authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-09-29 13:59:10 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2023-08-25 15:53:30 +0200
commitd62f8ed1e3608d82e3e4fb7566817839023aa39c (patch)
tree4613bd1c9b5fc983c7cc1031d3e64677d528329c /data/templates/firewall
parent5ea0428a08ae9e85fe2ebb6bb85dca07c5eb694f (diff)
firewall: T3509: Add support for IPv6 return path filtering
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables.j214
1 files changed, 14 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 10cbc68cb..d889a505d 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -3,6 +3,20 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
+delete table inet vyos_rpfilter
+{% endif %}
+table inet vyos_rpfilter {
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ }
+}
+
+{% if first_install is not vyos_defined %}
delete table ip vyos_filter
{% endif %}
table ip vyos_filter {