From 37cfa8cdb1c6a1d395109aabd3ee29e83db151da Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Sat, 27 Aug 2022 15:35:52 +0000
Subject: Firewall: T4651: Add options to match packet size on firewall rules.

---
 python/vyos/firewall.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'python')

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 663c4394a..a4fd64830 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -265,6 +265,32 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 if 'type' in rule_conf[icmp]:
                     output.append(icmp + ' type ' + rule_conf[icmp]['type'])
 
+
+    if 'ip_length' in rule_conf:
+        #proto = rule_conf['protocol']
+        length = rule_conf['ip_length'].split(',')
+
+        lengths = []
+        negated_lengths = []
+
+        for p in length:
+            if p[0] == '!':
+                negated_lengths.append(p[1:])
+            else:
+                lengths.append(p)
+
+        #if proto == 'tcp_udp':
+        #    proto = 'th'
+
+        if lengths:
+            lengths_str = ','.join(lengths)
+            output.append(f'ip{def_suffix} length {{{lengths_str}}}')
+
+        if negated_lengths:
+            negated_lengths_str = ','.join(negated_lengths)
+            output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
+
+
     if 'ipsec' in rule_conf:
         if 'match_ipsec' in rule_conf['ipsec']:
             output.append('meta ipsec == 1')
-- 
cgit v1.2.3
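Review bot: The `p[0] == '!'` test in the new ip_length loop raises IndexError on an empty element, which `split(',')` yields for a trailing or doubled comma (`'100,'`, `'100,,200'`), so a slightly malformed value aborts the whole rule rendering instead of being rejected; `if p.startswith('!'):` is the safe form, and skipping empty tokens with `for p in filter(None, length):` keeps the generated nft set well-formed. The two commented-out `proto` fragments are dead code carried into the commit and should be dropped rather than left as a note to a future reader. The length tokens are interpolated verbatim into the nftables rule text, so this block presumably relies on the interface-definition validator upstream to restrict them to numbers and ranges — worth confirming, and worth a one-line comment such as `# ip_length is a comma list of lengths or ranges, optionally '!'-prefixed; format validated by the CLI definition`. parse_rule starts and ends outside this hunk.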