Diffstat (limited to 'data/templates/firewall')
-rw-r--r-- | data/templates/firewall/nftables-defines.j2 | 32 | ||||
-rw-r--r-- | data/templates/firewall/nftables-defines.tmpl | 32 | ||||
-rw-r--r-- | data/templates/firewall/nftables-nat.j2 (renamed from data/templates/firewall/nftables-nat.tmpl) | 182 | ||||
-rw-r--r-- | data/templates/firewall/nftables-nat66.j2 (renamed from data/templates/firewall/nftables-nat66.tmpl) | 74 | ||||
-rw-r--r-- | data/templates/firewall/nftables-policy.j2 (renamed from data/templates/firewall/nftables-policy.tmpl) | 30 | ||||
-rw-r--r-- | data/templates/firewall/nftables-vrf-zones.j2 (renamed from data/templates/firewall/nftables-vrf-zones.tmpl) | 0 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 (renamed from data/templates/firewall/nftables.tmpl) | 72 | ||||
-rw-r--r-- | data/templates/firewall/upnpd.conf.j2 (renamed from data/templates/firewall/upnpd.conf.tmpl) | 34 |
8 files changed, 228 insertions, 228 deletions
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
new file mode 100644
index 000000000..4fa92f2e3
--- /dev/null
+++ b/data/templates/firewall/nftables-defines.j2
@@ -0,0 +1,32 @@
+{% if group is vyos_defined %}
+{% if group.address_group is vyos_defined %}
+{% for group_name, group_conf in group.address_group.items() %}
+define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% endfor %}
+{% endif %}
+{% if group.ipv6_address_group is vyos_defined %}
+{% for group_name, group_conf in group.ipv6_address_group.items() %}
+define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% endfor %}
+{% endif %}
+{% if group.mac_group is vyos_defined %}
+{% for group_name, group_conf in group.mac_group.items() %}
+define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
+{% endfor %}
+{% endif %}
+{% if group.network_group is vyos_defined %}
+{% for group_name, group_conf in group.network_group.items() %}
+define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% endfor %}
+{% endif %}
+{% if group.ipv6_network_group is vyos_defined %}
+{% for group_name, group_conf in group.ipv6_network_group.items() %}
+define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% endfor %}
+{% endif %}
+{% if group.port_group is vyos_defined %}
+{% for group_name, group_conf in group.port_group.items() %}
+define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
+{% endfor %}
+{% endif %}
+{% endif %}
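Review bot: A group that is defined but has no members renders as `define A_<name> = {  }` on the `define A_{{ group_name }}` line, and as far as I know nft does not accept an empty set literal, so one empty group would make the whole defines file fail to load rather than just that group; the A6_, M_, N_, N6_ and P_ lines have the same shape. Unless the configuration layer already refuses empty groups, guard each loop body with the matching key check, e.g. `{% if group_conf.address is vyos_defined %}` around the address-group define, or state the precondition in a `{# … #}` comment at the top of the file. Group names are also spliced verbatim into nft identifiers, so a comment noting that the CLI restricts them to identifier-safe characters would help the next reader.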
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl
deleted file mode 100644
index 66d31093b..000000000
--- a/data/templates/firewall/nftables-defines.tmpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{% if group is vyos_defined %}
-{% if group.address_group is vyos_defined %}
-{% for group_name, group_conf in group.address_group.items() %}
-define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
-{% endfor %}
-{% endif %}
-{% if group.ipv6_address_group is vyos_defined %}
-{% for group_name, group_conf in group.ipv6_address_group.items() %}
-define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
-{% endfor %}
-{% endif %}
-{% if group.mac_group is vyos_defined %}
-{% for group_name, group_conf in group.mac_group.items() %}
-define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
-{% endfor %}
-{% endif %}
-{% if group.network_group is vyos_defined %}
-{% for group_name, group_conf in group.network_group.items() %}
-define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
-{% endfor %}
-{% endif %}
-{% if group.ipv6_network_group is vyos_defined %}
-{% for group_name, group_conf in group.ipv6_network_group.items() %}
-define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
-{% endfor %}
-{% endif %}
-{% if group.port_group is vyos_defined %}
-{% for group_name, group_conf in group.port_group.items() %}
-define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
-{% endfor %}
-{% endif %}
-{% endif %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.j2
index 63aa48c77..1481e9104 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.j2
@@ -1,141 +1,141 @@ #!/usr/sbin/nft -f {% macro nat_rule(rule, config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set src_addr = 'ip saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} -{% set dst_addr = 'ip daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} +{% set comment = '' %} +{% set base_log = '' %} +{% set src_addr = 'ip saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} +{% set dst_addr = 'ip daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} +{# negated port groups need special treatment, move != in front of { } group #} +{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} {% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %} -{% else %} +{% else %} {% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %} -{% endif %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} +{% endif %} +{# negated port groups need special treatment, move != in front of { } group #} +{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} {% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %} -{% else %} +{% else %} {% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %} -{% endif %} -{% if chain is vyos_defined('PREROUTING') %} +{% endif %} +{% if chain is vyos_defined('PREROUTING') %} {% set comment = 'DST-NAT-' ~ rule %} {% set base_log = '[NAT-DST-' ~ rule %} {% set 
interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} {% if config.translation.address is vyos_defined %} -{# support 1:1 network translation #} -{% if config.translation.address | is_ip_network %} -{% set trns_addr = 'dnat ip prefix to ip daddr map { ' ~ config.destination.address ~ ' : ' ~ config.translation.address ~ ' }' %} -{# we can now clear out the dst_addr part as it's already covered in aboves map #} -{% set dst_addr = '' %} -{% else %} -{% set trns_addr = 'dnat to ' ~ config.translation.address %} -{% endif %} +{# support 1:1 network translation #} +{% if config.translation.address | is_ip_network %} +{% set trns_addr = 'dnat ip prefix to ip daddr map { ' ~ config.destination.address ~ ' : ' ~ config.translation.address ~ ' }' %} +{# we can now clear out the dst_addr part as it's already covered in aboves map #} +{% set dst_addr = '' %} +{% else %} +{% set trns_addr = 'dnat to ' ~ config.translation.address %} +{% endif %} {% endif %} -{% elif chain is vyos_defined('POSTROUTING') %} +{% elif chain is vyos_defined('POSTROUTING') %} {% set comment = 'SRC-NAT-' ~ rule %} {% set base_log = '[NAT-SRC-' ~ rule %} {% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined and config.outbound_interface is not vyos_defined('any') else '' %} {% if config.translation.address is vyos_defined %} -{% if config.translation.address is vyos_defined('masquerade') %} -{% set trns_addr = config.translation.address %} -{% if config.translation.port is vyos_defined %} -{% set trns_addr = trns_addr ~ ' to ' %} +{% if config.translation.address is vyos_defined('masquerade') %} +{% set trns_addr = config.translation.address %} +{% if config.translation.port is vyos_defined %} +{% set trns_addr = trns_addr ~ ' to ' %} +{% endif %} +{# support 1:1 network translation #} +{% elif config.translation.address | 
is_ip_network %} +{% set trns_addr = 'snat ip prefix to ip saddr map { ' ~ config.source.address ~ ' : ' ~ config.translation.address ~ ' }' %} +{# we can now clear out the src_addr part as it's already covered in aboves map #} +{% set src_addr = '' %} +{% else %} +{% set trns_addr = 'snat to ' ~ config.translation.address %} {% endif %} -{# support 1:1 network translation #} -{% elif config.translation.address | is_ip_network %} -{% set trns_addr = 'snat ip prefix to ip saddr map { ' ~ config.source.address ~ ' : ' ~ config.translation.address ~ ' }' %} -{# we can now clear out the src_addr part as it's already covered in aboves map #} -{% set src_addr = '' %} -{% else %} -{% set trns_addr = 'snat to ' ~ config.translation.address %} -{% endif %} {% endif %} -{% endif %} -{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} -{# protocol has a default value thus it is always present #} -{% if config.protocol is vyos_defined('tcp_udp') %} +{% endif %} +{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} +{# protocol has a default value thus it is always present #} +{% if config.protocol is vyos_defined('tcp_udp') %} {% set protocol = 'tcp' %} {% set comment = comment ~ ' tcp_udp' %} -{% else %} +{% else %} {% set protocol = config.protocol %} -{% endif %} -{% if config.log is vyos_defined %} +{% endif %} +{% if config.log is vyos_defined %} {% if config.exclude is vyos_defined %} -{% set log = base_log ~ '-EXCL]' %} +{% set log = base_log ~ '-EXCL]' %} {% elif config.translation.address is vyos_defined('masquerade') %} -{% set log = base_log +'-MASQ]' %} +{% set log = base_log ~ '-MASQ]' %} {% else %} -{% set log = base_log ~ ']' %} +{% set log = base_log ~ ']' %} {% endif %} -{% endif %} -{% if config.exclude is vyos_defined %} +{% endif %} +{% if config.exclude is vyos_defined %} {# rule has been marked as 'exclude' thus we simply return here #} {% set trns_addr = 'return' %} {% 
set trns_port = '' %} -{% endif %} -{# T1083: NAT address and port translation options #} -{% if config.translation.options is vyos_defined %} +{% endif %} +{# T1083: NAT address and port translation options #} +{% if config.translation.options is vyos_defined %} {% if config.translation.options.address_mapping is vyos_defined('persistent') %} {% set trns_opts_addr = 'persistent' %} {% endif %} {% if config.translation.options.port_mapping is vyos_defined('random') %} -{% set trns_opts_port = 'random' %} +{% set trns_opts_port = 'random' %} {% elif config.translation.options.port_mapping is vyos_defined('fully-random') %} -{% set trns_opts_port = 'fully-random' %} +{% set trns_opts_port = 'fully-random' %} {% endif %} -{% endif %} -{% if trns_opts_addr is vyos_defined and trns_opts_port is vyos_defined %} +{% endif %} +{% if trns_opts_addr is vyos_defined and trns_opts_port is vyos_defined %} {% set trns_opts = trns_opts_addr ~ ',' ~ trns_opts_port %} -{% elif trns_opts_addr is vyos_defined %} +{% elif trns_opts_addr is vyos_defined %} {% set trns_opts = trns_opts_addr %} -{% elif trns_opts_port is vyos_defined %} +{% elif trns_opts_port is vyos_defined %} {% set trns_opts = trns_opts_port %} -{% endif %} -{% set output = 'add rule ip nat ' ~ chain ~ interface %} -{% if protocol is not vyos_defined('all') %} +{% endif %} +{% set output = 'add rule ip nat ' ~ chain ~ interface %} +{% if protocol is not vyos_defined('all') %} {% set output = output ~ ' ip protocol ' ~ protocol %} -{% endif %} -{% if src_addr is vyos_defined %} +{% endif %} +{% if src_addr is vyos_defined %} {% set output = output ~ ' ' ~ src_addr %} -{% endif %} -{% if src_port is vyos_defined %} +{% endif %} +{% if src_port is vyos_defined %} {% set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %} -{% endif %} -{% if dst_addr is vyos_defined %} +{% endif %} +{% if dst_addr is vyos_defined %} {% set output = output ~ ' ' ~ dst_addr %} -{% endif %} -{% if dst_port is vyos_defined %} +{% endif %} 
+{% if dst_port is vyos_defined %} {% set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %} -{% endif %} -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log is vyos_defined %} +{% endif %} +{# Count packets #} +{% set output = output ~ ' counter' %} +{# Special handling of log option, we must repeat the entire rule before the #} +{# NAT translation options are added, this is essential #} +{% if log is vyos_defined %} {% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if trns_addr is vyos_defined %} +{% endif %} +{% if trns_addr is vyos_defined %} {% set output = output ~ ' ' ~ trns_addr %} -{% endif %} -{% if trns_port is vyos_defined %} +{% endif %} +{% if trns_port is vyos_defined %} {# Do not add a whitespace here, translation port must be directly added after IP address #} {# e.g. 
192.0.2.10:3389 #} {% set output = output ~ trns_port %} -{% endif %} -{% if trns_opts is vyos_defined %} +{% endif %} +{% if trns_opts is vyos_defined %} {% set output = output ~ ' ' ~ trns_opts %} -{% endif %} -{% if comment is vyos_defined %} +{% endif %} +{% if comment is vyos_defined %} {% set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} -{{ log_output if log_output is vyos_defined}} +{% endif %} +{{ log_output if log_output is vyos_defined }} {{ output }} -{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} -{% if config.protocol is vyos_defined('tcp_udp') %} +{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} +{% if config.protocol is vyos_defined('tcp_udp') %} {# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} {{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }} {{ output | replace('tcp ', 'udp ') }} -{% endif %} +{% endif %} {% endmacro %} # Start with clean SNAT and DNAT chains @@ -143,7 +143,7 @@ flush chain ip nat PREROUTING flush chain ip nat POSTROUTING {% if helper_functions is vyos_defined('remove') %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip raw' %} +{% set base_command = 'delete rule ip raw' %} {{ base_command }} PREROUTING handle {{ pre_ct_ignore }} {{ base_command }} OUTPUT handle {{ out_ct_ignore }} {{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} 
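Review bot: In nat_rule the 1:1 network branches clear the address match (`{% set dst_addr = '' %}` under PREROUTING, `{% set src_addr = '' %}` under POSTROUTING) because the `map { … }` expression carries it, but the later `{% if config.exclude is vyos_defined %}` branch then replaces trns_addr with `return` without restoring that match. If a rule can combine `exclude` with a prefix-form translation address, the emitted exclude rule has no destination (or source) match at all and would `return` for every packet reaching the chain, bypassing all later NAT rules. Unless the configuration validator already forbids that combination, make the clearing conditional on the rule not being an exclude, e.g. `{% if config.translation.address | is_ip_network and config.exclude is not vyos_defined %}` in both branches, and add a `{# exclude rules must keep their match part, only the action becomes 'return' #}` comment next to the exclude handling. The macro starts and ends inside this hunk; the base_log `+` to `~` fix in the same hunk is unrelated to this point.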
@@ -155,7 +155,7 @@ delete chain ip raw NAT_CONNTRACK {# NAT if enabled - add targets to nftables #} add chain ip raw NAT_CONNTRACK add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip raw' %} +{% set base_command = 'add rule ip raw' %} {{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER {{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER {{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK @@ -167,16 +167,16 @@ add rule ip raw NAT_CONNTRACK counter accept # add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK {% if destination.rule is vyos_defined %} -{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} {{ nat_rule(rule, config, 'PREROUTING') }} -{% endfor %} +{% endfor %} {% endif %} # # Source NAT rules build up here # add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK {% if source.rule is vyos_defined %} -{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} {{ nat_rule(rule, config, 'POSTROUTING') }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.j2 index ed98b888a..003b138b2 100644 --- a/data/templates/firewall/nftables-nat66.tmpl +++ b/data/templates/firewall/nftables-nat66.j2 
@@ -1,22 +1,22 @@ #!/usr/sbin/nft -f {% macro nptv6_rule(rule,config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %} -{% set dest_address = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %} -{% if chain is vyos_defined('PREROUTING') %} +{% set comment = '' %} +{% set base_log = '' %} +{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %} +{% set dest_address = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %} +{% if chain is vyos_defined('PREROUTING') %} {% set comment = 'DST-NAT66-' ~ rule %} {% set base_log = '[NAT66-DST-' ~ rule %} {% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} {% if config.translation.address | is_ip_network %} -{# support 1:1 network translation #} -{% set dnat_type = 'dnat prefix to ' %} +{# support 1:1 network translation #} +{% set dnat_type = 'dnat prefix to ' %} {% else %} -{% set dnat_type = 'dnat to ' %} +{% set dnat_type = 'dnat to ' %} {% endif %} {% set trns_address = dnat_type ~ config.translation.address if config.translation.address is vyos_defined %} -{% elif chain is vyos_defined('POSTROUTING') %} +{% elif chain is vyos_defined('POSTROUTING') %} {% set comment = 'SRC-NAT66-' ~ rule %} {% set base_log = '[NAT66-SRC-' ~ rule %} {% if config.translation.address is vyos_defined %} 
@@ -33,34 +33,34 @@ {% endif %} {% endif %} {% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %} -{% endif %} -{% if config.log is vyos_defined %} +{% endif %} +{% if config.log is vyos_defined %} {% if config.translation.address is vyos_defined('masquerade') %} -{% set log = base_log +'-MASQ]' %} +{% set log = base_log ~ '-MASQ]' %} {% else %} -{% set log = base_log ~ ']' %} +{% set log = base_log ~ ']' %} {% endif %} -{% endif %} -{% set output = 'add rule ip6 nat ' ~ chain ~ interface %} -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log is vyos_defined %} +{% endif %} +{% set output = 'add rule ip6 nat ' ~ chain ~ interface %} +{# Count packets #} +{% set output = output ~ ' counter' %} +{# Special handling of log option, we must repeat the entire rule before the #} +{# NAT translation options are added, this is essential #} +{% if log is vyos_defined %} {% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if src_prefix is vyos_defined %} +{% endif %} +{% if src_prefix is vyos_defined %} {% set output = output ~ ' ' ~ src_prefix %} -{% endif %} -{% if dest_address is vyos_defined %} +{% endif %} +{% if dest_address is vyos_defined %} {% set output = output ~ ' ' ~ dest_address %} -{% endif %} -{% if trns_address is vyos_defined %} +{% endif %} +{% if trns_address is vyos_defined %} {% set output = output ~ ' ' ~ trns_address %} -{% endif %} -{% if comment is vyos_defined %} +{% endif %} +{% if comment is vyos_defined %} {% set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} +{% endif %} {{ log_output if log_output is vyos_defined }} {{ output }} {% endmacro %} 
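Review bot: The POSTROUTING interface match in nptv6_rule, `{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %}`, has no `is not vyos_defined('any')` exclusion, while the PREROUTING branch of this same macro and both branches of nat_rule in nftables-nat.j2 have one. If the CLI accepts `any` for the NAT66 outbound interface, this renders `oifname "any"`, which matches no real interface and silently disables the rule. Aligning it with the other branches, `… if config.outbound_interface is vyos_defined and config.outbound_interface is not vyos_defined('any') else ''`, keeps the templates consistent whether or not `any` is currently reachable.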
@@ -69,9 +69,9 @@ flush table ip6 nat {% if helper_functions is vyos_defined('remove') %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip6 raw' %} -{{base_command}} PREROUTING handle {{ pre_ct_conntrack }} -{{base_command}} OUTPUT handle {{ out_ct_conntrack }} +{% set base_command = 'delete rule ip6 raw' %} +{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} +{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} delete chain ip6 raw NAT_CONNTRACK @@ -79,7 +79,7 @@ delete chain ip6 raw NAT_CONNTRACK {# NAT if enabled - add targets to nftables #} add chain ip6 raw NAT_CONNTRACK add rule ip6 raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip6 raw' %} +{% set base_command = 'add rule ip6 raw' %} {{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK {{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK {% endif %} @@ -88,15 +88,15 @@ add rule ip6 raw NAT_CONNTRACK counter accept # Destination NAT66 rules build up here # {% if destination.rule is vyos_defined %} -{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} {{ nptv6_rule(rule, config, 'PREROUTING') }} -{% endfor %} +{% endfor %} {% endif %} # # Source NAT66 rules build up here # {% if source.rule is vyos_defined %} -{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} {{ nptv6_rule(rule, config, 'POSTROUTING') }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/firewall/nftables-policy.tmpl b/data/templates/firewall/nftables-policy.j2 index d1b0fa56e..0154c9f7e 100644 --- a/data/templates/firewall/nftables-policy.tmpl +++ b/data/templates/firewall/nftables-policy.j2 
@@ -1,9 +1,9 @@ #!/usr/sbin/nft -f {% if cleanup_commands is vyos_defined %} -{% for command in cleanup_commands %} +{% for command in cleanup_commands %} {{ command }} -{% endfor %} +{% endfor %} {% endif %} include "/run/nftables_defines.conf" @@ -18,17 +18,17 @@ table ip mangle { } {% endif %} {% if route is vyos_defined %} -{% for route_text, conf in route.items() %} +{% for route_text, conf in route.items() %} chain VYOS_PBR_{{ route_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(route_text) }} } -{% endfor %} -{%- endif %} +{% endfor %} +{% endif %} } table ip6 mangle { @@ -41,15 +41,15 @@ table ip6 mangle { } {% endif %} {% if route6 is vyos_defined %} -{% for route_text, conf in route6.items() %} +{% for route_text, conf in route6.items() %} chain VYOS_PBR6_{{ route_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(route_text) }} } -{% endfor %} +{% endfor %} {% endif %} } diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.j2 index eecf47b78..eecf47b78 100644 --- a/data/templates/firewall/nftables-vrf-zones.tmpl +++ b/data/templates/firewall/nftables-vrf-zones.j2 diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.j2 index 3a3f2e04c..fac3fad03 100644 
--- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.j2 @@ -1,9 +1,9 @@ #!/usr/sbin/nft -f {% if cleanup_commands is vyos_defined %} -{% for command in cleanup_commands %} +{% for command in cleanup_commands %} {{ command }} -{% endfor %} +{% endfor %} {% endif %} include "/run/nftables_defines.conf" 
@@ -31,39 +31,39 @@ table ip filter { } {% endif %} {% if name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in name.items() %} +{% set ns = namespace(sets=[]) %} +{% for name_text, conf in name.items() %} chain NAME_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ns.sets %} +{% endfor %} +{% for set_name in ns.sets %} set RECENT_{{ set_name }} { type ipv4_addr size 65535 flags dynamic } -{% endfor %} +{% endfor %} {% endif %} {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY { -{% if state_policy.established is vyos_defined %} +{% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} +{% endif %} +{% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is vyos_defined %} +{% endif %} +{% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related') }} -{% endif %} +{% endif %} return } {% endif %} 
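Review bot: `{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}` still concatenates strings with `+`, which this commit replaces by `~` in the NAT templates; `~` also stringifies both operands, so it is the safer spelling should rule_id ever arrive as an int. The identical line in the ip6 filter hunk below has the same issue. Writing it as `{% set ns.sets = ns.sets + [name_text ~ '_' ~ rule_id] %}` (the list concatenation keeps `+`) makes the file consistent with the rest of this series. A one-line `{# one RECENT_ set per rule with the 'recent' option, fixed at 65535 entries #}` comment above the `{% for set_name in ns.sets %}` loop would also document that limit, which is otherwise unexplained.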
@@ -92,39 +92,39 @@ table ip6 filter { } {% endif %} {% if ipv6_name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in ipv6_name.items() %} +{% set ns = namespace(sets=[]) %} +{% for name_text, conf in ipv6_name.items() %} chain NAME6_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ns.sets %} +{% endfor %} +{% for set_name in ns.sets %} set RECENT6_{{ set_name }} { type ipv6_addr size 65535 flags dynamic } -{% endfor %} +{% endfor %} {% endif %} {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { -{% if state_policy.established is vyos_defined %} +{% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established', ipv6=True) }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} +{% endif %} +{% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }} -{% endif %} -{% if state_policy.related is vyos_defined %} +{% endif %} +{% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related', ipv6=True) }} -{% endif %} +{% endif %} return } {% endif %} diff --git a/data/templates/firewall/upnpd.conf.tmpl b/data/templates/firewall/upnpd.conf.j2 index 6e73995fa..27573cbf9 100644 --- a/data/templates/firewall/upnpd.conf.tmpl +++ b/data/templates/firewall/upnpd.conf.j2 
@@ -5,9 +5,9 @@ ext_ifname={{ wan_interface }} {% if wan_ip is vyos_defined %} # If the WAN interface has several IP addresses, you # can specify the one to use below -{% for addr in wan_ip %} +{% for addr in wan_ip %} ext_ip={{ addr }} -{% endfor %} +{% endfor %} {% endif %} # LAN network interfaces IPs / networks @@ -20,15 +20,15 @@ ext_ip={{ addr }} # When MULTIPLE_EXTERNAL_IP is enabled, the external IP # address associated with the subnet follows. For example: # listening_ip=192.168.0.1/24 88.22.44.13 -{% for addr in listen %} -{% if addr | is_ipv4 %} +{% for addr in listen %} +{% if addr | is_ipv4 %} listening_ip={{ addr }} -{% elif addr | is_ipv6 %} +{% elif addr | is_ipv6 %} ipv6_listening_ip={{ addr }} -{% else %} +{% else %} listening_ip={{ addr }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} # CAUTION: mixing up WAN and LAN interfaces may introduce security risks! @@ -57,12 +57,12 @@ enable_upnp=yes # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base -{% if pcp_lifetime.max is vyos_defined %} +{% if pcp_lifetime.max is vyos_defined %} max_lifetime={{ pcp_lifetime.max }} -{% endif %} -{% if pcp_lifetime.min is vyos_defined %} +{% endif %} +{% if pcp_lifetime.min is vyos_defined %} min_lifetime={{ pcp_lifetime.min }} -{% endif %} +{% endif %} {% endif %} 
@@ -142,11 +142,11 @@ lease_file=/config/upnp.leases # modify the IP ranges to match their own internal networks, and # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! -{% for rule, config in rules.items() %} -{% if config.disable is vyos_defined %} -{{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} -{% endif %} -{% endfor %} +{% for rule, config in rules.items() %} +{% if config.disable is vyos_defined %} +{{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} +{% endif %} +{% endfor %} {% endif %} {% if stun is vyos_defined %} |
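Review bot: The rule loop in this hunk writes a line only when `config.disable is vyos_defined`, so exactly the rules the user disabled reach miniupnpd's rule list and the enabled ones are dropped; every other template in this series uses `if config.disable is not vyos_defined` for the same purpose, so this reads as inverted rather than intentional. Given the comment directly above about missing rules permitting insecure requests, it is worth fixing in the same series: `{% if config.disable is not vyos_defined %}`. I cannot see from here whether a test renders these rules, so this is inferred from the template alone.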