diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-07-30 11:47:23 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-30 11:47:23 +0200 |
| commit | 0dc8b5899e05231850fee3461545305bd7ba3862 (patch) | |
| tree | 8f18aea528d20cb814f8dc66a907aad102e1ef3c /src/conf_mode | |
| parent | 7db9c020e27289ec307cb821ac651af4dcef3cec (diff) | |
| parent | ebac16ea3f242c0a5a35d38b65e549130db7b763 (diff) | |
| download | vyos-1x-0dc8b5899e05231850fee3461545305bd7ba3862.tar.gz vyos-1x-0dc8b5899e05231850fee3461545305bd7ba3862.zip | |
Merge pull request #3904 from vyos/mergify/bp/circinus/pr-3883
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname (backport #3883)
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/vrf.py | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 184725573..72b178c89 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from sys import exit +from jmespath import search from json import loads from vyos.config import Config @@ -70,6 +71,14 @@ def has_rule(af : str, priority : int, table : str=None): return True return False +def is_nft_vrf_zone_rule_setup() -> bool: + """ + Check if an nftables connection tracking rule already exists + """ + tmp = loads(cmd('sudo nft -j list table inet vrf_zones')) + num_rules = len(search("nftables[].rule[].chain", tmp)) + return bool(num_rules) + def vrf_interfaces(c, match): matched = [] old_level = c.get_level() @@ -264,6 +273,7 @@ def apply(vrf): if not has_rule(afi, 2000, 'l3mdev'): call(f'ip {afi} rule add pref 2000 l3mdev unreachable') + nft_vrf_zone_rule_setup = False for name, config in vrf['name'].items(): table = config['table'] if not interface_exists(name): @@ -302,7 +312,12 @@ def apply(vrf): nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' cmd(f'nft {nft_add_element}') - if vrf['conntrack']: + # Only call into nftables as long as there is nothing setup to avoid wasting + # CPU time and thus lenghten the commit process + if not nft_vrf_zone_rule_setup: + nft_vrf_zone_rule_setup = is_nft_vrf_zone_rule_setup() + # Install nftables conntrack rules only once + if vrf['conntrack'] and not nft_vrf_zone_rule_setup: for chain, rule in nftables_rules.items(): cmd(f'nft add rule inet vrf_zones {chain} {rule}') |