From f5590b63f2a849ebe63bf453c561930f846598d5 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Mon, 22 Jan 2024 20:48:44 +0100
Subject: vrf: T5973: move initial conntrack firewall table to startup

There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.

(cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
---
 data/vyos-firewall-init.conf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'data/vyos-firewall-init.conf')

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
 type filter hook prerouting priority -300; policy accept;
 }
 }
+
+# Required by VRF
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ counter ct original zone set iifname map @ct_iface_map
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ counter ct original zone set oifname map @ct_iface_map
+ }
+}
-- cgit v1.2.3
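Review bot: The comment `# Assign unique zones for each VRF` placed above `chain vrf_zones_ct_in` describes nothing in this hunk: `ct_iface_map` is declared without any elements, so the table as written assigns no zones, and a packet whose interface is absent from the map does not match the `ct original zone set` rule and stays in the default conntrack zone. Presumably the VRF configuration code now only adds and removes map elements at runtime (the commit message points that way), but a reader of the init file should not have to infer that. I would replace the stray comment with `# Elements are added/removed at runtime by the VRF config; an interface with no entry keeps ct zone 0` and keep the two per-chain comments as they are. Since the table is now created unconditionally at firewall init, any remaining runtime path that deletes or re-creates `inet vrf_zones` would also drop both chains, so that code should be checked to touch only the map elements.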