authorChristian Poessinger <christian@poessinger.com>2020-05-11 18:58:05 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 15:30:26 +0200
commit1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c (patch)
treecaa41f12fb793bb6fa0b7e6a8c45e2318484d911 /data/templates/firewall
parenta927192af24079e6d392e5cae0340441490c0091 (diff)
downloadvyos-1x-1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c.tar.gz
vyos-1x-1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c.zip
nat: T2198: automatically determine handler numbers
When instantiating NAT it is required to install some nftables jump targets. The targets need to be added after a specific other target, thus we need to dynamically query the handler number. This is done by get_handler(), which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite.
Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl19
1 files changed, 15 insertions, 4 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 340ab3678..343807e79 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -3,11 +3,22 @@
# Start with a "clean" NAT table
flush table nat
+{% for rule in init_deinit -%}
+# Add or remove conntrack helper rules for NAT operation-
+{{ rule }}
+{% endfor %}
+
add chain ip raw NAT_CONNTRACK
-add rule ip raw PREROUTING position 25 counter jump VYATTA_CT_HELPER
-add rule ip raw PREROUTING position 17 counter jump NAT_CONNTRACK
-add rule ip raw OUTPUT position 26 counter jump VYATTA_CT_HELPER
-add rule ip raw OUTPUT position 21 counter jump NAT_CONNTRACK
+
+# insert rule after VYATTA_CT_IGNORE
+add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
+# insert rule after VYATTA_CT_PREROUTING_HOOK
+add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+# insert rule after VYATTA_CT_IGNORE
+add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
+# insert rule after VYATTA_CT_PREROUTING_HOOK
+add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+
add rule ip raw NAT_CONNTRACK counter accept