summaryrefslogtreecommitdiff
path: root/src/conf_mode/firewall.py
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2022-11-18 13:42:08 +0000
committerGitHub <noreply@github.com>2022-11-18 13:42:08 +0000
commit97056cad18664bea06310d59e8a769add077f6d0 (patch)
tree7fe5078144c074a447aec93831c8ec493f436ecb /src/conf_mode/firewall.py
parent0094bdfd15b4732a4be417f1777e903a41a8a954 (diff)
parentb8bda7c8d54fb500716c78ca39107e33988311ea (diff)
downloadvyos-1x-97056cad18664bea06310d59e8a769add077f6d0.tar.gz
vyos-1x-97056cad18664bea06310d59e8a769add077f6d0.zip
Merge pull request #1662 from jestabro/config-script-dependency
firewall: T4821: correct calling of conf_mode script dependencies
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py26
1 files changed, 10 insertions, 16 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 783adec46..9fee20358 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -26,6 +26,7 @@ from vyos.config import Config
from vyos.configdict import dict_merge
from vyos.configdict import node_changed
from vyos.configdiff import get_config_diff, Diff
+from vyos.configdep import set_dependent, call_dependents
# from vyos.configverify import verify_interface_exists
from vyos.firewall import fqdn_config_parse
from vyos.firewall import geoip_update
@@ -41,8 +42,8 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
-nat_conf_script = '/usr/libexec/vyos/conf_mode/nat.py'
-policy_route_conf_script = '/usr/libexec/vyos/conf_mode/policy-route.py'
+nat_conf_script = 'nat.py'
+policy_route_conf_script = 'policy-route.py'
nftables_conf = '/run/nftables.conf'
@@ -160,6 +161,12 @@ def get_config(config=None):
firewall['zone'][zone] = dict_merge(default_values, firewall['zone'][zone])
firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
+ if firewall['group_resync']:
+ # Update nat as firewall groups were updated
+ set_dependent(nat_conf_script, conf)
+ # Update policy route as firewall groups were updated
+ set_dependent(policy_route_conf_script, conf)
+
if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
diff = get_config_diff(conf)
@@ -464,18 +471,6 @@ def post_apply_trap(firewall):
cmd(base_cmd + ' '.join(objects))
-def resync_nat():
- # Update nat as firewall groups were updated
- tmp, out = rc_cmd(nat_conf_script)
- if tmp > 0:
- Warning(f'Failed to re-apply nat configuration! {out}')
-
-def resync_policy_route():
- # Update policy route as firewall groups were updated
- tmp, out = rc_cmd(policy_route_conf_script)
- if tmp > 0:
- Warning(f'Failed to re-apply policy route configuration! {out}')
-
def apply(firewall):
install_result, output = rc_cmd(f'nft -f {nftables_conf}')
if install_result == 1:
@@ -484,8 +479,7 @@ def apply(firewall):
apply_sysfs(firewall)
if firewall['group_resync']:
- resync_nat()
- resync_policy_route()
+ call_dependents()
# T970 Enable a resolver (systemd daemon) that checks
# domain-group/fqdn addresses and update entries for domains by timeout