author | Christian Poessinger <christian@poessinger.com> | 2022-02-05 19:57:51 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-05 19:57:51 +0100 |
commit | 9077c834b3dea1e984e3153a245e4ac715f0bcb2 (patch) | |
tree | 10a815acb24511ec700e802c2e3ec0fc7ea6a844 /data/templates/firewall/nftables.tmpl | |
parent | 568c33e3773ca946470005c105446f40700f6844 (diff) | |
parent | 22f0794a9f195e69e277d48f031fe934febe9408 (diff) | |
Merge pull request #1206 from sarthurdev/T4209
firewall: T4209: Fix support for rule `recent` matches
Diffstat (limited to 'data/templates/firewall/nftables.tmpl')
-rw-r--r-- | data/templates/firewall/nftables.tmpl | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
index 468a5a32f..0cc977cf9 100644
--- a/data/templates/firewall/nftables.tmpl
+++ b/data/templates/firewall/nftables.tmpl
@@ -31,16 +31,27 @@ table ip filter {
 }
 {% endif %}
 {% if name is defined %}
+{% set ns = namespace(sets=[]) %}
 {% for name_text, conf in name.items() %}
 chain NAME_{{ name_text }} {
 {% if conf.rule is defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
 {{ rule_conf | nft_rule(name_text, rule_id) }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
 {% endfor %}
 {% endif %}
 {{ conf | nft_default_rule(name_text) }}
 }
 {% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT_{{ set_name }} {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
 {% endif %}
 {% if state_policy is defined %}
 chain VYOS_STATE_POLICY {
@@ -81,16 +92,27 @@ table ip6 filter {
 }
 {% endif %}
 {% if ipv6_name is defined %}
+{% set ns = namespace(sets=[]) %}
 {% for name_text, conf in ipv6_name.items() %}
 chain NAME6_{{ name_text }} {
 {% if conf.rule is defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
 {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
 {% endfor %}
 {% endif %}
 {{ conf | nft_default_rule(name_text) }}
 }
 {% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT6_{{ set_name }} {
+ type ipv6_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
 {% endif %}
 {% if state_policy is defined %}
 chain VYOS_STATE_POLICY6 { |
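Review bot: The `set RECENT_{{ set_name }}` declarations added at the end of the first hunk (and `RECENT6_` in the second) give every rule a dynamic set with a fixed `size 65535` and `flags dynamic` only, with nothing in the template saying how entries expire; unless the `nft_rule` filter, which is not shown here, writes per-element timeouts into its `add @RECENT_...` updates, a set that fills up stops accepting new addresses and the `recent` match silently stops counting them, which matters most under a flood from many source addresses. If per-element timeouts are intended, declaring `flags dynamic,timeout` makes that explicit, and the cap is worth turning into a template variable or at least documenting in place. A short Jinja comment above the first `{% for set_name in ns.sets %}` would help the next maintainer, e.g. `{# one dynamic set per rule that uses a 'recent' match; the rule body in nft_rule is expected to add/check entries here #}`. Both hunks sit inside `table ip filter {` / `table ip6 filter {` blocks whose opening and closing lines are outside the hunks.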