summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-15 22:43:34 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-15 23:02:35 +0200
commitfb984a3fc56de27765c7232cb672b982d2e3eea6 (patch)
tree272da480bc39f10de1d02531d7c2083e97f89ba2 /src/conf_mode
parenteab40258869631b38b4787816c84efb14fc75ad3 (diff)
downloadvyos-1x-fb984a3fc56de27765c7232cb672b982d2e3eea6.tar.gz
vyos-1x-fb984a3fc56de27765c7232cb672b982d2e3eea6.zip
firewall: T4435: Verify parent config applied successfully
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/firewall-interface.py11
-rwxr-xr-xsrc/conf_mode/policy-route-interface.py12
2 files changed, 23 insertions, 0 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py
index 9a5d278e9..ab1c69259 100755
--- a/src/conf_mode/firewall-interface.py
+++ b/src/conf_mode/firewall-interface.py
@@ -64,6 +64,11 @@ def get_config(config=None):
return if_firewall
+def verify_chain(table, chain):
+ # Verify firewall applied
+ code = run(f'nft list chain {table} {chain}')
+ return code == 0
+
def verify(if_firewall):
# bail out early - looks like removal from running config
if not if_firewall:
@@ -80,6 +85,9 @@ def verify(if_firewall):
if name not in if_firewall['firewall']['name']:
raise ConfigError(f'Invalid firewall name "{name}"')
+ if not verify_chain('ip filter', f'{NAME_PREFIX}{name}'):
+ raise ConfigError('Firewall did not apply')
+
if 'ipv6_name' in if_firewall[direction]:
name = if_firewall[direction]['ipv6_name']
@@ -89,6 +97,9 @@ def verify(if_firewall):
if name not in if_firewall['firewall']['ipv6_name']:
raise ConfigError(f'Invalid firewall ipv6-name "{name}"')
+ if not verify_chain('ip6 filter', f'{NAME6_PREFIX}{name}'):
+ raise ConfigError('Firewall did not apply')
+
return None
def generate(if_firewall):
diff --git a/src/conf_mode/policy-route-interface.py b/src/conf_mode/policy-route-interface.py
index 1108aebe6..58c5fd93d 100755
--- a/src/conf_mode/policy-route-interface.py
+++ b/src/conf_mode/policy-route-interface.py
@@ -24,6 +24,7 @@ from vyos.config import Config
from vyos.ifconfig import Section
from vyos.template import render
from vyos.util import cmd
+from vyos.util import run
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -47,6 +48,11 @@ def get_config(config=None):
return if_policy
+def verify_chain(table, chain):
+ # Verify policy route applied
+ code = run(f'nft list chain {table} {chain}')
+ return code == 0
+
def verify(if_policy):
# bail out early - looks like removal from running config
if not if_policy:
@@ -62,6 +68,12 @@ def verify(if_policy):
if route_name not in if_policy['policy'][route]:
raise ConfigError(f'Invalid policy route name "{name}"')
+ nft_prefix = 'VYOS_PBR6_' if route == 'route6' else 'VYOS_PBR_'
+ nft_table = 'ip6 mangle' if route == 'route6' else 'ip mangle'
+
+ if not verify_chain(nft_table, nft_prefix + route_name):
+ raise ConfigError('Policy route did not apply')
+
return None
def generate(if_policy):