dcoghlan / dfwoptimzer Goto Github PK

View Code? Open in Web Editor NEW

6.0 6.0 0.0 41 KB

A Collection of scripts to help optimize NSX Distributed Firewall rules

License: GNU General Public License v3.0

Python 100.00%

dfwoptimzer's People

Contributors

Stargazers

Watchers

dfwoptimzer's Issues

dfw_appliedto doesn't take into account DIRECTION of rule

When evaluating the rule as part of the dfw_appliedto mode, the direction of the rule is not taken into account.

Multiple ALG reported twice in optimized_service_other

    "7883": {
        "total": 18,
        "total_tcp": 7,
        "total_udp": 5,
        "total_icmp": 0,
        "total_igmp": 0,
        "total_gre": 0,
        "total_non_port": 0,
        "total_alg": 2,
        "total_internal": 4,
        "original_rules": [
            "  rule 7883 at 81 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 21 accept with log as ftp;",
            "  # internal # rule 7883 at 82 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 21 accept with log;",
            "  # internal # rule 7883 at 83 inout protocol tcp from addrset ip-securitygroup-6677 to addrset ip-securitygroup-6676 port 21 accept with log;",
            "  rule 7883 at 84 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 445 accept with log;",
            "  rule 7883 at 85 inout protocol udp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 49152-65535 accept with log;",
            "  rule 7883 at 86 inout protocol udp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 445 accept with log;",
            "  rule 7883 at 87 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 88 accept with log;",
            "  rule 7883 at 88 inout protocol udp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 88 accept with log;",
            "  rule 7883 at 89 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 464 accept with log;",
            "  rule 7883 at 90 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 135 accept with log;",
            "  rule 7883 at 91 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 389 accept with log;",
            "  rule 7883 at 92 inout protocol udp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 464 accept with log;",
            "  rule 7883 at 93 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 49152-65535 accept with log;",
            "  rule 7883 at 94 inout protocol udp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 389 accept with log;",
            "  rule 7883 at 95 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 636 accept with log;",
            "  rule 7883 at 96 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 21 accept with log as ftp;",
            "  # internal # rule 7883 at 97 inout protocol tcp from addrset ip-securitygroup-6676 to addrset ip-securitygroup-6677 port 21 accept with log;",
            "  # internal # rule 7883 at 98 inout protocol tcp from addrset ip-securitygroup-6677 to addrset ip-securitygroup-6676 port 21 accept with log;"
        ],
        "optimized_service_tcp": [
            [
                "445",
                "88",
                "464",
                "135",
                "389",
                "49152-65535",
                "636"
            ]
        ],
        "optimized_service_udp": [
            [
                "49152-65535",
                "445",
                "88",
                "464",
                "389"
            ]
        ],
        "optimized_service_other": [
            "ftp",
            "ftp"
        ]
    },

Parsing errors

  rule 15452 at 9824 inout protocol ipv6-auth from addrset rsrc15452 to ip 10.0.0.0/8 accept with log;
  rule 15222 at 9862 inout protocol ipv6-auth from addrset rsrc15222 to ip 10.176.5.0/24 accept with log;
  rule 12244 at 16736 inout protocol ipv6-auth from ip 10.189.217.0/24 to ip 10.176.80.20 accept with log;
  rule 12243 at 16738 inout protocol ipv6-auth from ip 10.176.80.20 to ip 10.189.217.0/24 accept with log;
  rule 12242 at 16740 inout protocol ipv6-auth from ip 10.176.5.0/24 to addrset ip-ipset-679 accept with log;
  rule 12241 at 16742 inout protocol ipv6-auth from addrset ip-ipset-679 to ip 10.176.5.0/24 accept with log;

parse_error: parser should ignore vsipioctl command

/bin/vsipioctl getrules -f nic-496673265-eth0-vmware-sfw.2

Refactor to make more pythonic

The current code is not very pythonic and was written in a very short period of time.

