From 5cf503955377d138c626b2c8157eab71b1fa8fad Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Mon, 3 Jul 2023 11:34:10 +0000 Subject: T5333: Set prefix UD for PBR generated user-defined chain names We cannot use some specific names like POSTROUTING/PREROUTING as for PBR they overlaps with VyOS defined chains Chains aftoconfigured by VyOS itself: chain VYOS_PBR_PREROUTING chain VYOS_PBR_POSTROUTING If we try to use chain name "POSTROUTING" it generates 2 chains with the same name "chain VYOS_PBR_POSTROUTING" one is autoconfigured and the second defined by user set policy route POSTROUTING rule 100 Add the user-defined (UD) prefix to separate user defined names That allows to use any user-defined names --- data/templates/firewall/nftables-policy.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'data') diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 7a89d29e4..1c9bda64f 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -11,7 +11,7 @@ table ip vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route is vyos_defined %} {% for route_text, conf in route.items() if conf.interface is vyos_defined %} - iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }} + iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }} {% endfor %} {% endif %} } @@ -22,7 +22,7 @@ table ip vyos_mangle { {% if route is vyos_defined %} {% for route_text, conf in route.items() %} - chain VYOS_PBR_{{ route_text }} { + chain VYOS_PBR_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} @@ -40,7 +40,7 @@ table ip6 vyos_mangle { type filter hook prerouting priority -150; policy accept; {% if route6 is vyos_defined %} {% for route_text, conf in route6.items() if conf.interface is vyos_defined %} - iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }} + iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }} {% endfor %} {% endif %} } @@ -51,7 +51,7 @@ table ip6 vyos_mangle { {% if route6 is vyos_defined %} {% for route_text, conf in route6.items() %} - chain VYOS_PBR6_{{ route_text }} { + chain VYOS_PBR6_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} -- cgit v1.2.3