summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2025-02-20 19:33:16 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2025-02-20 19:33:16 +0100
commitac890f5e3ff7d0bb4853199204e4db7c4f1dcc3e (patch)
tree68ccbbfb117d41382ba7c8a3dfa3bf88165255ec /python
parent4d9d45a45acaa506b9cc99dbb86e12b9cb692dd1 (diff)
downloadvyos-1x-ac890f5e3ff7d0bb4853199204e4db7c4f1dcc3e.tar.gz
vyos-1x-ac890f5e3ff7d0bb4853199204e4db7c4f1dcc3e.zip
firewall: T7148: Bridge state-policy uses drop in place of reject
Diffstat (limited to 'python')
-rwxr-xr-xpython/vyos/template.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 7ba608b32..e75db1a8d 100755
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -612,12 +612,17 @@ def nft_default_rule(fw_conf, fw_name, family):
return " ".join(output)
@register_filter('nft_state_policy')
-def nft_state_policy(conf, state):
+def nft_state_policy(conf, state, bridge=False):
out = [f'ct state {state}']
+ action = conf['action'] if 'action' in conf else None
+
+ if bridge and action == 'reject':
+ action = 'drop' # T7148 - Bridge cannot use reject
+
if 'log' in conf:
log_state = state[:3].upper()
- log_action = (conf['action'] if 'action' in conf else 'accept')[:1].upper()
+ log_action = (action if action else 'accept')[:1].upper()
out.append(f'log prefix "[STATE-POLICY-{log_state}-{log_action}]"')
if 'log_level' in conf:
@@ -626,8 +631,8 @@ def nft_state_policy(conf, state):
out.append('counter')
- if 'action' in conf:
- out.append(conf['action'])
+ if action:
+ out.append(action)
return " ".join(out)
generated by cgit v1.2.3 (git 2.39.1) at 2025-03-03 22:41:26 +0000