authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-11 00:28:37 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-11 11:57:56 +0100
commite389729f4de84ce3f32e1a0cdb471c919d7d7807 (patch)
tree1559602ef1c48c1bff1a58c2416127b777ee9d11
parent1292a69a5fe9fe931676a475e011dece578233df (diff)
firewall: T4159: Add warning when an empty group is applied to a rule
-rwxr-xr-xsrc/conf_mode/firewall.py13
1 files changed, 6 insertions, 7 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index bca5afb2e..7b491a325 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -153,17 +153,16 @@ def verify_rule(firewall, rule_conf, ipv6):
for group in valid_groups:
if group in side_conf['group']:
group_name = side_conf['group'][group]
-
fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group
+ error_group = fw_group.replace("_", "-")
+ group_obj = dict_search_args(firewall, 'group', fw_group, group_name)
- if not dict_search_args(firewall, 'group', fw_group):
- error_group = fw_group.replace("_", "-")
- raise ConfigError(f'Group defined in rule but {error_group} is not configured')
-
- if group_name not in firewall['group'][fw_group]:
- error_group = group.replace("_", "-")
+ if group_obj is None:
raise ConfigError(f'Invalid {error_group} "{group_name}" on firewall rule')
+ if not group_obj:
+ print(f'WARNING: {error_group} "{group_name}" has no members')
+
if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'):
if 'protocol' not in rule_conf:
raise ConfigError('Protocol must be defined if specifying a port or port-group')
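Review bot: The emptiness test `if not group_obj:` only fires when the group node has no children at all, so a group that carries a non-member child such as a `description` (if group nodes accept one here, as elsewhere in the VyOS config tree) is treated as populated even though it contributes no match elements; testing for the actual member keys, e.g. `if not [k for k in group_obj if k != 'description']:` if `description` is the only non-member child, would keep the warning honest. The security consequence is worth stating in a comment next to the `print`: a rule whose selector is an empty group typically matches nothing (or fails to load, depending on how the template renders an empty set, which is not visible here), so a `drop`/`reject` rule silently becomes a no-op and a commit-time warning is easy to miss — consider whether this should be a `ConfigError` for rules with a blocking action, or at least document the fail-open behaviour. Minor: the invalid-group message now prints `fw_group` (e.g. `ipv6-address-group`) where it previously printed `group`, which is arguably more accurate but changes user-visible wording. The enclosing `verify_rule` starts before and continues after this hunk.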