diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-18 18:45:25 +0100 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-01-18 19:00:02 +0100 |
| commit | a7e14cba820fcb4a0f448c05d4480e00d26130ee (patch) | |
| tree | 0996f0e1bad2413e2be20b6fe360937e971ce75c /data | |
| parent | 385b72da4845e5c247aaeae9469ca04da216a4cb (diff) | |
| download | vyos-1x-a7e14cba820fcb4a0f448c05d4480e00d26130ee.tar.gz vyos-1x-a7e14cba820fcb4a0f448c05d4480e00d26130ee.zip | |
firewall: T4188: Create default conntrack `FW_CONNTRACK` chain
This chain was missing from the XML/Python rewrite thus all traffic fell through to the `notrack` rule.
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/firewall/nftables.tmpl | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index e8fa4e306..81b2c0b98 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.tmpl @@ -175,6 +175,7 @@ table raw { counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK notrack } @@ -183,6 +184,7 @@ table raw { counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK notrack } @@ -220,6 +222,10 @@ table raw { chain VYOS_CT_OUTPUT_HOOK { return } + + chain FW_CONNTRACK { + accept + } } table ip6 raw { @@ -230,12 +236,14 @@ table ip6 raw { chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK notrack } chain OUTPUT { type filter hook output priority -300; policy accept; counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK notrack } @@ -246,5 +254,9 @@ table ip6 raw { chain VYOS_CT_OUTPUT_HOOK { return } + + chain FW_CONNTRACK { + accept + } } {% endif %} |