Merge pull request #2905 from vyos/mergify/bp/sagitta/pr-2877

vrf: T5973: multiple bugfixes and improvements (backport #2877)

1 files changed, 19 insertions, 0 deletions

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
         type filter hook prerouting priority -300; policy accept;
     }
 }
+
+# Required by VRF
+table inet vrf_zones {
+    # Map of interfaces and connections tracking zones
+    map ct_iface_map {
+        typeof iifname : ct zone
+    }
+    # Assign unique zones for each VRF
+    # Chain for inbound traffic
+    chain vrf_zones_ct_in {
+        type filter hook prerouting priority raw; policy accept;
+        counter ct original zone set iifname map @ct_iface_map
+    }
+    # Chain for locally-generated traffic
+    chain vrf_zones_ct_out {
+        type filter hook output priority raw; policy accept;
+        counter ct original zone set oifname map @ct_iface_map
+    }
+}