Need to refactor to make it more modular and more pythonic.

parse errors

The following parse errors were encountered in an NSX-T 2.5.1 setup.

  rule 4151 at 8 inout protocol any from addrset 953c5cd8-100d-47d0-b333-e7cd28c71772 to addrset c96d6075-1d3d-4705-98cb-69a5b5bdfc90 with attribute profile a4175bf4-6aff-4caa-8a9f-fb5f9f24c2f8 accept with log tag 'My_Test-DFW(M&A)';
  rule 4151 at 9 inout protocol any from addrset 953c5cd8-100d-47d0-b333-e7cd28c71772 to addrset c96d6075-1d3d-4705-98cb-69a5b5bdfc90 with attribute profile 7fb7cc4c-08c6-4f37-909c-4509cad9f4ff accept with log tag 'My_Test-DFW(M&A)';
  rule 4151 at 10 inout protocol any from addrset 953c5cd8-100d-47d0-b333-e7cd28c71772 to addrset c96d6075-1d3d-4705-98cb-69a5b5bdfc90 with attribute profile 6399ef25-fd7b-41fc-94c7-b8885c1fa307 accept with log tag 'My_Test-DFW(M&A)';
  rule 4134 at 21 inout protocol any from addrset 8ed1b6fd-fa60-4d74-80a0-9c5ea8341249 to addrset 7fbdc37a-4f47-4df7-9cc9-cf31a6595bc4 with attribute profile a4175bf4-6aff-4caa-8a9f-fb5f9f24c2f8 accept with log tag 'WindowsMachines';
  rule 4134 at 22 inout protocol any from addrset 8ed1b6fd-fa60-4d74-80a0-9c5ea8341249 to addrset 7fbdc37a-4f47-4df7-9cc9-cf31a6595bc4 with attribute profile 7fb7cc4c-08c6-4f37-909c-4509cad9f4ff accept with log tag 'WindowsMachines';
  rule 4149 at 54 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile e0a2e2eb-0fe1-4d48-bf16-5ede3755bf1b accept with log tag 'LBDFWTag';
  rule 4149 at 55 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile a4175bf4-6aff-4caa-8a9f-fb5f9f24c2f8 accept with log tag 'LBDFWTag';
  rule 4149 at 56 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 7fb7cc4c-08c6-4f37-909c-4509cad9f4ff accept with log tag 'LBDFWTag';
  rule 4149 at 57 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 91faf9e8-d825-4415-89f7-f64424b7746a accept with log tag 'LBDFWTag';
  rule 4149 at 58 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 6399ef25-fd7b-41fc-94c7-b8885c1fa307 accept with log tag 'LBDFWTag';
  rule 4149 at 59 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 8cd8637e-2455-43a9-94d4-222e4dfa3252 accept with log tag 'LBDFWTag';
  rule 4149 at 60 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 42b762f5-1309-4c87-827a-dec25de900a4 accept with log tag 'LBDFWTag';
  rule 4149 at 61 inout protocol any from addrset 77cb1f67-a198-425e-8a17-7436462a9929 to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 43a52857-4ad8-44a0-9951-d70a5f04a74d accept with log tag 'LBDFWTag';
  rule 4140 at 65 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile e0a2e2eb-0fe1-4d48-bf16-5ede3755bf1b accept with log tag 'WebDFWTag';
  rule 4140 at 66 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile a4175bf4-6aff-4caa-8a9f-fb5f9f24c2f8 accept with log tag 'WebDFWTag';
  rule 4140 at 67 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 7fb7cc4c-08c6-4f37-909c-4509cad9f4ff accept with log tag 'WebDFWTag';
  rule 4140 at 68 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 91faf9e8-d825-4415-89f7-f64424b7746a accept with log tag 'WebDFWTag';
  rule 4140 at 69 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 6399ef25-fd7b-41fc-94c7-b8885c1fa307 accept with log tag 'WebDFWTag';
  rule 4140 at 70 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 8cd8637e-2455-43a9-94d4-222e4dfa3252 accept with log tag 'WebDFWTag';
  rule 4140 at 71 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 42b762f5-1309-4c87-827a-dec25de900a4 accept with log tag 'WebDFWTag';
  rule 4140 at 72 inout protocol any from addrset e93bdd08-d93f-44ac-9eeb-b31b8b9eefca to addrset 77cb1f67-a198-425e-8a17-7436462a9929 with attribute profile 43a52857-4ad8-44a0-9951-d70a5f04a74d accept with log tag 'WebDFWTag';

Parse Errors

Following rules raised parse errors

  rule 1010 at 45 inout protocol any from any to any with attribute any accept;
  rule 1010 at 138 inout protocol ipv6-opts from any to any accept;
  rule 1010 at 142 inout protocol ipv6-nonxt from any to any accept;

ESXi heap usage reporting

With the outputs of vsipioctl getrules and getaddrsets, calculate the amount of heap the filter is utilizing.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.