summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.github/workflows/package-smoketest.yml3
-rw-r--r--data/templates/firewall/nftables-nat.j213
-rw-r--r--interface-definitions/include/nat-rule.xml.i2
-rw-r--r--interface-definitions/policy.xml.in48
-rwxr-xr-xpython/vyos/firewall.py47
-rw-r--r--python/vyos/nat.py7
-rwxr-xr-xsmoketest/scripts/cli/test_nat.py26
-rwxr-xr-xsrc/conf_mode/firewall.py21
-rwxr-xr-xsrc/conf_mode/nat.py20
-rwxr-xr-xsrc/helpers/vyos-domain-resolver.py107
-rw-r--r--src/systemd/vyos-domain-resolver.service1
-rwxr-xr-xsrc/validators/interface-address2
-rwxr-xr-xsrc/validators/ip-address4
-rwxr-xr-xsrc/validators/ip-cidr4
-rwxr-xr-xsrc/validators/ip-host4
-rwxr-xr-xsrc/validators/ip-prefix4
-rwxr-xr-xsrc/validators/ipv44
-rwxr-xr-xsrc/validators/ipv4-address4
-rwxr-xr-xsrc/validators/ipv4-host4
-rwxr-xr-xsrc/validators/ipv4-multicast4
-rwxr-xr-xsrc/validators/ipv4-prefix4
-rwxr-xr-xsrc/validators/ipv64
-rwxr-xr-xsrc/validators/ipv6-address4
-rwxr-xr-xsrc/validators/ipv6-host4
-rwxr-xr-xsrc/validators/ipv6-multicast4
-rwxr-xr-xsrc/validators/ipv6-prefix4
26 files changed, 244 insertions, 109 deletions
diff --git a/.github/workflows/package-smoketest.yml b/.github/workflows/package-smoketest.yml
index a74c35adf..289ad70f3 100644
--- a/.github/workflows/package-smoketest.yml
+++ b/.github/workflows/package-smoketest.yml
@@ -1,7 +1,7 @@
name: VyOS ISO integration Test
on:
- pull_request:
+ pull_request_target:
branches:
- current
paths:
@@ -39,6 +39,7 @@ jobs:
path: packages/vyos-1x
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Build vyos-1x package
run: |
cd packages/vyos-1x; dpkg-buildpackage -uc -us -tc -b
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index 4254f6a0e..8c8dd3a8b 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -19,6 +19,12 @@ table ip vyos_nat {
{% endfor %}
{% endif %}
}
+{% for set_name in ip_fqdn %}
+ set FQDN_nat_{{ set_name }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
#
# Source NAT rules build up here
@@ -31,7 +37,14 @@ table ip vyos_nat {
{{ config | nat_rule(rule, 'source') }}
{% endfor %}
{% endif %}
+
+ }
+{% for set_name in ip_fqdn %}
+ set FQDN_nat_{{ set_name }} {
+ type ipv4_addr
+ flags interval
}
+{% endfor %}
chain VYOS_PRE_DNAT_HOOK {
return
diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i
index deb13529d..0a7179ff1 100644
--- a/interface-definitions/include/nat-rule.xml.i
+++ b/interface-definitions/include/nat-rule.xml.i
@@ -18,6 +18,7 @@
<help>NAT destination parameters</help>
</properties>
<children>
+ #include <include/firewall/fqdn.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
#include <include/firewall/source-destination-group.xml.i>
@@ -315,6 +316,7 @@
<help>NAT source parameters</help>
</properties>
<children>
+ #include <include/firewall/fqdn.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
#include <include/firewall/source-destination-group.xml.i>
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index eb907cb9e..cbab6173f 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -202,11 +202,11 @@
<properties>
<help>Regular expression to match against a community-list</help>
<completionHelp>
- <list>local-AS no-advertise no-export internet additive</list>
+ <list>local-AS no-advertise no-export internet graceful-shutdown accept-own-nexthop accept-own route-filter-translated-v4 route-filter-v4 route-filter-translated-v6 route-filter-v6 llgr-stale no-llgr blackhole no-peer additive</list>
</completionHelp>
<valueHelp>
<format>&lt;aa:nn&gt;</format>
- <description>Community number in AA:NN format</description>
+ <description>Community number in AA:NN format where AA and NN are (0-65535)</description>
</valueHelp>
<valueHelp>
<format>local-AS</format>
@@ -225,6 +225,50 @@
<description>Well-known communities value 0</description>
</valueHelp>
<valueHelp>
+ <format>graceful-shutdown</format>
