author | Christian Poessinger <christian@poessinger.com> | 2022-01-10 22:31:55 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-10 22:31:55 +0100 |
commit | 465939d9c9b413c7033c8833cbb4ebc30b9bcf66 (patch) | |
tree | 361079ff54ed2c5516cc86a8644e98ce629d2a73 | |
parent | fd1b1ff19b0ff852d796e979ab3b596651686f2f (diff) | |
parent | 0a0e7d789e7e482b65cbca47bff1dcb427891a88 (diff) | |
Merge pull request #1152 from sarthurdev/firewall_validators
firewall: validators: T4148: Improve validators and firewall validator usage
-rw-r--r-- | interface-definitions/firewall.xml.in | 3 | ||||
-rw-r--r-- | interface-definitions/include/firewall/port.xml.i | 5 | ||||
-rwxr-xr-x | src/validators/ipv4-range | 13 | ||||
-rwxr-xr-x | src/validators/port-multi | 43 | ||||
-rwxr-xr-x | src/validators/port-range | 19 |
5 files changed, 71 insertions, 12 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 78a48a522..07a36093f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -182,6 +182,9 @@
 <description>Numbered port range (e.g. 1001-1050)</description>
 </valueHelp>
 <multi/>
+ <constraint>
+ <validator name="port-range"/>
+ </constraint>
 </properties>
 </leafNode>
 </children>
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
index 59d92978b..3bacafff8 100644
--- a/interface-definitions/include/firewall/port.xml.i
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -16,8 +16,11 @@
 </valueHelp>
 <valueHelp>
 <format> </format>
- <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description>
+ <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n For example: 'telnet,http,123,1001-1005'</description>
 </valueHelp>
+ <constraint>
+ <validator name="port-multi"/>
+ </constraint>
 </properties>
 </leafNode>
 <!-- include end -->
diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range
index cc59039f1..6492bfc52 100755
--- a/src/validators/ipv4-range
+++ b/src/validators/ipv4-range
@@ -7,6 +7,11 @@ ip2dec () {
 printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
 }
 
+error_exit() {
+ echo "Error: $1 is not a valid IPv4 address range"
+ exit 1
+}
+
 # Only run this if there is a hypen present in $1
 if [[ "$1" =~ "-" ]]; then
 # This only works with real bash (<<<) - split IP addresses into array with 
@@ -15,21 +20,21 @@ if [[ "$1" =~ "-" ]]; then
 ipaddrcheck --is-ipv4-single ${strarr[0]}
 if [ $? -gt 0 ]; then
- exit 1
+ error_exit $1
 fi
 
 ipaddrcheck --is-ipv4-single ${strarr[1]}
 if [ $? -gt 0 ]; then
- exit 1
+ error_exit $1
 fi
 
 start=$(ip2dec ${strarr[0]})
 stop=$(ip2dec ${strarr[1]})
 
 if [ $start -ge $stop ]; then
- exit 1
+ error_exit $1
 fi
 
 exit 0
 fi
 
-exit 1
+error_exit $1
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+ names = []
+ service_data = read_file(services_file, "")
+ for line in service_data.split("\n"):
+ if not line or line[0] == '#':
+ continue
+ names.append(line.split(None, 1)[0])
+ return names
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ ports = sys.argv[1].split(",")
+ services = get_services()
+
+ for port in ports:
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+ port_1, port_2 = port.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ if int(port_1) > int(port_2):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ elif port.isnumeric():
+ if int(port) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port')
+ sys.exit(1)
+ elif port not in services:
+ print(f'Error: {port} is not a valid service name')
+ sys.exit(1)
+ else:
+ sys.exit(2)
+
+ sys.exit(0)
diff --git a/src/validators/port-range b/src/validators/port-range
index abf0b09d5..657a21e20 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
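Review bot: `error_exit $1` passes the user-supplied value unquoted at all four call sites in this hunk, so a value containing whitespace or glob characters is word-split and pathname-expanded before it reaches the helper, and the message then reports only the first word; write `error_exit "$1"` at each site. The pre-existing `ipaddrcheck --is-ipv4-single ${strarr[0]}` lines are unquoted in the same way, though they are not changed here. The `if [[ "$1" =~ "-" ]]` block these lines belong to opens in the previous hunk.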
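Review bot: `range(1, 65535)` excludes 65535, which is a valid port, so the three bound checks in this hunk (and the two in the port-range hunk below) should read `range(1, 65536)` or use an inclusive comparison. `port.isnumeric()` is also looser than the `int()` call that follows it: it is true for characters such as '²' or '½' that `int()` rejects with a ValueError, so such a value ends the validator with a traceback instead of the intended error message; `port.isdecimal()` (or a `^[0-9]{1,5}$` match) accepts exactly what `int()` does. In `get_services`, a whitespace-only line passes the `not line` test and `line.split(None, 1)[0]` then raises IndexError; `parts = line.split()` followed by `if not parts or parts[0].startswith('#'): continue` covers both the empty and the whitespace-only case. `re.match` with a trailing `$` still accepts a value ending in a newline, so `re.fullmatch` would be the stricter anchor here and in port-range.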
@@ -3,16 +3,21 @@
 import sys
 import re
 
+def error(port_range):
+ print(f'Error: {port_range} is not a valid port or port range')
+ sys.exit(1)
+
 if __name__ == '__main__':
 if len(sys.argv)>1:
 port_range = sys.argv[1]
- if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
- for tmp in port_range.split('-'):
- if int(tmp) not in range(1, 65535):
- sys.exit(1)
- else:
- if int(port_range) not in range(1, 65535):
- sys.exit(1)
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
+ port_1, port_2 = port_range.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ error(port_range)
+ if int(port_1) > int(port_2):
+ error(port_range)
+ elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+ error(port_range)
 else:
 sys.exit(2)
 
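Review bot: The single-value branch `elif not port_range.isnumeric() or int(port_range) not in range(1, 65535)` duplicates the per-port check that port-multi implements in the same commit, so the two validators will drift apart as soon as one is corrected (the 65535 bound and the `isnumeric()` point raised on the port-multi hunk apply here too); a shared helper that validates one port or one range, called from both scripts, would keep them consistent. Since this validator accepts a bare port as well as a range, the `Numbered port range (e.g. 1001-1050)` help text that the first hunk attaches it to appears narrower than what is accepted, which is worth confirming. Any code after `sys.exit(2)` lies outside the hunk.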