diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-16 15:37:56 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-11-16 21:14:55 +0000 |
commit | 2dc2df575bc4de60759a272f5e6880326501a7ef (patch) | |
tree | bddfd01ad32d64a00af56ee1b77799ee38494ec1 /data/templates/firewall/nftables-bridge.j2 | |
parent | c1754c4c0610824d54d03b5408ade26112bd643f (diff) | |
download | vyos-1x-2dc2df575bc4de60759a272f5e6880326501a7ef.tar.gz vyos-1x-2dc2df575bc4de60759a272f5e6880326501a7ef.zip |
T4072: firewall: backport bridge firewall to sagitta
Diffstat (limited to 'data/templates/firewall/nftables-bridge.j2')
-rw-r--r-- | data/templates/firewall/nftables-bridge.j2 | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2 new file mode 100644 index 000000000..1a4ad2ed9 --- /dev/null +++ b/data/templates/firewall/nftables-bridge.j2 @@ -0,0 +1,35 @@ +{% macro bridge(bridge) %} +{% set ns = namespace(sets=[]) %} +{% if bridge.forward is vyos_defined %} +{% for prior, conf in bridge.forward.items() %} +{% set def_action = conf.default_action %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + } +{% endfor %} +{% endif %} + +{% if bridge.name is vyos_defined %} +{% for name_text, conf in bridge.name.items() %} + chain NAME_{{ name_text }} { +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(name_text) }} + } +{% endfor %} +{% endif %} +{% endmacro %}
\ No newline at end of file |