authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-29 23:34:05 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-29 23:34:05 +0100
commit985a9e8536cb7f049e82dd1c7333ecced34563fa (patch)
treee47e9ab8d4750250c3e32ef0ff2d5e37889e6017 /python
parented67750b94e8bc779ec0e2cf6d568a3f7292de13 (diff)
firewall: T4216: Add support for negated firewall groups
Diffstat (limited to 'python')
-rw-r--r--python/vyos/firewall.py25
1 files changed, 21 insertions, 4 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index a2e133217..a74fd922a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -104,13 +104,25 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
group = side_conf['group']
if 'address_group' in group:
group_name = group['address_group']
- output.append(f'{ip_name} {prefix}addr $A{def_suffix}_{group_name}')
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
elif 'network_group' in group:
group_name = group['network_group']
- output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_name} {prefix}addr {operator} $N{def_suffix}_{group_name}')
if 'mac_group' in group:
group_name = group['mac_group']
- output.append(f'ether {prefix}addr $M_{group_name}')
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'ether {prefix}addr {operator} $M_{group_name}')
if 'port_group' in group:
proto = rule_conf['protocol']
group_name = group['port_group']
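Review bot: The negation parsing added for address_group (the `operator = ''` / `if group_name[0] == '!'` / `group_name = group_name[1:]` lines) is copied verbatim for network_group, mac_group and, in the next hunk, port_group, and every copy indexes `group_name[0]`, which raises IndexError on an empty group reference instead of a clear validation error; `str.startswith('!')` is safe on an empty string. A small module-level helper removes the four-way duplication and documents the negation contract in one place. Whether a bare `!` or an empty name can reach this code depends on validation that is not visible in this hunk, so the helper's docstring states what it returns in that case rather than assuming it cannot happen. parse_rule begins before this hunk and continues past it.

```python
def _split_negation(group_name):
    """Strip a leading '!' from a firewall group reference.

    Returns the nft comparison operator ('!=' when the group is negated,
    '' otherwise) and the bare group name. An empty reference yields
    ('', ''); a reference that is only '!' yields ('!=', '').
    """
    if group_name.startswith('!'):
        return '!=', group_name[1:]
    return '', group_name

# … unchanged: parse_rule up to the address_group branch …
            group_name = group['address_group']
            operator, group_name = _split_negation(group_name)
            output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
# … unchanged: same two-line replacement in the network_group, mac_group and port_group branches …
```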
@@ -118,7 +130,12 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if proto == 'tcp_udp':
proto = 'th'
- output.append(f'{proto} {prefix}port $P_{group_name}')
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+
+ output.append(f'{proto} {prefix}port {operator} $P_{group_name}')
if 'log' in rule_conf and rule_conf['log'] == 'enable':
action = rule_conf['action'] if 'action' in rule_conf else 'accept'