nhrp: T2199: Use separate table in nftables for NHRP rules

author: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-09-12 22:49:34 +0200
committer: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-09-14 12:56:09 +0200
commit: 31cd47594aa54f6d04500e16c67e723d548df8d6 (patch)
tree: df30571e0f6c6422c80557ed568ad210e5a3c3ea /data/templates/nhrp/nftables.conf.j2
parent: 30945f39d6d1f0fdba34ce1c2d887a1a6823ecbe (diff)
download: vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.tar.gz
vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.zip
1 files changed, 17 insertions, 0 deletions
diff --git a/data/templates/nhrp/nftables.conf.j2 b/data/templates/nhrp/nftables.conf.j2
new file mode 100644
index 000000000..a0d1f6d4c
--- /dev/null
+++ b/data/templates/nhrp/nftables.conf.j2
@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+{% if first_install is not vyos_defined %}
+delete table ip vyos_nhrp_filter
+{% endif %}
+table ip vyos_nhrp_filter {
+    chain VYOS_NHRP_OUTPUT {
+        type filter hook output priority 10; policy accept;
+{% if tunnel is vyos_defined %}
+{%     for tun, tunnel_conf in tunnel.items() %}
+{%         if if_tunnel[tun].source_address is vyos_defined %}
+        ip protocol gre ip saddr {{ if_tunnel[tun].source_address }} ip daddr 224.0.0.0/4 counter drop comment "VYOS_NHRP_{{ tun }}"
+{%         endif %}
+{%     endfor %}
+{% endif %}
+    }
+}
author	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-09-12 22:49:34 +0200
committer	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-09-14 12:56:09 +0200
commit	31cd47594aa54f6d04500e16c67e723d548df8d6 (patch)
tree	df30571e0f6c6422c80557ed568ad210e5a3c3ea /data/templates/nhrp/nftables.conf.j2
parent	30945f39d6d1f0fdba34ce1c2d887a1a6823ecbe (diff)
download	vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.tar.gz vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.zip