authorChristian Breunig <christian@breunig.cc>2024-07-26 13:25:19 +0200
committerChristian Breunig <christian@breunig.cc>2024-07-26 13:52:19 +0200
commitd6e9824f1612bd8c876437c071f31a1a0f44af5d (patch)
tree0fa6fc0c7678233410c21234b6c7e2631bf5c972 /src/conf_mode
parent87741c1a7b1896a0c2f220b98a79c5d3f24e1845 (diff)
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
When any of the following features is enabled — NAT, NAT66 or Firewall — for every VRF on the CLI we install one rule into nftables for conntrack: chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map } These duplicate rules are superfluous.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/vrf.py12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index 184725573..33ef70559 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -15,6 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from sys import exit
+from jmespath import search
from json import loads
from vyos.config import Config
@@ -70,6 +71,14 @@ def has_rule(af : str, priority : int, table : str=None):
return True
return False
+def is_nft_vrf_zone_rule_setup() -> bool:
+ """
+ Check if an nftables connection tracking rule already exists
+ """
+ tmp = loads(cmd('sudo nft -j list table inet vrf_zones'))
+ num_rules = len(search("nftables[].rule[].chain", tmp))
+ return bool(num_rules)
+
def vrf_interfaces(c, match):
matched = []
old_level = c.get_level()
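Review bot: `is_nft_vrf_zone_rule_setup()` answers a broader question than its docstring states: `nftables[].rule[].chain` counts every rule in the `inet vrf_zones` table regardless of chain, so a single leftover rule makes it return True and the guard in the apply() hunk below then skips installing the entire `nftables_rules` set. A partially installed table, or a chain added to `nftables_rules` in a later release, would therefore stay without its conntrack zone rule while the commit succeeds. A per-chain test keeps the guard precise — `chains = set(search("nftables[].rule[].chain", tmp) or [])` followed by `return all(chain in chains for chain in nftables_rules)` — and the `or []` also covers `search()` returning None when the table carries no rules (this assumes `nftables_rules` is module-level, as its unqualified use in apply() suggests). This is also the only nft invocation in the file that goes through `sudo`; the `nft add` calls in apply() run `nft` directly, so the two should agree. The function is complete within the hunk; its call site is in the last hunk.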
@@ -302,7 +311,8 @@ def apply(vrf):
nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}'
cmd(f'nft {nft_add_element}')
- if vrf['conntrack']:
+ # Install nftables conntrack rules only once
+ if vrf['conntrack'] and not is_nft_vrf_zone_rule_setup():
for chain, rule in nftables_rules.items():
cmd(f'nft add rule inet vrf_zones {chain} {rule}')