-rw-r--r-- | data/templates/firewall/nftables-zone.j2 | 13 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 | 4 | ||||
-rw-r--r-- | data/templates/grub/grub_common.j2 | 4 | ||||
-rw-r--r-- | data/templates/grub/grub_vyos_version.j2 | 11 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 34 | ||||
-rwxr-xr-x | src/op_mode/image_installer.py | 1 | ||||
-rw-r--r-- | src/system/grub_update.py | 3 |
7 files changed, 43 insertions, 27 deletions
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 index 5e55099ca..e78725079 100644 --- a/data/templates/firewall/nftables-zone.j2 +++ b/data/templates/firewall/nftables-zone.j2 @@ -1,13 +1,6 @@ - -{% macro zone_chains(zone, family, state_policy=False) %} -{% if family == 'ipv6' %} -{% set fw_name = 'ipv6_name' %} -{% set suffix = '6' %} -{% else %} -{% set fw_name = 'name' %} -{% set suffix = '' %} -{% endif %} - +{% macro zone_chains(zone, ipv6=False, state_policy=False) %} +{% set fw_name = 'ipv6_name' if ipv6 else 'name' %} +{% set suffix = '6' if ipv6 else '' %} chain VYOS_ZONE_FORWARD { type filter hook forward priority 1; policy accept; {% if state_policy %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index e0ad0e00a..833df3a67 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -163,7 +163,7 @@ table ip vyos_filter { {{ group_tmpl.groups(group, False, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }} +{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }} {% endif %} {% if global_options.state_policy is vyos_defined %} chain VYOS_STATE_POLICY { @@ -298,7 +298,7 @@ table ip6 vyos_filter { {% endif %} {{ group_tmpl.groups(group, True, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }} +{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }} {% endif %} {% if global_options.state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2 index 278ffbf2c..29c2ab879 100644 --- a/data/templates/grub/grub_common.j2 +++ b/data/templates/grub/grub_common.j2 
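Review bot: `zone_chains` now takes a positional boolean where it used to take a family string, so a caller still passing `'ipv4'` would be truthy and silently render `ipv6_name` and the `6` suffix into the IPv4 table. Both call sites in nftables.j2 are updated in this commit, but callers outside this diff, if any, cannot be checked from here. Passing the flag by keyword, `zone_tmpl.zone_chains(zone, ipv6=True, state_policy=global_options.state_policy is vyos_defined)`, would keep the address family readable at the call site and make a stale string argument easier to spot. The macro body continues outside the hunk.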
@@ -8,9 +8,9 @@ fi
 function setup_serial {
 # initialize the first serial port by default
 if [ "${console_type}" == "ttyS" ]; then
- serial --unit=${console_num}
+ serial --unit=${console_num} --speed=${console_speed}
 else
- serial --unit=0
+ serial --unit=0 --speed=${console_speed}
 fi
 terminal_output --append serial console
 terminal_input --append serial console
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
index 97fbe8473..62688e68b 100644
--- a/data/templates/grub/grub_vyos_version.j2
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -6,16 +6,21 @@
 {% endif %}
 menuentry "{{ version_name }}" --id {{ version_uuid }} {
 set boot_opts="{{ boot_opts_rendered }}"
+ if [ "${console_type}" == "ttyS" ]; then
+ set console_opts="console=${console_type}${console_num},${console_speed}"
+ else
+ set console_opts="console=${console_type}${console_num}"
+ fi
 # load rootfs to RAM
 if [ "${boot_toram}" == "yes" ]; then
 set boot_opts="${boot_opts} toram"
 fi
 if [ "${bootmode}" == "pw_reset" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
 elif [ "${bootmode}" == "recovery" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init"
 else
- set boot_opts="${boot_opts} console=${console_type}${console_num}"
+ set boot_opts="${boot_opts} ${console_opts}"
 fi
 linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
 initrd "/boot/{{ version_name }}/initrd.img"
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 2be616da1..72fbdb37d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
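Review bot: `${console_speed}` is expanded in both `serial` lines of `setup_serial` with no fallback, so a boot environment that does not define it would render `--speed=` with an empty value. The same applies to the `console=${console_type}${console_num},${console_speed}` line added in grub_vyos_version.j2. Whether every existing installation has `console_speed` written before these templates are used cannot be confirmed from this diff. A guard at the top of `setup_serial`, `if [ -z "${console_speed}" ]; then set console_speed=115200; fi`, would keep the serial console usable for the recovery and password-reset entries on headless systems. The body of `setup_serial` continues outside the hunk.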
@@ -671,8 +671,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 ### Zone
 def test_zone_basic(self):
 self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'name', 'smoketestv6', 'default-action', 'drop'])
 self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'interface', 'eth0'])
 self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
+ self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'intra-zone-filtering', 'firewall', 'ipv6-name', 'smoketestv6'])
 self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
 self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
 self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
@@ -704,16 +706,30 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['ct state related', 'accept'] ] - nftables_output = cmd('sudo nft list table ip vyos_filter') - - for search in nftables_search: - matched = False - for line in nftables_output.split("\n"): - if all(item in line for item in search): - matched = True - break - self.assertTrue(matched) + nftables_search_v6 = [ + ['chain VYOS_ZONE_FORWARD'], + ['type filter hook forward priority filter + 1'], + ['chain VYOS_ZONE_OUTPUT'], + ['type filter hook output priority filter + 1'], + ['chain VYOS_ZONE_LOCAL'], + ['type filter hook input priority filter + 1'], + ['chain VZONE_smoketest-eth0'], + ['chain VZONE_smoketest-local_IN'], + ['chain VZONE_smoketest-local_OUT'], + ['oifname "eth0"', 'jump VZONE_smoketest-eth0'], + ['jump VZONE_smoketest-local_IN'], + ['jump VZONE_smoketest-local_OUT'], + ['iifname "eth0"', 'jump NAME6_smoketestv6'], + ['jump VYOS_STATE_POLICY6'], + ['chain VYOS_STATE_POLICY6'], + ['ct state established', 'log prefix "[STATE-POLICY-EST-A]"', 'accept'], + ['ct state invalid', 'drop'], + ['ct state related', 'accept'] + ] + nftables_output = cmd('sudo nft list table ip vyos_filter') + self.verify_nftables(nftables_search, 'ip vyos_filter') + self.verify_nftables(nftables_search_v6, 'ip6 vyos_filter') def test_flow_offload(self): self.cli_set(['firewall', 'flowtable', 'smoketest', 'interface', 'eth0']) diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py index 791d76718..fad6face7 100755 --- a/src/op_mode/image_installer.py +++ b/src/op_mode/image_installer.py @@ -93,6 +93,7 @@ DEFAULT_BOOT_VARS: dict[str, str] = { 'timeout': '5', 'console_type': 'tty', 'console_num': '0', + 'console_speed': '115200', 'bootmode': 'normal' } diff --git a/src/system/grub_update.py b/src/system/grub_update.py index 3c851f0e0..4d5e0b6ae 100644 --- a/src/system/grub_update.py +++ b/src/system/grub_update.py 
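Review bot: `nftables_output = cmd('sudo nft list table ip vyos_filter')` is re-added at the end of `test_zone_basic`, but nothing in the hunk reads it now that the matching loop is replaced by the two `self.verify_nftables(...)` calls. The line spawns an extra privileged `nft` process for no effect and should be dropped. A short comment above `nftables_search_v6`, such as `# IPv6 table: same zone chains, intra-zone traffic on eth0 jumps to NAME6_smoketestv6`, would also explain why that list differs from the IPv4 one. The method starts outside this hunk.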
@@ -68,7 +68,8 @@ if __name__ == '__main__': 'default': grub.gen_version_uuid(default_entry['version']), 'bootmode': default_entry['bootmode'], 'console_type': default_entry['console_type'], - 'console_num': default_entry['console_num'] + 'console_num': default_entry['console_num'], + 'console_speed': '115200' } vars.update(default_settings) |
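Review bot: `'console_speed': '115200'` is a string literal, while the neighbouring `bootmode`, `console_type` and `console_num` values are read from `default_entry`. The same literal is added separately to `DEFAULT_BOOT_VARS` in image_installer.py. Whether `default_entry` can carry a speed is not visible here, but as written every run of grub_update.py writes 115200 regardless of what the serial line is actually set to, which can leave the boot console unreadable. Reading it with a fallback, `'console_speed': default_entry.get('console_speed', '115200')`, or importing one shared constant would avoid two copies drifting apart. The `if __name__ == '__main__':` block starts and ends outside the hunk.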