#!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} {% import 'firewall/nftables-zone.j2' as zone_tmpl %} {% if first_install is not vyos_defined %} delete table ip vyos_filter {% endif %} table ip vyos_filter { chain VYOS_FW_FORWARD { type filter hook forward priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY {% endif %} {% if interface is vyos_defined %} {% for ifname, ifconf in interface.items() %} {% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %} iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }} {% endif %} {% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %} oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }} {% endif %} {% endfor %} {% endif %} jump VYOS_POST_FW } chain VYOS_FW_LOCAL { type filter hook input priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY {% endif %} {% if interface is vyos_defined %} {% for ifname, ifconf in interface.items() %} {% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %} iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }} {% endif %} {% endfor %} {% endif %} jump VYOS_POST_FW } chain VYOS_FW_OUTPUT { type filter hook output priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY {% endif %} jump VYOS_POST_FW } chain VYOS_POST_FW { return } chain VYOS_FRAG_MARK { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } {% if name is vyos_defined %} {% set ns = namespace(sets=[]) %} {% for name_text, conf in name.items() %} chain NAME_{{ name_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} {% if rule_conf.recent is vyos_defined %} {% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} {% endif %} {% endfor %} {% endif %} {{ conf | nft_default_rule(name_text) }} } {% endfor %} {% for set_name in ip_fqdn %} set FQDN_{{ set_name }} { type ipv4_addr flags interval } {% endfor %} {% for set_name in ns.sets %} set RECENT_{{ set_name }} { type ipv4_addr size 65535 flags dynamic } {% endfor %} {% if geoip_updated.name is vyos_defined %} {% for setname in geoip_updated.name %} set {{ setname }} { type ipv4_addr flags interval } {% endfor %} {% endif %} {% endif %} {{ group_tmpl.groups(group, False) }} {% if zone is vyos_defined %} {{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} {% endif %} {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY { {% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established') }} {% endif %} {% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid') }} {% endif %} {% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related') }} {% endif %} return } {% endif %} } {% if first_install is not vyos_defined %} delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { chain VYOS_FW6_FORWARD { type filter hook forward priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY6 {% endif %} {% if interface is vyos_defined %} {% for ifname, ifconf in interface.items() %} {% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %} iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }} {% endif %} {% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %} oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }} {% endif %} {% endfor %} {% endif %} jump VYOS_POST_FW6 } chain VYOS_FW6_LOCAL { type filter hook input priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY6 {% endif %} {% if interface is vyos_defined %} {% for ifname, ifconf in interface.items() %} {% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %} iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }} {% endif %} {% endfor %} {% endif %} jump VYOS_POST_FW6 } chain VYOS_FW6_OUTPUT { type filter hook output priority 0; policy accept; {% if state_policy is vyos_defined %} jump VYOS_STATE_POLICY6 {% endif %} jump VYOS_POST_FW6 } chain VYOS_POST_FW6 { return } chain VYOS_FRAG6_MARK { type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0xffff1 return } {% if ipv6_name is vyos_defined %} {% set ns = namespace(sets=[]) %} {% for name_text, conf in ipv6_name.items() %} chain NAME6_{{ name_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} {% if rule_conf.recent is vyos_defined %} {% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} {% endif %} {% endfor %} {% endif %} {{ conf | nft_default_rule(name_text, ipv6=True) }} } {% endfor %} {% for set_name in ip6_fqdn %} set FQDN_{{ set_name }} { type ipv6_addr flags interval } {% endfor %} {% for set_name in ns.sets %} set RECENT6_{{ set_name }} { type ipv6_addr size 65535 flags dynamic } {% endfor %} {% if geoip_updated.ipv6_name is vyos_defined %} {% for setname in geoip_updated.ipv6_name %} set {{ setname }} { type ipv6_addr flags interval } {% endfor %} {% endif %} {% endif %} {{ group_tmpl.groups(group, True) }} {% if zone is vyos_defined %} {{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} {% endif %} {% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { {% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established') }} {% endif %} {% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid') }} {% endif %} {% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related') }} {% endif %} return } {% endif %} }