Do not delete active ACL gener. earlier by Netspoc

hknutzen · Feb 15, 2024 · 5e47bea · 5e47bea
1 parent 63eb563
commit 5e47bea
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 15 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,8 @@
 {{$NEXT}}
 
+ - Still referenced ACLs must not be deleted even if name has -DRC- .
+ - Again allow comment '#' as header of JSON for NSX.
+
 3.021     2024-02-14 18:01:57+01:00 Europe/Berlin
 
  - Migrated approve for IOS from Perl to Go.

diff --git a/go/pkg/cisco/diff.go b/go/pkg/cisco/diff.go
@@ -1470,17 +1470,13 @@ func (s *State) checkIOSInterfaces() error {
 		name := strings.Fields(c.parsed)[1]
 		bIntf[name] = extractIntfInfo(c)
 	}
-	// If config from Netspoc has no interface definitions, it is probably
-	// of type "managed=routing_only", and Netspoc won't change any
-	// interface config.
-	if len(bIntf) == 0 {
-		return nil
-	}
 	for _, c := range s.a.lookup["interface"][""] {
 		name := strings.Fields(c.parsed)[1]
 		aInfo := extractIntfInfo(c)
 		aKnown[name] = true
 		if aInfo.shut {
+			// Mark referenced ACLs that must not be deleted.
+			s.markNeeded(c)
 			continue
 		}
 		if bInfo := bIntf[name]; bInfo != nil {
@@ -1500,9 +1496,16 @@ func (s *State) checkIOSInterfaces() error {
 					"Different VRFs defined for interface %s:"+
 						" Device: %s, Netspoc: %s", name, aInfo.vrf, bInfo.vrf)
 			}
-		} else if aInfo.addr != "" {
-			device.Warning(
-				"Interface '%s' on device is not known by Netspoc", name)
+		} else {
+			// Mark referenced ACLs that must not be deleted.
+			s.markNeeded(c)
+			// If config from Netspoc has no interface definitions, it is
+			// probably of type "managed=routing_only", and Netspoc won't
+			// change any interface config.
+			if aInfo.addr != "" && len(bIntf) != 0 {
+				device.Warning(
+					"Interface '%s' on device is not known by Netspoc", name)
+			}
 		}
 	}
 	for _, c := range s.b.lookup["interface"][""] {
@@ -1561,6 +1564,10 @@ func (s *State) alignVRFs() {
 					l[j] = c
 					j++
 				} else {
+					// If this unmanaged interface references some ACL, that
+					// was previously generated by Netspoc, this ACL must
+					// not accidently be deleted.
+					s.markNeeded(c)
 					removed[vrf] = true
 				}
 			}
@@ -1580,6 +1587,20 @@ func (s *State) alignVRFs() {
 	}
 }
 
+// Mark command and referenced commands as still needed.
+func (s *State) markNeeded(c *cmd) {
+	c.needed = true
+	for i, name := range c.ref {
+		prefix := c.typ.ref[i]
+		for _, ref := range s.a.lookup[prefix][name] {
+			s.markNeeded(ref)
+		}
+	}
+	for _, sub := range c.sub {
+		s.markNeeded(sub)
+	}
+}
+
 // 'crypto map gdoi' is currently not supported by Netspoc.
 // That commands must be left unchanged on device.
 func (s *State) ignoreCryptoGDOI() {

diff --git a/go/testdata/ios_parse.t b/go/testdata/ios_parse.t
@@ -628,6 +628,21 @@ WARNING>>> Different address defined for interface Serial1: Device: "10.1.1.1 25
 WARNING>>> Interface 'Serial3' on device is not known by Netspoc
 =END=
 
+############################################################
+=TITLE=Must not delete ACL referenced by shutdown or unknown interface
+=DEVICE=
+ip access-list extended eth0_in-DRC-0
+ deny ip any any
+interface eth0
+ shutdown
+ ip access-group eth0_in-DRC-0 in
+ip access-list extended eth1_in-DRC-0
+ deny ip any any
+interface eth1
+ ip access-group eth1_in-DRC-0 in
+=NETSPOC=NONE
+=OUTPUT=NONE
+
 ############################################################
 =TITLE=Check 'ip inspect'
 =DEVICE=
@@ -651,20 +666,27 @@ ERROR>>> Different 'ip inspect' defined for interface Serial1: Device: enabled,
 =END=
 
 ############################################################
-=TITLE=Only change VRFs mentioned in Netspoc
+=TITLE=Only change VRFs mentioned in Netspoc, leave other ACL unchanged
 =DEVICE=
 ip route vrf 002 10.20.0.0 255.255.0.0 10.2.2.2
-ip access-list extended acl2
+ip access-list extended acl2-DRC-0
  permit ip any host 10.0.1.1
 interface Ethernet1
  ip address 10.0.1.1 255.255.255.0
  ip vrf forwarding 001
- ip access-group acl2 in
+ ip access-group acl2-DRC-0 in
 interface Ethernet2
  ip address 10.0.2.1 255.255.255.0
  ip vrf forwarding 002
+ip access-list extended crypto-filter-Ethernet3-1-DRC-0
+ permit tcp host 10.127.18.1 host 10.1.11.40 eq 48
+ deny ip any any
+crypto map crypto-Ethernet3 1 ipsec-isakmp
+ set ip access-group crypto-filter-Ethernet3-1-DRC-0 in
+ set peer 10.156.4.206
 interface Ethernet3
  ip address 10.0.3.1 255.255.255.0
+ crypto map crypto-Ethernet3
 =NETSPOC=
 ip route vrf 013 10.30.0.0 255.255.0.0 10.3.3.3
 ip access-list extended acl2
@@ -674,11 +696,11 @@ interface Ethernet2
  ip vrf forwarding 002
  ip access-group acl2 in
 =OUTPUT=
-ip access-list extended acl2-DRC-0
+ip access-list extended acl2-DRC-1
 permit ip any host 10.0.1.1
 exit
 interface Ethernet2
-ip access-group acl2-DRC-0 in
+ip access-group acl2-DRC-1 in
 ip route vrf 013 10.30.0.0 255.255.0.0 10.3.3.3
 =WARNING=
 Leaving VRF <global> untouched
@@ -823,4 +845,4 @@ interface eth0
  ip address 10.1.2.3 255.255.255.252
 interface eth1
  ip address 10.1.2.5 255.255.255.252
-=OUTPUT=NONE
+=OUTPUT=NONE