From 5a8e3089b35e2eca2f896a01410fcdf6ac928278 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 3 Sep 2023 13:08:00 +0200
Subject: conntrack: T4309: T4903: Refactor `system conntrack ignore` rule
 generation, add IPv6 support and firewall groups

---
 data/vyos-firewall-init.conf | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'data/vyos-firewall-init.conf')

diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..768031c83 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -88,6 +88,8 @@ table ip6 raw {
 
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_PREROUTING_HOOK
         counter jump FW_CONNTRACK
         notrack
@@ -95,11 +97,40 @@ table ip6 raw {
 
     chain OUTPUT {
         type filter hook output priority -300; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
         counter jump VYOS_CT_OUTPUT_HOOK
         counter jump FW_CONNTRACK
         notrack
     }
 
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+
+    chain VYOS_CT_HELPER {
+        ct helper set "rpc_tcp" tcp dport {111} return
+        ct helper set "rpc_udp" udp dport {111} return
+        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+        return
+    }
+
+    chain VYOS_CT_IGNORE {
+        return
+    }
+
+    chain VYOS_CT_TIMEOUT {
+        return
+    }
+
     chain VYOS_CT_PREROUTING_HOOK {
         return
     }
-- 
cgit v1.2.3