nautobot / nautobot-app-firewall-models

Model Firewall policies in Nautobot

Home Page:https://docs.nautobot.com/projects/firewall-models/en/latest/

Offer a rule policy existence checker

chadell opened this issue · comments

Environment

  • nautobot-plugin-firewall-model version: 1.2.1

Proposed Functionality

Expose a method to check if a rule to be created already exists

Use Case

Before creating a new rule with the same source and destination params, I would like to check if it already exists (and avoid creating it) in a very efficient way.

Please @dnewood, add any extra considerations.

I am currently doing this with annotations, but the solution has already proven not to be scalable:

from django.db.models import Count, Q

from nautobot_firewall_models.models import PolicyRule  # the firewall-models app's PolicyRule

# TODO Add better filter instead of using .all() to increase performance
# `sources`, `destinations` and `services` hold the candidate rule's related objects (or pks).
# Each filtered Count() counts the rule's related rows that fall inside the candidate set;
# comparing it with the unfiltered Count() keeps a rule only when all of its related rows
# are inside that set (HAVING COUNT(...) FILTER (...) = COUNT(...)). That is a subset test,
# not set equality: a rule narrower than the candidate (or with an empty relation, 0 == 0)
# matches too, and the three many-to-many joins multiply the rows counted per rule.
rule_match = (
    PolicyRule.objects.all()
    .annotate(
        source_matches=Count("source_addresses", filter=Q(source_addresses__in=sources)),
        destination_matches=Count("destination_addresses", filter=Q(destination_addresses__in=destinations)),
        dst_service_matches=Count("destination_services", filter=Q(destination_services__in=services)),
    )
    .filter(
        Q(source_matches=Count("source_addresses"))
        & Q(destination_matches=Count("destination_addresses"))
        & Q(dst_service_matches=Count("destination_services"))
    )
)

At ~3500 Policy Rules this function takes 35-40 seconds to execute for each rule we test against.
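One way to make the existence check cheap, as an added example rather than code from the issue or from nautobot-app-firewall-models: load every rule's three related pk sets once, reduce each rule to an order-independent fingerprint, and look candidates up in a dict. The Django loading step is only sketched in the docstring; the rows, the pk values and the `EXISTING_RULES` sample below are constructed for the example, and the idea of persisting the fingerprint in an indexed custom field is a suggestion, not an existing feature. The `containment_matches` helper reproduces the subset semantics of the Count()-equality query above so the two can be compared.

```python
"""Exact-match existence check for firewall policy rules.

Added example, not nautobot-app-firewall-models code. A rule's identity for
de-duplication is assumed to be the three sets of related primary keys the
annotate() query above joins on: source_addresses, destination_addresses and
destination_services. With Django available the rows would be loaded once,
e.g. via PolicyRule.objects.prefetch_related("source_addresses",
"destination_addresses", "destination_services"), and passed in as
(rule_pk, source_pks, destination_pks, service_pks) tuples. Here the rows
are constructed inline so the module runs offline.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Pk = str  # Nautobot pks are UUIDs; anything with a stable str() works
RuleRow = Tuple[Pk, Sequence[Pk], Sequence[Pk], Sequence[Pk]]


def rule_fingerprint(sources: Iterable[Pk], destinations: Iterable[Pk],
                     services: Iterable[Pk]) -> str:
    """Order-independent, unambiguous SHA-256 digest of the three pk sets.

    Each set and each member is length-prefixed, so {"a", "bc"} and
    {"ab", "c"} cannot collide. Persisting this digest on the rule (an indexed
    custom field, hypothetical here) would turn the existence check into one
    indexed equality lookup in the database.
    """
    h = hashlib.sha256()
    for members in (sources, destinations, services):
        unique = sorted({str(pk) for pk in members})  # dedupe + canonical order
        h.update(f"{len(unique)}:".encode())
        for pk in unique:
            h.update(f"{len(pk)}:{pk},".encode())
        h.update(b"|")
    return h.hexdigest()


class RuleIndex:
    """Fingerprint -> rule pk map, built in one pass over all existing rules.

    Each subsequent check is a dict lookup instead of an aggregating query
    over every rule.
    """

    def __init__(self, rows: Iterable[RuleRow]):
        self._by_fp: Dict[str, Pk] = {}
        # Rules that already duplicate each other, found while indexing.
        self.duplicates: Dict[str, List[Pk]] = {}
        for rule_pk, src, dst, svc in rows:
            fp = rule_fingerprint(src, dst, svc)
            if fp in self._by_fp:
                self.duplicates.setdefault(fp, [self._by_fp[fp]]).append(rule_pk)
            else:
                self._by_fp[fp] = rule_pk

    def find(self, sources, destinations, services) -> Optional[Pk]:
        """pk of a rule whose three sets equal the candidate's exactly, else None."""
        return self._by_fp.get(rule_fingerprint(sources, destinations, services))

    def add(self, rule_pk: Pk, sources, destinations, services) -> None:
        """Register a rule just created so later checks in the same run see it."""
        self._by_fp.setdefault(rule_fingerprint(sources, destinations, services), rule_pk)


def containment_matches(rows: Iterable[RuleRow], sources, destinations, services) -> List[Pk]:
    """What the Count()-equality query on this page selects.

    COUNT(filtered) == COUNT(all) holds when every related object of the rule
    lies inside the candidate set, i.e. the rule's sets are subsets of the
    candidate's. A narrower rule therefore matches too, as does one with an
    empty relation (0 == 0).
    """
    cand = (frozenset(sources), frozenset(destinations), frozenset(services))
    return [
        pk for pk, src, dst, svc in rows
        if frozenset(src) <= cand[0] and frozenset(dst) <= cand[1] and frozenset(svc) <= cand[2]
    ]


# Constructed sample rows; the pks are placeholders, not real UUIDs.
EXISTING_RULES: List[RuleRow] = [
    ("rule-1", ["net-a", "net-b"], ["host-x"], ["svc-https"]),
    ("rule-2", ["net-a"], ["host-x"], ["svc-https"]),  # narrower than rule-1
    ("rule-3", ["net-c"], ["host-y", "host-z"], ["svc-ssh", "svc-https"]),
]
INDEX = RuleIndex(EXISTING_RULES)


def check_before_create(sources, destinations, services) -> Optional[Pk]:
    """Return the pk of an identical existing rule, or None if it is safe to create."""
    return INDEX.find(sources, destinations, services)


if __name__ == "__main__":
    print(check_before_create(["net-b", "net-a"], ["host-x"], ["svc-https"]))
    print(check_before_create(["net-a", "net-b", "net-c"], ["host-x"], ["svc-https"]))
    print(containment_matches(EXISTING_RULES, ["net-a", "net-b", "net-c"], ["host-x"], ["svc-https"]))
```

Building the index costs one pass over the rules (three prefetched relations in a single trip), after which each candidate check is constant time regardless of how many rules exist. If the index must be shared across requests or workers, it should be invalidated when a rule's relations change, which is one argument for storing the fingerprint on the rule itself and letting the database do the equality lookup.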