| author | Christian Breunig <christian@breunig.cc> | 2024-02-01 21:21:54 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-01 21:21:54 +0100 | 
| commit | 8a4017d91d5022cfca294a0873e937c39899c094 (patch) | |
| tree | 34048129f97640eaf36615f658fa4a975101ffec /python | |
| parent | 176a79420c5bf676b0f857a169a9b9c3906ee0c0 (diff) | |
| parent | 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122 (diff) | |
Merge pull request #2756 from nicolas-fort/T4839
T4839: firewall: Add dynamic address group in firewall configuration
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/firewall.py | 20 | 
1 files changed, 20 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 28ebf282c..eee11bd2d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -226,6 +226,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
                         operator = '!=' if exclude else '=='
                         operator = f'& {address_mask} {operator}'
                     output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
+                elif 'dynamic_address_group' in group:
+                    group_name = group['dynamic_address_group']
+                    operator = ''
+                    exclude = group_name[0] == "!"
+                    if exclude:
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'{ip_name} {prefix}addr {operator} @DA{def_suffix}_{group_name}')
                 # Generate firewall group domain-group
                 elif 'domain_group' in group:
                     group_name = group['domain_group']
@@ -419,6 +427,18 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     output.append('counter')
+    if 'add_address_to_group' in rule_conf:
+        for side in ['destination_address', 'source_address']:
+            if side in rule_conf['add_address_to_group']:
+                prefix = side[0]
+                side_conf = rule_conf['add_address_to_group'][side]
+                dyn_group = side_conf['address_group']
+                if 'timeout' in side_conf:
+                    timeout_value = side_conf['timeout']
+                    output.append(f'set update ip{def_suffix} {prefix}addr timeout {timeout_value} @DA{def_suffix}_{dyn_group}')
+                else:
+                    output.append(f'set update ip{def_suffix} saddr @DA{def_suffix}_{dyn_group}')
+
     if 'set' in rule_conf:
         output.append(parse_policy_set(rule_conf['set'], def_suffix))
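Review bot: The negation handling in the new `dynamic_address_group` branch (`operator = ''`, `exclude = group_name[0] == "!"`, the `if exclude:` strip) is a line-for-line copy of the `address_group` branch directly above it, minus that branch's `address_mask` case, so the two will drift apart on the next change; a small helper such as `group_name, operator = _split_negation(group['dynamic_address_group'])` returning the stripped name and `'!='` or `''` would let both branches share it. Like its sibling, `group_name[0]` raises IndexError on an empty group name — presumably unreachable through the CLI validators, but worth confirming since this is a config-to-nft rendering path. If leaving out `address_mask` for dynamic groups is intentional, a one-line comment on the `elif`, e.g. `# address-mask is not applied to dynamic groups`, would record that rather than leaving it to look like an omission. `parse_rule` begins and ends outside this hunk, and `prefix`, `ip_name` and `def_suffix` are bound before it.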
