author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-08-25 17:35:51 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-08-25 17:35:51 +0000 |
commit | 1a2237ba91d5d7c21a2be90c47f1f6b75a383627 (patch) | |
tree | e77e5229d2b8e21dc7ec7240ebc8a96c239d4035 | |
parent | 9e0ea586159b5720faeef5a0548edef993b816d8 (diff) | |
download | vyos-1x-1a2237ba91d5d7c21a2be90c47f1f6b75a383627.tar.gz vyos-1x-1a2237ba91d5d7c21a2be90c47f1f6b75a383627.zip |
T5502: firewall: add validator for interface matcher, and allow only interface-name or interface-group
-rwxr-xr-x | src/conf_mode/firewall.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 8ad3f27fc..d32ae497a 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -259,6 +259,11 @@ def verify_rule(firewall, rule_conf, ipv6):
 if 'queue_threshold' in rule_conf['log_options'] and 'group' not in rule_conf['log_options']:
 raise ConfigError('log-options queue-threshold defined, but log group is not define')
+ for direction in ['inbound_interface','outbound_interface']:
+ if direction in rule_conf:
+ if 'interface_name' in rule_conf[direction] and 'interface_group' in rule_conf[direction]:
+ raise ConfigError(f'Cannot specify both interface-group and interface-name for {direction}')
+
 def verify_nested_group(group_name, group, groups, seen):
 if 'include' not in group:
 return |
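Review bot: The new loop at the end of verify_rule rejects only the case where both `interface_name` and `interface_group` are set, so a rule whose `inbound_interface` or `outbound_interface` node carries neither key still passes verification. If the rule template then emits no interface match for such a node (not visible in this hunk), the rule would apply to traffic on every interface, which is wider than the operator wrote; I would also reject the empty case with `if 'interface_name' not in rule_conf[direction] and 'interface_group' not in rule_conf[direction]:` followed by a `raise ConfigError(...)` naming the node. The hunk also shows no check that a referenced interface-group is actually defined under the firewall groups; verify_rule starts outside this hunk, so please confirm that is covered elsewhere. Minor: the error message prints the internal key (`inbound_interface`) rather than the CLI node name, which `direction.replace('_', '-')` would fix.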