authorChristian Breunig <christian@breunig.cc>2024-01-30 11:10:23 +0000
committerGitHub <noreply@github.com>2024-01-30 11:10:23 +0000
commite13d901fd903f69dad4c02152ebb4ff4ad858c7c (patch)
tree19623f23e2a6b088b066710614aead58b2af846a /data
parente79fd8fff6de28a603bc861253f01f544dd25797 (diff)
parenta009143a62caca207fdffffcf0b490c747a87025 (diff)
Merge pull request #2877 from c-po/vrf-5973
vrf: T5973: multiple bugfixes and improvements
Diffstat (limited to 'data')
-rw-r--r--data/templates/firewall/nftables-vrf-zones.j217
-rw-r--r--data/vyos-firewall-init.conf19
2 files changed, 19 insertions, 17 deletions
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
deleted file mode 100644
index 3bce7312d..000000000
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-table inet vrf_zones {
- # Map of interfaces and connections tracking zones
- map ct_iface_map {
- typeof iifname : ct zone
- }
- # Assign unique zones for each VRF
- # Chain for inbound traffic
- chain vrf_zones_ct_in {
- type filter hook prerouting priority raw; policy accept;
- counter ct original zone set iifname map @ct_iface_map
- }
- # Chain for locally-generated traffic
- chain vrf_zones_ct_out {
- type filter hook output priority raw; policy accept;
- counter ct original zone set oifname map @ct_iface_map
- }
-}
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
type filter hook prerouting priority -300; policy accept;
}
}
+
+# Required by VRF
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ counter ct original zone set iifname map @ct_iface_map
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ counter ct original zone set oifname map @ct_iface_map
+ }
+}
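Review bot: The map declared at the `map ct_iface_map {` line is empty, and nothing in this file shows where its interface-to-zone entries come from; as this is the boot-time firewall init file, the VRF configuration code presumably adds them later, so any reload of this file that starts with `flush ruleset` would silently drop every mapping and let VRF conntrack entries collapse into the default zone 0. The bare `# Required by VRF` does not warn about that; a comment such as `# Required by VRF: ct_iface_map is populated at runtime by the VRF config code (one zone per VRF); flushing/reloading this file empties it, so the VRF code must re-add its entries.` would. The `raw` priority on both chains is also load-bearing, since `ct zone set` only takes effect if it runs before conntrack (priority -300 precedes conntrack at -200), and a one-line note like `# priority raw: zone must be assigned before conntrack (-200) sees the packet` would stop someone "tidying" it to `filter`. The rest of vyos-firewall-init.conf is outside the hunk, so whether anything in it already documents this cannot be seen here.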