Merge pull request #927 from zdc/T3655-sagitta

VRF: T3655: proper connection tracking for VRFs
author: Christian Poessinger <christian@poessinger.com> 2021-07-17 22:33:09 +0200
committer: GitHub <noreply@github.com> 2021-07-17 22:33:09 +0200
commit: 76466a4b974a0c7808bf7ab4f621a32f04daad3a (patch)
tree: 8fff16af04de6751f5334695d6b130c90b2915a7 /data
parent: 94531412e7309740a92e8099f62e61a6f7d739cb (diff)
parent: 22791e26f444766dc9f9e1729b72893208f58079 (diff)
download: vyos-1x-76466a4b974a0c7808bf7ab4f621a32f04daad3a.tar.gz
vyos-1x-76466a4b974a0c7808bf7ab4f621a32f04daad3a.zip
1 files changed, 17 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.tmpl
new file mode 100644
index 000000000..eecf47b78
--- /dev/null
+++ b/data/templates/firewall/nftables-vrf-zones.tmpl
@@ -0,0 +1,17 @@
+table inet vrf_zones {
+  # Map of interfaces and connections tracking zones
+  map ct_iface_map {
+    typeof iifname : ct zone
+  }
+  # Assign unique zones for each VRF
+  # Chain for inbound traffic
+  chain vrf_zones_ct_in {
+    type filter hook prerouting priority raw; policy accept;
+    counter ct zone set iifname map @ct_iface_map
+  }
+  # Chain for locally-generated traffic
+  chain vrf_zones_ct_out {
+    type filter hook output priority raw; policy accept;
+    counter ct zone set oifname map @ct_iface_map
+  }
+}
author	Christian Poessinger <christian@poessinger.com>	2021-07-17 22:33:09 +0200
committer	GitHub <noreply@github.com>	2021-07-17 22:33:09 +0200
commit	76466a4b974a0c7808bf7ab4f621a32f04daad3a (patch)
tree	8fff16af04de6751f5334695d6b130c90b2915a7 /data
parent	94531412e7309740a92e8099f62e61a6f7d739cb (diff)
parent	22791e26f444766dc9f9e1729b72893208f58079 (diff)
download	vyos-1x-76466a4b974a0c7808bf7ab4f621a32f04daad3a.tar.gz vyos-1x-76466a4b974a0c7808bf7ab4f621a32f04daad3a.zip