From 0de3de1e0a78eb35b666b8f613d3e54fd3ad54e4 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Tue, 5 Sep 2023 14:51:16 +0200
Subject: interface: T5550: Interface source-validation priority over global
 value

- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
---
 data/vyos-firewall-init.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'data/vyos-firewall-init.conf')

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..b0026fdf3 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -19,6 +19,15 @@ table raw {
         type filter hook forward priority -300; policy accept;
     }
 
+    chain vyos_global_rpfilter {
+        return
+    }
+
+    chain vyos_rpfilter {
+        type filter hook prerouting priority -300; policy accept;
+        counter jump vyos_global_rpfilter
+    }
+
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
         counter jump VYOS_CT_IGNORE
@@ -82,8 +91,13 @@ table ip6 raw {
         type filter hook forward priority -300; policy accept;
     }
 
+    chain vyos_global_rpfilter {
+        return
+    }
+
     chain vyos_rpfilter {
         type filter hook prerouting priority -300; policy accept;
+        counter jump vyos_global_rpfilter
     }
 
     chain PREROUTING {
-- 
cgit v1.2.3