From 1e7d01e5b5a12c5bfaa8989ae6073679f6b647b0 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Tue, 12 May 2020 20:58:34 +0200
Subject: nat: T2198: add some basic verify() rules

---
 src/conf_mode/nat.py | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
(limited to 'src/conf_mode')

diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 580a06136..bde6841cc 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -25,6 +25,7 @@ from netifaces import interfaces
 from vyos.config import Config
 from vyos.template import render
 from vyos.util import call, cmd
+from vyos.validate import is_addr_assigned
 from vyos import ConfigError
 
 default_config_data = {
@@ -176,6 +177,18 @@ def get_config():
 
     return nat
 
+def verify_rule(rule):
+    if rule['translation_port']:
+        if rule['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+            proto = rule['protocol']
+            raise ConfigError(f'{err_msg} ports can only be specified when protocol is "tcp", "udp" or "tcp_udp" (currently "{proto}")')
+
+        if '/' in rule['translation_address']:
+            raise ConfigError(f'{err_msg}\n' \
+                              'Cannot use ports with an IPv4net type translation address as it\n' \
+                              'statically maps a whole network of addresses onto another\n' \
+                              'network of addresses')
+
 def verify(nat):
     if nat['deleted']:
         # no need to verify the CLI as NAT is going to be deactivated
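Review bot: `err_msg` is a free name inside the new `verify_rule()` — it is neither a parameter nor defined in the function, so both `raise ConfigError(f'{err_msg} ...')` lines fail with `NameError` precisely when a rule is invalid, and the operator gets a traceback instead of the intended configuration error. Thread the prefix in explicitly: `def verify_rule(rule, err_msg):` and have `verify()` call `verify_rule(rule, err_msg)`. The `'/' in rule['translation_address']` test also assumes the address is a string; if a rule can leave `translation_address` unset (the defaults are outside this hunk), guard it as `if rule['translation_address'] and '/' in rule['translation_address']:` to avoid a `TypeError`. The `verify()` function whose first lines close this hunk continues past the end of the hunk.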
@@ -190,6 +203,32 @@ def verify(nat):
         if interface and interface not in interfaces():
             print(f'NAT configuration warning: interface {interface} does not exist on this system')
 
+        err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+
+        if not rule['interface_out']:
+            raise ConfigError(f'{err_msg} outbound-interface not specified')
+
+        if not rule['translation_address']:
+            raise ConfigError(f'{err_msg} translation address not specified')
+        else:
+            addr = rule['translation_address']
+            if addr != 'masquerade' and not is_addr_assigned(addr):
+                printf(f'Warning: IP address {addr} does not exist on the system!')
+
+        # common rule verification
+        verify_rule(rule)
+
+    for rule in nat['destination']:
+        interface = rule['interface_in']
+        if interface and interface not in interfaces():
+            print(f'NAT configuration warning: interface {interface} does not exist on this system')
+
+        if not rule['interface_in']:
+            raise ConfigError(f'{err_msg} inbound-interface not specified')
+
+        # common rule verification
+        verify_rule(rule)
+
     return None
 
 def generate(nat):
-- 
cgit v1.2.3
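Review bot: `printf(...)` on the translation-address warning line is not a Python builtin, so a translation address that is not assigned on the system crashes `verify()` with `NameError` instead of printing the warning; it should be `print(f'Warning: IP address {addr} does not exist on the system!')`. In the `nat['destination']` loop `err_msg` is reused from the source loop, so a destination rule missing its inbound-interface is reported as a "Source NAT configuration error" carrying the last source rule's number (or raises `NameError` when there are no source rules at all); add `err_msg = f"Destination NAT configuration error in rule {rule['number']}:"` as the first statement of that loop. `is_addr_assigned(addr)` is handed whatever string the CLI accepted as translation address — if that can be a range or prefix rather than a single host, confirm the helper handles it rather than silently returning False. The header of `verify()` lies above this hunk.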