author | Christian Poessinger <christian@poessinger.com> | 2022-06-10 21:28:41 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-10 21:28:41 +0200 |
commit | fe18efba34c5d95d3052c9e6fda69668bbfe63f3 (patch) | |
tree | 10975bc70e44fb839a46813286ecf5d2c11c2973 /src | |
parent | 2f4031c810a297c8ef81b0dc79242ef584b48662 (diff) | |
parent | 9791258d7d5320d3a8bfa45d43b59fd35e8a2131 (diff) | |
Merge pull request #1356 from sarthurdev/nested_groups
firewall: T478: Add support for nesting groups
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/firewall.py | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index fbe0a3a13..792e17b85 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -85,10 +85,16 @@ nft6_iface_chains = ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']
 valid_groups = [
     'address_group',
+    'domain_group',
     'network_group',
     'port_group'
 ]
+group_types = [
+    'address_group', 'network_group', 'port_group',
+    'ipv6_address_group', 'ipv6_network_group'
+]
+
 snmp_change_type = {
     'unknown': 0,
     'add': 1,
@@ -241,11 +247,34 @@ def verify_rule(firewall, rule_conf, ipv6):
                 if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
                     raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
+def verify_nested_group(group_name, group, groups, seen):
+    if 'include' not in group:
+        return
+
+    for g in group['include']:
+        if g not in groups:
+            raise ConfigError(f'Nested group "{g}" does not exist')
+
+        if g in seen:
+            raise ConfigError(f'Group "{group_name}" has a circular reference')
+
+        seen.append(g)
+
+        if 'include' in groups[g]:
+            verify_nested_group(g, groups[g], groups, seen)
+
 def verify(firewall):
     if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
         if not firewall['trap_targets']:
             raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined')
+    if 'group' in firewall:
+        for group_type in group_types:
+            if group_type in firewall['group']:
+                groups = firewall['group'][group_type]
+                for group_name, group in groups.items():
+                    verify_nested_group(group_name, group, groups, [])
+
     for name in ['name', 'ipv6_name']:
         if name in firewall:
             for name_id, name_conf in firewall[name].items():
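Review bot: In the second hunk, the `seen` list in verify_nested_group is shared across sibling includes rather than tracking only the path from the root, so a diamond (group A includes B and C, and both B and C include D) is rejected with `Group "C" has a circular reference` although no cycle exists, and a valid configuration cannot be committed. Tracking the current path per branch fixes this: drop the `seen.append(g)` line and recurse with `verify_nested_group(g, groups[g], groups, seen + [g])`, which still rejects A→B→A and a direct self-include, because the offending name is then found on the path. Separately, `group_types` in the first hunk omits `domain_group` even though the same hunk adds it to `valid_groups`; if domain groups can also carry `include`, their nesting is not validated by this commit. verify_nested_group lies entirely inside the hunk; verify continues past the end of the hunk.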