authorChristian Breunig <christian@breunig.cc>2023-09-28 17:02:33 +0200
committerGitHub <noreply@github.com>2023-09-28 17:02:33 +0200
commit852e9c3328e61f5d0b92a9efca376aec94533f2b (patch)
tree0aff1a25a0e9ce69b39cc14f609d11c4f547d54f /src/conf_mode/firewall.py
parent5bcd00a2ee5ef92470ddc67f7821bb8c8659765d (diff)
parentbdad4e046872e054ec7783b2f04b73a8a690a045 (diff)
downloadvyos-1x-852e9c3328e61f5d0b92a9efca376aec94533f2b.tar.gz
vyos-1x-852e9c3328e61f5d0b92a9efca376aec94533f2b.zip
Merge pull request #2295 from sever-sever/T5217-synproxy
T5217: Add firewall synproxy
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3d799318e..2ca4bbe2d 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -173,6 +173,14 @@ def verify_rule(firewall, rule_conf, ipv6):
if not dict_search_args(firewall, 'flowtable', offload_target):
raise ConfigError(f'Invalid offload-target. Flowtable "{offload_target}" does not exist on the system')
+ if rule_conf['action'] != 'synproxy' and 'synproxy' in rule_conf:
+ raise ConfigError('"synproxy" option allowed only for action synproxy')
+ if rule_conf['action'] == 'synproxy':
+ if not rule_conf.get('synproxy', {}).get('tcp'):
+ raise ConfigError('synproxy TCP MSS is not defined')
+ if rule_conf.get('protocol', {}) != 'tcp':
+ raise ConfigError('For action "synproxy" the protocol must be set to TCP')
+
if 'queue_options' in rule_conf:
if 'queue' not in rule_conf['action']:
raise ConfigError('queue-options defined, but action queue needed and it is not defined')
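Review bot: The MSS check in the new synproxy branch only tests that the `synproxy tcp` node exists, so a rule with `synproxy tcp` but no `mss` leaf passes validation while the error text ("synproxy TCP MSS is not defined") suggests otherwise; if the template later renders the missing value, the failure would surface at nft load time instead of at commit. Using the helper already used three lines above keeps the check precise: `if not dict_search_args(rule_conf, 'synproxy', 'tcp', 'mss'):`. The protocol check uses a dict as the default for a string-valued key, `rule_conf.get('protocol', {}) != 'tcp'`; it works only because `{}` compares unequal to any string, and `rule_conf.get('protocol') != 'tcp'` says the same thing plainly. Both `rule_conf['action']` lookups assume `action` was validated earlier in verify_rule, whose start is outside this hunk, so that assumption is worth confirming.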