{% if (length(zone.match_subnets)): %}
define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }}
{% endif %}
-
{% endfor %}
#
# Body of the input chain (its chain header is not part of this excerpt).
# Rule order matters: unconditional accepts for loopback and already-tracked
# flows come first, then the option-gated invalid-state drop and SYN flood
# guard, then user rules, then zone matches, and last the reject handler.
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
-
# Emitted only when the "drop_invalid" default option is set; otherwise
# packets with an invalid conntrack state continue down the chain.
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
-
# Emitted only when "synflood_protect" is set: packets with exactly the SYN
# bit set among FIN/SYN/RST/ACK are diverted to the syn_flood chain.
{% if (fw4.default_option("synflood_protect")): %}
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
{% endif %}
-
# User-defined rules for the input direction, one rule.uc include per rule.
{% for (local rule in fw4.rules("input")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-
# Per-zone match rules, rendered by zone-match.uc for the input direction.
{% for (local zone in fw4.zones()): for (local rule in zone.match_rules): %}
{%+ include("zone-match.uc", { fw4, zone, rule, direction: "input" }) %}
{% endfor; endfor %}
-
# With a "reject" input policy, traffic that matched nothing above is handed
# to handle_reject before the chain policy would apply.
{% if (fw4.input_policy() == "reject"): %}
jump handle_reject
{% endif %}
# Body of the forward chain (the opening "chain forward {" line is not part
# of this excerpt). The base policy comes from fw4.forward_policy(true).
type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
# Already-tracked flows are accepted before any per-rule evaluation.
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
-
# Emitted only when the "drop_invalid" default option is set; otherwise
# packets with an invalid conntrack state continue down the chain.
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
-
# User-defined rules for the forward direction, one rule.uc include per rule.
{% for (local rule in fw4.rules("forward")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-
# Per-zone match rules, rendered by zone-match.uc for the forward direction.
{% for (local zone in fw4.zones()): for (local rule in zone.match_rules): %}
{%+ include("zone-match.uc", { fw4, zone, rule, direction: "forward" }) %}
{% endfor; endfor %}
-
# With a "reject" forward policy, traffic that matched nothing above is
# handed to handle_reject before the chain policy would apply.
{% if (fw4.forward_policy() == "reject"): %}
jump handle_reject
{% endif %}
# Body of the output chain (its chain header is not part of this excerpt).
# Same layout as the input chain: unconditional accepts, option-gated
# invalid-state drop, user rules, zone matches, then the reject handler.
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
-
# Emitted only when the "drop_invalid" default option is set; otherwise
# packets with an invalid conntrack state continue down the chain.
{% if (fw4.default_option("drop_invalid")): %}
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
-
# User-defined rules for the output direction, one rule.uc include per rule.
{% for (local rule in fw4.rules("output")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-
# Per-zone match rules, rendered by zone-match.uc for the output direction.
{% for (local zone in fw4.zones()): for (local rule in zone.match_rules): %}
{%+ include("zone-match.uc", { fw4, zone, rule, direction: "output" }) %}
{% endfor; endfor %}
-
# With a "reject" output policy, traffic that matched nothing above is
# handed to handle_reject before the chain policy would apply.
{% if (fw4.output_policy() == "reject"): %}
jump handle_reject
{% endif %}
}
{% endif %}
-
{% for (local zone in fw4.zones()): %}
chain input_{{ zone.name }} {
{% for (local rule in fw4.rules("input_"+zone.name)): %}
{% endfor %}
{% endfor %}
-
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
-
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags.dnat): %}
{% for (let rule in zone.match_rules): %}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
-
{% for (let redirect in fw4.redirects("srcnat")): %}
{%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
-
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
chain raw_output {
type filter hook output priority raw; policy accept;
-
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
{% endfor %}
{% endif %}
{% endfor %}
-
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
{% endfor %}
{% endfor %}
-
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
-
{% for (let rule in fw4.rules("mangle_prerouting")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
chain mangle_output {
type filter hook output priority mangle; policy accept;
-
{% for (let rule in fw4.rules("mangle_output")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
-
{% for (let zone in fw4.zones()): %}
{% if (zone.mtu_fix): %}
{% for (let rule in zone.match_rules): %}