diff options
author | Daniil Baturin <daniil@vyos.io> | 2024-03-19 18:01:09 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-19 18:01:09 +0100 |
commit | d2f341739e7d8e941b61ed00fe21b990cb2e0b26 (patch) | |
tree | c6c91909b4d87c37c8d666b1ca0390867814658b /src/conf_mode/firewall.py | |
parent | 7956eced02862253d28a64befe4add2449df0c89 (diff) | |
parent | 4a186b0d3c143b88de6c3d39980a6f13fb5179bb (diff) | |
download | vyos-1x-d2f341739e7d8e941b61ed00fe21b990cb2e0b26.tar.gz vyos-1x-d2f341739e7d8e941b61ed00fe21b990cb2e0b26.zip |
Merge pull request #3149 from vyos/mergify/bp/sagitta/pr-3146
T6136: add error checks when using dynamic firewall groups (backport #3146)
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 3c27655b0..810437dda 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -268,6 +268,18 @@ def verify_rule(firewall, rule_conf, ipv6): if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'): raise ConfigError(f'{side} port-group and port cannot both be defined') + if 'add_address_to_group' in rule_conf: + for type in ['destination_address', 'source_address']: + if type in rule_conf['add_address_to_group']: + if 'address_group' not in rule_conf['add_address_to_group'][type]: + raise ConfigError(f'Dynamic address group must be defined.') + else: + target = rule_conf['add_address_to_group'][type]['address_group'] + fwall_group = 'ipv6_address_group' if ipv6 else 'address_group' + group_obj = dict_search_args(firewall, 'group', 'dynamic_group', fwall_group, target) + if group_obj is None: + raise ConfigError(f'Invalid dynamic address group on firewall rule') + if 'log_options' in rule_conf: if 'log' not in rule_conf: raise ConfigError('log-options defined, but log is not enable') |