summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-01 11:53:18 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-06-11 15:08:45 +0200
commit8ba45cfcc1cc3fba57e1f82fa1299b7c253ba5ea (patch)
tree37068db2932e20ed4aec01329c9e60d16eb769ed /data
parentfe18efba34c5d95d3052c9e6fda69668bbfe63f3 (diff)
downloadvyos-1x-8ba45cfcc1cc3fba57e1f82fa1299b7c253ba5ea.tar.gz
vyos-1x-8ba45cfcc1cc3fba57e1f82fa1299b7c253ba5ea.zip
firewall: T4299: Add support for GeoIP filtering
Diffstat (limited to 'data')
-rw-r--r--data/templates/firewall/nftables-geoip-update.j233
-rw-r--r--data/templates/firewall/nftables.j216
2 files changed, 49 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2
new file mode 100644
index 000000000..f9e61a274
--- /dev/null
+++ b/data/templates/firewall/nftables-geoip-update.j2
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+{% if ipv4_sets is vyos_defined %}
+{% for setname, ip_list in ipv4_sets.items() %}
+flush set ip filter {{ setname }}
+{% endfor %}
+
+table ip filter {
+{% for setname, ip_list in ipv4_sets.items() %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
+
+{% if ipv6_sets is vyos_defined %}
+{% for setname, ip_list in ipv6_sets.items() %}
+flush set ip6 filter {{ setname }}
+{% endfor %}
+
+table ip6 filter {
+{% for setname, ip_list in ipv6_sets.items() %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 1f88ae40c..961b83301 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -60,6 +60,14 @@ table ip filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.name is vyos_defined %}
+{% for setname in geoip_updated.name %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
@@ -121,6 +129,14 @@ table ip6 filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.ipv6_name is vyos_defined %}
+{% for setname in geoip_updated.ipv6_name %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {