diff options
| author | Christian Poessinger <christian@poessinger.com> | 2022-01-10 23:17:32 +0100 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2022-01-10 23:17:34 +0100 |
| commit | 76d912d63ca4d15d9efe118184c405cf8273cbcf (patch) | |
| tree | 63187ba41cdf880090a3279026ad38feb111dfc7 /src/conf_mode/conntrack.py | |
| parent | 9bc2f5db25c74f7a4c10c10cf0bbdc2f1879c2db (diff) | |
| download | vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.tar.gz vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.zip | |
conntrack: T3579: dry-run newly generated config before install
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
Diffstat (limited to 'src/conf_mode/conntrack.py')
| -rwxr-xr-x | src/conf_mode/conntrack.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index b9eb8071d..aabf2bdf5 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -105,6 +105,13 @@ def generate(conntrack): render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack) render(nftables_ct_file, 'conntrack/nftables-ct.tmpl', conntrack) + # dry-run newly generated configuration + tmp = run(f'nft -c -f {nftables_ct_file}') + if tmp > 0: + if os.path.exists(nftables_ct_file): + os.unlink(nftables_ct_file) + raise ConfigError('Configuration file errors encountered!') + return None def find_nftables_ct_rule(rule): |