Diffstat (limited to 'data/vyos-firewall-init.conf')
-rw-r--r--data/vyos-firewall-init.conf73
1 files changed, 73 insertions, 0 deletions
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
new file mode 100644
index 0000000..3929edf
--- /dev/null
+++ b/data/vyos-firewall-init.conf
@@ -0,0 +1,73 @@
+#!/usr/sbin/nft -f
+
+# Required by wanloadbalance
+table ip nat {
+ chain VYOS_PRE_SNAT_HOOK {
+ type nat hook postrouting priority 99; policy accept;
+ return
+ }
+}
+
+table inet mangle {
+ # Used by system flow-accounting
+ chain FORWARD {
+ type filter hook forward priority -150; policy accept;
+ }
+}
+
+table raw {
+ chain VYOS_TCP_MSS {
+ type filter hook forward priority -300; policy accept;
+ }
+
+ chain vyos_global_rpfilter {
+ return
+ }
+
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
+ }
+
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
+ type filter hook prerouting priority -300; policy accept;
+ }
+}
+
+table ip6 raw {
+ chain VYOS_TCP_MSS {
+ type filter hook forward priority -300; policy accept;
+ }
+
+ chain vyos_global_rpfilter {
+ return
+ }
+
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
+ }
+
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
+ type filter hook prerouting priority -300; policy accept;
+ }
+}
+
+# Required by VRF
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ }
+}
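Review bot: In both `table raw` and `table ip6 raw`, `vyos_rpfilter` and `VYOS_PREROUTING_HOOK` register on the same hook (prerouting) at the same priority (-300), so this file does not fix whether a packet hits the flow-accounting chain before or after the rpfilter chain; as far as I know nftables leaves the order of base chains sharing a hook and priority unspecified, and once `vyos_global_rpfilter` is populated with drop rules that order decides whether spoofed packets are counted at all. Giving the accounting chain its own priority, e.g. `type filter hook prerouting priority -299; policy accept;`, makes the intended order explicit (rpfilter first, accounting second, or the reverse if counting dropped traffic is the goal). Separately, `table raw {` carries no family keyword and so defaults to `ip`; writing `table ip raw {` would make it symmetric with `table ip6 raw` and spare a reader from checking the default. The file also only adds rules (`return`, `counter jump vyos_global_rpfilter`) without a `flush ruleset`, so re-applying it to a live ruleset would append duplicates of those rules; presumably it is loaded once at boot, but a one-line comment under the shebang such as `# Idempotent only on a fresh ruleset: tables/chains are re-declared, rules are appended` would record that assumption.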