summaryrefslogtreecommitdiff
path: root/src/conf_mode/firewall.py
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2024-03-19 18:01:09 +0100
committerGitHub <noreply@github.com>2024-03-19 18:01:09 +0100
commitd2f341739e7d8e941b61ed00fe21b990cb2e0b26 (patch)
treec6c91909b4d87c37c8d666b1ca0390867814658b /src/conf_mode/firewall.py
parent7956eced02862253d28a64befe4add2449df0c89 (diff)
parent4a186b0d3c143b88de6c3d39980a6f13fb5179bb (diff)
downloadvyos-1x-d2f341739e7d8e941b61ed00fe21b990cb2e0b26.tar.gz
vyos-1x-d2f341739e7d8e941b61ed00fe21b990cb2e0b26.zip
Merge pull request #3149 from vyos/mergify/bp/sagitta/pr-3146
T6136: add error checks when using dynamic firewall groups (backport #3146)
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c27655b0..810437dda 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -268,6 +268,18 @@ def verify_rule(firewall, rule_conf, ipv6):
if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
raise ConfigError(f'{side} port-group and port cannot both be defined')
+ if 'add_address_to_group' in rule_conf:
+ for type in ['destination_address', 'source_address']:
+ if type in rule_conf['add_address_to_group']:
+ if 'address_group' not in rule_conf['add_address_to_group'][type]:
+ raise ConfigError(f'Dynamic address group must be defined.')
+ else:
+ target = rule_conf['add_address_to_group'][type]['address_group']
+ fwall_group = 'ipv6_address_group' if ipv6 else 'address_group'
+ group_obj = dict_search_args(firewall, 'group', 'dynamic_group', fwall_group, target)
+ if group_obj is None:
+ raise ConfigError(f'Invalid dynamic address group on firewall rule')
+
if 'log_options' in rule_conf:
if 'log' not in rule_conf:
raise ConfigError('log-options defined, but log is not enable')