author | Christian Poessinger <christian@poessinger.com> | 2022-01-14 20:30:56 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-14 20:30:56 +0100 |
commit | 9aa8e51de06bda0099231f2567dbb83e430faee4 (patch) | |
tree | 1eecd3caba390e300450af400bffee90ed137887 /src/conf_mode/policy-route.py | |
parent | 97472739b4432cdbf8f73275ab00876add071692 (diff) | |
parent | df5a862beb84145dfc8434efde7d7fee783199cf (diff) | |
Merge pull request #1167 from sarthurdev/firewall
firewall: T4178: Use lowercase for TCP flags and add a validator
Diffstat (limited to 'src/conf_mode/policy-route.py')
-rwxr-xr-x | src/conf_mode/policy-route.py | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index c5904309f..30597ef4e 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -76,7 +76,7 @@ def get_config(config=None):
 return policy
-def verify_rule(policy, rule_conf, ipv6):
+def verify_rule(policy, name, rule_conf, ipv6):
 icmp = 'icmp' if not ipv6 else 'icmpv6'
 if icmp in rule_conf:
 icmp_defined = False
@@ -93,14 +93,14 @@ def verify_rule(policy, rule_conf, ipv6):
 if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
 raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
+
 if 'set' in rule_conf:
 if 'tcp_mss' in rule_conf['set']:
 tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
 if not tcp_flags or 'SYN' not in tcp_flags.split(","):
 raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
- if 'tcp' in rule_conf:
- if 'flags' in rule_conf['tcp']:
- if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
+
+ if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
 raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
 for side in ['destination', 'source']:
@@ -138,7 +138,7 @@ def verify(policy):
 for name, pol_conf in policy[route].items():
 if 'rule' in pol_conf:
 for rule_id, rule_conf in pol_conf['rule'].items():
- verify_rule(policy, rule_conf, ipv6)
+ verify_rule(policy, name, rule_conf, ipv6)
 for ifname, if_policy in policy['interfaces'].items():
 name = dict_search_args(if_policy, 'route') |
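Review bot: The new signature adds `name`, but the error messages in the second hunk also interpolate `{rule_id}`, which is neither a parameter of verify_rule nor assigned inside it, so a failing check would raise NameError instead of the intended ConfigError (unless rule_id happens to be a module-level name, which this diff does not show). The call site in the third hunk has the same gap: it passes `name` but not the `rule_id` it is iterating over. Suggest `def verify_rule(policy, name, rule_id, rule_conf, ipv6):` together with `verify_rule(policy, name, rule_id, rule_conf, ipv6)` at the call site. verify_rule's body continues past the end of this hunk.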
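Review bot: The retained TCP-MSS check still tests `'SYN' not in tcp_flags.split(",")` while the commit title says TCP flags are now lowercase; if the flag values reaching this code are lowercase, `SYN` never matches and every rule that sets tcp-mss would be rejected. Either compare case-insensitively, `if not tcp_flags or 'syn' not in tcp_flags.lower().split(','):`, or align the literal with what the new validator accepts. Separately, the first context line `if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:` mixes `and`/`or` without parentheses, so a rule with no `protocol` key reaches `rule_conf['protocol']` and raises KeyError; `if icmp_defined and rule_conf.get('protocol') != icmp:` reads as the intended meaning, though that line predates this change. The enclosing function starts and ends outside this hunk.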