From f5590b63f2a849ebe63bf453c561930f846598d5 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Mon, 22 Jan 2024 20:48:44 +0100
Subject: vrf: T5973: move initial conntrack firewall table to startup

There is no need to add and remove this table at runtime - it can live
in the standard firewall init code.

(cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
---
 data/vyos-firewall-init.conf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)


diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
         type filter hook prerouting priority -300; policy accept;
     }
 }
+
+# Required by VRF
+table inet vrf_zones {
+    # Map of interfaces and connections tracking zones
+    map ct_iface_map {
+        typeof iifname : ct zone
+    }
+    # Assign unique zones for each VRF
+    # Chain for inbound traffic
+    chain vrf_zones_ct_in {
+        type filter hook prerouting priority raw; policy accept;
+        counter ct original zone set iifname map @ct_iface_map
+    }
+    # Chain for locally-generated traffic
+    chain vrf_zones_ct_out {
+        type filter hook output priority raw; policy accept;
+        counter ct original zone set oifname map @ct_iface_map
+    }
+}
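Review bot: The comment `# Assign unique zones for each VRF` sits directly above `# Chain for inbound traffic` and reads as a heading for that chain, yet it describes the map, which this file declares empty; presumably the VRF configuration code fills `ct_iface_map` at runtime. I would move it to the map and make the dependency explicit: `# Map of interfaces to conntrack zones; left empty here and populated at runtime by the VRF configuration (one zone per VRF)`. The raw tables earlier in this file spell the hook priority numerically (`priority -300`), whereas the new chains use the symbolic `priority raw`; the values are equivalent, so either use one form throughout or add a short comment noting the equivalence. While the map has no entries the `ct original zone set` rules match nothing and all connections stay in the default zone, which is worth stating so readers do not assume the table alone provides VRF conntrack isolation.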