From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation
---
interface-definitions/firewall.xml.in | 3 ++
interface-definitions/include/firewall/port.xml.i | 5 ++-
src/validators/port-multi | 43 +++++++++++++++++++++++
3 files changed, 50 insertions(+), 1 deletion(-)
create mode 100755 src/validators/port-multi
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 78a48a522..07a36093f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -182,6 +182,9 @@
Numbered port range (e.g. 1001-1050)
+
+
+
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
index 59d92978b..3bacafff8 100644
--- a/interface-definitions/include/firewall/port.xml.i
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -16,8 +16,11 @@
- \n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'
+ \n\n Multiple destination ports can be specified as a comma-separated list.\n For example: 'telnet,http,123,1001-1005'
+
+
+
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+ names = []
+ service_data = read_file(services_file, "")
+ for line in service_data.split("\n"):
+ if not line or line[0] == '#':
+ continue
+ names.append(line.split(None, 1)[0])
+ return names
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ ports = sys.argv[1].split(",")
+ services = get_services()
+
+ for port in ports:
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+ port_1, port_2 = port.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ if int(port_1) > int(port_2):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ elif port.isnumeric():
+ if int(port) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port')
+ sys.exit(1)
+ elif port not in services:
+ print(f'Error: {port} is not a valid service name')
+ sys.exit(1)
+ else:
+ sys.exit(2)
+
+ sys.exit(0)
--
cgit v1.2.3