path: root/python/vyos/firewall.py
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py51
1 files changed, 34 insertions, 17 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 8b7402b7e..2ab78ff18 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -45,13 +45,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'state' in rule_conf and rule_conf['state']:
states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable'])
- output.append(f'ct state {{{states}}}')
+
+ if states:
+ output.append(f'ct state {{{states}}}')
if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
proto = rule_conf['protocol']
+ operator = ''
+ if proto[0] == '!':
+ operator = '!='
+ proto = proto[1:]
if proto == 'tcp_udp':
proto = '{tcp, udp}'
- output.append('meta l4proto ' + proto)
+ output.append(f'meta l4proto {operator} {proto}')
for side in ['destination', 'source']:
if side in rule_conf:
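Review bot: `if proto[0] == '!':` raises IndexError when the protocol value is an empty string, and the same `[0]` probe is repeated on the address at the `suffix[0] == '!'` line of the next hunk and on each comma-separated port element in the port hunk, where `''.split(',')` yields `['']`. Using `proto.startswith('!')` (and likewise `suffix.startswith('!')`, `p.startswith('!')`) keeps the negation detection but tolerates the empty case, which can then fall through to whatever validation runs before parse_rule is called. A second, cosmetic point on the same branch: with `operator = ''` the f-string `f'meta l4proto {operator} {proto}'` emits two spaces between `l4proto` and the protocol; `output.append(' '.join(part for part in ('meta l4proto', operator, proto) if part))` produces a clean string in both cases. parse_rule starts before this hunk and continues after it.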
@@ -59,7 +65,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
side_conf = rule_conf[side]
if 'address' in side_conf:
- output.append(f'{ip_name} {prefix}addr {side_conf["address"]}')
+ suffix = side_conf['address']
+ if suffix[0] == '!':
+ suffix = f'!= {suffix[1:]}'
+ output.append(f'{ip_name} {prefix}addr {suffix}')
if 'mac_address' in side_conf:
suffix = side_conf["mac_address"]
@@ -69,15 +78,27 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'port' in side_conf:
proto = rule_conf['protocol']
- port = side_conf["port"]
+ port = side_conf['port'].split(',')
- if isinstance(port, list):
- port = ",".join(port)
+ ports = []
+ negated_ports = []
+
+ for p in port:
+ if p[0] == '!':
+ negated_ports.append(p[1:])
+ else:
+ ports.append(p)
if proto == 'tcp_udp':
proto = 'th'
- output.append(f'{proto} {prefix}port {{{port}}}')
+ if ports:
+ ports_str = ','.join(ports)
+ output.append(f'{proto} {prefix}port {{{ports_str}}}')
+
+ if negated_ports:
+ negated_ports_str = ','.join(negated_ports)
+ output.append(f'{proto} {prefix}port != {{{negated_ports_str}}}')
if 'group' in side_conf:
group = side_conf['group']
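Review bot: `proto = rule_conf['protocol']` at the top of the port branch is emitted verbatim as the nft header keyword (`f'{proto} {prefix}port ...'`), so a negated protocol such as `!tcp`, which the l4proto branch earlier in this function now accepts, would produce `!tcp dport {...}` rather than valid nft syntax; the same verbatim use appears at `proto = rule_conf['protocol']` in the port_group hunk below. Either normalise here with `proto = rule_conf['protocol'].lstrip('!')` or, since a port match on a negated protocol is contradictory, reject that combination in whatever verification runs before this function — I cannot see that code from this hunk. The `p[0] == '!'` probe inside the loop also fails on an empty element (for example a trailing comma in the port string); `p.startswith('!')` avoids that. parse_rule starts before this hunk and continues after it.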
@@ -87,6 +108,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
elif 'network_group' in group:
group_name = group['network_group']
output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+ if 'mac_group' in group:
+ group_name = group['mac_group']
+ output.append(f'ether {prefix}addr $M_{group_name}')
if 'port_group' in group:
proto = rule_conf['protocol']
group_name = group['port_group']
@@ -150,7 +174,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if tcp_flags:
output.append(parse_tcp_flags(tcp_flags))
-
output.append('counter')
if 'set' in rule_conf:
@@ -165,14 +188,8 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
return " ".join(output)
def parse_tcp_flags(flags):
- all_flags = []
- include = []
- for flag in flags.split(","):
- if flag[0] == '!':
- flag = flag[1:]
- else:
- include.append(flag)
- all_flags.append(flag)
+ include = [flag for flag in flags if flag != 'not']
+ all_flags = include + [flag for flag in flags['not']] if 'not' in flags else []
return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
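Review bot: The conditional expression on the `all_flags = ...` line binds as `(include + [...]) if 'not' in flags else []`, so whenever the flags dict has no `not` key `all_flags` is empty and the function emits `tcp flags & () == syn`, which nft will not parse; the previous loop-based version always included the positive flags in the mask. The intended expression is `all_flags = include + list(flags.get('not', []))`, which also drops the redundant `[flag for flag in flags['not']]` comprehension. The rewrite now treats `flags` as a mapping rather than the comma-separated string the old loop split — presumably the config tree dict, but that caller is outside this hunk and is worth confirming. A one-line docstring stating the expected shape, such as `"""Build an nft tcp-flags match from a dict of set flags plus an optional 'not' sub-dict."""`, would make the new contract explicit.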
def parse_time(time):
@@ -209,7 +226,7 @@ def parse_policy_set(set_conf, def_suffix):
table = set_conf['table']
if table == 'main':
table = '254'
- mark = 0x7FFFFFFF - int(set_conf['table'])
+ mark = 0x7FFFFFFF - int(table)
out.append(f'meta mark set {mark}')
if 'tcp_mss' in set_conf:
mss = set_conf['tcp_mss']