From cdbe969308c1f540050d288ffc6b55abbefa7534 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 19 Sep 2023 21:06:35 +0200
Subject: conntrack: firewall: T4502: Update conntrack check for new flowtable
 CLI

Also updates flowtable smoketest to verify conntrack enabled
---
 smoketest/scripts/cli/test_firewall.py |  4 ++++
 src/conf_mode/conntrack.py             | 24 ++++++------------------
 2 files changed, 10 insertions(+), 18 deletions(-)

diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 72e04847a..676be5305 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -637,5 +637,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.verify_nftables(nftables_search, 'ip vyos_filter')
         self.verify_nftables(nftables_search, 'ip6 vyos_filter')
 
+        # Check conntrack
+        self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
+        self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
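Review bot: The two new `verify_nftables_chain` calls only pin the positive case (chain `FW_CONNTRACK` contains `accept`), so a regression that left conntrack enabled unconditionally would still pass; consider asserting the chain holds `return` earlier in the test, before the offload/state rules are committed, and `accept` only afterwards. The expected-rule shape `[['accept']]` presumably matches a whole-line token list — if the chain can also carry counters or comments, a looser match might be needed, so please confirm against `verify_nftables_chain`. A short comment stating why conntrack is expected here would help future readers, e.g. `# Offload (flowtable) rules require conntrack, so the chain must accept`. The enclosing test method starts before this hunk.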
diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index 21a20ea8d..50089508a 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -90,14 +90,6 @@ def get_config(config=None):
                                                  get_first_key=True,
                                                  no_tag_node_value_mangle=True)
 
-    conntrack['flowtable_enabled'] = False
-    flow_offload = dict_search_args(conntrack['firewall'], 'global_options', 'flow_offload')
-    if flow_offload and 'disable' not in flow_offload:
-        for offload_type in ('software', 'hardware'):
-            if dict_search_args(flow_offload, offload_type, 'interface'):
-                conntrack['flowtable_enabled'] = True
-                break
-
     conntrack['ipv4_nat_action'] = 'accept' if conf.exists(['nat']) else 'return'
     conntrack['ipv6_nat_action'] = 'accept' if conf.exists(['nat66']) else 'return'
     conntrack['wlb_action'] = 'accept' if conf.exists(['load-balancing', 'wan']) else 'return'
@@ -170,16 +162,12 @@ def generate(conntrack):
     conntrack['ipv4_firewall_action'] = 'return'
     conntrack['ipv6_firewall_action'] = 'return'
 
-    if conntrack['flowtable_enabled']:
-        conntrack['ipv4_firewall_action'] = 'accept'
-        conntrack['ipv6_firewall_action'] = 'accept'
-    else:
-        for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
-            if any(('state' in rule_conf or 'connection_status' in rule_conf) for rule_conf in rules.values()):
-                if path[0] == 'ipv4':
-                    conntrack['ipv4_firewall_action'] = 'accept'
-                elif path[0] == 'ipv6':
-                    conntrack['ipv6_firewall_action'] = 'accept'
+    for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
+        if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+            if path[0] == 'ipv4':
+                conntrack['ipv4_firewall_action'] = 'accept'
+            elif path[0] == 'ipv6':
+                conntrack['ipv6_firewall_action'] = 'accept'
 
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)
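Review bot: The rewritten `any(...)` condition in the `for rules, path in dict_search_recursive(...)` loop folds three match keys into one long expression without saying why `offload_target` now counts as a conntrack dependency, which is the whole point of the change and will not be obvious to the next reader. Please add a comment above the loop such as `# Rules that match on state/connection_status, or steer flows into a flowtable via an offload target, all depend on conntrack`, and consider extracting the predicate into a small helper (e.g. `_rule_needs_conntrack(rule_conf)`) so the line stays readable. Note also that rule sets found under any top-level key other than `ipv4`/`ipv6` are silently ignored by the `if`/`elif`, and that `rule_conf` is assumed to be a dict for every rule — if an empty rule node can yield `None` here, the `in` test would raise; worth confirming against `dict_search_recursive`. `generate` starts before this hunk and the defaults it sets at its top are outside the view.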
-- 
cgit v1.2.3