From 8e0e1a99e5510c7575ab8a09145d6b4354692d55 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Mon, 26 Aug 2024 18:10:01 +0000 Subject: T6647: firewall. Introduce patch for accepting ARP and DHCP replies on stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall. --- .../include/firewall/common-rule-bridge.xml.i | 1 + .../include/firewall/global-options.xml.i | 6 +++++ .../include/firewall/match-ether-type.xml.i | 30 ++++++++++++++++++++++ 3 files changed, 37 insertions(+) mode change 100644 => 100755 interface-definitions/include/firewall/common-rule-bridge.xml.i mode change 100644 => 100755 interface-definitions/include/firewall/global-options.xml.i create mode 100755 interface-definitions/include/firewall/match-ether-type.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i old mode 100644 new mode 100755 index 9ae28f7be..80088bbec --- a/interface-definitions/include/firewall/common-rule-bridge.xml.i +++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i old mode 100644 new mode 100755 index cee8f1854..05fdd75cb --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -49,6 +49,12 @@ Apply configured firewall rules to traffic switched by bridges + + + Accept ARP and DHCP despite they are marked as invalid connection + + + Apply configured IPv4 firewall rules diff --git a/interface-definitions/include/firewall/match-ether-type.xml.i b/interface-definitions/include/firewall/match-ether-type.xml.i new file mode 100755 index 000000000..abfa9034d --- /dev/null +++ b/interface-definitions/include/firewall/match-ether-type.xml.i @@ -0,0 +1,30 @@ + + + + Ethernet type + + 802.1q 802.1ad arp ipv4 ipv6 + + + 802.1q + Customer VLAN tag type + + + 802.1ad + Service VLAN tag type + + + arp + Adress Resolution Protocol + + + _ipv4 + Internet Protocol version 4 + + + _ipv6 + Internet Protocol version 6 + + + + -- cgit v1.2.3