summaryrefslogtreecommitdiff
path: root/src/conf_mode/firewall-interface.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-06-25 11:14:31 +0200
committerGitHub <noreply@github.com>2022-06-25 11:14:31 +0200
commit10782837ad7c05224db7f488c79b43c1d932973e (patch)
tree9c4cadba2a08957c9ff320d7a56476071ae40a65 /src/conf_mode/firewall-interface.py
parentb63006b4a5e4e8e39a055311b60c8e166fa811df (diff)
parentfb984a3fc56de27765c7232cb672b982d2e3eea6 (diff)
downloadvyos-1x-10782837ad7c05224db7f488c79b43c1d932973e.tar.gz
vyos-1x-10782837ad7c05224db7f488c79b43c1d932973e.zip
Merge pull request #1362 from sarthurdev/T4435
firewall: T4435: Verify parent config applied successfully
Diffstat (limited to 'src/conf_mode/firewall-interface.py')
-rwxr-xr-xsrc/conf_mode/firewall-interface.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py
index 9a5d278e9..ab1c69259 100755
--- a/src/conf_mode/firewall-interface.py
+++ b/src/conf_mode/firewall-interface.py
@@ -64,6 +64,11 @@ def get_config(config=None):
return if_firewall
+def verify_chain(table, chain):
+ # Verify firewall applied
+ code = run(f'nft list chain {table} {chain}')
+ return code == 0
+
def verify(if_firewall):
# bail out early - looks like removal from running config
if not if_firewall:
@@ -80,6 +85,9 @@ def verify(if_firewall):
if name not in if_firewall['firewall']['name']:
raise ConfigError(f'Invalid firewall name "{name}"')
+ if not verify_chain('ip filter', f'{NAME_PREFIX}{name}'):
+ raise ConfigError('Firewall did not apply')
+
if 'ipv6_name' in if_firewall[direction]:
name = if_firewall[direction]['ipv6_name']
@@ -89,6 +97,9 @@ def verify(if_firewall):
if name not in if_firewall['firewall']['ipv6_name']:
raise ConfigError(f'Invalid firewall ipv6-name "{name}"')
+ if not verify_chain('ip6 filter', f'{NAME6_PREFIX}{name}'):
+ raise ConfigError('Firewall did not apply')
+
return None
def generate(if_firewall):