summaryrefslogtreecommitdiff
path: root/data/vyos-firewall-init.conf
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-14 03:01:56 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2023-09-16 13:20:10 +0200
commit734d84f696944419a2d6f11bc16dda03900add34 (patch)
treec87f245e4c9dafd9941438831e62197518e8a46a /data/vyos-firewall-init.conf
parent27ad9f5ba6437d66178450b37c7a5bf79bc3d67a (diff)
downloadvyos-1x-734d84f696944419a2d6f11bc16dda03900add34.tar.gz
vyos-1x-734d84f696944419a2d6f11bc16dda03900add34.zip
conntrack: T5571: Refactor conntrack to be independent conf script from firewall, nat, nat66
Diffstat (limited to 'data/vyos-firewall-init.conf')
-rw-r--r--data/vyos-firewall-init.conf113
1 files changed, 5 insertions, 108 deletions
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 7e258e6f1..cd7d5011f 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -9,6 +9,7 @@ table ip nat {
}
table inet mangle {
+ # Used by system flow-accounting
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
@@ -28,61 +29,9 @@ table raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}
@@ -100,60 +49,8 @@ table ip6 raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}