authorChristian Poessinger <christian@poessinger.com>2021-04-09 13:43:58 +0200
committerGitHub <noreply@github.com>2021-04-09 13:43:58 +0200
commit9056f329844cfdd07c2c6f4324a72602aced9f75 (patch)
tree4ad60f2bef0408c60607834fcc4ca19e9e249fa1 /src/op_mode
parent616379793c6510ff69fb5707e7481953eac2ef2b (diff)
parentc0ace670de5fc68b8865390690c8f8773f614aa5 (diff)
Merge pull request #791 from jack9603301/T3435
nat: op-mode: T3435: Filter extra rules that should not be processed
Diffstat (limited to 'src/op_mode')
-rwxr-xr-xsrc/op_mode/show_nat66_rules.py25
-rwxr-xr-xsrc/op_mode/show_nat_rules.py20
2 files changed, 42 insertions, 3 deletions
diff --git a/src/op_mode/show_nat66_rules.py b/src/op_mode/show_nat66_rules.py
index fe5113015..a25e146a7 100755
--- a/src/op_mode/show_nat66_rules.py
+++ b/src/op_mode/show_nat66_rules.py
@@ -36,16 +36,35 @@ if args.source or args.destination:
format_nat66_rule = '{0: <10} {1: <50} {2: <50} {3: <10}'
print(format_nat66_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface"))
print(format_nat66_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------"))
-
+
data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp)
for idx in range(0, len(data_json)):
data = data_json[idx]
- # If there is no index 3, we don't think this is the record we need to check
- if len(data['expr']) <= 3:
+ # The following key values must exist
+ # When the rule JSON does not have some keys, this is not a rule we can work with
+ continue_rule = False
+ for key in ['comment', 'chain', 'expr']:
+ if key not in data:
+ continue_rule = True
+ continue
+ if continue_rule:
continue
comment = data['comment']
+
+ # Check the annotation to see if the annotation format is created by VYOS
+ continue_rule = True
+ for comment_prefix in ['SRC-NAT66-', 'DST-NAT66-']:
+ if comment_prefix in comment:
+ continue_rule = False
+ if continue_rule:
+ continue
+
+ # When log is detected from the second index of expr, then this rule should be ignored
+ if 'log' in data['expr'][2]:
+ continue
+
rule = comment.replace('SRC-NAT66-','')
rule = rule.replace('DST-NAT66-','')
chain = data['chain']
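Review bot: The removed length guard (`if len(data['expr']) <= 3:`) has no replacement before the new `if 'log' in data['expr'][2]:` test, so a rule whose `expr` list holds fewer than three entries now raises IndexError instead of being skipped; the key-presence loop above only proves `expr` exists, not that it has elements. Guard the index on the same line, e.g. `if len(data['expr']) <= 2 or 'log' in data['expr'][2]:`, and correct the comment, which says "second index" while the code reads index 2 (the third element). The `continue` inside the key loop only advances the inner loop; `break` would state the intent, or the whole flag dance collapses to `if any(key not in data for key in ('comment', 'chain', 'expr')): continue`. The loop body continues past the hunk, so I cannot see whether later lines index `expr` further and need the same guard.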
diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py
index a98fbef8c..68cff61c8 100755
--- a/src/op_mode/show_nat_rules.py
+++ b/src/op_mode/show_nat_rules.py
@@ -40,7 +40,27 @@ if args.source or args.destination:
data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp)
for idx in range(0, len(data_json)):
data = data_json[idx]
+
+ # The following key values must exist
+ # When the rule JSON does not have some keys, this is not a rule we can work with
+ continue_rule = False
+ for key in ['comment', 'chain', 'expr']:
+ if key not in data:
+ continue_rule = True
+ continue
+ if continue_rule:
+ continue
+
comment = data['comment']
+
+ # Check the annotation to see if the annotation format is created by VYOS
+ continue_rule = True
+ for comment_prefix in ['SRC-NAT-', 'DST-NAT-']:
+ if comment_prefix in comment:
+ continue_rule = False
+ if continue_rule:
+ continue
+
rule = int(''.join(list(filter(str.isdigit, comment))))
chain = data['chain']
if not (args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING'):
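Review bot: The new prefix filter at `for comment_prefix in ['SRC-NAT-', 'DST-NAT-']:` is a substring test, so any nft comment that merely contains `SRC-NAT-` somewhere passes, and the pre-existing `int(''.join(list(filter(str.isdigit, comment))))` then concatenates every digit in the comment — a comment such as `SRC-NAT-10-v2` would become rule 102, and a bare `SRC-NAT-` would raise ValueError on `int('')`. Since the comment is meant to be VyOS-generated, anchor the check and drop the flag: `if not comment.startswith(('SRC-NAT-', 'DST-NAT-')): continue`, and consider taking the digits only from the text after the prefix, as the nat66 script does with `replace`. The `continue` in the key-presence loop advances the inner loop, not the outer one; `break` or `if any(key not in data for key in ('comment', 'chain', 'expr')): continue` would be clearer. The loop body continues past the hunk, so where `expr` is consumed is not visible here.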