From 8ba45cfcc1cc3fba57e1f82fa1299b7c253ba5ea Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Wed, 1 Jun 2022 11:53:18 +0200
Subject: firewall: T4299: Add support for GeoIP filtering

---
 data/templates/firewall/nftables-geoip-update.j2 | 33 ++++++++++++++++++++++++
 data/templates/firewall/nftables.j2              | 16 ++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 data/templates/firewall/nftables-geoip-update.j2


diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2
new file mode 100644
index 000000000..f9e61a274
--- /dev/null
+++ b/data/templates/firewall/nftables-geoip-update.j2
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+{% if ipv4_sets is vyos_defined %}
+{%     for setname, ip_list in ipv4_sets.items() %}
+flush set ip filter {{ setname }}
+{%     endfor %}
+
+table ip filter {
+{%     for setname, ip_list in ipv4_sets.items() %}
+    set {{ setname }} {
+        type ipv4_addr
+        flags interval
+        elements = { {{ ','.join(ip_list) }} }
+    }
+{%     endfor %}
+}
+{% endif %}
+
+{% if ipv6_sets is vyos_defined %}
+{%     for setname, ip_list in ipv6_sets.items() %}
+flush set ip6 filter {{ setname }}
+{%     endfor %}
+
+table ip6 filter {
+{%     for setname, ip_list in ipv6_sets.items() %}
+    set {{ setname }} {
+        type ipv6_addr
+        flags interval
+        elements = { {{ ','.join(ip_list) }} }
+    }
+{%     endfor %}
+}
+{% endif %}
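Review bot: The `elements = { {{ ','.join(ip_list) }} }` lines (L32, L48) render `elements = { }` when a set's list is empty (a code with no ranges in the database, or a lookup that returned nothing), and I believe nft rejects that as a syntax error, which would abort the whole `nft -f` run for every set in the file, not just the empty one; wrap the line as `{%         if ip_list %}` / `{%         endif %}` so an empty set is simply flushed and left empty. The template also inserts `setname` and each address verbatim into an nft script with no quoting, so it relies on the caller having validated both as well-formed nft tokens — a one-line comment above the first `flush` stating that assumption (`{# set names and addresses are trusted: caller validates them before rendering #}`) would make the contract visible to whoever feeds `ipv4_sets`/`ipv6_sets`. As a point of style, the flush loops at L23 and L39 bind `ip_list` without using it; `{%     for setname in ipv4_sets %}` reads more honestly.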
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 1f88ae40c..961b83301 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -60,6 +60,14 @@ table ip filter {
         flags dynamic
     }
 {%     endfor %}
+{%     if geoip_updated.name is vyos_defined %}
+{%         for setname in geoip_updated.name %}
+    set {{ setname }} {
+        type ipv4_addr
+        flags interval
+    }
+{%         endfor %}
+{%     endif %}
 {% endif %}
 {% if state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY {
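Review bot: The set definition added at L63-66 (`type ipv4_addr` + `flags interval`) must stay in lockstep with the one in nftables-geoip-update.j2, because a later `nft -f` of the update script against a set declared here with different type or flags will fail, and nothing in either template ties them together; a comment such as `{# must match set definition in nftables-geoip-update.j2 #}` above the `{% if geoip_updated.name ... %}` line would record that coupling. The same applies to the ip6 hunk at L76-83. Naming is also asymmetric — the IPv4 list is `geoip_updated.name` while the IPv6 one is `geoip_updated.ipv6_name`; if the consumer's key can still be changed, `ipv4_name` would make the pair self-describing. The enclosing `table ip filter {` block starts before this hunk.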
@@ -121,6 +129,14 @@ table ip6 filter {
         flags dynamic
     }
 {%     endfor %}
+{%     if geoip_updated.ipv6_name is vyos_defined %}
+{%         for setname in geoip_updated.ipv6_name %}
+    set {{ setname }} {
+        type ipv6_addr
+        flags interval
+    }
+{%         endfor %}
+{%     endif %}
 {% endif %}
 {% if state_policy is vyos_defined %}
     chain VYOS_STATE_POLICY6 {
-- 
cgit v1.2.3