authorChristian Poessinger <christian@poessinger.com>2020-05-12 20:58:34 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 15:30:26 +0200
commit1e7d01e5b5a12c5bfaa8989ae6073679f6b647b0 (patch)
tree5a4b4f430d227525ac285efc35565c4e58ff47b2 /src
parentac4f99ac3b176f1804b17b32e6615e8b3701dfe8 (diff)
nat: T2198: add some basic verify() rules
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/nat.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 580a06136..bde6841cc 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -25,6 +25,7 @@ from netifaces import interfaces
from vyos.config import Config
from vyos.template import render
from vyos.util import call, cmd
+from vyos.validate import is_addr_assigned
from vyos import ConfigError
default_config_data = {
@@ -176,6 +177,18 @@ def get_config():
return nat
+def verify_rule(rule):
+ if rule['translation_port']:
+ if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+ proto = rule['protocol']
+ raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")')
+
+ if '/' in rule['translation_address']:
+ raise ConfigError(f'{err_msg}\n' \
+ 'Cannot use ports with an IPv4net type translation address as it\n' \
+ 'statically maps a whole network of addresses onto another\n' \
+ 'network of addresses')
+
def verify(nat):
if nat['deleted']:
# no need to verify the CLI as NAT is going to be deactivated
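Review bot: `err_msg` is referenced in both error messages of verify_rule (the protocol check and the IPv4net translation-address check) but is never defined in that function; it is a local of verify(), so the first rule that trips either check raises NameError with a traceback instead of the intended ConfigError. Pass the prefix in explicitly, `def verify_rule(rule, err_msg):`, and call it as `verify_rule(rule, err_msg)` at both call sites in verify(). A one-line docstring noting that these are the checks shared by source and destination rules and that they raise ConfigError would also make the helper's contract clear.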
@@ -190,6 +203,32 @@ def verify(nat):
if interface and interface not in interfaces():
print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+
+ if not rule['interface_out']:
+ raise ConfigError(f'{err_msg} outbound-interface not specified')
+
+ if not rule['translation_address']:
+ raise ConfigError(f'{err_msg} translation address not specified')
+ else:
+ addr = rule['translation_address']
+ if addr != 'masquerade' and not is_addr_assigned(addr):
+ printf(f'Warning: IP address {addr} does not exist on the system!')
+
+ # common rule verification
+ verify_rule(rule)
+
+ for rule in nat['destination']:
+ interface = rule['interface_in']
+ if interface and interface not in interfaces():
+ print(f'NAT configuration warning: interface {interface} does not exist on this system')
+
+ if not rule['interface_in']:
+ raise ConfigError(f'{err_msg} inbound-interface not specified')
+
+ # common rule verification
+ verify_rule(rule)
+
return None
def generate(nat):
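Review bot: `printf(...)` in the else branch of the translation-address check is not a Python name, so a valid source rule whose translation address is not currently assigned on the system crashes with NameError instead of printing the intended warning; it should read `print(f'Warning: IP address {addr} does not exist on the system!')`. Separately, the destination loop reuses `err_msg` from the source loop, so a destination-rule error is reported as "Source NAT configuration error" with the last source rule's number, and when there are no source rules the name is unbound on that path; add `err_msg = f"Destination NAT configuration error in rule {rule['number']}:"` as the first statement of the destination loop body. The source-rule loop whose body this hunk extends starts outside the hunk.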