author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-12-05 10:36:14 +0000 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-12-05 10:44:19 +0000 |
commit | 24a1a70596fafdd35d88506159e6cb9cd94e7a66 (patch) | |
tree | 7ff0ee8d2bf779ce758ce2b3834d968c987207a8 /data | |
parent | 7ec55fca91f2fd606e16325166b96a18dcb3d2c5 (diff) | |
download | vyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.tar.gz vyos-1x-24a1a70596fafdd35d88506159e6cb9cd94e7a66.zip |
T5779: conntrack: Apply fixes to <set system conntrack timeout custom>. Remove what was not working on 1.3, migrate what was working to new syntax and extend feature for ipv6.
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/conntrack/nftables-ct.j2 | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 1e0fc8065..762a6f693 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -11,20 +11,33 @@ table ip vyos_conntrack {
 {% if ignore.ipv4.rule is vyos_defined %}
 {% for rule, rule_config in ignore.ipv4.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-        {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
+        {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }}
 {% endfor %}
 {% endif %}
-    return
+        return
     }
 
     chain VYOS_CT_TIMEOUT {
-{% if timeout.custom.rule is vyos_defined %}
-{% for rule, rule_config in timeout.custom.rule.items() %}
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+        {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }}
 {% endfor %}
 {% endif %}
         return
     }
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv4.rule.items() %}
+    ct timeout ct-timeout-{{ rule }} {
+        l3proto ip;
+{% for protocol, protocol_config in rule_config.protocol.items() %}
+        protocol {{ protocol }};
+        policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{% endfor %}
+    }
+{% endfor %}
+{% endif %}
+
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
 {% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
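Review bot: The new `ct timeout ct-timeout-{{ rule }}` object iterates `rule_config.protocol.items()` and emits a `protocol`/`policy` pair per entry inside one object, but an nftables ct timeout object carries a single `protocol` and a single `policy`; if the CLI permits more than one protocol under a custom timeout rule, the rendered object is likely refused by nft or only the last pair takes effect, leaving that rule's other protocol on the default timeouts. If the CLI restricts a rule to one protocol, a comment above the loop would make that assumption visible: `# one ct timeout object per rule: nft allows a single protocol/policy per object`. If several protocols are allowed, one object per (rule, protocol) — e.g. `ct timeout ct-timeout-{{ rule }}-{{ protocol }} {` with the protocol loop moved outside the object and the reference emitted by `conntrack_rule` adjusted to match — would be the safer shape. The same loop is repeated in the ip6 hunk below.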
@@ -80,20 +93,33 @@ table ip6 vyos_conntrack {
 {% if ignore.ipv6.rule is vyos_defined %}
 {% for rule, rule_config in ignore.ipv6.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-        {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
+        {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }}
 {% endfor %}
 {% endif %}
         return
     }
 
     chain VYOS_CT_TIMEOUT {
-{% if timeout.custom.rule is vyos_defined %}
-{% for rule, rule_config in timeout.custom.rule.items() %}
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+        {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }}
 {% endfor %}
 {% endif %}
         return
     }
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.ipv6.rule.items() %}
+    ct timeout ct-timeout-{{ rule }} {
+        l3proto ip;
+{% for protocol, protocol_config in rule_config.protocol.items() %}
+        protocol {{ protocol }};
+        policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{% endfor %}
+    }
+{% endfor %}
+{% endif %}
+
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
 {% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
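Review bot: The ct timeout objects added under `table ip6 vyos_conntrack` declare `l3proto ip;`, apparently copied from the IPv4 hunk; inside the ip6 table this should be `l3proto ip6;`, otherwise the object describes IPv4 conntrack entries and the configured custom timeouts would either be refused when the ruleset is loaded or never apply to IPv6 flows, silently leaving IPv6 connections on the default conntrack timeouts. The fix is the single line `+        l3proto ip6;`. A render test that sets one ipv6 custom timeout rule and asserts the generated ip6 table contains `l3proto ip6` would catch this regression, and after commit the loaded ct timeout objects can be listed with nft to confirm the family is correct.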