nftable: fix renderer to generate rules targeted only for nftables pl…

…atform

PiperOrigin-RevId: 673312878

capirca/lib/nftables.py

@@ -753,6 +753,14 @@ def _TranslatePolicy(self, pol, exp_info):
                 'WARNING: Term %s in policy %s is expired and '
                 'will not be rendered.', term.name, nf_af)
             continue
+        # Only generate the term if it's for the appropriate platform
+        if term.platform:
+          if self._PLATFORM not in term.platform:
+            continue
+        if term.platform_exclude:
+          if self._PLATFORM in term.platform_exclude:
+            continue
+
         # Handle address excludes before building nft address book dict.
         for i in term.source_address_exclude:
           term.source_address = nacaddr.RemoveAddressFromList(

policies/pol/sample_nftables.pol

@@ -186,3 +186,21 @@ term high-ports {
   destination-port:: HIGH_PORTS
   action:: accept
 }
+
+term nftables-platform {
+  comment:: "Term just for nftables platform example"
+  action:: accept
+  platform:: nftables
+}
+
+term different-platform {
+  comment:: "Platform is not for nftables, so this should be not rendered"
+  action:: accept
+  platform:: no_such_platform
+}
+
+term excludeed-platform {
+  comment:: "nftables platform is excluded, so this should be not rendered"
+  action:: accept
+  platform-exclude:: nftables
+}

tests/lib/nftables_test.py

@@ -202,6 +202,51 @@ def __init__(self, in_dict: dict):
 }
 """
 
+NFTABLES_ONLY_PLATFORM_TERM = """
+term src-interface-term {
+  source-interface:: eth123
+  protocol:: tcp
+  action:: accept
+  platform:: nftables
+}
+"""
+
+NFTABLES_IN_PLATFORM_TERM = """
+term src-interface-term {
+  source-interface:: eth123
+  protocol:: tcp
+  action:: accept
+  platform:: another_platform1 nftables another_platform2
+}
+"""
+
+DIFFERENT_PLATFORM_EXCLUDED_TERM = """
+term src-interface-term {
+  source-interface:: eth123
+  protocol:: tcp
+  action:: accept
+  platform-exclude:: another_platform1
+}
+"""
+
+DIFFERENT_PLATFORM_TERM = """
+term src-interface-term {
+  source-interface:: eth123
+  protocol:: tcp
+  action:: accept
+  platform:: another_platform1 another_platform2
+}
+"""
+
+EXCLUDE_NFTABLES_PLATFORM_TERM = """
+term src-interface-term {
+  source-interface:: eth123
+  protocol:: tcp
+  action:: accept
+  platform-exclude:: nftables
+}
+"""
+
 # Output interface name test term.
 DESTINATION_INTERFACE_TERM = """
 term dst-interface-term {
@@ -947,6 +992,21 @@ def testRulesetGeneratorAF(self, policy_data: str, expected_inet: str):
           TEST_IPS,
           'icmpv6 type nd-router-solicit',
       ),
+      (
+          GOOD_HEADER_1 + NFTABLES_ONLY_PLATFORM_TERM,
+          TEST_IPS,
+          '    iifname eth123 meta l4proto',
+      ),
+      (
+          GOOD_HEADER_1 + NFTABLES_IN_PLATFORM_TERM,
+          TEST_IPS,
+          '    iifname eth123 meta l4proto',
+      ),
+      (
+          GOOD_HEADER_1 + DIFFERENT_PLATFORM_EXCLUDED_TERM,
+          TEST_IPS,
+          '    iifname eth123 meta l4proto',
+      ),
   )
   def testRulesetGenerator(self, policy_data: str, IPs, contains: str):
     self.naming.GetNetAddr.return_value = IPs
@@ -957,6 +1017,26 @@ def testRulesetGenerator(self, policy_data: str, IPs, contains: str):
     )
     self.assertIn(contains, nft)
 
+  @parameterized.parameters(
+      (
+          GOOD_HEADER_1 + DIFFERENT_PLATFORM_TERM,
+          'eth123',
+      ),
+      (
+          GOOD_HEADER_1 + EXCLUDE_NFTABLES_PLATFORM_TERM,
+          'eth123',
+      ),
+  )
+  def testRulesetGeneratorSkippedPlatform(
+      self, policy_data: str, does_not_contain: str
+  ):
+    self.naming.GetNetAddr.return_value = TEST_IPS
+    nft = str(
+        nftables.Nftables(
+            policy.ParsePolicy(policy_data, self.naming), EXP_INFO
+        )
+    )
+    self.assertNotIn(does_not_contain, nft)
 
 if __name__ == '__main__':
   absltest.main()