author | Andrew Topp <andrewt@telekinetica.net> | 2025-06-27 00:23:13 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2025-06-27 00:23:13 +1000 |
commit | c741a290261eb53d5f9ca4849109f19ced8fda9f (patch) | |
tree | ba9d8a5d034e91006630c79dd737864eb3ccef90 /src | |
parent | 5c2f70ffd82047740a91be949af5098a6ee39c2c (diff) | |
download | vyos-1x-c741a290261eb53d5f9ca4849109f19ced8fda9f.tar.gz vyos-1x-c741a290261eb53d5f9ca4849109f19ced8fda9f.zip |
vrf: T7544: Ensure correct quoting for VRF ifnames in nftables

* For VRF create/delete:
  * Simple dquoting, as before, was parsed away by the shell
  * Just escaping the double quotes could cause issues with the shell mangling
    VRF names (however unlikely)
  * Wrapping original quotes in shell-escaped single quotes is a quick & easy
    way to guard against both improper shell parsing and string names being
    taken as nft keywords.
* Firewall configuration:
  * Firewall "interface name" rules support VRF ifnames and used them unquoted,
    fixed for nft_rule template tags (parse_rule)
  * Went through and quoted all iif/oifname usage by zones and interface
    groups. VRF ifnames weren't available for all cases, but there is
    no harm in completeness.
  * For this, also created a simple quoted_join template filter to replace
    any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead

I may have missed some niche nft use-cases that would be exposed to this problem.
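The quoting layers the commit message describes are easier to see when the command string is tokenised the way a POSIX shell would tokenise it. The block below is an added illustration, not code from this commit or from VyOS: Python's `shlex` stands in for the word splitting that happens when a command string is handed to a shell, the map path `inet vrf_zones ct_iface_map` is the one visible in the patch, the VRF names are constructed, and `shlex_quote_add` is an alternative assumed here for comparison, not what the patch does.

```python
"""Shell vs. nft quoting of a VRF name in an nft map element.

Added illustration, not VyOS code. shlex.split models the word splitting a
POSIX shell performs before the nft binary sees its argv; the map path is
taken from the patch, the VRF names and the shlex_quote_add variant are
assumptions made for this example.
"""
import shlex

MAP = 'inet vrf_zones ct_iface_map'   # map name visible in the patch


def naive_add(name: str, table: int) -> str:
    # Pre-patch form: the shell consumes the double quotes, so nft sees the
    # bare name, which can be mistaken for an nft keyword.
    return f'nft add element {MAP} {{ "{name}" : {table} }}'


def patched_add(name: str, table: int) -> str:
    # Post-patch form: outer single quotes are consumed by the shell, the
    # inner double quotes survive and reach nft as a string literal.
    return f"nft add element {MAP} {{ '\"{name}\"' : {table} }}"


def shlex_quote_add(name: str, table: int) -> str:
    # Alternative (assumption, not the patch): let shlex build the shell
    # quoting, which also survives a single quote inside the name.
    literal = shlex.quote(f'"{name}"')
    return f'nft add element {MAP} {{ {literal} : {table} }}'


def nft_argv(command: str) -> list:
    """Words the shell would pass to the nft binary (argv[1:])."""
    return shlex.split(command)[1:]


def name_token(command: str) -> str:
    """The single argv word nft receives in the map-key position."""
    argv = nft_argv(command)
    return argv[argv.index('{') + 1]


def shell_safe(command: str) -> bool:
    """False when the shell would reject the line (unterminated quote)."""
    try:
        shlex.split(command)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    for vrf in ('red', "o'neil"):          # constructed VRF names
        for build in (naive_add, patched_add, shlex_quote_add):
            line = build(vrf, 10)
            token = name_token(line) if shell_safe(line) else '<shell error>'
            print(f'{build.__name__:16} {vrf!r:10} nft sees key {token!r}')
```

For a plain name such as `red` the pre-patch form delivers `red` to nft with no quotes, while the patched form delivers `"red"`, which is what keeps nft from reading the name as a keyword. The example also shows the limit of hand-written single quotes: a name containing `'` breaks the shell line, whereas `shlex.quote` (or handing nft the ruleset without a shell at all) does not depend on the name's characters.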
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/vrf.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index 6e9d4147a..00a202df4 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -240,7 +240,7 @@ def apply(vrf): vrf_iface.set_dhcpv6(False) # Remove nftables conntrack zone map item - nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{tmp}" }}' + nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ \'"{tmp}"\' }}' # Check if deleting is possible first to avoid raising errors _, err = popen(f'nft --check {nft_del_element}') if not err: @@ -320,7 +320,7 @@ def apply(vrf): state = 'down' if 'disable' in config else 'up' vrf_if.set_admin_state(state) # Add nftables conntrack zone map item - nft_add_element = f'add element inet vrf_zones ct_iface_map {{ "{name}" : {table} }}' + nft_add_element = f'add element inet vrf_zones ct_iface_map {{ \'"{name}"\' : {table} }}' cmd(f'nft {nft_add_element}') # Only call into nftables as long as there is nothing setup to avoid wasting |
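Review bot: the `'"{tmp}"'` wrapping in `nft_del_element` (the `@@ -240` hunk) only holds as long as the VRF name contains no single quote, because the string is still interpolated into `popen(f'nft --check {nft_del_element}')` and handed to a shell; since the double layer is non-obvious, add a one-line comment above the assignment stating that the inner double quotes are for nft (so the name is not read as a keyword) and the outer single quotes are for the shell, and consider building the literal with `shlex.quote(f'"{tmp}"')`, or feeding the statement to `nft -f -` on stdin, so the name never reaches the shell at all.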
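Review bot: `nft_add_element` in the `@@ -320` hunk receives the same `'"{name}"'` quoting as the delete path but, unlike it, is executed with `cmd(f'nft {nft_add_element}')` and no preceding `nft --check`, so any remaining parse problem with a name surfaces as a raised error from `cmd` during `apply()` rather than being detected first; either mirror the `--check` pattern used at line 240 or add a comment saying the hard failure here is intended. With two call sites now constructing the identical literal, a small shared helper (e.g. a hypothetical `nft_quote(name)`) would keep them from drifting apart.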