summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-06-10 21:28:41 +0200
committerGitHub <noreply@github.com>2022-06-10 21:28:41 +0200
commitfe18efba34c5d95d3052c9e6fda69668bbfe63f3 (patch)
tree10975bc70e44fb839a46813286ecf5d2c11c2973 /src
parent2f4031c810a297c8ef81b0dc79242ef584b48662 (diff)
parent9791258d7d5320d3a8bfa45d43b59fd35e8a2131 (diff)
downloadvyos-1x-fe18efba34c5d95d3052c9e6fda69668bbfe63f3.tar.gz
vyos-1x-fe18efba34c5d95d3052c9e6fda69668bbfe63f3.zip
Merge pull request #1356 from sarthurdev/nested_groups
firewall: T478: Add support for nesting groups
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py29
1 files changed, 29 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index fbe0a3a13..792e17b85 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -85,10 +85,16 @@ nft6_iface_chains = ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']
valid_groups = [
'address_group',
+ 'domain_group',
'network_group',
'port_group'
]
+group_types = [
+ 'address_group', 'network_group', 'port_group',
+ 'ipv6_address_group', 'ipv6_network_group'
+]
+
snmp_change_type = {
'unknown': 0,
'add': 1,
@@ -241,11 +247,34 @@ def verify_rule(firewall, rule_conf, ipv6):
if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
+def verify_nested_group(group_name, group, groups, seen):
+ if 'include' not in group:
+ return
+
+ for g in group['include']:
+ if g not in groups:
+ raise ConfigError(f'Nested group "{g}" does not exist')
+
+ if g in seen:
+ raise ConfigError(f'Group "{group_name}" has a circular reference')
+
+ seen.append(g)
+
+ if 'include' in groups[g]:
+ verify_nested_group(g, groups[g], groups, seen)
+
def verify(firewall):
if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
if not firewall['trap_targets']:
raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined')
+ if 'group' in firewall:
+ for group_type in group_types:
+ if group_type in firewall['group']:
+ groups = firewall['group'][group_type]
+ for group_name, group in groups.items():
+ verify_nested_group(group_name, group, groups, [])
+
for name in ['name', 'ipv6_name']:
if name in firewall:
for name_id, name_conf in firewall[name].items():