diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-18 12:16:23 +0100 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-18 23:02:27 +0100 |
| commit | 081fc4466f200bf358fdd78b755a8732518f7df4 (patch) | |
| tree | 9187b16b15a3cd3610aa0bfb1b0b90ae21488107 | |
| parent | c77369761f9cb8bec1d026b0e5586a402f4c7285 (diff) | |
| download | vyos-1x-081fc4466f200bf358fdd78b755a8732518f7df4.tar.gz vyos-1x-081fc4466f200bf358fdd78b755a8732518f7df4.zip | |
firewall: policy: T1292: Clean up any rules required to delete a chain
| -rwxr-xr-x | src/conf_mode/firewall.py | 12 | ||||
| -rwxr-xr-x | src/conf_mode/policy-route.py | 12 |
2 files changed, 24 insertions, 0 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 906d477b0..ae46801c6 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import re from glob import glob from json import loads @@ -212,6 +213,16 @@ def verify(firewall): return None +def cleanup_rule(table, jump_chain): + commands = [] + results = cmd(f'nft -a list table {table}').split("\n") + for line in results: + if f'jump {jump_chain}' in line: + handle_search = re.search('handle (\d+)', line) + if handle_search: + commands.append(f'delete rule {table} {chain} handle {handle_search[1]}') + return commands + def cleanup_commands(firewall): commands = [] for table in ['ip filter', 'ip6 filter']: @@ -234,6 +245,7 @@ def cleanup_commands(firewall): elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain): commands.append(f'flush chain {table} {chain}') else: + commands += cleanup_rule(table, chain) commands.append(f'delete chain {table} {chain}') elif 'rule' in item: rule = item['rule'] diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py index eb13788dd..ee5197af0 100755 --- a/src/conf_mode/policy-route.py +++ b/src/conf_mode/policy-route.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import os +import re from json import loads from sys import exit @@ -160,6 +161,16 @@ def verify(policy): return None +def cleanup_rule(table, jump_chain): + commands = [] + results = cmd(f'nft -a list table {table}').split("\n") + for line in results: + if f'jump {jump_chain}' in line: + handle_search = re.search('handle (\d+)', line) + if handle_search: + commands.append(f'delete rule {table} {chain} handle {handle_search[1]}') + return commands + def cleanup_commands(policy): commands = [] for table in ['ip mangle', 'ip6 mangle']: @@ -178,6 +189,7 @@ def cleanup_commands(policy): elif table == 'ip6 mangle' and dict_search_args(policy, 'route6', chain.replace("VYOS_PBR6_", "", 1)): commands.append(f'flush chain {table} {chain}') else: + commands += cleanup_rule(table, chain) commands.append(f'delete chain {table} {chain}') return commands |