{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% macro bridge(bridge) %}
{# Render the bridge-family firewall ruleset for one 'bridge' config subtree:
   hook chains (forward / input / output), custom NAME_ chains, the address
   sets those chains reference, the shared group definitions and, when
   configured, the VYOS_STATE_POLICY chain.
   Besides the 'bridge' argument this reads the context variables
   global_options, ip_fqdn, geoip_updated and group. #}
{# ns.sets collects '<FWD|INP|OUT|NAM>_<chain>_<rule_id>' for every rule that
   sets 'recent'; the matching RECENT_ sets are emitted at the end of the macro. #}
{% set ns = namespace(sets=[]) %}
{% if bridge.forward is vyos_defined %}
{% for prior, conf in bridge.forward.items() %}
{# Base chain on the forward hook. The nftables policy is always accept; the
   configured default action is presumably added by nft_default_rule at the
   bottom of the chain — confirm against that filter. #}
chain VYOS_FORWARD_{{ prior }} {
type filter hook forward priority {{ prior }}; policy accept;
{# Conntrack state handling runs before any user rule when a global state policy exists. #}
{% if global_options.state_policy is vyos_defined %}
jump VYOS_STATE_POLICY
{% endif %}
{% if conf.rule is vyos_defined %}
{# Rules with 'disable' set are dropped at render time, so they never reach nftables. #}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule('FWD-filter', 'bri') }}
}
{% endfor %}
{% endif %}
{% if bridge.input is vyos_defined %}
{% for prior, conf in bridge.input.items() %}
{# Base chain on the input hook; same structure as the forward chain above. #}
chain VYOS_INPUT_{{ prior }} {
type filter hook input priority {{ prior }}; policy accept;
{% if global_options.state_policy is vyos_defined %}
jump VYOS_STATE_POLICY
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('INP', prior, rule_id, 'bri') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule('INP-filter', 'bri') }}
}
{% endfor %}
{% endif %}
{% if bridge.output is vyos_defined %}
{% for prior, conf in bridge.output.items() %}
{# NOTE(review): the chain name reads VYOS_OUTUT_, unlike VYOS_FORWARD_ and
   VYOS_INPUT_ above. This looks like a typo for VYOS_OUTPUT_; the hook itself
   is correct, so traffic handling is unaffected, but anything that addresses
   this chain by name (flush, delete, counters) must use the misspelt form.
   Confirm no other component references it before renaming. #}
chain VYOS_OUTUT_{{ prior }} {
type filter hook output priority {{ prior }}; policy accept;
{% if global_options.state_policy is vyos_defined %}
jump VYOS_STATE_POLICY
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('OUT', prior, rule_id, 'bri') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule('OUT-filter', 'bri') }}
}
{% endfor %}
{% endif %}
{% if bridge.name is vyos_defined %}
{% for name_text, conf in bridge.name.items() %}
{# Custom (non-hook) chains; they only see traffic that a hook chain jumps to them. #}
chain NAME_{{ name_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
{{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text, 'bri') }}
}
{% endfor %}
{% endif %}
{# Dynamic sets backing 'recent' matches, one per rule collected in ns.sets.
   The 65535 entry cap bounds memory; entries beyond it are a matter of
   nftables set semantics, not of this template. ipv4_addr only — confirm
   that IPv6 'recent' matching is not expected on bridge chains. #}
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
size 65535
flags dynamic
}
{% endfor %}
{# Interval sets for resolved FQDN groups; ip_fqdn is supplied by the caller
   and is presumably populated by the resolver — confirm. #}
{% for set_name in ip_fqdn %}
set FQDN_{{ set_name }} {
type ipv4_addr
flags interval
}
{% endfor %}
{# Interval sets for geoip groups that have been refreshed; names are taken
   verbatim from geoip_updated.name. #}
{% if geoip_updated.name is vyos_defined %}
{% for setname in geoip_updated.name %}
set {{ setname }} {
type ipv4_addr
flags interval
}
{% endfor %}
{% endif %}
{# Two passes over the shared group definitions with different flag arguments;
   see nftables-defines.j2 for what the booleans select. #}
{{ group_tmpl.groups(group, False, True) }}
{{ group_tmpl.groups(group, True, True) }}
{# Shared conntrack-state chain jumped to from every hook chain above. Only the
   states that are configured get a rule; anything else falls through to the
   final 'return' and continues in the calling chain. #}
{% if global_options.state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
{% if global_options.state_policy.established is vyos_defined %}
{{ global_options.state_policy.established | nft_state_policy('established') }}
{% endif %}
{% if global_options.state_policy.invalid is vyos_defined %}
{{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
{% endif %}
{% if global_options.state_policy.related is vyos_defined %}
{{ global_options.state_policy.related | nft_state_policy('related') }}
{% endif %}
return
}
{% endif %}
{% endmacro %}