vmware-archive / powernsx

PowerShell module that abstracts the VMware NSX-v API to a set of easily used PowerShell functions

remove-nsxfirewallsection doesn't remove the section #423

Closed g0ldingkev closed 7 years ago

g0ldingkev commented 7 years ago

When piping in a firewall section name from get-nsxfirewallsection, the section isn't removed. It looks like it is, but the section doesn't disappear.

This is with pre-created ones, or sections I create using PowerNSX to test if I was going bonkers.

nmbradford commented 7 years ago

Please provide steps to reproduce. My testing shows no such behaviour (and our CI tests include the removal of firewall sections).

Here is an example of successful section removal.

PS C:\Users\Nick> get-nsxfirewallsection

id               : 1004
name             : test
generationNumber : 1508309060392
timestamp        : 1508309060392
type             : LAYER3
rule             : rule

id               : 1003
name             : Default Section Layer3
generationNumber : 1508306178666
timestamp        : 1508306178666
type             : LAYER3
rule             : {Default Rule NDP, Default Rule DHCP, Default Rule}

PS C:\Users\Nick> New-NsxFirewallSection test2

id               : 1005
name             : test2
generationNumber : 1509666195564
timestamp        : 1509666195564
type             : LAYER3

PS C:\Users\Nick> Get-NsxFirewallSection

id               : 1005
name             : test2
generationNumber : 1509666195564
timestamp        : 1509666195564
type             : LAYER3

id               : 1004
name             : test
generationNumber : 1508309060392
timestamp        : 1508309060392
type             : LAYER3
rule             : rule

id               : 1003
name             : Default Section Layer3
generationNumber : 1508306178666
timestamp        : 1508306178666
type             : LAYER3
rule             : {Default Rule NDP, Default Rule DHCP, Default Rule}

PS C:\Users\Nick> Get-NsxFirewallSection test2 | new-nsxfirewallrule -Name testrule -Action allow

id            : 1006
disabled      : false
logged        : false
name          : testrule
action        : allow
appliedToList : appliedToList
sectionId     : 1005
direction     : inout
packetType    : any

PS C:\Users\Nick> Get-NsxFirewallSection test2 | get-nsxfirewallrule

id            : 1006
disabled      : false
logged        : false
name          : testrule
action        : allow
appliedToList : appliedToList
sectionId     : 1005
direction     : inout
packetType    : any

PS C:\Users\Nick> Get-NsxFirewallSection test2 | Remove-NsxFirewallSection

Firewall Section removal is permanent and cannot be reversed.
Proceed with removal of Section test2?
[Y] Yes  [N] No  [?] Help (default is "N"): y
Section test2 contains rules.  Specify -force to delete this section
At C:\Users\Nick\Documents\WindowsPowerShell\Modules\PowerNSX\3.0.1054\PowerNSX.psm1:27298 char:25
+ ...             throw "Section $($section.name) contains rules.  Specify  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Section test2 c...te this section:String) [], RuntimeException
    + FullyQualifiedErrorId : Section test2 contains rules.  Specify -force to delete this section

PS C:\Users\Nick> Get-NsxFirewallSection test2 | Remove-NsxFirewallSection -force

Firewall Section removal is permanent and cannot be reversed.
Proceed with removal of Section test2?
[Y] Yes  [N] No  [?] Help (default is "N"): y
PS C:\Users\Nick> Get-NsxFirewallSection

id               : 1004
name             : test
generationNumber : 1508309060392
timestamp        : 1508309060392
type             : LAYER3
rule             : rule

id               : 1003
name             : Default Section Layer3
generationNumber : 1508306178666
timestamp        : 1508306178666
type             : LAYER3
rule             : {Default Rule NDP, Default Rule DHCP, Default Rule}

g0ldingkev commented 7 years ago

Thanks, but I tried this...

PowerCLI C:> Get-NsxFirewallSection KRG_Test | remove-nsxfirewallsection -force -confirm:$false
PowerCLI C:> new-nsxfirewallsection KRG-Test

id               : 6684
name             : KRG-Test
generationNumber : 1509704859563
timestamp        : 1509704859563
type             : LAYER3

PowerCLI C:>

On 2 November 2017 at 23:46, Nick Bradford notifications@github.com wrote:

Please provide steps to reproduce. My testing shows no such behaviour (and our CI tests include the removal of firewall sections).


nmbradford commented 7 years ago

I'm sorry, but what are you trying to demonstrate with this?

g0ldingkev commented 7 years ago

The removal of the section in DFW


On 7 Nov 2017, at 23:13, Nick Bradford notifications@github.com wrote:

I'm sorry, but what are you trying to demonstrate with this?


nmbradford commented 7 years ago

@g0ldingkev you aren't exactly being clear here. Please indicate what your issue is? You have not shown an error or provided any example of unexpected behaviour.

g0ldingkev commented 7 years ago

Ok so the first line SHOULD delete a DFW section, but the second command shows that even after running the command the section still exists.

Which is not the expected outcome. No errors.

Just wondering if I’m missing something about the functionality or syntax?


On 8 Nov 2017, at 09:11, Nick Bradford notifications@github.com wrote:

@g0ldingkev you aren't exactly being clear here. Please indicate what your issue is? You have not shown an error or provided any example of unexpected behaviour.


alagoutte commented 7 years ago

The second command CREATES a new section...

PowerCLI C:> new-nsxfirewallsection KRG-Test

g0ldingkev commented 7 years ago

Sorry bad example.... lol. Mustn’t have clicked up enough times.. will drop another example in


On 8 Nov 2017, at 11:39, Alexis La Goutte notifications@github.com wrote:

The second command CREATES a new section...

PowerCLI C:> new-nsxfirewallsection KRG-Test <= new


g0ldingkev commented 7 years ago

haha. ok so it turns out that the error was actually not an error, just the command running slow probably due to the issue we were trying to resolve (explanation below). I was trying to lab up a way to delete a very large number of sections..

The requirement came from software testing, not going to advertise the vendor (but it isn't Cisco). Background is that the software for some reason decided to create a large number of sections. As it turns out, when I listed the entire lot and piped it to a file, there are around 6K (yes 6000 sections), something which I couldn't really validate with the naked eye. So it looked like it wasn't deleting them.

It turns out it is, but at the rate of about 300 per half hour.. but without first checking the final number before and after, it looked like it wasn't working.

For a laugh, I have attached the two outputs (before and after) if someone wants to validate that there can indeed be many thousands of sections in the DFW :-) The after took about 30 minutes to run.

FW Sections - After.txt FW Sections - Before.txt

nmbradford commented 7 years ago

Thanks @g0ldingkev. 10K sections is the published supported maximum for DFW sections, so you are under that. When working at scale, be careful of how you construct pipelines to avoid unnecessary API interaction, as it's not hard to do things in an inefficient way. If you think there are PowerNSX related performance issues or optimisations required, please let us know here, but if you are having unexpected performance issues with NSX itself - please open an SR with VMware GSS so they can help you out.
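
The before/after count check and the single-read pipeline that the last two comments describe, as an added PowerShell example (not part of the original thread or of PowerNSX). The function name, `-NamePattern`, `-Execute` and the `vendor-test-*` pattern are hypothetical; only `Get-NsxFirewallSection` and `Remove-NsxFirewallSection -force -confirm:$false` come from the thread, and a connected PowerNSX session is assumed.

```powershell
# Added example: hypothetical helper, not part of PowerNSX.
# Assumes a PowerNSX session is already connected.
function Remove-NsxFirewallSectionBatch {
    [CmdletBinding()]
    param(
        # Wildcard for the section names to delete (hypothetical naming scheme).
        [Parameter(Mandatory)][string]$NamePattern,
        # Without -Execute the function only lists what it would delete.
        [switch]$Execute
    )

    # One API read up front; the filter below runs on this in-memory list.
    $before  = @(Get-NsxFirewallSection)
    $targets = @($before | Where-Object { $_.name -like $NamePattern })
    Write-Host ("Sections before: {0}; matching '{1}': {2}" -f $before.Count, $NamePattern, $targets.Count)

    if (-not $Execute) {
        $targets | Select-Object id, name
        return
    }

    $done = 0; $failed = 0
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    foreach ($section in $targets) {
        # -force is required when a section contains rules; -confirm:$false
        # suppresses the per-section prompt. Both are shown in the thread.
        try   { $section | Remove-NsxFirewallSection -force -confirm:$false }
        catch { $failed++; Write-Warning ("Section {0} ({1}): {2}" -f $section.name, $section.id, $_) }
        $done++
        if ($done % 50 -eq 0) {
            Write-Host ("{0}/{1} processed, {2} failed, {3:n0}s elapsed" -f $done, $targets.Count, $failed, $timer.Elapsed.TotalSeconds)
        }
    }

    # Second and last read: verify by id and count instead of by eye.
    $after = @(Get-NsxFirewallSection)
    $left  = @($after | Where-Object { $targets.id -contains $_.id })
    Write-Host ("Sections after: {0}; targeted sections still present: {1}" -f $after.Count, $left.Count)
    $left | Select-Object id, name
}

# Dry run first, then delete:
# Remove-NsxFirewallSectionBatch -NamePattern 'vendor-test-*'
# Remove-NsxFirewallSectionBatch -NamePattern 'vendor-test-*' -Execute
```

Review the dry-run list before passing `-Execute`, since the pattern decides which firewall sections disappear and the removal cannot be reversed.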