summaryrefslogtreecommitdiff
path: root/src/conf_mode/conntrack.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/conntrack.py')
-rwxr-xr-xsrc/conf_mode/conntrack.py11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 47b2bea4d..21a20ea8d 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -118,6 +118,17 @@ def verify(conntrack):
if 'protocol' not in rule_config or rule_config['protocol'] not in ['tcp', 'udp']:
raise ConfigError(f'Port requires tcp or udp as protocol in rule {rule}')
+ tcp_flags = dict_search_args(rule_config, 'tcp', 'flags')
+ if tcp_flags:
+ if dict_search_args(rule_config, 'protocol') != 'tcp':
+ raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+ not_flags = dict_search_args(rule_config, 'tcp', 'flags', 'not')
+ if not_flags:
+ duplicates = [flag for flag in tcp_flags if flag in not_flags]
+ if duplicates:
+ raise ConfigError(f'Cannot match a tcp flag as set and not set')
+
for side in ['destination', 'source']:
if side in rule_config:
side_conf = rule_config[side]
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 00:15:14 +0000