diff options
Diffstat (limited to 'data/templates/firewall/nftables.tmpl')
| -rw-r--r-- | data/templates/firewall/nftables.tmpl | 90 |
1 files changed, 39 insertions, 51 deletions
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl index 68e83de64..0cc977cf9 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.tmpl @@ -6,43 +6,7 @@ {% endfor %} {% endif %} -{% if group is defined %} -{% if group.address_group is defined %} -{% for group_name, group_conf in group.address_group.items() %} -define A_{{ group_name }} = { - {{ group_conf.address | join(",") }} -} -{% endfor %} -{% endif %} -{% if group.ipv6_address_group is defined %} -{% for group_name, group_conf in group.ipv6_address_group.items() %} -define A6_{{ group_name }} = { - {{ group_conf.address | join(",") }} -} -{% endfor %} -{% endif %} -{% if group.network_group is defined %} -{% for group_name, group_conf in group.network_group.items() %} -define N_{{ group_name }} = { - {{ group_conf.network | join(",") }} -} -{% endfor %} -{% endif %} -{% if group.ipv6_network_group is defined %} -{% for group_name, group_conf in group.ipv6_network_group.items() %} -define N6_{{ group_name }} = { - {{ group_conf.network | join(",") }} -} -{% endfor %} -{% endif %} -{% if group.port_group is defined %} -{% for group_name, group_conf in group.port_group.items() %} -define P_{{ group_name }} = { - {{ group_conf.port | join(",") }} -} -{% endfor %} -{% endif %} -{% endif %} +include "/run/nftables_defines.conf" table ip filter { {% if first_install is defined %} @@ -67,19 +31,25 @@ table ip filter { } {% endif %} {% if name is defined %} +{% set ns = namespace(sets=[]) %} {% for name_text, conf in name.items() %} -{% set default_log = 'log' if 'enable_default_log' in conf else '' %} - chain {{ name_text }} { + chain NAME_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} +{% if rule_conf.recent is defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} {% endfor %} {% endif %} -{% if conf.default_action is defined %} - counter {{ default_log }} {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}" -{% else %} - return -{% endif %} + {{ conf | nft_default_rule(name_text) }} + } +{% endfor %} +{% for set_name in ns.sets %} + set RECENT_{{ set_name }} { + type ipv4_addr + size 65535 + flags dynamic } {% endfor %} {% endif %} @@ -122,19 +92,25 @@ table ip6 filter { } {% endif %} {% if ipv6_name is defined %} +{% set ns = namespace(sets=[]) %} {% for name_text, conf in ipv6_name.items() %} -{% set default_log = 'log' if 'enable_default_log' in conf else '' %} - chain {{ name_text }} { + chain NAME6_{{ name_text }} { {% if conf.rule is defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} +{% if rule_conf.recent is defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} {% endfor %} {% endif %} -{% if conf.default_action is defined %} - counter {{ default_log }} {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}" -{% else %} - return -{% endif %} + {{ conf | nft_default_rule(name_text) }} + } +{% endfor %} +{% for set_name in ns.sets %} + set RECENT6_{{ set_name }} { + type ipv6_addr + size 65535 + flags dynamic } {% endfor %} {% endif %} @@ -211,6 +187,7 @@ table raw { counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK notrack } @@ -219,6 +196,7 @@ table raw { counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK notrack } @@ -256,6 +234,10 @@ table raw { chain VYOS_CT_OUTPUT_HOOK { return } + + chain FW_CONNTRACK { + accept + } } table ip6 raw { @@ -266,12 +248,14 @@ table ip6 raw { chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_PREROUTING_HOOK + counter jump FW_CONNTRACK notrack } chain OUTPUT { type filter hook output priority -300; policy accept; counter jump VYOS_CT_OUTPUT_HOOK + counter jump FW_CONNTRACK notrack } @@ -282,5 +266,9 @@ table ip6 raw { chain VYOS_CT_OUTPUT_HOOK { return } + + chain FW_CONNTRACK { + accept + } } {% endif %} |