Merge pull request #2498 from nicolas-fort/T4072-sagitta

T4072: firewall: backport bridge firewall to sagitta

1 files changed, 13 insertions, 2 deletions

diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 6257b576a..9fcacf677 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,6 +1,7 @@
 #!/usr/sbin/nft -f
 
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
+{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
 {% import 'firewall/nftables-zone.j2' as zone_tmpl %}
 
 flush chain raw FW_CONNTRACK
@@ -147,7 +148,7 @@ table ip vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, False) }}
+{{ group_tmpl.groups(group, False, True) }}
 
 {% if zone is vyos_defined %}
 {{ zone_tmpl.zone_chains(zone, False) }}
@@ -254,10 +255,20 @@ table ip6 vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, True) }}
+{{ group_tmpl.groups(group, True, True) }}
 
 {% if zone is vyos_defined %}
 {{ zone_tmpl.zone_chains(zone, True) }}
 {% endif %}
 
+}
+
+## Bridge Firewall
+{% if first_install is not vyos_defined %}
+delete table bridge vyos_filter
+{% endif %}
+table bridge vyos_filter {
+{{ bridge_tmpl.bridge(bridge) }}
+{{ group_tmpl.groups(group, False, False) }}
+
 }
\ No newline at end of file