path: root/data/templates/firewall/nftables.j2
blob: 961b83301f86c9f99e15f5ec259b039ca09c3337 (plain)
#!/usr/sbin/nft -f

{# Statements the generator wants executed before the ruleset below is loaded.
   Each entry is emitted verbatim as a line of this nft script — the template
   does no quoting or validation.  NOTE(review): this assumes cleanup_commands
   is built by the Python side from fixed strings, never from user-supplied
   text — confirm against the caller. #}
{% if cleanup_commands is vyos_defined %}
{%     for command in cleanup_commands %}
{{ command }}
{%     endfor %}
{% endif %}

{# Definitions rendered by a separate template (presumably the address/port
   group defines used by the NAME_ chains).  nft aborts the whole script if
   this file is missing, so it must be written before this one is applied. #}
include "/run/nftables_defines.conf"

table ip filter {
{# The base chains, the post-firewall hook and the fragment-marking chain are
   only emitted on the first install; later renders leave them in place and
   only regenerate the per-ruleset NAME_ chains and sets further down. #}
{% if first_install is vyos_defined %}
    chain VYOS_FW_FORWARD {
        type filter hook forward priority 0; policy accept;
        jump VYOS_POST_FW
    }
    chain VYOS_FW_LOCAL {
        type filter hook input priority 0; policy accept;
        jump VYOS_POST_FW
    }
    chain VYOS_FW_OUTPUT {
        type filter hook output priority 0; policy accept;
        jump VYOS_POST_FW
    }
{# Empty hook for other components to populate.  With "policy accept" on all
   three base chains above, anything that is not dropped inside this chain is
   allowed through. #}
    chain VYOS_POST_FW {
        return
    }
{# frag-off & 0x3fff covers the MF bit and the 13-bit fragment offset, so this
   marks every packet belonging to a fragmented datagram (first fragment
   included) with 0xffff1 at prerouting, before any filter rule sees it. #}
    chain VYOS_FRAG_MARK {
        type filter hook prerouting priority -450; policy accept;
        ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
    }
{% endif %}
{# One NAME_<ruleset> chain per configured IPv4 firewall name.  Rules whose
   'disable' node is set are skipped entirely; every rule that uses 'recent'
   records "<name>_<rule>" in ns.sets so a matching RECENT_ set is declared
   after the chains.  The nft_default_rule filter presumably emits the
   ruleset's default-action rule, which is why it comes last. #}
{% if name is vyos_defined %}
{%     set ns = namespace(sets=[]) %}
{%     for name_text, conf in name.items() %}
    chain NAME_{{ name_text }} {
{%         if conf.rule is vyos_defined %}
{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
        {{ rule_conf | nft_rule(name_text, rule_id) }}
{%                 if rule_conf.recent is vyos_defined %}
{%                     set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
{%                 endif %}
{%             endfor %}
{%         endif %}
        {{ conf | nft_default_rule(name_text) }}
    }
{%     endfor %}
{# Domain groups become empty interval sets, presumably filled in by a resolver
   elsewhere.  NOTE(review): the loop variable 'name' shadows the ruleset dict
   inside this loop (harmless, Jinja scopes it to the loop body), these sets are
   only declared when at least one IPv4 ruleset exists, and the ip6 table has
   no counterpart — confirm all three are intended. #}
{%     if group is vyos_defined and group.domain_group is vyos_defined %}
{%         for name, name_config in group.domain_group.items() %}
    set {{ name }} {
        type ipv4_addr
        flags interval
    }
{%         endfor %}
{%     endif %}
{# Dynamic sets backing the 'recent' matches collected above.  "size 65535"
   caps the number of tracked addresses per rule; NOTE(review): what happens to
   new matches once a set is full depends on the statement nft_rule emits —
   confirm the intended behaviour. #}
{%     for set_name in ns.sets %}
    set RECENT_{{ set_name }} {
        type ipv4_addr
        size 65535
        flags dynamic
    }
{%     endfor %}
{# GeoIP sets are declared here so rules can reference them; their contents
   are presumably loaded by the geoip update job, not by this template. #}
{%     if geoip_updated.name is vyos_defined %}
{%         for setname in geoip_updated.name %}
    set {{ setname }} {
        type ipv4_addr
        flags interval
    }
{%         endfor %}
{%     endif %}
{% endif %}
{# Global state policy, one rule per configured state (established, invalid,
   related).  NOTE(review): nothing in this template jumps into
   VYOS_STATE_POLICY, so it is presumably wired into the base chains by other
   code — confirm. #}
{% if state_policy is vyos_defined %}
    chain VYOS_STATE_POLICY {
{%     if state_policy.established is vyos_defined %}
        {{ state_policy.established | nft_state_policy('established') }}
{%     endif %}
{%     if state_policy.invalid is vyos_defined %}
        {{ state_policy.invalid | nft_state_policy('invalid') }}
{%     endif %}
{%     if state_policy.related is vyos_defined %}
        {{ state_policy.related | nft_state_policy('related') }}
{%     endif %}
        return
    }
{% endif %}
}

