diff options
author | Christian Breunig <christian@breunig.cc> | 2023-09-20 06:11:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-20 06:11:26 +0200 |
commit | b52cf1b7b3bc138b26eb21f917967748c40f9d3a (patch) | |
tree | 0334c3b369508e68012093d980ccb4e313b99f8a | |
parent | 483482f16133d5aa61b07a88cca5bce7bb7776f8 (diff) | |
parent | cdbe969308c1f540050d288ffc6b55abbefa7534 (diff) | |
download | vyos-1x-b52cf1b7b3bc138b26eb21f917967748c40f9d3a.tar.gz vyos-1x-b52cf1b7b3bc138b26eb21f917967748c40f9d3a.zip |
Merge pull request #2293 from sarthurdev/conntrack_flowtable
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
-rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 4 | ||||
-rwxr-xr-x | src/conf_mode/conntrack.py | 24 |
2 files changed, 10 insertions, 18 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 72e04847a..676be5305 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -637,5 +637,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip vyos_filter') self.verify_nftables(nftables_search, 'ip6 vyos_filter') + # Check conntrack + self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK') + self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK') + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index 21a20ea8d..50089508a 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -90,14 +90,6 @@ def get_config(config=None): get_first_key=True, no_tag_node_value_mangle=True) - conntrack['flowtable_enabled'] = False - flow_offload = dict_search_args(conntrack['firewall'], 'global_options', 'flow_offload') - if flow_offload and 'disable' not in flow_offload: - for offload_type in ('software', 'hardware'): - if dict_search_args(flow_offload, offload_type, 'interface'): - conntrack['flowtable_enabled'] = True - break - conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return' conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return' conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return' @@ -170,16 +162,12 @@ def generate(conntrack): conntrack['ipv4_firewall_action'] = 'return' conntrack['ipv6_firewall_action'] = 'return' - if conntrack['flowtable_enabled']: - conntrack['ipv4_firewall_action'] = 'accept' - conntrack['ipv6_firewall_action'] = 'accept' - else: - for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): - if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()): - if path[0] == 'ipv4': - conntrack['ipv4_firewall_action'] = 'accept' - elif path[0] == 'ipv6': - conntrack['ipv6_firewall_action'] = 'accept' + for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): + if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()): + if path[0] == 'ipv4': + conntrack['ipv4_firewall_action'] = 'accept' + elif path[0] == 'ipv6': + conntrack['ipv6_firewall_action'] = 'accept' render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) |