-rw-r--r-- | python/vyos/firewall.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/policy.py | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 808e90e38..4993d855e 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -190,8 +190,8 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 def parse_tcp_flags(flags):
     include = [flag for flag in flags if flag != 'not']
-    all_flags = include + [flag for flag in flags['not']] if 'not' in flags else []
-    return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
+    exclude = flags['not'].keys() if 'not' in flags else []
+    return f'tcp flags & ({"|".join(include + exclude)}) == {"|".join(include)}'
 def parse_time(time):
     out = []
diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index e251396c7..6b1d3bf1a 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -87,6 +87,7 @@ def verify(policy):
             # human readable instance name (hypen instead of underscore)
             policy_hr = policy_type.replace('_', '-')
+            entries = []
             for rule, rule_config in instance_config['rule'].items():
                 mandatory_error = f'must be specified for "{policy_hr} {instance} rule {rule}"!'
                 if 'action' not in rule_config:
@@ -113,6 +114,11 @@ def verify(policy):
                     if 'prefix' not in rule_config:
                         raise ConfigError(f'A prefix {mandatory_error}')
+                    # Check prefix duplicates
+                    if rule_config['prefix'] in entries and ('ge' not in rule_config and 'le' not in rule_config):
+                        raise ConfigError(f'Prefix {rule_config["prefix"]} is duplicated!')
+                    entries.append(rule_config['prefix'])
+
     # route-maps tend to be a bit more complex so they get their own verify() section
     if 'route_map' in policy:
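Review bot: The new `include + exclude` on the return line of parse_tcp_flags raises TypeError whenever `'not'` is present, because `flags['not'].keys()` is a dict_keys view and a list cannot be concatenated with it; only the no-`'not'` path, where `exclude` is the empty list, works. Materialise it as a list, `exclude = list(flags['not']) if 'not' in flags else []`, which also gives `exclude` the same shape as `include`. This hunk does fix the precedence bug of the removed `all_flags` line, where the conditional expression applied to the whole concatenation, so keeping that behaviour while changing only the `exclude` type is enough.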
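Review bot: The duplicate check in the second policy.py hunk keys on the prefix alone but appends every prefix to `entries`, so a rule carrying `ge`/`le` poisons the list: a later rule with the same prefix and no `ge`/`le` is rejected as a duplicate even though the two entries differ, while two rules with the same prefix and the same `ge`/`le` both pass, and the outcome depends on the order the rules are written in. Track the whole entry instead, `entry = (rule_config['prefix'], rule_config.get('ge'), rule_config.get('le'))`, `if entry in entries:` and `entries.append(entry)`, so equality means the same prefix with the same bounds regardless of rule order. The `entries = []` reset in the first policy.py hunk is per instance, which is the right scope for that list. `verify()` starts and ends outside these hunks; the check sits under the `'prefix'` mandatory test, presumably inside a `policy_type` branch that is not visible here.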