table inet vrf_zones {
  # Interface name -> conntrack zone id. The map is declared empty here;
  # entries are presumably added at runtime (nft add element ...) by the
  # code that renders this template — confirm before relying on it.
  map ct_iface_map {
    typeof meta iifname : ct zone
  }

  # Separate conntrack zones keep connection state apart per interface (the
  # existing comments say one zone per VRF), so overlapping 5-tuples seen on
  # different interfaces are not matched against each other's entries.
  #
  # Both chains hook at priority raw (-300), which runs before conntrack
  # (-200), so the zone is already assigned when the packet is classified.
  # A failed map lookup aborts the rule, so an interface with no map entry
  # keeps the default zone 0 and shares state with every other unmapped
  # interface. `counter` comes before the lookup so it counts every packet
  # that traverses the chain, not only those whose interface is mapped.

  # Packets arriving from the network: zone from the input interface
  chain vrf_zones_ct_in {
    type filter hook prerouting priority raw
    policy accept
    counter ct zone set meta iifname map @ct_iface_map
  }

  # Packets generated on this host: zone from the output interface
  chain vrf_zones_ct_out {
    type filter hook output priority raw
    policy accept
    counter ct zone set meta oifname map @ct_iface_map
  }
}