Age | Commit message | Author | |
---|---|---|---|
2023-09-29 | T5616: firewall: add option to be able to match firewall marks in firewall filter and in policy route. | Nicolas Fort | |
2023-09-28 | Merge pull request #2295 from sever-sever/T5217-synproxy | Christian Breunig | |
T5217: Add firewall synproxy | |||
2023-09-24 | firewall: T5614: Add support for matching on conntrack helper | sarthurdev | |
2023-09-21 | T5217: Add firewall synproxy | Viacheslav Hletenko | |
Add ability to SYNPROXY connections. It is useful to protect against TCP SYN flood attacks and port-scanners: `set firewall global-options syn-cookies 'enable'` `set firewall ipv4 input filter rule 10 action 'synproxy'` `set firewall ipv4 input filter rule 10 destination port '22'` `set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'` `set firewall ipv4 input filter rule 10 protocol 'tcp'` `set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'` `set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'` | |||
2023-09-19 | conntrack: firewall: T4502: Update conntrack check for new flowtable CLI | sarthurdev | |
Also updates flowtable smoketest to verify conntrack enabled | |||
2023-09-19 | firewall: ethernet: T4502: Add interface offload node and verify interface supports HW flowtable offload | sarthurdev | |
- Add required offload setting for interfaces + flowtable offload (hw-tc-offload) - Verification of interface support for hardware offloaded flowtables | |||
2023-09-19 | firewall: T4502: Update to flowtable CLI | sarthurdev | |
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>` | |||
2023-09-16 | conntrack: T5571: Refactor conntrack to be independent conf script from firewall, nat, nat66 | sarthurdev | |
2023-09-09 | T4502: firewall: Add software flow offload using flowtable | Yuxiang Zhu | |
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: `set firewall global-options flow-offload software interface <name>` `set firewall global-options flow-offload hardware interface <name>`. Generated nftables rules: `table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } }`. Use this option to count packets and bytes for each offloaded flow: `set system conntrack flow-accounting`. To verify a connection is offloaded, run `cat /proc/net/nf_conntrack \| grep OFFLOAD`. This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath | |||
2023-09-08 | Merge pull request #2222 from nicolas-fort/T4072-fwall-bridge | Christian Breunig | |
T4072: add firewall bridge filtering. | |||
2023-09-07 | T4072: add firewall bridge filtering. First implementation only applies for forward chain and few matchers. Should be extended in the future. | Nicolas Fort | |
2023-09-05 | firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces | sarthurdev | |
2023-08-26 | firewall: T5080: Disable conntrack unless required by rules | sarthurdev | |
2023-08-25 | firewall: T3509: Add support for IPv6 return path filtering | sarthurdev | |
2023-08-23 | T5450: update smoketest and interface definition in order to work with new firewall cli | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change default value for <default-action> from <drop> to <accept> if default-action is not specified in base chains | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set firewall ipv6 name ...>. Also fix some unexpected behaviour with geoip. | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: fix tabulation for geo-ip parsing code. Typo fix in firewall smoketest | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: re-add missing code in template.py which was accidentally removed. Update smoketest: remove zone test and fix test_sysfs test | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Add migration script and update smoketest | Nicolas Fort | |
2023-07-14 | T5195: vyos.util -> vyos.utils package refactoring (#2093) | Christian Breunig | |
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file. Changed code automatically using: `find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +` `find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +` * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io | |||
2023-03-31 | T5128: Add constraint for firewall interface. Also update smoketest to include at least one wildcarded interface | Nicolas Fort | |
2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort | |
2023-03-06 | T5055: Firewall: add packet-type matcher in firewall and route policy | Nicolas Fort | |
2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort | |
2022-12-19 | T4886: Firewall and route policy: Add connection-mark feature to vyos. | Nicolas Fort | |
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger | |
T4780: Firewall: add firewall groups in firewall. Extend matching cri… | |||
2022-11-24 | Merge pull request #1641 from Rain/T4612-arbitrary-netmasks | Christian Poessinger | |
firewall: T4612: Support arbitrary netmasks | |||
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria so this new group can be used in inbound and outbound matcher | Nicolas Fort | |
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination `fqdn` node | sarthurdev | |
2022-10-08 | firewall: T4612: Support arbitrary netmasks | Rain | |
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically. | |||
2022-09-26 | T4700: Firewall: add interface matching criteria | Nicolas Fort | |
2022-09-21 | T4699: Firewall: Add return action, since jump action was added recently | Nicolas Fort | |
2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort | |
2022-09-14 | firewall: nat66: policy: T2199: Fix smoketests for nftables updated output | sarthurdev | |
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev | |
2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev | |
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node | sarthurdev | |
* Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script | |||
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on firewall and in policy route | Nicolas Fort | |
2022-09-03 | firewall: T4651: re-implement packet-length CLI option to use <multi/> | Christian Poessinger | |
2022-09-03 | smoketest: firewall: add re-usable variables when running testcases | Christian Poessinger | |
2022-09-01 | Firewall: T4651: Change proposed cli from ip-length to packet-length | Nicolas Fort | |
2022-08-27 | Firewall: T4651: Add options to match packet size on firewall rules. | Nicolas Fort | |
2022-08-18 | firewall: T4622: Add TCP MSS option | Viacheslav Hletenko | |
Ability to drop\|accept packets based on TCP MSS size: `set firewall name <tag> rule <tag> tcp mss '501-1460'` | |||
2022-07-04 | firewall: T4299: Add ability to inverse match country codes | sarthurdev | |
2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev | |
2022-06-14 | firewall: T4147: Use named sets for firewall groups | sarthurdev | |
* Refactor nftables clean-up code * Adds policy route test for using firewall groups | |||
2022-06-10 | Merge pull request #1356 from sarthurdev/nested_groups | Christian Poessinger | |
firewall: T478: Add support for nesting groups | |||
2022-06-10 | firewall: T478: Add support for nesting groups | sarthurdev | |