diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-10-08 21:17:52 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-10-08 21:20:12 +0200 |
commit | fac3b8fe86700c581fc8b73574a3b9c79a530bb3 (patch) | |
tree | dad9bfe971c2b14466bdcfd800a93f7848394809 /src/conf_mode | |
parent | 30cf3bc79e2253a004fcbbf76c9f99c52e7bc216 (diff) | |
download | vyos-1x-fac3b8fe86700c581fc8b73574a3b9c79a530bb3.tar.gz vyos-1x-fac3b8fe86700c581fc8b73574a3b9c79a530bb3.zip |
tunnel: T3893: harden logic when validating tunnel parameters
Different types of tunnels have different keys set in get_interface_config().
Thus it should be properly verified (by e.g. using dict_search()) that the key
in question esits to not raise KeyError.
(cherry picked from commit 5aadf673497b93e2d4ad304e567de1cd571f9e25)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-tunnel.py | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index 22a9f0e18..5fa165190 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -88,18 +88,17 @@ def verify(tunnel): # Prevent the same key for 2 tunnels with same source-address/encap. T2920 for tunnel_if in Section.interfaces('tunnel'): tunnel_cfg = get_interface_config(tunnel_if) - exist_encap = tunnel_cfg['linkinfo']['info_kind'] - exist_source_address = tunnel_cfg['address'] - exist_key = tunnel_cfg['linkinfo']['info_data']['ikey'] + # no match on encapsulation - bail out + if dict_search('linkinfo.info_kind', tunnel_cfg) != tunnel['encapsulation']: + continue new_source_address = tunnel['source_address'] # Convert tunnel key to ip key, format "ip -j link show" # 1 => 0.0.0.1, 999 => 0.0.3.231 - orig_new_key = int(tunnel['parameters']['ip']['key']) - new_key = IPv4Address(orig_new_key) + orig_new_key = dict_search('parameters.ip.key', tunnel) + new_key = IPv4Address(int(orig_new_key)) new_key = str(new_key) - if tunnel['encapsulation'] == exist_encap and \ - new_source_address == exist_source_address and \ - new_key == exist_key: + if dict_search('address', tunnel_cfg) == new_source_address and \ + dict_search('linkinfo.info_data.ikey', tunnel_cfg) == new_key: raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \ f'is already used for tunnel "{tunnel_if}"!') |