summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2023-12-05 10:36:14 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2023-12-05 10:44:19 +0000
commit24a1a70596fafdd35d88506159e6cb9cd94e7a66 (patch)
tree7ff0ee8d2bf779ce758ce2b3834d968c987207a8 /python
parent7ec55fca91f2fd606e16325166b96a18dcb3d2c5 (diff)
downloadvyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.tar.gz
vyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.zip
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
Diffstat (limited to 'python')
-rw-r--r--python/vyos/template.py29
1 files changed, 23 insertions, 6 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 1e683b605..0e2663258 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -664,8 +664,8 @@ def nat_static_rule(rule_conf, rule_id, nat_type):
from vyos.nat import parse_nat_static_rule
return parse_nat_static_rule(rule_conf, rule_id, nat_type)
-@register_filter('conntrack_ignore_rule')
-def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
+@register_filter('conntrack_rule')
+def conntrack_rule(rule_conf, rule_id, action, ipv6=False):
ip_prefix = 'ip6' if ipv6 else 'ip'
def_suffix = '6' if ipv6 else ''
output = []
@@ -676,11 +676,15 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
output.append(f'iifname {ifname}')
if 'protocol' in rule_conf:
- proto = rule_conf['protocol']
+ if action != 'timeout':
+ proto = rule_conf['protocol']
+ else:
+ for protocol, protocol_config in rule_conf['protocol'].items():
+ proto = protocol
output.append(f'meta l4proto {proto}')
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
- if tcp_flags:
+ if tcp_flags and action != 'timeout':
from vyos.firewall import parse_tcp_flags
output.append(parse_tcp_flags(tcp_flags))
@@ -743,11 +747,24 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
- output.append('counter notrack')
- output.append(f'comment "ignore-{rule_id}"')
+ if action == 'ignore':
+ output.append('counter notrack')
+ output.append(f'comment "ignore-{rule_id}"')
+ else:
+ output.append(f'counter ct timeout set ct-timeout-{rule_id}')
+ output.append(f'comment "timeout-{rule_id}"')
return " ".join(output)
+@register_filter('conntrack_ct_policy')
+def conntrack_ct_policy(protocol_conf):
+ output = []
+ for item in protocol_conf:
+ item_value = protocol_conf[item]
+ output.append(f'{item}: {item_value}')
+
+ return ", ".join(output)
+
@register_filter('range_to_regex')
def range_to_regex(num_range):
"""Convert range of numbers or list of ranges