diff options
| author | Nataliia Solomko <natalirs1985@gmail.com> | 2025-06-13 12:20:40 +0300 |
|---|---|---|
| committer | Nataliia Solomko <natalirs1985@gmail.com> | 2025-06-17 18:16:51 +0300 |
| commit | 8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f (patch) | |
| tree | 970a4f45190b216eabe7aa581e1faa611d79ab09 /data | |
| parent | 09f63fb975daaefe843641c5ffbec34ddf6b18de (diff) | |
| download | vyos-1x-8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f.tar.gz vyos-1x-8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f.zip | |
firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept
Diffstat (limited to 'data')
| -rwxr-xr-x | data/templates/firewall/nftables.j2 | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index bf051bb57..39ef72059 100755 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -410,15 +410,11 @@ table bridge vyos_filter { {% for prior, conf in bridge.output.items() %} chain VYOS_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy accept; -{% if global_options.apply_to_bridged_traffic is vyos_defined %} -{% if 'invalid_connections' in global_options.apply_to_bridged_traffic %} - ct state invalid udp sport 67 udp dport 68 counter accept - ct state invalid ether type arp counter accept - ct state invalid ether type 8021q counter accept - ct state invalid ether type 8021ad counter accept - ct state invalid ether type 0x8863 counter accept - ct state invalid ether type 0x8864 counter accept - ct state invalid ether type 0x0842 counter accept +{% if global_options.apply_to_bridged_traffic.accept_invalid is vyos_defined %} +{% if 'ethernet_type' in global_options.apply_to_bridged_traffic.accept_invalid %} +{% for ether_type in global_options.apply_to_bridged_traffic.accept_invalid.ethernet_type %} + {{ ether_type | nft_accept_invalid() }} +{% endfor %} {% endif %} {% endif %} {% if global_options.state_policy is vyos_defined %} |