summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-05 14:51:16 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-05 20:27:49 +0200
commit0de3de1e0a78eb35b666b8f613d3e54fd3ad54e4 (patch)
tree65634cc41a39f87eed6542e583649cca68dfb403 /data/templates
parent0c8823c0021d45a791ef95eaca1516b900d8cb68 (diff)
downloadvyos-1x-0de3de1e0a78eb35b666b8f613d3e54fd3ad54e4.tar.gz
vyos-1x-0de3de1e0a78eb35b666b8f613d3e54fd3ad54e4.zip
interface: T5550: Interface source-validation priority over global value
- Migrate IPv4 source-validation to nftables - Interface source-validation value takes priority, fallback to global value
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/firewall/nftables.j221
1 files changed, 14 insertions, 7 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 0fbddfaa9..d7660c37b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -5,29 +5,36 @@
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
+flush chain raw vyos_global_rpfilter
+flush chain ip6 raw vyos_global_rpfilter
+
table raw {
chain FW_CONNTRACK {
{{ ipv4_conntrack_action }}
}
+
+ chain vyos_global_rpfilter {
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ return
+ }
}
table ip6 raw {
chain FW_CONNTRACK {
{{ ipv6_conntrack_action }}
}
-}
-{% if first_install is not vyos_defined %}
-delete table inet vyos_global_rpfilter
-{% endif %}
-table inet vyos_global_rpfilter {
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
+ chain vyos_global_rpfilter {
{% if global_options.source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
{% elif global_options.source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
+ return
}
}