diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-11-24 20:45:10 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-24 20:45:10 +0100 |
commit | e0182613a2013ed7efa5bf99766c89cddefc1b29 (patch) | |
tree | ac2431811f9134616cc668f8abee3eef83dbabc0 /python/vyos/firewall.py | |
parent | f9a5286f163b27b51eb5e9a801c5d646c07a7990 (diff) | |
parent | ca6b7340714c6161337f508978b9834722be58dc (diff) | |
download | vyos-1x-e0182613a2013ed7efa5bf99766c89cddefc1b29.tar.gz vyos-1x-e0182613a2013ed7efa5bf99766c89cddefc1b29.zip |
Merge pull request #1641 from Rain/T4612-arbitrary-netmasks
firewall: T4612: Support arbitrary netmasks
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r-- | python/vyos/firewall.py | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 59ec4948f..48263eef5 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -113,12 +113,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if side in rule_conf: prefix = side[0] side_conf = rule_conf[side] + address_mask = side_conf.get('address_mask', None) if 'address' in side_conf: suffix = side_conf['address'] - if suffix[0] == '!': - suffix = f'!= {suffix[1:]}' - output.append(f'{ip_name} {prefix}addr {suffix}') + operator = '' + exclude = suffix[0] == '!' + if exclude: + operator = '!= ' + suffix = suffix[1:] + if address_mask: + operator = '!=' if exclude else '==' + operator = f'& {address_mask} {operator} ' + output.append(f'{ip_name} {prefix}addr {operator}{suffix}') if 'fqdn' in side_conf: fqdn = side_conf['fqdn'] @@ -168,9 +175,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'address_group' in group: group_name = group['address_group'] operator = '' - if group_name[0] == '!': + exclude = group_name[0] == "!" + if exclude: operator = '!=' group_name = group_name[1:] + if address_mask: + operator = '!=' if exclude else '==' + operator = f'& {address_mask} {operator}' output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}') # Generate firewall group domain-group elif 'domain_group' in group: |