author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-14 03:01:56 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-16 13:20:10 +0200 |
commit | 734d84f696944419a2d6f11bc16dda03900add34 (patch) | |
tree | c87f245e4c9dafd9941438831e62197518e8a46a /src/conf_mode/firewall.py | |
parent | 27ad9f5ba6437d66178450b37c7a5bf79bc3d67a (diff) | |
download | vyos-1x-734d84f696944419a2d6f11bc16dda03900add34.tar.gz vyos-1x-734d84f696944419a2d6f11bc16dda03900add34.zip |
conntrack: T5571: Refactor conntrack to be independent conf script from firewall, nat, nat66
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 24 |
1 files changed, 2 insertions, 22 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 769cc598f..d999b2a64 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -141,13 +141,7 @@ def get_config(config=None):
 fqdn_config_parse(firewall)
- firewall['flowtable_enabled'] = False
- flow_offload = dict_search_args(firewall, 'global_options', 'flow_offload')
- if flow_offload and 'disable' not in flow_offload:
- for offload_type in ('software', 'hardware'):
- if dict_search_args(flow_offload, offload_type, 'interface'):
- firewall['flowtable_enabled'] = True
- break
+ set_dependents('conntrack', conf)
 return firewall
@@ -350,19 +344,6 @@ def generate(firewall):
 if not os.path.exists(nftables_conf):
 firewall['first_install'] = True
- # Determine if conntrack is needed
- firewall['ipv4_conntrack_action'] = 'return'
- firewall['ipv6_conntrack_action'] = 'return'
- if firewall['flowtable_enabled']: # Netfilter's flowtable offload requires conntrack
- firewall['ipv4_conntrack_action'] = 'accept'
- firewall['ipv6_conntrack_action'] = 'accept'
- else: # Check if conntrack is needed by firewall rules
- for proto in ('ipv4', 'ipv6'):
- for rules, _ in dict_search_recursive(firewall.get(proto, {}), 'rule'):
- if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()):
- firewall[f'{proto}_conntrack_action'] = 'accept'
- break
-
 render(nftables_conf, 'firewall/nftables.j2', firewall)
 return None
@@ -392,8 +373,7 @@ def apply(firewall):
 apply_sysfs(firewall)
- if firewall['group_resync']:
- call_dependents()
+ call_dependents()
 # T970 Enable a resolver (systemd daemon) that checks
 # domain-group/fqdn addresses and update entries for domains by timeout
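Review bot: The new `set_dependents('conntrack', conf)` line silently moves the decision of whether conntrack is required (flowtable offload, or rules matching on `state`/`connection_status`) out of this script, but nothing here records that the keys `flowtable_enabled`, `ipv4_conntrack_action` and `ipv6_conntrack_action` are no longer populated in the `firewall` dict that is still passed to `render(nftables_conf, 'firewall/nftables.j2', firewall)`. Because this diffstat is limited to firewall.py, a reviewer cannot see from this page whether the template and the new conntrack script were updated in step; if the template still references those keys the nftables ruleset would render with conntrack chains returning instead of accepting, which presumably degrades stateful rules rather than failing loudly. I would add a comment above the new line, `# conntrack.py now decides whether conntrack is needed (flowtable offload, state/connection_status rules) and is run via call_dependents() in apply(); keep its detection in sync with the rule options this script accepts`. The body of get_config starts outside the hunk.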
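Review bot: Making `call_dependents()` unconditional in apply() is the right consequence of registering conntrack as a dependent in get_config, but the hunk drops the `firewall['group_resync']` gate without a word on why, and it widens the change to every dependent this script has registered, not only conntrack. A reader later will not know whether `group_resync` is now dead state or still consumed elsewhere; it is presumably still set in get_config above this hunk, so a short comment would help: `# dependents (conntrack and any group resync consumers) must re-run on every firewall commit, not only when groups changed`. Note also that the dependents run after apply_sysfs and the nftables ruleset have already been applied, so any failure inside a dependent leaves the new ruleset in place; if that is intended it is worth stating in the same comment. The rest of apply() lies outside the hunk.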