Age | Commit message (Collapse) | Author | |
---|---|---|---|
2024-01-11 | Merge pull request #2793 from sarthurdev/T5550_sagitta | Christian Breunig | |
interface: T5550: Interface source-validation priority over global value (backport) | |||
2023-12-15 | T5775: Fix collisions and adjust for 1.4 | Bjarke Istrup Pedersen | |
2023-12-15 | T5775: firewall: re-add state-policy to firewall. These commands are now ↵ | Nicolas Fort | |
included in <set firewall global-options state-policy> node. | |||
2023-11-21 | T5419: firewall: backport firewall flowtable to Sagitta. | Nicolas Fort | |
2023-11-16 | T4072: firewall: backport bridge firewall to sagitta | Nicolas Fort | |
2023-10-23 | T5637: Firewall: add new rule at the end of base chains for default-actions. ↵ | Nicolas Fort | |
This enables logs capabilities for default-action in base chains. | |||
2023-10-20 | T5541: firewall: re-add zone-based firewall. | Nicolas Fort | |
2023-09-06 | firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces | sarthurdev | |
2023-09-06 | interface: T5550: Interface source-validation priority over global value | sarthurdev | |
- Migrate IPv4 source-validation to nftables - Interface source-validation value takes priority, fallback to global value | |||
2023-08-26 | firewall: T5080: Disable conntrack unless required by rules | sarthurdev | |
2023-08-25 | interface: T3509: Add per-interface IPv6 source validation | sarthurdev | |
2023-08-25 | firewall: T3509: Add support for IPv6 return path filtering | sarthurdev | |
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵ | Nicolas Fort | |
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip. | |||
2023-08-11 | T5160: firewall refactor: fix firewall template for correct rule parsing ↵ | Nicolas Fort | |
that contains fqnd and/or geo-ip in base chains. Fix mig script | |||
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Update jinja templates, python ↵ | Nicolas Fort | |
scripts and src firewall | |||
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination ↵ | sarthurdev | |
`fqdn` node | |||
2022-10-09 | firewall: T3907: Fix firewall state-policy logging | sarthurdev | |
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling. | |||
2022-09-16 | T4699: Firewall: Add jump action in firewall rulest | Nicolas Fort | |
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev | |
2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev | |
2022-09-13 | firewall: T2199: Move initial firewall tables to data | sarthurdev | |
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵ | sarthurdev | |
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script | |||
2022-08-17 | nat: T538: Add static NAT one-to-one | Viacheslav Hletenko | |
Ability to set static NAT (one-to-one) in one rule set nat static rule 10 destination address '203.0.113.0/24' set nat static rule 10 inbound-interface 'eth0' set nat static rule 10 translation address '192.0.2.0/24' It will be enough for PREROUTING and POSTROUTING rules Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number | |||
2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev | |
2022-06-14 | firewall: T4147: Use named sets for firewall groups | sarthurdev | |
* Refactor nftables clean-up code * Adds policy route test for using firewall groups | |||
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev | |
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko | |
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } } | |||
2022-05-01 | firewall: T4353: fix Jinja2 linting errors | Christian Poessinger | |