From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation
---
 src/validators/port-multi | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 src/validators/port-multi
(limited to 'src/validators/port-multi')
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+ names = []
+ service_data = read_file(services_file, "")
+ for line in service_data.split("\n"):
+ if not line or line[0] == '#':
+ continue
+ names.append(line.split(None, 1)[0])
+ return names
+
+if __name__ == '__main__':
+ if len(sys.argv)>1:
+ ports = sys.argv[1].split(",")
+ services = get_services()
+
+ for port in ports:
+ if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+ port_1, port_2 = port.split('-')
+ if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ if int(port_1) > int(port_2):
+ print(f'Error: {port} is not a valid port range')
+ sys.exit(1)
+ elif port.isnumeric():
+ if int(port) not in range(1, 65535):
+ print(f'Error: {port} is not a valid port')
+ sys.exit(1)
+ elif port not in services:
+ print(f'Error: {port} is not a valid service name')
+ sys.exit(1)
+ else:
+ sys.exit(2)
+
+ sys.exit(0)
-- cgit v1.2.3
From 4793e2fc0baf09c8ef128147106acb8bb69ba02b Mon Sep 17 00:00:00 2001
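Review bot: The single-port branch `elif port.isnumeric():` accepts more than ASCII digits: `str.isnumeric()` is true for non-ASCII decimal digits, which `int()` then parses, and for characters such as superscripts or fractions, on which `int()` raises an uncaught ValueError. Since the accepted string is presumably stored in the firewall configuration as typed, the check should pin the alphabet, for example `elif re.fullmatch('[0-9]{1,5}', port):`. The range pattern has a related gap, because `$` also matches before a trailing newline; `re.fullmatch('[0-9]{1,5}-[0-9]{1,5}', port)` closes it. The same two checks appear in src/validators/port-range, shown in the following commit on this page.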
From: Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs
Date: Tue, 11 Jan 2022 20:41:20 +0100
Subject: firewall: validators: T4174: Correct upper port range boundary
---
 src/validators/port-multi | 4 ++--
 src/validators/port-range | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/validators/port-multi')
diff --git a/src/validators/port-multi b/src/validators/port-multi
index 763d34e57..017ea78fb 100755
--- a/src/validators/port-multi
+++ b/src/validators/port-multi
@@ -24,14 +24,14 @@ if __name__ == '__main__':
 for port in ports:
 if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
 port_1, port_2 = port.split('-')
- if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536):
 print(f'Error: {port} is not a valid port range')
 sys.exit(1)
 if int(port_1) > int(port_2):
 print(f'Error: {port} is not a valid port range')
 sys.exit(1)
 elif port.isnumeric():
- if int(port) not in range(1, 65535):
+ if int(port) not in range(1, 65536):
 print(f'Error: {port} is not a valid port')
 sys.exit(1)
 elif port not in services:
diff --git a/src/validators/port-range b/src/validators/port-range
index 657a21e20..6c01048f0 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -12,11 +12,11 @@ if __name__ == '__main__':
 port_range = sys.argv[1]
 if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
 port_1, port_2 = port_range.split('-')
- if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+ if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536):
 error(port_range)
 if int(port_1) > int(port_2):
 error(port_range)
- elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+ elif not port_range.isnumeric() or int(port_range) not in range(1, 65536):
 error(port_range)
 else:
 sys.exit(2)
-- cgit v1.2.3
From a132ba993e786994a3b129c72fb0024931339619 Mon Sep 17 00:00:00 2001
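Review bot: The corrected limit is still written as the exclusive end of `range()` on all four changed lines in port-multi and port-range, which is the form that let 65535 be rejected in the first place. An inclusive comparison such as `if not 1 <= int(port) <= 65535:` states the highest valid port literally and leaves no end-point arithmetic to get wrong. A single shared constant for 65535 would also keep the two validators from drifting apart. Both `if __name__ == '__main__':` blocks start and end outside these hunks.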
From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Wed, 12 Jan 2022 00:59:53 +0100 Subject: firewall: T4160: Fix support for inverse matches --- python/vyos/firewall.py | 35 ++++++++++++++++++++++++++++------- src/validators/port-multi | 2 ++ 2 files changed, 30 insertions(+), 7 deletions(-) (limited to 'src/validators/port-multi') diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 414ec89c1..66dc8bc40 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -45,13 +45,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'state' in rule_conf and rule_conf['state']: states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable']) - output.append(f'ct state {{{states}}}') + + if states: + output.append(f'ct state {{{states}}}') if 'protocol' in rule_conf and rule_conf['protocol'] != 'all': proto = rule_conf['protocol'] + operator = '' + if proto[0] == '!': + operator = '!=' + proto = proto[1:] if proto == 'tcp_udp': proto = '{tcp, udp}' - output.append('meta l4proto ' + proto) + output.append(f'meta l4proto {operator} {proto}') for side in ['destination', 'source']: if side in rule_conf: @@ -59,7 +65,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): side_conf = rule_conf[side] if 'address' in side_conf: - output.append(f'{ip_name} {prefix}addr {side_conf["address"]}') + suffix = side_conf['address'] + if suffix[0] == '!': + suffix = f'!= {suffix[1:]}' + output.append(f'{ip_name} {prefix}addr {suffix}') if 'mac_address' in side_conf: suffix = side_conf["mac_address"] 
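Review bot: The negation test `proto[0] == '!'` indexes the string before checking that it is non-empty, so an empty protocol value would raise IndexError instead of producing a rule or a clean error; the same pattern is used for `suffix[0]` in the address hunk and for `p[0]` in the port hunk of this file. Whether an empty value can reach parse_rule depends on validation outside this diff, but the port-multi validator changed in the same commit already guards with `if port and port[0] == '!':`. `if proto.startswith('!'):` (and likewise for `suffix` and `p`) is safe on an empty string and reads the same. parse_rule starts and ends outside these hunks.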
@@ -69,15 +78,27 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if 'port' in side_conf: proto = rule_conf['protocol'] - port = side_conf["port"] + port = side_conf['port'].split(',') - if isinstance(port, list): - port = ",".join(port) + ports = [] + negated_ports = [] + + for p in port: + if p[0] == '!': + negated_ports.append(p[1:]) + else: + ports.append(p) if proto == 'tcp_udp': proto = 'th' - output.append(f'{proto} {prefix}port {{{port}}}') + if ports: + ports_str = ','.join(ports) + output.append(f'{proto} {prefix}port {{{ports_str}}}') + + if negated_ports: + negated_ports_str = ','.join(negated_ports) + output.append(f'{proto} {prefix}port != {{{negated_ports_str}}}') if 'group' in side_conf: group = side_conf['group'] diff --git a/src/validators/port-multi b/src/validators/port-multi index 017ea78fb..cef371563 100755 --- a/src/validators/port-multi +++ b/src/validators/port-multi @@ -22,6 +22,8 @@ if __name__ == '__main__': services = get_services() for port in ports: + if port and port[0] == '!': + port = port[1:] if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port): port_1, port_2 = port.split('-') if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536): -- cgit v1.2.3
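Review bot: In the port block `proto` is read again from `rule_conf['protocol']`, so the `!` that the l4proto branch strips from its own local copy is still present here: a rule with a negated protocol and a port would compare `'!tcp_udp'` against `'tcp_udp'` and put the `!`-prefixed name into `{proto} {prefix}port ...`. If configuration verification does not already forbid a port match together with an inverse protocol match, this branch should reject or handle that case explicitly, for example by testing `proto.startswith('!')` before building the expression. parse_rule continues outside the hunk, so the surrounding handling is not visible here.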