#!/usr/sbin/nft -f
{#
   Connection-tracking ruleset for VyOS: one `vyos_conntrack` table for ip and
   one for ip6. Both tables hook prerouting and output at priority -300 (the
   conventional `raw` priority) with `policy accept`, and every base chain ends
   in `notrack`; a flow is therefore tracked only if FW_CONNTRACK,
   NAT_CONNTRACK or (ip only) WLB_CONNTRACK accepts it before the trailing
   `notrack` is reached.

   Variables consumed: first_install, ignore, timeout, module_map, modules,
   ipv4_firewall_action, ipv4_nat_action, ipv6_firewall_action,
   ipv6_nat_action, wlb_action, wlb_local_action, firewall.group.
   Custom filter used: conntrack_ignore_rule (defined outside this file).
#}
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% if first_install is not vyos_defined %}
{# A re-render replaces the whole table; on first install it is skipped,
   presumably because the table does not exist yet and `delete` would fail. #}
delete table ip vyos_conntrack
{% endif %}
table ip vyos_conntrack {
    chain VYOS_CT_IGNORE {
{% if ignore.ipv4.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv4.rule.items() %}
{#     The description is spliced verbatim into an nft `#` comment, which runs
       to end of line; this relies on the CLI validator rejecting newlines in
       descriptions — TODO confirm. The rule body itself comes from the
       conntrack_ignore_rule filter. #}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
        {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
{%     endfor %}
{% endif %}
        return
    }
    chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
{#     NOTE(review): only the comment line is emitted per custom timeout rule;
       no nft rule body is rendered here, so this chain is a no-op apart from
       `return`. Confirm the custom timeouts are applied elsewhere. #}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
{# Helper rules are only consulted when firewall or NAT asks for tracking. #}
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        counter jump WLB_CONNTRACK
{# Reached only if none of the chains above issued `accept`: the packet is
   then excluded from connection tracking. #}
        notrack
    }
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
{# Locally generated traffic only consults WLB when wlb_local_action is set. #}
{% if wlb_local_action %}
        counter jump WLB_CONNTRACK
{% endif %}
        notrack
    }
{# Helper objects are declared unconditionally; they are presumably referenced
   by the per-module rules rendered into VYOS_CT_HELPER below. #}
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }
    ct helper rpc_udp {
        type "rpc" protocol udp;
    }
    ct helper tns_tcp {
        type "tns" protocol tcp;
    }
    chain VYOS_CT_HELPER {
{# A module contributes rules only when it is enabled in `modules` and its
   module_map entry carries an `nftables` list; each entry is emitted as-is. #}
{% for module, module_conf in module_map.items() %}
{%     if modules[module] is vyos_defined %}
{%         if 'nftables' in module_conf %}
{%             for rule in module_conf.nftables %}
        {{ rule }}
{%             endfor %}
{%         endif %}
{%     endif %}
{% endfor %}
        return
    }
{# Each decision chain holds a single verdict supplied by the caller; the
   comparisons against 'accept' above suggest the values are 'accept' or
   'return', but that is not visible here. #}
    chain FW_CONNTRACK {
        {{ ipv4_firewall_action }}
    }
    chain NAT_CONNTRACK {
        {{ ipv4_nat_action }}
    }
    chain WLB_CONNTRACK {
        {{ wlb_action }}
    }
{% if firewall.group is vyos_defined %}
{# Firewall group definitions, presumably so ignore rules can reference them;
   the second argument appears to be an IPv6 flag (False here, True in the
   ip6 table) — TODO confirm against nftables-defines.j2. #}
{{ group_tmpl.groups(firewall.group, False, True) }}
{% endif %}
}
{# The ip6 table mirrors the ip table with two differences: the ignore rules
   are rendered with ipv6=True, and there is no WLB_CONNTRACK chain or jump. #}
{% if first_install is not vyos_defined %}
delete table ip6 vyos_conntrack
{% endif %}
table ip6 vyos_conntrack {
    chain VYOS_CT_IGNORE {
{% if ignore.ipv6.rule is vyos_defined %}
{%     for rule, rule_config in ignore.ipv6.rule.items() %}
{#     Same comment-injection caveat as the ip table: description must not
       contain a newline — TODO confirm the CLI validator rejects it. #}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
        {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{%     endfor %}
{% endif %}
        return
    }
    chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{%     for rule, rule_config in timeout.custom.rule.items() %}
{#     NOTE(review): comment-only, as in the ip table; no timeout rule body is
       rendered. #}
        # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
{%     endfor %}
{% endif %}
        return
    }
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
        counter jump VYOS_CT_HELPER
{% endif %}
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump FW_CONNTRACK
        counter jump NAT_CONNTRACK
        notrack
    }
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }
    ct helper rpc_udp {
        type "rpc" protocol udp;
    }
    ct helper tns_tcp {
        type "tns" protocol tcp;
    }
    chain VYOS_CT_HELPER {
{# Same module_map / modules gating as the ip table. #}
{% for module, module_conf in module_map.items() %}
{%     if modules[module] is vyos_defined %}
{%         if 'nftables' in module_conf %}
{%             for rule in module_conf.nftables %}
        {{ rule }}
{%             endfor %}
{%         endif %}
{%     endif %}
{% endfor %}
        return
    }
    chain FW_CONNTRACK {
        {{ ipv6_firewall_action }}
    }
    chain NAT_CONNTRACK {
        {{ ipv6_nat_action }}
    }
{% if firewall.group is vyos_defined %}
{{ group_tmpl.groups(firewall.group, True, True) }}
{% endif %}
}