summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-22 20:48:44 +0100
committerChristian Breunig <christian@breunig.cc>2024-01-22 20:48:44 +0100
commit89f0d347bfe5e468355817a617dc71823a58c284 (patch)
tree5a6fbcab6ad5ba4365bab27e12dd4fb4af80ced1 /src
parenta821b8c603999665ce8a77acb0e44a743811992a (diff)
downloadvyos-1x-89f0d347bfe5e468355817a617dc71823a58c284.tar.gz
vyos-1x-89f0d347bfe5e468355817a617dc71823a58c284.zip
vrf: T5973: move initial conntrack firewall table to startup
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vrf.py21
1 files changed, 0 insertions, 21 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index aac9b0616..1db4e99f2 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -33,8 +33,6 @@ from vyos.utils.network import get_vrf_members
from vyos.utils.network import interface_exists
from vyos.utils.process import call
from vyos.utils.process import cmd
-from vyos.utils.process import popen
-from vyos.utils.process import run
from vyos.utils.system import sysctl_write
from vyos import ConfigError
from vyos import frr
@@ -42,8 +40,6 @@ from vyos import airbag
airbag.enable()
config_file = '/etc/iproute2/rt_tables.d/vyos-vrf.conf'
-nft_vrf_config = '/tmp/nftables-vrf-zones'
-
k_mod = ['vrf']
def has_rule(af : str, priority : int, table : str):
@@ -176,8 +172,6 @@ def verify(vrf):
def generate(vrf):
# Render iproute2 VR helper names
render(config_file, 'iproute2/vrf.conf.j2', vrf)
- # Render nftables zones config
- render(nft_vrf_config, 'firewall/nftables-vrf-zones.j2', vrf)
# Render VRF Kernel/Zebra route-map filters
vrf['frr_zebra_config'] = render_to_string('frr/zebra.vrf.route-map.frr.j2', vrf)
@@ -230,14 +224,6 @@ def apply(vrf):
sysctl_write('net.vrf.strict_mode', strict_mode)
if 'name' in vrf:
- # Separate VRFs in conntrack table
- # check if table already exists
- _, err = popen('nft list table inet vrf_zones')
- # If not, create a table
- if err and os.path.exists(nft_vrf_config):
- cmd(f'nft -f {nft_vrf_config}')
- os.unlink(nft_vrf_config)
-
# Linux routing uses rules to find tables - routing targets are then
# looked up in those tables. If the lookup got a matching route, the
# process ends.
@@ -321,13 +307,6 @@ def apply(vrf):
frr_cfg.add_before(frr.default_add_before, vrf['frr_zebra_config'])
frr_cfg.commit_configuration(zebra_daemon)
- # return to default lookup preference when no VRF is configured
- if 'name' not in vrf:
- # Remove VRF zones table from nftables
- tmp = run('nft list table inet vrf_zones')
- if tmp == 0:
- cmd('nft delete table inet vrf_zones')
-
return None
if __name__ == '__main__':