| author | Christian Poessinger <christian@poessinger.com> | 2022-01-31 19:26:37 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-31 19:26:37 +0100 | 
| commit | 36e54482a242e785c7a052035549bb45a117ea9a (patch) | |
| tree | 3d947addcb9ea4c375e2771eed68e393e9295cbe /python | |
| parent | 3aa1ec3f03a95ad41d3476b92b8b31a68b516b14 (diff) | |
| parent | ff2cc45f8ba6d7ad1bc75ef384643692a54f31cc (diff) | |
Merge pull request #1199 from sarthurdev/T4218
firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/firewall.py | 25 | ||||
| -rw-r--r-- | python/vyos/template.py | 3 | 
2 files changed, 23 insertions, 5 deletions
| diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index a2e133217..a74fd922a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -104,13 +104,25 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 group = side_conf['group']
                 if 'address_group' in group:
                     group_name = group['address_group']
-                    output.append(f'{ip_name} {prefix}addr $A{def_suffix}_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
                 elif 'network_group' in group:
                     group_name = group['network_group']
-                    output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'{ip_name} {prefix}addr {operator} $N{def_suffix}_{group_name}')
                 if 'mac_group' in group:
                     group_name = group['mac_group']
-                    output.append(f'ether {prefix}addr $M_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+                    output.append(f'ether {prefix}addr {operator} $M_{group_name}')
                 if 'port_group' in group:
                     proto = rule_conf['protocol']
                     group_name = group['port_group']
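Review bot: The four-line negation block following `group_name = group['address_group']` is pasted three times in this hunk and a fourth time in the next hunk (the port_group branch), and every copy indexes `group_name[0]`, which raises IndexError on an empty string where `group_name.startswith('!')` would simply yield no operator. A small module-level helper that returns the operator and the bare name keeps each branch to one line and puts the negation rule in a single place, which matters because the stripped name is spliced directly into an nftables set reference and any future change to the syntax must stay consistent across all four group types. The `{operator}` interpolation also leaves a double space in the generated rule when no negation is set; nft tolerates it but a reviewer reading the rendered ruleset may not expect it. parse_rule's body starts and ends outside the hunk.
```python
def _negatable_group(group_name):
    """Split an optional leading '!' off a group name; return ('!=' or '', bare name)."""
    if group_name.startswith('!'):
        return '!=', group_name[1:]
    return '', group_name

# … unchanged: parse_rule() body up to the group handling …
                if 'address_group' in group:
                    operator, group_name = _negatable_group(group['address_group'])
                    output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
# … unchanged: network_group / mac_group / port_group branches, each reduced to the same two lines …
```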
@@ -118,7 +130,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                     if proto == 'tcp_udp':
                         proto = 'th'
-                    output.append(f'{proto} {prefix}port $P_{group_name}')
+                    operator = ''
+                    if group_name[0] == '!':
+                        operator = '!='
+                        group_name = group_name[1:]
+
+                    output.append(f'{proto} {prefix}port {operator} $P_{group_name}')
     if 'log' in rule_conf and rule_conf['log'] == 'enable':
         action = rule_conf['action'] if 'action' in rule_conf else 'accept'
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 4d081b4c2..dabf53692 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -556,6 +556,7 @@ def nft_intra_zone_action(zone_conf, ipv6=False):
     if 'intra_zone_filtering' in zone_conf:
         intra_zone = zone_conf['intra_zone_filtering']
         fw_name = 'ipv6_name' if ipv6 else 'name'
+        name_prefix = 'NAME6_' if ipv6 else 'NAME_'
         if 'action' in intra_zone:
             if intra_zone['action'] == 'accept':
@@ -563,5 +564,5 @@ def nft_intra_zone_action(zone_conf, ipv6=False):
             return intra_zone['action']
         elif dict_search_args(intra_zone, 'firewall', fw_name):
             name = dict_search_args(intra_zone, 'firewall', fw_name)
-            return f'jump {name}'
+            return f'jump {name_prefix}{name}'
     return 'return' | 
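Review bot: The chain prefixes `'NAME6_'` / `'NAME_'` on the added `name_prefix` line in the first template.py hunk are bare string literals that have to match whatever prefix the firewall code now gives user-defined chains; the part of this merge that creates those chains is not in view, so I cannot confirm both sides use the same literals. If the two ever drift, the `jump {name_prefix}{name}` in the second hunk would most likely reference a chain that does not exist and the whole ruleset would be rejected at load time, leaving the zone without the intended filter. Hoisting the prefixes into one shared module-level constant that both files import removes that coupling, and a comment on the added line would make the dependency explicit: `# user-defined chains are created with a NAME_/NAME6_ prefix; jump targets must use the same one`. nft_intra_zone_action starts outside the hunk.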
