author | Christian Breunig <christian@breunig.cc> | 2023-08-26 14:59:10 +0200 |
committer | GitHub <noreply@github.com> | 2023-08-26 14:59:10 +0200 |
commit | 75aa90cf2b234a34565d165697196ac9a304bb66 (patch) | |
tree | 8a1c07e17cec0333b71ed32c12f403953a762afe /data/templates/firewall/nftables.j2 | |
parent | 3144b67f1b04e88f5ba928db2eee6f198be04a3a (diff) | |
parent | 2509a1ab84cdb6d9389b547f93b0904cf329e78a (diff) | |
Merge pull request #2163 from sarthurdev/firewall_rpfilter
firewall: T3509: Add support for IPv6 reverse path filtering
Diffstat (limited to 'data/templates/firewall/nftables.j2')
-rw-r--r-- | data/templates/firewall/nftables.j2 | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 10cbc68cb..84af0449a 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -3,6 +3,20 @@
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 {% if first_install is not vyos_defined %}
+delete table inet vyos_global_rpfilter
+{% endif %}
+table inet vyos_global_rpfilter {
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ }
+}
+
+{% if first_install is not vyos_defined %}
 delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter { |
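Review bot: `delete table inet vyos_global_rpfilter` is emitted whenever first_install is unset, but nothing in the hunk guarantees the table already exists at that point, and nft rejects deleting a missing table, so the first re-commit on a running system upgraded to this version could fail to load the ruleset unless the loader tolerates that error; emitting `table inet vyos_global_rpfilter` on the line before the delete (create-then-delete is idempotent) or checking for the table on the loader side would make it robust. The new chain is in the `inet` family, so the fib drop rules apply to IPv4 as well as IPv6 even though the title speaks of IPv6, and a comment such as `{# inet family: this chain filters both IPv4 and IPv6 #}` above the table would make that intent explicit to the next maintainer. Worth confirming as well: the fib expression, unlike the xt_rpfilter module as I recall it, has no special case for legitimate but unroutable sources such as the all-zeros IPv4 source used by DHCP discover or an unspecified IPv6 source, so a router serving DHCP on a filtered interface may need an exempting rule ahead of the drop. For readability the two lookups could use the keyword form, `fib saddr oif missing counter drop` and `fib saddr . iif oif missing counter drop`, which nft accepts as equivalent to `oif 0`.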