authorChristian Breunig <christian@breunig.cc>2024-01-22 20:48:44 +0100
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-01-30 11:12:53 +0000
commitf5590b63f2a849ebe63bf453c561930f846598d5 (patch)
tree0f56d8fea74e116d150494667bbda77b3b16c9e3 /src
parent4d3df44028571c49bdc590778a7c6214373c7297 (diff)
vrf: T5973: move initial conntrack firewall table to startup
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code. (cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vrf.py21
1 files changed, 0 insertions, 21 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index aac9b0616..1db4e99f2 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -33,8 +33,6 @@ from vyos.utils.network import get_vrf_members
from vyos.utils.network import interface_exists
from vyos.utils.process import call
from vyos.utils.process import cmd
-from vyos.utils.process import popen
-from vyos.utils.process import run
from vyos.utils.system import sysctl_write
from vyos import ConfigError
from vyos import frr
@@ -42,8 +40,6 @@ from vyos import airbag
airbag.enable()
config_file = '/etc/iproute2/rt_tables.d/vyos-vrf.conf'
-nft_vrf_config = '/tmp/nftables-vrf-zones'
-
k_mod = ['vrf']
def has_rule(af : str, priority : int, table : str):
@@ -176,8 +172,6 @@ def verify(vrf):
def generate(vrf):
# Render iproute2 VR helper names
render(config_file, 'iproute2/vrf.conf.j2', vrf)
- # Render nftables zones config
- render(nft_vrf_config, 'firewall/nftables-vrf-zones.j2', vrf)
# Render VRF Kernel/Zebra route-map filters
vrf['frr_zebra_config'] = render_to_string('frr/zebra.vrf.route-map.frr.j2', vrf)
@@ -230,14 +224,6 @@ def apply(vrf):
sysctl_write('net.vrf.strict_mode', strict_mode)
if 'name' in vrf:
- # Separate VRFs in conntrack table
- # check if table already exists
- _, err = popen('nft list table inet vrf_zones')
- # If not, create a table
- if err and os.path.exists(nft_vrf_config):
- cmd(f'nft -f {nft_vrf_config}')
- os.unlink(nft_vrf_config)
-
# Linux routing uses rules to find tables - routing targets are then
# looked up in those tables. If the lookup got a matching route, the
# process ends.
@@ -321,13 +307,6 @@ def apply(vrf):
frr_cfg.add_before(frr.default_add_before, vrf['frr_zebra_config'])
frr_cfg.commit_configuration(zebra_daemon)
- # return to default lookup preference when no VRF is configured
- if 'name' not in vrf:
- # Remove VRF zones table from nftables
- tmp = run('nft list table inet vrf_zones')
- if tmp == 0:
- cmd('nft delete table inet vrf_zones')
-
return None
if __name__ == '__main__':