firewall: T5729: T5681: T5217: backport subsystem from current branch

This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
author: Christian Breunig <christian@breunig.cc> 2024-01-19 21:01:52 +0100
committer: Christian Breunig <christian@breunig.cc> 2024-01-22 07:47:17 +0100
commit: 2ec023752bdd400835eb69a8f1f9d2873cef61fa (patch)
tree: 136e81b7fac983ff74601efdd90dfb4255fb35d6 /data/vyos-firewall-init.conf
parent: 5c6d4b17d90cdfdf1541d81fb081575c54b168a7 (diff)
download: vyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.tar.gz
vyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.zip
1 files changed, 5 insertions, 77 deletions
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index b0026fdf3..cd7d5011f 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -9,6 +9,7 @@ table ip nat {
 }
 
 table inet mangle {
+    # Used by system flow-accounting
     chain FORWARD {
         type filter hook forward priority -150; policy accept;
     }
@@ -28,61 +29,9 @@ table raw {
         counter jump vyos_global_rpfilter
     }
 
-    chain PREROUTING {
+    # Used by system flow-accounting
+    chain VYOS_PREROUTING_HOOK {
         type filter hook prerouting priority -300; policy accept;
-        counter jump VYOS_CT_IGNORE
-        counter jump VYOS_CT_TIMEOUT
-        counter jump VYOS_CT_PREROUTING_HOOK
-        counter jump FW_CONNTRACK
-        notrack
-    }
-
-    chain OUTPUT {
-        type filter hook output priority -300; policy accept;
-        counter jump VYOS_CT_IGNORE
-        counter jump VYOS_CT_TIMEOUT
-        counter jump VYOS_CT_OUTPUT_HOOK
-        counter jump FW_CONNTRACK
-        notrack
-    }
-
-    ct helper rpc_tcp {
-        type "rpc" protocol tcp;
-    }
-
-    ct helper rpc_udp {
-        type "rpc" protocol udp;
-    }
-
-    ct helper tns_tcp {
-        type "tns" protocol tcp;
-    }
-
-    chain VYOS_CT_HELPER {
-        ct helper set "rpc_tcp" tcp dport {111} return
-        ct helper set "rpc_udp" udp dport {111} return
-        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
-        return
-    }
-
-    chain VYOS_CT_IGNORE {
-        return
-    }
-
-    chain VYOS_CT_TIMEOUT {
-        return
-    }
-
-    chain VYOS_CT_PREROUTING_HOOK {
-        return
-    }
-
-    chain VYOS_CT_OUTPUT_HOOK {
-        return
-    }
-
-    chain FW_CONNTRACK {
-        return
     }
 }
 
@@ -100,29 +49,8 @@ table ip6 raw {
         counter jump vyos_global_rpfilter
     }
 
-    chain PREROUTING {
+    # Used by system flow-accounting
+    chain VYOS_PREROUTING_HOOK {
         type filter hook prerouting priority -300; policy accept;
-        counter jump VYOS_CT_PREROUTING_HOOK
-        counter jump FW_CONNTRACK
-        notrack
-    }
-
-    chain OUTPUT {
-        type filter hook output priority -300; policy accept;
-        counter jump VYOS_CT_OUTPUT_HOOK
-        counter jump FW_CONNTRACK
-        notrack
-    }
-
-    chain VYOS_CT_PREROUTING_HOOK {
-        return
-    }
-
-    chain VYOS_CT_OUTPUT_HOOK {
-        return
-    }
-
-    chain FW_CONNTRACK {
-        return
     }
 }
author	Christian Breunig <christian@breunig.cc>	2024-01-19 21:01:52 +0100
committer	Christian Breunig <christian@breunig.cc>	2024-01-22 07:47:17 +0100
commit	2ec023752bdd400835eb69a8f1f9d2873cef61fa (patch)
tree	136e81b7fac983ff74601efdd90dfb4255fb35d6 /data/vyos-firewall-init.conf
parent	5c6d4b17d90cdfdf1541d81fb081575c54b168a7 (diff)
download	vyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.tar.gz vyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.zip