| author | Christian Poessinger <christian@poessinger.com> | 2021-10-08 21:17:52 +0200 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-10-08 21:17:52 +0200 | 
| commit | 5aadf673497b93e2d4ad304e567de1cd571f9e25 (patch) | |
| tree | e32d9c58db07ff62dff147b168b6c55f802068dc /src | |
| parent | adc7ef387d40e92bd7163ee6b401e99e554394a3 (diff) | |
tunnel: T3893: harden logic when validating tunnel parameters
Different types of tunnels have different keys set in get_interface_config().
Thus it should be properly verified (by e.g. using dict_search()) that the key
in question exists, so that no KeyError is raised.
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/interfaces-tunnel.py | 15 | 
1 files changed, 7 insertions, 8 deletions
|
diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index ef385d2e7..51127127d 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -108,18 +108,17 @@ def verify(tunnel):
             # Prevent the same key for 2 tunnels with same source-address/encap. T2920
             for tunnel_if in Section.interfaces('tunnel'):
                 tunnel_cfg = get_interface_config(tunnel_if)
-                exist_encap = tunnel_cfg['linkinfo']['info_kind']
-                exist_source_address = tunnel_cfg['address']
-                exist_key = tunnel_cfg['linkinfo']['info_data']['ikey']
+                # no match on encapsulation - bail out
+                if dict_search('linkinfo.info_kind', tunnel_cfg) != tunnel['encapsulation']:
+                    continue
                 new_source_address = tunnel['source_address']
                 # Convert tunnel key to ip key, format "ip -j link show"
                 # 1 => 0.0.0.1, 999 => 0.0.3.231
-                orig_new_key = int(tunnel['parameters']['ip']['key'])
-                new_key = IPv4Address(orig_new_key)
+                orig_new_key = dict_search('parameters.ip.key', tunnel)
+                new_key = IPv4Address(int(orig_new_key))
                 new_key = str(new_key)
-                if tunnel['encapsulation'] == exist_encap and \
-                   new_source_address == exist_source_address and \
-                   new_key == exist_key:
+                if dict_search('address', tunnel_cfg) == new_source_address and \
+                   dict_search('linkinfo.info_data.ikey', tunnel_cfg) == new_key:
                     raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
                                       f'is already used for tunnel "{tunnel_if}"!')
|
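Review bot: `new_source_address = tunnel['source_address']` is still a direct index on the new side, so a tunnel configured without a source address would raise the same KeyError this commit sets out to avoid; `new_source_address = dict_search('source_address', tunnel)` would keep the lookup consistent with the other three. Similarly, `int(orig_new_key)` raises TypeError if `dict_search('parameters.ip.key', tunnel)` finds nothing (assuming it returns None for a missing key), unless a guard above the hunk already ensures the key is set; verify() begins outside the hunk, so that cannot be confirmed from here. Both values are loop-invariant and could be computed once before the `for`. An uncaught exception in this validation path aborts the commit with a traceback instead of a ConfigError, so the duplicate-key check is worth keeping exception-free.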
