-rw-r--r--interface-definitions/include/firewall/default-action.xml.i1
-rw-r--r--python/vyos/template.py2
-rwxr-xr-xsrc/conf_mode/firewall.py30
3 files changed, 28 insertions, 5 deletions
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index b11dfd2e8..92a2fcaaf 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -21,5 +21,6 @@
<regex>(drop|reject|accept)</regex>
</constraint>
</properties>
+ <defaultValue>drop</defaultValue>
</leafNode>
<!-- include end -->
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 62303bd55..9804308c1 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -550,7 +550,7 @@ def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'):
@register_filter('nft_default_rule')
def nft_default_rule(fw_conf, fw_name):
output = ['counter']
- default_action = fw_conf.get('default_action', 'drop')
+ default_action = fw_conf['default_action']
if 'enable_default_log' in fw_conf:
action_suffix = default_action[:1].upper()
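Review bot: The new `default_action = fw_conf['default_action']` removes the fail-closed fallback, so a firewall dict that did not go through the defaults merge now raises a KeyError from inside a Jinja filter at render time instead of producing a `drop` rule. That is fine if every caller of nft_default_rule is guaranteed to pass a merged dict, which I cannot confirm from this hunk; if that is the intent, a clearer failure would be `raise ValueError(f'"{fw_name}": default_action missing, defaults not merged')`, otherwise keep `fw_conf.get('default_action', 'drop')` so a missing key still fails closed. nft_default_rule's body continues outside the hunk.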
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 07eca722f..f0ea1a1e5 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -206,9 +206,31 @@ def get_config(config=None):
firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
+ # We have gathered the dict representation of the CLI, but there are
+ # default options which we need to update into the dictionary retrived.
+ # XXX: T2665: we currently have no nice way for defaults under tag
+ # nodes, thus we load the defaults "by hand"
default_values = defaults(base)
+ for tmp in ['name', 'ipv6_name']:
+ if tmp in default_values:
+ del default_values[tmp]
+
firewall = dict_merge(default_values, firewall)
+ # Merge in defaults for IPv4 ruleset
+ if 'name' in firewall:
+ default_values = defaults(base + ['name'])
+ for name in firewall['name']:
+ firewall['name'][name] = dict_merge(default_values,
+ firewall['name'][name])
+
+ # Merge in defaults for IPv6 ruleset
+ if 'ipv6_name' in firewall:
+ default_values = defaults(base + ['ipv6-name'])
+ for ipv6_name in firewall['ipv6_name']:
+ firewall['ipv6_name'][ipv6_name] = dict_merge(default_values,
+ firewall['ipv6_name'][ipv6_name])
+
firewall['policy_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
firewall['interfaces'] = get_firewall_interfaces(conf)
firewall['zone_policy'] = get_firewall_zones(conf)
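Review bot: The blocks at `if 'name' in firewall:` and `if 'ipv6_name' in firewall:` are the same code with two names swapped, and both reuse a single `default_values` object across every ruleset in the loop, which is only correct if dict_merge() leaves its first argument untouched — dict_merge() is not visible here, so that is worth confirming or noting in a comment. Folding both into one loop keyed on `(('name', 'name'), ('ipv6_name', 'ipv6-name'))` keeps the CLI-path spelling (`ipv6-name` with a hyphen versus the mangled `ipv6_name` dict key) in one place, which is the easy thing to get wrong when another ruleset type is added. The added comment above `default_values = defaults(base)` has a typo, `retrived` → `retrieved`. get_config continues outside the hunk.
```python
    firewall = dict_merge(default_values, firewall)

    # Merge in per-ruleset defaults; tag nodes cannot carry defaults (T2665),
    # so the defaults of each ruleset type are loaded from its CLI path.
    for key, cli_node in (('name', 'name'), ('ipv6_name', 'ipv6-name')):
        if key not in firewall:
            continue
        ruleset_defaults = defaults(base + [cli_node])
        for ruleset, ruleset_conf in firewall[key].items():
            firewall[key][ruleset] = dict_merge(ruleset_defaults, ruleset_conf)

    # … unchanged: policy_resync, interfaces, zone_policy …
```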
@@ -315,7 +337,7 @@ def verify_nested_group(group_name, group, groups, seen):
if g in seen:
raise ConfigError(f'Group "{group_name}" has a circular reference')
-
+
seen.append(g)
if 'include' in groups[g]:
@@ -378,7 +400,7 @@ def cleanup_commands(firewall):
if firewall['geoip_updated']:
geoip_key = 'deleted_ipv6_name' if table == 'ip6 filter' else 'deleted_name'
geoip_list = dict_search_args(firewall, 'geoip_updated', geoip_key) or []
-
+
json_str = cmd(f'nft -t -j list table {table}')
obj = loads(json_str)
@@ -420,7 +442,7 @@ def cleanup_commands(firewall):
if set_name.startswith('GEOIP_CC_') and set_name in geoip_list:
commands_sets.append(f'delete set {table} {set_name}')
continue
-
+
if set_name.startswith("RECENT_"):
commands_sets.append(f'delete set {table} {set_name}')
continue
@@ -520,7 +542,7 @@ def apply(firewall):
if install_result == 1:
raise ConfigError('Failed to apply firewall')
- # set fireall group domain-group xxx
+ # set firewall group domain-group xxx
if 'group' in firewall:
if 'domain_group' in firewall['group']:
# T970 Enable a resolver (systemd daemon) that checks