authorChristian Poessinger <christian@poessinger.com>2022-04-13 22:52:54 +0200
committerChristian Poessinger <christian@poessinger.com>2022-04-13 22:55:46 +0200
commit90a84a0bb1f7293a8df76f3449efcc7da813c425 (patch)
tree32d896d991c56b175ae873063e6e46e92550cac5 /data
parent97ffa1cc71bc6d5dc38a4b26fcaae9c29da24fb5 (diff)
downloadvyos-1x-90a84a0bb1f7293a8df76f3449efcc7da813c425.tar.gz
vyos-1x-90a84a0bb1f7293a8df76f3449efcc7da813c425.zip
firewall: T4333: migrate to new vyos_defined Jinja2 test
Diffstat (limited to 'data')
-rw-r--r--data/templates/firewall/nftables-defines.tmpl14
-rw-r--r--data/templates/firewall/upnpd.conf.tmpl24
-rw-r--r--data/templates/zone_policy/nftables.tmpl26
3 files changed, 32 insertions, 32 deletions
diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl
index d9eb7c199..66d31093b 100644
--- a/data/templates/firewall/nftables-defines.tmpl
+++ b/data/templates/firewall/nftables-defines.tmpl
@@ -1,30 +1,30 @@
-{% if group is defined %}
-{% if group.address_group is defined %}
+{% if group is vyos_defined %}
+{% if group.address_group is vyos_defined %}
{% for group_name, group_conf in group.address_group.items() %}
define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
{% endfor %}
{% endif %}
-{% if group.ipv6_address_group is defined %}
+{% if group.ipv6_address_group is vyos_defined %}
{% for group_name, group_conf in group.ipv6_address_group.items() %}
define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
{% endfor %}
{% endif %}
-{% if group.mac_group is defined %}
+{% if group.mac_group is vyos_defined %}
{% for group_name, group_conf in group.mac_group.items() %}
define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
{% endfor %}
{% endif %}
-{% if group.network_group is defined %}
+{% if group.network_group is vyos_defined %}
{% for group_name, group_conf in group.network_group.items() %}
define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
{% endfor %}
{% endif %}
-{% if group.ipv6_network_group is defined %}
+{% if group.ipv6_network_group is vyos_defined %}
{% for group_name, group_conf in group.ipv6_network_group.items() %}
define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
{% endfor %}
{% endif %}
-{% if group.port_group is defined %}
+{% if group.port_group is vyos_defined %}
{% for group_name, group_conf in group.port_group.items() %}
define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
{% endfor %}
diff --git a/data/templates/firewall/upnpd.conf.tmpl b/data/templates/firewall/upnpd.conf.tmpl
index 39cb21373..6e73995fa 100644
--- a/data/templates/firewall/upnpd.conf.tmpl
+++ b/data/templates/firewall/upnpd.conf.tmpl
@@ -2,7 +2,7 @@
# WAN network interface
ext_ifname={{ wan_interface }}
-{% if wan_ip is defined %}
+{% if wan_ip is vyos_defined %}
# If the WAN interface has several IP addresses, you
# can specify the one to use below
{% for addr in wan_ip %}
@@ -11,7 +11,7 @@ ext_ip={{ addr }}
{% endif %}
# LAN network interfaces IPs / networks
-{% if listen is defined %}
+{% if listen is vyos_defined %}
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
@@ -45,7 +45,7 @@ listening_ip={{ addr }}
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
-{% if nat_pmp is defined %}
+{% if nat_pmp is vyos_defined %}
# Enable NAT-PMP support (default is no)
enable_natpmp=yes
{% endif %}
@@ -53,14 +53,14 @@ enable_natpmp=yes
# Enable UPNP support (default is yes)
enable_upnp=yes
-{% if pcp_lifetime is defined %}
+{% if pcp_lifetime is vyos_defined %}
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
-{% if pcp_lifetime.max is defined %}
+{% if pcp_lifetime.max is vyos_defined %}
max_lifetime={{ pcp_lifetime.max }}
{% endif %}
-{% if pcp_lifetime.min is defined %}
+{% if pcp_lifetime.min is vyos_defined %}
min_lifetime={{ pcp_lifetime.min }}
{% endif %}
{% endif %}
@@ -69,7 +69,7 @@ min_lifetime={{ pcp_lifetime.min }}
# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
-{% if friendly_name is defined %}
+{% if friendly_name is vyos_defined %}
# Name of this service, default is "`uname -s` router"
friendly_name= {{ friendly_name }}
{% endif %}
@@ -89,7 +89,7 @@ model_description=Vyos open source enterprise router/firewall operating system
# Model URL, default is URL of OS vendor
model_url=https://vyos.io/
-{% if secure_mode is defined %}
+{% if secure_mode is vyos_defined %}
# Secure Mode, UPnP clients can only add mappings to their own IP
secure_mode=yes
{% else %}
@@ -97,7 +97,7 @@ secure_mode=yes
secure_mode=no
{% endif %}
-{% if presentation_url is defined %}
+{% if presentation_url is vyos_defined %}
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
@@ -129,7 +129,7 @@ lease_file=/config/upnp.leases
#serial=12345678
#model_number=1
-{% if rules is defined %}
+{% if rules is vyos_defined %}
# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
@@ -143,13 +143,13 @@ lease_file=/config/upnp.leases
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
{% for rule, config in rules.items() %}
-{% if config.disable is defined %}
+{% if config.disable is vyos_defined %}
{{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }}
{% endif %}
{% endfor %}
{% endif %}
-{% if stun is defined %}
+{% if stun is vyos_defined %}
# WAN interface must have public IP address. Otherwise it is behind NAT
# and port forwarding is impossible. In some cases WAN interface can be
# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
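Review bot: The condition on the changed line `{% if config.disable is vyos_defined %}` emits a permission rule only when the rule carries a `disable` node, which reads as inverted if `disable` marks a rule as switched off: disabled rules would be written into upnpd's permission list and enabled ones dropped. The pre-existing `is defined` had the same shape, so the commit preserves rather than introduces it, but a mechanical migration of the test is the moment to confirm the intent, especially given the `CAUTION` comment a few lines above about unenforced rules. If the inversion is real, the guard should be `{% if config.disable is not vyos_defined %}`. The `{% if rules is vyos_defined %}` block opened in the previous hunk is closed by the `{% endif %}` in this one.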
diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl
index 4a6bd2772..9e532b79e 100644
--- a/data/templates/zone_policy/nftables.tmpl
+++ b/data/templates/zone_policy/nftables.tmpl
@@ -1,18 +1,18 @@
#!/usr/sbin/nft -f
-{% if cleanup_commands is defined %}
+{% if cleanup_commands is vyos_defined %}
{% for command in cleanup_commands %}
{{ command }}
{% endfor %}
{% endif %}
-{% if zone is defined %}
+{% if zone is vyos_defined %}
table ip filter {
{% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %}
-{% if zone_conf.local_zone is defined %}
+{% if zone_conf.local_zone is vyos_defined %}
chain VZONE_{{ zone_name }}_IN {
iifname lo counter return
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
@@ -20,7 +20,7 @@ table ip filter {
}
chain VZONE_{{ zone_name }}_OUT {
oifname lo counter return
-{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %}
+{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %}
oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
@@ -29,10 +29,10 @@ table ip filter {
{% else %}
chain VZONE_{{ zone_name }} {
iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }}
-{% if zone_conf.intra_zone_filtering is defined %}
+{% if zone_conf.intra_zone_filtering is vyos_defined %}
iifname { {{ zone_conf.interface | join(",") }} } counter return
{% endif %}
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %}
{% if zone[from_zone].local_zone is not defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
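Review bot: The `{% if zone[from_zone].local_zone is not defined %}` guard directly below the changed for-loop line is left on the plain `defined` test while every other existence check in this file moves to `vyos_defined`; the ip6 counterpart in the `@@ -66,10 +66,10 @@` hunk has the same leftover. If `vyos_defined` and `defined` disagree for any input (for example a key present with a `None` value — its semantics are not shown on this page), the loop filter and the inner guard would classify the same zone data differently. Changing both to `{% if zone[from_zone].local_zone is not vyos_defined %}` keeps a single test throughout the template. The enclosing `chain VZONE_{{ zone_name }}` block continues past the end of this hunk.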
@@ -46,10 +46,10 @@ table ip filter {
table ip6 filter {
{% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %}
-{% if zone_conf.local_zone is defined %}
+{% if zone_conf.local_zone is vyos_defined %}
chain VZONE6_{{ zone_name }}_IN {
iifname lo counter return
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
@@ -57,7 +57,7 @@ table ip6 filter {
}
chain VZONE6_{{ zone_name }}_OUT {
oifname lo counter return
-{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %}
+{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %}
oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
@@ -66,10 +66,10 @@ table ip6 filter {
{% else %}
chain VZONE6_{{ zone_name }} {
iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }}
-{% if zone_conf.intra_zone_filtering is defined %}
+{% if zone_conf.intra_zone_filtering is vyos_defined %}
iifname { {{ zone_conf.interface | join(",") }} } counter return
{% endif %}
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %}
{% if zone[from_zone].local_zone is not defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
@@ -101,7 +101,7 @@ insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join(
{% endfor %}
{# Ensure that state-policy rule is first in the chain #}
-{% if firewall.state_policy is defined %}
+{% if firewall.state_policy is vyos_defined %}
{% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %}
insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY
{% endfor %}