summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-03-18 14:53:03 +0000
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-03-18 19:53:02 +0000
commit4a186b0d3c143b88de6c3d39980a6f13fb5179bb (patch)
tree43d0b69f0c0bab11e97f45639a23ae88883d58d4
parent20e08490e0a2c84c4925400c51fa9eb05f96f5b6 (diff)
downloadvyos-1x-4a186b0d3c143b88de6c3d39980a6f13fb5179bb.tar.gz
vyos-1x-4a186b0d3c143b88de6c3d39980a6f13fb5179bb.zip
T6136: add error checks when using dynamic firewall groups
(cherry picked from commit e2df1f4929774792c1d4bfb78c2dfa5bdf7f0825)
-rwxr-xr-xsrc/conf_mode/firewall.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c27655b0..810437dda 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -268,6 +268,18 @@ def verify_rule(firewall, rule_conf, ipv6):
if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
raise ConfigError(f'{side} port-group and port cannot both be defined')
+ if 'add_address_to_group' in rule_conf:
+ for type in ['destination_address', 'source_address']:
+ if type in rule_conf['add_address_to_group']:
+ if 'address_group' not in rule_conf['add_address_to_group'][type]:
+ raise ConfigError(f'Dynamic address group must be defined.')
+ else:
+ target = rule_conf['add_address_to_group'][type]['address_group']
+ fwall_group = 'ipv6_address_group' if ipv6 else 'address_group'
+ group_obj = dict_search_args(firewall, 'group', 'dynamic_group', fwall_group, target)
+ if group_obj is None:
+ raise ConfigError(f'Invalid dynamic address group on firewall rule')
+
if 'log_options' in rule_conf:
if 'log' not in rule_conf:
raise ConfigError('log-options defined, but log is not enable')