author | Christian Poessinger <christian@poessinger.com> | 2022-09-02 07:41:32 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2022-09-02 06:21:32 +0200 |
commit | 96302a27db8e9aaad3f2c1a81457c5e8e048dd4b (patch) | |
tree | 06c63cba1e38428ebd110685f9ff511ebce22282 /python/vyos | |
parent | 735767f09f891c438e43565f935b927e6f1b317d (diff) | |
parent | 312ee15058fbb26feb6a93520417f0d5343ad15b (diff) | |
Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewall
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.
Diffstat (limited to 'python/vyos')
-rw-r--r-- | python/vyos/firewall.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 663c4394a..ea28aa91d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -265,6 +265,29 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 if 'type' in rule_conf[icmp]:
 output.append(icmp + ' type ' + rule_conf[icmp]['type'])
+
+ if 'packet_length' in rule_conf:
+ #proto = rule_conf['protocol']
+ length = rule_conf['packet_length'].split(',')
+
+ lengths = []
+ negated_lengths = []
+
+ for p in length:
+ if p[0] == '!':
+ negated_lengths.append(p[1:])
+ else:
+ lengths.append(p)
+
+ if lengths:
+ lengths_str = ','.join(lengths)
+ output.append(f'ip{def_suffix} length {{{lengths_str}}}')
+
+ if negated_lengths:
+ negated_lengths_str = ','.join(negated_lengths)
+ output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
+
+
 if 'ipsec' in rule_conf:
 if 'match_ipsec' in rule_conf['ipsec']:
 output.append('meta ipsec == 1') |
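Review bot: `if p[0] == '!':` raises IndexError on an empty token, which `rule_conf['packet_length'].split(',')` yields for an empty value or a stray trailing comma (`'100,'`), so the whole rule compile aborts instead of the token being rejected or skipped; `if p.startswith('!'):` is the safe spelling, and the tokens should be checked against the numeric/range form the CLI validator promises before they are interpolated into the nft set literal. The commented-out `#proto = rule_conf['protocol']` is dead code and should be dropped, and the two trailing `+` blank lines leave three empty lines before `if 'ipsec' in rule_conf:`. If `def_suffix` (assigned outside the hunk) is `'6'` for IPv6 rules, note that nftables' `ip6 length` appears to match the payload-length field rather than the total packet size, so a doc comment should say which length the `packet-length` option compares per family; confirm against the nft reference. `parse_rule` begins and ends outside this hunk.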