Diffstat (limited to 'data/templates/firewall/nftables.tmpl')
-rw-r--r--data/templates/firewall/nftables.tmpl274
1 files changed, 0 insertions, 274 deletions
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
deleted file mode 100644
index 3a3f2e04c..000000000
--- a/data/templates/firewall/nftables.tmpl
+++ /dev/null
@@ -1,274 +0,0 @@
-#!/usr/sbin/nft -f
-
-{% if cleanup_commands is vyos_defined %}
-{% for command in cleanup_commands %}
-{{ command }}
-{% endfor %}
-{% endif %}
-
-include "/run/nftables_defines.conf"
-
-table ip filter {
-{% if first_install is vyos_defined %}
- chain VYOS_FW_FORWARD {
- type filter hook forward priority 0; policy accept;
- jump VYOS_POST_FW
- }
- chain VYOS_FW_LOCAL {
- type filter hook input priority 0; policy accept;
- jump VYOS_POST_FW
- }
- chain VYOS_FW_OUTPUT {
- type filter hook output priority 0; policy accept;
- jump VYOS_POST_FW
- }
- chain VYOS_POST_FW {
- return
- }
- chain VYOS_FRAG_MARK {
- type filter hook prerouting priority -450; policy accept;
- ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
- }
-{% endif %}
-{% if name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in name.items() %}
- chain NAME_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id) }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
- {{ conf | nft_default_rule(name_text) }}
- }
-{% endfor %}
-{% for set_name in ns.sets %}
- set RECENT_{{ set_name }} {
- type ipv4_addr
- size 65535
- flags dynamic
- }
-{% endfor %}
-{% endif %}
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established') }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid') }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related') }}
-{% endif %}
- return
- }
-{% endif %}
-}
-
-table ip6 filter {
-{% if first_install is vyos_defined %}
- chain VYOS_FW6_FORWARD {
- type filter hook forward priority 0; policy accept;
- jump VYOS_POST_FW6
- }
- chain VYOS_FW6_LOCAL {
- type filter hook input priority 0; policy accept;
- jump VYOS_POST_FW6
- }
- chain VYOS_FW6_OUTPUT {
- type filter hook output priority 0; policy accept;
- jump VYOS_POST_FW6
- }
- chain VYOS_POST_FW6 {
- return
- }
- chain VYOS_FRAG6_MARK {
- type filter hook prerouting priority -450; policy accept;
- exthdr frag exists meta mark set 0xffff1 return
- }
-{% endif %}
-{% if ipv6_name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in ipv6_name.items() %}
- chain NAME6_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
- {{ conf | nft_default_rule(name_text) }}
- }
-{% endfor %}
-{% for set_name in ns.sets %}
- set RECENT6_{{ set_name }} {
- type ipv6_addr
- size 65535
- flags dynamic
- }
-{% endfor %}
-{% endif %}
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY6 {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
-{% endif %}
- return
- }
-{% endif %}
-}
-
-{% if first_install is vyos_defined %}
-table ip nat {
- chain PREROUTING {
- type nat hook prerouting priority -100; policy accept;
- counter jump VYOS_PRE_DNAT_HOOK
- }
-
- chain POSTROUTING {
- type nat hook postrouting priority 100; policy accept;
- counter jump VYOS_PRE_SNAT_HOOK
- }
-
- chain VYOS_PRE_DNAT_HOOK {
- return
- }
-
- chain VYOS_PRE_SNAT_HOOK {
- return
- }
-}
-
-table ip6 nat {
- chain PREROUTING {
- type nat hook prerouting priority -100; policy accept;
- counter jump VYOS_DNPT_HOOK
- }
-
- chain POSTROUTING {
- type nat hook postrouting priority 100; policy accept;
- counter jump VYOS_SNPT_HOOK
- }
-
- chain VYOS_DNPT_HOOK {
- return
- }
-
- chain VYOS_SNPT_HOOK {
- return
- }
-}
-
-table inet mangle {
- chain FORWARD {
- type filter hook forward priority -150; policy accept;
- }
-}
-
-table raw {
- chain VYOS_TCP_MSS {
- type filter hook forward priority -300; policy accept;
- }
-
- chain PREROUTING {
- type filter hook prerouting priority -200; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -200; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- accept
- }
-}
-
-table ip6 raw {
- chain VYOS_TCP_MSS {
- type filter hook forward priority -300; policy accept;
- }
-
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- accept
- }
-}
-{% endif %}