authorDaniil Baturin <daniil@vyos.io>2025-03-25 15:20:48 +0000
committerGitHub <noreply@github.com>2025-03-25 15:20:48 +0000
commit1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97 (patch)
tree91c8431c6b5f238d9251177ff0ee1985ad29aef6 /python
parent3fee8ec30dce8f3987fe468d29109ed4e1bc492a (diff)
parent9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410 (diff)
Merge pull request #4326 from Embezzle/T5493
firewall: T5493: Implement remote-group
Diffstat (limited to 'python')
-rwxr-xr-xpython/vyos/firewall.py7
-rw-r--r--python/vyos/utils/network.py16
2 files changed, 23 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 314e8dfe3..9f01f8be1 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -310,6 +310,13 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}')
+ elif 'remote_group' in group:
+ group_name = group['remote_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_name} {prefix}addr {operator} @R_{group_name}')
if 'mac_group' in group:
group_name = group['mac_group']
operator = ''
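Review bot: Because the new branch is `elif 'remote_group' in group:`, it only runs when the preceding group branches did not match, so a rule side that sets both a remote-group and the group type handled just above it (the `@D_` branch) is rendered without the `@R_` match. Unless config verification rejects that combination (not visible in this hunk), the generated nftables rule would not match what the operator wrote, and nothing would report it. Either state the exclusivity in a comment, e.g. `# remote_group is mutually exclusive with the groups above; rejected at config verification`, or emit the match under its own `if`. parse_rule starts and ends outside this hunk.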
diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py
index dc0c0a6d6..2f666f0ee 100644
--- a/python/vyos/utils/network.py
+++ b/python/vyos/utils/network.py
@@ -599,3 +599,19 @@ def get_nft_vrf_zone_mapping() -> dict:
for (vrf_name, vrf_id) in vrf_list:
output.append({'interface' : vrf_name, 'vrf_tableid' : vrf_id})
return output
+
+def is_valid_ipv4_address_or_range(addr: str) -> bool:
+ """
+ Validates if the provided address is a valid IPv4, CIDR or IPv4 range
+ :param addr: address to test
+ :return: bool: True if provided address is valid
+ """
+ from ipaddress import ip_network
+ try:
+ if '-' in addr: # If we are checking a range, validate both address's individually
+ split = addr.split('-')
+ return is_valid_ipv4_address_or_range(split[0]) and is_valid_ipv4_address_or_range(split[1])
+ else:
+ return ip_network(addr).version == 4
+ except:
+ return False
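Review bot: The range branch of `is_valid_ipv4_address_or_range` accepts strings that are not ranges. Each side goes through the same CIDR-accepting check, so a constructed input such as `10.0.0.0/8-10.0.1.0/24` passes; only the first two `-`-separated parts are examined, and nothing checks that the start is not above the end. The bare `except:` also turns every error, including KeyboardInterrupt, into `False`. If this validator gates entries of a remotely fetched list before they reach an nftables set (inferred from the commit title, the caller is not shown), it should accept exactly a plain address, a CIDR, or `start-end` of two plain addresses, and catch only `ValueError`/`TypeError`, as in the sketch below.

```python
def is_valid_ipv4_address_or_range(addr: str) -> bool:
    # … unchanged: docstring …
    from ipaddress import IPv4Address, IPv4Network
    try:
        if '-' in addr:
            # A range is exactly two plain addresses; unpacking raises
            # ValueError when there are more or fewer than two parts.
            start, end = addr.split('-')
            return IPv4Address(start) <= IPv4Address(end)
        IPv4Network(addr)
        return True
    except (TypeError, ValueError):
        # AddressValueError and NetmaskValueError both derive from ValueError
        return False
```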