diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-08-09 14:03:21 +0000 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2024-08-11 14:53:57 +0200 |
commit | fc59359c52b4ad4e762ce1330497425652a884da (patch) | |
tree | 253fb2c4777940712de9eb71710d78510bb86616 | |
parent | 30506a53fa02bc514f3570af4d870eba9695aa08 (diff) | |
download | vyos-1x-fc59359c52b4ad4e762ce1330497425652a884da.tar.gz vyos-1x-fc59359c52b4ad4e762ce1330497425652a884da.zip |
T6643: firewall: fix ip address range parsing on firewall rules.
(cherry picked from commit ff58f3e5f30d3775487a6a3b561863aa37d11d43)
-rwxr-xr-x[-rw-r--r--] | python/vyos/firewall.py | 14 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 8 |
2 files changed, 17 insertions, 5 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 664df28cc..8913ba152 100644..100755 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -164,7 +164,19 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): if address_mask: operator = '!=' if exclude else '==' operator = f'& {address_mask} {operator} ' - output.append(f'{ip_name} {prefix}addr {operator}{suffix}') + + if suffix.find('-') != -1: + # Range + start, end = suffix.split('-') + if is_ipv4(start): + output.append(f'ip {prefix}addr {operator}{suffix}') + else: + output.append(f'ip6 {prefix}addr {operator}{suffix}') + else: + if is_ipv4(suffix): + output.append(f'ip {prefix}addr {operator}{suffix}') + else: + output.append(f'ip6 {prefix}addr {operator}{suffix}') if 'fqdn' in side_conf: fqdn = side_conf['fqdn'] diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 0943d8e24..4de8e0c56 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -311,7 +311,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1-198.51.100.50']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) @@ -331,7 +331,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ ['chain VYOS_FORWARD_filter'], ['type filter hook forward priority filter; policy accept;'], - ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'], + ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'], ['FWD-filter default-action drop', 'drop'], ['chain VYOS_INPUT_filter'], ['type filter hook input priority filter; policy accept;'], @@ -455,7 +455,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log']) self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1-2002::10']) self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log']) self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit']) @@ -510,7 +510,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['tcp dport 23', 'drop'], ['PRE-raw default-action accept', 'accept'], [f'chain NAME6_{name}'], - ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'], + ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'], [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'], ['jump VYOS_STATE_POLICY6'], ['chain VYOS_STATE_POLICY6'], |