Merge pull request #2199 from sarthurdev/T4309

conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups

1 files changed, 31 insertions, 0 deletions

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index b0026fdf3..7e258e6f1 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -102,6 +102,8 @@ table ip6 raw {
 
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_PREROUTING_HOOK
         counter jump FW_CONNTRACK
         notrack
@@ -109,11 +111,40 @@ table ip6 raw {
 
     chain OUTPUT {
         type filter hook output priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_OUTPUT_HOOK
         counter jump FW_CONNTRACK
         notrack
     }
 
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+
+    chain VYOS_CT_HELPER {
+        ct helper set "rpc_tcp" tcp dport {111} return
+        ct helper set "rpc_udp" udp dport {111} return
+        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+        return
+    }
+
+    chain VYOS_CT_IGNORE {
+        return
+    }
+
+    chain VYOS_CT_TIMEOUT {
+        return
+    }
+
     chain VYOS_CT_PREROUTING_HOOK {
         return
     }