From 84a83ecc4c78bf2e0954658ea539e42b4c015fa2 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 3 Jan 2022 22:17:08 +0100
Subject: firewall: T4130: Fix firewall state-policy errors

Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
---
 python/vyos/template.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'python')

diff --git a/python/vyos/template.py b/python/vyos/template.py
index e20890e25..965bb4ed0 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -493,7 +493,7 @@ def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'):
     return parse_rule(rule_conf, fw_name, rule_id, ip_name)
 
 @register_filter('nft_state_policy')
-def nft_state_policy(conf, state):
+def nft_state_policy(conf, state, ipv6=False):
     out = [f'ct state {state}']
 
     if 'log' in conf and 'enable' in conf['log']:
@@ -502,7 +502,11 @@ def nft_state_policy(conf, state):
     out.append('counter')
 
     if 'action' in conf:
-        out.append(conf['action'])
+        if conf['action'] == 'accept':
+            jump_target = 'VYOS_POST_FW6' if ipv6 else 'VYOS_POST_FW'
+            out.append(f'jump {jump_target}')
+        else:
+            out.append(conf['action'])
 
     return " ".join(out)
-- 
cgit v1.2.3
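Review bot: The new `ipv6=False` keyword on `nft_state_policy` is undocumented, and the function has no docstring at all, so a template author calling the `nft_state_policy` filter has only the name to go on. Since the second hunk shows the flag only choosing between the `VYOS_POST_FW6` and `VYOS_POST_FW` jump targets, a one-line docstring after the `def` line would pin that down: `"""Render one nft state-policy rule; ipv6 selects the IPv6 post-firewall chain as the jump target for 'accept'."""`. The body of nft_state_policy continues past this hunk.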
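Review bot: The `accept` branch changes what an accept state policy renders to, from the nft `accept` verdict to `jump VYOS_POST_FW` or `jump VYOS_POST_FW6`, and nothing in template.py records why; a reader will reasonably assume `accept` terminates evaluation. A why-comment above `if conf['action'] == 'accept':` would preserve the intent, e.g. `# 'accept' is rendered as a jump to the post-firewall chain rather than a terminating verdict, so rules emitted after the state policy are still evaluated (see T4130)`. The two chain names are bare literals that must match the chain definitions rendered elsewhere, presumably in the firewall template; a mismatch would surface only when nft loads the ruleset, which is worth noting next to the literals. The `else` branch still interpolates `conf['action']` verbatim into rule text, unchanged from before this commit.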