diff options
| author | Nataliia Solomko <natalirs1985@gmail.com> | 2025-06-13 12:20:40 +0300 |
|---|---|---|
| committer | Nataliia Solomko <natalirs1985@gmail.com> | 2025-06-17 18:16:51 +0300 |
| commit | 8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f (patch) | |
| tree | 970a4f45190b216eabe7aa581e1faa611d79ab09 /python | |
| parent | 09f63fb975daaefe843641c5ffbec34ddf6b18de (diff) | |
| download | vyos-1x-8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f.tar.gz vyos-1x-8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f.zip | |
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
Diffstat (limited to 'python')
| -rwxr-xr-x | python/vyos/template.py | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py index bf7928914..bf2f13183 100755 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -674,6 +674,29 @@ def nft_nested_group(out_list, includes, groups, key): add_includes(name) return out_list +@register_filter('nft_accept_invalid') +def nft_accept_invalid(ether_type): + ether_type_mapping = { + 'dhcp': 'udp sport 67 udp dport 68', + 'arp': 'arp', + 'pppoe-discovery': '0x8863', + 'pppoe': '0x8864', + '802.1q': '8021q', + '802.1ad': '8021ad', + 'wol': '0x0842', + } + if ether_type not in ether_type_mapping: + raise RuntimeError(f'Ethernet type "{ether_type}" not found in ' \ + 'available ethernet types!') + out = 'ct state invalid ' + + if ether_type != 'dhcp': + out += 'ether type ' + + out += f'{ether_type_mapping[ether_type]} counter accept' + + return out + @register_filter('nat_rule') def nat_rule(rule_conf, rule_id, nat_type, ipv6=False): from vyos.nat import parse_nat_rule |