#!/usr/sbin/nft -f

{% import 'firewall/nftables-defines.j2' as group_tmpl %}

# The IPv4 table is recreated from scratch below: drop the previous instance
# first, except on first install when no table exists yet. nft -f applies the
# whole file as one transaction, so the delete and the re-create below commit
# atomically and the kernel never runs without the table.
{% if first_install is not vyos_defined %}
delete table ip vyos_conntrack
{% endif %}
# IPv4 connection-tracking policy. Both base chains hook at priority -300, ahead
# of the kernel conntrack hook (-200), with 'policy accept'. Each jumped-to chain
# either accepts the packet (it is then tracked by conntrack) or returns; a
# packet that falls through every chain reaches the trailing 'notrack' and is
# never tracked. Tracking is therefore opt-in per subsystem (firewall, NAT, WLB).
table ip vyos_conntrack {
    # Flows the operator excluded from tracking (conntrack ignore ipv4 rule N).
    # Each rule line is produced by the conntrack_ignore_rule filter; presumably
    # it emits a 'notrack' verdict for the matched flow - confirm in the filter.
    # NOTE(review): the description is interpolated unescaped into the '#'
    # comment line; this relies on the CLI not accepting newlines in
    # descriptions - confirm against the node validator.
    chain VYOS_CT_IGNORE {
{% if ignore.ipv4.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv4.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
       {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
{%     endfor %}
{% endif %}
        return
    }
    # NOTE(review): the loop below renders only a comment per custom timeout
    # rule and no nftables statement, so apart from 'return' this chain is
    # currently empty - confirm whether custom timeouts are applied elsewhere
    # (e.g. via ct timeout objects) or whether this is an unfinished feature.
    chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }

    # Ingress path. The helper chain is only wired in when firewall or NAT
    # tracking is enabled - presumably because helper assignment is only
    # meaningful for packets that will actually be tracked.
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        counter jump WLB_CONNTRACK
        notrack
    }

    # Locally generated traffic. Same structure as PREROUTING, except the WLB
    # jump is additionally gated on wlb_local_action.
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
{% if wlb_local_action %}
        counter jump WLB_CONNTRACK
{% endif %}
        notrack
    }

    # Helper objects are declared unconditionally so that the module rules
    # rendered into VYOS_CT_HELPER can reference them regardless of which
    # modules are enabled (presumably; see module_map on the Python side).
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }

    ct helper rpc_udp {
        type "rpc" protocol udp;
    }

    ct helper tns_tcp {
        type "tns" protocol tcp;
    }

    # One rule line per 'nftables' entry of every module in module_map whose
    # module is enabled in the configuration. Modules without an 'nftables'
    # key contribute nothing here.
    chain VYOS_CT_HELPER {
{% for module, module_conf in module_map.items() %}
{%     if modules[module] is vyos_defined %}
{%         if 'nftables' in module_conf %}
{%             for rule in module_conf.nftables %}
        {{ rule }}
{%             endfor %}
{%         endif %}
{%     endif %}
{% endfor %}
        return
    }

    # Verdict chains. Each renders the single verdict chosen by the Python side:
    # 'accept' (compared against above) turns tracking on for that subsystem;
    # any other value is expected to be 'return' so the base chain proceeds to
    # 'notrack' - confirm the possible values in the conntrack config script.
    chain FW_CONNTRACK {
        {{ ipv4_firewall_action }}
    }

    chain NAT_CONNTRACK {
        {{ ipv4_nat_action }}
    }

    chain WLB_CONNTRACK {
        {{ wlb_action }}
    }

    # Firewall groups (address/network/port sets) rendered from the shared
    # macro, presumably so the ignore rules above can reference them. The
    # second argument is False here and True in the ip6 table, so it appears
    # to select the IPv6 variant; the third flag is defined in
    # nftables-defines.j2 - check there before changing it.
{% if firewall.group is vyos_defined %}
{{ group_tmpl.groups(firewall.group, False, True) }}
{% endif %}
}

# Same recreate-from-scratch pattern as the IPv4 table: drop the previous ip6
# instance unless this is the first install. Applied atomically with the
# table definition below as part of the single nft -f transaction.
{% if first_install is not vyos_defined %}
delete table ip6 vyos_conntrack
{% endif %}
# IPv6 connection-tracking policy. Mirrors the ip table (priority -300 base
# chains, opt-in tracking via 'accept' in the verdict chains, trailing
# 'notrack' for everything else) except that there is no WLB chain: load
# balancing tracking is IPv4-only in this template.
table ip6 vyos_conntrack {
    # Flows excluded from tracking (conntrack ignore ipv6 rule N); rule lines
    # come from the conntrack_ignore_rule filter with ipv6=True. Presumably
    # each emits a 'notrack' verdict - confirm in the filter.
    # NOTE(review): the description is interpolated unescaped into the '#'
    # comment line; relies on the CLI not accepting newlines in descriptions.
    chain VYOS_CT_IGNORE {
{% if ignore.ipv6.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv6.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
       {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{%     endfor %}
{% endif %}
        return
    }
    # NOTE(review): as in the ip table, only a comment is rendered per custom
    # timeout rule and no nftables statement - this chain is effectively a
    # no-op. Note it iterates the same timeout.custom.rule set as the IPv4
    # chain, i.e. timeouts are not split by address family here.
    chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }

    # Ingress path; helper chain only wired in when firewall or NAT tracking
    # is enabled for IPv6.
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }

    # Locally generated traffic; identical chain sequence to PREROUTING.
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }

    # Helper objects declared unconditionally so module rules can reference
    # them whichever modules are enabled (presumably; see module_map).
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }

    ct helper rpc_udp {
        type "rpc" protocol udp;
    }

    ct helper tns_tcp {
        type "tns" protocol tcp;
    }

    # Same module-driven helper rules as the ip table; the rule text is taken
    # verbatim from module_map, so any family-specific matching must already
    # be encoded there.
    chain VYOS_CT_HELPER {
{% for module, module_conf in module_map.items() %}
{%     if modules[module] is vyos_defined %}
{%         if 'nftables' in module_conf %}
{%             for rule in module_conf.nftables %}
        {{ rule }}
{%             endfor %}
{%         endif %}
{%     endif %}
{% endfor %}
        return
    }

    # Verdict chains: 'accept' enables tracking for the subsystem; any other
    # value is expected to be 'return' so the base chain reaches 'notrack'.
    chain FW_CONNTRACK {
        {{ ipv6_firewall_action }}
    }

    chain NAT_CONNTRACK {
        {{ ipv6_nat_action }}
    }

    # Firewall groups rendered for the IPv6 family (second argument True);
    # see nftables-defines.j2 for the meaning of the third flag.
{% if firewall.group is vyos_defined %}
{{ group_tmpl.groups(firewall.group, True, True) }}
{% endif %}
}