author | Christian Poessinger <christian@poessinger.com> | 2022-01-19 18:06:22 +0100 |
committer | GitHub <noreply@github.com> | 2022-01-19 18:06:22 +0100 |
commit | 10a740096edb5879ed79dd20db1a5f5bfaae6154 (patch) | |
tree | cfc7f5d79a2f93e6fae51fcb74b8eaada27c1894 /src/conf_mode/policy-route.py | |
parent | 258dd07904bee68e5445848c106a8bacbd7d2977 (diff) | |
parent | f96a4fcd5d0cc4e43dd8163a81dd7ca66355c6b4 (diff) | |
download | vyos-1x-10a740096edb5879ed79dd20db1a5f5bfaae6154.tar.gz vyos-1x-10a740096edb5879ed79dd20db1a5f5bfaae6154.zip |
Merge pull request #1176 from sarthurdev/firewall
firewall: T1292: T2199: Cleanup rules used by chain to be deleted, check if chain in use by zone-policy
Diffstat (limited to 'src/conf_mode/policy-route.py')
-rwxr-xr-x | src/conf_mode/policy-route.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index eb13788dd..ee5197af0 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -15,6 +15,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import os
+import re
 from json import loads
 from sys import exit
@@ -160,6 +161,16 @@ def verify(policy):
 return None
+def cleanup_rule(table, jump_chain):
+ commands = []
+ results = cmd(f'nft -a list table {table}').split("\n")
+ for line in results:
+ if f'jump {jump_chain}' in line:
+ handle_search = re.search('handle (\d+)', line)
+ if handle_search:
+ commands.append(f'delete rule {table} {chain} handle {handle_search[1]}')
+ return commands
+
 def cleanup_commands(policy):
 commands = []
 for table in ['ip mangle', 'ip6 mangle']:
@@ -178,6 +189,7 @@ def cleanup_commands(policy):
 elif table == 'ip6 mangle' and dict_search_args(policy, 'route6', chain.replace("VYOS_PBR6_", "", 1)):
 commands.append(f'flush chain {table} {chain}')
 else:
+ commands += cleanup_rule(table, chain)
 commands.append(f'delete chain {table} {chain}')
 return commands |
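Review bot: `cleanup_rule` formats `{chain}` into the delete command, but its parameter is `jump_chain` and no `chain` is bound inside the function, so the first line that matches raises `NameError` (or, if a module-level `chain` happens to exist outside the hunk, the rule is deleted from the wrong chain). The chain the rule belongs to is also not the jump target: in `nft -a list table` output a rule line sits inside its `chain NAME {` block and does not repeat that name, so the enclosing chain has to be tracked while iterating, which is what the rewrite below does. The pattern should also be a raw string, `re.search(r'handle (\d+)', line)`, since `'\d'` is an invalid escape in a plain literal. A substring test like `f'jump {jump_chain}' in line` will additionally match any chain whose name merely starts with `jump_chain`; anchoring it with a word boundary would be safer. The call site added in the `cleanup_commands` hunk, `commands += cleanup_rule(table, chain)`, needs no change once the helper resolves the chain itself.
```python
def cleanup_rule(table, jump_chain):
    """Return nft commands deleting every rule in `table` that jumps to `jump_chain`."""
    commands = []
    chain = None
    results = cmd(f'nft -a list table {table}').split("\n")
    for line in results:
        # Rules are printed inside their "chain NAME {" block; remember which one we are in.
        chain_match = re.match(r'\s*chain (\S+) \{', line)
        if chain_match:
            chain = chain_match[1]
            continue
        if chain and re.search(rf'\bjump {re.escape(jump_chain)}\b', line):
            handle_search = re.search(r'handle (\d+)', line)
            if handle_search:
                commands.append(f'delete rule {table} {chain} handle {handle_search[1]}')
    return commands
```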