diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-29 23:34:05 +0100 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-29 23:34:05 +0100 |
commit | 985a9e8536cb7f049e82dd1c7333ecced34563fa (patch) | |
tree | e47e9ab8d4750250c3e32ef0ff2d5e37889e6017 | |
parent | ed67750b94e8bc779ec0e2cf6d568a3f7292de13 (diff) | |
download | vyos-1x-985a9e8536cb7f049e82dd1c7333ecced34563fa.tar.gz vyos-1x-985a9e8536cb7f049e82dd1c7333ecced34563fa.zip |
firewall: T4216: Add support for negated firewall groups
-rw-r--r-- | python/vyos/firewall.py | 25 | ||||
-rwxr-xr-x | src/conf_mode/firewall.py | 4 |
2 files changed, 25 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index a2e133217..a74fd922a 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -104,13 +104,25 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): group = side_conf['group'] if 'address_group' in group: group_name = group['address_group'] - output.append(f'{ip_name} {prefix}addr $A{def_suffix}_{group_name}') + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}') elif 'network_group' in group: group_name = group['network_group'] - output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}') + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'{ip_name} {prefix}addr {operator} $N{def_suffix}_{group_name}') if 'mac_group' in group: group_name = group['mac_group'] - output.append(f'ether {prefix}addr $M_{group_name}') + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + output.append(f'ether {prefix}addr {operator} $M_{group_name}') if 'port_group' in group: proto = rule_conf['protocol'] group_name = group['port_group'] @@ -118,7 +130,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if proto == 'tcp_udp': proto = 'th' - output.append(f'{proto} {prefix}port $P_{group_name}') + operator = '' + if group_name[0] == '!': + operator = '!=' + group_name = group_name[1:] + + output.append(f'{proto} {prefix}port {operator} $P_{group_name}') if 'log' in rule_conf and rule_conf['log'] == 'enable': action = rule_conf['action'] if 'action' in rule_conf else 'accept' diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 5b6c57d04..064b2d5a3 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -204,6 +204,10 @@ def verify_rule(firewall, rule_conf, ipv6): for group in valid_groups: if group in side_conf['group']: group_name = side_conf['group'][group] + + if group_name and group_name[0] == '!': + group_name = group_name[1:] + fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group error_group = fw_group.replace("_", "-") group_obj = dict_search_args(firewall, 'group', fw_group, group_name) |