diff options
author | talmakion <andrewt@telekinetica.net> | 2024-07-28 21:47:07 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-28 14:47:07 +0300 |
commit | e2bf8812f73a75356f56274968be8859a2186d73 (patch) | |
tree | 2f71b4042bb602ca58f03792af0143903e8e3f24 /python/vyos/firewall.py | |
parent | ba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff) | |
download | vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip |
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r-- | python/vyos/firewall.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 664df28cc..40399f481 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -366,10 +366,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): output.append(f'ip{def_suffix} dscp != {{{negated_dscp_str}}}') if 'ipsec' in rule_conf: - if 'match_ipsec' in rule_conf['ipsec']: + if 'match_ipsec_in' in rule_conf['ipsec']: output.append('meta ipsec == 1') - if 'match_none' in rule_conf['ipsec']: + if 'match_none_in' in rule_conf['ipsec']: output.append('meta ipsec == 0') + if 'match_ipsec_out' in rule_conf['ipsec']: + output.append('rt ipsec exists') + if 'match_none_out' in rule_conf['ipsec']: + output.append('rt ipsec missing') if 'fragment' in rule_conf: # Checking for fragmentation after priority -400 is not possible, |