#!/usr/sbin/nft -f
# Required by wanloadbalance
table ip nat {
# Postrouting NAT hook at priority 99, i.e. one step ahead of the standard
# `srcnat` priority (100), so anything placed here is evaluated before the
# regular source-NAT chains.  Rendered empty: the single `return` falls
# through to `policy accept`.  Presumably wanloadbalance fills this chain at
# runtime (see the comment above the table) -- nothing in this file does.
# Rules appended after the `return` would never be evaluated; anything
# added at runtime must be inserted ahead of it -- TODO confirm how
# wanloadbalance adds its rules.
chain VYOS_PRE_SNAT_HOOK {
type nat hook postrouting priority 99; policy accept;
return
}
}
table inet mangle {
# Dual-stack (inet family) forward chain at the standard `mangle` priority
# (-150).  Rendered with no rules, so `policy accept` passes every forwarded
# packet through unchanged.  NOTE(review): presumably kept as an attachment
# point for rules added at runtime -- confirm against the VyOS templates.
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
}
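# IPv4 raw table (`table raw` with no family means family `ip`).  Every base
# chain here runs at priority -300, i.e. before the conntrack hook (-200), so
# the decisions below are taken on packets that have no conntrack entry yet.
table raw {
    # TCP MSS clamping rules are added here at runtime; none are rendered.
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

    # Reverse-path-filter rules land in this regular chain; empty = no check.
    chain vyos_global_rpfilter {
        return
    }

    # NOTE(review): this chain and PREROUTING below share hook prerouting at
    # priority -300; this file does not fix which of the two runs first --
    # confirm that rpfilter does not depend on that ordering.
    chain vyos_rpfilter {
        type filter hook prerouting priority -300; policy accept;
        counter jump vyos_global_rpfilter
    }

    # Conntrack is opt-in.  A packet is tracked only if one of the jumped-to
    # chains `accept`s it: accept terminates evaluation of this base chain, so
    # the trailing `notrack` is never reached.  Everything else is marked
    # notrack and is invisible to stateful firewall/NAT rules.  As rendered,
    # all four chains are empty (`return`), so nothing is tracked until the
    # running configuration adds an accept rule to one of them.
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_PREROUTING_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    # Same opt-in scheme for locally generated packets.
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_OUTPUT_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    # Conntrack helper objects.  The helper names must exist on the host
    # (userspace or kernel) for `ct helper set` to bind them -- not verifiable
    # from this file.
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }
    ct helper rpc_udp {
        type "rpc" protocol udp;
    }
    ct helper tns_tcp {
        type "tns" protocol tcp;
    }

    # Helper assignment.  nft evaluates the elements of a rule left to right,
    # so the port match MUST precede `ct helper set`.  The original rendering
    # (`ct helper set "rpc_tcp" tcp dport {111} return`) executed the helper
    # assignment for every packet reaching the rule, regardless of port; only
    # the `return` was port-gated, and the next rule then re-assigned the
    # helper to the remaining packets.  Helpers parse payloads and open
    # expectations (pinholes), so binding them more widely than intended
    # enlarges the attack surface -- keep the match first.
    # NOTE(review): no base chain in this file jumps to VYOS_CT_HELPER; it
    # only takes effect if the running configuration adds such a jump.
    chain VYOS_CT_HELPER {
        tcp dport {111} ct helper set "rpc_tcp" return
        udp dport {111} ct helper set "rpc_udp" return
        tcp dport {1521,1525,1536} ct helper set "tns_tcp" return
        return
    }

    # Attachment points populated at runtime; all empty as rendered.
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain VYOS_CT_PREROUTING_HOOK {
        return
    }
    chain VYOS_CT_OUTPUT_HOOK {
        return
    }
    # Firewall/NAT add their `accept` here to turn conntrack on (see PREROUTING).
    chain FW_CONNTRACK {
        return
    }
}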
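# IPv6 raw table, mirroring the IPv4 `table raw` above.  All base chains run
# at priority -300, ahead of the conntrack hook (-200), so packets reaching
# these rules have no conntrack entry yet.
table ip6 raw {
    # TCP MSS clamping rules are added here at runtime; none are rendered.
    chain VYOS_TCP_MSS {
        type filter hook forward priority -300; policy accept;
    }

    # Reverse-path-filter rules land in this regular chain; empty = no check.
    chain vyos_global_rpfilter {
        return
    }

    # NOTE(review): shares hook prerouting priority -300 with PREROUTING
    # below; this file does not fix which runs first -- confirm that rpfilter
    # does not depend on that ordering.
    chain vyos_rpfilter {
        type filter hook prerouting priority -300; policy accept;
        counter jump vyos_global_rpfilter
    }

    # Conntrack is opt-in: a packet is tracked only if one of the jumped-to
    # chains `accept`s it (accept ends evaluation of this base chain before
    # `notrack` is reached).  Everything else is marked notrack and is never
    # seen by stateful firewall/NAT rules.  All four target chains are empty
    # as rendered, so nothing is tracked until the running configuration adds
    # an accept rule to one of them.
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_PREROUTING_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    # Same opt-in scheme for locally generated packets.
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
        counter jump VYOS_CT_IGNORE
        counter jump VYOS_CT_TIMEOUT
        counter jump VYOS_CT_OUTPUT_HOOK
        counter jump FW_CONNTRACK
        notrack
    }

    # Conntrack helper objects; the named helpers must exist on the host for
    # `ct helper set` to bind them -- not verifiable from this file.
    ct helper rpc_tcp {
        type "rpc" protocol tcp;
    }
    ct helper rpc_udp {
        type "rpc" protocol udp;
    }
    ct helper tns_tcp {
        type "tns" protocol tcp;
    }

    # Helper assignment.  nft evaluates rule elements left to right, so the
    # port match MUST come before `ct helper set`.  The original rendering
    # (`ct helper set "rpc_tcp" tcp dport {111} return`) ran the helper
    # assignment for every packet reaching the rule regardless of port, with
    # only the `return` port-gated.  Helpers parse payloads and open
    # expectations (pinholes); binding them beyond the intended ports widens
    # the attack surface, so keep the match first.
    # NOTE(review): nothing in this file jumps to VYOS_CT_HELPER; it only
    # takes effect if the running configuration adds such a jump.
    chain VYOS_CT_HELPER {
        tcp dport {111} ct helper set "rpc_tcp" return
        udp dport {111} ct helper set "rpc_udp" return
        tcp dport {1521,1525,1536} ct helper set "tns_tcp" return
        return
    }

    # Attachment points populated at runtime; all empty as rendered.
    chain VYOS_CT_IGNORE {
        return
    }
    chain VYOS_CT_TIMEOUT {
        return
    }
    chain VYOS_CT_PREROUTING_HOOK {
        return
    }
    chain VYOS_CT_OUTPUT_HOOK {
        return
    }
    # Firewall/NAT add their `accept` here to turn conntrack on (see PREROUTING).
    chain FW_CONNTRACK {
        return
    }
}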