From 72cfb8a2fb9e9a2eb5f2c0365d1034265957d870 Mon Sep 17 00:00:00 2001
From: sskaje
Date: Sun, 9 Feb 2025 13:31:22 +0800
Subject: [PATCH] T7147: Simple op command for nat & policy, not for firewall and conntract

---
 .../update-firewall-groups.xml.in | 13 +++++
 python/vyos/firewall.py | 21 ++++++++
 src/helpers/firewall-group-update.py | 48 +++++++++++++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 op-mode-definitions/update-firewall-groups.xml.in
 create mode 100755 src/helpers/firewall-group-update.py

diff --git a/op-mode-definitions/update-firewall-groups.xml.in b/op-mode-definitions/update-firewall-groups.xml.in
new file mode 100644
index 00000000000..90c158ad188
--- /dev/null
+++ b/op-mode-definitions/update-firewall-groups.xml.in
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+ Update firewall sets
+
+ sudo ${vyos_libexec_dir}/firewall-group-update.py
+
+
+
+
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 314e8dfe3d7..640402822df 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -794,3 +794,24 @@ def geoip_update(firewall, force=False):
         return False
     return True
+
+def firewall_group_update(config):
+    nftables_nat_config = '/run/nftables_nat.conf'
+    nftables_policy_config = '/run/nftables_policy.conf'
+
+    if 'nat' in config:
+        render(nftables_nat_config, 'firewall/nftables-nat.j2', config['nat'])
+
+        result = run(f'nft --file {nftables_nat_config}')
+        if result != 0:
+            print('Error: Failed to update nat')
+            return False
+
+    if 'policy' in config:
+        render(nftables_policy_config, 'firewall/nftables-policy.j2', config['policy'])
+        result = run(f'nft --file {nftables_policy_config}')
+        if result != 0:
+            print('Error: Failed to update policy')
+            return False
+
+    return True
diff --git a/src/helpers/firewall-group-update.py b/src/helpers/firewall-group-update.py
new file mode 100755
index 00000000000..8febe04f12d
--- /dev/null
+++ b/src/helpers/firewall-group-update.py
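Review bot: firewall_group_update has no docstring, and its precondition is not visible from the code: config['nat'] and config['policy'] are expected to already carry the firewall_group subtree that the helper script attaches, and the function rewrites /run/nftables_nat.conf and /run/nftables_policy.conf and loads them with nft as a side effect; a short docstring stating the expected config shape, the files touched, and the False-with-printed-error contract (matching geoip_update above) would make that clear to other callers. A failed nat reload returns before policy is attempted, which is presumably intended but deserves a one-line comment since the two branches are otherwise independent. The two branches also differ only in names and blank-line layout (a blank line after render() in the nat branch, none in the policy branch); iterating over a small list of (key, template, path) tuples would remove the duplication and the inconsistency.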
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import sys
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.firewall import firewall_group_update
+
+def get_config(config=None):
+    if config:
+        conf = config
+    else:
+        conf = ConfigTreeQuery()
+
+    config = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True,
+                                  no_tag_node_value_mangle=True)
+
+    firewall_group = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'),
+                                  get_first_key=True,
+                                  no_tag_node_value_mangle=True)
+    if 'nat' in config:
+        config['nat']['firewall_group'] = firewall_group
+
+    if 'policy' in config:
+        config['policy']['firewall_group'] = firewall_group
+
+    return config
+
+
+if __name__ == '__main__':
+
+    config = get_config()
+
+    if not firewall_group_update(config):
+        sys.exit(1)
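Review bot: In get_config the parameter `config` is first treated as a configuration-query object (`conf = config`) and then rebound to the dict returned by get_config_dict, so one name means two different things within a few lines; naming the dict separately, e.g. `config_dict = conf.get_config_dict([], ...)` and returning `config_dict`, keeps `config` for the caller-supplied object only. The second get_config_dict call re-walks ['firewall', 'group'] although the whole tree was just read; if the key mangling and get_first_key handling are the same for both calls, `config.get('firewall', {}).get('group', {})` would yield the same subtree without a second query, which is worth confirming against get_config_dict. A module docstring saying that this script backs the op-mode command defined in update-firewall-groups.xml.in, runs under sudo, and re-renders and reloads the nat and policy nftables rulesets from the running config would help the next reader; the copyright header also says 2021 for a file created in 2025.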