summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
AgeCommit message (Collapse)Author
2022-06-14firewall: T970: Use set prefix to domain groupssarthurdev
2022-06-14firewall: T4147: Use named sets for firewall groupssarthurdev
* Refactor nftables clean-up code * Adds policy route test for using firewall groups
2022-06-11firewall: T4299: Add support for GeoIP filteringsarthurdev
2022-06-10Firewall:T4458: Add ttl match option in firewallNicolas Fort
2022-06-10Merge pull request #1322 from nicolas-fort/T3907-fwall-logDaniil Baturin
Firewall: T3907: add log-level options in firewall
2022-06-05firewall: T970: Maintain a domain state to fallback if resolution failssarthurdev
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-11Firewall: T3907: add log-level options in firewallNicolas Fort
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort
2022-04-11Firewall: T990: Add snat and dst connection status on firewallNicolas Fort
2022-04-08Firewall: T990: Add snat and dnat connection status on firewallNicolas Fort
2022-04-06firewall: T4345: Fix incorrect rule limit rate syntaxsarthurdev
2022-02-04firewall: T4209: Fix support for rule `recent` matchessarthurdev
2022-02-03firewall: T4178: Fix only inverse matching on tcp flagssarthurdev
2022-01-29firewall: T4216: Add support for negated firewall groupssarthurdev
2022-01-29firewall: T4178: Fix dict_keys issue with tcp flagssarthurdev
2022-01-27firewall: T4178: Fix tcp flags output when `not` isn't usedsarthurdev
2022-01-20firewall: T2199: Add log prefix to match legacy perl behavioursarthurdev
Example syslog: [FWNAME-default-D] ... * Also clean-up firewall default-action
2022-01-18firewall: T3560: Add support for MAC address groupssarthurdev
2022-01-17firewall: policy: T4178: Migrate and refactor tcp flagssarthurdev
* Add support for ECN and CWR flags
2022-01-14firewall: T4178: Use lowercase for TCP flags and add an validatorsarthurdev
2022-01-12firewall: T4160: Fix support for inverse matchessarthurdev
2022-01-09policy: T4155: Fix using incorrect table variablesarthurdev
2021-12-06policy: T2199: Migrate policy route to XML/Pythonsarthurdev
2021-12-06firewall: T2199: Migrate firewall to XML/Pythonsarthurdev