| author | Daniil Baturin <daniil@vyos.io> | 2024-03-21 01:03:06 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-21 01:03:06 +0100 | 
| commit | 33dfe6e07e5cd33363aa22e35f827d8c59ee5e06 (patch) | |
| tree | 588597dff3c1d8762f6ce359dcfb7df35e2099ee | |
| parent | a33aacf8ab67bab183f2ec84be49966a4c939c3d (diff) | |
| parent | 62bda3b082a79c2f31483dba5bfeb19464f6dbe2 (diff) | |
Merge pull request #3159 from sarthurdev/T6147
conntrack: T6147: Enable conntrack when firewall state-policy is defined
| -rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 31 | ||||
| -rwxr-xr-x | src/conf_mode/system_conntrack.py | 16 | 
2 files changed, 31 insertions, 16 deletions
| diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 9e8473fa4..fe6977252 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -598,14 +598,30 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.verify_nftables(nftables_search, 'ip6 vyos_filter')
-    def test_ipv4_state_and_status_rules(self):
-        name = 'smoketest-state'
-        interface = 'eth0'
-
+    def test_ipv4_global_state(self):
         self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
         self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
         self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+        self.cli_commit()
+
+        nftables_search = [
+            ['jump VYOS_STATE_POLICY'],
+            ['chain VYOS_STATE_POLICY'],
+            ['ct state established', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+        # Check conntrack is enabled from state-policy
+        self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+        self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
+    def test_ipv4_state_and_status_rules(self):
+        name = 'smoketest-state'
+
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established'])
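Review bot: test_ipv4_global_state only pins the positive case: the lines under `# Check conntrack is enabled from state-policy` assert FW_CONNTRACK accepts when a state-policy is configured, but nothing in the hunk asserts that FW_CONNTRACK keeps its default when neither a state-policy nor any state/connection-status rule exists, which is the path the new if/else in generate() changes. A negative assertion in an existing state-free test (checking for `return` in FW_CONNTRACK, assuming verify_nftables_chain matches on chain body text) would pin both sides of that branch. The method name also suggests ipv4 only while it checks both `ip vyos_conntrack` and `ip6 vyos_conntrack`; a name such as `test_global_state_policy` would describe it better. The TestFirewall class continues outside the hunk.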
@@ -632,12 +648,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['ct state new', 'ct status dnat', 'accept'],
             ['ct state { established, new }', 'ct status snat', 'accept'],
             ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
-            ['drop', f'comment "{name} default-action drop"'],
-            ['jump VYOS_STATE_POLICY'],
-            ['chain VYOS_STATE_POLICY'],
-            ['ct state established', 'accept'],
-            ['ct state invalid', 'drop'],
-            ['ct state related', 'accept']
+            ['drop', f'comment "{name} default-action drop"']
         ]
         self.verify_nftables(nftables_search, 'ip vyos_filter')
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index a1472aaaa..3d42389f6 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -185,12 +185,16 @@ def generate(conntrack):
     conntrack['ipv4_firewall_action'] = 'return'
     conntrack['ipv6_firewall_action'] = 'return'
-    for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
-        if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
-            if path[0] == 'ipv4':
-                conntrack['ipv4_firewall_action'] = 'accept'
-            elif path[0] == 'ipv6':
-                conntrack['ipv6_firewall_action'] = 'accept'
+    if dict_search_args(conntrack['firewall'], 'global_options', 'state_policy') != None:
+        conntrack['ipv4_firewall_action'] = 'accept'
+        conntrack['ipv6_firewall_action'] = 'accept'
+    else:
+        for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
+            if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+                if path[0] == 'ipv4':
+                    conntrack['ipv4_firewall_action'] = 'accept'
+                elif path[0] == 'ipv6':
+                    conntrack['ipv6_firewall_action'] = 'accept'
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) |
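Review bot: The new condition compares with `!= None`; the singleton should be tested by identity, `if dict_search_args(conntrack['firewall'], 'global_options', 'state_policy') is not None:` (PEP 8 E711). The branch also lacks a why-comment; something like `# A global state-policy installs ct state matches in both the ip and ip6 vyos_filter tables, so conntrack must be enabled for both families` would spare the reader reconstructing the reason from the smoketest. Because the block is an if/else, per-rule detection is skipped whenever a state-policy exists, which is only correct while that branch already sets both actions to accept; stating that in the comment guards against a later change that lets the branches diverge and silently drops rule-based detection. generate() starts and ends outside the hunk.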
