diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-12-05 10:36:14 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-12-05 10:44:19 +0000 |
commit | 24a1a70596fafdd35d88506159e6cb9cd94e7a66 (patch) | |
tree | 7ff0ee8d2bf779ce758ce2b3834d968c987207a8 /python | |
parent | 7ec55fca91f2fd606e16325166b96a18dcb3d2c5 (diff) | |
download | vyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.tar.gz vyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.zip |
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/template.py | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py index 1e683b605..0e2663258 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -664,8 +664,8 @@ def nat_static_rule(rule_conf, rule_id, nat_type): from vyos.nat import parse_nat_static_rule return parse_nat_static_rule(rule_conf, rule_id, nat_type) -@register_filter('conntrack_ignore_rule') -def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False): +@register_filter('conntrack_rule') +def conntrack_rule(rule_conf, rule_id, action, ipv6=False): ip_prefix = 'ip6' if ipv6 else 'ip' def_suffix = '6' if ipv6 else '' output = [] @@ -676,11 +676,15 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False): output.append(f'iifname {ifname}') if 'protocol' in rule_conf: - proto = rule_conf['protocol'] + if action != 'timeout': + proto = rule_conf['protocol'] + else: + for protocol, protocol_config in rule_conf['protocol'].items(): + proto = protocol output.append(f'meta l4proto {proto}') tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags') - if tcp_flags: + if tcp_flags and action != 'timeout': from vyos.firewall import parse_tcp_flags output.append(parse_tcp_flags(tcp_flags)) @@ -743,11 +747,24 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False): output.append(f'{proto} {prefix}port {operator} @P_{group_name}') - output.append('counter notrack') - output.append(f'comment "ignore-{rule_id}"') + if action == 'ignore': + output.append('counter notrack') + output.append(f'comment "ignore-{rule_id}"') + else: + output.append(f'counter ct timeout set ct-timeout-{rule_id}') + output.append(f'comment "timeout-{rule_id}"') return " ".join(output) +@register_filter('conntrack_ct_policy') +def conntrack_ct_policy(protocol_conf): + output = [] + for item in protocol_conf: + item_value = protocol_conf[item] + output.append(f'{item}: {item_value}') + + return ", ".join(output) + @register_filter('range_to_regex') def range_to_regex(num_range): """Convert range of numbers or list of ranges |