From a5ad98b2307af974dd498a84caec94fa613f7491 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 01:00:12 +0100
Subject: firewall: validators: T2199: Improve port validation

---
 src/validators/port-multi | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 src/validators/port-multi

(limited to 'src/validators')

diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+    names = []
+    service_data = read_file(services_file, "")
+    for line in service_data.split("\n"):
+        if not line or line[0] == '#':
+            continue
+        names.append(line.split(None, 1)[0])
+    return names
+
+if __name__ == '__main__':
+    if len(sys.argv)>1:
+        ports = sys.argv[1].split(",")
+        services = get_services()
+
+        for port in ports:
+            if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+                port_1, port_2 = port.split('-')
+                if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+                if int(port_1) > int(port_2):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+            elif port.isnumeric():
+                if int(port) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port')
+                    sys.exit(1)
+            elif port not in services:
+                print(f'Error: {port} is not a valid service name')
+                sys.exit(1)
+    else:
+        sys.exit(2)
+
+    sys.exit(0)
-- 
cgit v1.2.3


From da370b63b266254d9a7a7ae15274a9a70bcf5417 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 9 Jan 2022 23:37:12 +0100
Subject: validators: T4148: Add text output when validators fail

---
 src/validators/ipv4-range | 13 +++++++++----
 src/validators/port-range |  2 ++
 2 files changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/validators')

diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range
index cc59039f1..6492bfc52 100755
--- a/src/validators/ipv4-range
+++ b/src/validators/ipv4-range
@@ -7,6 +7,11 @@ ip2dec () {
     printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
 }
 
+error_exit() {
+  echo "Error: $1 is not a valid IPv4 address range"
+  exit 1
+}
+
 # Only run this if there is a hypen present in $1
 if [[ "$1" =~ "-" ]]; then
   # This only works with real bash (<<<) - split IP addresses into array with
@@ -15,21 +20,21 @@ if [[ "$1" =~ "-" ]]; then
 
   ipaddrcheck --is-ipv4-single ${strarr[0]}
   if [ $? -gt 0 ]; then
-    exit 1
+    error_exit $1
   fi
 
   ipaddrcheck --is-ipv4-single ${strarr[1]}
   if [ $? -gt 0 ]; then
-    exit 1
+    error_exit $1
   fi
 
   start=$(ip2dec ${strarr[0]})
   stop=$(ip2dec ${strarr[1]})
   if [ $start -ge $stop ]; then
-    exit 1
+    error_exit $1
   fi
 
   exit 0
 fi
 
-exit 1
+error_exit $1
diff --git a/src/validators/port-range b/src/validators/port-range
index abf0b09d5..6e68c8733 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -9,9 +9,11 @@ if __name__ == '__main__':
         if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
             for tmp in port_range.split('-'):
                 if int(tmp) not in range(1, 65535):
+                    print(f'Error: {port_range} is not a valid port range')
                     sys.exit(1)
         else:
             if int(port_range) not in range(1, 65535):
+                print(f'Error: {port_range} is not a valid port')
                 sys.exit(1)
     else:
         sys.exit(2)
-- 
cgit v1.2.3


From 0a0e7d789e7e482b65cbca47bff1dcb427891a88 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 9 Jan 2022 23:45:04 +0100
Subject: validators: Stricter checking on port-range validator

---
 src/validators/port-range | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'src/validators')

diff --git a/src/validators/port-range b/src/validators/port-range
index 6e68c8733..657a21e20 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -3,18 +3,21 @@
 import sys
 import re
 
+def error(port_range):
+    print(f'Error: {port_range} is not a valid port or port range')
+    sys.exit(1)
+
 if __name__ == '__main__':
     if len(sys.argv)>1:
         port_range = sys.argv[1]
-        if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
-            for tmp in port_range.split('-'):
-                if int(tmp) not in range(1, 65535):
-                    print(f'Error: {port_range} is not a valid port range')
-                    sys.exit(1)
-        else:
-            if int(port_range) not in range(1, 65535):
-                print(f'Error: {port_range} is not a valid port')
-                sys.exit(1)
+        if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
+            port_1, port_2 = port_range.split('-')
+            if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                error(port_range)
+            if int(port_1) > int(port_2):
+                error(port_range)
+        elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+                error(port_range)
     else:
         sys.exit(2)
 
-- 
cgit v1.2.3


From f97144259335102c3d96b232cbb0af4970120d62 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 10 Jan 2022 23:24:50 +0100
Subject: validators: T4144: Add error messages to the majority of IP
 validators

---
 src/validators/ip-address     | 7 +++++++
 src/validators/ip-cidr        | 7 +++++++
 src/validators/ip-host        | 7 +++++++
 src/validators/ip-prefix      | 7 +++++++
 src/validators/ip-protocol    | 1 +
 src/validators/ipv4           | 7 +++++++
 src/validators/ipv4-address   | 7 +++++++
 src/validators/ipv4-host      | 7 +++++++
 src/validators/ipv4-multicast | 7 +++++++
 src/validators/ipv4-prefix    | 7 +++++++
 src/validators/ipv6           | 7 +++++++
 src/validators/ipv6-address   | 7 +++++++
 src/validators/ipv6-host      | 7 +++++++
 src/validators/ipv6-multicast | 7 +++++++
 src/validators/ipv6-prefix    | 7 +++++++
 src/validators/ipv6-range     | 1 +
 16 files changed, 100 insertions(+)

(limited to 'src/validators')

diff --git a/src/validators/ip-address b/src/validators/ip-address
index 51fb72c85..11d6df09e 100755
--- a/src/validators/ip-address
+++ b/src/validators/ip-address
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-any-single $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IP address"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ip-cidr b/src/validators/ip-cidr
index 987bf84ca..60d2ac295 100755
--- a/src/validators/ip-cidr
+++ b/src/validators/ip-cidr
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-any-cidr $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IP CIDR"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ip-host b/src/validators/ip-host
index f2906e8cf..77c578fa2 100755
--- a/src/validators/ip-host
+++ b/src/validators/ip-host
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-any-host $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IP host"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ip-prefix b/src/validators/ip-prefix
index e58aad395..e5a64fea8 100755
--- a/src/validators/ip-prefix
+++ b/src/validators/ip-prefix
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-any-net $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IP prefix"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ip-protocol b/src/validators/ip-protocol
index 7898fa6d0..c4c882502 100755
--- a/src/validators/ip-protocol
+++ b/src/validators/ip-protocol
@@ -38,4 +38,5 @@ if __name__ == '__main__':
     if re.match(pattern, input):
         exit(0)
 
