Merge pull request #3234 from vyos/mergify/bp/sagitta/pr-3230

firewall: nat: policy: vrf: nft call syntax and import cleanup (backport #3230)
vyos · Apr 2, 2024 · 92be9ee · 92be9ee
2 parents 0cb2191 + 33b031c
commit 92be9ee
Show file tree

Hide file tree

Showing 11 changed files with 30 additions and 36 deletions.
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
@@ -66,7 +66,7 @@ def fqdn_config_parse(firewall):
         rule = path[4]
         suffix = path[5][0]
         set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
-            
+
         if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
             firewall['ip_fqdn'][set_name] = domain
         elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
@@ -85,7 +85,7 @@ def fqdn_resolve(fqdn, ipv6=False):
 
 def find_nftables_rule(table, chain, rule_matches=[]):
     # Find rule in table/chain that matches all criteria and return the handle
-    results = cmd(f'sudo nft -a list chain {table} {chain}').split("\n")
+    results = cmd(f'sudo nft --handle list chain {table} {chain}').split("\n")
     for line in results:
         if all(rule_match in line for rule_match in rule_matches):
             handle_search = re.search('handle (\d+)', line)
@@ -655,7 +655,7 @@ def geoip_update(firewall, force=False):
             'ipv6_sets': ipv6_sets
         })
 
-        result = run(f'nft -f {nftables_geoip_conf}')
+        result = run(f'nft --file {nftables_geoip_conf}')
         if result != 0:
             print('Error: GeoIP failed to update firewall')
             return False

diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
@@ -400,7 +400,7 @@ def _set_vrf_ct_zone(self, vrf):
         else:
             nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}'
             # Check if deleting is possible first to avoid raising errors
-            _, err = self._popen(f'nft -c {nft_del_element}')
+            _, err = self._popen(f'nft --check {nft_del_element}')
             if not err:
                 # Remove map element
                 self._cmd(f'nft {nft_del_element}')

diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -18,7 +18,6 @@
 import re
 
 from glob import glob
-from json import loads
 from sys import exit
 
 from vyos.base import Warning
@@ -31,11 +30,9 @@
 from vyos.firewall import fqdn_config_parse
 from vyos.firewall import geoip_update
 from vyos.template import render
-from vyos.utils.process import call
-from vyos.utils.process import cmd
 from vyos.utils.dict import dict_search_args
 from vyos.utils.dict import dict_search_recursive
-from vyos.utils.process import process_named_running
+from vyos.utils.process import call
 from vyos.utils.process import rc_cmd
 from vyos import ConfigError
 from vyos import airbag
@@ -491,7 +488,7 @@ def apply_sysfs(firewall):
                     f.write(value)
 
 def apply(firewall):
-    install_result, output = rc_cmd(f'nft -f {nftables_conf}')
+    install_result, output = rc_cmd(f'nft --file {nftables_conf}')
     if install_result == 1:
         raise ConfigError(f'Failed to apply firewall: {output}')
 

diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
@@ -223,19 +223,19 @@ def generate(nat):
     render(nftables_static_nat_conf, 'firewall/nftables-static-nat.j2', nat)
 
     # dry-run newly generated configuration
-    tmp = run(f'nft -c -f {nftables_nat_config}')
+    tmp = run(f'nft --check --file {nftables_nat_config}')
     if tmp > 0:
         raise ConfigError('Configuration file errors encountered!')
 
-    tmp = run(f'nft -c -f {nftables_static_nat_conf}')
+    tmp = run(f'nft --check --file {nftables_static_nat_conf}')
     if tmp > 0:
         raise ConfigError('Configuration file errors encountered!')
 
     return None
 
 def apply(nat):
-    cmd(f'nft -f {nftables_nat_config}')
-    cmd(f'nft -f {nftables_static_nat_conf}')
+    cmd(f'nft --file {nftables_nat_config}')
+    cmd(f'nft --file {nftables_static_nat_conf}')
 
     if not nat or 'deleted' in nat:
         os.unlink(nftables_nat_config)

diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2023 VyOS maintainers and contributors
+# Copyright (C) 2020-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -14,8 +14,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import jmespath
-import json
 import os
 
 from sys import exit
@@ -106,7 +104,7 @@ def apply(nat):
     if not nat:
         return None
 
