diff options
Diffstat (limited to 'data/templates/firewall')
| -rw-r--r-- | data/templates/firewall/nftables-nat.j2 | 21 | ||||
| -rw-r--r-- | data/templates/firewall/nftables-nat66.j2 | 17 | ||||
| -rw-r--r-- | data/templates/firewall/nftables-offload.j2 | 9 | ||||
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 26 |
4 files changed, 22 insertions, 51 deletions
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2 index dcf28da88..4254f6a0e 100644 --- a/data/templates/firewall/nftables-nat.j2 +++ b/data/templates/firewall/nftables-nat.j2 @@ -2,27 +2,6 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% if helper_functions is vyos_defined('remove') %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip raw' %} -{{ base_command }} PREROUTING handle {{ pre_ct_ignore }} -{{ base_command }} OUTPUT handle {{ out_ct_ignore }} -{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} -{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip raw NAT_CONNTRACK - -{% elif helper_functions is vyos_defined('add') %} -{# NAT if enabled - add targets to nftables #} -add chain ip raw NAT_CONNTRACK -add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip raw' %} -{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - {% if first_install is not vyos_defined %} delete table ip vyos_nat {% endif %} diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 index 27b3eec88..67eb2c109 100644 --- a/data/templates/firewall/nftables-nat66.j2 +++ b/data/templates/firewall/nftables-nat66.j2 @@ -1,22 +1,5 @@ #!/usr/sbin/nft -f -{% if helper_functions is vyos_defined('remove') %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip6 raw' %} -{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} -{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip6 raw NAT_CONNTRACK - -{% elif helper_functions is vyos_defined('add') %} -{# NAT if enabled - add targets to nftables #} -add chain ip6 raw NAT_CONNTRACK -add rule ip6 raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip6 raw' %} -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - {% if first_install is not vyos_defined %} delete table ip6 vyos_nat {% endif %} diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2 new file mode 100644 index 000000000..a893e05b2 --- /dev/null +++ b/data/templates/firewall/nftables-offload.j2 @@ -0,0 +1,9 @@ +{% macro flowtable(name, config) %} + flowtable VYOS_FLOWTABLE_{{ name }} { + hook ingress priority 0; devices = { {{ config.interface | join(', ') }} }; +{% if config.offload is vyos_defined('hardware') %} + flags offload; +{% endif %} + counter + } +{% endmacro %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 87630940b..75800ee3d 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -2,18 +2,12 @@ {% import 'firewall/nftables-defines.j2' as group_tmpl %} {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} - -flush chain raw FW_CONNTRACK -flush chain ip6 raw FW_CONNTRACK +{% import 'firewall/nftables-offload.j2' as offload_tmpl %} flush chain raw vyos_global_rpfilter flush chain ip6 raw vyos_global_rpfilter table raw { - chain FW_CONNTRACK { - {{ ipv4_conntrack_action }} - } - chain vyos_global_rpfilter { {% if global_options.source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop @@ -25,10 +19,6 @@ table raw { } table ip6 raw { - chain FW_CONNTRACK { - {{ ipv6_conntrack_action }} - } - chain vyos_global_rpfilter { {% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop @@ -44,6 +34,12 @@ delete table ip vyos_filter {% endif %} table ip vyos_filter { {% if ipv4 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv4.forward is vyos_defined %} {% for prior, conf in ipv4.forward.items() %} @@ -163,6 +159,12 @@ delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { {% if ipv6 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv6.forward is vyos_defined %} {% for prior, conf in ipv6.forward.items() %} @@ -265,9 +267,7 @@ table ip6 vyos_filter { {% if first_install is not vyos_defined %} delete table bridge vyos_filter {% endif %} -{% if bridge is vyos_defined %} table bridge vyos_filter { {{ bridge_tmpl.bridge(bridge) }} {{ group_tmpl.groups(group, False, False) }} } -{% endif %} |