Age | Commit message (Collapse) | Author |
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
Backport of the conntrack system from current branch.
(cherry picked from commit fd0bcaf12)
(cherry picked from commit 5acf5aced)
(cherry picked from commit 42ff4d8a7)
(cherry picked from commit 24a1a7059)
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
(cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
|
|
The subnet router anycast address is predefined. Its format is as follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that identifies a
specific link. This anycast address is syntactically the same as a unicast
address for an interface on the link with the interface identifier set to zero.
Packets sent to the Subnet-Router anycast address will be delivered to one
router on the subnet. All routers are required to support the Subnet-Router
anycast addresses for the subnets to which they have interfaces.
The Subnet-Router anycast address is intended to be used for applications where
a node needs to communicate with any one of the set of routers.
Our code as of now returns the subnet router anycast address as the
first_host_address().
(cherry picked from commit cc4ce81ece57faca8ce111b8f3748389ecb40202)
|
|
included in <set firewall global-options state-policy> node.
|
|
This enables logs capabilities for default-action in base chains.
|
|
accidentaly removed. Update smokestest: remove zone test and fix test_sysfs test
|
|
scripts and src firewall
|
|
Multiple scripts use the same hardcoded path for DHCP client leases in
different direcotries - this can't be worse.
|
|
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
Values of the list for the 'range_to_regex' could be not only range
values as ['10-20', '22-30'] but also and not range values like
['10-20', '30', '80']
Fix if we args is list and non range values are exists in ths list
% range_to_regex(['10-20', '80'])
'(1\\d|20|80)'
|
|
Extend template filter 'range_to_regex'
Allow list of ranges as argument
% range_to_regex(['11-12', '14-15'])
'(1[1-2]|1[4-5])'
|
|
|
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
Added the possibility to configure Pseudo-Random Functions (PRF)
in IKE group
set vpn ipsec ike-group <Ike-grp> proposal <number> prf <PRF>
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
The initial Accel-PPP PPPoE implementation used:
set service pppoe-server interface <name> vlan-id <id>
set service pppoe-server interface <name> vlan-range <start-stop>
This is actually a duplicated CLI node.
|
|
|
|
This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix
default action 'drop' for the firewall") in a way that we can now also use the
XML <defaultValue> node under "firewall name" and "firewall ipv6-name". This
is a much cleaner approach which also adds the default value automatically to
the CLIs completion helper ("?").
|
|
For some reason after firewall rewriting we are having default
action 'accept' for 1.4 and default action 'drop' for 1.3
Fix this issue, set default action 'drop'
|
|
* Refactor nftables clean-up code
* Adds policy route test for using firewall groups
|
|
|
|
|
|
|
|
not none
We have a lot of boiler plate template code like
{% if config.interface is defined and config.interface.remote_as is defined
and config.interface.remote_as is not none %}
...
{% endif %}
This can be stripped down using a custom test to:
{% if config.interface.remote_as is vyos_defined %}
...
{% endif %}
In addition the new vyos_defined test supports comparison
{% if foo.bar.baz is vyos_defined('zoo') %}
...
{% endif %}
So the above will only evaluate to true if the variable foo.bar.baz is defined
and its content is zoo
This is inspired from https://github.com/aristanetworks/ansible-avd/ which make
heavy use of it.
All new templates should be written in this new style.
|
|
firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
|
|
|
|
|
|
Example syslog: [FWNAME-default-D] ...
* Also clean-up firewall default-action
|
|
zone-policy
|
|
firewall: T4130: Fix firewall state-policy errors
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
* 'firewall' of https://github.com/sarthurdev/vyos-1x:
zone_policy: T3873: Implement intra-zone-filtering
policy: T2199: Migrate policy route op-mode to XML/Python
policy: T2199: Migrate policy route to XML/Python
zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
zone-policy: T2199: Migrate zone-policy to XML/Python
firewall: T2199: Migrate firewall op-mode to XML/Python
firewall: T2199: Migrate firewall to XML/Python
|
|
|
|
Peer name must not contain dots and colons, otherwise
swanct can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replace dots and colons
|
|
|
|
|
|
|
|
|
|
... there was a type setting ecp512 instead of ecp521.
|
|
|
|
|
|
generate ipsec mac-ios-profile <connection> remote <ip|fqdn>
will generate a matching IPSec profile which can be loaded on an iOS device.
|
|
|