firewall: T7452: update rule generation for Zone-based firewall

David Vølker · David Vølker · commit ce3614fde23a · 2025-06-16T13:32:37.000+02:00
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
@@ -12,9 +12,7 @@
         oifname { {{ zone_conf.member.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
 {%         endif %}
 {%         if 'vrf' in zone_conf.member %}
-{%             for vrf_name in zone_conf.member.vrf %}
-        oifname { {{ zone_conf['vrf_interfaces'][vrf_name] }} } counter jump VZONE_{{ zone_name }}
-{%             endfor %}
+        oifname { {{ zone_conf.member.vrf | join(",") }} } counter jump VZONE_{{ zone_name }}
 {%         endif %}
 {%     endif %}
 {% endfor %}
@@ -69,10 +67,8 @@
         oifname { {{ zone[from_zone].member.interface | join(",") }} } counter return
 {%                 endif %}
 {%                 if 'vrf' in zone[from_zone].member %}
-{%                     for vrf_name in zone[from_zone].member.vrf %}
-        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
-        oifname { {{ zone[from_zone]['vrf_interfaces'][vrf_name] }} } counter return
-{%                     endfor %}
+        oifname { {{ zone[from_zone].member.vrf | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone].member.vrf | join(",") }} } counter return
 {%                 endif %}
 {%             endfor %}
 {%         endif %}
@@ -112,4 +108,4 @@
     }
 {%     endif %}
 {% endfor %}
-{% endmacro %}
+{% endmacro %}
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
@@ -1015,7 +1015,7 @@ def test_zone_with_vrf(self):
             ['chain VYOS_ZONE_FORWARD'],
             ['type filter hook forward priority filter + 1'],
             ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
-            ['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
             ['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
             ['chain VYOS_ZONE_LOCAL'],
@@ -1050,7 +1050,7 @@ def test_zone_with_vrf(self):
             ['chain VYOS_ZONE_FORWARD'],
             ['type filter hook forward priority filter + 1'],
             ['oifname { "eth1", "eth2" }', 'counter packets', 'jump VZONE_ZONE1'],
-            ['oifname "eth0"', 'counter packets', 'jump VZONE_ZONE1'],
+            ['oifname "VRF-1"', 'counter packets', 'jump VZONE_ZONE1'],
             ['oifname "vtun66"', 'counter packets', 'jump VZONE_ZONE2'],
             ['oifname "vti1"', 'counter packets', 'jump VZONE_ZONE2'],
             ['chain VYOS_ZONE_LOCAL'],
