2 files changed, 46 insertions, 19 deletions

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 903cc8535..4aa509fe2 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -41,14 +41,19 @@ def fqdn_config_parse(firewall):
     firewall['ip6_fqdn'] = {}
 
     for domain, path in dict_search_recursive(firewall, 'fqdn'):
-        fw_name = path[1] # name/ipv6-name
-        rule = path[3] # rule id
-        suffix = path[4][0] # source/destination (1 char)
-        set_name = f'{fw_name}_{rule}_{suffix}'
-
-        if path[0] == 'name':
+        hook_name = path[1]
+        priority = path[2]
+
+        fw_name = path[2]
+        rule = path[4]
+        suffix = path[5][0]
+        set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
+            
+        if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
             firewall['ip_fqdn'][set_name] = domain
-        elif path[0] == 'ipv6_name':
+        elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+            if path[1] == 'name':
+                set_name = f'name6_{priority}_{rule}_{suffix}'
             firewall['ip6_fqdn'][set_name] = domain
 
 def fqdn_resolve(fqdn, ipv6=False):
@@ -80,7 +85,7 @@ def nft_action(vyos_action):
         return 'return'
     return vyos_action
 
-def parse_rule(rule_conf, fw_name, rule_id, ip_name):
+def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
     output = []
     def_suffix = '6' if ip_name == 'ip6' else ''
 
@@ -129,16 +134,34 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
 
             if 'fqdn' in side_conf:
                 fqdn = side_conf['fqdn']
+                hook_name = ''
                 operator = ''
                 if fqdn[0] == '!':
                     operator = '!='
-                output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{fw_name}_{rule_id}_{prefix}')
+                if hook == 'FWD':
+                    hook_name = 'forward'
+                if hook == 'INP':
+                    hook_name = 'input'
+                if hook == 'OUT':
+                    hook_name = 'output'
+                if hook == 'NAM':
+                    hook_name = f'name{def_suffix}'
+                output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{hook_name}_{fw_name}_{rule_id}_{prefix}')
 
             if dict_search_args(side_conf, 'geoip', 'country_code'):
                 operator = ''
+                hook_name = ''
                 if dict_search_args(side_conf, 'geoip', 'inverse_match') != None:
                     operator = '!='
-                output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC_{fw_name}_{rule_id}')
+                if hook == 'FWD':
+                    hook_name = 'forward'
+                if hook == 'INP':
+                    hook_name = 'input'
+                if hook == 'OUT':
+                    hook_name = 'output'
+                if hook == 'NAM':
+                    hook_name = f'name'
+                output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}')
 
             if 'mac_address' in side_conf:
                 suffix = side_conf["mac_address"]
@@ -324,7 +347,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
     if 'recent' in rule_conf:
         count = rule_conf['recent']['count']
         time = rule_conf['recent']['time']
-        output.append(f'add @RECENT{def_suffix}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}')
+        output.append(f'add @RECENT{def_suffix}_{hook}_{fw_name}_{rule_id} {{ {ip_name} saddr limit rate over {count}/{time} burst {count} packets }}')
 
     if 'time' in rule_conf:
         output.append(parse_time(rule_conf['time']))
@@ -348,7 +371,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
         output.append(parse_policy_set(rule_conf['set'], def_suffix))
 
     if 'action' in rule_conf:
-        output.append(nft_action(rule_conf['action']))
+        # Change action=return to action=action
+        # #output.append(nft_action(rule_conf['action']))
+        output.append(f'{rule_conf["action"]}')
         if 'jump' in rule_conf['action']:
             target = rule_conf['jump_target']
             output.append(f'NAME{def_suffix}_{target}')
@@ -365,7 +390,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
     else:
         output.append('return')
 
-    output.append(f'comment "{fw_name}-{rule_id}"')
+    output.append(f'comment "{hook}-{fw_name}-{rule_id}"')
     return " ".join(output)
 
 def parse_tcp_flags(flags):
@@ -493,11 +518,12 @@ def geoip_update(firewall, force=False):
 
         # Map country codes to set names
         for codes, path in dict_search_recursive(firewall, 'country_code'):
-            set_name = f'GEOIP_CC_{path[1]}_{path[3]}'
-            if path[0] == 'name':
+            set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
+            if ( path[0] == 'ipv4'):
                 for code in codes:
                     ipv4_codes.setdefault(code, []).append(set_name)
-            elif path[0] == 'ipv6_name':
+            elif ( path[0] == 'ipv6' ):
+                set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}'
                 for code in codes:
                     ipv6_codes.setdefault(code, []).append(set_name)
 
diff --git a/python/vyos/template.py b/python/vyos/template.py
index 6469623fd..e167488c6 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -574,9 +574,9 @@ def nft_action(vyos_action):
     return vyos_action
 
 @register_filter('nft_rule')
-def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'):
+def nft_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name='ip'):
     from vyos.firewall import parse_rule
-    return parse_rule(rule_conf, fw_name, rule_id, ip_name)
+    return parse_rule(rule_conf, fw_hook, fw_name, rule_id, ip_name)
 
 @register_filter('nft_default_rule')
 def nft_default_rule(fw_conf, fw_name, ipv6=False):
@@ -587,7 +587,8 @@ def nft_default_rule(fw_conf, fw_name, ipv6=False):
         action_suffix = default_action[:1].upper()
         output.append(f'log prefix "[{fw_name[:19]}-default-{action_suffix}]"')
 
-    output.append(nft_action(default_action))
+    #output.append(nft_action(default_action))
+    output.append(f'{default_action}')
     if 'default_jump_target' in fw_conf:
         target = fw_conf['default_jump_target']
         def_suffix = '6' if ipv6 else ''