author | Christian Poessinger <christian@poessinger.com> | 2020-05-15 21:19:18 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 18:25:58 +0200 |
commit | b2ead2d037b860f0a6a12b177e70e5d698fd00e8 (patch) | |
tree | 980201d8a570df07f63d6063d2d5c85ccd0625fa | |
parent | 5abe2db17a6e085441e674f8c2d92277014a7189 (diff) | |
nat: T2198: verify translation address for SNAT and DNAT
-rwxr-xr-x | src/conf_mode/nat.py | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 8fd8272d2..4d739068f 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -64,6 +64,7 @@ def get_handler(json, chain, target):
 def verify_rule(rule, err_msg):
+ """ Common verify steps used for both source and destination NAT """
 if rule['translation_port'] or rule['dest_port']:
 if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
 proto = rule['protocol']
@@ -75,6 +76,13 @@ def verify_rule(rule, err_msg):
 'statically maps a whole network of addresses onto another\n' \
 'network of addresses')
+ if not rule['translation_address']:
+ raise ConfigError(f'{err_msg} translation address not specified')
+ else:
+ addr = rule['translation_address']
+ if addr != 'masquerade' and not is_addr_assigned(addr):
+ print(f'Warning: IP address {addr} does not exist on the system!')
+
 def parse_source_destination(conf, source_dest):
 """ Common wrapper to read in both NAT source and destination CLI """
@@ -209,13 +217,6 @@ def verify(nat):
 if not rule['interface_out']:
 raise ConfigError(f'{err_msg} outbound-interface not specified')
- if not rule['translation_address']:
- raise ConfigError(f'{err_msg} translation address not specified')
- else:
- addr = rule['translation_address']
- if addr != 'masquerade' and not is_addr_assigned(addr):
- printf(f'Warning: IP address {addr} does not exist on the system!')
-
 # common rule verification
 verify_rule(rule, err_msg)
|
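Review bot: The block added to `verify_rule` in the second hunk applies the `is_addr_assigned(addr)` warning to destination rules too. A DNAT translation address is normally an internal host rather than an address on this router, so the warning would presumably print for most valid DNAT rules and teach operators to ignore it. The same condition exempts the literal `masquerade` in both directions, although it is only meaningful for source NAT; a destination rule carrying it would pass this check unless the destination path, not visible here, rejects it earlier. `verify_rule` cannot tell the directions apart, so consider keeping the not-specified check shared and moving the local-address warning back to the source-only branch of `verify()`, or gating it on a direction argument. The context above refers to mapping whole networks, so it is also worth confirming that `is_addr_assigned` copes with a prefix or range; part of `verify_rule` lies between the hunks and is not shown.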