authorChristian Poessinger <christian@poessinger.com>2020-05-15 19:09:43 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 18:25:58 +0200
commit5abe2db17a6e085441e674f8c2d92277014a7189 (patch)
treeb3148a4cd44be6c6b4018a9eda8928ee5970f5a7
parentd0b24799d9001cb467fd36fe3757bcfee7b9abc1 (diff)
downloadvyos-1x-5abe2db17a6e085441e674f8c2d92277014a7189.tar.gz
vyos-1x-5abe2db17a6e085441e674f8c2d92277014a7189.zip
nat: T2198: extend verify() for destination ports
Destination NAT configuration: destination ports can only be specified when protocol is tcp, udp or tcp_udp.
-rwxr-xr-xsrc/conf_mode/nat.py37
1 files changed, 21 insertions, 16 deletions
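diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index bde6841cc..8fd8272d2 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -63,6 +63,19 @@ def get_handler(json, chain, target):
 return None
+def verify_rule(rule, err_msg):
+ if rule['translation_port'] or rule['dest_port']:
+ if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+ proto = rule['protocol']
+ raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")')
+
+ if '/' in rule['translation_address']:
+ raise ConfigError(f'{err_msg}\n' \
+ 'Cannot use ports with an IPv4net type translation address as it\n' \
+ 'statically maps a whole network of addresses onto another\n' \
+ 'network of addresses')
+
+
 def parse_source_destination(conf, source_dest):
 """ Common wrapper to read in both NAT source and destination CLI """
 tmp = []
@@ -177,18 +190,6 @@ def get_config():
 return nat
-def verify_rule(rule):
- if rule['translation_port']:
- if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
- proto = rule['protocol']
- raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")')
-
- if '/' in rule['translation_address']:
- raise ConfigError(f'{err_msg}\n' \
- 'Cannot use ports with an IPv4net type translation address as it\n' \
- 'statically maps a whole network of addresses onto another\n' \
- 'network of addresses')
-
 def verify(nat):
 if nat['deleted']:
 # no need to verify the CLI as NAT is going to be deactivated
@@ -200,11 +201,11 @@ def verify(nat):
 for rule in nat['source']:
 interface = rule['interface_out']
+ err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+
 if interface and interface not in interfaces():
 print(f'NAT configuration warning: interface {interface} does not exist on this system')
- err_msg = f"Source NAT configuration error in rule {rule['number']}:"
-
 if not rule['interface_out']:
 raise ConfigError(f'{err_msg} outbound-interface not specified')
@@ -216,10 +217,12 @@ def verify(nat):
 printf(f'Warning: IP address {addr} does not exist on the system!')
 # common rule verification
- verify_rule(rule)
+ verify_rule(rule, err_msg)
 for rule in nat['destination']:
 interface = rule['interface_in']
+ err_msg = f"Destination NAT configuration error in rule {rule['number']}:"
+
 if interface and interface not in interfaces():
 print(f'NAT configuration warning: interface {interface} does not exist on this system')
@@ -227,7 +230,7 @@ def verify(nat):
 raise ConfigError(f'{err_msg} inbound-interface not specified')
 # common rule verification
- verify_rule(rule)
+ verify_rule(rule, err_msg)
 return None
@@ -238,6 +241,8 @@ def generate(nat):
 def apply(nat):
 cmd(f'{iptables_nat_config}')
+ if os.path.isfile(iptables_nat_config):
+ os.unlink(iptables_nat_config)
 return None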
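Review bot: In the new `verify_rule` (first hunk), the `'/' in rule['translation_address']` test now also runs for destination rules that only set `dest_port`; if `translation_address` can be unset for such a rule (not visible in this diff), that membership test raises a bare TypeError instead of the ConfigError the operator expects, so a guard such as `if rule['translation_address'] and '/' in rule['translation_address']:` would keep the failure a clean validation error. The function also lacks a docstring; I would add `"""Checks shared by source and destination rules: ports require protocol tcp, udp or tcp_udp and cannot be combined with a network (IPv4net) translation address; err_msg prefixes each ConfigError."""`. Unrelated to this change but in the context of the third hunk of `verify`, `printf(f'Warning: IP address {addr} does not exist on the system!')` looks like a NameError at runtime unless a helper of that name is imported elsewhere, presumably `print` was meant; `verify` begins and ends outside these hunks.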