1 files changed, 47 insertions, 23 deletions

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 40399f481..cac6d2953 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -30,6 +30,9 @@ from vyos.utils.dict import dict_search_args
 from vyos.utils.dict import dict_search_recursive
 from vyos.utils.process import cmd
 from vyos.utils.process import run
+from vyos.utils.network import get_vrf_tableid
+from vyos.defaults import rt_global_table
+from vyos.defaults import rt_global_vrf
 
 # Conntrack
 def conntrack_required(conf):
@@ -164,7 +167,10 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
                 if address_mask:
                     operator = '!=' if exclude else '=='
                     operator = f'& {address_mask} {operator} '
-                output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
+                if is_ipv4(suffix):
+                    output.append(f'ip {prefix}addr {operator}{suffix}')
+                else:
+                    output.append(f'ip6 {prefix}addr {operator}{suffix}')
 
             if 'fqdn' in side_conf:
                 fqdn = side_conf['fqdn']
@@ -233,22 +239,38 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
 
             if 'group' in side_conf:
                 group = side_conf['group']
-                if 'address_group' in group:
-                    group_name = group['address_group']
-                    operator = ''
-                    exclude = group_name[0] == "!"
-                    if exclude:
-                        operator = '!='
-                        group_name = group_name[1:]
-                    if address_mask:
-                        operator = '!=' if exclude else '=='
-                        operator = f'& {address_mask} {operator}'
-                    output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
-                elif 'dynamic_address_group' in group:
+                for ipvx_address_group in ['address_group', 'ipv4_address_group', 'ipv6_address_group']:
+                    if ipvx_address_group in group:
+                        group_name = group[ipvx_address_group]
+                        operator = ''
+                        exclude = group_name[0] == "!"
+                        if exclude:
+                            operator = '!='
+                            group_name = group_name[1:]
+                        if address_mask:
+                            operator = '!=' if exclude else '=='
+                            operator = f'& {address_mask} {operator}'
+                        # for bridge, change ip_name
+                        if ip_name == 'bri':
+                            ip_name = 'ip' if ipvx_address_group == 'ipv4_address_group' else 'ip6'
+                            def_suffix = '6' if ipvx_address_group == 'ipv6_address_group' else ''
+                        output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
+                for ipvx_network_group in ['network_group', 'ipv4_network_group', 'ipv6_network_group']:
+                    if ipvx_network_group in group:
+                        group_name = group[ipvx_network_group]
+                        operator = ''
+                        if group_name[0] == "!":
+                            operator = '!='
+                            group_name = group_name[1:]
+                        # for bridge, change ip_name
+                        if ip_name == 'bri':
+                            ip_name = 'ip' if ipvx_network_group == 'ipv4_network_group' else 'ip6'
+                            def_suffix = '6' if ipvx_network_group == 'ipv6_network_group' else ''
+                        output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}')
+                if 'dynamic_address_group' in group:
                     group_name = group['dynamic_address_group']
                     operator = ''
-                    exclude = group_name[0] == "!"
-                    if exclude:
+                    if group_name[0] == "!":
                         operator = '!='
                         group_name = group_name[1:]
                     output.append(f'{ip_name} {prefix}addr {operator} @DA{def_suffix}_{group_name}')
@@ -260,13 +282,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
                         operator = '!='
                         group_name = group_name[1:]
                     output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}')
-                elif 'network_group' in group:
-                    group_name = group['network_group']
-                    operator = ''
-                    if group_name[0] == '!':
-                        operator = '!='
-                        group_name = group_name[1:]
-                    output.append(f'{ip_name} {prefix}addr {operator} @N{def_suffix}_{group_name}')
                 if 'mac_group' in group:
                     group_name = group['mac_group']
                     operator = ''
@@ -473,11 +488,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         if 'mark' in rule_conf['set']:
             mark = rule_conf['set']['mark']
             output.append(f'meta mark set {mark}')
+        if 'vrf' in rule_conf['set']:
+            set_table = True
+            vrf_name = rule_conf['set']['vrf']
+            if vrf_name == 'default':
+                table = rt_global_vrf
+            else:
+                # NOTE: VRF->table ID lookup depends on the VRF iface already existing.
+                table = get_vrf_tableid(vrf_name)
         if 'table' in rule_conf['set']:
             set_table = True
             table = rule_conf['set']['table']
             if table == 'main':
-                table = '254'
+                table = rt_global_table
+        if set_table:
             mark = 0x7FFFFFFF - int(table)
             output.append(f'meta mark set {mark}')
         if 'tcp_mss' in rule_conf['set']: