From 8ef944b854de54bce95b91257d7a3cd22ed48064 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Mon, 10 Apr 2023 17:55:48 +0000
Subject: T5065: Add verify for firewall port-group and port

We cannot use both 'port' and 'port-group' for the same direction
in one rule at the same time
Otherwise it generates wrong rules that don't block anything

  set P_pgrp {
	type inet_service
	flags interval
	auto-merge
	elements = { 101-105 }
  }

  chain NAME_foo {
	tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10"
	counter return comment "foo default-action accept"
  }
---
 src/conf_mode/firewall.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index c41a442df..190587980 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -282,6 +282,9 @@ def verify_rule(firewall, rule_conf, ipv6):
                 if rule_conf['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
                     raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port or port-group')
 
+            if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
+                raise ConfigError(f'{side} port-group and port cannot both be defined')
+
     if 'log_options' in rule_conf:
         if 'log' not in rule_conf or 'enable' not in rule_conf['log']:
             raise ConfigError('log-options defined, but log is not enable')
-- 
cgit v1.2.3