Age | Commit message (Collapse) | Author | |
---|---|---|---|
2024-05-02 | T6269: policy: ensure correct rule parsing when using, and when not using ↵ | Nicolas Fort | |
<set table> option in policy route. (cherry picked from commit d518386d74ab09c7e75fdbf7f67e14839180f24b) | |||
2024-04-17 | T6191: do not append action to firewall and policy route|route6 when its not ↵ | Nicolas Fort | |
specified, in order to ensure same behavior as in Equuleus (cherry picked from commit 5ab8f9ac47d9d8d198f5ace0ffc4a0b26af098df) | |||
2024-04-05 | T6204: cleanup shebang lines | khramshinr | |
2024-04-03 | T6199: drop unused Python imports | Christian Breunig | |
found using "git ls-files *.py | xargs pylint | grep W0611" (cherry picked from commit 274b2da242acd1f1f64ff1dee471e34295137c5f) | |||
2024-04-02 | firewall: T2199: always use full nft command name (e.g. --file over -f) | Christian Breunig | |
(cherry picked from commit 6e0fdbcbba39691461f791c7a68a2c6c5091d2c1) | |||
2024-03-06 | T6061: fix rule parsing when connection-status is used | Nicolas Fort | |
(cherry picked from commit 8f2534e9654b61b7db45788bb52ac6cf8017b054) | |||
2024-02-28 | vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵ | sarthurdev | |
required (cherry picked from commit 6f7d1e15665655e37e8ca830e28d9650445c1217) | |||
2024-02-01 | T4839: firewall: Add dynamic address group in firewall configuration, and ↵ | Nicolas Fort | |
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122) | |||
2024-01-22 | T5957: fix removal of interface in firewall rules. | Nicolas Fort | |
(cherry picked from commit 0a436e1fce66391311799bc970f05f6f4ba880ad) | |||
2024-01-22 | firewall: T5729: T5681: T5217: backport subsystem from current branch | Christian Breunig | |
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch. | |||
2023-11-21 | T5419: firewall: backport firewall flowtable to Sagitta. | Nicolas Fort | |
2023-11-16 | T4072: firewall: backport bridge firewall to sagitta | Nicolas Fort | |
2023-11-14 | T5729: T5590: T5616: backport to sagita fwall marks, fix on firewall logs ↵ | Nicolas Fort | |
parsing, and migration to valueless node for log and state matchers | |||
2023-11-01 | T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵ | Nicolas Fort | |
firewal, nat and nat66. (cherry picked from commit 51abbc0f1b2ccf4785cf7f29f1fe6f4af6007ee6) | |||
2023-10-23 | T5637: Firewall: add new rule at the end of base chains for default-actions. ↵ | Nicolas Fort | |
This enables logs capabilities for default-action in base chains. | |||
2023-09-28 | firewall: T5614: Add support for matching on conntrack helper | sarthurdev | |
(cherry picked from commit 81dee963a9ca3224ddbd54767a36efae5851a001) | |||
2023-08-23 | T5450: update smoketest and interface definition in order to work with new ↵ | Nicolas Fort | |
firewall cli | |||
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵ | Nicolas Fort | |
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip. | |||
2023-08-11 | T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo fix in ↵ | Nicolas Fort | |
firewall smoketest | |||
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Update jinja templates, python ↵ | Nicolas Fort | |
scripts and src firewall | |||
2023-07-31 | T5416: fix ipsec matcher | Nicolas Fort | |
2023-07-14 | T5195: vyos.util -> vyos.utils package refactoring (#2093) | Christian Breunig | |
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io | |||
2023-03-21 | T5050: fix smoketest policy_route, which was failing after previos commit ↵ | Nicolas Fort | |
was merged | |||
2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort | |
2023-03-06 | T5055: Firewall: add packet-type matcher in firewall and route policy | Nicolas Fort | |
2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort | |
2022-12-19 | T4886: Firewall and route policy: Add connection-mark feature to vyos. | Nicolas Fort | |
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger | |
T4780: Firewall: add firewall groups in firewall. Extend matching cri… | |||
2022-11-24 | Merge pull request #1641 from Rain/T4612-arbitrary-netmasks | Christian Poessinger | |
firewall: T4612: Support arbitrary netmasks | |||
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵ | Nicolas Fort | |
so this new group can be used in inbound and outbound matcher | |||
2022-11-03 | nat: T1877: T970: Add firewall groups to NAT | sarthurdev | |
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination ↵ | sarthurdev | |
`fqdn` node | |||
2022-10-08 | firewall: T4612: Support arbitrary netmasks | Rain | |
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically. | |||
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort | |
2022-09-16 | T4699: Firewall: Add jump action in firewall rulest | Nicolas Fort | |
2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev | |
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on ↵ | Nicolas Fort | |
firewall and in policy route | |||
2022-09-03 | firewall: T4651: re-implement packet-length CLI option to use <multi/> | Christian Poessinger | |
2022-09-01 | Firewall: T4651: Change proposed cli from ip-length to packet-length | Nicolas Fort | |
2022-08-27 | Firewall: T4651: Add options to match packet size on firewall rules. | Nicolas Fort | |
2022-08-18 | firewall: T4622: Add TCP MSS option | Viacheslav Hletenko | |
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460' | |||
2022-07-04 | firewall: T4299: Add ability to inverse match country codes | sarthurdev | |
2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev | |
2022-06-14 | firewall: T4147: Use named sets for firewall groups | sarthurdev | |
* Refactor nftables clean-up code * Adds policy route test for using firewall groups | |||
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev | |
2022-06-10 | Firewall:T4458: Add ttl match option in firewall | Nicolas Fort | |
2022-06-10 | Merge pull request #1322 from nicolas-fort/T3907-fwall-log | Daniil Baturin | |
Firewall: T3907: add log-level options in firewall | |||
2022-06-05 | firewall: T970: Maintain a domain state to fallback if resolution fails | sarthurdev | |
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko | |
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } } |