From 64ee13cf9374d6e726570a8d0083c2e7a386a873 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Fri, 24 Nov 2023 10:24:48 +0000
Subject: T5775: firewall: re-add state-policy to firewall. These commands are
 now included in <set firewall global-options state-policy> node.

---
 data/templates/firewall/nftables-zone.j2 | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'data/templates/firewall/nftables-zone.j2')

diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index beb14ff00..5e55099ca 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -1,5 +1,5 @@
 
-{% macro zone_chains(zone, family) %}
+{% macro zone_chains(zone, family, state_policy=False) %}
 {% if family == 'ipv6' %}
 {%     set fw_name = 'ipv6_name' %}
 {%     set suffix = '6' %}
@@ -10,6 +10,9 @@
 
     chain VYOS_ZONE_FORWARD {
         type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' not in zone_conf %}
         oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
@@ -18,6 +21,9 @@
     }
     chain VYOS_ZONE_LOCAL {
         type filter hook input priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' in zone_conf %}
         counter jump VZONE_{{ zone_name }}_IN
@@ -26,6 +32,9 @@
     }
     chain VYOS_ZONE_OUTPUT {
         type filter hook output priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' in zone_conf %}
         counter jump VZONE_{{ zone_name }}_OUT
-- 
cgit v1.2.3