From 082cdd1f0c0ccbfac3fb5dc4d19dcef66a0af1ef Mon Sep 17 00:00:00 2001
From: Marek Isalski
Date: Fri, 2 Aug 2019 07:02:50 +0100
Subject: [PATCH] add VYATTA_CT_PREROUTING_HOOK for flow statistics

---
 bcp38.iptables.v4 | 5 +++++
 bcp38.iptables.v6 | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/bcp38.iptables.v4 b/bcp38.iptables.v4
index a9c8edd..9045858 100644
--- a/bcp38.iptables.v4
+++ b/bcp38.iptables.v4
@@ -9,7 +9,12 @@ COMMIT
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+:VYATTA_CT_PREROUTING_HOOK - [0:0]
 -A PREROUTING -j NOTRACK
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+-A VYATTA_CT_PREROUTING_HOOK -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 COMMIT
 *nat
diff --git a/bcp38.iptables.v6 b/bcp38.iptables.v6
index c045bc6..8db76d9 100644
--- a/bcp38.iptables.v6
+++ b/bcp38.iptables.v6
@@ -9,7 +9,12 @@ COMMIT
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+:VYATTA_CT_PREROUTING_HOOK - [0:0]
 -A PREROUTING -j NOTRACK
+{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if salt['pillar.get']('interfaces:'+iface_name+':netflow') %}
+-A PREROUTING -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+-A VYATTA_CT_PREROUTING_HOOK -i {{ iface_name }} -j NFLOG --nflog-group 2 --nflog-range 64 --nflog-threshold 10
+{% endif %}{% endfor %}
 COMMIT
 *nat
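Review bot: A packet arriving on a netflow-enabled interface can be copied to nflog group 2 twice, because the same NFLOG rule is added both to PREROUTING and to VYATTA_CT_PREROUTING_HOOK while NOTRACK and NFLOG are non-terminating; if the system's jump from PREROUTING into that hook chain is in place (the hunk declares the chain with `:VYATTA_CT_PREROUTING_HOOK - [0:0]` but adds no `-j VYATTA_CT_PREROUTING_HOOK` of its own), every flow is counted twice by whatever reads group 2, and if no jump exists the hook-chain rule is never reached. Which of the two is expected to fire is not recorded anywhere in the raw table, so a template comment above the loop, e.g. `{# NFLOG is placed in both PREROUTING and the VyOS CT hook chain; only one should be reachable per packet, otherwise group 2 sees duplicates #}`, would let the next reader verify the rule set against the running jump. The bcp38.iptables.v6 hunk has the identical pair of rules and needs the same clarification.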