zone_policy: T3873: Implement intra-zone-filtering

1 files changed, 20 insertions, 0 deletions

diff --git a/src/conf_mode/zone_policy.py b/src/conf_mode/zone_policy.py
index 92f5624c2..2535ea33b 100755
--- a/src/conf_mode/zone_policy.py
+++ b/src/conf_mode/zone_policy.py
@@ -63,6 +63,8 @@ def verify(zone_policy):
                     raise ConfigError('There cannot be multiple local zones')
                 if 'interface' in zone_conf:
                     raise ConfigError('Local zone cannot have interfaces assigned')
+                if 'intra_zone_filtering' in zone_conf:
+                    raise ConfigError('Local zone cannot use intra-zone-filtering')
                 local_zone = True
 
             if 'interface' in zone_conf:
@@ -73,6 +75,24 @@ def verify(zone_policy):
 
                 interfaces += zone_conf['interface']
 
+            if 'intra_zone_filtering' in zone_conf:
+                intra_zone = zone_conf['intra_zone_filtering']
+
+                if len(intra_zone) > 1:
+                    raise ConfigError('Only one intra-zone-filtering action must be specified')
+
+                if 'firewall' in intra_zone:
+                    v4_name = dict_search_args(intra_zone, 'firewall', 'name')
+                    if v4_name and not dict_search_args(zone_policy, 'firewall', 'name', v4_name):
+                        raise ConfigError(f'Firewall name "{v4_name}" does not exist')
+
+                    v6_name = dict_search_args(intra_zone, 'firewall', 'ipv6-name')
+                    if v6_name and not dict_search_args(zone_policy, 'firewall', 'ipv6-name', v6_name):
+                        raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
+
+                    if not v4_name and not v6_name:
+                        raise ConfigError('No firewall names specified for intra-zone-filtering')
+
             if 'from' in zone_conf:
                 for from_zone, from_conf in zone_conf['from'].items():
                     v4_name = dict_search_args(from_conf, 'firewall', 'name')