+    print(f'Error: {input} is not a valid IP protocol')
     exit(1)
diff --git a/src/validators/ipv4 b/src/validators/ipv4
index 53face090..8676d5800 100755
--- a/src/validators/ipv4
+++ b/src/validators/ipv4
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv4 $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not IPv4"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv4-address b/src/validators/ipv4-address
index 872a7645a..058db088b 100755
--- a/src/validators/ipv4-address
+++ b/src/validators/ipv4-address
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv4-single $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv4 address"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv4-host b/src/validators/ipv4-host
index f42feffa4..74b8c36a7 100755
--- a/src/validators/ipv4-host
+++ b/src/validators/ipv4-host
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv4-host $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv4 host"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv4-multicast b/src/validators/ipv4-multicast
index 5465c728d..3f28c51db 100755
--- a/src/validators/ipv4-multicast
+++ b/src/validators/ipv4-multicast
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv4-multicast $1 && ipaddrcheck --is-ipv4-single $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv4 multicast address"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv4-prefix b/src/validators/ipv4-prefix
index 8ec8a2c45..7e1e0e8dd 100755
--- a/src/validators/ipv4-prefix
+++ b/src/validators/ipv4-prefix
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv4-net $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv4 prefix"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6 b/src/validators/ipv6
index f18d4a63e..4ae130eb5 100755
--- a/src/validators/ipv6
+++ b/src/validators/ipv6
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv6 $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not IPv6"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6-address b/src/validators/ipv6-address
index e5d68d756..1fca77668 100755
--- a/src/validators/ipv6-address
+++ b/src/validators/ipv6-address
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv6-single $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv6 address"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6-host b/src/validators/ipv6-host
index f7a745077..7085809a9 100755
--- a/src/validators/ipv6-host
+++ b/src/validators/ipv6-host
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv6-host $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv6 host"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6-multicast b/src/validators/ipv6-multicast
index 5afc437e5..5aa7d734a 100755
--- a/src/validators/ipv6-multicast
+++ b/src/validators/ipv6-multicast
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv6-multicast $1 && ipaddrcheck --is-ipv6-single $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv6 multicast address"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6-prefix b/src/validators/ipv6-prefix
index e43616350..890dda723 100755
--- a/src/validators/ipv6-prefix
+++ b/src/validators/ipv6-prefix
@@ -1,3 +1,10 @@
 #!/bin/sh
 
 ipaddrcheck --is-ipv6-net $1
+
+if [ $? -gt 0 ]; then
+    echo "Error: $1 is not a valid IPv6 prefix"
+    exit 1
+fi
+
+exit 0
\ No newline at end of file
diff --git a/src/validators/ipv6-range b/src/validators/ipv6-range
index 033b6461b..a3c401281 100755
--- a/src/validators/ipv6-range
+++ b/src/validators/ipv6-range
@@ -11,6 +11,7 @@ if __name__ == '__main__':
         if re.search('([a-f0-9:]+:+)+[a-f0-9]+-([a-f0-9:]+:+)+[a-f0-9]+', ipv6_range):
             for tmp in ipv6_range.split('-'):
                 if not is_ipv6(tmp):
+                    print(f'Error: {ipv6_range} is not a valid IPv6 range')
                     sys.exit(1)
 
     sys.exit(0)
-- 
cgit v1.2.3


From 4793e2fc0baf09c8ef128147106acb8bb69ba02b Mon Sep 17 00:00:00 2001
From: Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs <me@bjw-s.dev>
Date: Tue, 11 Jan 2022 20:41:20 +0100
Subject: firewall: validators: T4174: Correct upper port range boundary

---
 src/validators/port-multi | 4 ++--
 src/validators/port-range | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/validators')

diff --git a/src/validators/port-multi b/src/validators/port-multi
index 763d34e57..017ea78fb 100755
--- a/src/validators/port-multi
+++ b/src/validators/port-multi
@@ -24,14 +24,14 @@ if __name__ == '__main__':
         for port in ports:
             if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
                 port_1, port_2 = port.split('-')
-                if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536):
                     print(f'Error: {port} is not a valid port range')
                     sys.exit(1)
                 if int(port_1) > int(port_2):
                     print(f'Error: {port} is not a valid port range')
                     sys.exit(1)
             elif port.isnumeric():
-                if int(port) not in range(1, 65535):
+                if int(port) not in range(1, 65536):
                     print(f'Error: {port} is not a valid port')
                     sys.exit(1)
             elif port not in services:
diff --git a/src/validators/port-range b/src/validators/port-range
index 657a21e20..6c01048f0 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -12,11 +12,11 @@ if __name__ == '__main__':
         port_range = sys.argv[1]
         if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
             port_1, port_2 = port_range.split('-')
-            if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+            if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536):
                 error(port_range)
             if int(port_1) > int(port_2):
                 error(port_range)
-        elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+        elif not port_range.isnumeric() or int(port_range) not in range(1, 65536):
                 error(port_range)
     else:
         sys.exit(2)
-- 
cgit v1.2.3


From a132ba993e786994a3b129c72fb0024931339619 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Wed, 12 Jan 2022 00:59:53 +0100
Subject: firewall: T4160: Fix support for inverse matches

---
 python/vyos/firewall.py   | 35 ++++++++++++++++++++++++++++-------
 src/validators/port-multi |  2 ++
 2 files changed, 30 insertions(+), 7 deletions(-)

(limited to 'src/validators')

