diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-01-11 06:41:17 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-11 06:41:17 +0100 |
| commit | 68bacdc20c10566671ce809e9668ca27666bca22 (patch) | |
| tree | 105a4f0cb3570f3e70770d3859f93ec6ea1c8e4e /data/templates/firewall | |
| parent | 942f4cf77dbacc09393b577c2122e403fd788194 (diff) | |
| parent | e8070a2e36e9101d52d7db4025f7ff37a00625e8 (diff) | |
| download | vyos-1x-68bacdc20c10566671ce809e9668ca27666bca22.tar.gz vyos-1x-68bacdc20c10566671ce809e9668ca27666bca22.zip | |
Merge pull request #2793 from sarthurdev/T5550_sagitta
interface: T5550: Interface source-validation priority over global value (backport)
Diffstat (limited to 'data/templates/firewall')
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 3f7906628..4851e3a05 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -8,29 +8,36 @@ flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter + table raw { chain FW_CONNTRACK { {{ ipv4_conntrack_action }} } + + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } } table ip6 raw { chain FW_CONNTRACK { {{ ipv6_conntrack_action }} } -} -{% if first_install is not vyos_defined %} -delete table inet vyos_global_rpfilter -{% endif %} -table inet vyos_global_rpfilter { - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; -{% if global_options.source_validation is vyos_defined('loose') %} + chain vyos_global_rpfilter { +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop -{% elif global_options.source_validation is vyos_defined('strict') %} +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} + return } } |