Initial commit
{%+
	/*
	 * usr/share/firewall4/templates/zone-notrack.uc
	 *
	 * Emits the selectors and the final jump of one "CT bypass" rule for a
	 * zone. Reads `rule`, `zone` and `output` from the enclosing scope.
	 *
	 * Packets that match are sent to the notrack_<zone> chain, which
	 * presumably exempts them from connection tracking (chain body is not
	 * visible here). The selectors below are the only thing bounding that
	 * set, so a selector list that is unexpectedly empty widens the bypass.
	 *
	 * NOTE(review): the positive lists are read from fw4.devices_pos /
	 * fw4.subnets_pos while the negated lists come from rule.devices_neg /
	 * rule.subnets_neg -- confirm the fw4.* source is intended and not
	 * meant to be rule.*.
	 */
	local pos_devs = fw4.filter_loopback_devs(fw4.devices_pos, output),
	      pos_nets = fw4.filter_loopback_addrs(fw4.subnets_pos, output);

	local has_pos = (length(pos_devs) || length(pos_nets));

	/*
	 * Emit nothing unless there is at least one positive selector, or, on
	 * the non-output path only, at least one negated selector. `rule` is
	 * touched lazily so the output case with no positive selector returns
	 * without reading it.
	 */
	if (!has_pos && (output || !(rule.devices_neg || rule.subnets_neg)))
		return;

	/*
	 * NOTE(review): zone.name is interpolated verbatim into the chain name
	 * and into the double-quoted nft comment in the last line; this assumes
	 * it was validated upstream as a safe identifier -- confirm.
	 */
-%}
{%+ if (rule.family): -%}
meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
{%+ if (length(pos_devs)): -%}
iifname {{ fw4.set(pos_devs) }} {%+ endif -%}
{%+ if (rule.devices_neg): -%}
iifname != {{ fw4.set(rule.devices_neg) }} {%+ endif -%}
{%+ if (length(pos_nets)): -%}
{{ fw4.ipproto(rule.family) }} saddr {{ fw4.set(pos_nets) }} {%+ endif -%}
{%+ if (rule.subnets_neg): -%}
{{ fw4.ipproto(rule.family) }} saddr != {{ fw4.set(rule.subnets_neg) }} {%+ endif -%}
jump notrack_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT bypass"