From d83605dca8fdf5c11b113616135fdb77c63ade5f Mon Sep 17 00:00:00 2001
From: nd
Date: Sat, 25 Sep 2021 15:58:57 +0200
Subject: [PATCH] move rule merging to python plugin

---
 filter_plugins/filters.py  | 24 ++++++++++++++++++++++++
 templates/nftables.conf.j2 | 13 ++-----------
 2 files changed, 26 insertions(+), 11 deletions(-)
 create mode 100755 filter_plugins/filters.py

diff --git a/filter_plugins/filters.py b/filter_plugins/filters.py
new file mode 100755
index 0000000..fdf1bcb
--- /dev/null
+++ b/filter_plugins/filters.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+import collections
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'expand_nft_rules': self.expand_nft_rules
+        }
+
+    def expand_nft_rules(self, input_rules, rule_defaults):
+        rules = []
+        for rule_name in input_rules:
+            rule = {
+                'name': rule_name,
+                'comment': rule_name,
+            }
+            for override in rule_defaults:
+                rule.update(override)
+            if not isinstance(input_rules[rule_name], collections.Mapping):
+                rule['matches'] = input_rules[rule_name]
+            else:
+                rule.update(input_rules[rule_name])
+            rules.append(rule)
+        return rules
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index b55fb20..2e5d46a 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
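Review bot: `collections.Mapping` in the `isinstance` check of `expand_nft_rules` is the deprecated alias that Python 3.10 removed, so on a current interpreter the filter raises `AttributeError` for every chain and no firewall config renders; use `from collections.abc import Mapping` and `if not isinstance(input_rules[rule_name], Mapping):`. The merge semantics also change: the removed template code combined defaults with `recursive=True`, whereas `rule.update(override)` and `rule.update(input_rules[rule_name])` are shallow, so any nested default mapping is replaced rather than merged — the same concern applies to the nftables.conf.j2 hunk that now calls this filter. The defaults are now applied after `'name'`/`'comment'` are set, so a `comment` key in either defaults mapping would overwrite the per-rule comment, which the old ordering (`{'comment': i}` after the defaults) prevented. A short docstring on `expand_nft_rules` stating the precedence (each entry of `rule_defaults` in order, then the rule's own mapping, with a non-mapping value stored under `matches`) would make this contract explicit for template authors.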
@@ -6,17 +6,8 @@ {% endmacro %} {%- macro nftchain(name) -%} - {% set chain_rules = [] %} - {% for i in firewall.chains[name] %} - {% if not firewall.chains[name][i] is mapping %} - {% set tmprule = { 'matches': firewall.chains[name][i] }%} - {% else %} - {% set tmprule = firewall.chains[name][i] %} - {% endif%} - {% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }} - {% endfor %} - {% for rule in chain_rules|sort(attribute='priority') %} - {{ nftrule(rule) }} + {% for rule in firewall.chains[name]|expand_nft_rules([firewall.defaults.all, firewall.defaults[name]])|sort(attribute='priority') %} + {{ nftrule(rule) }} {% endfor %} {% endmacro%}