diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 66f7e0b1c6..5a2b8912e2 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -12,9 +12,7 @@
 oifname { {{ zone_conf.member.interface | quoted_join(',') }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% if 'vrf' in zone_conf.member %}
-{% for vrf_name in zone_conf.member.vrf %}
- oifname { "{{ zone_conf['vrf_interfaces'][vrf_name] }}" } counter jump VZONE_{{ zone_name }}
-{% endfor %}
+ oifname { {{ zone_conf.member.vrf | quoted_join(",") }} } counter jump VZONE_{{ zone_name }}
 {% endif %}
 {% endif %}
 {% endfor %}
@@ -69,10 +67,8 @@
 oifname { {{ zone[from_zone].member.interface | quoted_join(",") }} } counter return
 {% endif %}
 {% if 'vrf' in zone[from_zone].member %}
-{% for vrf_name in zone[from_zone].member.vrf %}
- oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
- oifname { "{{ zone[from_zone]['vrf_interfaces'][vrf_name] }}" } counter return
-{% endfor %}
+ oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+ oifname { {{ zone[from_zone].member.vrf | quoted_join(",") }} } counter return
 {% endif %}
 {% endfor %}
 {% endif %}
@@ -112,4 +108,4 @@
 }
 {% endif %}
 {% endfor %}
-{% endmacro %}
\ No newline at end of file
+{% endmacro %}
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 455c704d0f..2e8b4af103 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
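Review bot: In nftables-zone.j2 the new `oifname { {{ zone_conf.member.vrf | quoted_join(",") }} }` rule in hunk `@@ -12,9 +12,7 @@`, and the two equivalent lines in `@@ -69,10 +67,8 @@`, match on the configured VRF names instead of the `vrf_interfaces` lookup, and nothing in the template records why. This is a firewall enforcement point: a packet whose output interface name is not in the set skips the `VZONE_` jump, so the intended match target should be stated next to the rule, e.g. `{# zone VRF members are matched by VRF device name, not by the interfaces assigned to the VRF #}`. The new line also uses `quoted_join(",")` while the interface rule directly above it uses `quoted_join(',')`; one quoting style would keep the two rules visibly parallel. The enclosing `{% for %}` loops and the macro start outside both hunks, so whether the corresponding `iifname` rules for VRF members were changed the same way cannot be checked from here.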
@@ -401,9 +401,9 @@ def test_ipv4_mask(self):
 self.cli_commit()
 nftables_search = [
- [f'daddr & 0.0.255.255 == 0.0.1.2'],
- [f'saddr & 0.0.255.255 != 0.0.3.4'],
- [f'saddr & 0.0.255.255 == @A_mask_group']
+ ['daddr & 0.0.255.255 == 0.0.1.2'],
+ ['saddr & 0.0.255.255 != 0.0.3.4'],
+ ['saddr & 0.0.255.255 == @A_mask_group']
 ]
 self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -1021,9 +1021,9 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
- ['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+ ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
- ['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
+ ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
 ['counter packets', 'jump VZONE_LOCAL_IN'],
@@ -1056,9 +1056,9 @@ def test_zone_with_vrf(self):
 ['chain VYOS_ZONE_FORWARD'],
 ['type filter hook forward priority filter + 1'],
 ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
- ['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+ ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
 ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
- ['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
+ ['oifname "VRF-2"', 'counter packets', 'jump VZONE_ZONE2'],
 ['chain VYOS_ZONE_LOCAL'],
 ['type filter hook input priority filter + 1'],
 ['counter packets', 'jump VZONE_LOCAL_IN'],
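Review bot: The updated expectations in `test_zone_with_vrf` (hunks `@@ -1021,9 +1021,9 @@`, `@@ -1056,9 +1056,9 @@` and `@@ -1069,7 +1069,7 @@`) only assert that `oifname "VRF-1"` and `oifname "VRF-2"` are present; nothing checks that the former member-interface rules (`oifname "eth0"`, `oifname "vti1"`) are no longer rendered. A template regression that emitted both forms would still pass and leave the zone matching wider than configured, so a negative assertion for those two names is worth adding if the `verify_nftables` helper can express one. The hunks show only `oifname` expectations changing; whether the test covers the `iifname` side for VRF members is not visible here, and the test body extends beyond every hunk. A short comment above the list, such as `# VRF zone members are matched by VRF device name, not by the interfaces in the VRF`, would explain why the expected names changed.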
@@ -1069,7 +1069,7 @@ def test_zone_with_vrf(self):
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_LOCAL_OUT'],
 ['oifname "vtun66"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
- ['oifname "vti1"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
+ ['oifname "VRF-2"', 'counter packets', 'jump NAME6_LOCAL_to_ZONE2_v6'],
 ['counter packets', 'drop', 'comment "zone_LOCAL default-action drop"'],
 ['chain VZONE_ZONE1'],
 ['iifname { "eth1", "eth2" }', 'counter packets', 'return'],