From e389729f4de84ce3f32e1a0cdb471c919d7d7807 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Tue, 11 Jan 2022 00:28:37 +0100 Subject: firewall: T4159: Add warning when an empty group is applied to a rule --- src/conf_mode/firewall.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'src/conf_mode') diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index bca5afb2e..7b491a325 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -153,17 +153,16 @@ def verify_rule(firewall, rule_conf, ipv6): for group in valid_groups: if group in side_conf['group']: group_name = side_conf['group'][group] - fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group + error_group = fw_group.replace("_", "-") + group_obj = dict_search_args(firewall, 'group', fw_group, group_name) - if not dict_search_args(firewall, 'group', fw_group): - error_group = fw_group.replace("_", "-") - raise ConfigError(f'Group defined in rule but {error_group} is not configured') - - if group_name not in firewall['group'][fw_group]: - error_group = group.replace("_", "-") + if group_obj is None: raise ConfigError(f'Invalid {error_group} "{group_name}" on firewall rule') + if not group_obj: + print(f'WARNING: {error_group} "{group_name}" has no members') + if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'): if 'protocol' not in rule_conf: raise ConfigError('Protocol must be defined if specifying a port or port-group') -- cgit v1.2.3
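Review bot: The new `if not group_obj:` branch only prints a warning, so a rule that references a member-less group still passes verification; how such a rule is rendered is not visible here, and if the match simply never fires, a drop or reject rule would let that traffic fall through to later rules or the default action. The message names the group but not the rule or the source/destination side it is applied to, so it would help to include them, e.g. `print(f'WARNING: {error_group} "{group_name}" has no members (rule RULE_ID_PLACEHOLDER)')` with whatever identifier the caller can pass in. `not group_obj` is true only for a completely empty node, so a group holding only non-member keys (a description, if the schema allows one) would skip the warning; this is worth confirming against the group definition. verify_rule starts and ends outside this hunk, so the surrounding loop and its callers are not visible.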