| author | John Estabrook <jestabro@vyos.io> | 2023-09-28 09:52:22 -0500 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-28 09:52:22 -0500 | 
| commit | 6aa3679187243a9d1eaa16e6e81237f00dde0c63 (patch) | |
| tree | 6012703b1be01e3fa7506ad3914dc820cb0ed355 /python | |
| parent | 8ffe4a8cdd937ce3002ed95283b10acbfb9d6351 (diff) | |
| parent | 81dee963a9ca3224ddbd54767a36efae5851a001 (diff) | |
Merge pull request #2306 from sarthurdev/fw_helper
firewall: T5614: Add support for matching on conntrack helper
Diffstat (limited to 'python')
| -rw-r--r-- | python/vyos/firewall.py | 14 | 
1 files changed, 14 insertions, 0 deletions
|
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 3ca7a25b9..7e43b815a 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -102,6 +102,20 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         if states:
             output.append(f'ct state {{{states}}}')
+    if 'conntrack_helper' in rule_conf:
+        helper_map = {'h323': ['RAS', 'Q.931'], 'nfs': ['rpc'], 'sqlnet': ['tns']}
+        helper_out = []
+
+        for helper in rule_conf['conntrack_helper']:
+            if helper in helper_map:
+                helper_out.extend(helper_map[helper])
+            else:
+                helper_out.append(helper)
+
+        if helper_out:
+            helper_str = ','.join(f'"{s}"' for s in helper_out)
+            output.append(f'ct helper {{{helper_str}}}')
+
     if 'connection_status' in rule_conf and rule_conf['connection_status']:
         status = rule_conf['connection_status']
         if status['nat'] == 'destination':
|
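Review bot: In the `else:` branch, any helper name that is not a key of `helper_map` is wrapped in double quotes and written verbatim into the `ct helper { … }` expression, so the generated nftables rule is only as well-formed as the config value. The diffstat is limited to `python`, so whatever constrains `conntrack_helper` values (presumably the CLI definition) is not visible here. If that constraint is what this code relies on, say so with a comment such as `# helper names are restricted by the CLI schema; unmapped ones are emitted as-is`, or reject names containing a quote or brace before appending. `helper_map` is also rebuilt on every call and could be a module-level constant. `parse_rule` starts and ends outside this hunk.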
