author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-04 20:11:31 +0100 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-05 00:14:31 +0100 |
commit | 459c7079bebe7059d90441a5014d948a92d2ee19 (patch) | |
tree | dc2c5c0466fb6e138f9f9484c9c3bd26c516cadd /src/conf_mode/firewall.py | |
parent | 993b87458456bc6fcbe5aa7fbc7c0c31580032ce (diff) | |
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-x | src/conf_mode/firewall.py | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 8e037c679..6016d94fa 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -53,14 +53,12 @@ preserve_chains = [
 'INPUT',
 'FORWARD',
 'OUTPUT',
- 'VYOS_FW_IN',
- 'VYOS_FW_OUT',
+ 'VYOS_FW_FORWARD',
 'VYOS_FW_LOCAL',
 'VYOS_FW_OUTPUT',
 'VYOS_POST_FW',
 'VYOS_FRAG_MARK',
- 'VYOS_FW6_IN',
- 'VYOS_FW6_OUT',
+ 'VYOS_FW6_FORWARD',
 'VYOS_FW6_LOCAL',
 'VYOS_FW6_OUTPUT',
 'VYOS_POST_FW6',
@@ -228,7 +226,7 @@ def cleanup_commands(firewall):
 commands.append(f'delete chain {table} {chain}')
 elif 'rule' in item:
 rule = item['rule']
- if rule['chain'] in ['VYOS_FW_IN', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL', 'VYOS_FW6_IN', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
+ if rule['chain'] in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL', 'VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
 if 'expr' in rule and any([True for expr in rule['expr'] if dict_search_args(expr, 'jump', 'target') == state_chain]):
 if 'state_policy' not in firewall:
 chain = rule['chain']
@@ -303,7 +301,7 @@ def post_apply_trap(firewall):
 def state_policy_rule_exists():
 # Determine if state policy rules already exist in nft
- search_str = cmd(f'nft list chain ip filter VYOS_FW_IN')
+ search_str = cmd(f'nft list chain ip filter VYOS_FW_FORWARD')
 return 'VYOS_STATE_POLICY' in search_str
 def apply(firewall):
@@ -317,10 +315,10 @@ def apply(firewall):
 raise ConfigError('Failed to apply firewall')
 if 'state_policy' in firewall and not state_policy_rule_exists():
- for chain in ['VYOS_FW_IN', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']:
+ for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']:
 cmd(f'nft insert rule ip filter {chain} jump VYOS_STATE_POLICY')
- for chain in ['VYOS_FW6_IN', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
+ for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
 cmd(f'nft insert rule ip6 filter {chain} jump VYOS_STATE_POLICY6')
 apply_sysfs(firewall) |
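Review bot: The same chain names are now written out by hand in four places — this preserve_chains list, the membership test in cleanup_commands, the probe in state_policy_rule_exists and both loops in apply — so a rename like the one this commit performs has to be repeated in every copy, and a missed copy would leave one code path protecting or cleaning the wrong chain. A module-level pair of constants, e.g. `STATE_POLICY_CHAINS = ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']` and `STATE_POLICY_CHAINS6 = ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']`, would let this list, cleanup_commands and apply all derive from one definition. Dropping 'VYOS_FW_IN'/'VYOS_FW_OUT' here presumably also means any such chains still present in a running ruleset from before this change are no longer shielded from cleanup, which looks intended but deserves a one-line comment on the list. The preserve_chains literal is opened in the hunk header and closed outside the hunk.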
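Review bot: state_policy_rule_exists still answers for all six chains by probing only the IPv4 VYOS_FW_FORWARD chain, and apply (the following hunk) inserts the VYOS_STATE_POLICY jump into every chain or into none based on that single answer; if the ip6 filter chains, or VYOS_FW_OUTPUT/VYOS_FW_LOCAL, lose their jump while VYOS_FW_FORWARD keeps it, the state policy would not be restored for them on the next apply. A per-chain check makes the insertion idempotent without one chain standing in for the rest; the `f` prefix on the probe string is also unnecessary now that it holds no placeholders. The helper below keeps the old zero-argument call working via defaults, and apply's two loops would guard each insertion with `if not state_policy_rule_exists('ip', chain):` (and `'ip6'` for the second loop) instead of the single check at the top.
```python
def state_policy_rule_exists(family='ip', chain='VYOS_FW_FORWARD'):
    # Determine if the state policy jump is already present in this chain
    search_str = cmd(f'nft list chain {family} filter {chain}')
    return 'VYOS_STATE_POLICY' in search_str
```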