summaryrefslogtreecommitdiff
path: root/data/templates/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-defines.j28
-rw-r--r--data/templates/firewall/nftables-nat.j222
-rw-r--r--data/templates/firewall/nftables-policy.j231
-rw-r--r--data/templates/firewall/nftables-static-nat.j218
-rw-r--r--data/templates/firewall/nftables-zone.j222
-rw-r--r--data/templates/firewall/nftables.j220
6 files changed, 78 insertions, 43 deletions
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 5336f7ee6..dd06dee28 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -27,6 +27,14 @@
}
{% endfor %}
{% endif %}
+{% if group.domain_group is vyos_defined %}
+{% for name, name_config in group.domain_group.items() %}
+ set D_{{ name }} {
+ type {{ ip_type }}
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% if group.mac_group is vyos_defined %}
{% for group_name, group_conf in group.mac_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index 55fe6024b..f0be3cf5d 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -1,5 +1,7 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{% set base_command = 'delete rule ip raw' %}
@@ -24,6 +26,7 @@ add rule ip raw NAT_CONNTRACK counter accept
{% if first_install is not vyos_defined %}
delete table ip vyos_nat
{% endif %}
+{% if deleted is not vyos_defined %}
table ip vyos_nat {
#
# Destination NAT rules build up here
@@ -31,11 +34,11 @@ table ip vyos_nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
counter jump VYOS_PRE_DNAT_HOOK
-{% if destination.rule is vyos_defined %}
-{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
+{% if destination.rule is vyos_defined %}
+{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_rule(rule, 'destination') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
#
@@ -44,11 +47,11 @@ table ip vyos_nat {
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
counter jump VYOS_PRE_SNAT_HOOK
-{% if source.rule is vyos_defined %}
-{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
+{% if source.rule is vyos_defined %}
+{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_rule(rule, 'source') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
chain VYOS_PRE_DNAT_HOOK {
@@ -58,4 +61,7 @@ table ip vyos_nat {
chain VYOS_PRE_SNAT_HOOK {
return
}
+
+{{ group_tmpl.groups(firewall_group, False) }}
}
+{% endif %}
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 40118930b..6cb3b2f95 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -2,21 +2,24 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% if cleanup_commands is vyos_defined %}
-{% for command in cleanup_commands %}
-{{ command }}
-{% endfor %}
+{% if first_install is not vyos_defined %}
+delete table ip vyos_mangle
+delete table ip6 vyos_mangle
{% endif %}
-
-table ip mangle {
-{% if first_install is vyos_defined %}
+table ip vyos_mangle {
chain VYOS_PBR_PREROUTING {
type filter hook prerouting priority -150; policy accept;
+{% if route is vyos_defined %}
+{% for route_text, conf in route.items() if conf.interface is vyos_defined %}
+ iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR_{{ route_text }}
+{% endfor %}
+{% endif %}
}
+
chain VYOS_PBR_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
-{% endif %}
+
{% if route is vyos_defined %}
{% for route_text, conf in route.items() %}
chain VYOS_PBR_{{ route_text }} {
@@ -32,15 +35,20 @@ table ip mangle {
{{ group_tmpl.groups(firewall_group, False) }}
}
-table ip6 mangle {
-{% if first_install is vyos_defined %}
+table ip6 vyos_mangle {
chain VYOS_PBR6_PREROUTING {
type filter hook prerouting priority -150; policy accept;
+{% if route6 is vyos_defined %}
+{% for route_text, conf in route6.items() if conf.interface is vyos_defined %}
+ iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }}
+{% endfor %}
+{% endif %}
}
+
chain VYOS_PBR6_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
-{% endif %}
+
{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() %}
chain VYOS_PBR6_{{ route_text }} {
@@ -52,5 +60,6 @@ table ip6 mangle {
}
{% endfor %}
{% endif %}
+
{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/data/templates/firewall/nftables-static-nat.j2 b/data/templates/firewall/nftables-static-nat.j2
index 790c33ce9..e5e3da867 100644
--- a/data/templates/firewall/nftables-static-nat.j2
+++ b/data/templates/firewall/nftables-static-nat.j2
@@ -3,6 +3,7 @@
{% if first_install is not vyos_defined %}
delete table ip vyos_static_nat
{% endif %}
+{% if deleted is not vyos_defined %}
table ip vyos_static_nat {
#
# Destination NAT rules build up here
@@ -10,11 +11,11 @@ table ip vyos_static_nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
-{% if static.rule is vyos_defined %}
-{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
+{% if static.rule is vyos_defined %}
+{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_static_rule(rule, 'destination') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
#
@@ -22,10 +23,11 @@ table ip vyos_static_nat {
#
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
-{% if static.rule is vyos_defined %}
-{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
+{% if static.rule is vyos_defined %}
+{% for rule, config in static.rule.items() if config.disable is not vyos_defined %}
{{ config | nat_static_rule(rule, 'source') }}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endif %}
}
}
+{% endif %}
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 919881e19..17ef5101d 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -39,18 +39,22 @@
{% if zone_conf.local_zone is vyos_defined %}
chain VZONE_{{ zone_name }}_IN {
iifname lo counter return
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{% if zone_conf.from is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{% endfor %}
+{% endfor %}
+{% endif %}
{{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
chain VZONE_{{ zone_name }}_OUT {
oifname lo counter return
-{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{% if zone_conf.from_local is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{% endfor %}
+{% endfor %}
+{% endif %}
{{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
{% else %}
@@ -59,12 +63,14 @@
{% if zone_conf.intra_zone_filtering is vyos_defined %}
iifname { {{ zone_conf.interface | join(",") }} } counter return
{% endif %}
-{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
-{% if zone[from_zone].local_zone is not defined %}
+{% if zone_conf.from is vyos_defined %}
+{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{% if zone[from_zone].local_zone is not defined %}
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
-{% endif %}
-{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
{{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
{% endif %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 9d609f73f..2c7115134 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -67,14 +67,12 @@ table ip vyos_filter {
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
-{% if group is vyos_defined and group.domain_group is vyos_defined %}
-{% for name, name_config in group.domain_group.items() %}
- set D_{{ name }} {
+{% for set_name in ip_fqdn %}
+ set FQDN_{{ set_name }} {
type ipv4_addr
flags interval
}
-{% endfor %}
-{% endif %}
+{% endfor %}
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
@@ -178,6 +176,12 @@ table ip6 vyos_filter {
{{ conf | nft_default_rule(name_text, ipv6=True) }}
}
{% endfor %}
+{% for set_name in ip6_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
{% for set_name in ns.sets %}
set RECENT6_{{ set_name }} {
type ipv6_addr
@@ -204,13 +208,13 @@ table ip6 vyos_filter {
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {
{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
+ {{ state_policy.established | nft_state_policy('established') }}
{% endif %}
{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
+ {{ state_policy.invalid | nft_state_policy('invalid') }}
{% endif %}
{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
+ {{ state_policy.related | nft_state_policy('related') }}
{% endif %}
return
}