summaryrefslogtreecommitdiff
path: root/src/conf_mode/firewall.py
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-03-05 13:20:44 +0000
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-03-06 11:34:26 +0000
commitd2ce5c18498ad054c5c1fa1294892d25317fb589 (patch)
tree3f8f86789cf0875212d48f4cd583ed6ff9071129 /src/conf_mode/firewall.py
parent0fc8b17901fe8bdaa4cb5a0eb88884c9c35ff84c (diff)
downloadvyos-1x-d2ce5c18498ad054c5c1fa1294892d25317fb589.tar.gz
vyos-1x-d2ce5c18498ad054c5c1fa1294892d25317fb589.zip
T6075: firewall and NAT: check if interface-group exists when using them in firewall|nat rules.
(cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index acb7dfa41..3c27655b0 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -282,6 +282,15 @@ def verify_rule(firewall, rule_conf, ipv6):
if direction in rule_conf:
if 'name' in rule_conf[direction] and 'group' in rule_conf[direction]:
raise ConfigError(f'Cannot specify both interface group and interface name for {direction}')
+ if 'group' in rule_conf[direction]:
+ group_name = rule_conf[direction]['group']
+ if group_name[0] == '!':
+ group_name = group_name[1:]
+ group_obj = dict_search_args(firewall, 'group', 'interface_group', group_name)
+ if group_obj is None:
+ raise ConfigError(f'Invalid interface group "{group_name}" on firewall rule')
+ if not group_obj:
+ Warning(f'interface-group "{group_name}" has no members!')
def verify_nested_group(group_name, group, groups, seen):
if 'include' not in group: