From d62f8ed1e3608d82e3e4fb7566817839023aa39c Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Thu, 29 Sep 2022 13:59:10 +0200
Subject: firewall: T3509: Add support for IPv6 return path filtering
---
data/templates/firewall/nftables.j2 | 14 ++++++++++++++
1 file changed, 14 insertions(+)
(limited to 'data/templates/firewall')
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 10cbc68cb..d889a505d 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,6 +2,20 @@
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
+{% if first_install is not vyos_defined %}
+delete table inet vyos_rpfilter
+{% endif %}
+table inet vyos_rpfilter {
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ }
+}
+
 {% if first_install is not vyos_defined %}
 delete table ip vyos_filter
 {% endif %}
-- cgit v1.2.3
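Review bot: The `delete table inet vyos_rpfilter` guarded by `first_install is not vyos_defined` assumes the table already exists on every non-first-install run; if it is absent on such a run (for example after a manual `nft flush ruleset`, or presumably on the first reload after moving to a build that ships this table without a reboot), the delete errors and, because an nft ruleset file is applied as one atomic transaction, the entire load including the filter rules further down is rejected and whatever ruleset was previously loaded stays in force. The same pattern is already used for `delete table ip vyos_filter` in the context lines below, so this follows file convention, but a declaration such as `add table inet vyos_rpfilter` immediately before the delete, if the nft version in use accepts it, would make the delete idempotent for both tables. Note also that the new table is in the `inet` family, so `loose`/`strict` now applies to IPv4 as well as IPv6 despite the commit title; if IPv4 return-path filtering is still also configured via sysctl elsewhere, a comment here stating which mechanism is authoritative would avoid the two drifting apart. A short header comment on the table along the lines of `# Return-path filtering: hooked at priority -300 (raw, before conntrack at -200) so spoofed sources are dropped before any state is created; "oif 0" means the FIB has no route back to saddr (strict additionally requires it to leave via the ingress interface)` would document the non-obvious priority choice and the meaning of the `oif 0` test.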