
Commit 6587714

author
Capirca Team
committed
nftables: Add support for representing ACLs in nftables as regular chains.
PiperOrigin-RevId: 667514971
1 parent 0d98688 commit 6587714


2 files changed

+18
-11
lines changed


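--- a/capirca/lib/nftables.py
+++ b/capirca/lib/nftables.py
@@ -707,7 +707,8 @@ def _TranslatePolicy(self, pol, exp_info):
 filter_policy_default_action,
 verbose,
 base_chain_name,
-table_name
+table_name,
+as_regular_chain,
 ) = self._ProcessHeader(filter_options)
 
 # Base chain determine name based on iteration of header.
@@ -767,7 +768,8 @@ def _TranslatePolicy(self, pol, exp_info):
 pol_counter += 1
 self.nftables_policies.append(
 (header, base_chain_name, nf_af, nf_hook, nf_priority,
-filter_policy_default_action, verbose, child_chains, table_name))
+filter_policy_default_action, verbose,
+child_chains, table_name, as_regular_chain))
 
 def _ProcessHeader(self, header_options):
 """Capirca policy header processing.
@@ -824,6 +826,7 @@ def _ProcessHeader(self, header_options):
 base_chain_name = option.split('=')[1].strip()
 if option.startswith('table_name='):
 table_name = option.split('=')[1].strip()
+as_regular_chain = True if 'as_regular_chain' in header_options else False
 return (
 netfilter_family,
 netfilter_hook,
@@ -832,6 +835,7 @@ def _ProcessHeader(self, header_options):
 verbose,
 base_chain_name,
 table_name,
+as_regular_chain,
 )
 
 def _ConfigurationDictionary(self, nft_pol):
@@ -857,6 +861,7 @@ def _ConfigurationDictionary(self, nft_pol):
 verbose,
 child_chains,
 table_name,
+as_regular_chain,
 ) in nft_pol:
 base_chain_comment = ''
 # TODO: If child_chain ruleset is empty don't store term.
@@ -870,6 +875,7 @@ def _ConfigurationDictionary(self, nft_pol):
 'priority': nf_priority,
 'policy': filter_policy_default_action,
 'rules': child_chains,
+'as_regular_chain': as_regular_chain,
 }
 return nftables
 
@@ -898,12 +904,13 @@ def __str__(self):
 # First time we comment it out so .nft file is human-readable.
 nft_config.append(
 TabSpacer(8, '#' + ' '.join(base_chain_dict[item]['comment'])))
-nft_config.append(
-TabSpacer(
-8, 'type filter hook %s priority %s; policy %s;' %
-(base_chain_dict[item]['hook'],
-base_chain_dict[item]['priority'],
-base_chain_dict[item]['policy'])))
+if not base_chain_dict[item]['as_regular_chain']:
+nft_config.append(
+TabSpacer(
+8, 'type filter hook %s priority %s; policy %s;' %
+(base_chain_dict[item]['hook'],
+base_chain_dict[item]['priority'],
+base_chain_dict[item]['policy'])))
 # Add policy header comment after stateful firewall rule.
 if base_chain_dict[item]['comment']:
 nft_config.append(TabSpacer(8, 'ct state established,related accept'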
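Review bot: When `as_regular_chain` is set, the `type filter hook %s priority %s; policy %s;` line is skipped, so the header's hook, priority and `filter_policy_default_action` are still parsed and stored in the dictionary but never reach the emitted ruleset — a header that asks for a `drop` default policy together with `as_regular_chain` produces a chain with no policy at all, which only has effect if some base chain jumps to it. That is a silent fail-open relative to what the operator wrote; `_ProcessHeader` should reject, or at least log, an explicit default action combined with `as_regular_chain`, and its docstring should state that a regular chain carries no hook, priority or policy and must be referenced from a base chain. `__str__` starts before this hunk and continues after it, so I cannot see whether any base chain emits a `jump` to the regular chain. Separately, `True if 'as_regular_chain' in header_options else False` is just `'as_regular_chain' in header_options`.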

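--- a/tests/lib/nftables_test.py
+++ b/tests/lib/nftables_test.py
@@ -593,7 +593,7 @@ def testBadHeader(self, case):
 def testVerboseHeader(self, header_to_use, expected_output):
 pol = policy.ParsePolicy(header_to_use + GOOD_TERM_1, self.naming)
 data = nftables.Nftables(pol, EXP_INFO)
-for _, _, _, _, _, _, verbose, _, _ in data.nftables_policies:
+for _, _, _, _, _, _, verbose, _, _, _ in data.nftables_policies:
 result = verbose
 self.assertEqual(result, expected_output)
 
@@ -667,7 +667,7 @@ def testOverridePolicyHeader(self):
 HEAD_OVERRIDE_DEFAULT_ACTION + GOOD_TERM_1, self.naming
 )
 data = nftables.Nftables(pol, EXP_INFO)
-for _, _, _, _, _, default_policy, _, _, _ in data.nftables_policies:
+for _, _, _, _, _, default_policy, _, _, _, _ in data.nftables_policies:
 result = default_policy
 self.assertEqual(result, expected_output)
 
@@ -887,7 +887,7 @@ def testRulesetGeneratorAF(self, policy_data: str, expected_inet: str):
 )
 for header, terms in nft.policy.filters:
 filter_options = header.FilterOptions('nftables')
-nf_af, nf_hook, _, _, verbose, _, _ = nft._ProcessHeader(filter_options)
+nf_af, nf_hook, _, _, verbose, _, _, _ = nft._ProcessHeader(filter_options)
 for term in terms:
 term_object = nftables.Term(term, nf_af, nf_hook, verbose)
 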
