summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-08-25 17:35:51 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-08-25 17:35:51 +0000
commit1a2237ba91d5d7c21a2be90c47f1f6b75a383627 (patch)
treee77e5229d2b8e21dc7ec7240ebc8a96c239d4035
parent9e0ea586159b5720faeef5a0548edef993b816d8 (diff)
downloadvyos-1x-1a2237ba91d5d7c21a2be90c47f1f6b75a383627.tar.gz
vyos-1x-1a2237ba91d5d7c21a2be90c47f1f6b75a383627.zip
T5502: firewall: add validator for interface matcher, and allow only interface-name or interface-group
-rwxr-xr-xsrc/conf_mode/firewall.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 8ad3f27fc..d32ae497a 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -259,6 +259,11 @@ def verify_rule(firewall, rule_conf, ipv6):
if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
raise ConfigError('log-options queue-threshold defined, but log group is not define')
+ for direction in ['inbound_interface','outbound_interface']:
+ if direction in rule_conf:
+ if 'interface_name' in rule_conf[direction] and 'interface_group' in rule_conf[direction]:
+ raise ConfigError(f'Cannot specify both interface-group and interface-name for {direction}')
+
def verify_nested_group(group_name, group, groups, seen):
if 'include' not in group:
return