From 90a84a0bb1f7293a8df76f3449efcc7da813c425 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 13 Apr 2022 22:52:54 +0200
Subject: firewall: T4333: migrate to new vyos_defined Jinja2 test
---
 data/templates/firewall/nftables-defines.tmpl | 14 +++++++-------
 data/templates/firewall/upnpd.conf.tmpl | 24 ++++++++++++------------
 data/templates/zone_policy/nftables.tmpl | 26 +++++++++++++------------
 3 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl
index d9eb7c199..66d31093b 100644
--- a/data/templates/firewall/nftables-defines.tmpl
+++ b/data/templates/firewall/nftables-defines.tmpl
@@ -1,30 +1,30 @@
-{% if group is defined %}
-{% if group.address_group is defined %}
+{% if group is vyos_defined %}
+{% if group.address_group is vyos_defined %}
 {% for group_name, group_conf in group.address_group.items() %}
 define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
 {% endfor %}
 {% endif %}
-{% if group.ipv6_address_group is defined %}
+{% if group.ipv6_address_group is vyos_defined %}
 {% for group_name, group_conf in group.ipv6_address_group.items() %}
 define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
 {% endfor %}
 {% endif %}
-{% if group.mac_group is defined %}
+{% if group.mac_group is vyos_defined %}
 {% for group_name, group_conf in group.mac_group.items() %}
 define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
 {% endfor %}
 {% endif %}
-{% if group.network_group is defined %}
+{% if group.network_group is vyos_defined %}
 {% for group_name, group_conf in group.network_group.items() %}
 define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
 {% endfor %}
 {% endif %}
-{% if group.ipv6_network_group is defined %}
+{% if group.ipv6_network_group is vyos_defined %}
 {% for group_name, group_conf in group.ipv6_network_group.items() %}
 define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
 {% endfor %}
 {% endif %}
-{% if group.port_group is defined %}
+{% if group.port_group is vyos_defined %}
 {% for group_name, group_conf in group.port_group.items() %}
 define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
 {% endfor %}
diff --git a/data/templates/firewall/upnpd.conf.tmpl b/data/templates/firewall/upnpd.conf.tmpl
index 39cb21373..6e73995fa 100644
--- a/data/templates/firewall/upnpd.conf.tmpl
+++ b/data/templates/firewall/upnpd.conf.tmpl
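Review bot: The member attribute inside each `define` line is the one access in this hunk that stays unguarded: `group_conf.address`, `group_conf.mac_address`, `group_conf.network` and `group_conf.port` are piped straight into `join(",")`, so a group that exists but has no members renders as `define A_name = {  }`, which nft is likely to reject and with it the whole ruleset load — unless the config-mode verifier already refuses empty groups, which is not visible here. If that case is reachable, wrap each define in the same test the commit introduces, e.g. `{% if group_conf.address is vyos_defined %}` … `{% endif %}`, so an empty group is simply left out of the defines instead of breaking the file. The outer `{% if group is vyos_defined %}` opened on the first line is closed outside the hunk.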
@@ -2,7 +2,7 @@ # WAN network interface ext_ifname={{ wan_interface }} -{% if wan_ip is defined %} +{% if wan_ip is vyos_defined %} # If the WAN interface has several IP addresses, you # can specify the one to use below {% for addr in wan_ip %} @@ -11,7 +11,7 @@ ext_ip={{ addr }} {% endif %} # LAN network interfaces IPs / networks -{% if listen is defined %} +{% if listen is vyos_defined %} # There can be multiple listening IPs for SSDP traffic, in that case # use multiple 'listening_ip=...' lines, one for each network interface. # It can be IP address or network interface name (ie. "eth0") @@ -45,7 +45,7 @@ listening_ip={{ addr }} # default is /var/run/minissdpd.sock #minissdpdsocket=/var/run/minissdpd.sock -{% if nat_pmp is defined %} +{% if nat_pmp is vyos_defined %} # Enable NAT-PMP support (default is no) enable_natpmp=yes {% endif %} @@ -53,14 +53,14 @@ enable_natpmp=yes # Enable UPNP support (default is yes) enable_upnp=yes -{% if pcp_lifetime is defined %} +{% if pcp_lifetime is vyos_defined %} # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base -{% if pcp_lifetime.max is defined %} +{% if pcp_lifetime.max is vyos_defined %} max_lifetime={{ pcp_lifetime.max }} {% endif %} -{% if pcp_lifetime.min is defined %} +{% if pcp_lifetime.min is vyos_defined %} min_lifetime={{ pcp_lifetime.min }} {% endif %} {% endif %} @@ -69,7 +69,7 @@ min_lifetime={{ pcp_lifetime.min }} # To enable the next few runtime options, see compile time # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h) -{% if friendly_name is defined %} +{% if friendly_name is vyos_defined %} # Name of this service, default is "`uname -s` router" friendly_name= {{ friendly_name }} {% endif %} 
@@ -89,7 +89,7 @@ model_description=Vyos open source enterprise router/firewall operating system # Model URL, default is URL of OS vendor model_url=https://vyos.io/ -{% if secure_mode is defined %} +{% if secure_mode is vyos_defined %} # Secure Mode, UPnP clients can only add mappings to their own IP secure_mode=yes {% else %} @@ -97,7 +97,7 @@ secure_mode=yes secure_mode=no {% endif %} -{% if presentation_url is defined %} +{% if presentation_url is vyos_defined %} # Default presentation URL is HTTP address on port 80 # If set to an empty string, no presentationURL element will appear # in the XML description of the device, which prevents MS Windows @@ -129,7 +129,7 @@ lease_file=/config/upnp.leases #serial=12345678 #model_number=1 -{% if rules is defined %} +{% if rules is vyos_defined %} # UPnP permission rules # (allow|deny) (external port range) IP/mask (internal port range) # A port range is - or if there is only @@ -143,13 +143,13 @@ lease_file=/config/upnp.leases # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! {% for rule, config in rules.items() %} -{% if config.disable is defined %} +{% if config.disable is vyos_defined %} {{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} {% endif %} {% endfor %} {% endif %} -{% if stun is defined %} +{% if stun is vyos_defined %} # WAN interface must have public IP address. Otherwise it is behind NAT # and port forwarding is impossible. In some cases WAN interface can be # behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index 4a6bd2772..9e532b79e 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl 
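Review bot: The permission-rule guard `{% if config.disable is vyos_defined %}` in the `@@ -143` hunk reads as inverted: the `{{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }}` line is emitted only when the rule carries a `disable` node, so — assuming `disable` marks a disabled rule as elsewhere in the VyOS CLI — enabled rules never reach upnpd.conf while disabled ones do, and the migration keeps that behaviour. The file's own comment a few lines above warns that failure to enforce any rules may permit insecure requests, so the line should become `{% if config.disable is not vyos_defined %}`. While there, `{{ config.action}}` lacks the space before `}}` that every other expression in the file has. The `{% for rule, config in rules.items() %}` loop and its enclosing `{% if %}` both close inside the hunk; the `{% if stun is vyos_defined %}` block opened at its end does not.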
@@ -1,18 +1,18 @@ #!/usr/sbin/nft -f -{% if cleanup_commands is defined %} +{% if cleanup_commands is vyos_defined %} {% for command in cleanup_commands %} {{ command }} {% endfor %} {% endif %} -{% if zone is defined %} +{% if zone is vyos_defined %} table ip filter { {% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %} -{% if zone_conf.local_zone is defined %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} @@ -20,7 +20,7 @@ table ip filter { } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} 
@@ -29,10 +29,10 @@ table ip filter { {% else %} chain VZONE_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return {% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} {% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return @@ -46,10 +46,10 @@ table ip filter { table ip6 filter { {% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %} -{% if zone_conf.local_zone is defined %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE6_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} @@ -57,7 +57,7 @@ table ip6 filter { } chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} 
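Review bot: The `{% if zone[from_zone].local_zone is not defined %}` line in the `@@ -29` hunk is left on the plain `defined` test while the `zone_conf.local_zone is vyos_defined` check in the `@@ -1` hunk, and every other test in this file, moves to `vyos_defined`; the same leftover appears in the `@@ -66` hunk for the ip6 table. If `vyos_defined` treats a present-but-`None` value as undefined, as its name suggests, the two `local_zone` tests can disagree for such a value, and a zone would then neither get its own VZONE chain nor be listed as a source zone here. For consistency change both lines to `{% if zone[from_zone].local_zone is not vyos_defined %}`. The `{% for from_zone, from_conf in zone_conf.from.items() ... %}` loop opened in this hunk closes outside it.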
@@ -66,10 +66,10 @@ table ip6 filter { {% else %} chain VZONE6_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return {% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} {% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return @@ -101,7 +101,7 @@ insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join( {% endfor %} {# Ensure that state-policy rule is first in the chain #} -{% if firewall.state_policy is defined %} +{% if firewall.state_policy is vyos_defined %} {% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %} insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY {% endfor %} -- cgit v1.2.3