authorChristian Poessinger <christian@poessinger.com>2022-01-14 20:30:56 +0100
committerGitHub <noreply@github.com>2022-01-14 20:30:56 +0100
commit9aa8e51de06bda0099231f2567dbb83e430faee4 (patch)
tree1eecd3caba390e300450af400bffee90ed137887 /src/conf_mode/policy-route.py
parent97472739b4432cdbf8f73275ab00876add071692 (diff)
parentdf5a862beb84145dfc8434efde7d7fee783199cf (diff)
Merge pull request #1167 from sarthurdev/firewall
firewall: T4178: Use lowercase for TCP flags and add an validator
Diffstat (limited to 'src/conf_mode/policy-route.py')
-rwxr-xr-xsrc/conf_mode/policy-route.py10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index c5904309f..30597ef4e 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -76,7 +76,7 @@ def get_config(config=None):
return policy
-def verify_rule(policy, rule_conf, ipv6):
+def verify_rule(policy, name, rule_conf, ipv6):
icmp = 'icmp' if not ipv6 else 'icmpv6'
if icmp in rule_conf:
icmp_defined = False
@@ -93,14 +93,14 @@ def verify_rule(policy, rule_conf, ipv6):
if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
+
if 'set' in rule_conf:
if 'tcp_mss' in rule_conf['set']:
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
if not tcp_flags or 'SYN' not in tcp_flags.split(","):
raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
- if 'tcp' in rule_conf:
- if 'flags' in rule_conf['tcp']:
- if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
+
+ if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
for side in ['destination', 'source']:
@@ -138,7 +138,7 @@ def verify(policy):
for name, pol_conf in policy[route].items():
if 'rule' in pol_conf:
for rule_id, rule_conf in pol_conf['rule'].items():
- verify_rule(policy, rule_conf, ipv6)
+ verify_rule(policy, name, rule_conf, ipv6)
for ifname, if_policy in policy['interfaces'].items():
name = dict_search_args(if_policy, 'route')
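Review bot: `rule_id`, used in the ConfigError messages after the ICMP check, in the tcp_mss branch and in the new TCP-flags check, is not a parameter of verify_rule, so unless it is a module-level name not visible here, building the error raises NameError instead of the intended ConfigError; the commit threads `name` through for exactly this reason but leaves `rule_id` behind. Pass it the same way: `def verify_rule(policy, name, rule_conf, ipv6, rule_id=None):` in the definition and `verify_rule(policy, name, rule_conf, ipv6, rule_id)` at the call site in verify. Separately, if TCP flag values are now lowercase as the PR title says, the unchanged `'SYN' not in tcp_flags.split(",")` test in the tcp_mss branch can never match and would reject every tcp-mss rule, so it presumably needs `'syn'`. The condition above it, `icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp`, is parsed as (A and B) or C, so a rule with no protocol and no ICMP options reaches the subscript and raises KeyError; parenthesising the `or` part fixes that. The body of verify_rule continues outside the hunk.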