summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--python/vyos/configverify.py13
-rwxr-xr-x[-rw-r--r--]python/vyos/firewall.py14
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py8
-rwxr-xr-xsrc/conf_mode/qos.py2
4 files changed, 25 insertions, 12 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 4cb84194a..b49d66c36 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -237,7 +237,7 @@ def verify_bridge_delete(config):
raise ConfigError(f'Interface "{interface}" cannot be deleted as it '
f'is a member of bridge "{bridge_name}"!')
-def verify_interface_exists(ifname, warning_only=False):
+def verify_interface_exists(ifname, state_required=False, warning_only=False):
"""
Common helper function used by interface implementations to perform
recurring validation if an interface actually exists. We first probe
@@ -249,11 +249,12 @@ def verify_interface_exists(ifname, warning_only=False):
from vyos.utils.dict import dict_search_recursive
from vyos.utils.network import interface_exists
- # Check if interface is present in CLI config
- config = ConfigTreeQuery()
- tmp = config.get_config_dict(['interfaces'], get_first_key=True)
- if bool(list(dict_search_recursive(tmp, ifname))):
- return True
+ if not state_required:
+ # Check if interface is present in CLI config
+ config = ConfigTreeQuery()
+ tmp = config.get_config_dict(['interfaces'], get_first_key=True)
+ if bool(list(dict_search_recursive(tmp, ifname))):
+ return True
# Interface not found on CLI, try Linux Kernel
if interface_exists(ifname):
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 664df28cc..8913ba152 100644..100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -164,7 +164,19 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if address_mask:
operator = '!=' if exclude else '=='
operator = f'& {address_mask} {operator} '
- output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
+
+ if suffix.find('-') != -1:
+ # Range
+ start, end = suffix.split('-')
+ if is_ipv4(start):
+ output.append(f'ip {prefix}addr {operator}{suffix}')
+ else:
+ output.append(f'ip6 {prefix}addr {operator}{suffix}')
+ else:
+ if is_ipv4(suffix):
+ output.append(f'ip {prefix}addr {operator}{suffix}')
+ else:
+ output.append(f'ip6 {prefix}addr {operator}{suffix}')
if 'fqdn' in side_conf:
fqdn = side_conf['fqdn']
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 0943d8e24..4de8e0c56 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -311,7 +311,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1-198.51.100.50'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
@@ -331,7 +331,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['chain VYOS_FORWARD_filter'],
['type filter hook forward priority filter; policy accept;'],
- ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'],
+ ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'],
['FWD-filter default-action drop', 'drop'],
['chain VYOS_INPUT_filter'],
['type filter hook input priority filter; policy accept;'],
@@ -455,7 +455,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1-2002::10'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
@@ -510,7 +510,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['tcp dport 23', 'drop'],
['PRE-raw default-action accept', 'accept'],
[f'chain NAME6_{name}'],
- ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
+ ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
[f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
['jump VYOS_STATE_POLICY6'],
['chain VYOS_STATE_POLICY6'],
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index 45248fb4a..464d7c192 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -303,7 +303,7 @@ def apply(qos):
return None
for interface, interface_config in qos['interface'].items():
- if not verify_interface_exists(interface, warning_only=True):
+ if not verify_interface_exists(interface, state_required=True, warning_only=True):
# When shaper is bound to a dialup (e.g. PPPoE) interface it is
# possible that it is yet not availbale when to QoS code runs.
# Skip the configuration and inform the user via warning_only=True
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 09:53:09 +0000