diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2024-02-27 21:38:24 +0100 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-02-28 19:36:10 +0000 |
commit | 88dfa47ded706ea53a7b10ed058ddd5023226896 (patch) | |
tree | 90f70d19c3c44f3671c1d77417308356fcbfd7f7 /src/conf_mode/vrf.py | |
parent | e1f34b0c019b9771ace1d6c723d4d84658be5cd8 (diff) | |
download | vyos-1x-88dfa47ded706ea53a7b10ed058ddd5023226896.tar.gz vyos-1x-88dfa47ded706ea53a7b10ed058ddd5023226896.zip |
vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is required
(cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217)
Diffstat (limited to 'src/conf_mode/vrf.py')
-rwxr-xr-x | src/conf_mode/vrf.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index a2f4956be..16908100f 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -23,6 +23,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configverify import verify_route_map +from vyos.firewall import conntrack_required from vyos.ifconfig import Interface from vyos.template import render from vyos.template import render_to_string @@ -41,6 +42,12 @@ airbag.enable() config_file = '/etc/iproute2/rt_tables.d/vyos-vrf.conf' k_mod = ['vrf'] +nftables_table = 'inet vrf_zones' +nftables_rules = { + 'vrf_zones_ct_in': 'counter ct original zone set iifname map @ct_iface_map', + 'vrf_zones_ct_out': 'counter ct original zone set oifname map @ct_iface_map' +} + def has_rule(af : str, priority : int, table : str=None): """ Check if a given ip rule exists @@ -114,6 +121,9 @@ def get_config(config=None): routes = vrf_routing(conf, name) if routes: vrf['vrf_remove'][name]['route'] = routes + if 'name' in vrf: + vrf['conntrack'] = conntrack_required(conf) + # We also need the route-map information from the config # # XXX: one MUST always call this without the key_mangling() option! See @@ -294,6 +304,14 @@ def apply(vrf): nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' cmd(f'nft {nft_add_element}') + if vrf['conntrack']: + for chain, rule in nftables_rules.items(): + cmd(f'nft add rule inet vrf_zones {chain} {rule}') + + if 'name' not in vrf or not vrf['conntrack']: + for chain, rule in nftables_rules.items(): + cmd(f'nft flush chain inet vrf_zones {chain}') + # Apply FRR filters zebra_daemon = 'zebra' # Save original configuration prior to starting any commit actions |