From fcedc85e2b4d3d6663b0c78c3fb3bd93db91fcc2 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Fri, 24 Nov 2023 10:24:48 +0000
Subject: T5775: firewall: re-add state-policy to firewall. These commands are
 now included in <set firewall global-options state-policy> node.

---
 data/templates/firewall/nftables-zone.j2 | 22 +++++++++++++
 data/templates/firewall/nftables.j2      | 54 ++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)


diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index ee468c6c1..298e6750e 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -1,8 +1,24 @@
+<<<<<<< HEAD
 {% macro zone_chains(zone, ipv6=False) %}
 {% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
 {% set suffix = '6' if ipv6 else '' %}
+=======
+
+{% macro zone_chains(zone, family, state_policy=False) %}
+{% if family == 'ipv6' %}
+{%     set fw_name = 'ipv6_name' %}
+{%     set suffix = '6' %}
+{% else %}
+{%     set fw_name = 'name' %}
+{%     set suffix = '' %}
+{% endif %}
+
+>>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
     chain VYOS_ZONE_FORWARD {
         type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' not in zone_conf %}
         oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
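Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 64ee13cf9 …`) are committed into the template in this hunk; Jinja has no syntax for them and passes them through as literal text, so they would end up in the rendered ruleset, and the hunk additionally opens `zone_chains` twice (once with `ipv6=False`, once with `family`) against the single `{% endmacro %}` that lies outside the hunk, which I would expect to fail at template parse time. The same markers are committed around the two `zone_chains` call sites in nftables.j2 (hunks `@@ -158,7 +167,25 @@` and `@@ -271,7 +307,25 @@`), where both the old call and the new call are rendered. One signature has to be chosen and the markers removed before this template can render; the macro body continues past the hunk.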
@@ -11,6 +27,9 @@
     }
     chain VYOS_ZONE_LOCAL {
         type filter hook input priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' in zone_conf %}
         counter jump VZONE_{{ zone_name }}_IN
@@ -19,6 +38,9 @@
     }
     chain VYOS_ZONE_OUTPUT {
         type filter hook output priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
 {% for zone_name, zone_conf in zone.items() %}
 {%     if 'local_zone' in zone_conf %}
         counter jump VZONE_{{ zone_name }}_OUT
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 91c4d0788..133835d54 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -50,6 +50,9 @@ table ip vyos_filter {
 {%         for prior, conf in ipv4.forward.items() %}
     chain VYOS_FORWARD_{{ prior }} {
         type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
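Review bot: The new `jump VYOS_STATE_POLICY` is placed ahead of the numbered rules in every `VYOS_FORWARD_{{ prior }}` chain, so a terminating verdict from the state-policy chain (an accepted established flow, a dropped invalid packet) ends evaluation of that base chain before any of its `nft_rule` lines are reached, and nothing in the template says so; the jump also carries no `counter`, unlike the zone jumps in nftables-zone.j2, so state-policy hits are not visible in the chain counters. I would add `{# state-policy is evaluated first: a verdict there short-circuits this chain's numbered rules #}` above the `{% if %}` and emit the line as `        counter jump VYOS_STATE_POLICY`. The same applies to the INPUT and OUTPUT hunks of this table and to the three ip6 hunks that jump to `VYOS_STATE_POLICY6`; the enclosing `for prior, conf` loop starts before each hunk.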
@@ -67,6 +70,9 @@ table ip vyos_filter {
 {%         for prior, conf in ipv4.input.items() %}
     chain VYOS_INPUT_{{ prior }} {
         type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP',prior, rule_id) }}
@@ -84,6 +90,9 @@ table ip vyos_filter {
 {%         for prior, conf in ipv4.output.items() %}
     chain VYOS_OUTPUT_{{ prior }} {
         type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
@@ -158,7 +167,25 @@ table ip vyos_filter {
 {{ group_tmpl.groups(group, False, True) }}
 
 {% if zone is vyos_defined %}
+<<<<<<< HEAD
 {{ zone_tmpl.zone_chains(zone, False) }}
+=======
+{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+>>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
 {% endif %}
 }
 
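Review bot: The `VYOS_STATE_POLICY` chain body added here is repeated verbatim for `VYOS_STATE_POLICY6` in the ip6 hunk (`@@ -271,7 +307,25 @@`), differing only in the chain name, so three `vyos_defined` checks and three `nft_state_policy` calls now have to be kept in sync by hand. A small macro taking the policy node and the name suffix, defined near the top of nftables.j2 and invoked as `{{ state_policy_chain(global_options.state_policy, '') }}` and `{{ state_policy_chain(global_options.state_policy, '6') }}` inside the existing `{% if global_options.state_policy is vyos_defined %}` guards, would keep the two chains from drifting. The enclosing `table ip vyos_filter` block starts before the hunk.
```jinja
{% macro state_policy_chain(policy, suffix) %}
    chain VYOS_STATE_POLICY{{ suffix }} {
{%     if policy.established is vyos_defined %}
        {{ policy.established | nft_state_policy('established') }}
{%     endif %}
{%     if policy.invalid is vyos_defined %}
        {{ policy.invalid | nft_state_policy('invalid') }}
{%     endif %}
{%     if policy.related is vyos_defined %}
        {{ policy.related | nft_state_policy('related') }}
{%     endif %}
        return
    }
{% endmacro %}
```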
@@ -178,6 +205,9 @@ table ip6 vyos_filter {
 {%         for prior, conf in ipv6.forward.items() %}
     chain VYOS_IPV6_FORWARD_{{ prior }} {
         type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
@@ -195,6 +225,9 @@ table ip6 vyos_filter {
 {%         for prior, conf in ipv6.input.items() %}
     chain VYOS_IPV6_INPUT_{{ prior }} {
         type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
@@ -212,6 +245,9 @@ table ip6 vyos_filter {
 {%         for prior, conf in ipv6.output.items() %}
     chain VYOS_IPV6_OUTPUT_{{ prior }} {
         type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
@@ -271,7 +307,25 @@ table ip6 vyos_filter {
 {{ group_tmpl.groups(group, True, True) }}
 
 {% if zone is vyos_defined %}
+<<<<<<< HEAD
 {{ zone_tmpl.zone_chains(zone, True) }}
+=======
+{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY6 {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+>>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
 {% endif %}
 
 }
-- 
cgit v1.2.3


From 601616c022d938d39eeeab26673f01a6f7238bf3 Mon Sep 17 00:00:00 2001
From: Bjarke Istrup Pedersen <gurli@gurlinet.dk>
Date: Sat, 9 Dec 2023 17:22:16 +0100
Subject: T5775: Fix collisions and adjust for 1.4

---
 data/templates/firewall/nftables-zone.j2 | 15 +--------------
 data/templates/firewall/nftables.j2      | 12 ++----------
 2 files changed, 3 insertions(+), 24 deletions(-)


diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 298e6750e..506ad815e 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -1,19 +1,6 @@
-<<<<<<< HEAD
-{% macro zone_chains(zone, ipv6=False) %}
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
 {% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
 {% set suffix = '6' if ipv6 else '' %}
-=======
-
-{% macro zone_chains(zone, family, state_policy=False) %}
-{% if family == 'ipv6' %}
-{%     set fw_name = 'ipv6_name' %}
-{%     set suffix = '6' %}
-{% else %}
-{%     set fw_name = 'name' %}
-{%     set suffix = '' %}
-{% endif %}
-
->>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
     chain VYOS_ZONE_FORWARD {
         type filter hook forward priority 1; policy accept;
 {% if state_policy %}
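Review bot: The new `state_policy` parameter of `zone_chains` is undocumented, and its effect — each zone base chain first jumps to `VYOS_STATE_POLICY{{ suffix }}` before the per-zone jumps — can only be learned by reading the macro body, which continues past the hunk. I would add `{# state_policy: when true, every zone base chain first jumps to VYOS_STATE_POLICY{{ suffix }}; nftables.j2 emits that chain under the same condition #}` directly above the `{% macro %}` line so the contract between the two templates is stated where the parameter is declared.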
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 133835d54..3f7906628 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -167,10 +167,7 @@ table ip vyos_filter {
 {{ group_tmpl.groups(group, False, True) }}
 
 {% if zone is vyos_defined %}
-<<<<<<< HEAD
-{{ zone_tmpl.zone_chains(zone, False) }}
-=======
-{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
 {% endif %}
 {% if global_options.state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY {
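Review bot: The resolved call passes the state-policy switch positionally as a bare boolean expression, `zone_chains(zone, False, global_options.state_policy is vyos_defined)`, so at the call site neither `False` nor the third argument says what it controls. Jinja macros accept keyword arguments, so `{{ zone_tmpl.zone_chains(zone, ipv6=False, state_policy=global_options.state_policy is vyos_defined) }}` would read without opening nftables-zone.j2. The ip6 call in hunk `@@ -307,10 +303,7 @@` has the same shape.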
@@ -185,7 +182,6 @@ table ip vyos_filter {
 {%     endif %}
         return
     }
->>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
 {% endif %}
 }
 
@@ -307,10 +303,7 @@ table ip6 vyos_filter {
 {{ group_tmpl.groups(group, True, True) }}
 
 {% if zone is vyos_defined %}
-<<<<<<< HEAD
-{{ zone_tmpl.zone_chains(zone, True) }}
-=======
-{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
 {% endif %}
 {% if global_options.state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY6 {
@@ -325,7 +318,6 @@ table ip6 vyos_filter {
 {%     endif %}
         return
     }
->>>>>>> 64ee13cf9 (T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node.)
 {% endif %}
 
 }
-- 
cgit v1.2.3