Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/firewall.py | 22 | ||||
-rw-r--r-- | python/vyos/nat.py | 9 | ||||
-rw-r--r-- | python/vyos/utils/network.py | 22 |
3 files changed, 46 insertions, 7 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 4aa509fe2..53ff8259e 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -272,20 +272,34 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 output.append(f'ip6 hoplimit {operator} {value}')
 if 'inbound_interface' in rule_conf:
+ operator = ''
 if 'interface_name' in rule_conf['inbound_interface']:
 iiface = rule_conf['inbound_interface']['interface_name']
- output.append(f'iifname {{{iiface}}}')
+ if iiface[0] == '!':
+ operator = '!='
+ iiface = iiface[1:]
+ output.append(f'iifname {operator} {{{iiface}}}')
 else:
 iiface = rule_conf['inbound_interface']['interface_group']
- output.append(f'iifname @I_{iiface}')
+ if iiface[0] == '!':
+ operator = '!='
+ iiface = iiface[1:]
+ output.append(f'iifname {operator} @I_{iiface}')
 if 'outbound_interface' in rule_conf:
+ operator = ''
 if 'interface_name' in rule_conf['outbound_interface']:
 oiface = rule_conf['outbound_interface']['interface_name']
- output.append(f'oifname {{{oiface}}}')
+ if oiface[0] == '!':
+ operator = '!='
+ oiface = oiface[1:]
+ output.append(f'oifname {operator} {{{oiface}}}')
 else:
 oiface = rule_conf['outbound_interface']['interface_group']
- output.append(f'oifname @I_{oiface}')
+ if oiface[0] == '!':
+ operator = '!='
+ oiface = oiface[1:]
+ output.append(f'oifname {operator} @I_{oiface}')
 if 'ttl' in rule_conf:
 operators = {'eq': '==', 'gt': '>', 'lt': '<'}
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index b6702f7e2..9cbc2b96e 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
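Review bot: `if iiface[0] == '!':` and its three copies (inbound group, outbound name, outbound group) index the value without checking that it is non-empty, so an empty string raises IndexError while the ruleset is being generated; `if iiface.startswith('!'):` behaves the same for valid input and is safe for any string. The same four-line negation block appears four times in this hunk, and since it decides whether a rule matches or excludes an interface, a small helper that returns the operator and the stripped name would keep the branches from drifting apart. A short comment such as `# operator stays '' for a positive match and becomes '!=' when the name is prefixed with '!'` would also explain why the f-string can emit two consecutive spaces. parse_rule starts and ends outside the hunk.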
@@ -56,10 +56,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False): elif 'translation' in rule_conf: addr = dict_search_args(rule_conf, 'translation', 'address') port = dict_search_args(rule_conf, 'translation', 'port') - redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port') - if redirect_port: - translation_output = [f'redirect to {redirect_port}'] + if 'redirect' in rule_conf['translation']: + translation_output = [f'redirect'] + redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port') + if redirect_port: + translation_output.append(f'to {redirect_port}') else: + translation_prefix = nat_type[:1] translation_output = [f'{translation_prefix}nat'] diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py index 3f9a3ef4b..2f181d8d9 100644 --- a/python/vyos/utils/network.py +++ b/python/vyos/utils/network.py @@ -36,6 +36,10 @@ def get_protocol_by_name(protocol_name): except socket.error: return protocol_name +def interface_exists(interface) -> bool: + import os + return os.path.exists(f'/sys/class/net/{interface}') + def interface_exists_in_netns(interface_name, netns): from vyos.utils.process import rc_cmd rc, out = rc_cmd(f'ip netns exec {netns} ip link show dev {interface_name}') @@ -43,6 +47,24 @@ def interface_exists_in_netns(interface_name, netns): return True return False +def get_vrf_members(vrf: str) -> list: + """ + Get list of interface VRF members + :param vrf: str + :return: list + """ + import json + from vyos.utils.process import cmd + if not interface_exists(vrf): + raise ValueError(f'VRF "{vrf}" does not exist!') + output = cmd(f'ip --json --brief link show master {vrf}') + answer = json.loads(output) + interfaces = [] + for data in answer: + if 'ifname' in data: + interfaces.append(data.get('ifname')) + return interfaces + def get_interface_vrf(interface): """ Returns VRF of given interface """ from vyos.utils.dict import dict_search |
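Review bot: `translation_output = [f'redirect']` is an f-string with no placeholders; the plain literal `translation_output = ['redirect']` is equivalent and does not trip linters. The new branch now emits a bare `redirect` when no port is configured, which deserves a one-line comment above the `if`, for example `# 'redirect' is valid without a port; 'to <port>' is appended only when one is set`. parse_nat_rule continues outside the hunk, so how `addr` and `port` are used afterwards cannot be checked from here.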
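Review bot: `interface_exists` tests a filesystem path built directly from its argument, so an empty string, `..`, or any value containing `/` is checked against a path that is not an interface entry and can return True. Because `get_vrf_members` in the next hunk relies on this function as its only validation, a guard such as `if not interface or '/' in interface or interface in ('.', '..'): return False` before the `os.path.exists` call keeps the result meaningful. The function also has no docstring; `"""Return True if an interface with this name exists under /sys/class/net."""` would match the style of the neighbouring helpers.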
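Review bot: `cmd(f'ip --json --brief link show master {vrf}')` interpolates `vrf` into a command string, and the only check before it is `interface_exists(vrf)`, which confirms that a path exists rather than that the value is a well-formed VRF name. Whether `cmd` passes the string to a shell is not visible in this diff, so the value is better quoted before use, e.g. `output = cmd(f'ip --json --brief link show master {shlex.quote(vrf)}')` with `import shlex` next to the other local imports. The guard also accepts any existing interface, not only a VRF, so the error text `VRF "{vrf}" does not exist!` can be misleading. The collection loop reduces to `return [data['ifname'] for data in answer if 'ifname' in data]`, and the docstring should mention the ValueError.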