From 42f5ae2e7e729e78157c24893b984ef30bd0498d Mon Sep 17 00:00:00 2001
From: Nicolas Fort
Date: Mon, 6 Nov 2023 14:58:19 +0000
Subject: T5541: firewall: fix ZBF template and ruleset generation for loca-zone rules.

---
 data/templates/firewall/nftables-zone.j2 |  4 ++--
 src/conf_mode/firewall.py                | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 124304e77..ee468c6c1 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -39,8 +39,8 @@
     }
     chain VZONE_{{ zone_name }}_OUT {
         oifname lo counter return
-{% if zone_conf.from is vyos_defined %}
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{% if zone_conf.from_local is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
         oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
         oifname { {{ zone[from_zone].interface | join(",") }} } counter return
 {% endfor %}
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index c66b2a7ec..da22fad68 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
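Review bot: The new `zone_conf.from_local` key read in the local zone's VZONE_*_OUT chain is not a CLI node; it is synthesized in generate() of src/conf_mode/firewall.py (the second hunk of this commit) as the inverse of every other zone's `from <local-zone>` entry, and nothing in the template says so, which makes the direction of the applied ruleset easy to misread. A one-line template comment above the new `{% if %}` would fix that, e.g. `{# from_local is built in conf_mode/firewall.py: key = destination zone, value = that zone's 'from <this local zone>' config; the jump therefore applies the *destination* zone's ruleset to traffic leaving the local zone #}`. The chain continues outside the hunk, so the `{% endif %}` that closes the new `{% if %}` and the chain's default action are not visible here.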
@@ -390,6 +390,19 @@ def generate(firewall):
     if not os.path.exists(nftables_conf):
         firewall['first_install'] = True
 
+    if 'zone' in firewall:
+        for local_zone, local_zone_conf in firewall['zone'].items():
+            if 'local_zone' not in local_zone_conf:
+                continue
+
+            local_zone_conf['from_local'] = {}
+
+            for zone, zone_conf in firewall['zone'].items():
+                if zone == local_zone or 'from' not in zone_conf:
+                    continue
+                if local_zone in zone_conf['from']:
+                    local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone]
+
     # Determine if conntrack is needed
     firewall['ipv4_conntrack_action'] = 'return'
     firewall['ipv6_conntrack_action'] = 'return'
-- 
cgit v1.2.3
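Review bot: The new block silently injects a derived key into the config dict, and its name `from_local` reads as "the local zone's own from entries" while the assignment `local_zone_conf['from_local'][zone] = zone_conf['from'][local_zone]` actually stores the *other* zone's `from <local-zone>` config under that zone's name, so the ruleset later jumped to in the template is the destination zone's, not the local zone's. A short comment at the top of the block should state that inversion and where it is consumed, e.g. `# Derived, not a CLI node: for the local zone, collect each other zone's 'from <local-zone>' entry keyed by that zone, so the template can build VZONE_<local>_OUT (traffic leaving the local zone towards <zone>) from the destination zone's ruleset.` As a minor style point, the inner loop's `'from' not in zone_conf` guard and `local_zone in zone_conf['from']` test could fold into one `zone_conf.get('from', {})` lookup. generate() begins before this hunk and continues after it.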