
T5333: Set prefix UD for PBR generated user-defined chain names
We cannot use some specific names like POSTROUTING/PREROUTING
for PBR, as they overlap with VyOS-defined chains.
Chains autoconfigured by VyOS itself:
  chain VYOS_PBR_PREROUTING
  chain VYOS_PBR_POSTROUTING

If we try to use chain name "POSTROUTING" it generates 2 chains
with the same name "chain VYOS_PBR_POSTROUTING" one is
autoconfigured and the second defined by user

  set policy route POSTROUTING rule 100

Add the user-defined (UD) prefix to separate user defined names
That allows to use any user-defined names
sever-sever committed Jul 3, 2023
1 parent 4599a9e commit 5cf5039
Showing 2 changed files with 12 additions and 12 deletions.
8 changes: 4 additions & 4 deletions data/templates/firewall/nftables-policy.j2
Expand Up @@ -11,7 +11,7 @@ table ip vyos_mangle {
type filter hook prerouting priority -150; policy accept;
{% if route is vyos_defined %}
{% for route_text, conf in route.items() if conf.interface is vyos_defined %}
iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_{{ route_text }}
iifname { {{ conf.interface | join(",") }} } counter jump VYOS_PBR_UD_{{ route_text }}
{% endfor %}
{% endif %}
}
Expand All @@ -22,7 +22,7 @@ table ip vyos_mangle {

{% if route is vyos_defined %}
{% for route_text, conf in route.items() %}
chain VYOS_PBR_{{ route_text }} {
chain VYOS_PBR_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
Expand All @@ -40,7 +40,7 @@ table ip6 vyos_mangle {
type filter hook prerouting priority -150; policy accept;
{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() if conf.interface is vyos_defined %}
iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }}
iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_UD_{{ route_text }}
{% endfor %}
{% endif %}
}
Expand All @@ -51,7 +51,7 @@ table ip6 vyos_mangle {

{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() %}
chain VYOS_PBR6_{{ route_text }} {
chain VYOS_PBR6_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }}
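Review bot: The `UD_` prefix on the jump and chain lines in all four hunks is load-bearing but undocumented; nothing in the template says why user policies must not share the `VYOS_PBR_` namespace with the chains VyOS generates itself, so a later cleanup could drop it and reintroduce the duplicate-chain problem from the description. Add a Jinja comment ahead of the first `chain VYOS_PBR_UD_{{ route_text }} {` line, e.g. `{# UD_ = user-defined: keeps CLI policy names such as POSTROUTING from colliding with the VYOS_PBR_PREROUTING/POSTROUTING chains VyOS autoconfigures #}`, and the same in the ip6 table. Note too that the prefix only removes the collision with VyOS's own chain names; `route_text` still lands unescaped in an nft identifier, so the CLI-side validation of policy names remains what keeps the generated ruleset well-formed, and it is worth confirming it rejects characters nft would not accept in a chain name. Minor style point: the ip hunk builds the interface list with the `join(",")` filter while the ip6 hunk uses `",".join(conf.interface)`; the new lines carry both forms forward, and one idiom would read better. The enclosing chain definitions begin before each hunk, and the chain blocks run past the hunk end.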
16 changes: 8 additions & 8 deletions smoketest/scripts/cli/test_policy_route.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2022 VyOS maintainers and contributors
# Copyright (C) 2021-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
Expand Down Expand Up @@ -100,7 +100,7 @@ def test_pbr_group(self):
self.cli_commit()

nftables_search = [
[f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
[f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],
['ip daddr @N_smoketest_network1', 'ip saddr @N_smoketest_network'],
]

Expand All @@ -119,7 +119,7 @@ def test_pbr_mark(self):
mark_hex = "{0:#010x}".format(int(mark))

nftables_search = [
[f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
[f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],
['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'meta mark set ' + mark_hex],
]

Expand All @@ -138,7 +138,7 @@ def test_pbr_mark_connection(self):
mark_hex_set = "{0:#010x}".format(int(conn_mark_set))

nftables_search = [
[f'iifname "{interface}"','jump VYOS_PBR_smoketest'],
[f'iifname "{interface}"','jump VYOS_PBR_UD_smoketest'],
['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'ct mark ' + mark_hex, 'ct mark set ' + mark_hex_set],
]

Expand All @@ -164,7 +164,7 @@ def test_pbr_table(self):
# IPv4

nftables_search = [
[f'iifname "{interface}"', 'jump VYOS_PBR_smoketest'],
[f'iifname "{interface}"', 'jump VYOS_PBR_UD_smoketest'],
['tcp flags syn / syn,ack', 'tcp dport 8888', 'meta mark set ' + mark_hex]
]

Expand All @@ -173,7 +173,7 @@ def test_pbr_table(self):
# IPv6

nftables6_search = [
[f'iifname "{interface}"', 'jump VYOS_PBR6_smoketest'],
[f'iifname "{interface}"', 'jump VYOS_PBR6_UD_smoketest'],
['meta l4proto { tcp, udp }', 'th dport 8888', 'meta mark set ' + mark_hex]
]

Expand Down Expand Up @@ -246,7 +246,7 @@ def test_pbr_matching_criteria(self):

# IPv4
nftables_search = [
['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_smoketest'],
['iifname { "' + interface + '", "' + interface_wc + '" }', 'jump VYOS_PBR_UD_smoketest'],
['meta l4proto udp', 'drop'],
['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
['ct state new', 'tcp dport 22', 'ip saddr 198.51.100.0/24', 'ip ttl > 2', 'meta mark set ' + mark_hex],
Expand All @@ -258,7 +258,7 @@ def test_pbr_matching_criteria(self):

# IPv6
nftables6_search = [
[f'iifname "{interface_wc}"', 'jump VYOS_PBR6_smoketest'],
[f'iifname "{interface_wc}"', 'jump VYOS_PBR6_UD_smoketest'],
['meta l4proto udp', 'drop'],
['tcp flags syn / syn,ack', 'meta mark set ' + mark_hex],
['ct state new', 'tcp dport 22', 'ip6 saddr 2001:db8::/64', 'ip6 hoplimit > 2', 'meta mark set ' + mark_hex],
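Review bot: None of the updated assertions exercises the case the commit exists for — a policy named like one of the VyOS-autoconfigured chains — since every search in the hunks at `test_pbr_group`, `test_pbr_mark`, `test_pbr_mark_connection`, `test_pbr_table` and `test_pbr_matching_criteria` still uses the name `smoketest`, which never collided in the first place. Add a regression test that configures a policy route named POSTROUTING (the example from the description), commits, and asserts on `['jump VYOS_PBR_UD_POSTROUTING']` plus the presence of both `chain VYOS_PBR_POSTROUTING` and `chain VYOS_PBR_UD_POSTROUTING` in the resulting ruleset, so a future regression to the unprefixed name fails loudly instead of silently producing a duplicate chain. An ip6 variant named PREROUTING would cover the second table the same way. Each hunk sits inside a test method whose body starts and ends outside the hunk.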
