conntrack: T3579: dry-run newly generated config before install

Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
author: Christian Poessinger <christian@poessinger.com> 2022-01-10 23:17:32 +0100
committer: Christian Poessinger <christian@poessinger.com> 2022-01-10 23:17:34 +0100
commit: 76d912d63ca4d15d9efe118184c405cf8273cbcf (patch)
tree: 63187ba41cdf880090a3279026ad38feb111dfc7 /src/conf_mode
parent: 9bc2f5db25c74f7a4c10c10cf0bbdc2f1879c2db (diff)
download: vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.tar.gz
vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index b9eb8071d..aabf2bdf5 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -105,6 +105,13 @@ def generate(conntrack):
     render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
     render(nftables_ct_file, 'conntrack/nftables-ct.tmpl', conntrack)
 
+    # dry-run newly generated configuration
+    tmp = run(f'nft -c -f {nftables_ct_file}')
+    if tmp > 0:
+        if os.path.exists(nftables_ct_file):
+            os.unlink(nftables_ct_file)
+        raise ConfigError('Configuration file errors encountered!')
+
     return None
 
 def find_nftables_ct_rule(rule):
author	Christian Poessinger <christian@poessinger.com>	2022-01-10 23:17:32 +0100
committer	Christian Poessinger <christian@poessinger.com>	2022-01-10 23:17:34 +0100
commit	76d912d63ca4d15d9efe118184c405cf8273cbcf (patch)
tree	63187ba41cdf880090a3279026ad38feb111dfc7 /src/conf_mode
parent	9bc2f5db25c74f7a4c10c10cf0bbdc2f1879c2db (diff)
download	vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.tar.gz vyos-1x-76d912d63ca4d15d9efe118184c405cf8273cbcf.zip