+ <description>Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000</description>
+ </valueHelp>
+ <valueHelp>
+ <format>accept-own-nexthop</format>
+ <description>Well-known communities value ACCEPT_OWN_NEXTHOP 0xFFFF0008</description>
+ </valueHelp>
+ <valueHelp>
+ <format>accept-own</format>
+ <description>Well-known communities value ACCEPT_OWN 0xFFFF0001 65535:1</description>
+ </valueHelp>
+ <valueHelp>
+ <format>route-filter-translated-v4</format>
+ <description>Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002 65535:2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>route-filter-v4</format>
+ <description>Well-known communities value ROUTE_FILTER_v4 0xFFFF0003 65535:3</description>
+ </valueHelp>
+ <valueHelp>
+ <format>route-filter-translated-v6</format>
+ <description>Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004 65535:4</description>
+ </valueHelp>
+ <valueHelp>
+ <format>route-filter-v6</format>
+ <description>Well-known communities value ROUTE_FILTER_v6 0xFFFF0005 65535:5</description>
+ </valueHelp>
+ <valueHelp>
+ <format>llgr-stale</format>
+ <description>Well-known communities value LLGR_STALE 0xFFFF0006 65535:6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no-llgr</format>
+ <description>Well-known communities value NO_LLGR 0xFFFF0007 65535:7</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blackhole</format>
+ <description>Well-known communities value BLACKHOLE 0xFFFF029A 65535:666</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no-peer</format>
+ <description>Well-known communities value NOPEER 0xFFFFFF04 65535:65284</description>
+ </valueHelp>
+ <valueHelp>
<format>additive</format>
<description>New value is appended to the existing value</description>
</valueHelp>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 64fed8177..34d0b73f6 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -53,25 +53,32 @@ def conntrack_required(conf):
# Domain Resolver
-def fqdn_config_parse(firewall):
- firewall['ip_fqdn'] = {}
- firewall['ip6_fqdn'] = {}
-
- for domain, path in dict_search_recursive(firewall, 'fqdn'):
- hook_name = path[1]
- priority = path[2]
-
- fw_name = path[2]
- rule = path[4]
- suffix = path[5][0]
- set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
-
- if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
- firewall['ip_fqdn'][set_name] = domain
- elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
- if path[1] == 'name':
- set_name = f'name6_{priority}_{rule}_{suffix}'
- firewall['ip6_fqdn'][set_name] = domain
+def fqdn_config_parse(config, node):
+ config['ip_fqdn'] = {}
+ config['ip6_fqdn'] = {}
+
+ for domain, path in dict_search_recursive(config, 'fqdn'):
+ if node != 'nat':
+ hook_name = path[1]
+ priority = path[2]
+
+ rule = path[4]
+ suffix = path[5][0]
+ set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
+
+ if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ config['ip_fqdn'][set_name] = domain
+ elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ if path[1] == 'name':
+ set_name = f'name6_{priority}_{rule}_{suffix}'
+ config['ip6_fqdn'][set_name] = domain
+ else:
+ # Parse FQDN for NAT
+ nat_direction = path[0]
+ nat_rule = path[2]
+ suffix = path[3][0]
+ set_name = f'{nat_direction}_{nat_rule}_{suffix}'
+ config['ip_fqdn'][set_name] = domain
def fqdn_resolve(fqdn, ipv6=False):
try:
@@ -80,8 +87,6 @@ def fqdn_resolve(fqdn, ipv6=False):
except:
return None
-# End Domain Resolver
-
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
results = cmd(f'sudo nft --handle list chain {table} {chain}').split("\n")
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index 5fab3c2a1..29f8e961b 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
@@ -242,6 +242,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
+ if 'fqdn' in side_conf:
+ fqdn = side_conf['fqdn']
+ operator = ''
