authorNicolás Fort <95703796+nicolas-fort@users.noreply.github.com>2024-09-10 03:56:18 -0300
committerGitHub <noreply@github.com>2024-09-10 09:56:18 +0300
commitec3ebe8890c60bbb6f657335c212ac7078dc731c (patch)
treebe7a8cd90f8812991b175b4da209ec063021dc92
parentb9076dd2e06215659d6a2e3c9e542703dbe79ea3 (diff)
downloadvyos-1x-ec3ebe8890c60bbb6f657335c212ac7078dc731c.tar.gz
vyos-1x-ec3ebe8890c60bbb6f657335c212ac7078dc731c.zip
T6698: firewall: add matcher for vlan type. (#4027)
-rw-r--r--[-rwxr-xr-x]interface-definitions/include/firewall/common-rule-bridge.xml.i0
-rw-r--r--[-rwxr-xr-x]interface-definitions/include/firewall/global-options.xml.i0
-rw-r--r--[-rwxr-xr-x]interface-definitions/include/firewall/match-ether-type.xml.i0
-rw-r--r--interface-definitions/include/firewall/match-vlan.xml.i1
-rwxr-xr-xpython/vyos/firewall.py13
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py3
6 files changed, 16 insertions, 1 deletions
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index 80088bbec..80088bbec 100755..100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 05fdd75cb..05fdd75cb 100755..100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
diff --git a/interface-definitions/include/firewall/match-ether-type.xml.i b/interface-definitions/include/firewall/match-ether-type.xml.i
index abfa9034d..abfa9034d 100755..100644
--- a/interface-definitions/include/firewall/match-ether-type.xml.i
+++ b/interface-definitions/include/firewall/match-ether-type.xml.i
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
index 44ad02c99..d58e84353 100644
--- a/interface-definitions/include/firewall/match-vlan.xml.i
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -36,6 +36,7 @@
</constraint>
</properties>
</leafNode>
+ #include <include/firewall/match-ether-type.xml.i>
</children>
</node>
<!-- include end --> \ No newline at end of file
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index b1978c1fa..64fed8177 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -496,6 +496,19 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
output.append(f'vlan id {rule_conf["vlan"]["id"]}')
if 'priority' in rule_conf['vlan']:
output.append(f'vlan pcp {rule_conf["vlan"]["priority"]}')
+ if 'ethernet_type' in rule_conf['vlan']:
+ ether_type_mapping = {
+ '802.1q': '8021q',
+ '802.1ad': '8021ad',
+ 'ipv6': 'ip6',
+ 'ipv4': 'ip',
+ 'arp': 'arp'
+ }
+ ether_type = rule_conf['vlan']['ethernet_type']
+ operator = '!=' if ether_type.startswith('!') else ''
+ ether_type = ether_type.lstrip('!')
+ ether_type = ether_type_mapping.get(ether_type, ether_type)
+ output.append(f'vlan type {operator} {ether_type}')
if 'log' in rule_conf:
action = rule_conf['action'] if 'action' in rule_conf else 'accept'
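Review bot: `ether_type_mapping.get(ether_type, ether_type)` forwards any value not in the table verbatim into the nft rule text, so the correctness of the generated ruleset rests entirely on the constraint in match-ether-type.xml.i, which is not visible in this diff; a comment stating that dependency, e.g. `# unmapped values pass through unchanged; allowed values are enforced by match-ether-type.xml.i`, would make the contract explicit. The format string `f'vlan type {operator} {ether_type}'` emits a double space whenever no negation is present; `output.append(' '.join(t for t in ('vlan type', operator, ether_type) if t))` avoids that. The mapping dict is rebuilt on every call and the `'arp': 'arp'` entry is redundant with the `.get` default, so the table could move to a module-level constant. parse_rule starts and ends outside this hunk.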
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index e4f9b14be..3e9ec2935 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -721,6 +721,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'default-log'])
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'action', 'accept'])
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'id', vlan_id])
+ self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '1', 'vlan', 'ethernet-type', 'ipv4'])
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'action', 'jump'])
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'jump-target', name])
self.cli_set(['firewall', 'bridge', 'forward', 'filter', 'rule', '2', 'vlan', 'priority', vlan_prior])
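Review bot: The added `ethernet-type ipv4` assignment, together with the `'vlan type ip'` expectation in the second smoketest hunk, exercises only the non-negated path through the new mapping; the `!`-prefixed form that emits `vlan type !=` and the 802.1q/802.1ad renames have no coverage. If the XML constraint accepts the negated form, a rule setting `'vlan', 'ethernet-type', '!802.1q'` with the expectation `'vlan type != 8021q'` would cover both in one step. The test method starts outside this hunk.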
@@ -745,7 +746,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['chain VYOS_FORWARD_filter'],
['type filter hook forward priority filter; policy accept;'],
['jump VYOS_STATE_POLICY'],
- [f'vlan id {vlan_id}', 'accept'],
+ [f'vlan id {vlan_id}', 'vlan type ip', 'accept'],
[f'vlan pcp {vlan_prior}', f'jump NAME_{name}'],
['log prefix "[bri-FWD-filter-default-D]"', 'drop', 'FWD-filter default-action drop'],
[f'chain NAME_{name}'],