T6647: firewall. Introduce patch for accepting ARP and DHCP replies on stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.

1 files changed, 7 insertions, 1 deletions

diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 155b7f4d0..034328400 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -376,8 +376,14 @@ table bridge vyos_filter {
 
 {%     if bridge.output is vyos_defined %}
 {%         for prior, conf in bridge.output.items() %}
-    chain VYOS_OUTUT_{{ prior }} {
+    chain VYOS_OUTPUT_{{ prior }} {
         type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.apply_to_bridged_traffic is vyos_defined %}
+{%                 if 'invalid_connections' in global_options.apply_to_bridged_traffic %}
+        ct state invalid udp sport 67 udp dport 68 counter accept
+        ct state invalid ether type arp counter accept
+{%                 endif %}
+{%             endif %}
 {%             if global_options.state_policy is vyos_defined %}
         jump VYOS_STATE_POLICY
 {%             endif %}