authorChristian Poessinger <christian@poessinger.com>2020-08-28 21:14:00 +0200
committerChristian Poessinger <christian@poessinger.com>2020-08-28 21:15:00 +0200
commit0831c666891506d26cf6b4730c88c2e900121d6a (patch)
tree2912d0c6c806a84feff5ff14421c5432fba7bb41
parentc29ed43a720f0205dbafa26a0048076bba9d7333 (diff)
nat: T2813: translation address is mandatory if rule is not excluded
-rwxr-xr-xsmoketest/scripts/cli/test_nat.py19
-rwxr-xr-xsrc/conf_mode/nat.py5
2 files changed, 20 insertions, 4 deletions
diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
index 416810e40..b06fa239d 100755
--- a/smoketest/scripts/cli/test_nat.py
+++ b/smoketest/scripts/cli/test_nat.py
@@ -23,6 +23,8 @@ from vyos.configsession import ConfigSession, ConfigSessionError
from vyos.util import cmd
base_path = ['nat']
+source_path = base_path + ['source']
+
snat_pattern = 'nftables[?rule].rule[?chain].{chain: chain, comment: comment, address: { network: expr[].match.right.prefix.addr | [0], prefix: expr[].match.right.prefix.len | [0]}}'
class TestNAT(unittest.TestCase):
@@ -39,16 +41,15 @@ class TestNAT(unittest.TestCase):
def test_source_nat(self):
""" Configure and validate source NAT rule(s) """
- path = base_path + ['source']
network = '192.168.0.0/16'
- self.session.set(path + ['rule', '1', 'destination', 'address', network])
- self.session.set(path + ['rule', '1', 'exclude'])
+ self.session.set(source_path + ['rule', '1', 'destination', 'address', network])
+ self.session.set(source_path + ['rule', '1', 'exclude'])
# check validate() - outbound-interface must be defined
with self.assertRaises(ConfigSessionError):
self.session.commit()
- self.session.set(path + ['rule', '1', 'outbound-interface', 'any'])
+ self.session.set(source_path + ['rule', '1', 'outbound-interface', 'any'])
self.session.commit()
tmp = cmd('sudo nft -j list table nat')
@@ -59,5 +60,15 @@ class TestNAT(unittest.TestCase):
self.assertEqual(condensed_json['address']['network'], network.split('/')[0])
self.assertEqual(str(condensed_json['address']['prefix']), network.split('/')[1])
+
+ def test_validation(self):
+ """ T2813: Ensure translation address is specified """
+ self.session.set(source_path + ['rule', '100', 'outbound-interface', 'eth0'])
+
+ # check validate() - translation address not specified
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+
+
if __name__ == '__main__':
unittest.main()
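Review bot: test_validation exercises only the source NAT path, although the same commit adds an equivalent check to the destination branch of verify() in src/conf_mode/nat.py, so that branch has no regression test. A second case that sets only `['nat', 'destination', 'rule', '100', 'inbound-interface', 'eth0']` and expects `ConfigSessionError` would cover it. The `assertRaises(ConfigSessionError)` also passes on any commit failure, not specifically the missing translation address. Setting `source_path + ['rule', '100', 'translation', 'address', 'masquerade']` afterwards and asserting that `self.session.commit()` then succeeds would tie the failure to this check, assuming `eth0` is otherwise acceptable on the test system.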
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index dd34dfd66..97cd36223 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -232,6 +232,8 @@ def verify(nat):
addr = rule['translation_address']
if addr != 'masquerade' and not is_addr_assigned(addr):
print(f'Warning: IP address {addr} does not exist on the system!')
+ elif not rule['exclude']:
+ raise ConfigError(f'{err_msg} translation address not specified')
# common rule verification
verify_rule(rule, err_msg)
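Review bot: The missing-translation-address check is written twice in different shapes with an identical message: here as `elif not rule['exclude']:`, hanging off a condition that lies above the hunk, and in the destination hunk as `if not rule['translation_address'] and not rule['exclude']:`. Both branches go on to call `verify_rule(rule, err_msg)`, so the check could probably live there once, provided verify_rule (not visible here) has no caller for which a translation address is optional. If the duplication stays, the explicit form is better in both places, so the source branch does not silently depend on what the preceding `if` tests. verify() starts and continues outside this hunk.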
@@ -246,6 +248,9 @@ def verify(nat):
if not rule['interface_in']:
raise ConfigError(f'{err_msg} inbound-interface not specified')
+ if not rule['translation_address'] and not rule['exclude']:
+ raise ConfigError(f'{err_msg} translation address not specified')
+
# common rule verification
verify_rule(rule, err_msg)