authorChristian Poessinger <christian@poessinger.com>2022-01-05 01:23:06 +0100
committerGitHub <noreply@github.com>2022-01-05 01:23:06 +0100
commit7eadd337bed031334629cfb29a6b5f69f88efe32 (patch)
tree77721249f1546d2a7face3913a76384bea5b6ab1 /src/conf_mode/firewall.py
parentf809139c04e5c18299a3b5929eb1c712a20a5535 (diff)
parent459c7079bebe7059d90441a5014d948a92d2ee19 (diff)
Merge pull request #1134 from sarthurdev/firewall
firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and zone-policy
Diffstat (limited to 'src/conf_mode/firewall.py')
-rwxr-xr-xsrc/conf_mode/firewall.py14
1 files changed, 6 insertions, 8 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 8e037c679..6016d94fa 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -53,14 +53,12 @@ preserve_chains = [
'INPUT',
'FORWARD',
'OUTPUT',
- 'VYOS_FW_IN',
- 'VYOS_FW_OUT',
+ 'VYOS_FW_FORWARD',
'VYOS_FW_LOCAL',
'VYOS_FW_OUTPUT',
'VYOS_POST_FW',
'VYOS_FRAG_MARK',
- 'VYOS_FW6_IN',
- 'VYOS_FW6_OUT',
+ 'VYOS_FW6_FORWARD',
'VYOS_FW6_LOCAL',
'VYOS_FW6_OUTPUT',
'VYOS_POST_FW6',
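Review bot: Removing `VYOS_FW_IN`/`VYOS_FW_OUT` and `VYOS_FW6_IN`/`VYOS_FW6_OUT` from `preserve_chains` changes what `cleanup_commands` will delete, not just what the chains are called: on a system still running the pre-rename ruleset those four chains now fall through to the `delete chain` branch (visible in the next hunk), and if a base chain still jumps to them nft rejects the delete — that failure mode is inferred, since the rest of `cleanup_commands` is outside this hunk. Since nothing in the list says the omission is deliberate, a maintainer could later "fix" it by re-adding the old names; a one-line comment would pin the intent: `# pre-T4130 *_IN/*_OUT chains are intentionally absent so cleanup removes them`. The list starts above this hunk.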
@@ -228,7 +226,7 @@ def cleanup_commands(firewall):
commands.append(f'delete chain {table} {chain}')
elif 'rule' in item:
rule = item['rule']
- if rule['chain'] in ['VYOS_FW_IN', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL', 'VYOS_FW6_IN', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
+ if rule['chain'] in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL', 'VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
if 'expr' in rule and any([True for expr in rule['expr'] if dict_search_args(expr, 'jump', 'target') == state_chain]):
if 'state_policy' not in firewall:
chain = rule['chain']
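Review bot: The set of chains that carry the state-policy jump is spelled out literally here (the `rule['chain'] in [...]` test) and again in `state_policy_rule_exists` and twice in `apply` in the following hunks, which is exactly why this rename had to touch four places; a drifted copy would silently leave a stale jump in place or skip a chain at cleanup. Hoist them into module-level constants next to `preserve_chains`, e.g. `state_policy_chains = ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']` and `state_policy_chains6 = ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']`, and make this line `if rule['chain'] in state_policy_chains + state_policy_chains6:` with the loops in `apply` iterating the same two names. `cleanup_commands` begins and ends outside this hunk.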
@@ -303,7 +301,7 @@ def post_apply_trap(firewall):
def state_policy_rule_exists():
# Determine if state policy rules already exist in nft
- search_str = cmd(f'nft list chain ip filter VYOS_FW_IN')
+ search_str = cmd(f'nft list chain ip filter VYOS_FW_FORWARD')
return 'VYOS_STATE_POLICY' in search_str
def apply(firewall):
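Review bot: `state_policy_rule_exists` still probes only the IPv4 `ip filter VYOS_FW_FORWARD` chain, yet `apply` (next hunk) uses its answer to decide whether to insert the jump into all six chains across both families; if a previous run inserted the `ip` jumps and failed before the `ip6` ones, the guard reports "exists" and the `VYOS_STATE_POLICY6` jumps are never added, leaving IPv6 without the state policy. Checking both families closes that gap: `return 'VYOS_STATE_POLICY' in cmd('nft list chain ip filter VYOS_FW_FORWARD') and 'VYOS_STATE_POLICY6' in cmd('nft list chain ip6 filter VYOS_FW6_FORWARD')`. The `f` prefix on the command string interpolates nothing and can be dropped, and the comment above would read better as `# True when the state-policy jump is already present in both the ip and ip6 forward chains`.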
@@ -317,10 +315,10 @@ def apply(firewall):
raise ConfigError('Failed to apply firewall')
if 'state_policy' in firewall and not state_policy_rule_exists():
- for chain in ['VYOS_FW_IN', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']:
+ for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL']:
cmd(f'nft insert rule ip filter {chain} jump VYOS_STATE_POLICY')
- for chain in ['VYOS_FW6_IN', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
+ for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL']:
cmd(f'nft insert rule ip6 filter {chain} jump VYOS_STATE_POLICY6')
apply_sysfs(firewall)