From 654c8cad2daaf84a07e4664d2c0469a863a46bdc Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 25 May 2021 23:17:16 +0300 Subject: firewall: T3568: add XML definitions for firewall Add XML for configuration mode firewall. Used for future rewriting it to Python style. --- Makefile | 1 + interface-definitions/firewall.xml.in | 782 +++++++++++++++++++++ .../firewall/action-accept-drop-reject.xml.i | 25 + .../include/firewall/action.xml.i | 21 + .../include/firewall/address-ipv6.xml.i | 37 + .../include/firewall/address.xml.i | 39 + .../include/firewall/common-rule.xml.i | 326 +++++++++ .../include/firewall/description.xml.i | 11 + .../include/firewall/icmp-type-name.xml.i | 173 +++++ interface-definitions/include/firewall/log.xml.i | 15 + .../include/firewall/name-default-action.xml.i | 25 + .../include/firewall/name-default-log.xml.i | 8 + interface-definitions/include/firewall/port.xml.i | 23 + .../firewall/source-destination-group.xml.i | 24 + src/conf_mode/firewall.py | 73 ++ src/validators/ipv6-exclude | 7 + src/validators/ipv6-range | 16 + src/validators/ipv6-range-exclude | 7 + 18 files changed, 1613 insertions(+) create mode 100644 interface-definitions/firewall.xml.in create mode 100644 interface-definitions/include/firewall/action-accept-drop-reject.xml.i create mode 100644 interface-definitions/include/firewall/action.xml.i create mode 100644 interface-definitions/include/firewall/address-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/address.xml.i create mode 100644 interface-definitions/include/firewall/common-rule.xml.i create mode 100644 interface-definitions/include/firewall/description.xml.i create mode 100644 interface-definitions/include/firewall/icmp-type-name.xml.i create mode 100644 interface-definitions/include/firewall/log.xml.i create mode 100644 interface-definitions/include/firewall/name-default-action.xml.i create mode 100644 interface-definitions/include/firewall/name-default-log.xml.i create mode 100644 interface-definitions/include/firewall/port.xml.i create mode 100644 interface-definitions/include/firewall/source-destination-group.xml.i create mode 100755 src/conf_mode/firewall.py create mode 100755 src/validators/ipv6-exclude create mode 100755 src/validators/ipv6-range create mode 100755 src/validators/ipv6-range-exclude diff --git a/Makefile b/Makefile index 24a811e47..fcd43c4a7 100644 --- a/Makefile +++ b/Makefile @@ -41,6 +41,7 @@ interface_definitions: $(config_xml_obj) rm -f $(TMPL_DIR)/firewall/node.def rm -f $(TMPL_DIR)/vpn/node.def rm -f $(TMPL_DIR)/vpn/ipsec/node.def + rm -rf $(TMPL_DIR)/nfirewall rm -rf $(TMPL_DIR)/vpn/nipsec # XXX: test if there are empty node.def files - this is not allowed as these diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in new file mode 100644 index 000000000..5528d6bc5 --- /dev/null +++ b/interface-definitions/firewall.xml.in @@ -0,0 +1,782 @@ + + + + + 199 + Firewall + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + ^(enable|disable)$ + + + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + ^(enable|disable)$ + + + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + ^(enable|disable)$ + + + + + + Firewall group + + + + + Firewall address-group + + + + + Address-group member + + ipv4 + IPv4 address to match + + + ipv4range + IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) + + + + + + + + + #include + + + + + Firewall ipv6-address-group + + + + + Address-group member + + ipv6 + IPv6 address to match + + + + + + + + #include + + + + + Network-group member + + + #include + + + Network-group member + + ipv6net + IPv6 address to match + + + + + + + + + + + + Firewall network-group + + + #include + + + Network-group member + + ipv4net + IPv4 Subnet to match + + + + + + + + + + + + Firewall port-group + + + #include + + + Port-group member + + txt + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + start-end + Numbered port range (e.g. 1001-1050) + + + + + + + + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + ^(enable|disable)$ + + + + + + IPv6 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + Hop Limit + + + + + Value to match a hop limit equal to it + + u32:0-255 + Hop limit equal to value + + + + + + + + + Value to match a hop limit greater than or equal to it + + u32:0-255 + Hop limit greater than value + + + + + + + + + Value to match a hop limit less than or equal to it + + u32:0-255 + Hop limit less than value + + + + + + + + + + + ICMPv6 type and code information + + + + + ICMP type-name + + any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply + + + any + Any ICMP type/code + + + echo-reply + ICMP type/code name + + + pong + ICMP type/code name + + + destination-unreachable + ICMP type/code name + + + network-unreachable + ICMP type/code name + + + host-unreachable + ICMP type/code name + + + protocol-unreachable + ICMP type/code name + + + port-unreachable + ICMP type/code name + + + fragmentation-needed + ICMP type/code name + + + source-route-failed + ICMP type/code name + + + network-unknown + ICMP type/code name + + + host-unknown + ICMP type/code name + + + network-prohibited + ICMP type/code name + + + host-prohibited + ICMP type/code name + + + TOS-network-unreachable + ICMP type/code name + + + TOS-host-unreachable + ICMP type/code name + + + communication-prohibited + ICMP type/code name + + + host-precedence-violation + ICMP type/code name + + + precedence-cutoff + ICMP type/code name + + + source-quench + ICMP type/code name + + + redirect + ICMP type/code name + + + network-redirect + ICMP type/code name + + + host-redirect + ICMP type/code name + + + TOS-network-redirect + ICMP type/code name + + + TOS host-redirect + ICMP type/code name + + + echo-request + ICMP type/code name + + + ping + ICMP type/code name + + + router-advertisement + ICMP type/code name + + + router-solicitation + ICMP type/code name + + + time-exceeded + ICMP type/code name + + + ttl-exceeded + ICMP type/code name + + + ttl-zero-during-transit + ICMP type/code name + + + ttl-zero-during-reassembly + ICMP type/code name + + + parameter-problem + ICMP type/code name + + + ip-header-bad + ICMP type/code name + + + required-option-missing + ICMP type/code name + + + timestamp-request + ICMP type/code name + + + timestamp-reply + ICMP type/code name + + + address-mask-request + ICMP type/code name + + + address-mask-reply + ICMP type/code name + + + ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$ + + + + + + + + + P2P application packets + + + + + AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets + + + + + + AppleJuice application packets + + + + + + BitTorrent application packets + + + + + + Direct Connect application packets + + + + + + eDonkey/eMule application packets + + + + + + Gnutella application packets + + + + + + KaZaA application packets + + + + + + + + + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + ^(enable|disable)$ + + + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + ^(enable|disable)$ + + + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + ^(enable|disable)$ + + + + + + IPv4 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + ICMP type and code information + + + + + ICMP code (0-255) + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type (0-255) + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + + + + + Policy for handling received IPv4 ICMP redirect messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + ^(strict|loose|disable)$ + + + + + + Global firewall state-policy + + + + + Global firewall policy for packets part of an established connection + + + #include + #include + + + + + Global firewall policy for packets part of an invalid connection + + + #include + #include + + + + + Global firewall policy for packets part of a related connection + + + #include + #include + + + + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + ^(enable|disable)$ + + + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + ^(enable|disable)$ + + + + + + diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i new file mode 100644 index 000000000..9f8baa884 --- /dev/null +++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i @@ -0,0 +1,25 @@ + + + + Action for packets + + accept drop reject + + + accept + Action to accept + + + drop + Action to drop + + + reject + Action to reject + + + ^(accept|drop|reject)$ + + + + diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i new file mode 100644 index 000000000..230f590cb --- /dev/null +++ b/interface-definitions/include/firewall/action.xml.i @@ -0,0 +1,21 @@ + + + + Rule action [REQUIRED] + + permit deny + + + permit + Permit matching entries + + + deny + Deny matching entries + + + ^(permit|deny)$ + + + + diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i new file mode 100644 index 000000000..fa60c0c8a --- /dev/null +++ b/interface-definitions/include/firewall/address-ipv6.xml.i @@ -0,0 +1,37 @@ + + + + IP address, subnet, or range + + ipv6 + IP address to match + + + ipv6net + Subnet to match + + + ipv6range + IP range to match + + + !ipv6 + Match everything except the specified address + + + !ipv6net + Match everything except the specified prefix + + + !ipv6range + Match everything except the specified range + + + + + + + + + + diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i new file mode 100644 index 000000000..2e1bde5a5 --- /dev/null +++ b/interface-definitions/include/firewall/address.xml.i @@ -0,0 +1,39 @@ + + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + !ipv4 + Match everything except the specified address + + + !ipv4net + Match everything except the specified prefix + + + !ipv4range + Match everything except the specified range + + + + + + + + + + + + diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i new file mode 100644 index 000000000..466599e0a --- /dev/null +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -0,0 +1,326 @@ + +#include +#include + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + burst__change_me + + + + + + + + + Maximum average matching rate + + u32:0-4294967295 + rate__change_me + + + + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + ^(enable|disable)$ + + + + + + Protocol to match (protocol name, number, or "all") + + + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + 0-255 + IP protocol number + + + !<protocol> + IP protocol number + + + + + + all + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last N seconds + + u32:0-4294967295 + Source addresses seen in the last N seconds + + + + + + + + + + + Source parameters + + + #include + #include + + + Source MAC address + + <MAC address> + MAC address to match + + + !<MAC address> + Match everything except the specified MAC address + + + + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + + + TCP flags to match + + + + + TCP flags to match + + txt + TCP flags to match + + + + \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset + + + + + + + + Time to match rule + + + + + Monthdays to match rule on + + + + + Date to start matching rule + + + + + Time of day to start matching rule + + + + + Date to stop matching rule + + + + + Time of day to stop matching rule + + + + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC + + + + + + Weekdays to match rule on + + + + + diff --git a/interface-definitions/include/firewall/description.xml.i b/interface-definitions/include/firewall/description.xml.i new file mode 100644 index 000000000..b6bae406b --- /dev/null +++ b/interface-definitions/include/firewall/description.xml.i @@ -0,0 +1,11 @@ + + + + Description + + txt + Description + + + + diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i new file mode 100644 index 000000000..b45fb619b --- /dev/null +++ b/interface-definitions/include/firewall/icmp-type-name.xml.i @@ -0,0 +1,173 @@ + + + + ICMP type-name + + any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply + + + any + Any ICMP type/code + + + echo-reply + ICMP type/code name + + + pong + ICMP type/code name + + + destination-unreachable + ICMP type/code name + + + network-unreachable + ICMP type/code name + + + host-unreachable + ICMP type/code name + + + protocol-unreachable + ICMP type/code name + + + port-unreachable + ICMP type/code name + + + fragmentation-needed + ICMP type/code name + + + source-route-failed + ICMP type/code name + + + network-unknown + ICMP type/code name + + + host-unknown + ICMP type/code name + + + network-prohibited + ICMP type/code name + + + host-prohibited + ICMP type/code name + + + TOS-network-unreachable + ICMP type/code name + + + TOS-host-unreachable + ICMP type/code name + + + communication-prohibited + ICMP type/code name + + + host-precedence-violation + ICMP type/code name + + + precedence-cutoff + ICMP type/code name + + + source-quench + ICMP type/code name + + + redirect + ICMP type/code name + + + network-redirect + ICMP type/code name + + + host-redirect + ICMP type/code name + + + TOS-network-redirect + ICMP type/code name + + + TOS host-redirect + ICMP type/code name + + + echo-request + ICMP type/code name + + + ping + ICMP type/code name + + + router-advertisement + ICMP type/code name + + + router-solicitation + ICMP type/code name + + + time-exceeded + ICMP type/code name + + + ttl-exceeded + ICMP type/code name + + + ttl-zero-during-transit + ICMP type/code name + + + ttl-zero-during-reassembly + ICMP type/code name + + + parameter-problem + ICMP type/code name + + + ip-header-bad + ICMP type/code name + + + required-option-missing + ICMP type/code name + + + timestamp-request + ICMP type/code name + + + timestamp-reply + ICMP type/code name + + + address-mask-request + ICMP type/code name + + + address-mask-reply + ICMP type/code name + + + ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$ + + + + diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i new file mode 100644 index 000000000..46d20c1df --- /dev/null +++ b/interface-definitions/include/firewall/log.xml.i @@ -0,0 +1,15 @@ + + + + Option to log packets + + + + + Enable logging + + + + + + diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i new file mode 100644 index 000000000..1b61b076f --- /dev/null +++ b/interface-definitions/include/firewall/name-default-action.xml.i @@ -0,0 +1,25 @@ + + + + Default-action for rule-set + + drop reject accept + + + drop + Drop if no prior rules are hit (default) + + + reject + Drop and notify source if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + ^(drop|reject|accept)$ + + + + diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i new file mode 100644 index 000000000..979395146 --- /dev/null +++ b/interface-definitions/include/firewall/name-default-log.xml.i @@ -0,0 +1,8 @@ + + + + Option to log packets hitting default-action + + + + diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i new file mode 100644 index 000000000..59d92978b --- /dev/null +++ b/interface-definitions/include/firewall/port.xml.i @@ -0,0 +1,23 @@ + + + + Port + + txt + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + <start-end> + Numbered port range (e.g. 1001-1005) + + + + \n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005' + + + + diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i new file mode 100644 index 000000000..30226b0d8 --- /dev/null +++ b/interface-definitions/include/firewall/source-destination-group.xml.i @@ -0,0 +1,24 @@ + + + + Group + + + + + Group of addresses + + + + + Group of networks + + + + + Group of ports + + + + + diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py new file mode 100755 index 000000000..8e6ce5b14 --- /dev/null +++ b/src/conf_mode/firewall.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit + +from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configdict import node_changed +from vyos.configdict import leaf_node_changed +from vyos.template import render +from vyos.util import call +from vyos import ConfigError +from vyos import airbag +from pprint import pprint +airbag.enable() + + +def get_config(config=None): + + if config: + conf = config + else: + conf = Config() + base = ['nfirewall'] + firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, + no_tag_node_value_mangle=True) + + pprint(firewall) + return firewall + +def verify(firewall): + # bail out early - looks like removal from running config + if not firewall: + return None + + return None + +def generate(firewall): + if not firewall: + return None + + return None + +def apply(firewall): + if not firewall: + return None + + return None + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/validators/ipv6-exclude b/src/validators/ipv6-exclude new file mode 100755 index 000000000..893eeab09 --- /dev/null +++ b/src/validators/ipv6-exclude @@ -0,0 +1,7 @@ +#!/bin/sh +arg="$1" +if [ "${arg:0:1}" != "!" ]; then + exit 1 +fi +path=$(dirname "$0") +${path}/ipv6 "${arg:1}" diff --git a/src/validators/ipv6-range b/src/validators/ipv6-range new file mode 100755 index 000000000..033b6461b --- /dev/null +++ b/src/validators/ipv6-range @@ -0,0 +1,16 @@ +#!/usr/bin/python3 + +import sys +import re +from vyos.template import is_ipv6 + +if __name__ == '__main__': + if len(sys.argv)>1: + ipv6_range = sys.argv[1] + # Regex for ipv6-ipv6 https://regexr.com/ + if re.search('([a-f0-9:]+:+)+[a-f0-9]+-([a-f0-9:]+:+)+[a-f0-9]+', ipv6_range): + for tmp in ipv6_range.split('-'): + if not is_ipv6(tmp): + sys.exit(1) + + sys.exit(0) diff --git a/src/validators/ipv6-range-exclude b/src/validators/ipv6-range-exclude new file mode 100755 index 000000000..912b55ae3 --- /dev/null +++ b/src/validators/ipv6-range-exclude @@ -0,0 +1,7 @@ +#!/bin/sh +arg="$1" +if [ "${arg:0:1}" != "!" ]; then + exit 1 +fi +path=$(dirname "$0") +${path}/ipv6-range "${arg:1}" -- cgit v1.2.3