diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2024-03-05 13:20:44 +0000 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-03-06 11:34:26 +0000 |
commit | d2ce5c18498ad054c5c1fa1294892d25317fb589 (patch) | |
tree | 3f8f86789cf0875212d48f4cd583ed6ff9071129 /src/conf_mode/firewall.py | |
parent | 0fc8b17901fe8bdaa4cb5a0eb88884c9c35ff84c (diff) | |
download | vyos-1x-d2ce5c18498ad054c5c1fa1294892d25317fb589.tar.gz vyos-1x-d2ce5c18498ad054c5c1fa1294892d25317fb589.zip |
T6075: firewall and NAT: check if interface-group exists when using them in firewall|nat rules.
(cherry picked from commit 3c0634e572ffdecaf24a9dac16678427f22761ab)
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index acb7dfa41..3c27655b0 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -282,6 +282,15 @@ def verify_rule(firewall, rule_conf, ipv6): if direction in rule_conf: if 'name' in rule_conf[direction] and 'group' in rule_conf[direction]: raise ConfigError(f'Cannot specify both interface group and interface name for {direction}') + if 'group' in rule_conf[direction]: + group_name = rule_conf[direction]['group'] + if group_name[0] == '!': + group_name = group_name[1:] + group_obj = dict_search_args(firewall, 'group', 'interface_group', group_name) + if group_obj is None: + raise ConfigError(f'Invalid interface group "{group_name}" on firewall rule') + if not group_obj: + Warning(f'interface-group "{group_name}" has no members!') def verify_nested_group(group_name, group, groups, seen): if 'include' not in group: |