summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-09-20 06:11:26 +0200
committerGitHub <noreply@github.com>2023-09-20 06:11:26 +0200
commitb52cf1b7b3bc138b26eb21f917967748c40f9d3a (patch)
tree0334c3b369508e68012093d980ccb4e313b99f8a
parent483482f16133d5aa61b07a88cca5bce7bb7776f8 (diff)
parentcdbe969308c1f540050d288ffc6b55abbefa7534 (diff)
downloadvyos-1x-b52cf1b7b3bc138b26eb21f917967748c40f9d3a.tar.gz
vyos-1x-b52cf1b7b3bc138b26eb21f917967748c40f9d3a.zip
Merge pull request #2293 from sarthurdev/conntrack_flowtable
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py4
-rwxr-xr-xsrc/conf_mode/conntrack.py24
2 files changed, 10 insertions, 18 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 72e04847a..676be5305 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -637,5 +637,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_filter')
self.verify_nftables(nftables_search, 'ip6 vyos_filter')
+ # Check conntrack
+ self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+ self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 21a20ea8d..50089508a 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -90,14 +90,6 @@ def get_config(config=None):
get_first_key=True,
no_tag_node_value_mangle=True)
- conntrack['flowtable_enabled'] = False
- flow_offload = dict_search_args(conntrack['firewall'], 'global_options', 'flow_offload')
- if flow_offload and 'disable' not in flow_offload:
- for offload_type in ('software', 'hardware'):
- if dict_search_args(flow_offload, offload_type, 'interface'):
- conntrack['flowtable_enabled'] = True
- break
-
conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return'
conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return'
conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return'
@@ -170,16 +162,12 @@ def generate(conntrack):
conntrack['ipv4_firewall_action'] = 'return'
conntrack['ipv6_firewall_action'] = 'return'
- if conntrack['flowtable_enabled']:
- conntrack['ipv4_firewall_action'] = 'accept'
- conntrack['ipv6_firewall_action'] = 'accept'
- else:
- for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
- if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()):
- if path[0] == 'ipv4':
- conntrack['ipv4_firewall_action'] = 'accept'
- elif path[0] == 'ipv6':
- conntrack['ipv6_firewall_action'] = 'accept'
+ for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
+ if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+ if path[0] == 'ipv4':
+ conntrack['ipv4_firewall_action'] = 'accept'
+ elif path[0] == 'ipv6':
+ conntrack['ipv6_firewall_action'] = 'accept'
render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)