authorChristian Poessinger <christian@poessinger.com>2022-01-10 23:17:32 +0100
committerChristian Poessinger <christian@poessinger.com>2022-01-10 23:17:34 +0100
commit76d912d63ca4d15d9efe118184c405cf8273cbcf (patch)
tree63187ba41cdf880090a3279026ad38feb111dfc7
parent9bc2f5db25c74f7a4c10c10cf0bbdc2f1879c2db (diff)
downloadvyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.tar.gz
vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.zip
conntrack: T3579: dry-run newly generated config before install
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables to check whether it can be loaded at all or whether it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
-rwxr-xr-xsrc/conf_mode/conntrack.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index b9eb8071d..aabf2bdf5 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -105,6 +105,13 @@ def generate(conntrack):
render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
render(nftables_ct_file, 'conntrack/nftables-ct.tmpl', conntrack)
+ # dry-run newly generated configuration
+ tmp = run(f'nft -c -f {nftables_ct_file}')
+ if tmp > 0:
+ if os.path.exists(nftables_ct_file):
+ os.unlink(nftables_ct_file)
+ raise ConfigError('Configuration file errors encountered!')
+
return None
def find_nftables_ct_rule(rule):
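Review bot: The dry-run guard `if tmp > 0:` only treats a positive exit status as a failure; if `run()` hands back the raw subprocess return code, a `nft` process killed by a signal yields a negative value, so the check passes and an unverified file stays on disk — `if tmp != 0:` covers both cases. The raised `ConfigError('Configuration file errors encountered!')` also drops nft's own diagnostic output, so the operator is not told which rule failed to parse; if this module has access to a helper that captures stderr (`vyos.util.cmd` or similar), running the check through it and folding its message into the ConfigError would make the failure actionable. A comment such as `# nft -c parses and checks the ruleset without committing it to the kernel` above the `run()` call would document why `-c` is used. The enclosing `generate()` starts outside the hunk.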