diff options
author | Christian Breunig <christian@breunig.cc> | 2024-07-26 13:25:19 +0200 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-07-30 07:47:39 +0000 |
commit | a05251f766c68fbff506bc01f6c095350f904bb7 (patch) | |
tree | f2bce85e35c4d366f451dc9b51f3b9d12616c74f /src | |
parent | 7db9c020e27289ec307cb821ac651af4dcef3cec (diff) | |
download | vyos-1x-a05251f766c68fbff506bc01f6c095350f904bb7.tar.gz vyos-1x-a05251f766c68fbff506bc01f6c095350f904bb7.zip |
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname
When any of the following features NAT, NAT66 or Firewall is enabled, for every
VRF on the CLI we install one rule into nftables for conntrack:
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map
counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map
counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map
}
This is superfluous.
(cherry picked from commit d6e9824f1612bd8c876437c071f31a1a0f44af5d)
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/vrf.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 184725573..33ef70559 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from sys import exit +from jmespath import search from json import loads from vyos.config import Config @@ -70,6 +71,14 @@ def has_rule(af : str, priority : int, table : str=None): return True return False +def is_nft_vrf_zone_rule_setup() -> bool: + """ + Check if an nftables connection tracking rule already exists + """ + tmp = loads(cmd('sudo nft -j list table inet vrf_zones')) + num_rules = len(search("nftables[].rule[].chain", tmp)) + return bool(num_rules) + def vrf_interfaces(c, match): matched = [] old_level = c.get_level() @@ -302,7 +311,8 @@ def apply(vrf): nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' cmd(f'nft {nft_add_element}') - if vrf['conntrack']: + # Install nftables conntrack rules only once + if vrf['conntrack'] and not is_nft_vrf_zone_rule_setup(): for chain, rule in nftables_rules.items(): cmd(f'nft add rule inet vrf_zones {chain} {rule}') |