summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-01-06 09:28:29 +0100
committerGitHub <noreply@github.com>2022-01-06 09:28:29 +0100
commit83f281c9a3c658f2ca5df77101279f40bd9d4540 (patch)
treeda884ca55ae9ede0f53b911950f3962c8e0af758 /src/conf_mode
parent0a91c5de32b52235f4c9c12a6ec34c017011c3df (diff)
parent79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0 (diff)
downloadvyos-1x-83f281c9a3c658f2ca5df77101279f40bd9d4540.tar.gz
vyos-1x-83f281c9a3c658f2ca5df77101279f40bd9d4540.zip
Merge pull request #1139 from sarthurdev/firewall
firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/firewall.py10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 6016d94fa..75382034f 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -183,6 +183,9 @@ def verify(firewall):
if name_id in preserve_chains:
raise ConfigError(f'Firewall name "{name_id}" is reserved for VyOS')
+ if name_id.startswith("VZONE"):
+ raise ConfigError(f'Firewall name "{name_id}" uses reserved prefix')
+
if 'rule' in name_conf:
for rule_id, rule_conf in name_conf['rule'].items():
verify_rule(firewall, rule_conf, name == 'ipv6_name')
@@ -210,14 +213,13 @@ def cleanup_commands(firewall):
continue
for item in obj['nftables']:
if 'chain' in item:
- if item['chain']['name'] in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
- chain = item['chain']['name']
+ chain = item['chain']['name']
+ if chain in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
if 'state_policy' not in firewall:
commands.append(f'delete chain {table} {chain}')
else:
commands.append(f'flush chain {table} {chain}')
- elif item['chain']['name'] not in preserve_chains:
- chain = item['chain']['name']
+ elif chain not in preserve_chains and not chain.startswith("VZONE"):
if table == 'ip filter' and dict_search_args(firewall, 'name', chain):
commands.append(f'flush chain {table} {chain}')
elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain):