Age | Commit message (Collapse) | Author | |
---|---|---|---|
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination ↵ | sarthurdev | |
`fqdn` node | |||
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort | |
2022-09-22 | xml: T4698: validating a range must be explicitly enabled in the validator | Christian Poessinger | |
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH the daemon did no longer start. This is why range validation must be explicitly enabled. | |||
2022-09-21 | T4699: Firewall: Add return action, since jump action was added recently | Nicolas Fort | |
2022-09-17 | Merge pull request #1546 from nicolas-fort/fwall-jump | Christian Poessinger | |
T4699: Firewall: Add jump action in firewall ruleset | |||
2022-09-16 | T4699: Firewall: Add jump action in firewall rulest | Nicolas Fort | |
2022-09-16 | xml: T4698: drop validator name="range" and replace it with numeric | Christian Poessinger | |
After T4669 added support for range validation to the OCaml validator there is no need to keep the slow Python validator in place. Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/> with <validator name="numeric" argument="--range 1-65535"/>. | |||
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵ | sarthurdev | |
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script | |||
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on ↵ | Nicolas Fort | |
firewall and in policy route | |||
2022-09-06 | T4670: policy route: extend matching criteria for policy route and route6. ↵ | Nicolas Fort | |
Matching criteria added: ttl/hoplimit and packet-length | |||
2022-09-03 | firewall: T4651: re-implement packet-length CLI option to use <multi/> | Christian Poessinger | |
2022-09-03 | firewall: T3568: improve default-action help string | Christian Poessinger | |
2022-09-03 | firewall: T3568: add XML include block for eq,gt,lt options | Christian Poessinger | |
2022-09-02 | Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewall | Christian Poessinger | |
* 'T4651' of https://github.com/nicolas-fort/vyos-1x: Firewall: T4651: Change proposed cli from ip-length to packet-length Firewall: T4651: Add options to match packet size on firewall rules. | |||
2022-09-01 | Firewall: T4651: Change proposed cli from ip-length to packet-length | Nicolas Fort | |
2022-08-30 | firewall: T4655: implement XML defaultValue for name and ipv6-name | Christian Poessinger | |
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLIs completion helper ("?"). | |||
2022-08-30 | firewall: T3568: rename XML building blocks to match CLI node name | Christian Poessinger | |
2022-08-18 | firewall: T4622: Add TCP MSS option | Viacheslav Hletenko | |
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460' | |||
2022-07-04 | firewall: T4299: Add ability to inverse match country codes | sarthurdev | |
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev | |
2022-06-10 | xml: drop not always applicable REQUIRED suffix from completion help string | Christian Poessinger | |
If a parameter is required is determined from the Python string on commit. This "indicator" is not used consistently and sometimes missing, or added where it is not required anymore due to Python script improvement/rewrite. | |||
2022-06-10 | Merge pull request #1322 from nicolas-fort/T3907-fwall-log | Daniil Baturin | |
Firewall: T3907: add log-level options in firewall | |||
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko | |
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } } | |||
2022-05-27 | Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8 | Nicolas Fort | |
2022-05-11 | Firewall: T3907: add log-level options in firewall | Nicolas Fort | |
2022-05-09 | Merge pull request #1279 from nicolas-fort/T990 | Christian Poessinger | |
Firewall: T990: Add snat and dnat connection status on firewall | |||
2022-04-29 | xml: T4047: use full string match in the regex validator | Christian Poessinger | |
2022-04-23 | Firewall: T990: Modifications for new connection-status cli | Nicolas Fort | |
2022-04-11 | Firewall: T990: Add snat and dst connection status on firewall | Nicolas Fort | |
2022-04-08 | Firewall: T990: Add snat and dnat connection status on firewall | Nicolas Fort | |
2022-04-06 | firewall: T4345: Fix incorrect rule limit rate syntax | sarthurdev | |
2022-02-24 | scripts: T4269: node.def generator should automatically add default values | Christian Poessinger | |
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string. For e.g. SSH the current PoC renders: $ cat templates-cfg/service/ssh/port/node.def multi: type: txt help: Port for SSH service (default: 22) val_help: u32:1-65535; Numeric IP port ... Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated, first before the new default is added to the CLI help. | |||
2022-02-04 | firewall: T4209: Fix support for rule `recent` matches | sarthurdev | |
2022-01-21 | Firewall: T4186: Adding icmpv6 corrections, in corcondancy of what was done ↵ | Nicolas Fort | |
for icmp | |||
2022-01-21 | Firewall: T4186: typo correction on address-mask-reply description | Nicolas Fort | |
2022-01-21 | Firewall: T4186: Correct icmp type-name options for firewall rules | Nicolas Fort | |
2022-01-18 | firewall: T3560: Add support for MAC address groups | sarthurdev | |
2022-01-17 | firewall: policy: T4178: Migrate and refactor tcp flags | sarthurdev | |
* Add support for ECN and CWR flags | |||
2022-01-14 | firewall: T4178: Use lowercase for TCP flags and add an validator | sarthurdev | |
2022-01-10 | firewall: validators: T2199: Improve port validation | sarthurdev | |
2022-01-07 | xml: firewall: T4130: add protocol completion helper all and tcp_udp | Christian Poessinger | |
2022-01-04 | firewall: T4134: Fix completion help for protocols | Viacheslav | |
2021-12-06 | firewall: T2199: Migrate firewall to XML/Python | sarthurdev | |
2021-08-29 | xml: add missing "u32:" value declarator on integer ranges | Christian Poessinger | |
2021-07-02 | xml: provide building block for a generic description node | Christian Poessinger | |
2021-05-25 | firewall: T3568: add XML definitions for firewall | Viacheslav Hletenko | |
Add XML for configuration mode firewall. Used for future rewriting it to Python style. |