authorChristian Poessinger <christian@poessinger.com>2021-04-18 13:22:47 +0200
committerChristian Poessinger <christian@poessinger.com>2021-04-18 13:22:47 +0200
commitd40dd615f9ea46b28b2e968c2ba4fff18866cf5f (patch)
tree1c697ea35c9a82782b4af790a15b5156a06ffd52 /src/conf_mode/policy.py
parent2e0fd99318a8fd3c6c42a04ea5be8f2494db23ca (diff)
policy: T2425: verify other policy types and probe for mandatory options
Diffstat (limited to 'src/conf_mode/policy.py')
-rwxr-xr-xsrc/conf_mode/policy.py47
1 files changed, 27 insertions, 20 deletions
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index a8244ca26..d461511f8 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -14,8 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
-
from sys import exit
from vyos.config import Config
@@ -43,34 +41,43 @@ def verify(policy):
if not policy:
return None
- def verify_access_list(acl, rule, rule_config):
- error_append = f'must be specified for rule {rule} in access-list {acl}!'
- if 'source' not in rule_config:
- raise ConfigError(f'Source {error_append}')
-
- if int(acl) in range(100, 200) or int(acl) in range(2000, 2700):
- if 'destination' not in rule_config:
- raise ConfigError(f'Destination {error_append}')
-
- for type in ['access_list', 'access_list6', 'as_path_list', 'community_list',
- 'extcommunity_list', 'large_community_list', 'prefix_list',
- 'prefix_list6', 'route_map']:
+ for policy_type in ['access_list', 'access_list6', 'as_path_list',
+ 'community_list', 'extcommunity_list', 'large_community_list',
+ 'prefix_list', 'prefix_list6', 'route_map']:
# Bail out early and continue with next policy type
- if type not in policy:
+ if policy_type not in policy:
continue
+
# instance can be an ACL name/number, prefix-list name or route-map name
- for instance, instance_config in policy[type].items():
+ for instance, instance_config in policy[policy_type].items():
# If no rule was found within the instance ... sad, but we can leave
# early as nothing needs to be verified
if 'rule' not in instance_config:
continue
+
+ # human readable instance name (hypen instead of underscore)
+ policy_hr = policy_type.replace('_', '-')
for rule, rule_config in instance_config['rule'].items():
+ mandatory_error = f'must be specified for "{policy_hr} {instance} rule {rule}"!'
if 'action' not in rule_config:
- error_msg = 'Action must be specified for ' + type.replace('_','-')
- raise ConfigError(f'{error_msg} {instance}, rule {rule}!')
+ raise ConfigError(f'Action {mandatory_error}')
+
+ if policy_type == 'access_list':
+ if 'source' not in rule_config:
+ raise ConfigError(f'Source {mandatory_error}')
+
+ if int(instance) in range(100, 200) or int(instance) in range(2000, 2700):
+ if 'destination' not in rule_config:
+ raise ConfigError(f'Destination {mandatory_error}')
+
+ if policy_type == 'access_list6':
+ if 'source' not in rule_config:
+ raise ConfigError(f'Source {mandatory_error}')
- if type == 'access_list':
- verify_access_list(instance, rule, rule_config)
+ if policy_type in ['as_path_list', 'community_list', 'extcommunity_list',
+ 'large_community_list']:
+ if 'regex' not in rule_config:
+ raise ConfigError(f'Regex {mandatory_error}')
return None
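Review bot: In the `access_list` branch, `int(instance)` is evaluated twice and, if an access-list name were ever non-numeric, would surface as an unhandled ValueError instead of the ConfigError every other check raises; presumably the interface definition already restricts access-list names to numbers, but the verifier should not depend on that silently. Bind it once and fold the numeric check into the same error style, e.g. `acl_number = int(instance)` followed by `if acl_number in range(100, 200) or acl_number in range(2000, 2700):`, with a `ValueError` handler that raises `ConfigError(f'access-list name "{instance}" must be numeric')`. The `prefix_list`, `prefix_list6` and `route_map` types fall through with only the `action` check, although the commit title promises mandatory-option probing for the other policy types; if a prefix-list rule requires a `prefix` node, a check parallel to the `regex` one belongs here, otherwise a comment stating that these types have no further mandatory options would keep the next reader from re-asking. `policy_hr` depends only on `policy_type` and could move above the instance loop.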