authorChristian Poessinger <christian@poessinger.com>2021-04-18 10:19:16 +0200
committerChristian Poessinger <christian@poessinger.com>2021-04-18 11:18:21 +0200
commit2e0fd99318a8fd3c6c42a04ea5be8f2494db23ca (patch)
tree28f2df99606ffde4023df46151b9f195311fd482 /src/conf_mode/policy.py
parent0f4e7eccc8abf61d6242c03cb7b160a786ac3593 (diff)
policy: T2425: add common verify() code for all types of policies
Diffstat (limited to 'src/conf_mode/policy.py')
-rwxr-xr-xsrc/conf_mode/policy.py41
1 files changed, 27 insertions, 14 deletions
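--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -36,29 +36,42 @@ def get_config(config=None):
 base = ['policy']
 policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
 no_tag_node_value_mangle=True)
+
 return policy
 def verify(policy):
 if not policy:
 return None
- if 'access-list' in policy:
- for acl, acl_config in policy['access-list'].items():
- if 'rule' not in acl_config:
+ def verify_access_list(acl, rule, rule_config):
+ error_append = f'must be specified for rule {rule} in access-list {acl}!'
+ if 'source' not in rule_config:
+ raise ConfigError(f'Source {error_append}')
+
+ if int(acl) in range(100, 200) or int(acl) in range(2000, 2700):
+ if 'destination' not in rule_config:
+ raise ConfigError(f'Destination {error_append}')
+
+ for type in ['access_list', 'access_list6', 'as_path_list', 'community_list',
+ 'extcommunity_list', 'large_community_list', 'prefix_list',
+ 'prefix_list6', 'route_map']:
+ # Bail out early and continue with next policy type
+ if type not in policy:
+ continue
+ # instance can be an ACL name/number, prefix-list name or route-map name
+ for instance, instance_config in policy[type].items():
+ # If no rule was found within the instance ... sad, but we can leave
+ # early as nothing needs to be verified
+ if 'rule' not in instance_config:
 continue
-
- for rule, rule_config in acl_config['rule'].items():
- if 'source' not in rule_config:
- raise ConfigError(f'Source must be specified for rule {rule} '\
- f'for access-list {acl}!')
+ for rule, rule_config in instance_config['rule'].items():
 if 'action' not in rule_config:
- raise ConfigError(f'Action must be specified for rule {rule} '\
- f'for access-list {acl}!')
+ error_msg = 'Action must be specified for ' + type.replace('_','-')
+ raise ConfigError(f'{error_msg} {instance}, rule {rule}!')
+
+ if type == 'access_list':
+ verify_access_list(instance, rule, rule_config)
- if int(acl) not in range(100, 200) or int(acl) not in range(2000, 2700):
- if 'destination' not in rule_config:
- raise ConfigError(f'Destination must be specified for rule {rule} '\
- f'for access-list {acl}!')
 return None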
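Review bot: The loop variable `type` introduced in the new `for type in ['access_list', ...]` header shadows the `type` builtin for the rest of `verify()`, which is easy to trip over the next time an `isinstance`/`type()` check is added to this function; renaming it, e.g. `for policy_type in ['access_list', 'access_list6', 'as_path_list', 'community_list',`, and updating its four uses (`if type not in policy`, `policy[type].items()`, `type.replace('_','-')`, `if type == 'access_list'`) keeps the logic unchanged. Separately, the new `verify_access_list` helper calls `int(acl)` on the access-list name; if the CLI schema does not already constrain access-list names to integers, a non-numeric name would surface as a `ValueError` traceback instead of a `ConfigError`, so guarding the conversion with `acl.isdigit()` or a `try/except ValueError` that re-raises as `ConfigError` would be safer — worth confirming against the node's validator. A flat comparison such as `100 <= int(acl) < 200 or 2000 <= int(acl) < 2700` would also read more directly than two `in range(...)` tests. The `verify()` body ends with the `return None` context line at the bottom of the hunk, while `get_config()` starts above it.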