diff options
Diffstat (limited to 'data/templates/firewall/nftables.j2')
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 59 |
1 files changed, 39 insertions, 20 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 0fbddfaa9..75800ee3d 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,33 +1,31 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} +{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %} +{% import 'firewall/nftables-offload.j2' as offload_tmpl %} -flush chain raw FW_CONNTRACK -flush chain ip6 raw FW_CONNTRACK +flush chain raw vyos_global_rpfilter +flush chain ip6 raw vyos_global_rpfilter table raw { - chain FW_CONNTRACK { - {{ ipv4_conntrack_action }} + chain vyos_global_rpfilter { +{% if global_options.source_validation is vyos_defined('loose') %} + fib saddr oif 0 counter drop +{% elif global_options.source_validation is vyos_defined('strict') %} + fib saddr . iif oif 0 counter drop +{% endif %} + return } } table ip6 raw { - chain FW_CONNTRACK { - {{ ipv6_conntrack_action }} - } -} - -{% if first_install is not vyos_defined %} -delete table inet vyos_global_rpfilter -{% endif %} -table inet vyos_global_rpfilter { - chain PREROUTING { - type filter hook prerouting priority -300; policy accept; -{% if global_options.source_validation is vyos_defined('loose') %} + chain vyos_global_rpfilter { +{% if global_options.ipv6_source_validation is vyos_defined('loose') %} fib saddr oif 0 counter drop -{% elif global_options.source_validation is vyos_defined('strict') %} +{% elif global_options.ipv6_source_validation is vyos_defined('strict') %} fib saddr . iif oif 0 counter drop {% endif %} + return } } @@ -36,6 +34,12 @@ delete table ip vyos_filter {% endif %} table ip vyos_filter { {% if ipv4 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv4.forward is vyos_defined %} {% for prior, conf in ipv4.forward.items() %} @@ -147,7 +151,7 @@ table ip vyos_filter { {% endfor %} {% endif %} {% endif %} -{{ group_tmpl.groups(group, False) }} +{{ group_tmpl.groups(group, False, True) }} } {% if first_install is not vyos_defined %} @@ -155,6 +159,12 @@ delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { {% if ipv6 is vyos_defined %} +{% if flowtable is vyos_defined %} +{% for name, flowtable_conf in flowtable.items() %} +{{ offload_tmpl.flowtable(name, flowtable_conf) }} +{% endfor %} +{% endif %} + {% set ns = namespace(sets=[]) %} {% if ipv6.forward is vyos_defined %} {% for prior, conf in ipv6.forward.items() %} @@ -250,5 +260,14 @@ table ip6 vyos_filter { {% endfor %} {% endif %} {% endif %} -{{ group_tmpl.groups(group, True) }} -}
\ No newline at end of file +{{ group_tmpl.groups(group, True, True) }} +} + +## Bridge Firewall +{% if first_install is not vyos_defined %} +delete table bridge vyos_filter +{% endif %} +table bridge vyos_filter { +{{ bridge_tmpl.bridge(bridge) }} +{{ group_tmpl.groups(group, False, False) }} +} |