author | Andrew Topp <andrewt@telekinetica.net> | 2024-05-31 21:51:25 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2024-05-31 21:54:25 +1000 |
commit | 34024e630ec70ac5dc59fc57f818f6cd9dc15cd2 (patch) | |
tree | 62fe0d31ddd776624461e0ac81fe223ec597871e /src/conf_mode | |
parent | ea477ed0cec87041cb94c0eb2bc2ce9523a92a0a (diff) | |
tunnel: T6157: fixing GRE tunnel uniqueness checks
Unset params would mistakenly match when None and trigger a validation error even when used params were unique.
Updated check to ensure unique source-addresses if not None, and that (source-interfaces, source-addresses) are
unique together appropriately.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces_tunnel.py | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/src/conf_mode/interfaces_tunnel.py b/src/conf_mode/interfaces_tunnel.py
index 43ba72857..98ef98d12 100755
--- a/src/conf_mode/interfaces_tunnel.py
+++ b/src/conf_mode/interfaces_tunnel.py
@@ -145,11 +145,20 @@ def verify(tunnel):
 # If no IP GRE key is defined we can not have more then one GRE tunnel
 # bound to any one interface/IP address and the same remote. This will
 # result in a OS PermissionError: add tunnel "gre0" failed: File exists
- if (their_address == our_address or our_source_if == their_source_if) and \
- our_remote == their_remote:
- raise ConfigError(f'Missing required "ip key" parameter when '\
- 'running more then one GRE based tunnel on the '\
- 'same source-interface/source-address')
+ if our_remote == their_remote:
+ if our_address is not None and their_address == our_address:
+ # If set to the same values, this is always a fail
+ raise ConfigError(f'Missing required "ip key" parameter when '\
+ 'running more then one GRE based tunnel on the '\
+ 'same source-address')
+
+ if their_source_if == our_source_if and their_address == our_address:
+ # Note that lack of None check on these is deliberate.
+ # source-if and source-ip matching while unset (all None) is a fail
+ # source-ifs set and matching with unset source-ips is a fail
+ raise ConfigError(f'Missing required "ip key" parameter when '\
+ 'running more then one GRE based tunnel on the '\
+ 'same source-interface')

 # Keys are not allowed with ipip and sit tunnels
 if tunnel['encapsulation'] in ['ipip', 'sit']: |
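Review bot: In the second added check, `their_address == our_address` can only be true when both addresses are None, because the first check has already raised for every equal non-None pair, so the condition reads more broadly than it behaves. Writing it as `if their_source_if == our_source_if and our_address is None and their_address is None:` would put the deliberate None handling in the code instead of only in the comment. The error text also says "same source-interface" when both tunnels leave source-interface unset, which may mislead an operator reading the commit failure, so wording that covers the unset case would help. The assignments of `our_address`, `our_source_if` and `our_remote` and the rest of `verify` lie outside this hunk, so this assumes unset values arrive as None.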