| author | l0crian1 <ryan.claridge13@gmail.com> | 2025-04-16 12:31:34 -0400 |
|---|---|---|
| committer | l0crian1 <ryan.claridge13@gmail.com> | 2025-04-16 14:49:44 -0400 |
| commit | 382c6fc6ffe76d7ce418018f69902572701215a3 (patch) | |
| tree | 137b4193cd6a8e4b31c639740ea1957c7bdf0d94 /data | |
| parent | 9e47c2153be7cc0e5ed21ca8a976336d4bf872d8 (diff) | |
| download | vyos-1x-382c6fc6ffe76d7ce418018f69902572701215a3.tar.gz vyos-1x-382c6fc6ffe76d7ce418018f69902572701215a3.zip | |
firewall: T7358: add offload option to global state policy
Since the jump to the global state chain is inserted before all rules,
it wasn't possible to use offload with the global state policies.
This commit adds a new chain for offloaded traffic in the forward
chain and jumps to that chain.
Diffstat (limited to 'data')
| -rwxr-xr-x | data/templates/firewall/nftables.j2 | 40 |
1 files changed, 38 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 67473da8e..4f2783e6f 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -47,7 +47,7 @@ table ip vyos_filter {
 chain VYOS_FORWARD_{{ prior }} {
 type filter hook forward priority {{ prior }}; policy accept;
 {% if global_options.state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
+ jump VYOS_STATE_POLICY_FORWARD
 {% endif %}
 {% if conf.rule is vyos_defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
@@ -181,6 +181,24 @@ table ip vyos_filter {
 return
 }
 {% endif %}
+
+{% if global_options.state_policy.offload is vyos_defined %}
+ chain VYOS_STATE_POLICY_FORWARD {
+{% if global_options.state_policy.offload is vyos_defined %}
+ counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
+{% endif %}
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
 }
 {% if first_install is not vyos_defined %}
@@ -200,7 +218,7 @@ table ip6 vyos_filter {
 chain VYOS_IPV6_FORWARD_{{ prior }} {
 type filter hook forward priority {{ prior }}; policy accept;
 {% if global_options.state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
+ jump VYOS_STATE_POLICY6_FORWARD
 {% endif %}
 {% if conf.rule is vyos_defined %}
 {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
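Review bot: In the hunk at -181 the new chain VYOS_STATE_POLICY_FORWARD is only emitted when `global_options.state_policy.offload is vyos_defined`, but the jump added in the hunk at -47 is emitted whenever `global_options.state_policy is vyos_defined`; with a state policy configured and no offload target, the rendered ruleset jumps to a chain that is never defined, nft should refuse to load it, and the forward hook ends up with no state policy at all. The outer guard should match the jump, `{% if global_options.state_policy is vyos_defined %}`, which also turns the inner offload check on the following line into the only offload-specific gate instead of a duplicate of the outer one. The ip6 hunks at -200 and -332 have the same mismatch. The established/invalid/related lines repeat what the existing VYOS_STATE_POLICY chain above the hunk already does; a `jump VYOS_STATE_POLICY` after the flow-add line would keep a single definition, if that ordering is acceptable. The enclosing `table ip vyos_filter` block starts and ends outside the hunk.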
@@ -332,6 +350,24 @@ table ip6 vyos_filter {
 return
 }
 {% endif %}
+
+{% if global_options.state_policy.offload is vyos_defined %}
+ chain VYOS_STATE_POLICY6_FORWARD {
+{% if global_options.state_policy.offload is vyos_defined %}
+ counter flow add @VYOS_FLOWTABLE_{{ global_options.state_policy.offload.offload_target }}
+{% endif %}
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established') }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related') }}
+{% endif %}
+ return
+ }
+{% endif %}
 }
 ## Bridge Firewall |
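Review bot: The new VYOS_STATE_POLICY6_FORWARD chain carries no comment saying why the forward hook gets its own state-policy chain while the other hooks presumably keep jumping to VYOS_STATE_POLICY6, so the next reader has to dig the reason out of the commit message. A Jinja comment above the chain, `{# forward hook gets its own state-policy chain so established flows can be handed to the flowtable before the per-rule chains #}`, would record it; the same applies to VYOS_STATE_POLICY_FORWARD in the hunk at -181. Once `flow add` has offloaded a flow, later packets of that flow bypass the rules that follow, so placing the flow-add line before the established/invalid/related lines is a deliberate ordering that belongs in that comment. The enclosing `table ip6 vyos_filter` block starts outside the hunk.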
