From 9791258d7d5320d3a8bfa45d43b59fd35e8a2131 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 10 Jun 2022 16:57:21 +0200
Subject: firewall: T478: Add support for nesting groups
---
 data/templates/firewall/nftables-defines.j2 | 32 +++++++++++++++++------------
 1 file changed, 19 insertions(+), 13 deletions(-)
(limited to 'data')
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 4fa92f2e3..12146879d 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -1,32 +1,38 @@
 {% if group is vyos_defined %}
 {% if group.address_group is vyos_defined %}
-{% for group_name, group_conf in group.address_group.items() %}
-define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% for group_name, group_conf in group.address_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define A_{{ group_name }} = { {{ group_conf.address | nft_nested_group(includes, 'A_') | join(",") }} }
 {% endfor %}
 {% endif %}
 {% if group.ipv6_address_group is vyos_defined %}
-{% for group_name, group_conf in group.ipv6_address_group.items() %}
-define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% for group_name, group_conf in group.ipv6_address_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define A6_{{ group_name }} = { {{ group_conf.address | nft_nested_group(includes, 'A6_') | join(",") }} }
 {% endfor %}
 {% endif %}
 {% if group.mac_group is vyos_defined %}
-{% for group_name, group_conf in group.mac_group.items() %}
-define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
+{% for group_name, group_conf in group.mac_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define M_{{ group_name }} = { {{ group_conf.mac_address | nft_nested_group(includes, 'M_') | join(",") }} }
 {% endfor %}
 {% endif %}
 {% if group.network_group is vyos_defined %}
-{% for group_name, group_conf in group.network_group.items() %}
-define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% for group_name, group_conf in group.network_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define N_{{ group_name }} = { {{ group_conf.network | nft_nested_group(includes, 'N_') | join(",") }} }
 {% endfor %}
 {% endif %}
 {% if group.ipv6_network_group is vyos_defined %}
-{% for group_name, group_conf in group.ipv6_network_group.items() %}
-define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% for group_name, group_conf in group.ipv6_network_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define N6_{{ group_name }} = { {{ group_conf.network | nft_nested_group(includes, 'N6_') | join(",") }} }
 {% endfor %}
 {% endif %}
 {% if group.port_group is vyos_defined %}
-{% for group_name, group_conf in group.port_group.items() %}
-define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
+{% for group_name, group_conf in group.port_group | sort_nested_groups %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+define P_{{ group_name }} = { {{ group_conf.port | nft_nested_group(includes, 'P_') | join(",") }} }
 {% endfor %}
 {% endif %}
-{% endif %}
\ No newline at end of file
+{% endif %}
-- 
cgit v1.2.3
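Review bot: `includes` is guarded with `is vyos_defined`, but the member list piped into `nft_nested_group` (`group_conf.address`, `.mac_address`, `.network`, `.port`) is not, and a group made up only of `include` entries is the obvious use of nesting. Unless the filter tolerates an undefined first argument (its implementation is outside this diff), such a group would fail to render or produce a malformed `define`, and the firewall ruleset would not load. I would default it in the template in all six blocks, e.g. `{% set members = group_conf.address if group_conf.address is vyos_defined else [] %}`, or add a template comment stating that the filter accepts an undefined list. Since the rendered output presumably refers to other defines by name and relies on `sort_nested_groups` for ordering, circular includes and includes of a non-existent group should be rejected at commit verification rather than left for nft to fail on at load time.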