From a7e14cba820fcb4a0f448c05d4480e00d26130ee Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 18 Jan 2022 18:45:25 +0100
Subject: firewall: T4188: Create default conntrack `FW_CONNTRACK` chain

This chain was missing from the XML/Python rewrite thus all traffic fell through to the `notrack` rule.
---
 data/templates/firewall/nftables.tmpl | 12 ++++++++++++
 1 file changed, 12 insertions(+)


diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
index e8fa4e306..81b2c0b98 100644
--- a/data/templates/firewall/nftables.tmpl
+++ b/data/templates/firewall/nftables.tmpl
@@ -175,6 +175,7 @@ table raw {
         counter jump VYOS_CT_IGNORE
         counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_PREROUTING_HOOK
+        counter jump FW_CONNTRACK
         notrack
     }
 
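Review bot: The `notrack` rule directly after the new `counter jump FW_CONNTRACK` becomes unreachable as long as FW_CONNTRACK ends in `accept`, because `accept` in a jumped-to chain is a terminating verdict for the whole base chain; the same applies to the jumps added in the OUTPUT hunk and the two ip6 hunks. That matches the commit message's intent of stopping traffic from falling through to `notrack`, but a reader of the template cannot tell whether `notrack` is now dead code or still reached when the firewall config rewrites FW_CONNTRACK with `return` rules. If the latter is the contract, it is worth stating it at the jump: `# FW_CONNTRACK accepts tracked flows; whatever it returns falls through to notrack below`. The PREROUTING chain header lies outside the hunk.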
@@ -183,6 +184,7 @@ table raw {
         counter jump VYOS_CT_IGNORE
         counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_OUTPUT_HOOK
+        counter jump FW_CONNTRACK
         notrack
     }
 
@@ -220,6 +222,10 @@ table raw {
     chain VYOS_CT_OUTPUT_HOOK {
         return
     }
+
+    chain FW_CONNTRACK {
+        accept
+    }
 }
 
 table ip6 raw {
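Review bot: The new FW_CONNTRACK chain has no comment explaining why it exists or who is expected to modify it, and the identical chain added in the ip6 hunk below has the same gap. A bare `accept` means every packet reaching the jump is handed to conntrack, which is the fix the commit describes, but the template alone does not show whether this is a fixed default or a hook point that the firewall scripts replace at runtime. Suggest a line above the chain such as `# Default: track all traffic. Replaced when selective conntrack rules are configured.`, adjusted to what the generator actually does. Tracking all flows by default also makes conntrack table capacity a resource-exhaustion concern, so it is worth confirming the table limit is configured elsewhere.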
@@ -230,12 +236,14 @@ table ip6 raw {
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
         counter jump VYOS_CT_PREROUTING_HOOK
+        counter jump FW_CONNTRACK
         notrack
     }
 
     chain OUTPUT {
         type filter hook output priority -300; policy accept;
         counter jump VYOS_CT_OUTPUT_HOOK
+        counter jump FW_CONNTRACK
         notrack
     }
 
@@ -246,5 +254,9 @@ table ip6 raw {
     chain VYOS_CT_OUTPUT_HOOK {
         return
     }
+
+    chain FW_CONNTRACK {
+        accept
+    }
 }
 {% endif %}