From f5590b63f2a849ebe63bf453c561930f846598d5 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 22 Jan 2024 20:48:44 +0100 Subject: vrf: T5973: move initial conntrack firewall table to startup There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code. (cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284) --- data/templates/firewall/nftables-vrf-zones.j2 | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 data/templates/firewall/nftables-vrf-zones.j2 (limited to 'data/templates') diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2 deleted file mode 100644 index 3bce7312d..000000000 --- a/data/templates/firewall/nftables-vrf-zones.j2 +++ /dev/null @@ -1,17 +0,0 @@ -table inet vrf_zones { - # Map of interfaces and connections tracking zones - map ct_iface_map { - typeof iifname : ct zone - } - # Assign unique zones for each VRF - # Chain for inbound traffic - chain vrf_zones_ct_in { - type filter hook prerouting priority raw; policy accept; - counter ct original zone set iifname map @ct_iface_map - } - # Chain for locally-generated traffic - chain vrf_zones_ct_out { - type filter hook output priority raw; policy accept; - counter ct original zone set oifname map @ct_iface_map - } -} -- cgit v1.2.3