authorRain <6818611+Rain@users.noreply.github.com>2022-10-08 18:04:01 -0400
committerRain <6818611+Rain@users.noreply.github.com>2022-10-08 18:04:01 -0400
commitca6b7340714c6161337f508978b9834722be58dc (patch)
tree349bbc00ff73a84851960a6fca7a40c38ba6de2d /python/vyos
parent8248aaaa7952db580a199bd36202e7f26c19ec88 (diff)
firewall: T4612: Support arbitrary netmasks
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
Diffstat (limited to 'python/vyos')
-rw-r--r--python/vyos/firewall.py19
1 files changed, 15 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 4075e55b0..2ebb220fe 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -144,12 +144,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if side in rule_conf:
prefix = side[0]
side_conf = rule_conf[side]
+ address_mask = side_conf.get('address_mask', None)
if 'address' in side_conf:
suffix = side_conf['address']
- if suffix[0] == '!':
- suffix = f'!= {suffix[1:]}'
- output.append(f'{ip_name} {prefix}addr {suffix}')
+ operator = ''
+ exclude = suffix[0] == '!'
+ if exclude:
+ operator = '!= '
+ suffix = suffix[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator} '
+ output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
if dict_search_args(side_conf, 'geoip', 'country_code'):
operator = ''
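Review bot: The value read at `address_mask = side_conf.get('address_mask', None)` is interpolated verbatim into the nft expression at `operator = f'& {address_mask} {operator} '` with no check in this function that it is a well-formed address; if the interface definition's validator does not constrain it (that is not visible in this diff), one malformed mask makes the whole rendered ruleset fail to load rather than just this rule, so a verify-time check would be worth confirming. The same interpolation appears in the `address_group` branch of the second hunk. The mask branch also deserves a why-comment, since the explicit `'=='` looks redundant next to the plain `'!= '` form above it; something like `# with a bitwise '&' expression nft needs an explicit relational operator — confirm` would stop a later reader from "simplifying" it. The enclosing parse_rule continues outside this hunk.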
@@ -192,9 +199,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'address_group' in group:
group_name = group['address_group']
operator = ''
- if group_name[0] == '!':
+ exclude = group_name[0] == "!"
+ if exclude:
operator = '!='
group_name = group_name[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator}'
output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
# Generate firewall group domain-group
elif 'domain_group' in group:
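Review bot: `exclude = group_name[0] == "!"` uses double quotes while every other string literal in the hunk, and the parallel line `exclude = suffix[0] == '!'` in the first hunk, use single quotes; `exclude = group_name[0] == '!'` keeps the file consistent. The `address_mask` consulted in `if address_mask:` here is bound earlier in parse_rule, in the first hunk rather than in this one, so this branch silently depends on that assignment staying where it is; a short comment such as `# address_mask was read from side_conf above` would make that visible. parse_rule starts and ends outside this hunk.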