diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-09-03 20:37:10 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-09-03 20:37:10 +0200 |
commit | d9eb48a0ced1eb60bd00fe2f18559b3c780ee98a (patch) | |
tree | 1c435788f7c78d2ec422652695ccb5361af71d40 /python/vyos/firewall.py | |
parent | 2791fd446e54e909bbcdb8e753e0c3774204318c (diff) | |
download | vyos-1x-d9eb48a0ced1eb60bd00fe2f18559b3c780ee98a.tar.gz vyos-1x-d9eb48a0ced1eb60bd00fe2f18559b3c780ee98a.zip |
firewall: T4651: re-implement packet-length CLI option to use <multi/>
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r-- | python/vyos/firewall.py | 25 |
1 files changed, 6 insertions, 19 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index ea28aa91d..0bc5378db 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -150,7 +150,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if suffix[0] == '!': suffix = f'!= {suffix[1:]}' output.append(f'{ip_name} {prefix}addr {suffix}') - + if dict_search_args(side_conf, 'geoip', 'country_code'): operator = '' if dict_search_args(side_conf, 'geoip', 'inverse_match') != None: @@ -267,25 +267,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'packet_length' in rule_conf: - #proto = rule_conf['protocol'] - length = rule_conf['packet_length'].split(',') - - lengths = [] - negated_lengths = [] - - for p in length: - if p[0] == '!': - negated_lengths.append(p[1:]) - else: - lengths.append(p) - - if lengths: - lengths_str = ','.join(lengths) - output.append(f'ip{def_suffix} length {{{lengths_str}}}') + lengths_str = ','.join(rule_conf['packet_length']) + output.append(f'ip{def_suffix} length {{{lengths_str}}}') - if negated_lengths: - negated_lengths_str = ','.join(negated_lengths) - output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}') + if 'packet_length_exclude' in rule_conf: + negated_lengths_str = ','.join(rule_conf['packet_length_exclude']) + output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}') if 'ipsec' in rule_conf: |