summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjack9603301 <jack9603301@163.com>2021-03-27 22:45:24 +0800
committerjack9603301 <jack9603301@163.com>2021-04-04 17:44:38 +0800
commitc0ace670de5fc68b8865390690c8f8773f614aa5 (patch)
treef71e0c763a9e0b7e96fb5401dab4a283adaeaf55
parent6dcdb233eae6a909d2899a5f3d8dc5791a846745 (diff)
downloadvyos-1x-c0ace670de5fc68b8865390690c8f8773f614aa5.tar.gz
vyos-1x-c0ace670de5fc68b8865390690c8f8773f614aa5.zip
nat: op-mode: T3435: Improved validation logic for the output of operational mode rules
-rwxr-xr-xsrc/op_mode/show_nat66_rules.py28
-rwxr-xr-xsrc/op_mode/show_nat_rules.py22
2 files changed, 36 insertions, 14 deletions
diff --git a/src/op_mode/show_nat66_rules.py b/src/op_mode/show_nat66_rules.py
index cd4c35b8a..a25e146a7 100755
--- a/src/op_mode/show_nat66_rules.py
+++ b/src/op_mode/show_nat66_rules.py
@@ -36,23 +36,35 @@ if args.source or args.destination:
format_nat66_rule = '{0: <10} {1: <50} {2: <50} {3: <10}'
print(format_nat66_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface"))
print(format_nat66_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------"))
-
+
data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp)
for idx in range(0, len(data_json)):
data = data_json[idx]
- # If there is no index 3, we don't think this is the record we need to check
- # We need to filter the rule for Len (expr) <= 3 first, which is not what we should be concerned with
- if len(data['expr']) <= 3:
- continue
-
# The following key values must exist
# When the rule JSON does not have some keys, this is not a rule we can work with
- for keys in ['comment', 'chain', 'expr']:
- if keys not in data:
+ continue_rule = False
+ for key in ['comment', 'chain', 'expr']:
+ if key not in data:
+ continue_rule = True
continue
+ if continue_rule:
+ continue
comment = data['comment']
+
+ # Check the annotation to see if the annotation format is created by VYOS
+ continue_rule = True
+ for comment_prefix in ['SRC-NAT66-', 'DST-NAT66-']:
+ if comment_prefix in comment:
+ continue_rule = False
+ if continue_rule:
+ continue
+
+ # When log is detected from the second index of expr, then this rule should be ignored
+ if 'log' in data['expr'][2]:
+ continue
+
rule = comment.replace('SRC-NAT66-','')
rule = rule.replace('DST-NAT66-','')
chain = data['chain']
diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py
index 4bf9ff3b5..68cff61c8 100755
--- a/src/op_mode/show_nat_rules.py
+++ b/src/op_mode/show_nat_rules.py
@@ -41,16 +41,26 @@ if args.source or args.destination:
for idx in range(0, len(data_json)):
data = data_json[idx]
- # If there is no index 3, we don't think this is the record we need to check
- if len(data['expr']) <= 3:
- continue
-
# The following key values must exist
- for keys in ['comment', 'chain', 'expr']:
- if keys not in data:
+ # When the rule JSON does not have some keys, this is not a rule we can work with
+ continue_rule = False
+ for key in ['comment', 'chain', 'expr']:
+ if key not in data:
+ continue_rule = True
continue
+ if continue_rule:
+ continue
comment = data['comment']
+
+ # Check the annotation to see if the annotation format is created by VYOS
+ continue_rule = True
+ for comment_prefix in ['SRC-NAT-', 'DST-NAT-']:
+ if comment_prefix in comment:
+ continue_rule = False
+ if continue_rule:
+ continue
+
rule = int(''.join(list(filter(str.isdigit, comment))))
chain = data['chain']
if not (args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING'):