diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-02-22 13:31:41 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-02-22 13:31:41 +0100 |
| commit | 29a15608caf38abd2466b1ccaae80eddaa4e49e9 (patch) | |
| tree | a1366b33fd9c7b98233a6a5a8801a8ceda157217 | |
| parent | ec87b4c823f88a20e2a72bfd6b7426097dc1574c (diff) | |
| parent | 9e65bc9dfcc2dc73b31d1a039859686bd11b476c (diff) | |
| download | vyos-1x-29a15608caf38abd2466b1ccaae80eddaa4e49e9.tar.gz vyos-1x-29a15608caf38abd2466b1ccaae80eddaa4e49e9.zip | |
Merge pull request #3038 from vyos/mergify/bp/sagitta/pr-3037
conntrack: T5376: Fix priority for CT helpers (backport #3037)
| -rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 index 762a6f693..c753e6bcb 100644 --- a/data/templates/conntrack/nftables-ct.j2 +++ b/data/templates/conntrack/nftables-ct.j2 @@ -40,9 +40,6 @@ table ip vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -51,11 +48,15 @@ table ip vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -66,6 +67,13 @@ table ip vyos_conntrack { notrack } +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} chain FW_CONNTRACK { @@ -122,9 +130,6 @@ table ip6 vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -132,11 +137,15 @@ table ip6 vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -144,6 +153,13 @@ table ip6 vyos_conntrack { notrack } +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} chain FW_CONNTRACK { |