diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-14 16:19:55 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-06-14 22:57:52 +0200 |
| commit | 7e59b2a3f31edd4793264876d87af725771a222d (patch) | |
| tree | 5f400fd788bd04a5e0bde9c98b04a436fe998de2 | |
| parent | 34db435e7a74ee8509777802e03927de2dd57627 (diff) | |
| download | vyos-1x-7e59b2a3f31edd4793264876d87af725771a222d.tar.gz vyos-1x-7e59b2a3f31edd4793264876d87af725771a222d.zip | |
firewall: T970: Use set prefix to domain groups
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 2 | ||||
| -rw-r--r-- | python/vyos/firewall.py | 2 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 6 | ||||
| -rwxr-xr-x | src/conf_mode/firewall.py | 5 | ||||
| -rwxr-xr-x | src/helpers/vyos-domain-group-resolve.py | 2 |
5 files changed, 9 insertions, 8 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index ca24b7db2..b91fed615 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -47,7 +47,7 @@ table ip filter { {% endfor %} {% if group is vyos_defined and group.domain_group is vyos_defined %} {% for name, name_config in group.domain_group.items() %} - set {{ name }} { + set D_{{ name }} { type ipv4_addr flags interval } diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index f8f913944..7d1278d0e 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -200,7 +200,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name): if group_name[0] == '!': operator = '!=' group_name = group_name[1:] - output.append(f'{ip_name} {prefix}addr {operator} @{group_name}') + output.append(f'{ip_name} {prefix}addr {operator} @D_{group_name}') elif 'network_group' in group: group_name = group['network_group'] operator = '' diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 8b8c27a9f..ce06b9074 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -62,7 +62,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['set M_smoketest_mac'], ['set N_smoketest_network'], ['set P_smoketest_port'], - ['set smoketest_domain'], + ['set D_smoketest_domain'], ['set RECENT_smoketest_4'], ['chain NAME_smoketest'] ] @@ -116,10 +116,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['elements = { 53, 123 }'], ['ether saddr @M_smoketest_mac', 'return'], ['elements = { 00:01:02:03:04:05 }'], - ['set smoketest_domain'], + ['set D_smoketest_domain'], ['elements = { 192.0.2.5, 192.0.2.8,'], ['192.0.2.10, 192.0.2.11 }'], - ['ip saddr @smoketest_domain', 'return'] + ['ip saddr @D_smoketest_domain', 'return'] ] self.verify_nftables(nftables_search, 'ip filter') diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 78dffe9dd..07eca722f 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -100,6 +100,7 @@ nested_group_types = [ group_set_prefix = { 'A_': 'address_group', 'A6_': 'ipv6_address_group', + 'D_': 'domain_group', 'M_': 'mac_group', 'N_': 'network_group', 'N6_': 'ipv6_network_group', @@ -535,8 +536,8 @@ def apply(firewall): # and add elements to nft set ip_dict = get_ips_domains_dict(domains) elements = sum(ip_dict.values(), []) - nft_init_set(group) - nft_add_set_elements(group, elements) + nft_init_set(f'D_{group}') + nft_add_set_elements(f'D_{group}', elements) else: call('systemctl stop vyos-domain-group-resolve.service') diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py index e8501cfc6..6b677670b 100755 --- a/src/helpers/vyos-domain-group-resolve.py +++ b/src/helpers/vyos-domain-group-resolve.py @@ -56,5 +56,5 @@ if __name__ == '__main__': # Resolve successful if elements: - nft_update_set_elements(set_name, elements) + nft_update_set_elements(f'D_{set_name}', elements) time.sleep(timeout) |