diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-01-06 09:28:29 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-06 09:28:29 +0100 |
commit | 83f281c9a3c658f2ca5df77101279f40bd9d4540 (patch) | |
tree | da884ca55ae9ede0f53b911950f3962c8e0af758 /src/conf_mode | |
parent | 0a91c5de32b52235f4c9c12a6ec34c017011c3df (diff) | |
parent | 79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0 (diff) | |
download | vyos-1x-83f281c9a3c658f2ca5df77101279f40bd9d4540.tar.gz vyos-1x-83f281c9a3c658f2ca5df77101279f40bd9d4540.zip |
Merge pull request #1139 from sarthurdev/firewall
firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/firewall.py | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 6016d94fa..75382034f 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -183,6 +183,9 @@ def verify(firewall): if name_id in preserve_chains: raise ConfigError(f'Firewall name "{name_id}" is reserved for VyOS') + if name_id.startswith("VZONE"): + raise ConfigError(f'Firewall name "{name_id}" uses reserved prefix') + if 'rule' in name_conf: for rule_id, rule_conf in name_conf['rule'].items(): verify_rule(firewall, rule_conf, name == 'ipv6_name') @@ -210,14 +213,13 @@ def cleanup_commands(firewall): continue for item in obj['nftables']: if 'chain' in item: - if item['chain']['name'] in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']: - chain = item['chain']['name'] + chain = item['chain']['name'] + if chain in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']: if 'state_policy' not in firewall: commands.append(f'delete chain {table} {chain}') else: commands.append(f'flush chain {table} {chain}') - elif item['chain']['name'] not in preserve_chains: - chain = item['chain']['name'] + elif chain not in preserve_chains and not chain.startswith("VZONE"): if table == 'ip filter' and dict_search_args(firewall, 'name', chain): commands.append(f'flush chain {table} {chain}') elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain): |