#!/usr/sbin/nft -f # Required by wanloadbalance table ip nat { chain VYOS_PRE_SNAT_HOOK { type nat hook postrouting priority 99; policy accept; return } } table inet mangle { chain FORWARD { type filter hook forward priority -150; policy accept; } } table raw { chain VYOS_TCP_MSS { type filter hook forward priority -300; policy accept; } chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_PREROUTING_HOOK counter jump FW_CONNTRACK notrack } chain OUTPUT { type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_OUTPUT_HOOK counter jump FW_CONNTRACK notrack } ct helper rpc_tcp { type "rpc" protocol tcp; } ct helper rpc_udp { type "rpc" protocol udp; } ct helper tns_tcp { type "tns" protocol tcp; } chain VYOS_CT_HELPER { ct helper set "rpc_tcp" tcp dport {111} return ct helper set "rpc_udp" udp dport {111} return ct helper set "tns_tcp" tcp dport {1521,1525,1536} return return } chain VYOS_CT_IGNORE { return } chain VYOS_CT_TIMEOUT { return } chain VYOS_CT_PREROUTING_HOOK { return } chain VYOS_CT_OUTPUT_HOOK { return } chain FW_CONNTRACK { return } } table ip6 raw { chain VYOS_TCP_MSS { type filter hook forward priority -300; policy accept; } chain vyos_rpfilter { type filter hook prerouting priority -300; policy accept; } chain PREROUTING { type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_PREROUTING_HOOK counter jump FW_CONNTRACK notrack } chain OUTPUT { type filter hook output priority -300; policy accept; counter jump VYOS_CT_OUTPUT_HOOK counter jump FW_CONNTRACK notrack } chain VYOS_CT_PREROUTING_HOOK { return } chain VYOS_CT_OUTPUT_HOOK { return } chain FW_CONNTRACK { return } }