diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-03 22:17:08 +0100 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-04 00:26:48 +0100 |
| commit | 84a83ecc4c78bf2e0954658ea539e42b4c015fa2 (patch) | |
| tree | 4d795067c873e50a7471246933a432a12f8ef160 /python | |
| parent | 28b285b4791aece18fe1bbd76f3d555370545006 (diff) | |
| download | vyos-1x-84a83ecc4c78bf2e0954658ea539e42b4c015fa2.tar.gz vyos-1x-84a83ecc4c78bf2e0954658ea539e42b4c015fa2.zip | |
firewall: T4130: Fix firewall state-policy errors
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/template.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py index e20890e25..965bb4ed0 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -493,7 +493,7 @@ def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'): return parse_rule(rule_conf, fw_name, rule_id, ip_name) @register_filter('nft_state_policy') -def nft_state_policy(conf, state): +def nft_state_policy(conf, state, ipv6=False): out = [f'ct state {state}'] if 'log' in conf and 'enable' in conf['log']: @@ -502,7 +502,11 @@ def nft_state_policy(conf, state): out.append('counter') if 'action' in conf: - out.append(conf['action']) + if conf['action'] == 'accept': + jump_target = 'VYOS_POST_FW6' if ipv6 else 'VYOS_POST_FW' + out.append(f'jump {jump_target}') + else: + out.append(conf['action']) return " ".join(out) |