Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/zone_policy.py | 20 | 
1 files changed, 20 insertions, 0 deletions
|
diff --git a/src/conf_mode/zone_policy.py b/src/conf_mode/zone_policy.py
index 92f5624c2..2535ea33b 100755
--- a/src/conf_mode/zone_policy.py
+++ b/src/conf_mode/zone_policy.py
@@ -63,6 +63,8 @@ def verify(zone_policy):
                     raise ConfigError('There cannot be multiple local zones')
                 if 'interface' in zone_conf:
                     raise ConfigError('Local zone cannot have interfaces assigned')
+                if 'intra_zone_filtering' in zone_conf:
+                    raise ConfigError('Local zone cannot use intra-zone-filtering')
                 local_zone = True
             if 'interface' in zone_conf:
@@ -73,6 +75,24 @@ def verify(zone_policy):
                 interfaces += zone_conf['interface']
+            if 'intra_zone_filtering' in zone_conf:
+                intra_zone = zone_conf['intra_zone_filtering']
+
+                if len(intra_zone) > 1:
+                    raise ConfigError('Only one intra-zone-filtering action must be specified')
+
+                if 'firewall' in intra_zone:
+                    v4_name = dict_search_args(intra_zone, 'firewall', 'name')
+                    if v4_name and not dict_search_args(zone_policy, 'firewall', 'name', v4_name):
+                        raise ConfigError(f'Firewall name "{v4_name}" does not exist')
+
+                    v6_name = dict_search_args(intra_zone, 'firewall', 'ipv6-name')
+                    if v6_name and not dict_search_args(zone_policy, 'firewall', 'ipv6-name', v6_name):
+                        raise ConfigError(f'Firewall ipv6-name "{v6_name}" does not exist')
+
+                    if not v4_name and not v6_name:
+                        raise ConfigError('No firewall names specified for intra-zone-filtering')
+
             if 'from' in zone_conf:
                 for from_zone, from_conf in zone_conf['from'].items():
                     v4_name = dict_search_args(from_conf, 'firewall', 'name')
|
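Review bot: The last check in the second hunk, `if not v4_name and not v6_name`, accepts an intra-zone-filtering firewall block that names only one address family, and nothing in the hunk says what intra-zone traffic of the other family then gets. That decision is presumably made where the ruleset is rendered, which is not in this file, so a reader of verify() cannot tell whether a zone with only `name` set filters or passes IPv6 between its own interfaces. I would add a comment above that check, e.g. `# one family is enough; the family without a ruleset gets the rendered default (confirm which action that is)`, or require both names if the unnamed family would otherwise be accepted. verify() starts before and continues after the hunk.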
