authorChristian Poessinger <christian@poessinger.com>2022-06-12 09:32:27 +0200
committerGitHub <noreply@github.com>2022-06-12 09:32:27 +0200
commit59526a8adca2922f42778d7563bc0ddc32cfdda8 (patch)
tree37068db2932e20ed4aec01329c9e60d16eb769ed /data
parentfe18efba34c5d95d3052c9e6fda69668bbfe63f3 (diff)
parent8ba45cfcc1cc3fba57e1f82fa1299b7c253ba5ea (diff)
Merge pull request #1357 from sarthurdev/geoip
firewall: T4299: Add support for GeoIP filtering
Diffstat (limited to 'data')
-rw-r--r--data/templates/firewall/nftables-geoip-update.j233
-rw-r--r--data/templates/firewall/nftables.j216
2 files changed, 49 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2
new file mode 100644
index 000000000..f9e61a274
--- /dev/null
+++ b/data/templates/firewall/nftables-geoip-update.j2
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+{% if ipv4_sets is vyos_defined %}
+{% for setname, ip_list in ipv4_sets.items() %}
+flush set ip filter {{ setname }}
+{% endfor %}
+
+table ip filter {
+{% for setname, ip_list in ipv4_sets.items() %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
+
+{% if ipv6_sets is vyos_defined %}
+{% for setname, ip_list in ipv6_sets.items() %}
+flush set ip6 filter {{ setname }}
+{% endfor %}
+
+table ip6 filter {
+{% for setname, ip_list in ipv6_sets.items() %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
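Review bot: An empty `ip_list` renders `elements = { }` at the `elements = { {{ ','.join(ip_list) }} }` lines (both the ip and ip6 blocks), which nft, as far as I know, rejects as a syntax error; because the file is loaded with `nft -f` as a single transaction, one empty country list would then leave every GeoIP set un-refreshed. Wrapping that line in `{% if ip_list | length > 0 %}` … `{% endif %}` keeps the flush and lets the rest of the file load. The entries are also joined into the script verbatim, so if they come from a downloaded database the caller should validate each one as an address or prefix (for example with Python's `ipaddress` module) before rendering. The leading `flush set` commands presumably require the sets to exist already, which makes this script depend on the main ruleset having been loaded first.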
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 1f88ae40c..961b83301 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -60,6 +60,14 @@ table ip filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.name is vyos_defined %}
+{% for setname in geoip_updated.name %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
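Review bot: The sets added after the `{% endfor %}` in `table ip filter` are declared without `elements`, and nothing in the template says where their contents come from. Until the separate update script fills them, a rule matching on one of these sets matches nothing, so a drop-by-country rule would presumably pass traffic in that window; a template comment such as `{# GeoIP sets are declared empty here; elements are loaded by nftables-geoip-update.j2 #}` would make that dependency visible. The same applies to the `geoip_updated.ipv6_name` block in the `table ip6 filter` hunk. The enclosing `{% if %}` opens outside the hunk, so what gates these declarations is not visible here.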
@@ -121,6 +129,14 @@ table ip6 filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.ipv6_name is vyos_defined %}
+{% for setname in geoip_updated.ipv6_name %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {