diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-09-18 21:44:29 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-18 21:44:29 +0300 |
| commit | cf4759be20c475bd34edab9604f7371ff5857723 (patch) | |
| tree | 36fc16b2ca818110bbbe4c144be5380b7bb0fa90 /data/vyos-firewall-init.conf | |
| parent | 404fc9090629a61bc2110af7a2ec80ff30ec3608 (diff) | |
| parent | fb3ef9af5e394aa25692003fb3c185bfedefe3cb (diff) | |
| download | vyos-1x-cf4759be20c475bd34edab9604f7371ff5857723.tar.gz vyos-1x-cf4759be20c475bd34edab9604f7371ff5857723.zip | |
Merge pull request #2276 from sarthurdev/conntrack
conntrack: T5571: Refactor conntrack using vyos.configdep
Diffstat (limited to 'data/vyos-firewall-init.conf')
| -rw-r--r-- | data/vyos-firewall-init.conf | 113 |
1 files changed, 5 insertions, 108 deletions
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 7e258e6f1..cd7d5011f 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -9,6 +9,7 @@ table ip nat { } table inet mangle { + # Used by system flow-accounting chain FORWARD { type filter hook forward priority -150; policy accept; } @@ -28,61 +29,9 @@ table raw { counter jump vyos_global_rpfilter } - chain PREROUTING { + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - ct helper rpc_tcp { - type "rpc" protocol tcp; - } - - ct helper rpc_udp { - type "rpc" protocol udp; - } - - ct helper tns_tcp { - type "tns" protocol tcp; - } - - chain VYOS_CT_HELPER { - ct helper set "rpc_tcp" tcp dport {111} return - ct helper set "rpc_udp" udp dport {111} return - ct helper set "tns_tcp" tcp dport {1521,1525,1536} return - return - } - - chain VYOS_CT_IGNORE { - return - } - - chain VYOS_CT_TIMEOUT { - return - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - return } } @@ -100,60 +49,8 @@ table ip6 raw { counter jump vyos_global_rpfilter } - chain PREROUTING { + # Used by system flow-accounting + chain VYOS_PREROUTING_HOOK { type filter hook prerouting priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_PREROUTING_HOOK - counter jump FW_CONNTRACK - notrack - } - - chain OUTPUT { - type filter hook output priority -300; policy accept; - counter jump VYOS_CT_IGNORE - counter jump VYOS_CT_TIMEOUT - counter jump VYOS_CT_OUTPUT_HOOK - counter jump FW_CONNTRACK - notrack - } - - ct helper rpc_tcp { - type "rpc" protocol tcp; - } - - ct helper rpc_udp { - type "rpc" protocol udp; - } - - ct helper tns_tcp { - type "tns" protocol tcp; - } - - chain VYOS_CT_HELPER { - ct helper set "rpc_tcp" tcp dport {111} return - ct helper set "rpc_udp" udp dport {111} return - ct helper set "tns_tcp" tcp dport {1521,1525,1536} return - return - } - - chain VYOS_CT_IGNORE { - return - } - - chain VYOS_CT_TIMEOUT { - return - } - - chain VYOS_CT_PREROUTING_HOOK { - return - } - - chain VYOS_CT_OUTPUT_HOOK { - return - } - - chain FW_CONNTRACK { - return } } |