diff options
author | jack9603301 <jack9603301@163.com> | 2021-03-27 22:45:24 +0800 |
---|---|---|
committer | jack9603301 <jack9603301@163.com> | 2021-04-04 17:44:38 +0800 |
commit | c0ace670de5fc68b8865390690c8f8773f614aa5 (patch) | |
tree | f71e0c763a9e0b7e96fb5401dab4a283adaeaf55 | |
parent | 6dcdb233eae6a909d2899a5f3d8dc5791a846745 (diff) | |
download | vyos-1x-c0ace670de5fc68b8865390690c8f8773f614aa5.tar.gz vyos-1x-c0ace670de5fc68b8865390690c8f8773f614aa5.zip |
nat: op-mode: T3435: Improved validation logic for the output of operational mode rules
-rwxr-xr-x | src/op_mode/show_nat66_rules.py | 28 | ||||
-rwxr-xr-x | src/op_mode/show_nat_rules.py | 22 |
2 files changed, 36 insertions, 14 deletions
diff --git a/src/op_mode/show_nat66_rules.py b/src/op_mode/show_nat66_rules.py index cd4c35b8a..a25e146a7 100755 --- a/src/op_mode/show_nat66_rules.py +++ b/src/op_mode/show_nat66_rules.py @@ -36,23 +36,35 @@ if args.source or args.destination: format_nat66_rule = '{0: <10} {1: <50} {2: <50} {3: <10}' print(format_nat66_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface")) print(format_nat66_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------")) - + data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp) for idx in range(0, len(data_json)): data = data_json[idx] - # If there is no index 3, we don't think this is the record we need to check - # We need to filter the rule for Len (expr) <= 3 first, which is not what we should be concerned with - if len(data['expr']) <= 3: - continue - # The following key values must exist # When the rule JSON does not have some keys, this is not a rule we can work with - for keys in ['comment', 'chain', 'expr']: - if keys not in data: + continue_rule = False + for key in ['comment', 'chain', 'expr']: + if key not in data: + continue_rule = True continue + if continue_rule: + continue comment = data['comment'] + + # Check the annotation to see if the annotation format is created by VYOS + continue_rule = True + for comment_prefix in ['SRC-NAT66-', 'DST-NAT66-']: + if comment_prefix in comment: + continue_rule = False + if continue_rule: + continue + + # When log is detected from the second index of expr, then this rule should be ignored + if 'log' in data['expr'][2]: + continue + rule = comment.replace('SRC-NAT66-','') rule = rule.replace('DST-NAT66-','') chain = data['chain'] diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py index 4bf9ff3b5..68cff61c8 100755 --- a/src/op_mode/show_nat_rules.py +++ b/src/op_mode/show_nat_rules.py @@ -41,16 +41,26 @@ if args.source or args.destination: for idx in range(0, len(data_json)): data = data_json[idx] - # If there is no index 3, we don't think this is the record we need to check - if len(data['expr']) <= 3: - continue - # The following key values must exist - for keys in ['comment', 'chain', 'expr']: - if keys not in data: + # When the rule JSON does not have some keys, this is not a rule we can work with + continue_rule = False + for key in ['comment', 'chain', 'expr']: + if key not in data: + continue_rule = True continue + if continue_rule: + continue comment = data['comment'] + + # Check the annotation to see if the annotation format is created by VYOS + continue_rule = True + for comment_prefix in ['SRC-NAT-', 'DST-NAT-']: + if comment_prefix in comment: + continue_rule = False + if continue_rule: + continue + rule = int(''.join(list(filter(str.isdigit, comment)))) chain = data['chain'] if not (args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING'): |