summaryrefslogtreecommitdiff
path: root/src/conf_mode/firewall-interface.py
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-04 20:11:31 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-05 00:14:31 +0100
commit459c7079bebe7059d90441a5014d948a92d2ee19 (patch)
treedc2c5c0466fb6e138f9f9484c9c3bd26c516cadd /src/conf_mode/firewall-interface.py
parent993b87458456bc6fcbe5aa7fbc7c0c31580032ce (diff)
downloadvyos-1x-459c7079bebe7059d90441a5014d948a92d2ee19.tar.gz
vyos-1x-459c7079bebe7059d90441a5014d948a92d2ee19.zip
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
Diffstat (limited to 'src/conf_mode/firewall-interface.py')
-rwxr-xr-xsrc/conf_mode/firewall-interface.py31
1 files changed, 17 insertions, 14 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py
index 516fa6c48..b0df9dff4 100755
--- a/src/conf_mode/firewall-interface.py
+++ b/src/conf_mode/firewall-interface.py
@@ -32,13 +32,13 @@ from vyos import airbag
airbag.enable()
NFT_CHAINS = {
- 'in': 'VYOS_FW_IN',
- 'out': 'VYOS_FW_OUT',
+ 'in': 'VYOS_FW_FORWARD',
+ 'out': 'VYOS_FW_FORWARD',
'local': 'VYOS_FW_LOCAL'
}
NFT6_CHAINS = {
- 'in': 'VYOS_FW6_IN',
- 'out': 'VYOS_FW6_OUT',
+ 'in': 'VYOS_FW6_FORWARD',
+ 'out': 'VYOS_FW6_FORWARD',
'local': 'VYOS_FW6_LOCAL'
}
@@ -91,11 +91,11 @@ def verify(if_firewall):
def generate(if_firewall):
return None
-def cleanup_rule(table, chain, ifname, new_name=None):
+def cleanup_rule(table, chain, prefix, ifname, new_name=None):
results = cmd(f'nft -a list chain {table} {chain}').split("\n")
retval = None
for line in results:
- if f'ifname "{ifname}"' in line:
+ if f'{prefix}ifname "{ifname}"' in line:
if new_name and f'jump {new_name}' in line:
# new_name is used to clear rules for any previously referenced chains
# returns true when rule exists and doesn't need to be created
@@ -108,6 +108,7 @@ def cleanup_rule(table, chain, ifname, new_name=None):
return retval
def state_policy_handle(table, chain):
+ # Find any state-policy rule to ensure interface rules are only inserted afterwards
results = cmd(f'nft -a list chain {table} {chain}').split("\n")
for line in results:
if 'jump VYOS_STATE_POLICY' in line:
@@ -126,11 +127,12 @@ def apply(if_firewall):
name = dict_search_args(if_firewall, direction, 'name')
if name:
- rule_exists = cleanup_rule('ip filter', chain, ifname, name)
- rule_action = 'insert'
- rule_prefix = ''
+ rule_exists = cleanup_rule('ip filter', chain, if_prefix, ifname, name)
if not rule_exists:
+ rule_action = 'insert'
+ rule_prefix = ''
+
handle = state_policy_handle('ip filter', chain)
if handle:
rule_action = 'add'
@@ -138,15 +140,16 @@ def apply(if_firewall):
run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {name}')
else:
- cleanup_rule('ip filter', chain, ifname)
+ cleanup_rule('ip filter', chain, if_prefix, ifname)
ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name')
if ipv6_name:
- rule_exists = cleanup_rule('ip6 filter', ipv6_chain, ifname, ipv6_name)
- rule_action = 'insert'
- rule_prefix = ''
+ rule_exists = cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname, ipv6_name)
if not rule_exists:
+ rule_action = 'insert'
+ rule_prefix = ''
+
handle = state_policy_handle('ip filter', chain)
if handle:
rule_action = 'add'
@@ -154,7 +157,7 @@ def apply(if_firewall):
run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {ipv6_name}')
else:
- cleanup_rule('ip6 filter', ipv6_chain, ifname)
+ cleanup_rule('ip6 filter', ipv6_chain, if_prefix, ifname)
return None