Merge pull request #4113 from vyos/mergify/bp/circinus/pr-4024

T6687: add fqdn support to nat rules. (backport #4024)
author: Christian Breunig <christian@breunig.cc> 2024-09-30 17:27:17 +0200
committer: GitHub <noreply@github.com> 2024-09-30 17:27:17 +0200
commit: e663fc49edc3043d63b648b482b633c1ff233ac4 (patch)
tree: df2ba35456a772222de1dd475d8ff21faf883571 /src/conf_mode/firewall.py
parent: 2cd0baa50e244529462e3aed064b923c6cbab859 (diff)
parent: 8dcb042bb2352717395ba3c17bc5437534c83af5 (diff)
download: vyos-1x-e663fc49edc3043d63b648b482b633c1ff233ac4.tar.gz
vyos-1x-e663fc49edc3043d63b648b482b633c1ff233ac4.zip
1 files changed, 14 insertions, 7 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 9974a1466..f575843f3 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -36,10 +36,14 @@ from vyos.utils.process import cmd
 from vyos.utils.process import rc_cmd
 from vyos import ConfigError
 from vyos import airbag
+from pathlib import Path
 
 airbag.enable()
 
 nftables_conf = '/run/nftables.conf'
+domain_resolver_usage = '/run/use-vyos-domain-resolver-firewall'
+domain_resolver_usage_nat = '/run/use-vyos-domain-resolver-nat'
+
 sysctl_file = r'/run/sysctl/10-vyos-firewall.conf'
 
 valid_groups = [
@@ -122,7 +126,7 @@ def get_config(config=None):
 
     firewall['geoip_updated'] = geoip_updated(conf, firewall)
 
-    fqdn_config_parse(firewall)
+    fqdn_config_parse(firewall, 'firewall')
 
     set_dependents('conntrack', conf)
 
@@ -467,12 +471,15 @@ def apply(firewall):
 
     call_dependents()
 
-    # T970 Enable a resolver (systemd daemon) that checks
-    # domain-group/fqdn addresses and update entries for domains by timeout
-    # If router loaded without internet connection or for synchronization
-    domain_action = 'stop'
-    if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'] or firewall['ip6_fqdn']:
-        domain_action = 'restart'
+    ## DOMAIN RESOLVER
+    domain_action = 'restart'
+    if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'].items() or firewall['ip6_fqdn'].items():
+        text = f'# Automatically generated by firewall.py\nThis file indicates that vyos-domain-resolver service is used by the firewall.\n'
+        Path(domain_resolver_usage).write_text(text)
+    else:
+        Path(domain_resolver_usage).unlink(missing_ok=True)
+        if not Path('/run').glob('use-vyos-domain-resolver*'):
+            domain_action = 'stop'
     call(f'systemctl {domain_action} vyos-domain-resolver.service')
 
     if firewall['geoip_updated']:
author	Christian Breunig <christian@breunig.cc>	2024-09-30 17:27:17 +0200
committer	GitHub <noreply@github.com>	2024-09-30 17:27:17 +0200
commit	e663fc49edc3043d63b648b482b633c1ff233ac4 (patch)
tree	df2ba35456a772222de1dd475d8ff21faf883571 /src/conf_mode/firewall.py
parent	2cd0baa50e244529462e3aed064b923c6cbab859 (diff)
parent	8dcb042bb2352717395ba3c17bc5437534c83af5 (diff)
download	vyos-1x-e663fc49edc3043d63b648b482b633c1ff233ac4.tar.gz vyos-1x-e663fc49edc3043d63b648b482b633c1ff233ac4.zip