Age | Commit message | Author | |
---|---|---|---|
2024-01-22 | firewall: T5729: T5681: T5217: backport subsystem from current branch | Christian Breunig | |
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch. | |||
2024-01-18 | conntrack: T5376: T5779: backport from current | Christian Breunig | |
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059) | |||
2024-01-11 | Merge pull request #2793 from sarthurdev/T5550_sagitta | Christian Breunig | |
interface: T5550: Interface source-validation priority over global value (backport) | |||
2024-01-08 | T5896: firewall: backport interface validator for firewall rules. | Nicolas Fort | |
2023-12-30 | firewall: T5834: Improve log message and simplify log-option include | Indrajit Raychaudhuri | |
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`. (cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242) | |||
2023-12-30 | firewall: T5834: Remove vestigial include file | Indrajit Raychaudhuri | |
This file is a leftover from previous refactoring and no longer referenced anywhere in the interface definitions. (cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822) | |||
2023-12-30 | firewall: T5834: Rename 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri | |
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency. (cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992) | |||
2023-12-15 | T5775: firewall: re-add state-policy to firewall. These commands are now ↵ | Nicolas Fort | |
included in <set firewall global-options state-policy> node. | |||
2023-12-15 | firewall: T4502: add offload to firewall table actions | Bjarke Istrup Pedersen | |
2023-11-21 | T5419: firewall: backport firewall flowtable to Sagitta. | Nicolas Fort | |
2023-11-16 | T4072: firewall: backport bridge firewall to sagitta | Nicolas Fort | |
2023-11-14 | T5729: T5590: T5616: backport to sagitta fwall marks, fix on firewall logs ↵ | Nicolas Fort | |
parsing, and migration to valueless node for log and state matchers | |||
2023-11-01 | T5681: Firewall, Nat and Nat66: simplified and standardize interface matcher ↵ | Nicolas Fort | |
firewall, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6) | |||
2023-10-23 | T5637: Firewall: add new rule at the end of base chains for default-actions. ↵ | Nicolas Fort | |
This enables logs capabilities for default-action in base chains. | |||
2023-09-28 | firewall: T5614: Add support for matching on conntrack helper | sarthurdev | |
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001) | |||
2023-09-06 | firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces | sarthurdev | |
2023-08-23 | T5450: update smoketest and interface definition in order to work with new ↵ | Nicolas Fort | |
firewall cli | |||
2023-08-11 | T5460: remove config-trap from firewall | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: fix regexp for connection-status. Create new file ↵ | Nicolas Fort | |
with common matcher for ipv4 and ipv6, and use include on all chains for all this common matchers | |||
2023-08-11 | T5160: firewall refactor: change default value for <default-action> from ↵ | Nicolas Fort | |
<drop> to <accept> if default-action is not specified in base chains | |||
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵ | Nicolas Fort | |
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip. | |||
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Update only all xml | Nicolas Fort | |
2023-07-31 | T5014: fix conflicts. Add code for redirection, which is causing conflicts. ↵ | Nicolas Fort | |
Change code for new syntax | |||
2023-07-31 | T5014: nat: add source and destination nat options for configuring load ↵ | Nicolas Fort | |
balance within a single rule. | |||
2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort | |
2023-03-10 | Merge pull request #1871 from nicolas-fort/T5055 | Christian Breunig | |
T5055: Firewall: add packet-type matcher in firewall and route policy | |||
2023-03-09 | xml: T4952: improve interface completion helper CLI experience | Christian Breunig | |
2023-03-06 | T5055: Firewall: add packet-type matcher in firewall and route policy | Nicolas Fort | |
2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort | |
2023-02-18 | T4886: allow connection-mark 0 value, which is acceptable | Nicolas Fort | |
2023-01-02 | T4904: keepalived virtual-server allow multiple ports with fwmark | Viacheslav Hletenko | |
Allow multiple ports for high-availability virtual-server. The current implementation allows balance only one "virtual" address and port between several "real servers". Allow matching "fwmark" to set traffic which should be balanced. Allow to set port 0 (all traffic) if we use "fwmark". Add health-check script. `set high-availability virtual-server 203.0.113.1 fwmark '111'`; `set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'`; `set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'` | |||
2022-12-23 | firewall: T2199: Fix typo in `rule-log-level.xml.i` header | sarthurdev | |
2022-12-23 | firewall: T2199: Add mac-address match to `destination` side | sarthurdev | |
2022-12-19 | T4886: Firewall and route policy: Add connection-mark feature to vyos. | Nicolas Fort | |
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger | |
T4780: Firewall: add firewall groups in firewall. Extend matching cri… | |||
2022-12-15 | firewall: T4882: add missing ICMPv6 type names | initramfs | |
2022-11-24 | Merge pull request #1641 from Rain/T4612-arbitrary-netmasks | Christian Poessinger | |
firewall: T4612: Support arbitrary netmasks | |||
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵ | Nicolas Fort | |
so this new group can be used in inbound and outbound matcher | |||
2022-11-03 | Merge pull request #1633 from sarthurdev/fqdn | Christian Poessinger | |
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT | |||
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination ↵ | sarthurdev | |
`fqdn` node | |||
2022-11-03 | validators: T4795: migrate mac-address python validator to validate-value | Christian Poessinger | |
Instead of spawning the Python interpreter for every mac-address to validate, rather use the base validate-value OCaml implementation which is much faster. This removes redundant code and also makes the CLI more responsive. Validator is moved out to a dedicated file instead of using XML inlined `<regex>` for the reason of re-usability. So if that regex needs to be touched again - it can all happen in one single file. | |||
2022-11-03 | xml: T4795: provide common and re-usable XML definitions for policy | Christian Poessinger | |
Remove duplicated code and move to single-source of truth. | |||
2022-10-08 | firewall: T4612: Support arbitrary netmasks | Rain | |
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically. | |||
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort | |
2022-09-22 | xml: T4698: validating a range must be explicitly enabled in the validator | Christian Poessinger | |
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH, the daemon no longer started. This is why range validation must be explicitly enabled. | |||
2022-09-21 | T4699: Firewall: Add return action, since jump action was added recently | Nicolas Fort | |
2022-09-17 | Merge pull request #1546 from nicolas-fort/fwall-jump | Christian Poessinger | |
T4699: Firewall: Add jump action in firewall ruleset | |||
2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort | |
2022-09-16 | xml: T4698: drop validator name="range" and replace it with numeric | Christian Poessinger | |
After T4669 added support for range validation to the OCaml validator there is no need to keep the slow Python validator in place. Replace all occurrences of `<validator name="range" argument="--min=1 --max=65535"/>` with `<validator name="numeric" argument="--range 1-65535"/>`. |