author | Christian Breunig <christian@breunig.cc> | 2024-02-01 21:41:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-01 21:41:07 +0100 |
commit | b24e2cbef7fc5c4b2a1a4533ff75e01dea0c2b42 (patch) | |
tree | ab74c9d546390b4c5585fe740d0898374df6d1b6 /python | |
parent | cd4b03898e99b7317d2cbdf614bc14caf2e9bbce (diff) | |
parent | 3ce9583b9420ed72cf45728f439f00b1c4cf5800 (diff) | |
download | vyos-1x-b24e2cbef7fc5c4b2a1a4533ff75e01dea0c2b42.tar.gz vyos-1x-b24e2cbef7fc5c4b2a1a4533ff75e01dea0c2b42.zip |
Merge pull request #2924 from vyos/mergify/bp/sagitta/pr-2756
T4839: firewall: Add dynamic address group in firewall configuration (backport #2756)
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/firewall.py | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 28ebf282c..eee11bd2d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -226,6 +226,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 operator = '!=' if exclude else '=='
 operator = f'& {address_mask} {operator}'
 output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
+ elif 'dynamic_address_group' in group:
+ group_name = group['dynamic_address_group']
+ operator = ''
+ exclude = group_name[0] == "!"
+ if exclude:
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_name} {prefix}addr {operator} @DA{def_suffix}_{group_name}')
 # Generate firewall group domain-group
 elif 'domain_group' in group:
 group_name = group['domain_group']
@@ -419,6 +427,18 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 output.append('counter')
+ if 'add_address_to_group' in rule_conf:
+ for side in ['destination_address', 'source_address']:
+ if side in rule_conf['add_address_to_group']:
+ prefix = side[0]
+ side_conf = rule_conf['add_address_to_group'][side]
+ dyn_group = side_conf['address_group']
+ if 'timeout' in side_conf:
+ timeout_value = side_conf['timeout']
+ output.append(f'set update ip{def_suffix} {prefix}addr timeout {timeout_value} @DA{def_suffix}_{dyn_group}')
+ else:
+ output.append(f'set update ip{def_suffix} saddr @DA{def_suffix}_{dyn_group}')
+
 if 'set' in rule_conf:
 output.append(parse_policy_set(rule_conf['set'], def_suffix))
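Review bot: `exclude = group_name[0] == "!"` in the new dynamic_address_group branch raises IndexError on an empty group name instead of failing with a clear message; `exclude = group_name.startswith('!')` reads the same and is total, and the stripped name should be checked non-empty before it is embedded as `@DA{def_suffix}_{group_name}`, since an empty remainder yields a set reference nft rejects at load time. The branch also lacks the short header comment its siblings carry; `# Generate firewall group dynamic-address-group` above the `elif` keeps the file's convention. In the second hunk, the no-timeout branch hard-codes `saddr` where `{prefix}addr` is used one line above, so a `destination_address` entry without a timeout records the packet's source address in the dynamic group rather than its destination, putting the opposite host into the set. parse_rule starts and ends outside both hunks, and the second hunk's trailing context is cut off here.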