+ if fqdn[0] == '!':
+ operator = '!='
+ output.append(f' ip {prefix}addr {operator} @FQDN_nat_{nat_type}_{rule_id}_{prefix}')
+
output.append('counter')
if 'log' in rule_conf:
diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
index 5161e47fd..0beafcc6c 100755
--- a/smoketest/scripts/cli/test_nat.py
+++ b/smoketest/scripts/cli/test_nat.py
@@ -304,5 +304,31 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_nat')
+ def test_nat_fqdn(self):
+ source_domain = 'vyos.dev'
+ destination_domain = 'vyos.io'
+
+ self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'name', 'eth0'])
+ self.cli_set(src_path + ['rule', '1', 'source', 'fqdn', source_domain])
+ self.cli_set(src_path + ['rule', '1', 'translation', 'address', 'masquerade'])
+
+ self.cli_set(dst_path + ['rule', '1', 'destination', 'fqdn', destination_domain])
+ self.cli_set(dst_path + ['rule', '1', 'source', 'fqdn', source_domain])
+ self.cli_set(dst_path + ['rule', '1', 'destination', 'port', '5122'])
+ self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp'])
+ self.cli_set(dst_path + ['rule', '1', 'translation', 'address', '198.51.100.1'])
+ self.cli_set(dst_path + ['rule', '1', 'translation', 'port', '22'])
+
+
+ self.cli_commit()
+
+ nftables_search = [
+ ['set FQDN_nat_destination_1_d'],
+ ['set FQDN_nat_source_1_s'],
+ ['oifname "eth0"', 'ip saddr @FQDN_nat_source_1_s', 'masquerade', 'comment "SRC-NAT-1"'],
+ ['tcp dport 5122', 'ip saddr @FQDN_nat_destination_1_s', 'ip daddr @FQDN_nat_destination_1_d', 'dnat to 198.51.100.1:22', 'comment "DST-NAT-1"']
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_nat')
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 5638a9668..ffbd915a2 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -36,11 +36,15 @@ from vyos.utils.process import cmd
from vyos.utils.process import rc_cmd
from vyos import ConfigError
from vyos import airbag
+from pathlib import Path
from subprocess import run as subp_run
airbag.enable()
nftables_conf = '/run/nftables.conf'
+domain_resolver_usage = '/run/use-vyos-domain-resolver-firewall'
+domain_resolver_usage_nat = '/run/use-vyos-domain-resolver-nat'
+
sysctl_file = r'/run/sysctl/10-vyos-firewall.conf'
valid_groups = [
@@ -128,7 +132,7 @@ def get_config(config=None):
firewall['geoip_updated'] = geoip_updated(conf, firewall)
- fqdn_config_parse(firewall)
+ fqdn_config_parse(firewall, 'firewall')
set_dependents('conntrack', conf)
@@ -570,12 +574,15 @@ def apply(firewall):
call_dependents()
- # T970 Enable a resolver (systemd daemon) that checks
- # domain-group/fqdn addresses and update entries for domains by timeout
- # If router loaded without internet connection or for synchronization
- domain_action = 'stop'
- if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'] or firewall['ip6_fqdn']:
- domain_action = 'restart'
+ ## DOMAIN RESOLVER
+ domain_action = 'restart'
+ if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'].items() or firewall['ip6_fqdn'].items():
+ text = f'# Automatically generated by firewall.py\nThis file indicates that vyos-domain-resolver service is used by the firewall.\n'
+ Path(domain_resolver_usage).write_text(text)
+ else:
+ Path(domain_resolver_usage).unlink(missing_ok=True)
+ if not Path('/run').glob('use-vyos-domain-resolver*'):
+ domain_action = 'stop'
call(f'systemctl {domain_action} vyos-domain-resolver.service')
if firewall['geoip_updated']:
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 39803fa02..98b2f3f29 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -26,10 +26,13 @@ from vyos.template import is_ip_network
from vyos.utils.kernel import check_kmod
from vyos.utils.dict import dict_search
from vyos.utils.dict import dict_search_args
+from vyos.utils.file import write_file
from vyos.utils.process import cmd
from vyos.utils.process import run
+from vyos.utils.process import call
