From 76d912d63ca4d15d9efe118184c405cf8273cbcf Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 10 Jan 2022 23:17:32 +0100
Subject: conntrack: T3579: dry-run newly generated config before install

Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
---
 src/conf_mode/conntrack.py | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/conf_mode')

diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py
index b9eb8071d..aabf2bdf5 100755
--- a/src/conf_mode/conntrack.py
+++ b/src/conf_mode/conntrack.py
@@ -105,6 +105,13 @@ def generate(conntrack):
     render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack)
     render(nftables_ct_file, 'conntrack/nftables-ct.tmpl', conntrack)
 
+    # dry-run newly generated configuration
+    tmp = run(f'nft -c -f {nftables_ct_file}')
+    if tmp > 0:
+        if os.path.exists(nftables_ct_file):
+            os.unlink(nftables_ct_file)
+        raise ConfigError('Configuration file errors encountered!')
+
     return None
 
 def find_nftables_ct_rule(rule):
-- 
cgit v1.2.3