From fb3ef9af5e394aa25692003fb3c185bfedefe3cb Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 18 Sep 2023 20:24:22 +0200
Subject: conntrack: T5217: Add tcp flag matching to `system conntrack ignore`

- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i`
- Update smoketest to verify TCP flag matching
---
 python/vyos/template.py | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'python')
diff --git a/python/vyos/template.py b/python/vyos/template.py
index add4d3ce5..3be486cc4 100644
--- a/python/vyos/template.py
+++ b/python/vyos/template.py
@@ -678,6 +678,11 @@ def conntrack_ignore_rule(rule_conf, rule_id, ipv6=False):
 proto = rule_conf['protocol']
 output.append(f'meta l4proto {proto}')
 
+ tcp_flags = dict_search_args(rule_conf, 'tcp', 'flags')
+ if tcp_flags:
+ from vyos.firewall import parse_tcp_flags
+ output.append(parse_tcp_flags(tcp_flags))
+
 for side in ['source', 'destination']:
 if side in rule_conf:
 side_conf = rule_conf[side]
-- 
cgit v1.2.3
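Review bot: The added `if tcp_flags:` block appends the flag match whatever `rule_conf['protocol']` holds, so a rule whose protocol is not tcp (or is unset) would still get the output of `parse_tcp_flags`, presumably a `tcp flags` expression, next to `meta l4proto {proto}`. Nothing in this hunk rejects that combination; if the conf-mode verify step outside this file does not already require protocol tcp whenever `tcp flags` is set, it should, so the mismatch fails at commit time rather than when the ruleset is loaded. Dropping the flags silently here would be the worse fix, because the ignore rule would then exempt more traffic from connection tracking than was configured. The function-local import also deserves a one-line comment, e.g. `# local import: vyos.firewall imports from vyos.template`, if a circular import is indeed the reason. The body of `conntrack_ignore_rule` starts and continues outside the hunk.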