A Firewall.
See: https://cloud.google.com/compute/docs/reference/latest/firewalls
FirewallAction(firewall_rules=None, firewall_rule_action='allowed')[source]¶Bases: object
An association of allowed or denied ports and protocols.
MATCH_ANY = '*'¶VALID_ACTIONS = frozenset({'allowed', 'denied'})¶__eq__(other)[source]¶Equals.
| Parameters: | other (FirewallAction) – The FirewallAction to compare to. |
|---|---|
| Returns: | If this action is the exact same as the other FirewallAction. |
| Return type: | bool |
__gt__(other)[source]¶Greater than.
| Parameters: | other (FirewallAction) – The FirewallAction to compare to. |
|---|---|
| Returns: | Whether this action is a superset of the other action. |
| Return type: | bool |
__lt__(other)[source]¶Less than.
| Parameters: | other (FirewallAction) – The FirewallAction to compare to. |
|---|---|
| Returns: | Whether this action is a subset of the other action. |
| Return type: | bool |
__str__()[source]¶String representation.
| Returns: | A string representation of FirewallAction. |
|---|---|
| Return type: | str |
any_value¶Returns whether this rule matches any value.
| Returns: | Whether this rule matches any value. |
|---|---|
| Return type: | bool |
applies_to_all¶Returns whether this applies to all ports and protocols or not.
| Returns: | Whether this applies to all ports and protocols or not. |
|---|---|
| Return type: | bool |
expanded_rules¶Returns an expanded set of ports.
| Returns: | A dict of protocol to all port numbers. |
|---|---|
| Return type: | dict |
is_equivalent(other)[source]¶Returns whether this action and another are functionally equivalent.
| Parameters: | other (FirewallAction) – Another FirewallAction. |
|---|---|
| Returns: | Whether these two FirewallActions are functionally equivalent. |
| Return type: | bool |
json_dict()[source]¶Gets the JSON key and values for the firewall action.
| Returns: | Of key (‘allowed’ or ‘denied’) and the firewall rules. |
|---|---|
| Return type: | tuple |
| Raises: | InvalidFirewallActionError – If a rule is not formatted for the API. |
ports_are_equal(ports_1, ports_2)[source]¶Returns whether two port lists are the same.
| Parameters: |
|
|---|---|
| Returns: | Whether ports_1 have the same ports as ports_2. |
| Return type: | bool |
ports_are_subset(ports_1, ports_2)[source]¶Returns whether one port list is a subset of another.
| Parameters: |
|
|---|---|
| Returns: | Whether ports_1 are a subset of ports_2 or not. |
| Return type: | bool |
validate()[source]¶Validates that the firewall rules are valid for use in the API.
| Raises: | InvalidFirewallActionError – If a rule is not formatted for the API. |
|---|
FirewallRule(validate=False, **kwargs)[source]¶Bases: object
Represents Firewall resource.
__eq__(other)[source]¶Test whether this policy is the same as the other policy.
| Parameters: | other (FirewallRule) – object to compare to |
|---|---|
| Returns: | comparison result |
| Return type: | bool |
__gt__(other)[source]¶Test whether this policy contains the other policy.
Checks if this rule is a superset of the allowed/denied ports and protocols that are in the other rule.
| Parameters: | other (FirewallRule) – object to compare to |
|---|---|
| Returns: | comparison result |
| Return type: | bool |
__lt__(other)[source]¶Test whether this policy is contained in another policy.
Checks if this rule is a subset of the allowed/denied ports and protocols that are in the other rule.
| Parameters: | other (FirewallRule) – object to compare to |
|---|---|
| Returns: | comparison result |
| Return type: | bool |
__str__()[source]¶String representation.
| Returns: | A string representation of FirewallRule. |
|---|---|
| Return type: | str |
_transform(firewall_dict, project_id=None, validate=None)[source]¶Transforms firewall dictionary into FirewallRule.
| Parameters: |
|
|---|---|
| Returns: | A FirewallRule created from the input dictionary. |
| Return type: |
_validate_direction()[source]¶Checks that the direction and associated fields are valid.
| Raises: |
|
|---|
_validate_keys()[source]¶Checks that required keys and value restrictions.
Required fields: name and network Length restrictions:
- name <= 63 characters
- <= 256 values: sourceRanges, sourceTags, targetTags, destinationRanges
| Raises: | InvalidFirewallRuleError – If keys don’t meet requirements. |
|---|
_validate_priority()[source]¶Checks that the priority of the rule is a valid value.
| Raises: | InvalidFirewallRuleError – If the priority can’t be converted to an int
or if it is outside the allowed range. |
|---|
as_json()[source]¶Returns a valid JSON representation of this firewall rule.
This rule must be valid to return the representation.
| Returns: | A string JSON dump of the firewall rule. |
|---|---|
| Return type: | str |
| Raises: |
|
destination_ranges¶The sorted destination ranges for this policy.
| Returns: | Sorted destination ips ranges. |
|---|---|
| Return type: | list |
firewall_action¶The protocols and ports allowed or denied by this policy.
https://cloud.google.com/compute/docs/reference/beta/firewalls
| Returns: |
|
|---|---|
| Return type: | FirewallAction |
| Raises: | ValueError – If there are both allow and deny actions for a rule. |
from_dict(firewall_dict, project_id=None, validate=False)[source]¶Creates an unvalidated FirewallRule from a dictionary.
| Parameters: |
|
|---|---|
| Returns: | A validated FirewallRule from the JSON string. |
| Return type: | |
| Raises: |
|
from_json(json_string, project_id=None)[source]¶Creates a validated FirewallRule from a valid firewall JSON.
| Parameters: |
|
|---|---|
| Returns: | A validated FirewallRule from the JSON string. |
| Return type: | |
| Raises: |
|
is_equivalent(other)[source]¶Test whether this policy is equivalent to the other policy.
| Parameters: | other (FirewallRule) – object to compare to |
|---|---|
| Returns: | comparison result |
| Return type: | bool |
priority¶The effective priority of the firewall rule.
Per https://cloud.google.com/compute/docs/reference/latest/firewalls the default priority is 1000.
| Returns: | Rule priority (lower is more important) |
|---|---|
| Return type: | int |
source_ranges¶The sorted source ranges for this policy.
| Returns: | Sorted source ips ranges. |
|---|---|
| Return type: | list |
source_service_accounts¶The sorted source tags for this policy.
| Returns: | Sorted source tags. |
|---|---|
| Return type: | list |
The sorted source tags for this policy.
| Returns: | Sorted source tags. |
|---|---|
| Return type: | list |
target_service_accounts¶The sorted target tags for this policy.
| Returns: | Sorted target tags. |
|---|---|
| Return type: | list |
The sorted target tags for this policy.
| Returns: | Sorted target tags. |
|---|---|
| Return type: | list |
validate()[source]¶Validates that a rule is valid.
Validation is based on reference: https://cloud.google.com/compute/docs/reference/beta/firewalls and https://cloud.google.com/compute/docs/vpc/firewalls#gcp_firewall_rule_summary_table
| Returns: | If rule is valid. |
|---|---|
| Return type: | bool |
| Raises: | InvalidFirewallRuleError – One or more rules failed validation. |
InvalidFirewallActionError[source]¶Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error
Raised if a firewall action doesn’t look like a firewall rule should.
InvalidFirewallRuleError[source]¶Bases: google.cloud.forseti.common.gcp_type.firewall_rule.Error
Raised if a firewall rule doesn’t look like a firewall rule should.
expand_port_range(port_range)[source]¶Expands a port range.
From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number>-<number>”.
| Parameters: | port_range (string) – A string of format “<number_1>-<number_2>”. |
|---|---|
| Returns: | A list of string integers from number_1 to number_2. |
| Return type: | list |
expand_ports(ports)[source]¶Expands all ports in a list.
From https://cloud.google.com/compute/docs/reference/beta/firewalls, ports can be of the form “<number” or “<number>-<number>”.
| Parameters: | ports (list) – A list of strings of format “<number>” or “<number_1>-<number_2>”. |
|---|---|
| Returns: | A list of all port number strings with the ranges expanded. |
| Return type: | list |
ip_in_range(ip_addr, ip_range)[source]¶Checks whether the ip/ip range is in another ip range.
Examples
ip_in_range(1.1.1.1, 0.0.0.0/0) = True ip_in_range(1.1.1.1/24, 0.0.0.0/0) = True ip_in_range(0.0.0.0/0, 1.1.1.1) = False
| Parameters: |
|
|---|---|
| Returns: | Whether the ip / ip range is in another ip range. |
| Return type: | bool |
ips_in_list(ips, ips_list)[source]¶Checks whether the ips and ranges are all in a list.
Examples
ips_in_list([1.1.1.1], [0.0.0.0/0]) = True ips_in_list([1.1.1.1/24], [0.0.0.0/0]) = True ips_in_list([1.1.1.1, 1.1.1.2], [0.0.0.0/0]) = True ips_in_list([1.1.1.1, 2.2.2.2], [1.1.1.0/24, 2.2.2.0/24]) = True ips_in_list([0.0.0.0/0], [1.1.1.1]) = False
| Parameters: |
|
|---|---|
| Returns: | Whether the ips are all in the given ips_list. |
| Return type: | bool |
sort_rules(rules)[source]¶Sorts firewall rules by protocol and sorts ports.
| Parameters: | rules (list) – A list of firewall rule dictionaries. |
|---|---|
| Returns: | A list of sorted firewall rules. |
| Return type: | list |
validate_port(port)[source]¶Validates that a string is a valid port number.
| Parameters: | port (str) – A port number string. |
|---|---|
| Returns: | The integer port number. |
| Return type: | int |
| Raises: | InvalidFirewallActionError – If the port string isn’t a valid port. |
validate_port_range(port_range)[source]¶Validates that a string is a valid port number.
| Parameters: | port_range (str) – A port range string. |
|---|---|
| Raises: | InvalidFirewallActionError – If the port range isn’t a valid range. |