We have default table names like
table ip filter table ip6 filter table ip nat table ip6 nat table inet mangle table ip raw table ip6 raw table ip mangle table ip6 mangle
I propose to change names to vyos_xxx:
table ip vyos_filter table ip6 vyos_filter table ip vyos_nat table ip6 vyos_nat table inet vyos_mangle table ip vyos_raw table ip6 vyos_raw table ip vyos_mangle table ip6 vyos_mangle
It can prevent overlap with some customer rules or some custom apps which can affect the firewall configuration
Just one example, tailscale by default can add its own firewall rules to filter and nat
vyos@r14# sudo nft list table filter
table ip filter {
chain VYOS_FW_FORWARD {
type filter hook forward priority filter; policy accept;
jump VYOS_POST_FW
}
chain VYOS_FW_LOCAL {
type filter hook input priority filter; policy accept;
jump VYOS_POST_FW
}
...
chain ts-input {
iifname "lo" ip saddr 100.116.x.88 counter packets 0 bytes 0 accept
iifname != "tailscale0" ip saddr 100.115.x.0/23 counter packets 0 bytes 0 return
iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
}
chain ts-forward {
iifname "tailscale0" counter packets 0 bytes 0 meta mark set 0x40000
mark 0x40000 counter packets 0 bytes 0 accept
oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
oifname "tailscale0" counter packets 0 bytes 0 accept
}
}
[edit]
vyos@r14#
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 195 bytes 19483 jump VYOS_PRE_DNAT_HOOK
}
...
chain ts-postrouting {
mark 0x40000 counter packets 0 bytes 0 masqueradeIt will cause a commit error:
vyos@r14# compare
+firewall {
+ name FOO {
+ default-action drop
+ rule 10 {
+ action accept
+ }
+ }
+}
[edit]
vyos@r14# commit
[ firewall ]
Failed to apply firewall
[[firewall]] failed
Commit failed
[edit]
vyos@r14#Rename tables to vyos_xxx can prevent such issues in the future.