summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall
AgeCommit message (Collapse)Author
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos (cherry picked from commit 76dcecafca977b640dd16d8e68c4a050ca1af4fb)
2024-03-05xml: T5738: use generic-disable-node building block for "disable" CLI nodesChristian Breunig
Make the code more uniform and maintainable. (cherry picked from commit 21b0bf0168697fdbe514ae49a4a28b39a91ec777)
2024-02-01T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
2024-02-01T5977: firewall: remove ipsec options in output chain rule definitions, ↵Nicolas Fort
since it's not supported. (cherry picked from commit 9d490ecf616eb9d019beee37a3802705c4109d9d)
2024-01-22firewall: T5729: T5681: T5217: backport subsystem from current branchChristian Breunig
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
2024-01-18conntrack: T5376: T5779: backport from currentChristian Breunig
Backport of the conntrack system from current branch. (cherry picked from commit fd0bcaf12) (cherry picked from commit 5acf5aced) (cherry picked from commit 42ff4d8a7) (cherry picked from commit 24a1a7059)
2024-01-11Merge pull request #2793 from sarthurdev/T5550_sagittaChristian Breunig
interface: T5550: Interface source-validation priority over global value (backport)
2024-01-08T5896: firewall: backport interface validator for firewall rules.Nicolas Fort
2023-12-30firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`. (cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
2023-12-30firewall: T5834: Remove vestigial include fileIndrajit Raychaudhuri
This file is a left over from previous refactoring and no longer referenced anywhere in the interface definitions. (cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822)
2023-12-30firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency. (cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
2023-12-15T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-12-15firewall: T4502: add offload to firewall table actionsBjarke Istrup Pedersen
2023-11-21T5419: firewall: backport firewall flowtable to Sagitta.Nicolas Fort
2023-11-16T4072: firewall: backport bridge firewall to sagittaNicolas Fort
2023-11-14T5729: T5590: T5616: backport to sagita fwall marks, fix on firewall logs ↵Nicolas Fort
parsing, and migration to valueless node for log and state matchers
2023-11-01T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6)
2023-10-23T5637: Firewall: add new rule at the end of base chains for default-actions. ↵Nicolas Fort
This enables logs capabilities for default-action in base chains.
2023-09-28firewall: T5614: Add support for matching on conntrack helpersarthurdev
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001)
2023-09-06firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-11T5460: remove config-trap from firewallNicolas Fort
2023-08-11T5160: firewall refactor: fix regexep for connection-status. Create new file ↵Nicolas Fort
with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
2023-08-11T5160: firewall refactor: change default value for <default-action> from ↵Nicolas Fort
<drop> to <accept> if default-action is not specified in base chains
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update only all xmlNicolas Fort
2023-07-31T5014: fix conflicts. Add code for redirection, which is causing conflicts. ↵Nicolas Fort
Change code for new syntax
2023-07-31T5014: nat: add source and destination nat options for configuring load ↵Nicolas Fort
balance within a single rule.
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-10Merge pull request #1871 from nicolas-fort/T5055Christian Breunig
T5055: Firewall: add packet-type matcher in firewall and route policy
2023-03-09xml: T4952: improve interface completion helper CLI experienceChristian Breunig
2023-03-06T5055: Firewall: add packet-type matcher in firewall and route policyNicolas Fort
2023-02-28T5037: Firewall: Add queue action and options to firewallNicolas Fort
2023-02-18T4886: allow connection-mark 0 value, which is acceptableNicolas Fort
2023-01-02T4904: keepalived virtual-server allow multiple ports with fwmarkViacheslav Hletenko
Allow multiple ports for high-availability virtual-server The current implementation allows balance only one "virtual" address and port between between several "real servers" Allow matching "fwmark" to set traffic which should be balanced Allow to set port 0 (all traffic) if we use "fwmark" Add health-check script set high-availability virtual-server 203.0.113.1 fwmark '111' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
2022-12-23firewall: T2199: Fix typo in `rule-log-level.xml.i` headersarthurdev
2022-12-23firewall: T2199: Add mac-address match to `destination` sidesarthurdev
2022-12-19T4886: Firewall and route policy: Add connection-mark feature to vyos.Nicolas Fort
2022-12-17Merge pull request #1626 from nicolas-fort/fwall_group_interfaceChristian Poessinger
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
2022-12-15firewall: T4882: add missing ICMPv6 type namesinitramfs
2022-11-24Merge pull request #1641 from Rain/T4612-arbitrary-netmasksChristian Poessinger
firewall: T4612: Support arbitrary netmasks
2022-11-19T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵Nicolas Fort
so this new group can be used in inbound and outbound matcher
2022-11-03Merge pull request #1633 from sarthurdev/fqdnChristian Poessinger
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-11-03validators: T4795: migrate mac-address python validator to validate-valueChristian Poessinger
Instead of spawning the Python interpreter for every mac-address to validate, rather use the base validate-value OCaml implementation which is much faster. This removes redundant code and also makes the CLI more responsive. Validator is moved out to a dedicated file instead of using XML inlined <regex> for the reason of re-usability. So if that regex needs to be touched again - it can all happen in one single file.
2022-11-03xml: T4795: provide common and re-usable XML definitions for policyChristian Poessinger
Remove duplicated code and move to single-source of truth.
2022-10-08firewall: T4612: Support arbitrary netmasksRain
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
2022-09-26T4700: Firewall: add interface matching criteriaNicolas Fort
2022-09-22xml: T4698: validating a range must be explicitly enabled in the validatorChristian Poessinger
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH the daemon did no longer start. This is why range validation must be explicitly enabled.