Diffstat (limited to 'data/templates/firewall/nftables-vrf-zones.j2')
-rw-r--r--data/templates/firewall/nftables-vrf-zones.j217
1 files changed, 17 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
new file mode 100644
index 000000000..eecf47b78
--- /dev/null
+++ b/data/templates/firewall/nftables-vrf-zones.j2
@@ -0,0 +1,17 @@
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ counter ct zone set iifname map @ct_iface_map
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ counter ct zone set oifname map @ct_iface_map
+ }
+}
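Review bot: `ct_iface_map` is declared empty and nothing in this template adds elements to it, so a packet whose iifname/oifname has no entry does not match the `ct zone set` rule and is tracked in the default zone 0 — conntrack state for such an interface is then shared with whatever else lands in zone 0, which is the cross-VRF mixing this table exists to prevent. Presumably the elements are added at runtime by the VRF configuration code (not visible here); that expectation, and the zone-0 fallback, should be stated on the map so a maintainer does not assume the isolation is complete once this file is loaded, e.g. `# Elements are added at runtime by the VRF configuration; an interface absent from this map is tracked in ct zone 0.` The comment `# Assign unique zones for each VRF` sits between the map and `# Chain for inbound traffic` and reads as belonging to the chain; it describes the map and should be moved up to the `map ct_iface_map` line. The template carries no Jinja expressions, so the `.j2` suffix is currently cosmetic; if that is intentional a one-line header comment saying the map is intentionally empty here would avoid a reviewer looking for missing template variables.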