adds possibility to exclude subnets from permitted_subnets bb-Ricardo…

…#203
andreiKuznets0v · Feb 27, 2023 · 7bdfca4 · 7bdfca4
1 parent 11f6518
commit 7bdfca4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 11 deletions.
diff --git a/module/common/support.py b/module/common/support.py
@@ -45,7 +45,7 @@ def normalize_mac_address(mac_address=None):
     return mac_address
 
 
-def ip_valid_to_add_to_netbox(ip, permitted_subnets, interface_name=None):
+def ip_valid_to_add_to_netbox(ip, permitted_subnets, excluded_subnets=None, interface_name=None):
     """
     performs a couple of checks to see if an IP address is valid and allowed
     to be added to NetBox
@@ -59,8 +59,10 @@ def ip_valid_to_add_to_netbox(ip, permitted_subnets, interface_name=None):
     ----------
     ip: str
         IP address to validate
-    permitted_subnets:
+    permitted_subnets: list
         list of permitted subnets where each subnet/prefix is an instance of IP4Network or IP6Network
+    excluded_subnets: list
+        list of excluded subnets where each subnet/prefix is an instance of IP4Network or IP6Network
     interface_name: str
         name of the interface this IP shall be added. Important for meaningful log messages
 
@@ -76,6 +78,9 @@ def ip_valid_to_add_to_netbox(ip, permitted_subnets, interface_name=None):
     if permitted_subnets is None:
         return False
 
+    if excluded_subnets is None:
+        excluded_subnets = list()
+
     ip_text = f"'{ip}'"
     if interface_name is not None:
         ip_text = f"{ip_text} for {interface_name}"
@@ -104,6 +109,11 @@ def ip_valid_to_add_to_netbox(ip, permitted_subnets, interface_name=None):
             ip_permitted = True
             break
 
+    for excluded_subnet in excluded_subnets:
+        if ip_a in excluded_subnet:
+            ip_permitted = False
+            break
+
     if ip_permitted is False:
         log.debug(f"IP address {ip_text} not part of any permitted subnet. Skipping.")
         return False

diff --git a/module/sources/check_redfish/import_inventory.py b/module/sources/check_redfish/import_inventory.py
@@ -827,13 +827,13 @@ def update_network_interface(self):
             # collect ip addresses
             nic_ips[port_name] = list()
             for ipv4_address in grab(nic_port, "ipv4_addresses", fallback=list()):
-                if ip_valid_to_add_to_netbox(ipv4_address, self.permitted_subnets, port_name) is False:
+                if ip_valid_to_add_to_netbox(ipv4_address, self.permitted_subnets, interface_name=port_name) is False:
                     continue
 
                 nic_ips[port_name].append(ipv4_address)
 
             for ipv6_address in grab(nic_port, "ipv6_addresses", fallback=list()):
-                if ip_valid_to_add_to_netbox(ipv6_address, self.permitted_subnets, port_name) is False:
+                if ip_valid_to_add_to_netbox(ipv6_address, self.permitted_subnets, interface_name=port_name) is False:
                     continue
 
                 nic_ips[port_name].append(ipv6_address)

diff --git a/module/sources/vmware/connection.py b/module/sources/vmware/connection.py
@@ -227,14 +227,27 @@ def parse_config_settings(self, config_settings):
                 [x.strip() for x in config_settings.get("permitted_subnets").split(",") if x.strip() != ""]
 
             permitted_subnets = list()
-            for permitted_subnet in config_settings["permitted_subnets"]:
+            excluded_subnets = list()
+            # add "invisible" config option
+            self.settings["excluded_subnets"] = None
+
+            for subnet in config_settings["permitted_subnets"]:
+                excluded = False
+                if subnet[0] == "!":
+                    excluded = True
+                    subnet = subnet[1:].strip()
+
                 try:
-                    permitted_subnets.append(ip_network(permitted_subnet))
+                    if excluded is True:
+                        excluded_subnets.append(ip_network(subnet))
+                    else:
+                        permitted_subnets.append(ip_network(subnet))
                 except Exception as e:
                     log.error(f"Problem parsing permitted subnet: {e}")
                     validation_failed = True
 
             config_settings["permitted_subnets"] = permitted_subnets
+            config_settings["excluded_subnets"] = excluded_subnets
 
         # check include and exclude filter expressions
         for setting in [x for x in config_settings.keys() if "filter" in x]:
@@ -1959,7 +1972,7 @@ def add_host(self, obj):
 
             int_v4 = "{}/{}".format(grab(vnic, "spec.ip.ipAddress"), grab(vnic, "spec.ip.subnetMask"))
 
-            if ip_valid_to_add_to_netbox(int_v4, self.permitted_subnets, vnic_name) is True:
+            if ip_valid_to_add_to_netbox(int_v4, self.permitted_subnets, self.excluded_subnets, vnic_name) is True:
                 vnic_ips[vnic_name].append(int_v4)
 
                 if vnic_is_primary is True and host_primary_ip4 is None:
@@ -1969,7 +1982,7 @@ def add_host(self, obj):
 
                 int_v6 = "{}/{}".format(grab(ipv6_entry, "ipAddress"), grab(ipv6_entry, "prefixLength"))
 
-                if ip_valid_to_add_to_netbox(int_v6, self.permitted_subnets, vnic_name) is True:
+                if ip_valid_to_add_to_netbox(int_v6, self.permitted_subnets, self.excluded_subnets, vnic_name) is True:
                     vnic_ips[vnic_name].append(int_v6)
 
                     # set first valid IPv6 address as primary IPv6
@@ -2297,7 +2310,8 @@ def add_virtual_machine(self, obj):
 
                     int_ip_address = f"{int_ip.ipAddress}/{int_ip.prefixLength}"
 
-                    if ip_valid_to_add_to_netbox(int_ip_address, self.permitted_subnets, int_full_name) is False:
+                    if ip_valid_to_add_to_netbox(int_ip_address, self.permitted_subnets,
+                                                 self.excluded_subnets, int_full_name) is False:
                         continue
 
                     nic_ips[int_full_name].append(int_ip_address)
@@ -2385,7 +2399,8 @@ def add_virtual_machine(self, obj):
 
                     int_ip_address = f"{int_ip.ipAddress}/{int_ip.prefixLength}"
 
-                    if ip_valid_to_add_to_netbox(int_ip_address, self.permitted_subnets, int_full_name) is False:
+                    if ip_valid_to_add_to_netbox(int_ip_address, self.permitted_subnets,
+                                                 self.excluded_subnets, int_full_name) is False:
                         continue
 
                     nic_ips[int_full_name].append(int_ip_address)

diff --git a/settings-example.ini b/settings-example.ini
@@ -308,7 +308,9 @@ type = check_redfish
 inventory_file_path = /full/path/to/inventory/files
 
 # IP networks eligible to be synced to NetBox.
-# If an IP address is not part of this networks then it WON'T be synced to NetBox
+# If an IP address is not part of this networks then it WON'T be synced to NetBox.
+# To excluded small blocks from bigger IP blocks a leading '!' has to be added.
+# example: 10.0.0.0/8, !10.23.42.0/24
 permitted_subnets = 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, fd00::/8
 
 # define if the host name discovered via check_redfish overwrites the device host name in NetBox