Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
|
|
|
|
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
|
|
firewall: T4612: Support arbitrary netmasks
|
|
so this new group can be used in inbound and outbound matcher
|
|
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
|
|
`fqdn` node
|
|
Instead of spawning the Python interpreter for every mac-address to
validate, rather use the base validate-value OCaml implementation which
is much faster.
This removes redundant code and also makes the CLI more responsive.
Validator is moved out to a dedicated file instead of using XML inlined <regex>
for the reason of re-usability. So if that regex needs to be touched again - it
can all happen in one single file.
|
|
Remove duplicated code and move to single-source of truth.
|
|
Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
|
|
|
|
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and
replace it with numeric"). The first version allowed both a range and discrete
numbers to be validated by the numeric validator.
This had a flaw as both 22 and 22-30 were valid at the same time. The generic
"port-number.xml.i" building block only allows a discrete number. Now if a user
set port 22-30 for e.g. SSH the daemon did no longer start. This is why range
validation must be explicitly enabled.
|
|
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
firewall and in policy route
|
|
Matching criteria added: ttl/hoplimit and packet-length
|
|
|
|
|
|
|
|
* 'T4651' of https://github.com/nicolas-fort/vyos-1x:
Firewall: T4651: Change proposed cli from ip-length to packet-length
Firewall: T4651: Add options to match packet size on firewall rules.
|
|
|
|
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
|
|
|
|
Ability to drop|accept packets based on TCP MSS size
set firewall name <tag> rule <tag> tcp mss '501-1460'
|
|
|
|
|
|
If a parameter is required is determined from the Python string on commit.
This "indicator" is not used consistently and sometimes missing, or added where
it is not required anymore due to Python script improvement/rewrite.
|
|
Firewall: T3907: add log-level options in firewall
|
|
Domain group allows to filter addresses by domain main
Resolved addresses as elements are stored to named "nft set"
that used in the nftables rules
Also added a dynamic "resolver" systemd daemon
vyos-domain-group-resolve.service which starts python script
for the domain-group addresses resolving by timeout 300 sec
set firewall group domain-group DOMAINS address 'example.com'
set firewall group domain-group DOMAINS address 'example.org'
set firewall name FOO rule 10 action 'drop'
set firewall name FOO rule 10 source group domain-group 'DOMAINS'
set interfaces ethernet eth0 firewall local name 'FOO'
nft list table ip filter
table ip filter {
set DOMAINS {
type ipv4_addr
flags interval
elements = { 192.0.2.1, 192.0.2.85,
203.0.113.55, 203.0.113.58 }
}
chain NAME_FOO {
ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"
counter packets 0 bytes 0 return comment "FOO default-action accept"
}
}
|
|
|
|
|
|
Firewall: T990: Add snat and dnat connection status on firewall
|
|
|
|
|
|
|
|
|
|
|
|
Since introducing the XML <defaultValue> node it was common, but redundant,
practice to also add a help string indicating which value would be used as
default if the node is unset.
This makes no sense b/c it's duplicated code/value/characters and prone to
error. The node.def scripts should be extended to automatically render the
appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of
the defaults() call - those subsystems need to be migrated, first before the new
default is added to the CLI help.
|
|
|
|
for icmp
|