authorChristian Breunig <christian@breunig.cc>2023-11-06 17:41:14 +0100
committerGitHub <noreply@github.com>2023-11-06 17:41:14 +0100
commit148ab6c4382be62c1021ec49e3262de66d38ab0a (patch)
tree10e14a0dd798b7503c68e680de1e6478ef58df44 /src/conf_mode/firewall.py
parentfd9e2c24e739fd327f860c45fa00241fd1acca7e (diff)
parent42f5ae2e7e729e78157c24893b984ef30bd0498d (diff)
Merge pull request #2441 from nicolas-fort/T5541-fix-zbf-sagiita
T5541: firewall: fix ZBF template and ruleset generation for local-zone rules
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index c66b2a7ec..da22fad68 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -390,6 +390,19 @@ def generate(firewall):
if not os.path.exists(nftables_conf):
firewall['first_install'] = True
+ if 'zone' in firewall:
+ for local_zone, local_zone_conf in firewall['zone'].items():
+ if 'local_zone' not in local_zone_conf:
+ continue
+
+ local_zone_conf['from_local'] = {}
+
+ for zone, zone_conf in firewall['zone'].items():
+ if zone == local_zone or 'from' not in zone_conf:
+ continue
+ if local_zone in zone_conf['from']:
+ local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone]
+
# Determine if conntrack is needed
firewall['ipv4_conntrack_action'] = 'return'
firewall['ipv6_conntrack_action'] = 'return'
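Review bot: The new `from_local` key built at lines 32–38 is undocumented and its direction is easy to misread, since `from_local[zone]` is filled from the *peer* zone's `from[local_zone]` entry rather than from anything under the local zone itself. I would add a comment above `local_zone_conf['from_local'] = {}` such as `# Outbound traffic of the local zone: for each peer zone that declares a "from <local_zone>" entry, record that entry here keyed by peer, so the template can render the local-zone output chain.` Note that a peer zone with no `from <local_zone>` entry gets no `from_local` entry at all, so whatever the template applies to traffic toward such a zone is its own default rather than an explicit rule — presumably the zone default-action, but that is not visible in this hunk and is worth confirming. The enclosing `generate(firewall)` begins before the hunk and continues after it.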