diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-09-06 20:25:02 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-09-06 20:25:02 +0200 |
| commit | e0825b52df4a2a4ce6d137bb8adc553f6e71fc0b (patch) | |
| tree | 997c774d1d77276337d51a7e6431074bbcc28eb4 /data | |
| parent | e208d75edd79f5b8637276c27f23ee21fd423d06 (diff) | |
| parent | be3d2f9f6623396f2e9c6543f67d81161c7ad94b (diff) | |
| download | vyos-1x-e0825b52df4a2a4ce6d137bb8adc553f6e71fc0b.tar.gz vyos-1x-e0825b52df4a2a4ce6d137bb8adc553f6e71fc0b.zip | |
Merge pull request #2208 from sarthurdev/T5550
interface: T5550: Interface source-validation priority over global value
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 25 | ||||
| -rw-r--r-- | data/vyos-firewall-init.conf | 14 |
2 files changed, 30 insertions, 9 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 0fbddfaa9..a82a5537b 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -5,29 +5,36 @@ flush chain raw FW_CONNTRACK flush chain ip6 raw FW_CONNTRACK +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter + table raw { chain FW_CONNTRACK { {{ ipv4_conntrack_action }} } + + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return + } } table ip6 raw { chain FW_CONNTRACK { {{ ipv6_conntrack_action }} } -} -{% if first_install is not vyos_defined %} -delete table inet vyos_global_rpfilter -{% endif %} -table inet vyos_global_rpfilter { - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; -{% if global_options.source_validation is vyos_defined('loose') %} + chain vyos_global_rpfilter { +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop -{% elif global_options.source_validation is vyos_defined('strict') %} +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} + return } } diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 41e7627f5..b0026fdf3 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -19,6 +19,15 @@ table raw { type filter hook forward priority -300; policy accept; } + chain vyos_global_rpfilter { + return + } + + chain vyos_rpfilter { + type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter + } + chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_IGNORE @@ -82,8 +91,13 @@ table ip6 raw { type filter hook forward priority -300; policy accept; } + chain vyos_global_rpfilter { + return + } + chain vyos_rpfilter { type filter hook prerouting priority -300; policy accept; + counter jump vyos_global_rpfilter } chain PREROUTING { |