author | Christian Poessinger <christian@poessinger.com> | 2020-05-12 20:58:34 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 15:30:26 +0200 |
commit | 1e7d01e5b5a12c5bfaa8989ae6073679f6b647b0 (patch) | |
tree | 5a4b4f430d227525ac285efc35565c4e58ff47b2 /src/conf_mode/nat.py | |
parent | ac4f99ac3b176f1804b17b32e6615e8b3701dfe8 (diff) | |
download | vyos-1x-1e7d01e5b5a12c5bfaa8989ae6073679f6b647b0.tar.gz vyos-1x-1e7d01e5b5a12c5bfaa8989ae6073679f6b647b0.zip |
nat: T2198: add some basic verify() rules
Diffstat (limited to 'src/conf_mode/nat.py')
-rwxr-xr-x | src/conf_mode/nat.py | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 580a06136..bde6841cc 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -25,6 +25,7 @@ from netifaces import interfaces from vyos.config import Config from vyos.template import render from vyos.util import call, cmd +from vyos.validate import is_addr_assigned from vyos import ConfigError default_config_data = { @@ -176,6 +177,18 @@ def get_config(): return nat +def verify_rule(rule): + if rule['translation_port']: + if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']: + proto = rule['protocol'] + raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")') + + if '/' in rule['translation_address']: + raise ConfigError(f'{err_msg}\n' \ + 'Cannot use ports with an IPv4net type translation address as it\n' \ + 'statically maps a whole network of addresses onto another\n' \ + 'network of addresses') + def verify(nat): if nat['deleted']: # no need to verify the CLI as NAT is going to be deactivated 
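Review bot: `verify_rule` reads `err_msg` in both of its f-strings, but that name is neither a parameter nor defined inside the function (it is a local of `verify` in the following hunk), so a failing check raises NameError instead of the intended ConfigError and the operator gets a traceback rather than the rule-specific message. Pass the prefix in explicitly, `def verify_rule(rule, err_msg):`, and change both call sites in the next hunk to `verify_rule(rule, err_msg)`. The function would also benefit from a docstring stating what it enforces, e.g. `"""Checks shared by source and destination rules: a translation port requires protocol tcp, udp or tcp_udp and a single-address (not a.b.c.d/len) translation address."""`.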
@@ -190,6 +203,32 @@ def verify(nat): if interface and interface not in interfaces(): print(f'NAT configuration warning: interface {interface} does not exist on this system') + err_msg = f"Source NAT configuration error in rule {rule['number']}:" + + if not rule['interface_out']: + raise ConfigError(f'{err_msg} outbound-interface not specified') + + if not rule['translation_address']: + raise ConfigError(f'{err_msg} translation address not specified') + else: + addr = rule['translation_address'] + if addr != 'masquerade' and not is_addr_assigned(addr): + printf(f'Warning: IP address {addr} does not exist on the system!') + + # common rule verification + verify_rule(rule) + + for rule in nat['destination']: + interface = rule['interface_in'] + if interface and interface not in interfaces(): + print(f'NAT configuration warning: interface {interface} does not exist on this system') + + if not rule['interface_in']: + raise ConfigError(f'{err_msg} inbound-interface not specified') + + # common rule verification + verify_rule(rule) + return None def generate(nat): |
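Review bot: The destination-rule loop reuses `err_msg` from the source-rule loop, so a failing `inbound-interface` check reports "Source NAT configuration error" with the last source rule's number, and if there are no source rules at all `err_msg` is never bound and the raise becomes a NameError. Add `err_msg = f"Destination NAT configuration error in rule {rule['number']}:"` as the first statement of the `for rule in nat['destination']:` body. In the translation-address branch `printf(f'Warning: ...')` is also an undefined name, so any address that is not assigned on the system turns the intended warning into a crash; it should be `print(f'Warning: IP address {addr} does not exist on the system!')`. `is_addr_assigned(addr)` is applied to the raw `translation_address` string, which `verify_rule` itself anticipates may be in `a.b.c.d/len` form, so the warning may fire spuriously for such values unless `is_addr_assigned` accepts them — worth confirming. The body of `verify` begins before this hunk.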