diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2024-02-21 16:03:07 +0100 |
---|---|---|
committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-02-22 11:02:01 +0000 |
commit | 9e65bc9dfcc2dc73b31d1a039859686bd11b476c (patch) | |
tree | a1366b33fd9c7b98233a6a5a8801a8ceda157217 /data/templates/conntrack/nftables-ct.j2 | |
parent | ec87b4c823f88a20e2a72bfd6b7426097dc1574c (diff) | |
download | vyos-1x-9e65bc9dfcc2dc73b31d1a039859686bd11b476c.tar.gz vyos-1x-9e65bc9dfcc2dc73b31d1a039859686bd11b476c.zip |
conntrack: T5376: Fix priority for CT helpers
Ref: https://www.spinics.net/lists/netfilter/msg59549.html
(cherry picked from commit 538aeeccc46d31ab54647b67c8a2ba442d61cc46)
Diffstat (limited to 'data/templates/conntrack/nftables-ct.j2')
-rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 index 762a6f693..c753e6bcb 100644 --- a/data/templates/conntrack/nftables-ct.j2 +++ b/data/templates/conntrack/nftables-ct.j2 @@ -40,9 +40,6 @@ table ip vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -51,11 +48,15 @@ table ip vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -66,6 +67,13 @@ table ip vyos_conntrack { notrack } +{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }} chain FW_CONNTRACK { @@ -122,9 +130,6 @@ table ip6 vyos_conntrack { chain PREROUTING { type filter hook prerouting priority -300; policy accept; -{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} - counter jump VYOS_CT_HELPER -{% endif %} counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -132,11 +137,15 @@ table ip6 vyos_conntrack { notrack } - chain OUTPUT { - type filter hook output priority -300; policy accept; {% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain PREROUTING_HELPER { + type filter hook prerouting priority -5; policy accept; counter jump VYOS_CT_HELPER + } {% endif %} + + chain OUTPUT { + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump FW_CONNTRACK @@ -144,6 +153,13 @@ table ip6 vyos_conntrack { notrack } +{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %} + chain OUTPUT_HELPER { + type filter hook output priority -5; policy accept; + counter jump VYOS_CT_HELPER + } +{% endif %} + {{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }} chain FW_CONNTRACK { |