-rw-r--r--python/vyos/configverify.py13
-rwxr-xr-x[-rw-r--r--]python/vyos/firewall.py14
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py8
-rwxr-xr-xsmoketest/scripts/cli/test_load-balancing_reverse-proxy.py2
-rwxr-xr-xsrc/conf_mode/qos.py2
5 files changed, 25 insertions, 14 deletions
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 4cb84194a..b49d66c36 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -237,7 +237,7 @@ def verify_bridge_delete(config):
raise ConfigError(f'Interface "{interface}" cannot be deleted as it '
f'is a member of bridge "{bridge_name}"!')
-def verify_interface_exists(ifname, warning_only=False):
+def verify_interface_exists(ifname, state_required=False, warning_only=False):
"""
Common helper function used by interface implementations to perform
recurring validation if an interface actually exists. We first probe
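Review bot: `state_required` is inserted ahead of `warning_only` in the signature, so any existing caller that passes `warning_only` positionally would now set `state_required` instead and silently lose its warn-only behaviour. Making the flags keyword-only turns such a call into a loud error rather than a behaviour change: `def verify_interface_exists(ifname, *, state_required=False, warning_only=False):`. The docstring, which continues outside this hunk, should also describe the new flag, e.g. `state_required: skip the CLI config lookup and only accept an interface that exists in the running kernel`.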
@@ -249,11 +249,12 @@ def verify_interface_exists(ifname, warning_only=False):
from vyos.utils.dict import dict_search_recursive
from vyos.utils.network import interface_exists
- # Check if interface is present in CLI config
- config = ConfigTreeQuery()
- tmp = config.get_config_dict(['interfaces'], get_first_key=True)
- if bool(list(dict_search_recursive(tmp, ifname))):
- return True
+ if not state_required:
+ # Check if interface is present in CLI config
+ config = ConfigTreeQuery()
+ tmp = config.get_config_dict(['interfaces'], get_first_key=True)
+ if bool(list(dict_search_recursive(tmp, ifname))):
+ return True
# Interface not found on CLI, try Linux Kernel
if interface_exists(ifname):
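Review bot: The context comment `# Interface not found on CLI, try Linux Kernel` no longer describes the path taken when `state_required` is true, because the CLI lookup is then skipped rather than tried and missed. I would reword it to `# Not found in CLI config, or kernel state explicitly required: probe the running system`. A why-comment above the new `if not state_required:` would also help, e.g. `# Callers that need a live device must not be satisfied by a config-only interface`. The function body continues past the end of this hunk.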
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index d7b7b80a8..1ef42e9a3 100644..100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -164,7 +164,19 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if address_mask:
operator = '!=' if exclude else '=='
operator = f'& {address_mask} {operator} '
- output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
+
+ if suffix.find('-') != -1:
+ # Range
+ start, end = suffix.split('-')
+ if is_ipv4(start):
+ output.append(f'ip {prefix}addr {operator}{suffix}')
+ else:
+ output.append(f'ip6 {prefix}addr {operator}{suffix}')
+ else:
+ if is_ipv4(suffix):
+ output.append(f'ip {prefix}addr {operator}{suffix}')
+ else:
+ output.append(f'ip6 {prefix}addr {operator}{suffix}')
if 'fqdn' in side_conf:
fqdn = side_conf['fqdn']
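Review bot: The four new branches emit only two distinct strings and `end` is assigned but never used, so the range and single-address cases can share one path: `family = 'ip' if is_ipv4(suffix.split('-')[0]) else 'ip6'` followed by `output.append(f'{family} {prefix}addr {operator}{suffix}')`. Using `split('-')[0]` also avoids the `ValueError` that `start, end = suffix.split('-')` raises if the value ever contains more than one hyphen. Everything `is_ipv4` rejects is emitted as `ip6` without a positive check, so a malformed or mixed-family range would yield an `ip6` rule instead of an error; whether upstream validation rules that out is not visible here, and `is_ipv4` itself is defined outside the hunk. The file header also flips this library module's mode from 100644 to 100755, which looks unintended. `parse_rule` starts and ends outside the hunk.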
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index c47562714..7e0931eba 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -290,7 +290,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop'])
- self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1-198.51.100.50'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'mark', '1010'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
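Review bot: Rule 1's source address is changed from a single host to a range instead of a range case being added, so this rule no longer exercises the single-address branch for `ip saddr`; whether another rule in the test still covers it is not visible in this hunk. Keeping the original line and adding the range under a rule number the test does not already use, e.g. `self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '<unused-rule-id>', 'source', 'address', '198.51.100.1-198.51.100.50'])`, would keep both paths asserted. The same swap is made for the IPv6 rule in the hunk at -434.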
@@ -310,7 +310,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
nftables_search = [
['chain VYOS_FORWARD_filter'],
['type filter hook forward priority filter; policy accept;'],
- ['ip saddr 198.51.100.1', 'meta mark 0x000003f2', f'jump NAME_{name}'],
+ ['ip saddr 198.51.100.1-198.51.100.50', 'meta mark 0x000003f2', f'jump NAME_{name}'],
['FWD-filter default-action drop', 'drop'],
['chain VYOS_INPUT_filter'],
['type filter hook input priority filter; policy accept;'],
@@ -434,7 +434,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6', 'name', name, 'default-log'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1'])
+ self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1-2002::10'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log'])
self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit'])
@@ -473,7 +473,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['meta l4proto gre', f'oifname "{interface}"', 'return'],
['log prefix "[ipv6-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'],
[f'chain NAME6_{name}'],
- ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
+ ['saddr 2002::1-2002::10', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
[f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
['jump VYOS_STATE_POLICY6'],
['chain VYOS_STATE_POLICY6'],
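Review bot: The expected string `'saddr 2002::1-2002::10'` omits the family keyword, so the IPv6 side of the new `ip`/`ip6` selection in `parse_rule` is not pinned by this assertion, whereas the IPv4 expectation in the hunk at -310 does include `ip saddr`. I would tighten it to `'ip6 saddr 2002::1-2002::10'`, assuming the search helper (defined outside this hunk) matches substrings of the generated ruleset.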
diff --git a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
index db43a78ec..34f77b95d 100755
--- a/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
+++ b/smoketest/scripts/cli/test_load-balancing_reverse-proxy.py
@@ -465,8 +465,6 @@ class TestLoadBalancingReverseProxy(VyOSUnitTestSHIM.TestCase):
# Ensure default logging configuration is present
config = read_file(HAPROXY_CONF)
- self.assertIn('log /dev/log local0', config)
- self.assertIn('log /dev/log local1 notice', config)
# Test global-parameters logging options
self.cli_set(base_path + ['global-parameters', 'logging', 'facility', 'local1', 'level', 'err'])
diff --git a/src/conf_mode/qos.py b/src/conf_mode/qos.py
index 8a590cbc6..a97a09ba0 100755
--- a/src/conf_mode/qos.py
+++ b/src/conf_mode/qos.py
@@ -237,7 +237,7 @@ def apply(qos):
return None
for interface, interface_config in qos['interface'].items():
- if not verify_interface_exists(interface, warning_only=True):
+ if not verify_interface_exists(interface, state_required=True, warning_only=True):
# When shaper is bound to a dialup (e.g. PPPoE) interface it is
# possible that it is yet not availbale when to QoS code runs.
# Skip the configuration and inform the user via warning_only=True