diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-15 22:43:34 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-15 23:02:35 +0200 |
| commit | fb984a3fc56de27765c7232cb672b982d2e3eea6 (patch) | |
| tree | 272da480bc39f10de1d02531d7c2083e97f89ba2 /src/conf_mode/policy-route-interface.py | |
| parent | eab40258869631b38b4787816c84efb14fc75ad3 (diff) | |
| download | vyos-1x-fb984a3fc56de27765c7232cb672b982d2e3eea6.tar.gz vyos-1x-fb984a3fc56de27765c7232cb672b982d2e3eea6.zip | |
firewall: T4435: Verify parent config applied successfully
Diffstat (limited to 'src/conf_mode/policy-route-interface.py')
| -rwxr-xr-x | src/conf_mode/policy-route-interface.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/policy-route-interface.py b/src/conf_mode/policy-route-interface.py index 1108aebe6..58c5fd93d 100755 --- a/src/conf_mode/policy-route-interface.py +++ b/src/conf_mode/policy-route-interface.py @@ -24,6 +24,7 @@ from vyos.config import Config from vyos.ifconfig import Section from vyos.template import render from vyos.util import cmd +from vyos.util import run from vyos import ConfigError from vyos import airbag airbag.enable() @@ -47,6 +48,11 @@ def get_config(config=None): return if_policy +def verify_chain(table, chain): + # Verify policy route applied + code = run(f'nft list chain {table} {chain}') + return code == 0 + def verify(if_policy): # bail out early - looks like removal from running config if not if_policy: @@ -62,6 +68,12 @@ def verify(if_policy): if route_name not in if_policy['policy'][route]: raise ConfigError(f'Invalid policy route name "{name}"') + nft_prefix = 'VYOS_PBR6_' if route == 'route6' else 'VYOS_PBR_' + nft_table = 'ip6 mangle' if route == 'route6' else 'ip mangle' + + if not verify_chain(nft_table, nft_prefix + route_name): + raise ConfigError('Policy route did not apply') + return None def generate(if_policy): |