yaml, plname) if not pl: return ret for m in pl["members"]: ipn = ipaddress.ip_network(m, strict=False) - ret.append(ipn) + if ipn.version == 4 and want_ipv4: + ret.append(ipn) + if ipn.version == 6 and want_ipv6: + ret.append(ipn) return ret diff --git a/vppcfg/config/test_acl.py b/vppcfg/config/test_acl.py index d307849..b699daa 100644 --- a/vppcfg/config/test_acl.py +++ b/vppcfg/config/test_acl.py @@ -135,7 +135,19 @@ class TestACLMethods(unittest.TestCase): l = acl.get_network_list(self.cfg, "trusted") self.assertIsInstance(l, list) - self.assertEquals(4, len(l)) + self.assertEquals(5, len(l)) + + l = acl.get_network_list(self.cfg, "trusted", want_ipv6=False) + self.assertIsInstance(l, list) + self.assertEquals(2, len(l)) + + l = acl.get_network_list(self.cfg, "trusted", want_ipv4=False) + self.assertIsInstance(l, list) + self.assertEquals(3, len(l)) + + l = acl.get_network_list(self.cfg, "trusted", want_ipv4=False, want_ipv6=False) + self.assertIsInstance(l, list) + self.assertEquals(0, len(l)) l = acl.get_network_list(self.cfg, "pl-notexist") self.assertIsInstance(l, list) diff --git a/vppcfg/config/test_prefixlist.py b/vppcfg/config/test_prefixlist.py index fc41a2b..d0f37bc 100644 --- a/vppcfg/config/test_prefixlist.py +++ b/vppcfg/config/test_prefixlist.py 
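Review bot: The family test in the loop is written as two independent `if` statements with the same body, and the literal branch of `acl.get_network_list` repeats the pattern with `ret = [ipn]`. A single condition reads more directly and leaves one place to change: `if (ipn.version == 4 and want_ipv4) or (ipn.version == 6 and want_ipv6):` followed by `ret.append(ipn)`. Behaviour stays the same, including the empty result when both flags are False.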
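Review bot: The new assertions only pass the prefix-list name `trusted`, so the literal-address branch that this commit changes in `acl.get_network_list` is not exercised with either flag, at least in the lines shown; the test method starts and ends outside the hunk. A check such as `self.assertEqual([], acl.get_network_list(self.cfg, "192.0.2.1", want_ipv4=False))`, together with its IPv6 counterpart, would pin the filter for literals. The added lines also use `assertEquals`, a deprecated alias that Python 3.12 removed from unittest; `assertEqual` is the supported spelling, and the same applies to the added lines in the `test_get_network_list` hunk of test_prefixlist.py.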
@@ -41,7 +41,7 @@ class TestACLMethods(unittest.TestCase): def test_count(self): v4, v6 = prefixlist.count(self.cfg, "trusted") self.assertEqual(2, v4) - self.assertEqual(2, v6) + self.assertEqual(3, v6) v4, v6 = prefixlist.count(self.cfg, "empty") self.assertEqual(0, v4) @@ -57,7 +57,7 @@ class TestACLMethods(unittest.TestCase): self.assertEqual(0, prefixlist.count_ipv4(self.cfg, "pl-noexist")) def test_count_ipv6(self): - self.assertEqual(2, prefixlist.count_ipv6(self.cfg, "trusted")) + self.assertEqual(3, prefixlist.count_ipv6(self.cfg, "trusted")) self.assertEqual(0, prefixlist.count_ipv6(self.cfg, "empty")) self.assertEqual(0, prefixlist.count_ipv6(self.cfg, "pl-noexist")) @@ -79,7 +79,21 @@ class TestACLMethods(unittest.TestCase): def test_get_network_list(self): l = prefixlist.get_network_list(self.cfg, "trusted") self.assertIsInstance(l, list) - self.assertEquals(4, len(l)) + self.assertEquals(5, len(l)) + + l = prefixlist.get_network_list(self.cfg, "trusted", want_ipv6=False) + self.assertIsInstance(l, list) + self.assertEquals(2, len(l)) + + l = prefixlist.get_network_list(self.cfg, "trusted", want_ipv4=False) + self.assertIsInstance(l, list) + self.assertEquals(3, len(l)) + + l = prefixlist.get_network_list( + self.cfg, "trusted", want_ipv4=False, want_ipv6=False + ) + self.assertIsInstance(l, list) + self.assertEquals(0, len(l)) l = prefixlist.get_network_list(self.cfg, "pl-notexist") self.assertIsInstance(l, list) diff --git a/vppcfg/unittest/test_acl.yaml b/vppcfg/unittest/test_acl.yaml index 80bbf5b..f3bf8a7 100644 --- a/vppcfg/unittest/test_acl.yaml +++ b/vppcfg/unittest/test_acl.yaml @@ -1,7 +1,19 @@ +prefixlists: + trusted: + members: + - 192.0.2.1 + - 192.0.2.0/24 + - 2001:db8::1 + - 2001:db8::/64 + - 2001:db8::/48 + acls: acl01: description: "Test ACL #1" terms: + - description: "Allow a Prefixlist" + action: permit + source: trusted - description: "Allow a specific IPv6 TCP flow" action: permit source: 2001:db8::/64 
diff --git a/vppcfg/unittest/test_prefixlist.yaml b/vppcfg/unittest/test_prefixlist.yaml
index 47e7739..47c6826 100644
--- a/vppcfg/unittest/test_prefixlist.yaml
+++ b/vppcfg/unittest/test_prefixlist.yaml
@@ -6,6 +6,7 @@ prefixlists:
 - 192.0.2.0/24
 - 2001:db8::1
 - 2001:db8::/64
+ - 2001:db8::/48
 deny-all:
 description: "Default for IPv4 and IPv6"
 members: