
Commit 0a7b633

committed
firewall: T8761: Reintroduce VRF-interface names in generated firewall config
1 parent 6fa4967 commit 0a7b633

3 files changed

Lines changed: 19 additions & 4 deletions


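--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -12,6 +12,9 @@
 oifname { {{ zone_conf.member.interface | quoted_join(',') }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% if 'vrf' in zone_conf.member %}
+{% for vrf_name in zone_conf.member.vrf %}
+oifname { {{ zone_conf['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
+{% endfor %}
 oifname { {{ zone_conf.member.vrf | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% endif %}
@@ -71,6 +74,10 @@
 oifname { {{ zone[from_zone].member.interface | quoted_join(",") }} } counter return
 {% endif %}
 {% if 'vrf' in zone[from_zone].member %}
+{% for vrf_name in zone[from_zone].member.vrf %}
+oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter return
+{% endfor %}
 oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
 oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter return
 {% endif %}
@@ -84,10 +91,12 @@
 {% endif %}
 {% if 'vrf' in zone[from_zone].member %}
 {% for vrf_name in zone[from_zone].member.vrf %}
-oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter jump NAME{{ suffix }}_{{ from_conf[fw_name] }}
-oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter return
+oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf[fw_name] }}
+oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] | quoted_join(",") }} } counter return
 {% endfor %}
 {% endif %}
+oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter return
 {% endfor %}
 {% endif %}
 {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}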
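Review bot: The two rules added after the `{% endif %}` in the third hunk (new lines 98–99) build the jump target as `NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}`, while the rules three lines above them in the same loop body (new lines 94–95) use `NAME{{ suffix }}_{{ from_conf[fw_name] }}`; the `{% for from_zone, from_conf … %}` header that defines the shape of `from_conf` is outside the hunk, so only one of the two spellings can be right for this block, and the other renders an undefined value into the chain name. The second hunk uses `from_conf.firewall[fw_name]` throughout, which suggests 98–99 were copied from there rather than adapted; whichever form the loop header supports, all four lines in this body should use it. A wrong lookup should surface as a failed nft ruleset load (jump to a non-existent chain) rather than a silently permissive rule, but it still takes the whole firewall commit down. Separately, every `oifname { {{ …['vrf_interfaces'][vrf_name] | quoted_join(",") }} }` renders as `oifname { }` if a member VRF has no interfaces assigned at render time, which nft rejects as a syntax error; if the helper that fills `vrf_interfaces` can return an empty list, wrap each of those rules in `{% if zone_conf['vrf_interfaces'][vrf_name] %}` … `{% endif %}` (and the `zone[from_zone]` equivalents).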

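--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1143,7 +1143,8 @@ def test_zone_with_vrf(self):
 self.cli_set(['vrf', 'name', 'VRF-1', 'table', '101'])
 self.cli_set(['vrf', 'name', 'VRF-2', 'table', '102'])
 self.cli_set(['interfaces', 'ethernet', 'eth0', 'vrf', 'VRF-1'])
-self.cli_set(['interfaces', 'vti', 'vti1', 'vrf', 'VRF-2'])
+self.cli_set(['interfaces', 'vti', 'vti1', 'vrf', 'VRF-1'])
+self.cli_set(['interfaces', 'vti', 'vti2', 'vrf', 'VRF-2'])
 
 self.cli_commit()
 
@@ -1155,8 +1156,10 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
+['oifname { "eth0", "vti1" }', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
+['oifname "vti2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
@@ -1190,8 +1193,10 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
+['oifname { "eth0", "vti1" }', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
+['oifname "vti2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
@@ -1203,6 +1208,7 @@ def test_zone_with_vrf(self):
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_LOCAL_OUT'],
 ['oifname "vtun66"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
+['oifname "vti2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
 ['oifname "VRF-2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_ZONE1'],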
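Review bot: The new expectation `['oifname { "eth0", "vti1" }', 'counter packets', 'jump VZONE_ZONE1']` (lines 1159 and 1196) pins the element order of the rendered set, so the test is only stable if the helper that lists VRF members returns interfaces in a deterministic order; if it reads them from the config or the kernel in arbitrary order, this assertion will flake on `{ "vti1", "eth0" }` and either the helper should sort or the test should accept both orders. The test also moves `vti1` from VRF-2 to VRF-1 but adds only positive checks; nothing asserts that no `jump VZONE_ZONE2` or `jump NAME6_LOCAL_to_ZONE2_v6` line still matches `vti1`, which is exactly the stale-membership case a zone firewall must not have, so a negative assertion on the rendered ruleset would make the regression this commit fixes observable. `test_zone_with_vrf` starts before the first hunk and the surrounding ruleset check is not visible here, so the matching semantics are assumed to be substring-based.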

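--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -138,7 +138,7 @@ def get_config(config=None):
 if 'vrf' in local_zone_member:
 local_zone_conf['vrf_interfaces'] = {}
 for vrf_name in local_zone_member['vrf']:
-local_zone_conf['vrf_interfaces'][vrf_name] = ','.join(get_vrf_members(vrf_name))
+local_zone_conf['vrf_interfaces'][vrf_name] = get_vrf_members(vrf_name)
 continue
 
 local_zone_conf['from_local'] = {}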
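Review bot: `local_zone_conf['vrf_interfaces'][vrf_name]` now holds whatever `get_vrf_members(vrf_name)` returns and is rendered by the template straight into an nft anonymous set, so an empty list (a VRF that exists but has no interface assigned to it yet, which is a valid intermediate state in the smoketest's own `cli_set` sequence) would produce `oifname { }` and make nft reject the ruleset; if the helper can return an empty list, either filter here — `members = get_vrf_members(vrf_name)` / `if members: local_zone_conf['vrf_interfaces'][vrf_name] = members` together with a matching `{% if … %}` guard in the template, or keep the entry and guard in the template alone. The value's type changed from a comma-joined string to a list, and `get_config` continues outside the hunk; any other consumer of `vrf_interfaces` (the non-local zone path, if it builds the same key) must be given the same list shape or one of the two will render incorrectly. A short comment such as `# vrf name -> list of member interface names; the template renders this as an nft set, so it must not be empty` would document the new contract for the next reader.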
