| author | Christian Poessinger <christian@poessinger.com> | 2022-10-10 20:03:59 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-10 20:03:59 +0200 | 
| commit | dfbec80fac0a524dfd8acb394f865b95a36a2436 (patch) | |
| tree | 0db288a704757ff67c6c3cfd11b5bdaee33b4b2b | |
| parent | 9769f25fdf3bde3775ed5a0108543dc6e89745cf (diff) | |
| parent | 47984a6de93b134820e21c04101c9e844c8fc00e (diff) | |
| download | vyos-1x-dfbec80fac0a524dfd8acb394f865b95a36a2436.tar.gz vyos-1x-dfbec80fac0a524dfd8acb394f865b95a36a2436.zip | |
Merge pull request #1577 from sarthurdev/T4741
firewall: policy: T4741: T4742: Verify zone `from` is defined, autocomplete policy route tables
3 files changed, 22 insertions, 8 deletions
|
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 919881e19..17ef5101d 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -39,18 +39,22 @@
 {%     if zone_conf.local_zone is vyos_defined %}
     chain VZONE_{{ zone_name }}_IN {
         iifname lo counter return
-{%         for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
         iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
         iifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{%         endfor %}
+{%             endfor %}
+{%         endif %}
         {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
     }
     chain VZONE_{{ zone_name }}_OUT {
         oifname lo counter return
-{%         for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%         if zone_conf.from_local is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
         oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
         oifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{%         endfor %}
+{%             endfor %}
+{%         endif %}
         {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
     }
 {%     else %}
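Review bot: With the new `{% if zone_conf.from is vyos_defined %}` guard, a local zone that has no `from` entries now renders `VZONE_<zone>_IN` as only `iifname lo counter return` followed by the `nft_default_rule` line, where the old template failed at render time (and therefore at commit) on `zone_conf.from.items()`. Whether traffic from every other zone is then dropped or accepted rests entirely on what `nft_default_rule('zone_' + zone_name)` emits, which this hunk does not show; it is worth confirming that the default rule is always present and fails closed, and recording that intent above the guard: `{# no 'from' zones configured: inbound traffic is handled solely by the zone default rule below #}`. The same consideration applies to the `_OUT` chain and `from_local`. The enclosing loop that binds `zone_name`/`zone_conf`/`fw_name` lies outside the hunk.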
@@ -59,12 +63,14 @@
 {%         if zone_conf.intra_zone_filtering is vyos_defined %}
         iifname { {{ zone_conf.interface | join(",") }} } counter return
 {%         endif %}
-{%         for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
-{%             if zone[from_zone].local_zone is not defined %}
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%                 if zone[from_zone].local_zone is not defined %}
         iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
         iifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{%             endif %}
-{%         endfor %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
         {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
     }
 {%     endif %}
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index cfeba1a6c..662206336 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -198,6 +198,10 @@
           <validator name="numeric" argument="--range 1-200"/>
           <regex>(main)</regex>
         </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
       </properties>
     </leafNode>
     <leafNode name="tcp-mss">
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 5a17dbc95..35fccca50 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
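Review bot: The re-indented `{% if zone[from_zone].local_zone is not defined %}` still uses Jinja's builtin `defined` test, while the guard added directly above it and the loop filter on the same line use `vyos_defined`; if the two tests disagree on how a present-but-empty `local-zone` node is represented (not visible in this hunk), a local zone could fall through to an `iifname { }` match built from a zone that has no interfaces. Using the project test consistently, `{% if zone[from_zone].local_zone is not vyos_defined %}`, removes that ambiguity, assuming `vyos_defined` supports the negated form as the other lines suggest. As in the local-zone chain, a zone with no `from` now skips straight to `nft_default_rule`, so that default rule is the only thing standing between such a zone and unfiltered inbound traffic. The chain header and the enclosing `{% else %}` branch begin before the hunk.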
@@ -198,6 +198,10 @@
           <validator name="numeric" argument="--range 1-200"/>
           <regex>(main)</regex>
         </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
       </properties>
     </leafNode>
     <leafNode name="tcp-mss"> |
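Review bot: The added `<completionHelp>` offers every id found under `protocols static table`, but the `<constraint>` immediately above still accepts only `main` or `--range 1-200`; if static tables may be numbered beyond 200 (their own constraint is not visible here), tab completion will propose values that the validator then rejects at commit. Either align the validator range with the one used by `protocols static table`, or make the mismatch explicit for maintainers with `<!-- completion lists all static tables; the validator above still limits ids to 1-200 -->` next to the new element. The IPv6 variant changed in the previous file carries the identical pair of constraint and completion and should be kept in step with whatever is decided here.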
