diff options
author | Daniil Baturin <daniil@vyos.io> | 2022-11-18 13:42:08 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-18 13:42:08 +0000 |
commit | 97056cad18664bea06310d59e8a769add077f6d0 (patch) | |
tree | 7fe5078144c074a447aec93831c8ec493f436ecb | |
parent | 0094bdfd15b4732a4be417f1777e903a41a8a954 (diff) | |
parent | b8bda7c8d54fb500716c78ca39107e33988311ea (diff) | |
download | vyos-1x-97056cad18664bea06310d59e8a769add077f6d0.tar.gz vyos-1x-97056cad18664bea06310d59e8a769add077f6d0.zip |
Merge pull request #1662 from jestabro/config-script-dependency
firewall: T4821: correct calling of conf_mode script dependencies
-rw-r--r-- | python/vyos/configdep.py | 65 | ||||
-rw-r--r-- | python/vyos/util.py | 8 | ||||
-rwxr-xr-x | src/conf_mode/firewall.py | 26 |
3 files changed, 83 insertions, 16 deletions
diff --git a/python/vyos/configdep.py b/python/vyos/configdep.py new file mode 100644 index 000000000..e6b82ca93 --- /dev/null +++ b/python/vyos/configdep.py @@ -0,0 +1,65 @@ +# Copyright 2022 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +import os +from inspect import stack + +from vyos.util import load_as_module + +dependents = {} + +def canon_name(name: str) -> str: + return os.path.splitext(name)[0].replace('-', '_') + +def canon_name_of_path(path: str) -> str: + script = os.path.basename(path) + return canon_name(script) + +def caller_name() -> str: + return stack()[-1].filename + +def run_config_mode_script(script: str, config): + from vyos.defaults import directories + + path = os.path.join(directories['conf_mode'], script) + name = canon_name(script) + mod = load_as_module(name, path) + + config.set_level([]) + try: + c = mod.get_config(config) + mod.verify(c) + mod.generate(c) + mod.apply(c) + except (VyOSError, ConfigError) as e: + raise ConfigError(repr(e)) + +def def_closure(script: str, config): + def func_impl(): + run_config_mode_script(script, config) + return func_impl + +def set_dependent(target: str, config): + k = canon_name_of_path(caller_name()) + l = dependents.setdefault(k, []) + func = def_closure(target, config) + l.append(func) + +def call_dependents(): + k = canon_name_of_path(caller_name()) + l = dependents.get(k, []) + while l: + f = l.pop(0) + f() diff --git a/python/vyos/util.py b/python/vyos/util.py index a80584c5a..9ebe69b6c 100644 --- a/python/vyos/util.py +++ b/python/vyos/util.py @@ -1143,3 +1143,11 @@ def camel_to_snake_case(name: str) -> str: pattern = r'\d+|[A-Z]?[a-z]+|\W|[A-Z]{2,}(?=[A-Z][a-z]|\d|\W|$)' words = re.findall(pattern, name) return '_'.join(map(str.lower, words)) + +def load_as_module(name: str, path: str): + import importlib.util + + spec = importlib.util.spec_from_file_location(name, path) + mod = importlib.util.module_from_spec(spec) + spec.loader.exec_module(mod) + return mod diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 783adec46..9fee20358 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -26,6 +26,7 @@ from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed from vyos.configdiff import get_config_diff, Diff +from vyos.configdep import set_dependent, call_dependents # from vyos.configverify import verify_interface_exists from vyos.firewall import fqdn_config_parse from vyos.firewall import geoip_update @@ -41,8 +42,8 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -nat_conf_script = '/usr/libexec/vyos/conf_mode/nat.py' -policy_route_conf_script = '/usr/libexec/vyos/conf_mode/policy-route.py' +nat_conf_script = 'nat.py' +policy_route_conf_script = 'policy-route.py' nftables_conf = '/run/nftables.conf' @@ -160,6 +161,12 @@ def get_config(config=None): firewall['zone'][zone] = dict_merge(default_values, firewall['zone'][zone]) firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) + if firewall['group_resync']: + # Update nat as firewall groups were updated + set_dependent(nat_conf_script, conf) + # Update policy route as firewall groups were updated + set_dependent(policy_route_conf_script, conf) + if 'config_trap' in firewall and firewall['config_trap'] == 'enable': diff = get_config_diff(conf) @@ -464,18 +471,6 @@ def post_apply_trap(firewall): cmd(base_cmd + ' '.join(objects)) -def resync_nat(): - # Update nat as firewall groups were updated - tmp, out = rc_cmd(nat_conf_script) - if tmp > 0: - Warning(f'Failed to re-apply nat configuration! {out}') - -def resync_policy_route(): - # Update policy route as firewall groups were updated - tmp, out = rc_cmd(policy_route_conf_script) - if tmp > 0: - Warning(f'Failed to re-apply policy route configuration! {out}') - def apply(firewall): install_result, output = rc_cmd(f'nft -f {nftables_conf}') if install_result == 1: @@ -484,8 +479,7 @@ def apply(firewall): apply_sysfs(firewall) if firewall['group_resync']: - resync_nat() - resync_policy_route() + call_dependents() # T970 Enable a resolver (systemd daemon) that checks # domain-group/fqdn addresses and update entries for domains by timeout |