diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-06-25 11:14:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-25 11:14:31 +0200 |
commit | 10782837ad7c05224db7f488c79b43c1d932973e (patch) | |
tree | 9c4cadba2a08957c9ff320d7a56476071ae40a65 /src/conf_mode/firewall-interface.py | |
parent | b63006b4a5e4e8e39a055311b60c8e166fa811df (diff) | |
parent | fb984a3fc56de27765c7232cb672b982d2e3eea6 (diff) | |
download | vyos-1x-10782837ad7c05224db7f488c79b43c1d932973e.tar.gz vyos-1x-10782837ad7c05224db7f488c79b43c1d932973e.zip |
Merge pull request #1362 from sarthurdev/T4435
firewall: T4435: Verify parent config applied successfully
Diffstat (limited to 'src/conf_mode/firewall-interface.py')
-rwxr-xr-x | src/conf_mode/firewall-interface.py | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py index 9a5d278e9..ab1c69259 100755 --- a/src/conf_mode/firewall-interface.py +++ b/src/conf_mode/firewall-interface.py @@ -64,6 +64,11 @@ def get_config(config=None): return if_firewall +def verify_chain(table, chain): + # Verify firewall applied + code = run(f'nft list chain {table} {chain}') + return code == 0 + def verify(if_firewall): # bail out early - looks like removal from running config if not if_firewall: @@ -80,6 +85,9 @@ def verify(if_firewall): if name not in if_firewall['firewall']['name']: raise ConfigError(f'Invalid firewall name "{name}"') + if not verify_chain('ip filter', f'{NAME_PREFIX}{name}'): + raise ConfigError('Firewall did not apply') + if 'ipv6_name' in if_firewall[direction]: name = if_firewall[direction]['ipv6_name'] @@ -89,6 +97,9 @@ def verify(if_firewall): if name not in if_firewall['firewall']['ipv6_name']: raise ConfigError(f'Invalid firewall ipv6-name "{name}"') + if not verify_chain('ip6 filter', f'{NAME6_PREFIX}{name}'): + raise ConfigError('Firewall did not apply') + return None def generate(if_firewall): |