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 414ec89c1..66dc8bc40 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -45,13 +45,19 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 
     if 'state' in rule_conf and rule_conf['state']:
         states = ",".join([s for s, v in rule_conf['state'].items() if v == 'enable'])
-        output.append(f'ct state {{{states}}}')
+
+        if states:
+            output.append(f'ct state {{{states}}}')
 
     if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
         proto = rule_conf['protocol']
+        operator = ''
+        if proto[0] == '!':
+            operator = '!='
+            proto = proto[1:]
         if proto == 'tcp_udp':
             proto = '{tcp, udp}'
-        output.append('meta l4proto ' + proto)
+        output.append(f'meta l4proto {operator} {proto}')
 
     for side in ['destination', 'source']:
         if side in rule_conf:
@@ -59,7 +65,10 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
             side_conf = rule_conf[side]
 
             if 'address' in side_conf:
-                output.append(f'{ip_name} {prefix}addr {side_conf["address"]}')
+                suffix = side_conf['address']
+                if suffix[0] == '!':
+                    suffix = f'!= {suffix[1:]}'
+                output.append(f'{ip_name} {prefix}addr {suffix}')
 
             if 'mac_address' in side_conf:
                 suffix = side_conf["mac_address"]
@@ -69,15 +78,27 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 
             if 'port' in side_conf:
                 proto = rule_conf['protocol']
-                port = side_conf["port"]
+                port = side_conf['port'].split(',')
 
-                if isinstance(port, list):
-                    port = ",".join(port)
+                ports = []
+                negated_ports = []
+
+                for p in port:
+                    if p[0] == '!':
+                        negated_ports.append(p[1:])
+                    else:
+                        ports.append(p)
 
                 if proto == 'tcp_udp':
                     proto = 'th'
 
-                output.append(f'{proto} {prefix}port {{{port}}}')
+                if ports:
+                    ports_str = ','.join(ports)
+                    output.append(f'{proto} {prefix}port {{{ports_str}}}')
+
+                if negated_ports:
+                    negated_ports_str = ','.join(negated_ports)
+                    output.append(f'{proto} {prefix}port != {{{negated_ports_str}}}')
 
             if 'group' in side_conf:
                 group = side_conf['group']
diff --git a/src/validators/port-multi b/src/validators/port-multi
index 017ea78fb..cef371563 100755
--- a/src/validators/port-multi
+++ b/src/validators/port-multi
@@ -22,6 +22,8 @@ if __name__ == '__main__':
         services = get_services()
 
         for port in ports:
+            if port and port[0] == '!':
+                port = port[1:]
             if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
                 port_1, port_2 = port.split('-')
                 if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536):
-- 
cgit v1.2.3


From df5a862beb84145dfc8434efde7d7fee783199cf Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 13 Jan 2022 12:58:37 +0100
Subject: firewall: T4178: Use lowercase for TCP flags and add an validator

---
 .../include/firewall/common-rule.xml.i             | 34 ++++++++++++++++++++--
 .../include/policy/route-common-rule-ipv6.xml.i    | 34 ++++++++++++++++++++--
 .../include/policy/route-common-rule.xml.i         | 34 ++++++++++++++++++++--
 python/vyos/firewall.py                            |  7 ++---
 src/conf_mode/firewall.py                          |  3 ++
 src/conf_mode/policy-route.py                      | 10 +++----
 src/validators/tcp-flag                            | 19 ++++++++++++
 7 files changed, 126 insertions(+), 15 deletions(-)
 create mode 100755 src/validators/tcp-flag

(limited to 'src/validators')

diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 92950cc68..6e8203c88 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -274,12 +274,42 @@
         <help>TCP flags to match</help>
         <valueHelp>
           <format>txt</format>
-          <description>TCP flags to match</description>
+          <description>Multiple comma-separated flags</description>
+        </valueHelp>
+        <valueHelp>
+          <format>syn</format>
+          <description>Syncronise flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ack</format>
+          <description>Acknowledge flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>fin</format>
+          <description>Finish flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>rst</format>
+          <description>Reset flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>urg</format>
+          <description>Urgent flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>psh</format>
+          <description>Push flag</description>
         </valueHelp>
         <valueHelp>
           <format> </format>
-          <description>\n\n  Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n  When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n  the SYN flag set, and the ACK, FIN and RST flags unset</description>
+          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
         </valueHelp>
+        <completionHelp>
+          <list>syn ack fin rst urg psh</list>
+        </completionHelp>
+        <constraint>
+          <validator name="tcp-flag"/>
+        </constraint>
       </properties>
     </leafNode>
   </children>
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index 2d6adcd1d..b8fee4b7b 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -330,12 +330,42 @@
         <help>TCP flags to match</help>
         <valueHelp>
           <format>txt</format>
-          <description>TCP flags to match</description>
+          <description>Multiple comma-separated flags</description>
+        </valueHelp>
+        <valueHelp>
+          <format>syn</format>
+          <description>Syncronise flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ack</format>
+          <description>Acknowledge flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>fin</format>
+          <description>Finish flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>rst</format>
+          <description>Reset flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>urg</format>
+          <description>Urgent flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>psh</format>
+          <description>Push flag</description>
         </valueHelp>
         <valueHelp>
           <format> </format>
-          <description>\n\n  Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n  When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n  the SYN flag set, and the ACK, FIN and RST flags unset</description>
+          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
         </valueHelp>
+        <completionHelp>
+          <list>syn ack fin rst urg psh</list>
+        </completionHelp>
+        <constraint>
+          <validator name="tcp-flag"/>
+        </constraint>
       </properties>
     </leafNode>
   </children>
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index c4deefd2a..17b47474d 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -330,12 +330,42 @@
         <help>TCP flags to match</help>
         <valueHelp>
           <format>txt</format>
-          <description>TCP flags to match</description>
+          <description>Multiple comma-separated flags</description>
+        </valueHelp>
+        <valueHelp>
+          <format>syn</format>
+          <description>Syncronise flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ack</format>
+          <description>Acknowledge flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>fin</format>
+          <description>Finish flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>rst</format>
+          <description>Reset flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>urg</format>
+          <description>Urgent flag</description>
+        </valueHelp>
+        <valueHelp>
+          <format>psh</format>
+          <description>Push flag</description>
         </valueHelp>
         <valueHelp>
           <format> </format>
-          <description>\n\n  Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n  When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n  the SYN flag set, and the ACK, FIN and RST flags unset</description>
+          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
         </valueHelp>
+        <completionHelp>
+          <list>syn ack fin rst urg psh</list>
+        </completionHelp>
+        <constraint>
+          <validator name="tcp-flag"/>
+        </constraint>
       </properties>
     </leafNode>
   </children>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 66dc8bc40..acde9f913 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -171,7 +171,6 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
     if tcp_flags:
         output.append(parse_tcp_flags(tcp_flags))
 
-
     output.append('counter')
 
     if 'set' in rule_conf:
@@ -190,10 +189,10 @@ def parse_tcp_flags(flags):
     include = []
     for flag in flags.split(","):
         if flag[0] == '!':
-            flag = flag[1:]
+            flag = flag[1:].lower()
         else:
-            include.append(flag)
-        all_flags.append(flag)
+            include.append(flag.lower())
+        all_flags.append(flag.lower())
     return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
 
 def parse_time(time):
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 7b491a325..853470fd8 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -142,6 +142,9 @@ def verify_rule(firewall, rule_conf, ipv6):
         if not {'count', 'time'} <= set(rule_conf['recent']):
             raise ConfigError('Recent "count" and "time" values must be defined')
 
+    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
+        raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
     for side in ['destination', 'source']:
         if side in rule_conf:
             side_conf = rule_conf[side]
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index c5904309f..30597ef4e 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -76,7 +76,7 @@ def get_config(config=None):
 
     return policy
 
-def verify_rule(policy, rule_conf, ipv6):
+def verify_rule(policy, name, rule_conf, ipv6):
     icmp = 'icmp' if not ipv6 else 'icmpv6'
     if icmp in rule_conf:
         icmp_defined = False
@@ -93,14 +93,14 @@ def verify_rule(policy, rule_conf, ipv6):
 
         if icmp_defined and 'protocol' not in rule_conf or rule_conf['protocol'] != icmp:
             raise ConfigError(f'{name} rule {rule_id}: ICMP type/code or type-name can only be defined if protocol is ICMP')
+
     if 'set' in rule_conf:
         if 'tcp_mss' in rule_conf['set']:
             tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
             if not tcp_flags or 'SYN' not in tcp_flags.split(","):
                 raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
-    if 'tcp' in rule_conf:
-        if 'flags' in rule_conf['tcp']:
-            if 'protocol' not in rule_conf or rule_conf['protocol'] != 'tcp':
+
+    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
                 raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
 
     for side in ['destination', 'source']:
@@ -138,7 +138,7 @@ def verify(policy):
             for name, pol_conf in policy[route].items():
                 if 'rule' in pol_conf:
                     for rule_id, rule_conf in pol_conf['rule'].items():
-                        verify_rule(policy, rule_conf, ipv6)
+                        verify_rule(policy, name, rule_conf, ipv6)
 
     for ifname, if_policy in policy['interfaces'].items():
         name = dict_search_args(if_policy, 'route')
diff --git a/src/validators/tcp-flag b/src/validators/tcp-flag
new file mode 100755
index 000000000..86ebec189
--- /dev/null
+++ b/src/validators/tcp-flag
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+if __name__ == '__main__':
+    if len(sys.argv)>1:
+        flags = sys.argv[1].split(",")
+
+        for flag in flags:
+            if flag and flag[0] == '!':
+                flag = flag[1:]
+            if flag.lower() not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh']:
+                print(f'Error: {flag} is not a valid TCP flag')
+                sys.exit(1)
+    else:
+        sys.exit(2)
+
+    sys.exit(0)
-- 
cgit v1.2.3


From 64668771d5f14fc4b68fff382d166238c164bdde Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sat, 15 Jan 2022 12:48:48 +0100
Subject: firewall: policy: T4178: Migrate and refactor tcp flags

* Add support for ECN and CWR flags
---
 .../include/firewall/common-rule.xml.i             |  51 +--------
 .../include/firewall/tcp-flags.xml.i               | 119 +++++++++++++++++++++
 .../include/policy/route-common-rule-ipv6.xml.i    |  51 +--------
 .../include/policy/route-common-rule.xml.i         |  51 +--------
 python/vyos/firewall.py                            |  10 +-
 smoketest/configs/dialup-router-medium-vpn         |   9 ++
 smoketest/scripts/cli/test_firewall.py             |  16 +--
 smoketest/scripts/cli/test_policy_route.py         |   6 +-
 src/conf_mode/firewall.py                          |  12 ++-
 src/conf_mode/policy-route.py                      |  14 ++-
 src/migration-scripts/firewall/6-to-7              |  21 ++++
 src/migration-scripts/policy/1-to-2                |  19 ++++
 src/validators/tcp-flag                            |  14 ++-
 13 files changed, 213 insertions(+), 180 deletions(-)
 create mode 100644 interface-definitions/include/firewall/tcp-flags.xml.i

(limited to 'src/validators')

diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 6e8203c88..5ffbd639c 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -264,56 +264,7 @@
     </leafNode>
   </children>
 </node>
-<node name="tcp">
-  <properties>
-    <help>TCP flags to match</help>
-  </properties>
-  <children>
-    <leafNode name="flags">
-      <properties>
-        <help>TCP flags to match</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Multiple comma-separated flags</description>
-        </valueHelp>
-        <valueHelp>
-          <format>syn</format>
-          <description>Syncronise flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ack</format>
-          <description>Acknowledge flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>fin</format>
-          <description>Finish flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>rst</format>
-          <description>Reset flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>urg</format>
-          <description>Urgent flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>psh</format>
-          <description>Push flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format> </format>
-          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
-        </valueHelp>
-        <completionHelp>
-          <list>syn ack fin rst urg psh</list>
-        </completionHelp>
-        <constraint>
-          <validator name="tcp-flag"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
new file mode 100644
index 000000000..b99896687
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -0,0 +1,119 @@
+<!-- include start from firewall/tcp-flags.xml.i -->
+<node name="tcp">
+  <properties>
+    <help>TCP flags to match</help>
+  </properties>
+  <children>
+    <node name="flags">
+      <properties>
+        <help>TCP flags to match</help>
+      </properties>
+      <children>
+        <leafNode name="syn">
+          <properties>
+            <help>Synchronise flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ack">
+          <properties>
+            <help>Acknowledge flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="fin">
+          <properties>
+            <help>Finish flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="rst">
+          <properties>
+            <help>Reset flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="urg">
+          <properties>
+            <help>Urgent flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="psh">
+          <properties>
+            <help>Push flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="ecn">
+          <properties>
+            <help>Explicit Congestion Notification flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <leafNode name="cwr">
+          <properties>
+            <help>Congestion Window Reduced flag</help>
+            <valueless/>
+          </properties>
+        </leafNode>
+        <node name="not">
+          <properties>
+            <help>Match flags not set</help>
+          </properties>
+          <children>
+            <leafNode name="syn">
+              <properties>
+                <help>Synchronise flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="ack">
+              <properties>
+                <help>Acknowledge flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="fin">
+              <properties>
+                <help>Finish flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="rst">
+              <properties>
+                <help>Reset flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="urg">
+              <properties>
+                <help>Urgent flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="psh">
+              <properties>
+                <help>Push flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="ecn">
+              <properties>
+                <help>Explicit Congestion Notification flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+            <leafNode name="cwr">
+              <properties>
+                <help>Congestion Window Reduced flag</help>
+                <valueless/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index b8fee4b7b..735edbd48 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -320,56 +320,7 @@
     </leafNode>
   </children>
 </node>
-<node name="tcp">
-  <properties>
-    <help>TCP flags to match</help>
-  </properties>
-  <children>
-    <leafNode name="flags">
-      <properties>
-        <help>TCP flags to match</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Multiple comma-separated flags</description>
-        </valueHelp>
-        <valueHelp>
-          <format>syn</format>
-          <description>Syncronise flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ack</format>
-          <description>Acknowledge flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>fin</format>
-          <description>Finish flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>rst</format>
-          <description>Reset flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>urg</format>
-          <description>Urgent flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>psh</format>
-          <description>Push flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format> </format>
-          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
-        </valueHelp>
-        <completionHelp>
-          <list>syn ack fin rst urg psh</list>
-        </completionHelp>
-        <constraint>
-          <validator name="tcp-flag"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 17b47474d..4452f78fc 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -320,56 +320,7 @@
     </leafNode>
   </children>
 </node>
-<node name="tcp">
-  <properties>
-    <help>TCP flags to match</help>
-  </properties>
-  <children>
-    <leafNode name="flags">
-      <properties>
-        <help>TCP flags to match</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Multiple comma-separated flags</description>
-        </valueHelp>
-        <valueHelp>
-          <format>syn</format>
-          <description>Syncronise flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ack</format>
-          <description>Acknowledge flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>fin</format>
-          <description>Finish flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>rst</format>
-          <description>Reset flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>urg</format>
-          <description>Urgent flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format>psh</format>
-          <description>Push flag</description>
-        </valueHelp>
-        <valueHelp>
-          <format> </format>
-          <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
-        </valueHelp>
-        <completionHelp>
-          <list>syn ack fin rst urg psh</list>
-        </completionHelp>
-        <constraint>
-          <validator name="tcp-flag"/>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index acde9f913..ad84393df 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -185,14 +185,8 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
     return " ".join(output)
 
 def parse_tcp_flags(flags):
-    all_flags = []
-    include = []
-    for flag in flags.split(","):
-        if flag[0] == '!':
-            flag = flag[1:].lower()
-        else:
-            include.append(flag.lower())
-        all_flags.append(flag.lower())
+    include = [flag for flag in flags if flag != 'not']
+    all_flags = include + [flag for flag in flags['not']] if 'not' in flags else []
     return f'tcp flags & ({"|".join(all_flags)}) == {"|".join(include)}'
 
 def parse_time(time):
diff --git a/smoketest/configs/dialup-router-medium-vpn b/smoketest/configs/dialup-router-medium-vpn
index 7ca540b66..63d955738 100644
--- a/smoketest/configs/dialup-router-medium-vpn
+++ b/smoketest/configs/dialup-router-medium-vpn
@@ -6,6 +6,15 @@ firewall {
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
+    name test_tcp_flags {
+        rule 1 {
+            action drop
+            protocol tcp
+            tcp {
+                flags SYN,ACK,!RST,!FIN
+            }
+        }
+    }
     options {
         interface vtun0 {
             adjust-mss 1380
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2b3b354ba..c70743a9f 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -53,7 +53,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
-        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
 
         self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
 
@@ -61,7 +61,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         nftables_search = [
             ['iifname "eth0"', 'jump smoketest'],
-            ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'tcp dport { 53, 123 }', 'return'],
+            ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'th dport { 53, 123 }', 'return'],
         ]
 
         nftables_output = cmd('sudo nft list table ip filter')
@@ -72,7 +72,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
                 if all(item in line for item in search):
                     matched = True
                     break
-            self.assertTrue(matched)
+            self.assertTrue(matched, msg=search)
 
     def test_basic_rules(self):
         self.cli_set(['firewall', 'name', 'smoketest', 'default-action', 'drop'])
@@ -80,8 +80,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'reject'])
-        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp_udp'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'protocol', 'tcp'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'destination', 'port', '8888'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'syn'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'tcp', 'flags', 'not', 'ack'])
 
         self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
 
@@ -90,7 +92,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         nftables_search = [
             ['iifname "eth0"', 'jump smoketest'],
             ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'return'],
-            ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'reject'],
+            ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'reject'],
             ['smoketest default-action', 'drop']
         ]
 
