author | Rain <6818611+Rain@users.noreply.github.com> | 2022-10-08 18:04:01 -0400 |
---|---|---|
committer | Rain <6818611+Rain@users.noreply.github.com> | 2022-10-08 18:04:01 -0400 |
commit | ca6b7340714c6161337f508978b9834722be58dc (patch) | |
tree | 349bbc00ff73a84851960a6fca7a40c38ba6de2d /python/vyos/firewall.py | |
parent | 8248aaaa7952db580a199bd36202e7f26c19ec88 (diff) | |
firewall: T4612: Support arbitrary netmasks
Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r-- | python/vyos/firewall.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 4075e55b0..2ebb220fe 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -144,12 +144,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if side in rule_conf:
 prefix = side[0]
 side_conf = rule_conf[side]
+ address_mask = side_conf.get('address_mask', None)
 if 'address' in side_conf:
 suffix = side_conf['address']
- if suffix[0] == '!':
- suffix = f'!= {suffix[1:]}'
- output.append(f'{ip_name} {prefix}addr {suffix}')
+ operator = ''
+ exclude = suffix[0] == '!'
+ if exclude:
+ operator = '!= '
+ suffix = suffix[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator} '
+ output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
 if dict_search_args(side_conf, 'geoip', 'country_code'):
 operator = ''
@@ -192,9 +199,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if 'address_group' in group:
 group_name = group['address_group']
 operator = ''
- if group_name[0] == '!':
+ exclude = group_name[0] == "!"
+ if exclude:
 operator = '!='
 group_name = group_name[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator}'
 output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
 # Generate firewall group domain-group
 elif 'domain_group' in group: |
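Review bot: The value read by `address_mask = side_conf.get('address_mask', None)` in the first hunk is interpolated verbatim into the nft rule text (`f'& {address_mask} {operator} '`, and again in the second hunk's group branch) without any check that it is shaped like an address, so whatever the config node accepts becomes part of the ruleset passed to nft. If the CLI definition for address-mask does not already constrain it to a valid IPv4/IPv6 address, it is worth a cheap parse here as defence in depth, e.g. `if address_mask: ipaddress.ip_address(address_mask)` directly after the lookup (with `import ipaddress`), so a malformed value fails at parse time rather than at nft load. A related point that cannot be settled from the collapsed diff: `address_mask` is assigned inside the `if side in rule_conf:` block but used in the second hunk's group loop; if that loop is reachable without the first hunk's assignment having run, it would raise NameError, and the two hunks should agree on where the lookup lives. parse_rule begins before the first hunk and continues after the second.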