summaryrefslogtreecommitdiff
path: root/data/templates/conntrack/nftables-ct.j2
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-02-22 12:01:03 +0100
committerGitHub <noreply@github.com>2024-02-22 12:01:03 +0100
commit72e597d5c258b1730d59d9f8cd08331338cee5b5 (patch)
treea07df1c201b0c08b7763543d935186a783b1d0a9 /data/templates/conntrack/nftables-ct.j2
parent8191ff673d317c09eea69fd521e4a2af931ddc91 (diff)
parent538aeeccc46d31ab54647b67c8a2ba442d61cc46 (diff)
downloadvyos-1x-72e597d5c258b1730d59d9f8cd08331338cee5b5.tar.gz
vyos-1x-72e597d5c258b1730d59d9f8cd08331338cee5b5.zip
Merge pull request #3037 from sarthurdev/T5376
conntrack: T5376: Fix priority for CT helpers
Diffstat (limited to 'data/templates/conntrack/nftables-ct.j2')
-rw-r--r--data/templates/conntrack/nftables-ct.j236
1 files changed, 26 insertions, 10 deletions
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 762a6f693..c753e6bcb 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -40,9 +40,6 @@ table ip vyos_conntrack {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
-{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
- counter jump VYOS_CT_HELPER
-{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -51,11 +48,15 @@ table ip vyos_conntrack {
notrack
}
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ chain PREROUTING_HELPER {
+ type filter hook prerouting priority -5; policy accept;
counter jump VYOS_CT_HELPER
+ }
{% endif %}
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -66,6 +67,13 @@ table ip vyos_conntrack {
notrack
}
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ chain OUTPUT_HELPER {
+ type filter hook output priority -5; policy accept;
+ counter jump VYOS_CT_HELPER
+ }
+{% endif %}
+
{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
chain FW_CONNTRACK {
@@ -122,9 +130,6 @@ table ip6 vyos_conntrack {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
-{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
- counter jump VYOS_CT_HELPER
-{% endif %}
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -132,11 +137,15 @@ table ip6 vyos_conntrack {
notrack
}
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ chain PREROUTING_HELPER {
+ type filter hook prerouting priority -5; policy accept;
counter jump VYOS_CT_HELPER
+ }
{% endif %}
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump FW_CONNTRACK
@@ -144,6 +153,13 @@ table ip6 vyos_conntrack {
notrack
}
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ chain OUTPUT_HELPER {
+ type filter hook output priority -5; policy accept;
+ counter jump VYOS_CT_HELPER
+ }
+{% endif %}
+
{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
chain FW_CONNTRACK {