author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-12 22:49:34 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-14 12:56:09 +0200 |
commit | 31cd47594aa54f6d04500e16c67e723d548df8d6 (patch) | |
tree | df30571e0f6c6422c80557ed568ad210e5a3c3ea /data | |
parent | 30945f39d6d1f0fdba34ce1c2d887a1a6823ecbe (diff) | |
download | vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.tar.gz vyos-1x-31cd47594aa54f6d04500e16c67e723d548df8d6.zip |
nhrp: T2199: Use separate table in nftables for NHRP rules
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/nhrp/nftables.conf.j2 | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/data/templates/nhrp/nftables.conf.j2 b/data/templates/nhrp/nftables.conf.j2
new file mode 100644
index 000000000..a0d1f6d4c
--- /dev/null
+++ b/data/templates/nhrp/nftables.conf.j2
@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+{% if first_install is not vyos_defined %}
+delete table ip vyos_nhrp_filter
+{% endif %}
+table ip vyos_nhrp_filter {
+ chain VYOS_NHRP_OUTPUT {
+ type filter hook output priority 10; policy accept;
+{% if tunnel is vyos_defined %}
+{% for tun, tunnel_conf in tunnel.items() %}
+{% if if_tunnel[tun].source_address is vyos_defined %}
+ ip protocol gre ip saddr {{ if_tunnel[tun].source_address }} ip daddr 224.0.0.0/4 counter drop comment "VYOS_NHRP_{{ tun }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+ }
+} |
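Review bot: The unconditional `delete table ip vyos_nhrp_filter` inside the `first_install is not vyos_defined` branch makes the whole ruleset load abort if that table does not exist, since `nft -f` stops at the first error; that happens whenever the table was flushed or removed outside this template (a manual `nft flush ruleset`, a failed earlier apply) while the caller still reports a non-first install, and the result is that no NHRP drop rule is installed at all. The idempotent nftables idiom is to declare the table before deleting it, so the delete always has something to act on: `table ip vyos_nhrp_filter` on the line before `delete table ip vyos_nhrp_filter`. Whether the generator actually passes `first_install` on every path is not visible here, so this is a hardening against drift rather than a confirmed failure in the normal flow. Separately, `tunnel_conf` in the `for` loop is never referenced; `{% for tun in tunnel %}` states the intent more plainly, and a one-line comment above the rule explaining that kernel-originated GRE multicast from the tunnel source is dropped so that it cannot bypass the NHRP daemon would save the next reader from guessing at the `224.0.0.0/4` match.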