From b730015945dcac62db4373ebfa8072d7bc1acff1 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Tue, 12 Sep 2023 15:35:38 +0000
Subject: T4309: Conntrack ignore fix to handle interface any

Interface 'any' is not expected in nft rules; it means that the iifname
option shouldn't exist at all

set system conntrack ignore ipv4 rule 10 inbound-interface 'any'

table ip raw {
	chain VYOS_CT_IGNORE {
		iifname "any" counter packets 0 bytes 0 notrack comment "ignore-10"
		return
	}
}

Fix it
---
 python/vyos/template.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/vyos/template.py b/python/vyos/template.py
index c1b57b883..add4d3ce5 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -671,7 +671,8 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
 
     if 'inbound_interface' in rule_conf:
         ifname = rule_conf['inbound_interface']
-        output.append(f'iifname {ifname}')
+        if ifname != 'any':
+            output.append(f'iifname {ifname}')
 
     if 'protocol' in rule_conf:
         proto = rule_conf['protocol']
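Review bot: The new `if ifname != 'any':` check has no comment explaining why 'any' is dropped, and the effect matters for a notrack rule. With the matcher omitted the rule applies to every inbound interface, so a rule whose only criterion is `inbound-interface any` exempts all traffic reaching this chain from connection tracking. I would add `# 'any' is a CLI keyword, not a device name: emit no iifname match so the rule covers all interfaces` above the check. Separately, `f'iifname {ifname}'` puts the configured value into the rule text unquoted; this presumably relies on CLI validation of interface names that is not visible here, and `f'iifname "{ifname}"'` would keep the template safe without it. conntrack_ignore_rule starts and ends outside the hunk.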
-- 
cgit v1.2.3