| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-18 20:24:22 +0200 | 
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-18 20:26:51 +0200 | 
| commit | fb3ef9af5e394aa25692003fb3c185bfedefe3cb (patch) | |
| tree | 377a5dd42a9bc0b4c1ee4c3e0670c1cf733f3731 /src | |
| parent | 4c9c2e372aa57aba298915d5d2702ebaf0b7db91 (diff) | |
| download | vyos-1x-fb3ef9af5e394aa25692003fb3c185bfedefe3cb.tar.gz vyos-1x-fb3ef9af5e394aa25692003fb3c185bfedefe3cb.zip | |
conntrack: T5217: Add tcp flag matching to `system conntrack ignore`
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i`
- Updates smoketest to verify TCP flag matching
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/conntrack.py | 11 | 
1 files changed, 11 insertions, 0 deletions
| diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 47b2bea4d..21a20ea8d 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -118,6 +118,17 @@ def verify(conntrack):
                     if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
                         raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+                tcp_flags = dict_search_args(rule_config, 'tcp', 'flags')
+                if tcp_flags:
+                    if dict_search_args(rule_config, 'protocol') != 'tcp':
+                        raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+                    not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not')
+                    if not_flags:
+                        duplicates = [flag for flag in tcp_flags if flag in not_flags]
+                        if duplicates:
+                            raise ConfigError(f'Cannot match a tcp flag as set and not set')
+
 
                 for side in ['destination', 'source']:
                     if side in rule_config:
                         side_conf = rule_config[side] | 
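Review bot: The `duplicates` list built in the new `if not_flags:` branch is thrown away by the error that follows it — `raise ConfigError(f'Cannot match a tcp flag as set and not set')` is an f-string with no placeholders and, unlike the neighbouring `Port requires tcp or udp as protocol in rule {rule}` message, names neither the rule nor the conflicting flags, so an operator with several ignore rules cannot tell which one was rejected. Suggest `raise ConfigError(f'Cannot match tcp flag(s) {", ".join(duplicates)} as both set and not set in rule {rule}')` and, for the same reason, `raise ConfigError(f'Protocol must be tcp when specifying tcp flags in rule {rule}')`. If, as the lookup `dict_search_args(rule_config, 'tcp', 'flags', 'not')` suggests, the `not` subtree is itself a key of the same `flags` dict, the comprehension also visits the key `'not'`; it cannot collide with anything inside `not_flags` today, but excluding it (`if flag != 'not' and flag in not_flags`) makes the intent explicit. `verify()` starts before and continues past this hunk.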
