data/templates/firewall/nftables-vrf-zones.j2


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

table inet vrf_zones {
  # Map of interfaces and connections tracking zones
  map ct_iface_map {
    typeof iifname : ct zone
  }
  # Assign unique zones for each VRF
  # Chain for inbound traffic
  chain vrf_zones_ct_in {
    type filter hook prerouting priority raw; policy accept;
    counter ct original zone set iifname map @ct_iface_map
  }
  # Chain for locally-generated traffic
  chain vrf_zones_ct_out {
    type filter hook output priority raw; policy accept;
    counter ct original zone set oifname map @ct_iface_map
  }
}