path: root/python/vyos/firewall.py
authorChristian Poessinger <christian@poessinger.com>2022-11-24 20:45:10 +0100
committerGitHub <noreply@github.com>2022-11-24 20:45:10 +0100
commite0182613a2013ed7efa5bf99766c89cddefc1b29 (patch)
treeac2431811f9134616cc668f8abee3eef83dbabc0 /python/vyos/firewall.py
parentf9a5286f163b27b51eb5e9a801c5d646c07a7990 (diff)
parentca6b7340714c6161337f508978b9834722be58dc (diff)
Merge pull request #1641 from Rain/T4612-arbitrary-netmasks
firewall: T4612: Support arbitrary netmasks
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py19
1 files changed, 15 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 59ec4948f..48263eef5 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -113,12 +113,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if side in rule_conf:
prefix = side[0]
side_conf = rule_conf[side]
+ address_mask = side_conf.get('address_mask', None)
if 'address' in side_conf:
suffix = side_conf['address']
- if suffix[0] == '!':
- suffix = f'!= {suffix[1:]}'
- output.append(f'{ip_name} {prefix}addr {suffix}')
+ operator = ''
+ exclude = suffix[0] == '!'
+ if exclude:
+ operator = '!= '
+ suffix = suffix[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator} '
+ output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
if 'fqdn' in side_conf:
fqdn = side_conf['fqdn']
@@ -168,9 +175,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'address_group' in group:
group_name = group['address_group']
operator = ''
- if group_name[0] == '!':
+ exclude = group_name[0] == "!"
+ if exclude:
operator = '!='
group_name = group_name[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator}'
output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
# Generate firewall group domain-group
elif 'domain_group' in group:
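Review bot: `address_mask` is interpolated verbatim into the nft rule text in `operator = f'& {address_mask} {operator}'` here and in the equivalent line of the first hunk, with nothing at this layer checking that it is a well-formed IPv4/IPv6 mask; if the CLI validator for `address_mask` is looser than that, a malformed value produces a ruleset that `nft` rejects at load time, i.e. a failed commit rather than a clear configuration error. A guard before formatting, e.g. `ipaddress.ip_address(address_mask)` wrapped to raise the module's usual config error naming the rule, would surface that at this layer (whether `ipaddress` is already imported is outside the hunk). `address_mask` is only assigned in the first hunk, inside the `if side in rule_conf:` body, so the `if address_mask:` reference in this hunk relies on both hunks sitting in that same scope — worth confirming, since the enclosing structure is outside the hunk. Minor style: `exclude = group_name[0] == "!"` uses double quotes where the rest of the function (`suffix[0] == '!'`) uses single quotes. parse_rule's body continues outside the hunk.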