author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-05 15:06:37 +0100 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-05 18:16:15 +0100 |
commit | 79f6f7061c0c0a00ce480d93c71fc4bcd06eb3a0 (patch) | |
tree | 8b76bfce0f0200d834cca0d44ef7debd0393763e /src | |
parent | e4b368b10aeed363f9d2b0ba3bed26b2ea346842 (diff) | |
firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains
* Prevent firewall names from using the reserved VZONE prefix
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/firewall.py | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 6016d94fa..75382034f 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -183,6 +183,9 @@ def verify(firewall):
 if name_id in preserve_chains:
 raise ConfigError(f'Firewall name "{name_id}" is reserved for VyOS')
+ if name_id.startswith("VZONE"):
+ raise ConfigError(f'Firewall name "{name_id}" uses reserved prefix')
+
 if 'rule' in name_conf:
 for rule_id, rule_conf in name_conf['rule'].items():
 verify_rule(firewall, rule_conf, name == 'ipv6_name')
@@ -210,14 +213,13 @@ def cleanup_commands(firewall):
 continue
 for item in obj['nftables']:
 if 'chain' in item:
- if item['chain']['name'] in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
- chain = item['chain']['name']
+ chain = item['chain']['name']
+ if chain in ['VYOS_STATE_POLICY', 'VYOS_STATE_POLICY6']:
 if 'state_policy' not in firewall:
 commands.append(f'delete chain {table} {chain}')
 else:
 commands.append(f'flush chain {table} {chain}')
- elif item['chain']['name'] not in preserve_chains:
- chain = item['chain']['name']
+ elif chain not in preserve_chains and not chain.startswith("VZONE"):
 if table == 'ip filter' and dict_search_args(firewall, 'name', chain):
 commands.append(f'flush chain {table} {chain}')
 elif table == 'ip6 filter' and dict_search_args(firewall, 'ipv6_name', chain): |
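Review bot: The reserved prefix `"VZONE"` is written as a bare string literal in the new verify() check and again in the cleanup_commands() hunk below, so the two guards can drift apart if either is edited alone; a single module-level constant defined alongside preserve_chains (its definition is outside these hunks) would keep them in step, e.g. `if name_id.startswith(ZONE_CHAIN_PREFIX):` here and `elif chain not in preserve_chains and not chain.startswith(ZONE_CHAIN_PREFIX):` below, with ZONE_CHAIN_PREFIX a name of your choosing. The verify() check also deserves a why-comment, since nothing nearby says what makes the prefix reserved: `# zone-policy owns every VZONE* chain; a user-defined name with this prefix would be flushed or deleted by cleanup_commands()`. Both verify() and cleanup_commands() start before their hunks and continue past them, so the surrounding loop context is assumed, not visible.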