diff options
| author | Daniil Baturin <daniil@vyos.io> | 2024-09-02 12:01:50 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-02 12:01:50 +0100 |
| commit | c78c5bd7e65b19e0e50ef6944dc74fb33660ff71 (patch) | |
| tree | 8662a3ade15426575ed0280902b566c2b4c204a2 /data/templates | |
| parent | 497863bb45cf9a20ce9e055c8b09f31c75754941 (diff) | |
| parent | 8e0e1a99e5510c7575ab8a09145d6b4354692d55 (diff) | |
| download | vyos-1x-c78c5bd7e65b19e0e50ef6944dc74fb33660ff71.tar.gz vyos-1x-c78c5bd7e65b19e0e50ef6944dc74fb33660ff71.zip | |
Merge pull request #4018 from nicolas-fort/T6647
T6647: firewall. Introduce patch for accepting invalid ARP and DHCP
Diffstat (limited to 'data/templates')
| -rwxr-xr-x | data/templates/firewall/nftables.j2 | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 155b7f4d0..034328400 100755 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -376,8 +376,14 @@ table bridge vyos_filter { {% if bridge.output is vyos_defined %} {% for prior, conf in bridge.output.items() %} - chain VYOS_OUTUT_{{ prior }} { + chain VYOS_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy accept; +{% if global_options.apply_to_bridged_traffic is vyos_defined %} +{% if 'invalid_connections' in global_options.apply_to_bridged_traffic %} + ct state invalid udp sport 67 udp dport 68 counter accept + ct state invalid ether type arp counter accept +{% endif %} +{% endif %} {% if global_options.state_policy is vyos_defined %} jump VYOS_STATE_POLICY {% endif %} |