summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-07-24 14:08:19 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2024-08-01 13:25:31 -0300
commit20551379e8e2b4b6e342b39ea67738876e559bbf (patch)
treebf8237ba1039c90a079ebafa848fcff4193fcaae /python/vyos/firewall.py
parent962ead698e191ff413aaa1585270dfed48100547 (diff)
downloadvyos-1x-20551379e8e2b4b6e342b39ea67738876e559bbf.tar.gz
vyos-1x-20551379e8e2b4b6e342b39ea67738876e559bbf.zip
T4072: firewall: extend firewall bridge capabilities, in order to include new chains, priorities, and firewall groups
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py56
1 files changed, 34 insertions, 22 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index facd498ca..cac6d2953 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -167,7 +167,10 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if address_mask:
operator = '!=' if exclude else '=='
operator = f'& {address_mask} {operator} '
- output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
+ if is_ipv4(suffix):
+ output.append(f'ip {prefix}addr {operator}{suffix}')
+ else:
+ output.append(f'ip6 {prefix}addr {operator}{suffix}')
if 'fqdn' in side_conf:
fqdn = side_conf['fqdn']
@@ -236,22 +239,38 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if 'group' in side_conf:
group = side_conf['group']
- if 'address_group' in group:
- group_name = group['address_group']
- operator = ''
- exclude = group_name[0] == "!"
- if exclude:
- operator = '!='
- group_name = group_name[1:]
- if address_mask:
- operator = '!=' if exclude else '=='
- operator = f'& {address_mask} {operator}'
- output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
- elif 'dynamic_address_group' in group:
+ for ipvx_address_group in ['address_group', 'ipv4_address_group', 'ipv6_address_group']:
+ if ipvx_address_group in group:
+ group_name = group[ipvx_address_group]
+ operator = ''
+ exclude = group_name[0] == "!"
+ if exclude:
+ operator = '!='
+ group_name = group_name[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator}'
+ # for bridge, change ip_name
+ if ip_name == 'bri':
+ ip_name = 'ip' if ipvx_address_group == 'ipv4_address_group' else 'ip6'
+ def_suffix = '6' if ipvx_address_group == 'ipv6_address_group' else ''
+ output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
+ for ipvx_network_group in ['network_group', 'ipv4_network_group', 'ipv6_network_group']:
+ if ipvx_network_group in group:
+ group_name = group[ipvx_network_group]
+ operator = ''
+ if group_name[0] == "!":
+ operator = '!='
+ group_name = group_name[1:]
+ # for bridge, change ip_name
+ if ip_name == 'bri':
+ ip_name = 'ip' if ipvx_network_group == 'ipv4_network_group' else 'ip6'
+ def_suffix = '6' if ipvx_network_group == 'ipv6_network_group' else ''
+ output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}')
+ if 'dynamic_address_group' in group:
group_name = group['dynamic_address_group']
operator = ''
- exclude = group_name[0] == "!"
- if exclude:
+ if group_name[0] == "!":
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} @DA{def_suffix}_{group_name}')
@@ -263,13 +282,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}')
- elif 'network_group' in group:
- group_name = group['network_group']
- operator = ''
- if group_name[0] == '!':
- operator = '!='
- group_name = group_name[1:]
- output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}')
if 'mac_group' in group:
group_name = group['mac_group']
operator = ''