From cdbe969308c1f540050d288ffc6b55abbefa7534 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Tue, 19 Sep 2023 21:06:35 +0200 Subject: conntrack: firewall: T4502: Update conntrack check for new flowtable CLI Also updates flowtable smoketest to verify conntrack enabled --- smoketest/scripts/cli/test_firewall.py | 4 ++++ src/conf_mode/conntrack.py | 24 ++++++------------------ 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 72e04847a..676be5305 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -637,5 +637,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.verify_nftables(nftables_search, 'ip vyos_filter') self.verify_nftables(nftables_search, 'ip6 vyos_filter') + # Check conntrack + self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK') + self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK') + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index 21a20ea8d..50089508a 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -90,14 +90,6 @@ def get_config(config=None): get_first_key=True, no_tag_node_value_mangle=True) - conntrack['flowtable_enabled'] = False - flow_offload = dict_search_args(conntrack['firewall'], 'global_options', 'flow_offload') - if flow_offload and 'disable' not in flow_offload: - for offload_type in ('software', 'hardware'): - if dict_search_args(flow_offload, offload_type, 'interface'): - conntrack['flowtable_enabled'] = True - break - conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return' conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return' conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return' @@ -170,16 +162,12 @@ def generate(conntrack): conntrack['ipv4_firewall_action'] = 'return' conntrack['ipv6_firewall_action'] = 'return' - if conntrack['flowtable_enabled']: - conntrack['ipv4_firewall_action'] = 'accept' - conntrack['ipv6_firewall_action'] = 'accept' - else: - for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): - if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()): - if path[0] == 'ipv4': - conntrack['ipv4_firewall_action'] = 'accept' - elif path[0] == 'ipv6': - conntrack['ipv6_firewall_action'] = 'accept' + for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'): + if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()): + if path[0] == 'ipv4': + conntrack['ipv4_firewall_action'] = 'accept' + elif path[0] == 'ipv6': + conntrack['ipv6_firewall_action'] = 'accept' render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) -- cgit v1.2.3