firewall: T4353: fix Jinja2 linting errors

1 files changed, 274 insertions, 0 deletions

diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
new file mode 100644
index 000000000..fac3fad03
--- /dev/null
+++ b/data/templates/firewall/nftables.j2
@@ -0,0 +1,274 @@
+#!/usr/sbin/nft -f
+
+{% if cleanup_commands is vyos_defined %}
+{%     for command in cleanup_commands %}
+{{ command }}
+{%     endfor %}
+{% endif %}
+
+include "/run/nftables_defines.conf"
+
+table ip filter {
+{% if first_install is vyos_defined %}
+    chain VYOS_FW_FORWARD {
+        type filter hook forward priority 0; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_FW_LOCAL {
+        type filter hook input priority 0; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_FW_OUTPUT {
+        type filter hook output priority 0; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_POST_FW {
+        return
+    }
+    chain VYOS_FRAG_MARK {
+        type filter hook prerouting priority -450; policy accept;
+        ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
+    }
+{% endif %}
+{% if name is vyos_defined %}
+{%     set ns = namespace(sets=[]) %}
+{%     for name_text, conf in name.items() %}
+    chain NAME_{{ name_text }} {
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+        {{ rule_conf | nft_rule(name_text, rule_id) }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+        {{ conf | nft_default_rule(name_text) }}
+    }
+{%     endfor %}
+{%     for set_name in ns.sets %}
+    set RECENT_{{ set_name }} {
+        type ipv4_addr
+        size 65535
+        flags dynamic
+    }
+{%     endfor %}
+{% endif %}
+{% if state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY {
+{%     if state_policy.established is vyos_defined %}
+        {{ state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if state_policy.invalid is vyos_defined %}
+        {{ state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if state_policy.related is vyos_defined %}
+        {{ state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
+}
+
+table ip6 filter {
+{% if first_install is vyos_defined %}
+    chain VYOS_FW6_FORWARD {
+        type filter hook forward priority 0; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_FW6_LOCAL {
+        type filter hook input priority 0; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_FW6_OUTPUT {
+        type filter hook output priority 0; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_POST_FW6 {
+        return
+    }
+    chain VYOS_FRAG6_MARK {
+        type filter hook prerouting priority -450; policy accept;
+        exthdr frag exists meta mark set 0xffff1 return
+    }
+{% endif %}
+{% if ipv6_name is vyos_defined %}
+{%     set ns = namespace(sets=[]) %}
+{%     for name_text, conf in ipv6_name.items() %}
+    chain NAME6_{{ name_text }} {
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+        {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+        {{ conf | nft_default_rule(name_text) }}
+    }
+{%     endfor %}
+{%     for set_name in ns.sets %}
+    set RECENT6_{{ set_name }} {
+        type ipv6_addr
+        size 65535
+        flags dynamic
+    }
+{%     endfor %}
+{% endif %}
+{% if state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY6 {
+{%     if state_policy.established is vyos_defined %}
+        {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
+{%     endif %}
+{%     if state_policy.invalid is vyos_defined %}
+        {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
+{%     endif %}
+{%     if state_policy.related is vyos_defined %}
+        {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
+{%     endif %}
+        return
+    }
+{% endif %}
+}
+
+{% if first_install is vyos_defined %}
+table ip nat {
+    chain PREROUTING {
+        type nat hook prerouting priority -100; policy accept;
+        counter jump VYOS_PRE_DNAT_HOOK
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority 100; policy accept;
+        counter jump VYOS_PRE_SNAT_HOOK
+    }
+
+    chain VYOS_PRE_DNAT_HOOK {
+        return
+    }
+
+    chain VYOS_PRE_SNAT_HOOK {
+        return
+    }
+}
+
+table ip6 nat {
+    chain PREROUTING {
+        type nat hook prerouting priority -100; policy accept;
+        counter jump VYOS_DNPT_HOOK
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority 100; policy accept;
+        counter jump VYOS_SNPT_HOOK
+    }
+
+    chain VYOS_DNPT_HOOK {
+        return
+    }
+
+    chain VYOS_SNPT_HOOK {
+        return
+    }
+}
+
+table inet mangle {
+    chain FORWARD {
+        type filter hook forward priority -150; policy accept;
+    }
+}
+
+table raw {
+    chain VYOS_TCP_MSS {
+        type filter hook forward priority -300; policy accept;
+    }
+
+    chain PREROUTING {
+        type filter hook prerouting priority -200; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
+        counter jump VYOS_CT_PREROUTING_HOOK
+        counter jump FW_CONNTRACK
+        notrack
+    }
+
+    chain OUTPUT {
+        type filter hook output priority -200; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
+        counter jump VYOS_CT_OUTPUT_HOOK
+        counter jump FW_CONNTRACK
+        notrack
+    }
+
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+
+    chain VYOS_CT_HELPER {
+        ct helper set "rpc_tcp" tcp dport {111} return
+        ct helper set "rpc_udp" udp dport {111} return
+        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+        return
+    }
+
+    chain VYOS_CT_IGNORE {
+        return
+    }
+
+    chain VYOS_CT_TIMEOUT {
+        return
+    }
+
+    chain VYOS_CT_PREROUTING_HOOK {
+        return
+    }
+
+    chain VYOS_CT_OUTPUT_HOOK {
+        return
+    }
+
+    chain FW_CONNTRACK {
+        accept
+    }
+}
+
+table ip6 raw {
+    chain VYOS_TCP_MSS {
+        type filter hook forward priority -300; policy accept;
+    }
+
+    chain PREROUTING {
+        type filter hook prerouting priority -300; policy accept;
+        counter jump VYOS_CT_PREROUTING_HOOK
+        counter jump FW_CONNTRACK
+        notrack
+    }
+
+    chain OUTPUT {
+        type filter hook output priority -300; policy accept;
+        counter jump VYOS_CT_OUTPUT_HOOK
+        counter jump FW_CONNTRACK
+        notrack
+    }
+
+    chain VYOS_CT_PREROUTING_HOOK {
+        return
+    }
+
+    chain VYOS_CT_OUTPUT_HOOK {
+        return
+    }
+
+    chain FW_CONNTRACK {
+        accept
+    }
+}
+{% endif %}