
[ACL] Expanded rules do not work for same networks

Open mzbroch opened this issue 2 years ago • 2 comments

>>> from netutils import acl
>>> input_rule = dict(
...     name="Allow to internal web",
...     src_ip=["192.0.2.0/24"],
...     dst_ip=["192.0.2.0/24"],
...     dst_port=["tcp/80", "tcp/433"],
...     action="permit",
... )
>>> acl.ACLRule(input_rule).expanded_rules
[]
>>> input_rule = dict(
...     name="Allow to internal web",
...     src_ip=["192.0.2.1"],
...     dst_ip=["192.0.2.10"],
...     dst_port=["tcp/80", "tcp/433"],
...     action="permit",
... )
>>> acl.ACLRule(input_rule).expanded_rules
[{'name': 'Allow to internal web', 'src_ip': '192.0.2.1', 'dst_ip': '192.0.2.10', 'dst_port': '6/80', 'action': 'permit'}, {'name': 'Allow to internal web', 'src_ip': '192.0.2.1', 'dst_ip': '192.0.2.10', 'dst_port': '6/433', 'action': 'permit'}]

mzbroch, Oct 13 '23 11:10

This is a bit of an unfortunate test case - it only occurs if src_ip matches dst_ip; however, it is still applicable for 0.0.0.0/0 to 0.0.0.0/0 or in-VLAN firewalls.

mzbroch, Oct 13 '23 11:10

Can you look at self.filter_same_ip? I think this is to be expected as currently coded, but perhaps shouldn't be?

https://netutils.readthedocs.io/en/latest/user/lib_use_cases_acl/?h=self.filter_same_ip#initialization-loading-data

itdependsnetworks, Oct 13 '23 11:10
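The following is an added, constructed model of the behaviour the issue and the last comment describe; it is not netutils' own ACLRule code. It expands a rule with list-valued fields into flat flows, applies a `filter_same_ip` switch that drops flows whose `src_ip` equals `dst_ip` (string comparison is an assumption), and shows how an override subclass keeps the intra-network flows an operator actually wants. It also adds a `dropped_by_filter` check so a policy that was silently reduced to nothing can be noticed before it is deployed. The protocol-number mapping (`tcp` to `6`) is assumed from the `6/80` form in the reporter's output; class and function names here are hypothetical.

```python
from itertools import product

# Assumed mapping, inferred from the '6/80' output form on the page.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def normalize_port(spec):
    """Turn 'tcp/80' into '6/80' (assumed to mirror the output form in the issue)."""
    proto, port = spec.split("/", 1)
    return f"{PROTO_NUMBERS[proto.lower()]}/{port}"


class ExpandingRule:
    """Expand one rule with list-valued fields into single-valued flows.

    Constructed model of the thread's behaviour, not the netutils implementation.
    """

    # The switch the last comment points at: drop flows where src_ip == dst_ip.
    filter_same_ip = True

    def __init__(self, data):
        self.data = data
        self.expanded_rules = self._expand()

    def _expand(self):
        flows = []
        for src, dst, port in product(
            self.data["src_ip"], self.data["dst_ip"], self.data["dst_port"]
        ):
            # With the filter on, a /24 -> same /24 rule loses every flow here,
            # which is why the reporter sees [] for the first rule.
            if self.filter_same_ip and src == dst:
                continue
            flows.append(
                {
                    "name": self.data["name"],
                    "src_ip": src,
                    "dst_ip": dst,
                    "dst_port": normalize_port(port),
                    "action": self.data["action"],
                }
            )
        return flows


class IntraNetworkRule(ExpandingRule):
    """Override for in-VLAN or any-to-any policies where src and dst are the same prefix."""

    filter_same_ip = False


# Constructed sample input, copied in shape from the first rule in the issue.
SAME_NETWORK_RULE = dict(
    name="Allow to internal web",
    src_ip=["192.0.2.0/24"],
    dst_ip=["192.0.2.0/24"],
    dst_port=["tcp/80", "tcp/433"],
    action="permit",
)


def expand(rule, keep_same_ip=False):
    """Expand a rule, optionally keeping flows whose src_ip equals dst_ip."""
    cls = IntraNetworkRule if keep_same_ip else ExpandingRule
    return cls(rule).expanded_rules


def dropped_by_filter(rule):
    """Flows the same-IP filter removed; non-empty means the policy was silently reduced."""
    kept = expand(rule)
    return [flow for flow in expand(rule, keep_same_ip=True) if flow not in kept]


if __name__ == "__main__":
    print(expand(SAME_NETWORK_RULE))  # []
    print(expand(SAME_NETWORK_RULE, keep_same_ip=True))  # two flows, 6/80 and 6/433
    print(len(dropped_by_filter(SAME_NETWORK_RULE)))  # 2
```

Running `dropped_by_filter` over every rule before rendering a policy surfaces any rule that the default filter turned into nothing, which is the failure mode the issue reports: a permit that was written but never emitted.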