diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-04-18 10:19:16 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-04-18 11:18:21 +0200 |
| commit | 2e0fd99318a8fd3c6c42a04ea5be8f2494db23ca (patch) | |
| tree | 28f2df99606ffde4023df46151b9f195311fd482 /src/conf_mode/policy.py | |
| parent | 0f4e7eccc8abf61d6242c03cb7b160a786ac3593 (diff) | |
| download | vyos-1x-2e0fd99318a8fd3c6c42a04ea5be8f2494db23ca.tar.gz vyos-1x-2e0fd99318a8fd3c6c42a04ea5be8f2494db23ca.zip | |
policy: T2425: add common verify() code for all types of policies
Diffstat (limited to 'src/conf_mode/policy.py')
| -rwxr-xr-x | src/conf_mode/policy.py | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py index fec9a206e..a8244ca26 100755 --- a/src/conf_mode/policy.py +++ b/src/conf_mode/policy.py @@ -36,29 +36,42 @@ def get_config(config=None): base = ['policy'] policy = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + return policy def verify(policy): if not policy: return None - if 'access-list' in policy: - for acl, acl_config in policy['access-list'].items(): - if 'rule' not in acl_config: + def verify_access_list(acl, rule, rule_config): + error_append = f'must be specified for rule {rule} in access-list {acl}!' + if 'source' not in rule_config: + raise ConfigError(f'Source {error_append}') + + if int(acl) in range(100, 200) or int(acl) in range(2000, 2700): + if 'destination' not in rule_config: + raise ConfigError(f'Destination {error_append}') + + for type in ['access_list', 'access_list6', 'as_path_list', 'community_list', + 'extcommunity_list', 'large_community_list', 'prefix_list', + 'prefix_list6', 'route_map']: + # Bail out early and continue with next policy type + if type not in policy: + continue + # instance can be an ACL name/number, prefix-list name or route-map name + for instance, instance_config in policy[type].items(): + # If no rule was found within the instance ... sad, but we can leave + # early as nothing needs to be verified + if 'rule' not in instance_config: continue - - for rule, rule_config in acl_config['rule'].items(): - if 'source' not in rule_config: - raise ConfigError(f'Source must be specified for rule {rule} '\ - f'for access-list {acl}!') + for rule, rule_config in instance_config['rule'].items(): if 'action' not in rule_config: - raise ConfigError(f'Action must be specified for rule {rule} '\ - f'for access-list {acl}!') + error_msg = 'Action must be specified for ' + type.replace('_','-') + raise ConfigError(f'{error_msg} {instance}, rule {rule}!') + + if type == 'access_list': + verify_access_list(instance, rule, rule_config) - if int(acl) not in range(100, 200) or int(acl) not in range(2000, 2700): - if 'destination' not in rule_config: - raise ConfigError(f'Destination must be specified for rule {rule} '\ - f'for access-list {acl}!') return None |