From 10a76e846be2d920e5831ec207d458b42d01fc3b Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 29 Sep 2022 11:20:57 +0200
Subject: firewall: T2199: Fix op-mode script for interface migration and
 vyos_filter table name

---
 src/op_mode/firewall.py | 52 ++++++++++++++++++++-----------------------------
 1 file changed, 21 insertions(+), 31 deletions(-)


diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py
index 0aea17b3a..950feb625 100755
--- a/src/op_mode/firewall.py
+++ b/src/op_mode/firewall.py
@@ -24,43 +24,33 @@ from vyos.config import Config
 from vyos.util import cmd
 from vyos.util import dict_search_args
 
-def get_firewall_interfaces(conf, firewall, name=None, ipv6=False):
-    interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'),
-                                      get_first_key=True, no_tag_node_value_mangle=True)
-
+def get_firewall_interfaces(firewall, name=None, ipv6=False):
     directions = ['in', 'out', 'local']
 
-    def parse_if(ifname, if_conf):
-        if 'firewall' in if_conf:
+    if 'interface' in firewall:
+        for ifname, if_conf in firewall['interface'].items():
             for direction in directions:
-                if direction in if_conf['firewall']:
-                    fw_conf = if_conf['firewall'][direction]
-                    name_str = f'({ifname},{direction})'
-
-                    if 'name' in fw_conf:
-                        fw_name = fw_conf['name']
+                if direction not in if_conf:
+                    continue
 
-                        if not name:
-                            firewall['name'][fw_name]['interface'].append(name_str)
-                        elif not ipv6 and name == fw_name:
-                            firewall['interface'].append(name_str)
+                fw_conf = if_conf[direction]
+                name_str = f'({ifname},{direction})'
 
-                    if 'ipv6_name' in fw_conf:
-                        fw_name = fw_conf['ipv6_name']
+                if 'name' in fw_conf:
+                    fw_name = fw_conf['name']
 
-                        if not name:
-                            firewall['ipv6_name'][fw_name]['interface'].append(name_str)
-                        elif ipv6 and name == fw_name:
-                            firewall['interface'].append(name_str)
+                    if not name:
+                        firewall['name'][fw_name]['interface'].append(name_str)
+                    elif not ipv6 and name == fw_name:
+                        firewall['interface'].append(name_str)
 
-        for iftype in ['vif', 'vif_s', 'vif_c']:
-            if iftype in if_conf:
-                for vifname, vif_conf in if_conf[iftype].items():
-                    parse_if(f'{ifname}.{vifname}', vif_conf)
+                if 'ipv6_name' in fw_conf:
+                    fw_name = fw_conf['ipv6_name']
 
-    for iftype, iftype_conf in interfaces.items():
-        for ifname, if_conf in iftype_conf.items():
-            parse_if(ifname, if_conf)
+                    if not name:
+                        firewall['ipv6_name'][fw_name]['interface'].append(name_str)
+                    elif ipv6 and name == fw_name:
+                        firewall['interface'].append(name_str)
 
     return firewall
 
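Review bot: In the new body `firewall['interface']` is read as a mapping (`firewall['interface'].items()`) and also used as the result list in both `elif` branches (`firewall['interface'].append(name_str)`); one object cannot serve both roles. When `name` is set, either the `.items()` call fails on a list or a matching interface reaches `.append` on a dict, depending on what the caller stored under that key (the `if name:` setup in get_config_firewall is outside the visible hunks). A per-ruleset lookup would then presumably raise instead of listing where the ruleset is applied, which is the information an operator needs when checking firewall coverage. Collect matches in a local instead: `matches = []` before the loop, `matches.append(name_str)` in the two `elif` branches, and `firewall['interface'] = matches` after the loop, with the interface mapping for a named lookup taken from the root firewall config rather than the ruleset's own dict.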
@@ -83,13 +73,13 @@ def get_config_firewall(conf, name=None, ipv6=False, interfaces=True):
                 for fw_name, name_conf in firewall['ipv6_name'].items():
                     name_conf['interface'] = []
 
-        get_firewall_interfaces(conf, firewall, name, ipv6)
+        get_firewall_interfaces(firewall, name, ipv6)
     return firewall
 
 def get_nftables_details(name, ipv6=False):
     suffix = '6' if ipv6 else ''
     name_prefix = 'NAME6_' if ipv6 else 'NAME_'
-    command = f'sudo nft list chain ip{suffix} filter {name_prefix}{name}'
+    command = f'sudo nft list chain ip{suffix} vyos_filter {name_prefix}{name}'
     try:
         results = cmd(command)
     except:
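Review bot: The rewritten `command` line still places `name` directly into a `sudo nft ...` string handed to `cmd()`, with no check on what `name` contains. How `cmd` executes the string is not visible here, so this is a hardening point rather than a confirmed injection. If the ruleset name can come from the op-mode command line, quote it, e.g. `command = f'sudo nft list chain ip{suffix} vyos_filter {shlex.quote(name_prefix + name)}'` (with `import shlex`), or reject names outside the ruleset-name character set before building the command. The bare `except:` that follows also hides the difference between a missing chain and a failed `nft` call; get_nftables_details continues past the end of the hunk, so its handling is not visible.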
-- 
cgit v1.2.3