From 34db435e7a74ee8509777802e03927de2dd57627 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Mon, 13 Jun 2022 01:45:06 +0200 Subject: firewall: T4147: Use named sets for firewall groups * Refactor nftables clean-up code * Adds policy route test for using firewall groups --- python/vyos/firewall.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'python/vyos/firewall.py') diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index a61d0a9f8..f8f913944 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -192,7 +192,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if group_name[0] == '!': operator = '!=' group_name = group_name[1:] - output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}') + output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}') # Generate firewall group domain-group elif 'domain_group' in group: group_name = group['domain_group'] @@ -207,14 +207,14 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if group_name[0] == '!': operator = '!=' group_name = group_name[1:] - output.append(f'{ip_name} {prefix}addr {operator} $N{def_suffix}_{group_name}') + output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}') if 'mac_group' in group: group_name = group['mac_group'] operator = '' if group_name[0] == '!': operator = '!=' group_name = group_name[1:] - output.append(f'ether {prefix}addr {operator} $M_{group_name}') + output.append(f'ether {prefix}addr {operator} @M_{group_name}') if 'port_group' in group: proto = rule_conf['protocol'] group_name = group['port_group'] @@ -227,7 +227,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): operator = '!=' group_name = group_name[1:] - output.append(f'{proto} {prefix}port {operator} $P_{group_name}') + output.append(f'{proto} {prefix}port {operator} @P_{group_name}') if 'log' in rule_conf and rule_conf['log'] == 'enable': action = rule_conf['action'] if 'action' in rule_conf else 'accept' -- cgit v1.2.3 From 7e59b2a3f31edd4793264876d87af725771a222d Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Tue, 14 Jun 2022 16:19:55 +0200 Subject: firewall: T970: Use set prefix to domain groups --- data/templates/firewall/nftables.j2 | 2 +- python/vyos/firewall.py | 2 +- smoketest/scripts/cli/test_firewall.py | 6 +++--- src/conf_mode/firewall.py | 5 +++-- src/helpers/vyos-domain-group-resolve.py | 2 +- 5 files changed, 9 insertions(+), 8 deletions(-) (limited to 'python/vyos/firewall.py') diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index ca24b7db2..b91fed615 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -47,7 +47,7 @@ table ip filter { {% endfor %} {% if group is vyos_defined and group.domain_group is vyos_defined %} {% for name, name_config in group.domain_group.items() %} - set {{ name }} { + set D_{{ name }} { type ipv4_addr flags interval } diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index f8f913944..7d1278d0e 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -200,7 +200,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if group_name[0] == '!': operator = '!=' group_name = group_name[1:] - output.append(f'{ip_name} {prefix}addr {operator} @{group_name}') + output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}') elif 'network_group' in group: group_name = group['network_group'] operator = '' diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 8b8c27a9f..ce06b9074 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -62,7 +62,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['set M_smoketest_mac'], ['set N_smoketest_network'], ['set P_smoketest_port'], - ['set smoketest_domain'], + ['set D_smoketest_domain'], ['set RECENT_smoketest_4'], ['chain NAME_smoketest'] ] @@ -116,10 +116,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['elements = { 53, 123 }'], ['ether saddr @M_smoketest_mac', 'return'], ['elements = { 00:01:02:03:04:05 }'], - ['set smoketest_domain'], + ['set D_smoketest_domain'], ['elements = { 192.0.2.5, 192.0.2.8,'], ['192.0.2.10, 192.0.2.11 }'], - ['ip saddr @smoketest_domain', 'return'] + ['ip saddr @D_smoketest_domain', 'return'] ] self.verify_nftables(nftables_search, 'ip filter') diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 78dffe9dd..07eca722f 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -100,6 +100,7 @@ nested_group_types = [ group_set_prefix = { 'A_': 'address_group', 'A6_': 'ipv6_address_group', + 'D_': 'domain_group', 'M_': 'mac_group', 'N_': 'network_group', 'N6_': 'ipv6_network_group', @@ -535,8 +536,8 @@ def apply(firewall): # and add elements to nft set ip_dict = get_ips_domains_dict(domains) elements = sum(ip_dict.values(), []) - nft_init_set(group) - nft_add_set_elements(group, elements) + nft_init_set(f'D_{group}') + nft_add_set_elements(f'D_{group}', elements) else: call('systemctl stop vyos-domain-group-resolve.service') diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py index e8501cfc6..6b677670b 100755 --- a/src/helpers/vyos-domain-group-resolve.py +++ b/src/helpers/vyos-domain-group-resolve.py @@ -56,5 +56,5 @@ if __name__ == '__main__': # Resolve successful if elements: - nft_update_set_elements(set_name, elements) + nft_update_set_elements(f'D_{set_name}', elements) time.sleep(timeout) -- cgit v1.2.3