diff options
| author | Christian Poessinger <christian.poessinger@rohde-schwarz.com> | 2022-01-04 05:11:52 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-04 05:11:52 +0100 |
| commit | 993b87458456bc6fcbe5aa7fbc7c0c31580032ce (patch) | |
| tree | c9ee8b805606ea2b57d7cb6ce13d884d91df2799 /src/conf_mode/firewall-interface.py | |
| parent | 5a73c946000902f6e445b0803ca090f7fc6e0954 (diff) | |
| parent | 9213d9cc7bcd731baaf606fcdc956764482f45e9 (diff) | |
| download | vyos-1x-993b87458456bc6fcbe5aa7fbc7c0c31580032ce.tar.gz vyos-1x-993b87458456bc6fcbe5aa7fbc7c0c31580032ce.zip | |
Merge pull request #1130 from sarthurdev/firewall
firewall: T4130: Fix firewall state-policy errors
Diffstat (limited to 'src/conf_mode/firewall-interface.py')
| -rwxr-xr-x | src/conf_mode/firewall-interface.py | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/src/conf_mode/firewall-interface.py b/src/conf_mode/firewall-interface.py index 3a17dc5a4..516fa6c48 100755 --- a/src/conf_mode/firewall-interface.py +++ b/src/conf_mode/firewall-interface.py @@ -107,6 +107,15 @@ def cleanup_rule(table, chain, ifname, new_name=None): run(f'nft delete rule {table} {chain} handle {handle_search[1]}') return retval +def state_policy_handle(table, chain): + results = cmd(f'nft -a list chain {table} {chain}').split("\n") + for line in results: + if 'jump VYOS_STATE_POLICY' in line: + handle_search = re.search('handle (\d+)', line) + if handle_search: + return handle_search[1] + return None + def apply(if_firewall): ifname = if_firewall['ifname'] @@ -118,18 +127,32 @@ def apply(if_firewall): name = dict_search_args(if_firewall, direction, 'name') if name: rule_exists = cleanup_rule('ip filter', chain, ifname, name) + rule_action = 'insert' + rule_prefix = '' if not rule_exists: - run(f'nft insert rule ip filter {chain} {if_prefix}ifname {ifname} counter jump {name}') + handle = state_policy_handle('ip filter', chain) + if handle: + rule_action = 'add' + rule_prefix = f'position {handle}' + + run(f'nft {rule_action} rule ip filter {chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {name}') else: cleanup_rule('ip filter', chain, ifname) ipv6_name = dict_search_args(if_firewall, direction, 'ipv6_name') if ipv6_name: rule_exists = cleanup_rule('ip6 filter', ipv6_chain, ifname, ipv6_name) + rule_action = 'insert' + rule_prefix = '' if not rule_exists: - run(f'nft insert rule ip6 filter {ipv6_chain} {if_prefix}ifname {ifname} counter jump {ipv6_name}') + handle = state_policy_handle('ip filter', chain) + if handle: + rule_action = 'add' + rule_prefix = f'position {handle}' + + run(f'nft {rule_action} rule ip6 filter {ipv6_chain} {rule_prefix} {if_prefix}ifname {ifname} counter jump {ipv6_name}') else: cleanup_rule('ip6 filter', ipv6_chain, ifname) |