Merge pull request #3964 from nicolas-fort/T6643

T6643: firewall: fix ip address range parsing on firewall rules.
author: Christian Breunig <christian@breunig.cc> 2024-08-10 20:47:50 +0200
committer: GitHub <noreply@github.com> 2024-08-10 20:47:50 +0200
commit: 64e324d7dd9a696a70c9a956ce8792652c6f4191 (patch)
tree: 1632953683d33df2a0613dca506305bb341934f0
parent: be27b8932161b403dfad2551ce791059ff1f3925 (diff)
parent: ff58f3e5f30d3775487a6a3b561863aa37d11d43 (diff)
download: vyos-1x-64e324d7dd9a696a70c9a956ce8792652c6f4191.tar.gz
vyos-1x-64e324d7dd9a696a70c9a956ce8792652c6f4191.zip
2 files changed, 16 insertions, 7 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3976a5580..f0cf3c924 100644..100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -167,10 +167,19 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
                 if address_mask:
                     operator = '!=' if exclude else '=='
                     operator = f'& {address_mask} {operator} '
-                if is_ipv4(suffix):
-                    output.append(f'ip {prefix}addr {operator}{suffix}')
+
+                if suffix.find('-') != -1:
+                    # Range
+                    start, end = suffix.split('-')
+                    if is_ipv4(start):
+                        output.append(f'ip {prefix}addr {operator}{suffix}')
+                    else:
+                        output.append(f'ip6 {prefix}addr {operator}{suffix}')
                 else:
-                    output.append(f'ip6 {prefix}addr {operator}{suffix}')
+                    if is_ipv4(suffix):
+                        output.append(f'ip {prefix}addr {operator}{suffix}')
+                    else:
+                        output.append(f'ip6 {prefix}addr {operator}{suffix}')
 
             if 'fqdn' in side_conf:
                 fqdn = side_conf['fqdn']
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index dfc816a42..8aeeff149 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -311,7 +311,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
 
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
-        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+        self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1-198.51.100.50'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
         self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
@@ -331,7 +331,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         nftables_search = [
             ['chain VYOS_FORWARD_filter'],
             ['type filter hook forward priority filter; policy accept;'],
-            ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'],
+            ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'],
             ['FWD-filter default-action drop', 'drop'],
             ['chain VYOS_INPUT_filter'],
             ['type filter hook input priority filter; policy accept;'],
@@ -455,7 +455,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
 
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
-        self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
+        self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1-2002::10'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
@@ -510,7 +510,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['tcp dport 23', 'drop'],
             ['PRE-raw default-action accept', 'accept'],
             [f'chain NAME6_{name}'],
-            ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
+            ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
             [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
             ['jump VYOS_STATE_POLICY6'],
             ['chain VYOS_STATE_POLICY6'],
author	Christian Breunig <christian@breunig.cc>	2024-08-10 20:47:50 +0200
committer	GitHub <noreply@github.com>	2024-08-10 20:47:50 +0200
commit	64e324d7dd9a696a70c9a956ce8792652c6f4191 (patch)
tree	1632953683d33df2a0613dca506305bb341934f0
parent	be27b8932161b403dfad2551ce791059ff1f3925 (diff)
parent	ff58f3e5f30d3775487a6a3b561863aa37d11d43 (diff)
download	vyos-1x-64e324d7dd9a696a70c9a956ce8792652c6f4191.tar.gz vyos-1x-64e324d7dd9a696a70c9a956ce8792652c6f4191.zip