conntrack: T6147: Enable conntrack when firewall state-policy is defined
* Move global state-policy smoketest to its own test, verify conntrack
sarthurdev committed Mar 20, 2024
1 parent a33aacf commit 62bda3b
Showing 2 changed files with 31 additions and 16 deletions.
31 changes: 21 additions & 10 deletions smoketest/scripts/cli/test_firewall.py
Expand Up @@ -598,14 +598,30 @@ def test_ipv6_dynamic_groups(self):

self.verify_nftables(nftables_search, 'ip6 vyos_filter')

def test_ipv4_state_and_status_rules(self):
name = 'smoketest-state'
interface = 'eth0'

def test_ipv4_global_state(self):
self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])

self.cli_commit()

nftables_search = [
['jump VYOS_STATE_POLICY'],
['chain VYOS_STATE_POLICY'],
['ct state established', 'accept'],
['ct state invalid', 'drop'],
['ct state related', 'accept']
]

self.verify_nftables(nftables_search, 'ip vyos_filter')

# Check conntrack is enabled from state-policy
self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')
self.verify_nftables_chain([['accept']], 'ip6 vyos_conntrack', 'FW_CONNTRACK')

def test_ipv4_state_and_status_rules(self):
name = 'smoketest-state'

self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established'])
Expand All @@ -632,12 +648,7 @@ def test_ipv4_state_and_status_rules(self):
['ct state new', 'ct status dnat', 'accept'],
['ct state { established, new }', 'ct status snat', 'accept'],
['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
['drop', f'comment "{name} default-action drop"'],
['jump VYOS_STATE_POLICY'],
['chain VYOS_STATE_POLICY'],
['ct state established', 'accept'],
['ct state invalid', 'drop'],
['ct state related', 'accept']
['drop', f'comment "{name} default-action drop"']
]

self.verify_nftables(nftables_search, 'ip vyos_filter')
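Review bot: With the global state-policy assertions moved out, `test_ipv4_state_and_status_rules` no longer checks that conntrack gets enabled at all, so the per-rule `state`/`connection-status` path (the branch that must still switch `FW_CONNTRACK` to accept when no global state-policy is set) has no conntrack assertion visible in this section. After the `self.verify_nftables(nftables_search, 'ip vyos_filter')` call, add `self.verify_nftables_chain([['accept']], 'ip vyos_conntrack', 'FW_CONNTRACK')`, mirroring what the new `test_ipv4_global_state` does. The method body may continue past the end of this section, so this could already be asserted further down. Separately, `test_ipv4_global_state` asserts both the `ip` and `ip6` conntrack chains, so a family-neutral name such as `test_global_state_policy` would describe it more accurately.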
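--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -185,12 +185,16 @@ def generate(conntrack):
     conntrack['ipv4_firewall_action'] = 'return'
     conntrack['ipv6_firewall_action'] = 'return'
 
-    for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
-        if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
-            if path[0] == 'ipv4':
-                conntrack['ipv4_firewall_action'] = 'accept'
-            elif path[0] == 'ipv6':
-                conntrack['ipv6_firewall_action'] = 'accept'
+    if dict_search_args(conntrack['firewall'], 'global_options', 'state_policy') != None:
+        conntrack['ipv4_firewall_action'] = 'accept'
+        conntrack['ipv6_firewall_action'] = 'accept'
+    else:
+        for rules, path in dict_search_recursive(conntrack['firewall'], 'rule'):
+            if any(('state' in rule_conf or 'connection_status' in rule_conf or 'offload_target' in rule_conf) for rule_conf in rules.values()):
+                if path[0] == 'ipv4':
+                    conntrack['ipv4_firewall_action'] = 'accept'
+                elif path[0] == 'ipv6':
+                    conntrack['ipv6_firewall_action'] = 'accept'
 
     render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack)
     render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack)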
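Review bot: The new guard compares against `None` with `!=`; per PEP 8 (E711) it should read `if dict_search_args(conntrack['firewall'], 'global_options', 'state_policy') is not None:`. The branch also deserves a why-comment, because it turns conntrack on for both address families regardless of which one actually carries rules, presumably since the `VYOS_STATE_POLICY` chain is jumped to from every base chain: `# A global state-policy matches ct state in every chain, so conntrack must be enabled for both IPv4 and IPv6`. The `else:` is only an optimisation (the loop could never change an action that is already `accept`), which is fine to keep but worth saying so a later reader does not hunt for a semantic difference. `generate()` starts before this hunk.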
