author | Christian Poessinger <christian@poessinger.com> | 2022-09-16 21:53:17 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2022-09-16 21:55:31 +0200 |
commit | bd81d5e8d0fc2300c864754804ff8be74f14cfce (patch) | |
tree | 1ff14a097d4d750b6bd4ddf3a8383ee33034e1c8 | |
parent | 748dab43b87c3993bdd5c697e7b778ed7a8e48a1 (diff) | |
download | vyos-1x-bd81d5e8d0fc2300c864754804ff8be74f14cfce.tar.gz vyos-1x-bd81d5e8d0fc2300c864754804ff8be74f14cfce.zip |
firewall: T2199: enable "auto-merge" on sets
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report an nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
-rw-r--r-- | data/templates/firewall/nftables-defines.j2 | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 97fc123d5..5336f7ee6 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -7,6 +7,7 @@ set A_{{ group_name }} {
 type {{ ip_type }}
 flags interval
+ auto-merge
 {% if group_conf.address is vyos_defined or includes %}
 elements = { {{ group_conf.address | nft_nested_group(includes, group.address_group, 'address') | join(",") }} }
 {% endif %}
@@ -19,6 +20,7 @@ set A6_{{ group_name }} {
 type {{ ip_type }}
 flags interval
+ auto-merge
 {% if group_conf.address is vyos_defined or includes %}
 elements = { {{ group_conf.address | nft_nested_group(includes, group.ipv6_address_group, 'address') | join(",") }} }
 {% endif %}
@@ -42,6 +44,7 @@ set N_{{ group_name }} {
 type {{ ip_type }}
 flags interval
+ auto-merge
 {% if group_conf.network is vyos_defined or includes %}
 elements = { {{ group_conf.network | nft_nested_group(includes, group.network_group, 'network') | join(",") }} }
 {% endif %}
@@ -54,6 +57,7 @@ set N6_{{ group_name }} {
 type {{ ip_type }}
 flags interval
+ auto-merge
 {% if group_conf.network is vyos_defined or includes %}
 elements = { {{ group_conf.network | nft_nested_group(includes, group.ipv6_network_group, 'network') | join(",") }} }
 {% endif %}
@@ -66,6 +70,7 @@ set P_{{ group_name }} {
 type inet_service
 flags interval
+ auto-merge
 {% if group_conf.port is vyos_defined or includes %}
 elements = { {{ group_conf.port | nft_nested_group(includes, group.port_group, 'port') | join(",") }} }
 {% endif %}
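Review bot: `auto-merge` is emitted unconditionally in the `set A_` hunk and likewise in the A6_, N_, N6_ and P_ hunks, yet the commit message says the keyword only exists from nftables 1.0.3, so on a host with an older nftables the whole ruleset now fails to load rather than only the groups with overlapping intervals. If the nftables >= 1.0.3 requirement is not already pinned by the package dependencies, a template comment above the first set, `{# auto-merge requires nftables >= 1.0.3 (T2199) #}`, would tell the next maintainer why the keyword is there and why it must not be emitted for older versions. Worth documenting as well: auto-merge collapses overlapping and adjacent intervals into one element (matching semantics are presumably unchanged, being the union), so `nft list` will show merged ranges rather than the exact elements a user configured, which matters when auditing the loaded ruleset against the configuration. Each hunk header advertises seven new lines while six are visible, so the closing of each `set ... {` block appears to lie outside the hunk as shown.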