| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-19 21:06:35 +0200 | 
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-19 21:14:20 +0200 | 
| commit | cdbe969308c1f540050d288ffc6b55abbefa7534 (patch) | |
| tree | b107aa08bacdf34ed1fb12672a7a579d7a94913e /src | |
| parent | db53c8e77cd93d5d7f16036b4d7b783083caf32e (diff) | |
conntrack: firewall: T4502: Update conntrack check for new flowtable CLI
Also updates flowtable smoketest to verify conntrack enabled
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/conntrack.py | 24 | 
1 files changed, 6 insertions, 18 deletions
| diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 21a20ea8d..50089508a 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -90,14 +90,6 @@ def get_config(config=None):
                                                  get_first_key=True,
                                                  no_tag_node_value_mangle=True)
-    conntrack['flowtable_enabled'] = False
-    flow_offload = dict_search_args(conntrack['firewall'], 'global_options', 'flow_offload')
-    if flow_offload and 'disable' not in flow_offload:
-        for offload_type in ('software', 'hardware'):
-            if dict_search_args(flow_offload, offload_type, 'interface'):
-                conntrack['flowtable_enabled'] = True
-                break
-
     conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return'
     conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return'
     conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return'
@@ -170,16 +162,12 @@ def generate(conntrack):
     conntrack['ipv4_firewall_action'] = 'return'
     conntrack['ipv6_firewall_action'] = 'return'
-    if conntrack['flowtable_enabled']:
-        conntrack['ipv4_firewall_action'] = 'accept'
-        conntrack['ipv6_firewall_action'] = 'accept'
-    else:
-        for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
-            if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()):
-                if path[0] == 'ipv4':
-                    conntrack['ipv4_firewall_action'] = 'accept'
-                elif path[0] == 'ipv6':
-                    conntrack['ipv6_firewall_action'] = 'accept'
+    for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
+        if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+            if path[0] == 'ipv4':
+                conntrack['ipv4_firewall_action'] = 'accept'
+            elif path[0] == 'ipv6':
+                conntrack['ipv6_firewall_action'] = 'accept'
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) |
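Review bot: The `any(...)` test in generate() now spells out three conntrack-dependent rule keys inline on one very long line, with no comment saying why these keys matter. A rule key that needs connection tracking but is missing from this list leaves the family's action at `'return'`, which presumably means traffic for that family is not tracked and `state`-style matches would not behave as written, so the list deserves a name and a comment. Suggest `CT_RULE_KEYS = ('state', 'connection_status', 'offload_target')` next to the loop and `if any(key in rule_conf for rule_conf in rules.values() for key in CT_RULE_KEYS):`. Note also that the removed flowtable branch switched both families to `'accept'`, while the new check only switches the family whose rule carries `offload_target`; that looks intended for the per-rule CLI but is worth confirming. generate() starts and ends outside the hunk.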
