Merge pull request #1199 from sarthurdev/T4218

firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
author: Christian Poessinger <christian@poessinger.com> 2022-01-31 19:26:37 +0100
committer: GitHub <noreply@github.com> 2022-01-31 19:26:37 +0100
commit: 36e54482a242e785c7a052035549bb45a117ea9a (patch)
tree: 3d947addcb9ea4c375e2771eed68e393e9295cbe /src/conf_mode/firewall-interface.py
parent: 3aa1ec3f03a95ad41d3476b92b8b31a68b516b14 (diff)
parent: ff2cc45f8ba6d7ad1bc75ef384643692a54f31cc (diff)
download: vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.tar.gz
vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.zip
1 files changed, 7 insertions, 4 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py
index a7442ecbd..9a5d278e9 100755
--- a/src/conf_mode/firewall-interface.py
+++ b/src/conf_mode/firewall-interface.py
@@ -31,6 +31,9 @@ from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
 
+NAME_PREFIX = 'NAME_'
+NAME6_PREFIX = 'NAME6_'
+
 NFT_CHAINS = {
     'in': 'VYOS_FW_FORWARD',
     'out': 'VYOS_FW_FORWARD',
@@ -127,7 +130,7 @@ def apply(if_firewall):
 
         name = dict_search_args(if_firewall, direction, 'name')
         if name:
-            rule_exists = cleanup_rule('ip filter', chain, if_prefix, ifname, name)
+            rule_exists = cleanup_rule('ip filter', chain, if_prefix, ifname, f'{NAME_PREFIX}{name}')
 
             if not rule_exists:
                 rule_action = 'insert'
@@ -138,13 +141,13 @@ def apply(if_firewall):
                     rule_action = 'add'
                     rule_prefix = f'position {handle}'
 
-                run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {name}')
+                run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {NAME_PREFIX}{name}')
         else:
             cleanup_rule('ip filter', chain, if_prefix, ifname)
 
         ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name')
         if ipv6_name:
-            rule_exists = cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname, ipv6_name)
+            rule_exists = cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname, f'{NAME6_PREFIX}{ipv6_name}')
 
             if not rule_exists:
                 rule_action = 'insert'
@@ -155,7 +158,7 @@ def apply(if_firewall):
                     rule_action = 'add'
                     rule_prefix = f'position {handle}'
 
-                run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {ipv6_name}')
+                run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {NAME6_PREFIX}{ipv6_name}')
         else:
             cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname)
author	Christian Poessinger <christian@poessinger.com>	2022-01-31 19:26:37 +0100
committer	GitHub <noreply@github.com>	2022-01-31 19:26:37 +0100
commit	36e54482a242e785c7a052035549bb45a117ea9a (patch)
tree	3d947addcb9ea4c375e2771eed68e393e9295cbe /src/conf_mode/firewall-interface.py
parent	3aa1ec3f03a95ad41d3476b92b8b31a68b516b14 (diff)
parent	ff2cc45f8ba6d7ad1bc75ef384643692a54f31cc (diff)
download	vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.tar.gz vyos-1x-36e54482a242e785c7a052035549bb45a117ea9a.zip