author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-05 14:51:16 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2023-09-05 20:27:49 +0200 |
commit | 0de3de1e0a78eb35b666b8f613d3e54fd3ad54e4 (patch) | |
tree | 65634cc41a39f87eed6542e583649cca68dfb403 /data/templates | |
parent | 0c8823c0021d45a791ef95eaca1516b900d8cb68 (diff) | |
interface: T5550: Interface source-validation priority over global value
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/firewall/nftables.j2 | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 0fbddfaa9..d7660c37b 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -5,29 +5,36 @@ flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter + table raw { chain FW_CONNTRACK { {{ ipv4_conntrack_action }} } + + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } } table ip6 raw { chain FW_CONNTRACK { {{ ipv6_conntrack_action }} } -} -{% if first_install is not vyos_defined %} -delete table inet vyos_global_rpfilter -{% endif %} -table inet vyos_global_rpfilter { - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; + chain vyos_global_rpfilter { {% if global_options.source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop {% elif global_options.source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} + return } } |
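Review bot: The removed upgrade step `{% if first_install is not vyos_defined %} delete table inet vyos_global_rpfilter {% endif %}` has no replacement in this hunk, so on a system updated in place the old `inet vyos_global_rpfilter` table with its `type filter hook prerouting priority -300` chain can stay loaded and keep dropping packets according to the previous global setting, bypassing the new interface-over-global priority — unless that table is deleted elsewhere (a migration script outside data/templates, which this diffstat does not show). I would keep the guarded cleanup for at least one release, `{% if first_install is not vyos_defined %}`, `delete table inet vyos_global_rpfilter`, `{% endif %}`, placed before the new `table raw {` block. The new `vyos_global_rpfilter` chains in `table raw` and `table ip6 raw` are regular chains with no hook, so they only take effect when a base chain jumps to them; that jump is not in this hunk, and a one-line comment above each chain such as `# regular chain: reached via jump from the per-interface source-validation rules` would tell the next reader where the entry point lives. The `return` at the end of each chain is implicit for a regular chain and can be dropped, and the identical Jinja block repeated for both families would read better as one macro in nftables-defines.j2.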