From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation

---
 interface-definitions/firewall.xml.in             |  3 ++
 interface-definitions/include/firewall/port.xml.i |  5 ++-
 src/validators/port-multi                         | 43 +++++++++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100755 src/validators/port-multi

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 78a48a522..07a36093f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -182,6 +182,9 @@
                     <description>Numbered port range (e.g. 1001-1050)</description>
                   </valueHelp>
                   <multi/>
+                  <constraint>
+                    <validator name="port-range"/>
+                  </constraint>
                 </properties>
               </leafNode>
             </children>
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
index 59d92978b..3bacafff8 100644
--- a/interface-definitions/include/firewall/port.xml.i
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -16,8 +16,11 @@
     </valueHelp>
     <valueHelp>
       <format> </format>
-      <description>\n\n  Multiple destination ports can be specified as a comma-separated list.\n  The whole list can also be negated using '!'.\n  For example: '!22,telnet,http,123,1001-1005'</description>
+      <description>\n\n  Multiple destination ports can be specified as a comma-separated list.\n  For example: 'telnet,http,123,1001-1005'</description>
     </valueHelp>
+    <constraint>
+      <validator name="port-multi"/>
+    </constraint>
   </properties>
 </leafNode>
 <!-- include end -->
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+    names = []
+    service_data = read_file(services_file, "")
+    for line in service_data.split("\n"):
+        if not line or line[0] == '#':
+            continue
+        names.append(line.split(None, 1)[0])
+    return names
+
+if __name__ == '__main__':
+    if len(sys.argv)>1:
+        ports = sys.argv[1].split(",")
+        services = get_services()
+
+        for port in ports:
+            if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+                port_1, port_2 = port.split('-')
+                if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+                if int(port_1) > int(port_2):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+            elif port.isnumeric():
+                if int(port) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port')
+                    sys.exit(1)
+            elif port not in services:
+                print(f'Error: {port} is not a valid service name')
+                sys.exit(1)
+    else:
+        sys.exit(2)
+
+    sys.exit(0)
-- 
cgit v1.2.3