from vyos.utils.network import is_addr_assigned
from vyos.utils.network import interface_exists
+from vyos.firewall import fqdn_config_parse
from vyos import ConfigError
from vyos import airbag
@@ -39,6 +42,8 @@ k_mod = ['nft_nat', 'nft_chain_nat']
nftables_nat_config = '/run/nftables_nat.conf'
nftables_static_nat_conf = '/run/nftables_static-nat-rules.nft'
+domain_resolver_usage = '/run/use-vyos-domain-resolver-nat'
+domain_resolver_usage_firewall = '/run/use-vyos-domain-resolver-firewall'
valid_groups = [
'address_group',
@@ -71,6 +76,8 @@ def get_config(config=None):
if 'dynamic_group' in nat['firewall_group']:
del nat['firewall_group']['dynamic_group']
+ fqdn_config_parse(nat, 'nat')
+
return nat
def verify_rule(config, err_msg, groups_dict):
@@ -251,6 +258,19 @@ def apply(nat):
call_dependents()
+ # DOMAIN RESOLVER
+ if nat and 'deleted' not in nat:
+ domain_action = 'restart'
+ if nat['ip_fqdn'].items():
+ text = f'# Automatically generated by nat.py\nThis file indicates that vyos-domain-resolver service is used by nat.\n'
+ write_file(domain_resolver_usage, text)
+ elif os.path.exists(domain_resolver_usage):
+ os.unlink(domain_resolver_usage)
+ if not os.path.exists(domain_resolver_usage_firewall):
+ # Firewall not using domain resolver
+ domain_action = 'stop'
+ call(f'systemctl {domain_action} vyos-domain-resolver.service')
+
return None
if __name__ == '__main__':
diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
index 57cfcabd7..f5a1d9297 100755
--- a/src/helpers/vyos-domain-resolver.py
+++ b/src/helpers/vyos-domain-resolver.py
@@ -30,6 +30,8 @@ from vyos.xml_ref import get_defaults
base = ['firewall']
timeout = 300
cache = False
+base_firewall = ['firewall']
+base_nat = ['nat']
domain_state = {}
@@ -46,25 +48,25 @@ ipv6_tables = {
'ip6 raw'
}
-def get_config(conf):
- firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
+def get_config(conf, node):
+ node_config = conf.get_config_dict(node, key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
- default_values = get_defaults(base, get_first_key=True)
+ default_values = get_defaults(node, get_first_key=True)
- firewall = dict_merge(default_values, firewall)
+ node_config = dict_merge(default_values, node_config)
global timeout, cache
- if 'resolver_interval' in firewall:
- timeout = int(firewall['resolver_interval'])
+ if 'resolver_interval' in node_config:
+ timeout = int(node_config['resolver_interval'])
- if 'resolver_cache' in firewall:
+ if 'resolver_cache' in node_config:
cache = True
- fqdn_config_parse(firewall)
+ fqdn_config_parse(node_config, node[0])
- return firewall
+ return node_config
def resolve(domains, ipv6=False):
global domain_state
@@ -108,55 +110,60 @@ def nft_valid_sets():
except:
return []
-def update(firewall):
+def update_fqdn(config, node):
conf_lines = []
count = 0
-
valid_sets = nft_valid_sets()
- domain_groups = dict_search_args(firewall, 'group', 'domain_group')
- if domain_groups:
- for set_name, domain_config in domain_groups.items():
- if 'address' not in domain_config:
- continue
-
- nft_set_name = f'D_{set_name}'
- domains = domain_config['address']
-
- ip_list = resolve(domains, ipv6=False)
- for table in ipv4_tables:
- if (table, nft_set_name) in valid_sets:
- conf_lines += nft_output(table, nft_set_name, ip_list)
-
- ip6_list = resolve(domains, ipv6=True)
- for table in ipv6_tables:
- if (table, nft_set_name) in valid_sets:
- conf_lines += nft_output(table, nft_set_name, ip6_list)
+ if node == 'firewall':
+ domain_groups = dict_search_args(config, 'group', 'domain_group')
+ if domain_groups:
+ for set_name, domain_config in domain_groups.items():
+ if 'address' not in domain_config:
+ continue
+ nft_set_name = f'D_{set_name}'
+ domains = domain_config['address']
+
+ ip_list = resolve(domains, ipv6=False)
+ for table in ipv4_tables:
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+ ip6_list = resolve(domains, ipv6=True)