-    cmd(f'nft -f {nftables_nat66_config}')
+    cmd(f'nft --file {nftables_nat66_config}')
     call_dependents()
 
     return None

diff --git a/src/conf_mode/policy_route.py b/src/conf_mode/policy_route.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -177,7 +177,7 @@ def cleanup_table_marks():
                 cmd(f'{cmd_str} rule del fwmark {fwmark} table {table}')
 
 def apply(policy):
-    install_result = run(f'nft -f {nftables_conf}')
+    install_result = run(f'nft --file {nftables_conf}')
     if install_result == 1:
         raise ConfigError('Failed to apply policy based routing')
 

diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -93,7 +93,7 @@ def generate(nhrp):
     return None
 
 def apply(nhrp):
-    nft_rc = run(f'nft -f {nhrp_nftables_conf}')
+    nft_rc = run(f'nft --file {nhrp_nftables_conf}')
     if nft_rc != 0:
         raise ConfigError('Failed to apply NHRP tunnel firewall rules')
 

diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,19 +15,16 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
-import re
 
 from sys import exit
 
 from vyos.config import Config
 from vyos.configdep import set_dependents, call_dependents
-from vyos.utils.process import process_named_running
 from vyos.utils.dict import dict_search
 from vyos.utils.dict import dict_search_args
 from vyos.utils.dict import dict_search_recursive
 from vyos.utils.process import cmd
 from vyos.utils.process import rc_cmd
-from vyos.utils.process import run
 from vyos.template import render
 from vyos import ConfigError
 from vyos import airbag
@@ -218,7 +215,7 @@ def apply(conntrack):
         cmd(f'modprobe -a {module_str}')
 
     # Load new nftables ruleset
-    install_result, output = rc_cmd(f'nft -f {nftables_ct_file}')
+    install_result, output = rc_cmd(f'nft --file {nftables_ct_file}')
     if install_result == 1:
         raise ConfigError(f'Failed to apply configuration: {output}')
 

diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
@@ -14,8 +14,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import os
-
 from sys import exit
 from json import loads
 
@@ -33,6 +31,7 @@
 from vyos.utils.network import interface_exists
 from vyos.utils.process import call
 from vyos.utils.process import cmd
+from vyos.utils.process import popen
 from vyos.utils.system import sysctl_write
 from vyos import ConfigError
 from vyos import frr
@@ -227,7 +226,11 @@ def apply(vrf):
 
             # Remove nftables conntrack zone map item
             nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{tmp}" }}'
-            cmd(f'nft {nft_del_element}')
+            # Check if deleting is possible first to avoid raising errors
+            _, err = popen(f'nft --check {nft_del_element}')
+            if not err:
+                # Remove map element
+                cmd(f'nft {nft_del_element}')
 
             # Delete the VRF Kernel interface
             call(f'ip link delete dev {tmp}')
@@ -307,7 +310,7 @@ def apply(vrf):
         if vrf['conntrack']:
             for chain, rule in nftables_rules.items():
                 cmd(f'nft add rule inet vrf_zones {chain} {rule}')
-    
+
     if 'name' not in vrf or not vrf['conntrack']:
         for chain, rule in nftables_rules.items():
             cmd(f'nft flush chain inet vrf_zones {chain}')

diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2022-2023 VyOS maintainers and contributors
+# Copyright (C) 2022-2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -15,7 +15,6 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import json
-import os
 import time
 
 from vyos.configdict import dict_merge
@@ -93,7 +92,7 @@ def nft_output(table, set_name, ip_list):
 def nft_valid_sets():
     try:
         valid_sets = []
-        sets_json = cmd('nft -j list sets')
+        sets_json = cmd('nft --json list sets')
         sets_obj = json.loads(sets_json)
 
         for obj in sets_obj['nftables']:
@@ -153,7 +152,7 @@ def update(firewall):
         count += 1
 
     nft_conf_str = "\n".join(conf_lines) + "\n"
-    code = run(f'nft -f -', input=nft_conf_str)
+    code = run(f'nft --file -', input=nft_conf_str)
 
     print(f'Updated {count} sets - result: {code}')
 

diff --git a/src/init/vyos-router b/src/init/vyos-router
@@ -367,7 +367,7 @@ start ()
     nfct helper add rpc inet6 tcp
     nfct helper add rpc inet6 udp
     nfct helper add tns inet6 tcp
-    nft -f /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
+    nft --file /usr/share/vyos/vyos-firewall-init.conf || log_failure_msg "could not initiate firewall rules"
 
     # As VyOS does not execute commands that are not present in the CLI we call
     # the script by hand to have a single source for the login banner and MOTD