diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-10 16:57:21 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-10 21:08:24 +0200 |
commit | 9791258d7d5320d3a8bfa45d43b59fd35e8a2131 (patch) | |
tree | 110a5a3fce0282f3140b1d792a3f1ec093dc2cbe /src/conf_mode/firewall.py | |
parent | fcad9572e880ab5dd71636e0aa4842dc8997bc44 (diff) | |
download | vyos-1x-9791258d7d5320d3a8bfa45d43b59fd35e8a2131.tar.gz vyos-1x-9791258d7d5320d3a8bfa45d43b59fd35e8a2131.zip |
firewall: T478: Add support for nesting groups
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 335098bf1..82a51f4af 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -85,10 +85,16 @@ nft6_iface_chains = ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] valid_groups = [ 'address_group', + 'domain_group', 'network_group', 'port_group' ] +group_types = [ + 'address_group', 'network_group', 'port_group', + 'ipv6_address_group', 'ipv6_network_group' +] + snmp_change_type = { 'unknown': 0, 'add': 1, @@ -241,11 +247,34 @@ def verify_rule(firewall, rule_conf, ipv6): if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']: raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group') +def verify_nested_group(group_name, group, groups, seen): + if 'include' not in group: + return + + for g in group['include']: + if g not in groups: + raise ConfigError(f'Nested group "{g}" does not exist') + + if g in seen: + raise ConfigError(f'Group "{group_name}" has a circular reference') + + seen.append(g) + + if 'include' in groups[g]: + verify_nested_group(g, groups[g], groups, seen) + def verify(firewall): if 'config_trap' in firewall and firewall['config_trap'] == 'enable': if not firewall['trap_targets']: raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined') + if 'group' in firewall: + for group_type in group_types: + if group_type in firewall['group']: + groups = firewall['group'][group_type] + for group_name, group in groups.items(): + verify_nested_group(group_name, group, groups, []) + for name in ['name', 'ipv6_name']: if name in firewall: for name_id, name_conf in firewall[name].items(): |