table ip6 filter {
{# IPv6 mirror of "table ip filter": skeleton chains only on first install,
   per-ruleset chains and sets on every render. #}
{% if first_install is vyos_defined %}
    chain VYOS_FW6_FORWARD {
        type filter hook forward priority 0; policy accept;
        jump VYOS_POST_FW6
    }
    chain VYOS_FW6_LOCAL {
        type filter hook input priority 0; policy accept;
        jump VYOS_POST_FW6
    }
    chain VYOS_FW6_OUTPUT {
        type filter hook output priority 0; policy accept;
        jump VYOS_POST_FW6
    }
{# Empty hook for other components to populate; base chains are all
   "policy accept", so anything not dropped in here passes. #}
    chain VYOS_POST_FW6 {
        return
    }
{# IPv6 has no fragment-offset field in the fixed header; the presence of a
   Fragment extension header is what identifies fragments, and those get the
   same 0xffff1 mark as the IPv4 chain uses. #}
    chain VYOS_FRAG6_MARK {
        type filter hook prerouting priority -450; policy accept;
        exthdr frag exists meta mark set 0xffff1 return
    }
{% endif %}
{# One NAME6_<ruleset> chain per configured IPv6 firewall name.  Disabled rules
   are skipped; rules using 'recent' register "<name>_<rule>" in ns.sets for the
   RECENT6_ sets below.  nft_rule is passed 'ip6' so the emitted match
   expressions use the IPv6 protocol family. #}
{% if ipv6_name is vyos_defined %}
{%     set ns = namespace(sets=[]) %}
{%     for name_text, conf in ipv6_name.items() %}
    chain NAME6_{{ name_text }} {
{%         if conf.rule is vyos_defined %}
{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
        {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
{%                 if rule_conf.recent is vyos_defined %}
{%                     set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
{%                 endif %}
{%             endfor %}
{%         endif %}
        {{ conf | nft_default_rule(name_text) }}
    }
{%     endfor %}
{# Dynamic sets backing the 'recent' matches; same 65535-entry cap as the
   IPv4 sets.  NOTE(review): unlike the ip table, no domain_group sets are
   declared for IPv6 here — confirm that is intended. #}
{%     for set_name in ns.sets %}
    set RECENT6_{{ set_name }} {
        type ipv6_addr
        size 65535
        flags dynamic
    }
{%     endfor %}
{# GeoIP sets declared for rules to reference; contents presumably come from
   the geoip update job. #}
{%     if geoip_updated.ipv6_name is vyos_defined %}
{%         for setname in geoip_updated.ipv6_name %}
    set {{ setname }} {
        type ipv6_addr
        flags interval
    }
{%         endfor %}
{%     endif %}
{% endif %}
{# Global IPv6 state policy; ipv6=True presumably selects IPv6-specific output
   from nft_state_policy.  NOTE(review): as with the IPv4 chain, nothing in this
   template jumps into VYOS_STATE_POLICY6 — confirm it is wired elsewhere. #}
{% if state_policy is vyos_defined %}
    chain VYOS_STATE_POLICY6 {
{%     if state_policy.established is vyos_defined %}
        {{ state_policy.established | nft_state_policy('established', ipv6=True) }}
{%     endif %}
{%     if state_policy.invalid is vyos_defined %}
        {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }}
{%     endif %}
{%     if state_policy.related is vyos_defined %}
        {{ state_policy.related | nft_state_policy('related', ipv6=True) }}
{%     endif %}
        return
    }
{% endif %}
}