+ for table in ipv6_tables:
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip6_list)
+ count += 1
+
+ for set_name, domain in config['ip_fqdn'].items():
+ table = 'ip vyos_filter'
+ nft_set_name = f'FQDN_{set_name}'
+ ip_list = resolve([domain], ipv6=False)
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
count += 1
- for set_name, domain in firewall['ip_fqdn'].items():
- table = 'ip vyos_filter'
- nft_set_name = f'FQDN_{set_name}'
-
- ip_list = resolve([domain], ipv6=False)
-
- if (table, nft_set_name) in valid_sets:
- conf_lines += nft_output(table, nft_set_name, ip_list)
- count += 1
-
- for set_name, domain in firewall['ip6_fqdn'].items():
- table = 'ip6 vyos_filter'
- nft_set_name = f'FQDN_{set_name}'
+ for set_name, domain in config['ip6_fqdn'].items():
+ table = 'ip6 vyos_filter'
+ nft_set_name = f'FQDN_{set_name}'
+ ip_list = resolve([domain], ipv6=True)
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+ count += 1
- ip_list = resolve([domain], ipv6=True)
- if (table, nft_set_name) in valid_sets:
- conf_lines += nft_output(table, nft_set_name, ip_list)
- count += 1
+ else:
+ # It's NAT
+ for set_name, domain in config['ip_fqdn'].items():
+ table = 'ip vyos_nat'
+ nft_set_name = f'FQDN_nat_{set_name}'
+ ip_list = resolve([domain], ipv6=False)
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+ count += 1
nft_conf_str = "\n".join(conf_lines) + "\n"
code = run(f'nft --file -', input=nft_conf_str)
- print(f'Updated {count} sets - result: {code}')
+ print(f'Updated {count} sets in {node} - result: {code}')
if __name__ == '__main__':
print(f'VyOS domain resolver')
@@ -169,10 +176,12 @@ if __name__ == '__main__':
time.sleep(1)
conf = ConfigTreeQuery()
- firewall = get_config(conf)
+ firewall = get_config(conf, base_firewall)
+ nat = get_config(conf, base_nat)
print(f'interval: {timeout}s - cache: {cache}')
while True:
- update(firewall)
+ update_fqdn(firewall, 'firewall')
+ update_fqdn(nat, 'nat')
time.sleep(timeout)
diff --git a/src/systemd/vyos-domain-resolver.service b/src/systemd/vyos-domain-resolver.service
index c56b51f0c..e63ae5e34 100644
--- a/src/systemd/vyos-domain-resolver.service
+++ b/src/systemd/vyos-domain-resolver.service
@@ -1,6 +1,7 @@
[Unit]
Description=VyOS firewall domain resolver
After=vyos-router.service
+ConditionPathExistsGlob=/run/use-vyos-domain-resolver*
[Service]
Type=simple
diff --git a/src/validators/interface-address b/src/validators/interface-address
index 4c203956b..2a2583fc3 100755
--- a/src/validators/interface-address
+++ b/src/validators/interface-address
@@ -1,3 +1,3 @@
#!/bin/sh
-ipaddrcheck --is-ipv4-host $1 || ipaddrcheck --is-ipv6-host $1
+ipaddrcheck --is-any-host "$1"
diff --git a/src/validators/ip-address b/src/validators/ip-address
index 11d6df09e..351f728a6 100755
--- a/src/validators/ip-address
+++ b/src/validators/ip-address
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-any-single $1
+ipaddrcheck --is-any-single "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IP address"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ip-cidr b/src/validators/ip-cidr
index 60d2ac295..8a01e7ad9 100755
--- a/src/validators/ip-cidr
+++ b/src/validators/ip-cidr
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-any-cidr $1
+ipaddrcheck --is-any-cidr "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IP CIDR"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ip-host b/src/validators/ip-host
index 77c578fa2..7c5ad2612 100755
--- a/src/validators/ip-host
+++ b/src/validators/ip-host
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-any-host $1
+ipaddrcheck --is-any-host "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IP host"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ip-prefix b/src/validators/ip-prefix
index e5a64fea8..25204ace5 100755
--- a/src/validators/ip-prefix
+++ b/src/validators/ip-prefix
