summaryrefslogtreecommitdiff
path: root/data/templates/firewall/nftables.j2
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/firewall/nftables.j2')
-rwxr-xr-x[-rw-r--r--]data/templates/firewall/nftables.j2160
1 files changed, 141 insertions, 19 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 833df3a67..67473da8e 100644..100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -57,7 +57,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('FWD-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -77,7 +77,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('INP-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -86,7 +86,7 @@ table ip vyos_filter {
{% for prior, conf in ipv4.output.items() %}
chain VYOS_OUTPUT_{{ prior }} {
type filter hook output priority {{ prior }}; policy accept;
-{% if global_options.state_policy is vyos_defined %}
+{% if global_options.state_policy is vyos_defined and prior == 'filter' %}
jump VYOS_STATE_POLICY
{% endif %}
{% if conf.rule is vyos_defined %}
@@ -97,14 +97,11 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('OUT-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
- chain VYOS_FRAG_MARK {
- type filter hook prerouting priority -450; policy accept;
- ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
- }
+
{% if ipv4.prerouting is vyos_defined %}
{% for prior, conf in ipv4.prerouting.items() %}
chain VYOS_PREROUTING_{{ prior }} {
@@ -117,11 +114,16 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('PRE-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('PRE-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
+ chain VYOS_FRAG_MARK {
+ type filter hook prerouting priority -450; policy accept;
+ ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
+ }
+
{% if ipv4.name is vyos_defined %}
{% for name_text, conf in ipv4.name.items() %}
chain NAME_{{ name_text }} {
@@ -133,7 +135,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(name_text, 'ipv4') }}
+ {{ conf | nft_default_rule('NAM-' + name_text, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -202,13 +204,13 @@ table ip6 vyos_filter {
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('FWD-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -222,13 +224,13 @@ table ip6 vyos_filter {
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('INP', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('INP-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -237,22 +239,38 @@ table ip6 vyos_filter {
{% for prior, conf in ipv6.output.items() %}
chain VYOS_IPV6_OUTPUT_{{ prior }} {
type filter hook output priority {{ prior }}; policy accept;
-{% if global_options.state_policy is vyos_defined %}
+{% if global_options.state_policy is vyos_defined and prior == 'filter' %}
jump VYOS_STATE_POLICY6
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('OUT-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
+{% if ipv6.prerouting is vyos_defined %}
+{% for prior, conf in ipv6.prerouting.items() %}
+ chain VYOS_IPV6_PREROUTING_{{ prior }} {
+ type filter hook prerouting priority {{ prior }}; policy accept;
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('PRE', prior, rule_id, 'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('PRE-' + prior, 'ipv6') }}
+ }
+{% endfor %}
+{% endif %}
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0xffff1 return
@@ -269,7 +287,7 @@ table ip6 vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule(name_text, 'ipv6') }}
+ {{ conf | nft_default_rule('NAM-' + name_text, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -321,7 +339,111 @@ table ip6 vyos_filter {
delete table bridge vyos_filter
{% endif %}
table bridge vyos_filter {
-{{ bridge_tmpl.bridge(bridge) }}
+{% if bridge is vyos_defined %}
+{% if bridge.forward is vyos_defined %}
+{% for prior, conf in bridge.forward.items() %}
+ chain VYOS_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('FWD-' + prior, 'bri') }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if bridge.input is vyos_defined %}
+{% for prior, conf in bridge.input.items() %}
+ chain VYOS_INPUT_{{ prior }} {
+ type filter hook input priority {{ prior }}; policy accept;
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('INP', prior, rule_id, 'bri') }}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('INP-' + prior, 'bri') }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if bridge.output is vyos_defined %}
+{% for prior, conf in bridge.output.items() %}
+ chain VYOS_OUTPUT_{{ prior }} {
+ type filter hook output priority {{ prior }}; policy accept;
+{% if global_options.apply_to_bridged_traffic is vyos_defined %}
+{% if 'invalid_connections' in global_options.apply_to_bridged_traffic %}
+ ct state invalid udp sport 67 udp dport 68 counter accept
+ ct state invalid ether type arp counter accept
+ ct state invalid ether type 0x8864 counter accept
+{% endif %}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+ jump VYOS_STATE_POLICY
+{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id, 'bri') }}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('OUT-' + prior, 'bri') }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if bridge.prerouting is vyos_defined %}
+{% for prior, conf in bridge.prerouting.items() %}
+ chain VYOS_PREROUTING_{{ prior }} {
+ type filter hook prerouting priority {{ prior }}; policy accept;
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('PRE', prior, rule_id, 'bri') }}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('PRE-' + prior, 'bri') }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if bridge.name is vyos_defined %}
+{% for name_text, conf in bridge.name.items() %}
+ chain NAME_{{ name_text }} {
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('NAM-' + name_text, 'bri') }}
+ }
+{% endfor %}
+{% endif %}
+
+{% endif %}
{{ group_tmpl.groups(group, False, False) }}
+{{ group_tmpl.groups(group, True, False) }}
+{% if global_options.state_policy is vyos_defined %}
+ chain VYOS_STATE_POLICY {
+{% if global_options.state_policy.established is vyos_defined %}
+ {{ global_options.state_policy.established | nft_state_policy('established', bridge=True) }}
+{% endif %}
+{% if global_options.state_policy.invalid is vyos_defined %}
+ {{ global_options.state_policy.invalid | nft_state_policy('invalid', bridge=True) }}
+{% endif %}
+{% if global_options.state_policy.related is vyos_defined %}
+ {{ global_options.state_policy.related | nft_state_policy('related', bridge=True) }}
+{% endif %}
+ return
+ }
+{% endif %}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-16 23:44:51 +0000