vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is required

author: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2024-02-27 21:38:24 +0100
committer: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2024-02-27 22:35:11 +0100
commit: 6f7d1e15665655e37e8ca830e28d9650445c1217 (patch)
tree: 726b651ce6862075052515ff9c0b994c9783d44b /python
parent: bc9ccaeda54279022b73a806fa8aa77c523fbecc (diff)
download: vyos-1x-6f7d1e15665655e37e8ca830e28d9650445c1217.tar.gz
vyos-1x-6f7d1e15665655e37e8ca830e28d9650445c1217.zip
1 files changed, 18 insertions, 0 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index eee11bd2d..49e095946 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -34,6 +34,24 @@ from vyos.utils.process import call
 from vyos.utils.process import cmd
 from vyos.utils.process import run
 
+# Conntrack
+
+def conntrack_required(conf):
+    required_nodes = ['nat', 'nat66', 'load-balancing wan']
+
+    for path in required_nodes:
+        if conf.exists(path):
+            return True
+
+    firewall = conf.get_config_dict(['firewall'], key_mangling=('-', '_'),
+                                    no_tag_node_value_mangle=True, get_first_key=True)
+
+    for rules, path in dict_search_recursive(firewall, 'rule'):
+        if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+            return True
+
+    return False
+
 # Domain Resolver
 
 def fqdn_config_parse(firewall):
author	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2024-02-27 21:38:24 +0100
committer	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2024-02-27 22:35:11 +0100
commit	6f7d1e15665655e37e8ca830e28d9650445c1217 (patch)
tree	726b651ce6862075052515ff9c0b994c9783d44b /python
parent	bc9ccaeda54279022b73a806fa8aa77c523fbecc (diff)
download	vyos-1x-6f7d1e15665655e37e8ca830e28d9650445c1217.tar.gz vyos-1x-6f7d1e15665655e37e8ca830e28d9650445c1217.zip