diff options
author | Christian Breunig <christian@breunig.cc> | 2024-08-02 14:01:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-08-02 14:01:35 +0200 |
commit | 5e770b631d4ec3b0fb80e7031284c5ee60498252 (patch) | |
tree | 69583f9df9a184372dbe4110275bb19bac23b289 /src/conf_mode | |
parent | e61a175838f226f49d131783d831f2fab5bd9eaf (diff) | |
parent | 2cbd1c66276cec855ead81a5b7a19a27b90961bb (diff) | |
download | vyos-1x-5e770b631d4ec3b0fb80e7031284c5ee60498252.tar.gz vyos-1x-5e770b631d4ec3b0fb80e7031284c5ee60498252.zip |
Merge pull request #3905 from vyos/mergify/bp/sagitta/pr-3883
vrf: T6603: conntrack ct_iface_map must only contain one entry for iifname/oifname (backport #3883)
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/vrf.py | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 184725573..72b178c89 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from sys import exit +from jmespath import search from json import loads from vyos.config import Config @@ -70,6 +71,14 @@ def has_rule(af : str, priority : int, table : str=None): return True return False +def is_nft_vrf_zone_rule_setup() -> bool: + """ + Check if an nftables connection tracking rule already exists + """ + tmp = loads(cmd('sudo nft -j list table inet vrf_zones')) + num_rules = len(search("nftables[].rule[].chain", tmp)) + return bool(num_rules) + def vrf_interfaces(c, match): matched = [] old_level = c.get_level() @@ -264,6 +273,7 @@ def apply(vrf): if not has_rule(afi, 2000, 'l3mdev'): call(f'ip {afi} rule add pref 2000 l3mdev unreachable') + nft_vrf_zone_rule_setup = False for name, config in vrf['name'].items(): table = config['table'] if not interface_exists(name): @@ -302,7 +312,12 @@ def apply(vrf): nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' cmd(f'nft {nft_add_element}') - if vrf['conntrack']: + # Only call into nftables as long as there is nothing setup to avoid wasting + # CPU time and thus lenghten the commit process + if not nft_vrf_zone_rule_setup: + nft_vrf_zone_rule_setup = is_nft_vrf_zone_rule_setup() + # Install nftables conntrack rules only once + if vrf['conntrack'] and not nft_vrf_zone_rule_setup: for chain, rule in nftables_rules.items(): cmd(f'nft add rule inet vrf_zones {chain} {rule}') |