author: Andrew Topp <andrewt@telekinetica.net> 2025-06-27 00:23:13 +1000
committer: Andrew Topp <andrewt@telekinetica.net> 2025-06-27 00:23:13 +1000
commit: c741a290261eb53d5f9ca4849109f19ced8fda9f
tree: ba9d8a5d034e91006630c79dd737864eb3ccef90 /src/migration-scripts/reverse-proxy
parent: 5c2f70ffd82047740a91be949af5098a6ee39c2c
vrf: T7544: Ensure correct quoting for VRF ifnames in nftables

* For VRF create/delete:
  * Simple dquoting, as before, was parsed away by the shell
  * Just escaping the double quotes could cause issues with the shell mangling VRF names (however unlikely)
  * Wrapping original quotes in shell-escaped single quotes is a quick & easy way to guard against both improper shell parsing and string names being taken as nft keywords.
* Firewall configuration:
  * Firewall "interface name" rules support VRF ifnames and used them unquoted, fixed for nft_rule template tags (parse_rule)
  * Went through and quoted all iif/oifname usage by zones and interface groups. VRF ifnames weren't available for all cases, but there is no harm in completeness.
  * For this, also created a simple quoted_join template filter to replace any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead

I may have missed some niche nft use-cases that would be exposed to this problem.

Diffstat (limited to 'src/migration-scripts/reverse-proxy')
0 files changed, 0 insertions, 0 deletions
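
The three quoting strategies the commit message compares, as an added example that is not part of this commit or of the VyOS code base. The nft command line in `TEMPLATE` and the VRF name containing a space are assumptions constructed for illustration; `shlex.split` stands in for POSIX shell quote removal and performs no variable or glob expansion.

```python
import shlex

# Hypothetical nft invocation, constructed for this example only.
TEMPLATE = "nft add rule inet filter input iifname {name} accept"


def dquoted(name):
    """Plain double quotes: the shell strips them before nft runs."""
    return TEMPLATE.format(name=f'"{name}"')


def escaped(name):
    """Backslash-escaped double quotes: the quotes survive, but the
    name itself is still subject to shell word splitting."""
    return TEMPLATE.format(name=f'\\"{name}\\"')


def single_wrapped(name):
    """Double quotes wrapped in shell-escaped single quotes."""
    return TEMPLATE.format(name=shlex.quote(f'"{name}"'))


def ifname_words(cmdline):
    """Return the argv words the shell hands to nft between
    'iifname' and the trailing 'accept'."""
    words = shlex.split(cmdline)
    return words[7:-1]


if __name__ == "__main__":
    # "vni" is the name the commit message mentions; "my vrf" is constructed.
    for name in ("vni", "my vrf"):
        for build in (dquoted, escaped, single_wrapped):
            cmd = build(name)
            print(f"{build.__name__:15} {cmd!r} -> {ifname_words(cmd)}")
```

Only the single-quote wrapping delivers the name to nft as one word with its double quotes intact, so nft reads it as a string rather than a bare token.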