@@ -102,7 +104,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
                 if all(item in line for item in search):
                     matched = True
                     break
-            self.assertTrue(matched)
+            self.assertTrue(matched, msg=search)
 
     def test_basic_rules_ipv6(self):
         self.cli_set(['firewall', 'ipv6-name', 'v6-smoketest', 'default-action', 'drop'])
@@ -132,7 +134,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
                 if all(item in line for item in search):
                     matched = True
                     break
-            self.assertTrue(matched)
+            self.assertTrue(matched, msg=search)
 
     def test_state_policy(self):
         self.cli_set(['firewall', 'state-policy', 'established', 'action', 'accept'])
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 4463a2255..9035f0832 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -63,8 +63,10 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
             self.assertTrue(matched)
 
     def test_pbr_table(self):
-        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'port', '8888'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'tcp', 'flags', 'syn'])
+        self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'tcp', 'flags', 'not', 'ack'])
         self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'table', table_id])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'protocol', 'tcp_udp'])
         self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'destination', 'port', '8888'])
@@ -81,7 +83,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
 
         nftables_search = [
             ['iifname "eth0"', 'jump VYOS_PBR_smoketest'],
-            ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'meta mark set ' + mark_hex]
+            ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'meta mark set ' + mark_hex]
         ]
 
         nftables_output = cmd('sudo nft list table ip mangle')
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 853470fd8..906d477b0 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -142,8 +142,16 @@ def verify_rule(firewall, rule_conf, ipv6):
         if not {'count', 'time'} <= set(rule_conf['recent']):
             raise ConfigError('Recent "count" and "time" values must be defined')
 
-    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
-        raise ConfigError('Protocol must be tcp when specifying tcp flags')
+    tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+    if tcp_flags:
+        if dict_search_args(rule_conf, 'protocol') != 'tcp':
+            raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+        not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+        if not_flags:
+            duplicates = [flag for flag in tcp_flags if flag in not_flags]
+            if duplicates:
+                raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
     for side in ['destination', 'source']:
         if side in rule_conf:
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 30597ef4e..eb13788dd 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -97,11 +97,19 @@ def verify_rule(policy, name, rule_conf, ipv6):
     if 'set' in rule_conf:
         if 'tcp_mss' in rule_conf['set']:
             tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
-            if not tcp_flags or 'SYN' not in tcp_flags.split(","):
+            if not tcp_flags or 'syn' not in tcp_flags:
                 raise ConfigError(f'{name} rule {rule_id}: TCP SYN flag must be set to modify TCP-MSS')
 
-    if dict_search_args(rule_conf, 'tcp', 'flags') and dict_search_args(rule_conf, 'protocol') != 'tcp':
-                raise ConfigError(f'{name} rule {rule_id}: TCP flags can only be set if protocol is set to TCP')
+    tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+    if tcp_flags:
+        if dict_search_args(rule_conf, 'protocol') != 'tcp':
+            raise ConfigError('Protocol must be tcp when specifying tcp flags')
+
+        not_flags = dict_search_args(rule_conf, 'tcp', 'flags', 'not')
+        if not_flags:
+            duplicates = [flag for flag in tcp_flags if flag in not_flags]
+            if duplicates:
+                raise ConfigError(f'Cannot match a tcp flag as set and not set')
 
     for side in ['destination', 'source']:
         if side in rule_conf:
diff --git a/src/migration-scripts/firewall/6-to-7 b/src/migration-scripts/firewall/6-to-7
index 4a4097d56..bc0b19325 100755
--- a/src/migration-scripts/firewall/6-to-7
+++ b/src/migration-scripts/firewall/6-to-7
@@ -17,6 +17,7 @@
 # T2199: Remove unavailable nodes due to XML/Python implementation using nftables
 #        monthdays: nftables does not have a monthdays equivalent
 #        utc: nftables userspace uses localtime and calculates the UTC offset automatically
+# T4178: Update tcp flags to use multi value node
 
 from sys import argv
 from sys import exit
@@ -45,6 +46,7 @@ if config.exists(base + ['name']):
         if config.exists(base + ['name', name, 'rule']):
             for rule in config.list_nodes(base + ['name', name, 'rule']):
                 rule_time = base + ['name', name, 'rule', rule, 'time']
+                rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
 
                 if config.exists(rule_time + ['monthdays']):
                     config.delete(rule_time + ['monthdays'])
@@ -52,11 +54,21 @@ if config.exists(base + ['name']):
                 if config.exists(rule_time + ['utc']):
                     config.delete(rule_time + ['utc'])
 
+                if config.exists(rule_tcp_flags):
+                    tmp = config.return_value(rule_tcp_flags)
+                    config.delete(rule_tcp_flags)
+                    for flag in tmp.split(","):
+                        if flag[0] == '!':
+                            config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+                        else:
+                            config.set(rule_tcp_flags + [flag.lower()])
+
 if config.exists(base + ['ipv6-name']):
     for name in config.list_nodes(base + ['ipv6-name']):
         if config.exists(base + ['ipv6-name', name, 'rule']):
             for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
                 rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
+                rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
 
                 if config.exists(rule_time + ['monthdays']):
                     config.delete(rule_time + ['monthdays'])
@@ -64,6 +76,15 @@ if config.exists(base + ['ipv6-name']):
                 if config.exists(rule_time + ['utc']):
                     config.delete(rule_time + ['utc'])
 
+                if config.exists(rule_tcp_flags):
+                    tmp = config.return_value(rule_tcp_flags)
+                    config.delete(rule_tcp_flags)
+                    for flag in tmp.split(","):
+                        if flag[0] == '!':
+                            config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+                        else:
+                            config.set(rule_tcp_flags + [flag.lower()])
+
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
diff --git a/src/migration-scripts/policy/1-to-2 b/src/migration-scripts/policy/1-to-2
index 7ffceef22..eebbf9d41 100755
--- a/src/migration-scripts/policy/1-to-2
+++ b/src/migration-scripts/policy/1-to-2
@@ -16,6 +16,7 @@
 
 # T4170: rename "policy ipv6-route" to "policy route6" to match common
 #        IPv4/IPv6 schema
+# T4178: Update tcp flags to use multi value node
 
 from sys import argv
 from sys import exit
@@ -41,6 +42,24 @@ if not config.exists(base):
 config.rename(base, 'route6')
 config.set_tag(['policy', 'route6'])
 
+for route in ['route', 'route6']:
+    route_path = ['policy', route]
+    if config.exists(route_path):
+        for name in config.list_nodes(route_path):
+            if config.exists(route_path + [name, 'rule']):
+                for rule in config.list_nodes(route_path + [name, 'rule']):
+                    rule_tcp_flags = route_path + [name, 'rule', rule, 'tcp', 'flags']
+
+                    if config.exists(rule_tcp_flags):
+                        tmp = config.return_value(rule_tcp_flags)
+                        config.delete(rule_tcp_flags)
+                        for flag in tmp.split(","):
+                            for flag in tmp.split(","):
+                                if flag[0] == '!':
+                                    config.set(rule_tcp_flags + ['not', flag[1:].lower()])
+                                else:
+                                    config.set(rule_tcp_flags + [flag.lower()])
+
 if config.exists(['interfaces']):
     def if_policy_rename(config, path):
         if config.exists(path + ['policy', 'ipv6-route']):
diff --git a/src/validators/tcp-flag b/src/validators/tcp-flag
index 86ebec189..1496b904a 100755
--- a/src/validators/tcp-flag
+++ b/src/validators/tcp-flag
@@ -5,14 +5,12 @@ import re
 
 if __name__ == '__main__':
     if len(sys.argv)>1:
-        flags = sys.argv[1].split(",")
-
-        for flag in flags:
-            if flag and flag[0] == '!':
-                flag = flag[1:]
-            if flag.lower() not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh']:
-                print(f'Error: {flag} is not a valid TCP flag')
-                sys.exit(1)
+        flag = sys.argv[1]
+        if flag and flag[0] == '!':
+            flag = flag[1:]
+        if flag not in ['syn', 'ack', 'rst', 'fin', 'urg', 'psh', 'ecn', 'cwr']:
+            print(f'Error: {flag} is not a valid TCP flag')
+            sys.exit(1)
     else:
         sys.exit(2)
 
-- 
cgit v1.2.3


From 53c2b62dda5bcd1f605a8b9ea438f0f76e366e36 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 17 Jan 2022 16:46:03 +0100
Subject: firewall: T2199: Fix `port-range` validator to accept service names

---
 src/validators/port-range | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'src/validators')

diff --git a/src/validators/port-range b/src/validators/port-range
index 6c01048f0..5468000a7 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -3,6 +3,19 @@
 import sys
 import re
 
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+    names = []
+    service_data = read_file(services_file, "")
+    for line in service_data.split("\n"):
+        if not line or line[0] == '#':
+            continue
+        names.append(line.split(None, 1)[0])
+    return names
+
 def error(port_range):
     print(f'Error: {port_range} is not a valid port or port range')
     sys.exit(1)
@@ -16,8 +29,11 @@ if __name__ == '__main__':
                 error(port_range)
             if int(port_1) > int(port_2):
                 error(port_range)
-        elif not port_range.isnumeric() or int(port_range) not in range(1, 65536):
-                error(port_range)
+        elif port_range.isnumeric() and int(port_range) not in range(1, 65536):
+            error(port_range)
+        elif not port_range.isnumeric() and port_range not in get_services():
+            print(f'Error: {port_range} is not a valid service name')
+            sys.exit(1)
     else:
         sys.exit(2)
 
-- 
cgit v1.2.3


From 0a5a78621b2b28f06af1f40c10ee8bb880f860a0 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 18 Jan 2022 15:29:03 +0100
Subject: firewall: T3560: Add support for MAC address groups

---
 data/templates/firewall/nftables-defines.tmpl      |  5 ++++
 interface-definitions/firewall.xml.in              | 21 +++++++++++++++++
 .../include/firewall/common-rule.xml.i             |  3 +++
 .../include/firewall/mac-group.xml.i               | 10 ++++++++
 .../firewall/source-destination-group-ipv6.xml.i   |  1 +
 .../firewall/source-destination-group.xml.i        |  1 +
 .../include/policy/route-common-rule-ipv6.xml.i    |  3 +++
 .../include/policy/route-common-rule.xml.i         |  3 +++
 python/vyos/firewall.py                            |  3 +++
 smoketest/scripts/cli/test_firewall.py             |  4 ++++
 src/op_mode/firewall.py                            |  2 ++
 src/validators/mac-address-firewall                | 27 ++++++++++++++++++++++
 12 files changed, 83 insertions(+)
 create mode 100644 interface-definitions/include/firewall/mac-group.xml.i
 create mode 100755 src/validators/mac-address-firewall

(limited to 'src/validators')

diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl
index 3578a9dc5..d9eb7c199 100644
--- a/data/templates/firewall/nftables-defines.tmpl
+++ b/data/templates/firewall/nftables-defines.tmpl
@@ -9,6 +9,11 @@ define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
 define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
 {%     endfor %}
 {%   endif %}
+{%   if group.mac_group is defined %}
+{%     for group_name, group_conf in group.mac_group.items() %}
+define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
+{%     endfor %}
+{%   endif %}
 {%   if group.network_group is defined %}
 {%     for group_name, group_conf in group.network_group.items() %}
 define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index fd98ae138..987ccaca6 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -144,6 +144,27 @@
               </leafNode>
             </children>
           </tagNode>
+          <tagNode name="mac-group">
+            <properties>
+              <help>Firewall mac-group</help>
+            </properties>
+            <children>
+              #include <include/generic-description.xml.i>
+              <leafNode name="mac-address">
+                <properties>
+                  <help>Mac-group member</help>
+                  <valueHelp>
+                    <format>&lt;MAC address&gt;</format>
+                    <description>MAC address to match</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="mac-address"/>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </tagNode>
           <tagNode name="network-group">
             <properties>
               <help>Firewall network-group</help>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 5ffbd639c..521fe54f2 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -176,6 +176,9 @@
           <format>!&lt;MAC address&gt;</format>
           <description>Match everything except the specified MAC address</description>
         </valueHelp>
+        <constraint>
+          <validator name="mac-address-firewall"/>
+        </constraint>
       </properties>
     </leafNode>
     #include <include/firewall/port.xml.i>
diff --git a/interface-definitions/include/firewall/mac-group.xml.i b/interface-definitions/include/firewall/mac-group.xml.i
new file mode 100644
index 000000000..dbce3fc88
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/mac-group.xml.i -->
+<leafNode name="mac-group">
+  <properties>
+    <help>Group of MAC addresses</help>
+    <completionHelp>
+      <path>firewall group mac-group</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include start from firewall/mac-group.xml.i -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
index 7815b78d4..c2cc7edb3 100644
--- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -12,6 +12,7 @@
         </completionHelp>
       </properties>
     </leafNode>
+    #include <include/firewall/mac-group.xml.i>
     <leafNode name="network-group">
       <properties>
         <help>Group of networks</help>
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
index 9a9bed0fe..ab11e89e9 100644
--- a/interface-definitions/include/firewall/source-destination-group.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -12,6 +12,7 @@
         </completionHelp>
       </properties>
     </leafNode>
+    #include <include/firewall/mac-group.xml.i>
     <leafNode name="network-group">
       <properties>
         <help>Group of networks</help>
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index 735edbd48..406125e55 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -232,6 +232,9 @@
           <format>!&lt;MAC address&gt;</format>
           <description>Match everything except the specified MAC address</description>
         </valueHelp>
+        <constraint>
+          <validator name="mac-address-firewall"/>
+        </constraint>
       </properties>
     </leafNode>
     #include <include/firewall/port.xml.i>
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 4452f78fc..33c4ba77c 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -232,6 +232,9 @@
           <format>!&lt;MAC address&gt;</format>
           <description>Match everything except the specified MAC address</description>
         </valueHelp>
+        <constraint>
+          <validator name="mac-address-firewall"/>
+        </constraint>
       </properties>
     </leafNode>
     #include <include/firewall/port.xml.i>
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index ad84393df..2ab78ff18 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -108,6 +108,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 elif 'network_group' in group:
                     group_name = group['network_group']
                     output.append(f'{ip_name} {prefix}addr $N{def_suffix}_{group_name}')
+                if 'mac_group' in group:
+                    group_name = group['mac_group']
+                    output.append(f'ether {prefix}addr $M_{group_name}')
                 if 'port_group' in group:
                     proto = rule_conf['protocol']
                     group_name = group['port_group']
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index c70743a9f..6b74e6c92 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -46,6 +46,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
     def test_groups(self):
+        self.cli_set(['firewall', 'group', 'mac-group', 'smoketest_mac', 'mac-address', '00:01:02:03:04:05'])
         self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
         self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53'])
         self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '123'])
@@ -54,6 +55,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port'])
         self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+        self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac'])
 
         self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
 
@@ -62,6 +65,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         nftables_search = [
             ['iifname "eth0"', 'jump smoketest'],
             ['ip saddr { 172.16.99.0/24 }', 'ip daddr 172.16.10.10', 'th dport { 53, 123 }', 'return'],
+            ['ether saddr { 00:01:02:03:04:05 }', 'return']
         ]
 
         nftables_output = cmd('sudo nft list table ip filter')
diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 030a9b19a..b6bb5b802 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -272,6 +272,8 @@ def show_firewall_group(name=None):
                 row.append("\n".join(sorted(group_conf['address'], key=ipaddress.ip_address)))
             elif 'network' in group_conf:
                 row.append("\n".join(sorted(group_conf['network'], key=ipaddress.ip_network)))
+            elif 'mac_address' in group_conf:
+                row.append("\n".join(sorted(group_conf['mac_address'])))
             elif 'port' in group_conf:
                 row.append("\n".join(sorted(group_conf['port'])))
             else:
diff --git a/src/validators/mac-address-firewall b/src/validators/mac-address-firewall
new file mode 100755
index 000000000..70551f86d
--- /dev/null
+++ b/src/validators/mac-address-firewall
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018-2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import sys
+
+pattern = "^!?([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"
+
+if __name__ == '__main__':
+    if len(sys.argv) != 2:
+        sys.exit(1)
+    if not re.match(pattern, sys.argv[1]):
+        sys.exit(1)
+    sys.exit(0)
-- 
cgit v1.2.3


From ff0e43807789f3c5c228683eaeb5fc4fbb8f75ce Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Sat, 12 Mar 2022 15:10:52 +0000
Subject: Firewall: T4286: Correct ipv6-range validator

---
 src/validators/ipv6-range | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

(limited to 'src/validators')

diff --git a/src/validators/ipv6-range b/src/validators/ipv6-range
index a3c401281..7080860c4 100755
--- a/src/validators/ipv6-range
+++ b/src/validators/ipv6-range
@@ -1,17 +1,20 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 
-import sys
-import re
-from vyos.template import is_ipv6
+from ipaddress import IPv6Address
+from sys import argv, exit
 
 if __name__ == '__main__':
-    if len(sys.argv)>1:
-        ipv6_range = sys.argv[1]
-        # Regex for ipv6-ipv6 https://regexr.com/
-        if re.search('([a-f0-9:]+:+)+[a-f0-9]+-([a-f0-9:]+:+)+[a-f0-9]+', ipv6_range):
-            for tmp in ipv6_range.split('-'):
-                if not is_ipv6(tmp):
-                    print(f'Error: {ipv6_range} is not a valid IPv6 range')
-                    sys.exit(1)
-
-    sys.exit(0)
+    if len(argv) > 1:
+        # try to pass validation and raise an error if failed
+        try:
+            ipv6_range = argv[1]
+            range_left = ipv6_range.split('-')[0]
+            range_right = ipv6_range.split('-')[1]
+            if not IPv6Address(range_left) < IPv6Address(range_right):
+                raise ValueError(f'left element {range_left} must be less than right element {range_right}')
+        except Exception as err:
+            print(f'Error: {ipv6_range} is not a valid IPv6 range: {err}')
+            exit(1)
+    else:
+        print('Error: an IPv6 range argument must be provided')
+        exit(1)
-- 
cgit v1.2.3