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-any-net $1
+ipaddrcheck --is-any-net "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IP prefix"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv4 b/src/validators/ipv4
index 8676d5800..11f854cf1 100755
--- a/src/validators/ipv4
+++ b/src/validators/ipv4
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv4 $1
+ipaddrcheck --is-ipv4 "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not IPv4"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv4-address b/src/validators/ipv4-address
index 058db088b..1cfd961ba 100755
--- a/src/validators/ipv4-address
+++ b/src/validators/ipv4-address
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv4-single $1
+ipaddrcheck --is-ipv4-single "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv4 address"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv4-host b/src/validators/ipv4-host
index 74b8c36a7..eb8faaa2a 100755
--- a/src/validators/ipv4-host
+++ b/src/validators/ipv4-host
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv4-host $1
+ipaddrcheck --is-ipv4-host "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv4 host"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv4-multicast b/src/validators/ipv4-multicast
index 3f28c51db..cf871bd59 100755
--- a/src/validators/ipv4-multicast
+++ b/src/validators/ipv4-multicast
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv4-multicast $1 && ipaddrcheck --is-ipv4-single $1
+ipaddrcheck --is-ipv4-multicast "$1" && ipaddrcheck --is-ipv4-single "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv4 multicast address"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv4-prefix b/src/validators/ipv4-prefix
index 7e1e0e8dd..f8d46c69c 100755
--- a/src/validators/ipv4-prefix
+++ b/src/validators/ipv4-prefix
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv4-net $1
+ipaddrcheck --is-ipv4-net "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv4 prefix"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv6 b/src/validators/ipv6
index 4ae130eb5..57696add7 100755
--- a/src/validators/ipv6
+++ b/src/validators/ipv6
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv6 $1
+ipaddrcheck --is-ipv6 "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not IPv6"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv6-address b/src/validators/ipv6-address
index 1fca77668..460639090 100755
--- a/src/validators/ipv6-address
+++ b/src/validators/ipv6-address
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv6-single $1
+ipaddrcheck --is-ipv6-single "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv6 address"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv6-host b/src/validators/ipv6-host
index 7085809a9..1eb4d8e35 100755
--- a/src/validators/ipv6-host
+++ b/src/validators/ipv6-host
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv6-host $1
+ipaddrcheck --is-ipv6-host "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv6 host"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv6-multicast b/src/validators/ipv6-multicast
index 5aa7d734a..746ff7edf 100755
--- a/src/validators/ipv6-multicast
+++ b/src/validators/ipv6-multicast
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv6-multicast $1 && ipaddrcheck --is-ipv6-single $1
+ipaddrcheck --is-ipv6-multicast "$1" && ipaddrcheck --is-ipv6-single "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv6 multicast address"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0
diff --git a/src/validators/ipv6-prefix b/src/validators/ipv6-prefix
index 890dda723..1bb9b42fe 100755
--- a/src/validators/ipv6-prefix
+++ b/src/validators/ipv6-prefix
@@ -1,10 +1,10 @@
#!/bin/sh
-ipaddrcheck --is-ipv6-net $1
+ipaddrcheck --is-ipv6-net "$1"
if [ $? -gt 0 ]; then
echo "Error: $1 is not a valid IPv6 prefix"
exit 1
fi
-exit 0 \ No newline at end of file
+exit 0