Merge pull request #1199 from sarthurdev/T4218

firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
author: Christian Poessinger <christian@poessinger.com> 2022-01-31 19:26:37 +0100
committer: GitHub <noreply@github.com> 2022-01-31 19:26:37 +0100
commit: 36e54482a242e785c7a052035549bb45a117ea9a (patch)
tree: 3d947addcb9ea4c375e2771eed68e393e9295cbe /python/vyos/firewall.py
parent: 3aa1ec3f03a95ad41d3476b92b8b31a68b516b14 (diff)
parent: ff2cc45f8ba6d7ad1bc75ef384643692a54f31cc (diff)
download: vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.tar.gz
vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.zip
1 files changed, 21 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index a2e133217..a74fd922a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -104,13 +104,25 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 group = side_conf['group']
                 if 'address_group' in group:
                     group_name = group['address_group']
-                    output.append(f'{ip_name} {prefix}addr $A{def_suffix}_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
                 elif 'network_group' in group:
                     group_name = group['network_group']
-                    output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'{ip_name} {prefix}addr {operator} $N{def_suffix}_{group_name}')
                 if 'mac_group' in group:
                     group_name = group['mac_group']
-                    output.append(f'ether {prefix}addr $M_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'ether {prefix}addr {operator} $M_{group_name}')
                 if 'port_group' in group:
                     proto = rule_conf['protocol']
                     group_name = group['port_group']
@@ -118,7 +130,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                     if proto == 'tcp_udp':
                         proto = 'th'
 
-                    output.append(f'{proto} {prefix}port $P_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+
+                    output.append(f'{proto} {prefix}port {operator} $P_{group_name}')
 
     if 'log' in rule_conf and rule_conf['log'] == 'enable':
         action = rule_conf['action'] if 'action' in rule_conf else 'accept'
author	Christian Poessinger <christian@poessinger.com>	2022-01-31 19:26:37 +0100
committer	GitHub <noreply@github.com>	2022-01-31 19:26:37 +0100
commit	36e54482a242e785c7a052035549bb45a117ea9a (patch)
tree	3d947addcb9ea4c375e2771eed68e393e9295cbe /python/vyos/firewall.py
parent	3aa1ec3f03a95ad41d3476b92b8b31a68b516b14 (diff)
parent	ff2cc45f8ba6d7ad1bc75ef384643692a54f31cc (diff)
download	vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.tar.gz vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.zip