authorChristian Poessinger <christian@poessinger.com>2022-09-03 20:37:10 +0200
committerChristian Poessinger <christian@poessinger.com>2022-09-03 20:37:10 +0200
commitd9eb48a0ced1eb60bd00fe2f18559b3c780ee98a (patch)
tree1c435788f7c78d2ec422652695ccb5361af71d40 /python/vyos/firewall.py
parent2791fd446e54e909bbcdb8e753e0c3774204318c (diff)
firewall: T4651: re-implement packet-length CLI option to use <multi/>
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py25
1 files changed, 6 insertions, 19 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index ea28aa91d..0bc5378db 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -150,7 +150,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if suffix[0] == '!':
suffix = f'!= {suffix[1:]}'
output.append(f'{ip_name} {prefix}addr {suffix}')
-
+
if dict_search_args(side_conf, 'geoip', 'country_code'):
operator = ''
if dict_search_args(side_conf, 'geoip', 'inverse_match') != None:
@@ -267,25 +267,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'packet_length' in rule_conf:
- #proto = rule_conf['protocol']
- length = rule_conf['packet_length'].split(',')
-
- lengths = []
- negated_lengths = []
-
- for p in length:
- if p[0] == '!':
- negated_lengths.append(p[1:])
- else:
- lengths.append(p)
-
- if lengths:
- lengths_str = ','.join(lengths)
- output.append(f'ip{def_suffix} length {{{lengths_str}}}')
+ lengths_str = ','.join(rule_conf['packet_length'])
+ output.append(f'ip{def_suffix} length {{{lengths_str}}}')
- if negated_lengths:
- negated_lengths_str = ','.join(negated_lengths)
- output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
+ if 'packet_length_exclude' in rule_conf:
+ negated_lengths_str = ','.join(rule_conf['packet_length_exclude'])
+ output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
if 'ipsec' in rule_conf:
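Review bot: Both new `','.join(...)` calls in the `packet_length` and `packet_length_exclude` branches assume the config value is already a list; if either ever arrives as a plain string, `join` iterates its characters and `1500` is rendered as `{1,5,0,0}`, a syntactically valid nftables set that silently matches the wrong lengths. A cheap guard is to normalise before joining, e.g. `lengths = rule_conf['packet_length']` followed by `if isinstance(lengths, str): lengths = [lengths]`, and the same for the exclude key. The removed loop also handled a leading `!`; a value such as `!1500` left over from an older config would now be placed inside the positive set, so this presumably depends on a config migration and on the CLI validator, neither of which is visible in this file-limited diff. A short comment above the branch, such as `# packet_length is a <multi/> node: always a list of values; negation lives in packet_length_exclude`, would record that contract next to the string interpolation. `parse_rule` starts and ends outside the hunk.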