summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_firewall.py
AgeCommit message (Collapse)Author
2024-10-03T6760: firewall: add packet modifications existing in policy route to ↵Nicolas Fort
regular firewall ruleset.
2024-09-10T6698: firewall: add matcher for vlan type. (#4027)Nicolás Fort
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-14T6636: firewall: fix firewall template in order to write logs for ↵Nicolas Fort
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
2024-08-09T6643: firewall: fix ip address range parsing on firewall rules.Nicolas Fort
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T4072: firewall: extend firewall bridge smoketestNicolas Fort
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-03-20conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack
2024-03-05T6061: fix rule parsing when connection-status is usedNicolas Fort
2024-02-27smoketest: T5160: Deduplicate nftables verify functions to testcase class, ↵sarthurdev
remove obsolete imports
2024-02-13T5928: Smoketest change firewall flowtable test to use VLANViacheslav Hletenko
2024-02-12T6019: fix smoketest after upgrading nftables and libnftnl packages.Nicolas Fort
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
2023-12-15firewall: T4502: add ofload to firewall table actionsGurliGebis
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-11-10T5729: firewall: switch to valueless in order to remove unnecessary ↵Nicolas Fort
<enable|disable> commands; log and state moved to new syntax.
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-19Merge pull request #2362 from nicolas-fort/T5541Christian Breunig
T5541: firewall zone: re add firewall zone-base firewall
2023-10-13T5541: firewall zone: re add firewall zone-base firewallNicolas Fort
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-19conntrack: firewall: T4502: Update conntrack check for new flowtable CLIsarthurdev
Also updates flowtable smoketest to verify conntrack enabled
2023-09-19firewall: ethernet: T4502: Add interface offload node and verify interface ↵sarthurdev
supports HW flowtable offload - Add required offload setting for interfaces + flowtable offload (hw-tc-offload) - Verification of interface support for hardware offloaded flowtables
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-05firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-08-26firewall: T5080: Disable conntrack unless required by rulessarthurdev
2023-08-25firewall: T3509: Add support for IPv6 return path filteringsarthurdev
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-11T5160: firewall refactor: change default value for <default-action> from ↵Nicolas Fort
<drop> to <accept> if default-action is not specified in base chains
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewal refactor: fix tabulation for geo-ip parsing code. Typo fix in ↵Nicolas Fort
firewall smoketest
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: re-add missing code in template.py which was ↵Nicolas Fort
accidentaly removed. Update smokestest: remove zone test and fix test_sysfs test
2023-08-11T5160: firewall refactor: new cli structure. Add migration script and update ↵Nicolas Fort
smoketest