summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_firewall.py
AgeCommit message (Collapse)Author
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-05firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-08-26firewall: T5080: Disable conntrack unless required by rulessarthurdev
2023-08-25firewall: T3509: Add support for IPv6 return path filteringsarthurdev
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-11T5160: firewall refactor: change default value for <default-action> from ↵Nicolas Fort
<drop> to <accept> if default-action is not specified in base chains
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo fix in ↵Nicolas Fort
firewall smoketest
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: re-add missing code in template.py which was ↵Nicolas Fort
accidentaly removed. Update smokestest: remove zone test and fix test_sysfs test
2023-08-11T5160: firewall refactor: new cli structure. Add migration script and update ↵Nicolas Fort
smoketest
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-03-31T5128: Add contraint for firewall interface. Also update smoketest to ↵Nicolas Fort
include at least one wildcarded interface
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-06T5055: Firewall: add packet-type matcher in firewall and route policyNicolas Fort
2023-02-28T5037: Firewall: Add queue action and options to firewallNicolas Fort
2022-12-19T4886: Firewall and route policy: Add connection-mark feature to vyos.Nicolas Fort
2022-12-17Merge pull request #1626 from nicolas-fort/fwall_group_interfaceChristian Poessinger
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
2022-11-24Merge pull request #1641 from Rain/T4612-arbitrary-netmasksChristian Poessinger
firewall: T4612: Support arbitrary netmasks
2022-11-19T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵Nicolas Fort
so this new group can be used in inbound and outbound matcher
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-10-08firewall: T4612: Support arbitrary netmasksRain
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
2022-09-26T4700: Firewall: add interface matching criteriaNicolas Fort
2022-09-21T4699: Firewall: Add return action, since jump action was added recentlyNicolas Fort
2022-09-16T4699: Firewall: Add jump action in firewall rulestNicolas Fort
2022-09-14firewall: nat66: policy: T2199: Fix smoketests for nftables updated outputsarthurdev
2022-09-13zone-policy: T2199: Migrate zone-policy to firewall nodesarthurdev
2022-09-13firewall: T4605: Rename filter tables to vyos_filtersarthurdev
2022-09-13firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵sarthurdev
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script
2022-09-07T1024: Firewall and Policy route: add option to match dscp value, both on ↵Nicolas Fort
firewall and in policy route
2022-09-03firewall: T4651: re-implement packet-length CLI option to use <multi/>Christian Poessinger
2022-09-03smoketest: firewall: add re-usable variables when running testcasesChristian Poessinger
2022-09-01Firewall: T4651: Change proposed cli from ip-length to packet-lengthNicolas Fort
2022-08-27Firewall: T4651: Add options to match packet size on firewall rules.Nicolas Fort
2022-08-18firewall: T4622: Add TCP MSS optionViacheslav Hletenko
Ability to drop|accept packets based on TCP MSS size set firewall name <tag> rule <tag> tcp mss '501-1460'
2022-07-04firewall: T4299: Add ability to inverse match country codessarthurdev
2022-06-14firewall: T970: Use set prefix to domain groupssarthurdev
2022-06-14firewall: T4147: Use named sets for firewall groupssarthurdev
* Refactor nftables clean-up code * Adds policy route test for using firewall groups
2022-06-10Merge pull request #1356 from sarthurdev/nested_groupsChristian Poessinger
firewall: T478: Add support for nesting groups
2022-06-10firewall: T478: Add support for nesting groupssarthurdev
2022-06-10Firewall:T4458: Add ttl match option in firewallNicolas Fort
2022-06-10Merge pull request #1322 from nicolas-fort/T3907-fwall-logDaniil Baturin
Firewall: T3907: add log-level options in firewall
2022-06-10smoketest: T970: Add commit after static-host-mappingViacheslav Hletenko
Staic-host-mapping 'example.com' should be exists before we configure firewall domain-group FOO address example.com
2022-05-28firewall: T970: Add firewall group domain-groupViacheslav Hletenko
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-11Firewall: T3907: add log-level options in firewallNicolas Fort
2022-05-09Merge pull request #1279 from nicolas-fort/T990Christian Poessinger
Firewall: T990: Add snat and dnat connection status on firewall
2022-04-25smoketest: bugfix on proper inheritance levels for classmethodChristian Poessinger
2022-04-23Firewall: T990: Modifications for new connection-status cliNicolas Fort