diff options
author | Daniil Baturin <daniil@vyos.io> | 2022-11-18 13:42:08 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-18 13:42:08 +0000 |
commit | 97056cad18664bea06310d59e8a769add077f6d0 (patch) | |
tree | 7fe5078144c074a447aec93831c8ec493f436ecb /src/conf_mode/firewall.py | |
parent | 0094bdfd15b4732a4be417f1777e903a41a8a954 (diff) | |
parent | b8bda7c8d54fb500716c78ca39107e33988311ea (diff) | |
download | vyos-1x-97056cad18664bea06310d59e8a769add077f6d0.tar.gz vyos-1x-97056cad18664bea06310d59e8a769add077f6d0.zip |
Merge pull request #1662 from jestabro/config-script-dependency
firewall: T4821: correct calling of conf_mode script dependencies
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 783adec46..9fee20358 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -26,6 +26,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configdiff import get_config_diff, Diff +from vyos.configdep import set_dependent, call_dependents # from vyos.configverify import verify_interface_exists from vyos.firewall import fqdn_config_parse from vyos.firewall import geoip_update @@ -41,8 +42,8 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -nat_conf_script = '/usr/libexec/vyos/conf_mode/nat.py' -policy_route_conf_script = '/usr/libexec/vyos/conf_mode/policy-route.py' +nat_conf_script = 'nat.py' +policy_route_conf_script = 'policy-route.py' nftables_conf = '/run/nftables.conf' @@ -160,6 +161,12 @@ def get_config(config=None): firewall['zone'][zone] = dict_merge(default_values, firewall['zone'][zone]) firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) + if firewall['group_resync']: + # Update nat as firewall groups were updated + set_dependent(nat_conf_script, conf) + # Update policy route as firewall groups were updated + set_dependent(policy_route_conf_script, conf) + if 'config_trap' in firewall and firewall['config_trap'] == 'enable': diff = get_config_diff(conf) @@ -464,18 +471,6 @@ def post_apply_trap(firewall): cmd(base_cmd + ' '.join(objects)) -def resync_nat(): - # Update nat as firewall groups were updated - tmp, out = rc_cmd(nat_conf_script) - if tmp > 0: - Warning(f'Failed to re-apply nat configuration! {out}') - -def resync_policy_route(): - # Update policy route as firewall groups were updated - tmp, out = rc_cmd(policy_route_conf_script) - if tmp > 0: - Warning(f'Failed to re-apply policy route configuration! {out}') - def apply(firewall): install_result, output = rc_cmd(f'nft -f {nftables_conf}') if install_result == 1: @@ -484,8 +479,7 @@ def apply(firewall): apply_sysfs(firewall) if firewall['group_resync']: - resync_nat() - resync_policy_route() + call_dependents() # T970 Enable a resolver (systemd daemon) that checks # domain-group/fqdn addresses and update entries for domains by timeout |