{# NAT, mangle and raw skeletons are created only on the first install.  Every
   base chain here is "policy accept" and does nothing but jump into an empty
   VYOS_*_HOOK chain; this template never populates those hooks, other
   components are expected to. #}
{% if first_install is vyos_defined %}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        counter jump VYOS_PRE_DNAT_HOOK
    }

    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        counter jump VYOS_PRE_SNAT_HOOK
    }

    chain VYOS_PRE_DNAT_HOOK {
        return
    }

    chain VYOS_PRE_SNAT_HOOK {
        return
    }
}

{# IPv6 NAT skeleton; the hook names (DNPT/SNPT) suggest prefix translation
   rather than classic NAT is what gets attached here. #}
table ip6 nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        counter jump VYOS_DNPT_HOOK
    }

    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        counter jump VYOS_SNPT_HOOK
    }

    chain VYOS_DNPT_HOOK {
        return
    }

    chain VYOS_SNPT_HOOK {
        return
    }
}

{# Family-agnostic mangle table with a single empty forward chain placed well
   before the filter chains (priority -150). #}
table inet mangle {
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
    }
}

{# "table raw" with no family keyword is the ip family in nft, so this is the
   IPv4 counterpart of "table ip6 raw" below. #}
table raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

{# NOTE(review): this prerouting chain (and OUTPUT below) runs at priority
   -200, while the ip6 raw chains run at -300.  Conntrack itself hooks at -200,
   so priority alone does not guarantee the trailing notrack is evaluated
   before conntrack picks the packet up — confirm the intended ordering.
   FW_CONNTRACK ends with "accept", which terminates the base chain, so
   "notrack" is only reached if FW_CONNTRACK is later replaced by a chain that
   returns — presumably how conntrack is toggled; confirm. #}
    chain PREROUTING {
        type filter hook prerouting priority -200; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_PREROUTING_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    chain OUTPUT {
        type filter hook output priority -200; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_OUTPUT_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

{# Conntrack helper objects (ALGs) assigned by VYOS_CT_HELPER below on their
   well-known ports.  NOTE(review): no chain in this template jumps to
   VYOS_CT_HELPER, so it is presumably referenced from elsewhere — confirm,
   since helpers that parse payload are only worth enabling where needed. #}
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }

    ct helper rpc_udp {
        type "rpc" protocol udp;
    }

    ct helper tns_tcp {
        type "tns" protocol tcp;
    }

    chain VYOS_CT_HELPER {
        ct helper set "rpc_tcp" tcp dport {111} return
        ct helper set "rpc_udp" udp dport {111} return
        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
        return
    }

{# Empty hooks for the conntrack ignore / timeout / custom-rule features;
   populated by other components. #}
    chain VYOS_CT_IGNORE {
        return
    }

    chain VYOS_CT_TIMEOUT {
        return
    }

    chain VYOS_CT_PREROUTING_HOOK {
        return
    }

    chain VYOS_CT_OUTPUT_HOOK {
        return
    }

{# "accept" here ends base-chain processing, so packets stay tracked. #}
    chain FW_CONNTRACK {
        accept
    }
}

{# IPv6 raw table.  NOTE(review): unlike the ip raw table, there are no
   VYOS_CT_IGNORE / VYOS_CT_TIMEOUT jumps here and the chains run at -300 —
   confirm the asymmetry is intended. #}
table ip6 raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        counter jump VYOS_CT_PREROUTING_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    chain OUTPUT {
        type filter hook output priority -300; policy accept;
        counter jump VYOS_CT_OUTPUT_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    chain VYOS_CT_PREROUTING_HOOK {
        return
    }

    chain VYOS_CT_OUTPUT_HOOK {
        return
    }

{# Same pattern as the IPv4 table: "accept" keeps packets tracked, and notrack
   is only reached if this chain is replaced by one that returns. #}
    chain FW_CONNTRACK {
        accept
    }
}
{% endif %}