summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
AgeCommit message (Collapse)Author
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-22T5957: fix removal of interface in firewall rules.Nicolas Fort
2023-11-10T5729: firewall: switch to valueless in order to remove unnecessary ↵Nicolas Fort
<enable|disable> commands; log and state moved to new syntax.
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-28firewall: T5217: Synproxy bugfix and ct state conflict checkingsarthurdev
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-18T5590: firewall log rule: fix order which rule are processed. Log options ↵Nicolas Fort
should be added at the end of the rule, after all matchers and befora action. Also change 2 lines in policy_route smoketest, which suddenly wasn't working as expected
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo fix in ↵Nicolas Fort
firewall smoketest
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update jinja templates, python ↵Nicolas Fort
scripts and src firewall
2023-07-31T5416: fix ipsec matcherNicolas Fort
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-03-21T5050: fix smoketest policy_route, which was failing after previos commit ↵Nicolas Fort
was merged
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-06T5055: Firewall: add packet-type matcher in firewall and route policyNicolas Fort
2023-02-28T5037: Firewall: Add queue action and options to firewallNicolas Fort
2022-12-19T4886: Firewall and route policy: Add connection-mark feature to vyos.Nicolas Fort
2022-12-17Merge pull request #1626 from nicolas-fort/fwall_group_interfaceChristian Poessinger
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
2022-11-24Merge pull request #1641 from Rain/T4612-arbitrary-netmasksChristian Poessinger
firewall: T4612: Support arbitrary netmasks
2022-11-19T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵Nicolas Fort
so this new group can be used in inbound and outbound matcher
2022-11-03nat: T1877: T970: Add firewall groups to NATsarthurdev
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-10-08firewall: T4612: Support arbitrary netmasksRain
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
2022-09-26T4700: Firewall: add interface matching criteriaNicolas Fort
2022-09-16T4699: Firewall: Add jump action in firewall rulestNicolas Fort
2022-09-13firewall: T4605: Rename filter tables to vyos_filtersarthurdev
2022-09-07T1024: Firewall and Policy route: add option to match dscp value, both on ↵Nicolas Fort
firewall and in policy route
2022-09-03firewall: T4651: re-implement packet-length CLI option to use <multi/>Christian Poessinger
2022-09-01Firewall: T4651: Change proposed cli from ip-length to packet-lengthNicolas Fort
2022-08-27Firewall: T4651: Add options to match packet size on firewall rules.Nicolas Fort
2022-08-18firewall: T4622: Add TCP MSS optionViacheslav Hletenko
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460'
2022-07-04firewall: T4299: Add ability to inverse match country codessarthurdev
2022-06-14firewall: T970: Use set prefix to domain groupssarthurdev
2022-06-14firewall: T4147: Use named sets for firewall groupssarthurdev
* Refactor nftables clean-up code * Adds policy route test for using firewall groups
2022-06-11firewall: T4299: Add support for GeoIP filteringsarthurdev
2022-06-10Firewall:T4458: Add ttl match option in firewallNicolas Fort
2022-06-10Merge pull request #1322 from nicolas-fort/T3907-fwall-logDaniil Baturin
Firewall: T3907: add log-level options in firewall
2022-06-05firewall: T970: Maintain a domain state to fallback if resolution failssarthurdev
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-11Firewall: T3907: add log-level options in firewallNicolas Fort
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort