Merge pull request #1174 from sarthurdev/firewall

firewall: T4178: T3873: tcp flags syntax refactor, intra-zone-filtering fix
author: Christian Poessinger <christian@poessinger.com> 2022-01-17 18:08:34 +0100
committer: GitHub <noreply@github.com> 2022-01-17 18:08:34 +0100
commit: 9fb2e1432209f907d6e5e3ce748da243c85f2851 (patch)
tree: 0f3607ccd75cfad67f25ba06b62bdaa1232874fb /src/conf_mode
parent: 7e731c0ef503334eaab2bfd723163a9749d64da2 (diff)
parent: 53c2b62dda5bcd1f605a8b9ea438f0f76e366e36 (diff)
download: vyos-1x-9fb2e1432209f907d6e5e3ce748da243c85f2851.tar.gz
vyos-1x-9fb2e1432209f907d6e5e3ce748da243c85f2851.zip
2 files changed, 21 insertions, 5 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 853470fd8..906d477b0 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -142,8 +142,16 @@ def verify_rule(firewall, rule_conf, ipv6):
         if not {'count', 'time'} <= set(rule_conf['recent']):
             raise ConfigError('Recent "count" and "time" values must be defined')
 
-    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
-        raise ConfigError('Protocol must be tcp when specifying tcp flags')
+    tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+    if tcp_flags:
+        if dict_search_args(rule_conf, 'protocol') != 'tcp':
+            raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+        not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+        if not_flags:
+            duplicates = [flag for flag in tcp_flags if flag in not_flags]
+            if duplicates:
+                raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
     for side in ['destination', 'source']:
         if side in rule_conf:
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 30597ef4e..eb13788dd 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -97,11 +97,19 @@ def verify_rule(policy, name, rule_conf, ipv6):
     if 'set' in rule_conf:
         if 'tcp_mss' in rule_conf['set']:
             tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
-            if not tcp_flags or 'SYN' not in tcp_flags.split(","):
+            if not tcp_flags or 'syn' not in tcp_flags:
                 raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
 
-    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
-                raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
+    tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+    if tcp_flags:
+        if dict_search_args(rule_conf, 'protocol') != 'tcp':
+            raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+        not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+        if not_flags:
+            duplicates = [flag for flag in tcp_flags if flag in not_flags]
+            if duplicates:
+                raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
     for side in ['destination', 'source']:
         if side in rule_conf:
author	Christian Poessinger <christian@poessinger.com>	2022-01-17 18:08:34 +0100
committer	GitHub <noreply@github.com>	2022-01-17 18:08:34 +0100
commit	9fb2e1432209f907d6e5e3ce748da243c85f2851 (patch)
tree	0f3607ccd75cfad67f25ba06b62bdaa1232874fb /src/conf_mode
parent	7e731c0ef503334eaab2bfd723163a9749d64da2 (diff)
parent	53c2b62dda5bcd1f605a8b9ea438f0f76e366e36 (diff)
download	vyos-1x-9fb2e1432209f907d6e5e3ce748da243c85f2851.tar.gz vyos-1x-9fb2e1432209f907d6e5e3ce748da243c85f2851.zip