authorChristian Poessinger <christian@poessinger.com>2020-05-15 21:19:18 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 18:25:58 +0200
commitb2ead2d037b860f0a6a12b177e70e5d698fd00e8 (patch)
tree980201d8a570df07f63d6063d2d5c85ccd0625fa
parent5abe2db17a6e085441e674f8c2d92277014a7189 (diff)
nat: T2198: verify translation address for SNAT and DNAT
-rwxr-xr-xsrc/conf_mode/nat.py15
1 files changed, 8 insertions, 7 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 8fd8272d2..4d739068f 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -64,6 +64,7 @@ def get_handler(json, chain, target):
def verify_rule(rule, err_msg):
+ """ Common verify steps used for both source and destination NAT """
if rule['translation_port'] or rule['dest_port']:
if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
proto = rule['protocol']
@@ -75,6 +76,13 @@ def verify_rule(rule, err_msg):
'statically maps a whole network of addresses onto another\n' \
'network of addresses')
+ if not rule['translation_address']:
+ raise ConfigError(f'{err_msg} translation address not specified')
+ else:
+ addr = rule['translation_address']
+ if addr != 'masquerade' and not is_addr_assigned(addr):
+ print(f'Warning: IP address {addr} does not exist on the system!')
+
def parse_source_destination(conf, source_dest):
""" Common wrapper to read in both NAT source and destination CLI """
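Review bot: The `is_addr_assigned(addr)` warning added at the end of `verify_rule` now also runs for destination NAT rules, where the translation address is normally an internal host rather than an address configured on this router, so it would likely print for every valid DNAT rule and teach operators to ignore it. The `'masquerade'` exemption likewise only makes sense for source NAT, and the context lines just above suggest a translation address may be a whole network, which an assigned-address lookup presumably cannot match (`is_addr_assigned` is not visible here). I would keep only the mandatory check in the shared helper, `if not rule['translation_address']: raise ConfigError(f'{err_msg} translation address not specified')`, and leave the assigned-address warning in the source-NAT loop of `verify()`. `verify_rule` begins before this hunk, so this is based on the visible lines only.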
@@ -209,13 +217,6 @@ def verify(nat):
if not rule['interface_out']:
raise ConfigError(f'{err_msg} outbound-interface not specified')
- if not rule['translation_address']:
- raise ConfigError(f'{err_msg} translation address not specified')
- else:
- addr = rule['translation_address']
- if addr != 'masquerade' and not is_addr_assigned(addr):
- printf(f'Warning: IP address {addr} does not exist on the system!')
-
# common rule verification
verify_rule(rule, err_msg)