fix/ipv6_rules_implicit_icmp6

b400d56b · David Schmitz · 1bf78e22 · b400d56b · b400d56b · b400d56b
Commit b400d56b authored 2 years ago by David Schmitz
--- a/flowspec/models.py
+++ b/flowspec/models.py
@@ -34,6 +34,7 @@ import json
 from peers.models import PeerRange, Peer

 from flowspec.junos import create_junos_name
+from utils.flowspec_utils import map__ip_proto__for__ip_version__from_flowspec

 #import flowspec.iprange_match
 from flowspec.iprange_match import find_matching_peer_by_ipprefix__simple
@@ -495,6 +496,8 @@ class Route(models.Model):
            logger.error('models::is_synced(): No routing options on device. Exception: %s' % e)
            return True

+        my_ip_version = self.ip_version()
+
        for flow in parsed_netconf_xml__flows:
          for route in flow.routes:
            #logger.debug('models::is_synced(): loop flow='+str(flow)+' route='+str(route))
@@ -559,7 +562,10 @@ class Route(models.Model):
                    assert(self.protocol.all())
                    assert(devicematch['protocol'])
                    devitems = devicematch['protocol']
-                    dbitems = ["%s"%i for i in self.protocol.all()]
+                    #dbitems = ["%s"%i for i in self.protocol.all()]
+                    dbitems = [map__ip_proto__for__ip_version__to_flowspec(my_ip_version, "%s"%i) for i in self.protocol.all()]
+                    logger.info("models::is_synced(): dbitems="+str(dbitems))
+
                    intersect = list(set(devitems).intersection(set(dbitems)))
                    if ((len(intersect) == len(dbitems)) and (len(intersect) == len(devitems))):
                        found = found and True

--- a/utils/flowspec_utils.py
+++ b/utils/flowspec_utils.py
+
+import flowspec.logging_utils
+logger = flowspec.logging_utils.logger_init_default(__name__, "flowspec_utils.log", False)
+
+#
+
+def map__ip_proto__for__ip_version__to_flowspec(ip_version, protocol_str):
+    logger.info("map__ip_proto__for__ip_version__to_flowspec(): called ip_version="+str(ip_version)+" protocol_str="+str(protocol_str))
+    if ip_version==6 and protocol_str=='icmp': 
+        protocol_str='icmp6'
+    logger.info("map__ip_proto__for__ip_version__to_flowspec(): returning protocol_str="+str(protocol_str))
+    return protocol_str
+
+def map__ip_proto__for__ip_version__from_flowspec(ip_version, protocol_str):
+    logger.info("map__ip_proto__for__ip_version__from_flowspec(): called ip_version="+str(ip_version)+" protocol_str="+str(protocol_str))
+    if ip_version==6 and protocol_str=='icmp6': 
+        protocol_str='icmp'
+    logger.info("map__ip_proto__for__ip_version__from_flowspec(): returning protocol_str="+str(protocol_str))
+    return protocol_str
+
--- a/utils/proxy.py
+++ b/utils/proxy.py
@@ -30,6 +30,7 @@ from celery.exceptions import TimeLimitExceeded, SoftTimeLimitExceeded
 from .portrange import parse_portrange
 import traceback
 from ipaddress import ip_network
+from .flowspec_utils import map__ip_proto__for__ip_version__to_flowspec
 #import xml.etree.ElementTree as ET

 import flowspec.logging_utils
@@ -132,6 +133,7 @@ class Applier(object):

            route_obj = self.route_object

+            ip_version = self.route_object.ip_version()
            is_ipv4 = self.route_object.is_ipv4()
            logger.info("proxy::to_xml(): is_ipv4="+str(is_ipv4))

@@ -153,7 +155,8 @@ class Applier(object):
            try:
                if route_obj.protocol:
                    for protocol in route_obj.protocol.all():
-                        route.match['protocol'].append(protocol.protocol)
+                        protocol_id = map__ip_proto__for__ip_version__to_flowspec(ip_version, protocol.protocol)
+                        route.match['protocol'].append(protocol_id)
            except:
                pass
            try: