Committing firewall rule failed because of parameters order · Issue #26 · spotify/pyfg · GitHub
This repository was archived by the owner on Mar 28, 2022. It is now read-only.
Committing firewall rule failed because of parameters order #26
Open
@blakkheimgw

Hello there,
I've faced this issue and wasted a bit of time debugging it, but I've finally hunted it down!

I use this bit of code to add new firewall rules:

    # Added for context: FortiConfig is imported from pyFG; `d` is an already
    # opened pyFG FortiOS device object and the other names (subnetDescription,
    # firewallIntercoZone, fwObjectGrpSrvTransverses, ...) are defined earlier
    # in the reporter's script.
    from pyFG import FortiConfig

    d.load_config('firewall policy')
    # Build a new 'edit 0' entry in the 'firewall policy' section
    newRule05 = FortiConfig(config_type='edit', name='0')
    newRule05.set_param('srcintf', subnetDescription)
    newRule05.set_param('dstintf', firewallIntercoZone[0])
    newRule05.set_param('srcaddr', 'all')
    newRule05.set_param('dstaddr', fwObjectGrpSrvTransverses)
    newRule05.set_param('action', 'accept')
    newRule05.set_param('status', 'enable')
    newRule05.set_param('service', fwObjectGrpServicesTransverses)
    newRule05.set_param('schedule', 'always')
    # Attach the entry to the candidate config and push the diff to the device
    d.candidate_config['firewall policy']['0'] = newRule05
    d.commit()

The commit failed intermittently with this generic error:

        raise exceptions.FailedCommit(wrong_commands)
    pyFG.exceptions.FailedCommit: [('-3', 'set dstaddr grp-srv-transverses')]

Sometimes it works without error, and before this bit of code the script commits dozens of other rules. The problem is:

  • in this rule, the firewall object named grp-srv-transverses is an address group full of addresses attached to one interface
  • if you don't specify the dstintf parameter first, you can't specify the dstaddr parameter with this kind of group attached to an interface
  • pyFG generates the config section in random order. See the 2 examples below for the same rule:

        edit 0
          set action accept
          set schedule always
          set status enable
          set srcaddr all
          set service grp-services-transverses
          set srcintf PP-SUMIT-BD
          set dstintf Interco-TechRH-HProd
          set dstaddr grp-srv-transverses
        next

AND:

        edit 0
          set srcaddr all
          set status enable
          set service grp-services-transverses
          set dstaddr grp-srv-transverses
          set action accept
          set schedule always
          set srcintf PP-SUMIT-BD
          set dstintf Interco-TechRH-HProd
        next

The generation of the rule set should be in a sequential order to avoid this bug.

Regards.
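The ordering problem described in this issue (the `set` lines of an `edit` block being emitted in whatever order the parameter dictionary happens to iterate, so that `dstaddr` can land before the `dstintf` it depends on) can be illustrated with a small standalone renderer. The code below is an added example, not pyFG's own code: it renders an `edit ... next` block in a fixed, dependency-respecting order and provides a `check_order` pre-commit check that reports any violated ordering constraint in a block produced by some other generator. The parameter names and values are the ones from the issue; the `ORDER_CONSTRAINTS` table (dstaddr after dstintf, and srcaddr after srcintf by analogy) and the `PREFERRED_ORDER` list are assumptions modelled on the reporter's description, not something FortiOS or pyFG documents.

```python
"""Deterministic rendering of a FortiOS 'edit' block (added example, not pyFG code).

The issue reports that pyFG emitted `set` lines in dictionary iteration order,
which was not stable across runs, so a parameter with an ordering dependency
(`dstaddr` referencing an interface-bound address group needs `dstintf` first)
could be emitted too early and the commit failed. This helper renders the block
in a fixed order that honours such dependencies and can also audit a block that
was rendered elsewhere.
"""

# Assumed constraints, modelled on the issue: the key must be emitted only after
# every listed prerequisite. dstaddr->dstintf is the reported case; srcaddr->srcintf
# is included by analogy.
ORDER_CONSTRAINTS = {
    "dstaddr": ("dstintf",),
    "srcaddr": ("srcintf",),
}

# Assumed preferred emission order; keys not listed here are appended in sorted
# order so the output is identical from one run to the next.
PREFERRED_ORDER = ["srcintf", "dstintf", "srcaddr", "dstaddr",
                   "action", "status", "schedule", "service"]


def ordered_keys(params, preferred=PREFERRED_ORDER):
    """Return the parameter names in a deterministic, dependency-respecting order."""
    keys = [k for k in preferred if k in params]
    keys += sorted(k for k in params if k not in preferred)
    # Enforce the constraints even if `preferred` lists them the wrong way round:
    # move any prerequisite that sits after its dependant directly in front of it.
    for dependant, prereqs in ORDER_CONSTRAINTS.items():
        if dependant not in keys:
            continue
        for prereq in prereqs:
            if prereq in keys and keys.index(prereq) > keys.index(dependant):
                keys.remove(prereq)
                keys.insert(keys.index(dependant), prereq)
    return keys


def render_edit_block(name, params, indent="  "):
    """Render an `edit <name> ... next` block as a list of CLI lines."""
    lines = ["edit %s" % name]
    for key in ordered_keys(params):
        lines.append("%sset %s %s" % (indent, key, params[key]))
    lines.append("next")
    return lines


def check_order(lines, constraints=ORDER_CONSTRAINTS):
    """Return the (dependant, prerequisite) pairs that a rendered block violates.

    Intended as a check on a generated block before it is committed; an empty
    list means every constrained parameter is preceded by its prerequisites.
    """
    position = {}
    for idx, line in enumerate(lines):
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "set":
            position.setdefault(parts[1], idx)
    violations = []
    for dependant, prereqs in constraints.items():
        for prereq in prereqs:
            if (dependant in position and prereq in position
                    and position[prereq] > position[dependant]):
                violations.append((dependant, prereq))
    return violations


# Constructed input: the rule from the issue, deliberately inserted in the
# failing order of the second example (dstaddr before dstintf).
RULE_PARAMS_SHUFFLED = {
    "srcaddr": "all",
    "status": "enable",
    "service": "grp-services-transverses",
    "dstaddr": "grp-srv-transverses",
    "action": "accept",
    "schedule": "always",
    "srcintf": "PP-SUMIT-BD",
    "dstintf": "Interco-TechRH-HProd",
}

if __name__ == "__main__":
    for line in render_edit_block("0", RULE_PARAMS_SHUFFLED):
        print(line)
    # Constructed block in the failing order, as a generator without ordering
    # guarantees might produce it.
    bad_block = ["edit 0", "  set dstaddr grp-srv-transverses",
                 "  set dstintf Interco-TechRH-HProd", "next"]
    print("violations in bad block:", check_order(bad_block))
```

`render_edit_block` always puts `dstintf` ahead of `dstaddr` regardless of the insertion order of the input dictionary, which is the property the reporter asks for; `check_order` is the complementary defensive step, letting a script refuse to commit a block whose ordering it did not control.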
