
Commit cd24e4b

author
David Vølker
committed
firewall: T7452: update rule generation for Zone-based firewall
1 parent 22c6a81 commit cd24e4b

2 files changed

+9
-13
lines changed


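--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -12,9 +12,7 @@
 oifname { {{ zone_conf.member.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% if 'vrf' in zone_conf.member %}
-{% for vrf_name in zone_conf.member.vrf %}
-oifname { {{ zone_conf['vrf_interfaces'][vrf_name] }} } counter jump VZONE_{{ zone_name }}
-{% endfor %}
+oifname { {{ zone_conf.member.vrf | join(",") }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% endif %}
 {% endfor %}
@@ -69,10 +67,8 @@
 oifname { {{ zone[from_zone].member.interface | join(",") }} } counter return
 {% endif %}
 {% if 'vrf' in zone[from_zone].member %}
-{% for vrf_name in zone[from_zone].member.vrf %}
-oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
-oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] }} } counter return
-{% endfor %}
+oifname { {{ zone[from_zone].member.vrf | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+oifname { {{ zone[from_zone].member.vrf | join(",") }} } counter return
 {% endif %}
 {% endfor %}
 {% endif %}
@@ -112,4 +108,4 @@
 }
 {% endif %}
 {% endfor %}
-{% endmacro %}
+{% endmacro %}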
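Review bot: The rewritten `oifname { {{ zone_conf.member.vrf | join(",") }} }` line at new line 15 (and the matching pair at new lines 70–71 in the second hunk) now matches on the VRF device name itself instead of the interfaces enslaved to it, so the `vrf_interfaces` mapping the removed loops read is no longer consumed anywhere in this template; if the conf-mode script that renders it still builds that key, it is now dead data and should be dropped in a follow-up so the two sides do not drift. Because a reader of the rendered ruleset will see `oifname "VRF-1"` and may expect the member interfaces, the new semantics deserve a template comment above the first VRF line, e.g. `{# VRF zone members match on the VRF device name, not on the interfaces enslaved to it #}`. The VRF names are emitted unquoted inside the set, like the interface names on the line above, which relies on every configured VRF name being a valid bare nft string — true for the `VRF-1`/`VRF-2` names the smoketest uses, but worth confirming against the VRF-name validator. The enclosing macro starts outside these hunks.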

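--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1021,9 +1021,9 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
-['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
-['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
+['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
 ['counter packets', 'jump VZONE_LOCAL_IN'],
@@ -1056,9 +1056,9 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
-['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
-['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
+['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
 ['counter packets', 'jump VZONE_LOCAL_IN'],
@@ -1069,7 +1069,7 @@ def test_zone_with_vrf(self):
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_LOCAL_OUT'],
 ['oifname "vtun66"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
-['oifname "vti1"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
+['oifname "VRF-2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_ZONE1'],
 ['iifname { "eth1", "eth2" }', 'counter packets', 'return'],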
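Review bot: The forward-chain expectations updated at 1024/1026 and again at 1059/1061 are byte-identical blocks that appear twice in `test_zone_with_vrf`, so every template change has to be applied in lockstep in both places; hoisting the shared `VYOS_ZONE_FORWARD` expectation lines into one local list before the two comparisons would remove that duplication. The hunks only assert that the new `oifname "VRF-1"` / `oifname "VRF-2"` rules are present — nothing checks that the old member-interface rules (`oifname "eth0"`, `oifname "vti1"`) are gone, so if the verification helper checks presence only, as the list-of-substrings shape suggests, a regression that emitted both forms would still pass. `test_zone_with_vrf` starts and ends outside these hunks.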
