np-guard / vpc-network-config-analyzer

A tool for analyzing the configured network connectivity of VPCs as specified by various VPC resources
Apache License 2.0

fix string returned for NACL rule in AWS #807

Closed ShiriMoran closed 1 week ago

ShiriMoran commented 3 weeks ago

1. The string describing rules in AWS NACL contains `conn: -1`, which should be fixed. This occurs for rules with the following (which stands for "all connections"?):

   ```
   "Ipv6CidrBlock": null,
   "PortRange": null,
   "Protocol": "-1",
   ```
2. The string does not contain `"RuleNumber"`, which is the priority of the rule and thus is crucial
   (I wonder how ties are broken for rules with the same RuleNumber and how consistency is guaranteed @kyorav)
3. Instead of the title CIDR - or in addition to it - we should add src/dst for ingress/egress as described [here](https://docs.aws.amazon.com/vpc/latest/userguide/nacl-rules.html)

Examples can be seen in `vpc-network-config-analyzer\pkg\awsvpc\examples\out\explain_out\ip_to_ip_all_vpcs_explain_detail.txt`
kyorav commented 3 weeks ago

The API does not allow creating multiple nACL rules with the same rule number (priority).

ShiriMoran commented 3 weeks ago

> The API does not allow creating multiple nACL rules with the same rule number (priority).

But e.g. in this example there are multiple rules with the same priority [image]

kyorav commented 3 weeks ago

Ingress and Egress are evaluated separately. There will never be two rules in the same ACL with the same rule number and the same value for "Egress".
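The three fixes requested in the issue (render Protocol "-1" as all connections instead of `conn: -1`, show the RuleNumber, label the CIDR src/dst by direction) together with the per-direction uniqueness kyorav describes, as an added Go example that is not the analyzer's own code: `naclEntry`, `sampleNACL`, `describeRule` and `describeACL` are assumed names, the dump is constructed, and only IPv4 CIDRs are handled.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// naclEntry is the subset of an AWS network ACL entry used here (constructed; IPv4 only, not the analyzer's type).
type naclEntry struct {
	RuleNumber int    `json:"RuleNumber"`
	Egress     bool   `json:"Egress"`
	Protocol   string `json:"Protocol"` // "-1" means all protocols
	RuleAction string `json:"RuleAction"`
	CidrBlock  string `json:"CidrBlock"`
	PortRange  *struct{ From, To int } `json:"PortRange"` // null for "-1" rules
}
// sampleNACL is a constructed dump: both rules carry RuleNumber 100 but differ in direction.
const sampleNACL = `[
 {"RuleNumber":100,"Egress":false,"Protocol":"-1","RuleAction":"allow","CidrBlock":"10.0.0.0/16","PortRange":null},
 {"RuleNumber":100,"Egress":true,"Protocol":"6","RuleAction":"allow","CidrBlock":"0.0.0.0/0","PortRange":{"From":443,"To":443}}]`
// describeRule prints Protocol "-1" as "all" (not "conn: -1"), includes RuleNumber and labels the CIDR src/dst.
func describeRule(e naclEntry) string {
	dir, peer, conn := "ingress", "src", "all"
	if e.Egress {
		dir, peer = "egress", "dst"
	}
	if e.Protocol != "-1" {
		conn = "protocol " + e.Protocol
		if e.PortRange != nil {
			conn += fmt.Sprintf(" ports %d-%d", e.PortRange.From, e.PortRange.To)
		}
	}
	return fmt.Sprintf("rule %d %s %s %s %s, conn: %s", e.RuleNumber, dir, e.RuleAction, peer, e.CidrBlock, conn)
}
// describeACL rejects a RuleNumber repeated within one direction; ingress and egress are evaluated separately.
func describeACL(raw []byte) ([]string, error) {
	var entries []naclEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, err
	}
	seen, out := map[string]bool{}, []string{}
	for _, e := range entries {
		key := fmt.Sprintf("%t/%d", e.Egress, e.RuleNumber)
		if seen[key] {
			return nil, fmt.Errorf("duplicate rule number %d (egress=%t)", e.RuleNumber, e.Egress)
		}
		seen[key] = true
		out = append(out, describeRule(e))
	}
	return out, nil
}
```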

haim-kermany commented 2 weeks ago

@ShiriMoran , is this done?

ShiriMoran commented 1 week ago

Apart from the last item, all is solved by https://github.com/np-guard/vpc-network-config-analyzer/pull/826/files. If we decide to change the format as in the last item here, so that it will look like the GUI, we will do it in another issue.