summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
diff options
context:
space:
mode:
Diffstat (limited to 'python/vyos/firewall.py')
-rwxr-xr-xpython/vyos/firewall.py53
1 files changed, 32 insertions, 21 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 64fed8177..314e8dfe3 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -53,25 +53,32 @@ def conntrack_required(conf):
# Domain Resolver
-def fqdn_config_parse(firewall):
- firewall['ip_fqdn'] = {}
- firewall['ip6_fqdn'] = {}
-
- for domain, path in dict_search_recursive(firewall, 'fqdn'):
- hook_name = path[1]
- priority = path[2]
-
- fw_name = path[2]
- rule = path[4]
- suffix = path[5][0]
- set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
-
- if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
- firewall['ip_fqdn'][set_name] = domain
- elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
- if path[1] == 'name':
- set_name = f'name6_{priority}_{rule}_{suffix}'
- firewall['ip6_fqdn'][set_name] = domain
+def fqdn_config_parse(config, node):
+ config['ip_fqdn'] = {}
+ config['ip6_fqdn'] = {}
+
+ for domain, path in dict_search_recursive(config, 'fqdn'):
+ if node != 'nat':
+ hook_name = path[1]
+ priority = path[2]
+
+ rule = path[4]
+ suffix = path[5][0]
+ set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
+
+ if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ config['ip_fqdn'][set_name] = domain
+ elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ if path[1] == 'name':
+ set_name = f'name6_{priority}_{rule}_{suffix}'
+ config['ip6_fqdn'][set_name] = domain
+ else:
+ # Parse FQDN for NAT
+ nat_direction = path[0]
+ nat_rule = path[2]
+ suffix = path[3][0]
+ set_name = f'{nat_direction}_{nat_rule}_{suffix}'
+ config['ip_fqdn'][set_name] = domain
def fqdn_resolve(fqdn, ipv6=False):
try:
@@ -80,8 +87,6 @@ def fqdn_resolve(fqdn, ipv6=False):
except:
return None
-# End Domain Resolver
-
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
results = cmd(f'sudo nft --handle list chain {table} {chain}').split("\n")
@@ -578,6 +583,12 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
if 'tcp_mss' in rule_conf['set']:
mss = rule_conf['set']['tcp_mss']
output.append(f'tcp option maxseg size set {mss}')
+ if 'ttl' in rule_conf['set']:
+ ttl = rule_conf['set']['ttl']
+ output.append(f'ip ttl set {ttl}')
+ if 'hop_limit' in rule_conf['set']:
+ hoplimit = rule_conf['set']['hop_limit']
+ output.append(f'ip6 hoplimit set {hoplimit}')
if 'action' in rule_conf:
if rule_conf['action'] == 'offload':