summaryrefslogtreecommitdiff
path: root/python
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2023-12-05 19:55:57 +0000
committerGitHub <noreply@github.com>2023-12-05 19:55:57 +0000
commit99c674cdf6147a69fd57b4151886ff42917caeec (patch)
tree143e2d3ccbd75fd44bbee2133639f905cfcca961 /python
parent24b9ceb04049694a13d1fe23c76e267e335b948e (diff)
parent24a1a70596fafdd35d88506159e6cb9cd94e7a66 (diff)
downloadvyos-1x-99c674cdf6147a69fd57b4151886ff42917caeec.tar.gz
vyos-1x-99c674cdf6147a69fd57b4151886ff42917caeec.zip
Merge pull request #2574 from nicolas-fort/T5779
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>
Diffstat (limited to 'python')
-rw-r--r--python/vyos/template.py29
1 files changed, 23 insertions, 6 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 1e683b605..0e2663258 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -664,8 +664,8 @@ def nat_static_rule(rule_conf, rule_id, nat_type):
from vyos.nat import parse_nat_static_rule
return parse_nat_static_rule(rule_conf, rule_id, nat_type)
-@register_filter('conntrack_ignore_rule')
-def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
+@register_filter('conntrack_rule')
+def conntrack_rule(rule_conf, rule_id, action, ipv6=False):
ip_prefix = 'ip6' if ipv6 else 'ip'
def_suffix = '6' if ipv6 else ''
output = []
@@ -676,11 +676,15 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
output.append(f'iifname {ifname}')
if 'protocol' in rule_conf:
- proto = rule_conf['protocol']
+ if action != 'timeout':
+ proto = rule_conf['protocol']
+ else:
+ for protocol, protocol_config in rule_conf['protocol'].items():
+ proto = protocol
output.append(f'meta l4proto {proto}')
tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
- if tcp_flags:
+ if tcp_flags and action != 'timeout':
from vyos.firewall import parse_tcp_flags
output.append(parse_tcp_flags(tcp_flags))
@@ -743,11 +747,24 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
- output.append('counter notrack')
- output.append(f'comment "ignore-{rule_id}"')
+ if action == 'ignore':
+ output.append('counter notrack')
+ output.append(f'comment "ignore-{rule_id}"')
+ else:
+ output.append(f'counter ct timeout set ct-timeout-{rule_id}')
+ output.append(f'comment "timeout-{rule_id}"')
return " ".join(output)
+@register_filter('conntrack_ct_policy')
+def conntrack_ct_policy(protocol_conf):
+ output = []
+ for item in protocol_conf:
+ item_value = protocol_conf[item]
+ output.append(f'{item}: {item_value}')
+
+ return ", ".join(output)
+
@register_filter('range_to_regex')
def range_to_regex(num_range):
"""Convert range of numbers or list of ranges