diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-15 19:09:43 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 18:25:58 +0200 |
commit | 5abe2db17a6e085441e674f8c2d92277014a7189 (patch) | |
tree | b3148a4cd44be6c6b4018a9eda8928ee5970f5a7 | |
parent | d0b24799d9001cb467fd36fe3757bcfee7b9abc1 (diff) | |
download | vyos-1x-5abe2db17a6e085441e674f8c2d92277014a7189.tar.gz vyos-1x-5abe2db17a6e085441e674f8c2d92277014a7189.zip |
nat: T2198: extend verify() for destination ports
Destination NAT configuration: destination ports can only be specified when
protocol is tcp, udp or tcp_udp.
-rwxr-xr-x | src/conf_mode/nat.py | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index bde6841cc..8fd8272d2 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -63,6 +63,19 @@ def get_handler(json, chain, target): return None +def verify_rule(rule, err_msg): + if rule['translation_port'] or rule['dest_port']: + if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']: + proto = rule['protocol'] + raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")') + + if '/' in rule['translation_address']: + raise ConfigError(f'{err_msg}\n' \ + 'Cannot use ports with an IPv4net type translation address as it\n' \ + 'statically maps a whole network of addresses onto another\n' \ + 'network of addresses') + + def parse_source_destination(conf, source_dest): """ Common wrapper to read in both NAT source and destination CLI """ tmp = [] @@ -177,18 +190,6 @@ def get_config(): return nat -def verify_rule(rule): - if rule['translation_port']: - if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']: - proto = rule['protocol'] - raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")') - - if '/' in rule['translation_address']: - raise ConfigError(f'{err_msg}\n' \ - 'Cannot use ports with an IPv4net type translation address as it\n' \ - 'statically maps a whole network of addresses onto another\n' \ - 'network of addresses') - def verify(nat): if nat['deleted']: # no need to verify the CLI as NAT is going to be deactivated @@ -200,11 +201,11 @@ def verify(nat): for rule in nat['source']: interface = rule['interface_out'] + err_msg = f"Source NAT configuration error in rule {rule['number']}:" + if interface and interface not in interfaces(): print(f'NAT configuration warning: interface {interface} does not exist on this system') - err_msg = f"Source NAT configuration error in rule {rule['number']}:" - if not rule['interface_out']: raise ConfigError(f'{err_msg} outbound-interface not specified') @@ -216,10 +217,12 @@ def verify(nat): printf(f'Warning: IP address {addr} does not exist on the system!') # common rule verification - verify_rule(rule) + verify_rule(rule, err_msg) for rule in nat['destination']: interface = rule['interface_in'] + err_msg = f"Destination NAT configuration error in rule {rule['number']}:" + if interface and interface not in interfaces(): print(f'NAT configuration warning: interface {interface} does not exist on this system') @@ -227,7 +230,7 @@ def verify(nat): raise ConfigError(f'{err_msg} inbound-interface not specified') # common rule verification - verify_rule(rule) + verify_rule(rule, err_msg) return None @@ -238,6 +241,8 @@ def generate(nat): def apply(nat): cmd(f'{iptables_nat_config}') + if os.path.isfile(iptables_nat_config): + os.unlink(iptables_nat_config) return None |