summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-05 15:06:37 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-05 18:16:15 +0100
commit79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0 (patch)
tree8b76bfce0f0200d834cca0d44ef7debd0393763e /src
parente4b368b10aeed363f9d2b0ba3bed26b2ea346842 (diff)
downloadvyos-1x-79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0.tar.gz
vyos-1x-79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0.zip
firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains
* Prevent firewall names from using the reserved VZONE prefix
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/firewall.py10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 6016d94fa..75382034f 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -183,6 +183,9 @@ def verify(firewall):
if name_id in preserve_chains:
raise ConfigError(f'Firewall name "{name_id}" is reserved for VyOS')
+ if name_id.startswith("VZONE"):
+ raise ConfigError(f'Firewall name "{name_id}" uses reserved prefix')
+
if 'rule' in name_conf:
for rule_id, rule_conf in name_conf['rule'].items():
verify_rule(firewall, rule_conf, name == 'ipv6_name')
@@ -210,14 +213,13 @@ def cleanup_commands(firewall):
continue
for item in obj['nftables']:
if 'chain' in item:
- if item['chain']['name'] in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
- chain = item['chain']['name']
+ chain = item['chain']['name']
+ if chain in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
if 'state_policy' not in firewall:
commands.append(f'delete chain {table} {chain}')
else:
commands.append(f'flush chain {table} {chain}')
- elif item['chain']['name'] not in preserve_chains:
- chain = item['chain']['name']
+ elif chain not in preserve_chains and not chain.startswith("VZONE"):
if table == 'ip filter' and dict_search_args(firewall, 'name', chain):
commands.append(f'flush chain {table} {chain}')
elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain):