diff options
| author | Daniil Baturin <daniil@vyos.io> | 2024-10-10 16:16:51 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-10-10 16:16:51 +0100 |
| commit | f335bd75474b8e355ea86ceff5550dd39a32064b (patch) | |
| tree | 9b07f688f0e55659c1723153fedc09905c897272 | |
| parent | e1f61e448be5422303c5aa80fd4c4d0a35209e3c (diff) | |
| parent | 177ba9dd0d8a9eacd5ca5e022a68a1aa6170c3fa (diff) | |
| download | vyos-documentation-f335bd75474b8e355ea86ceff5550dd39a32064b.tar.gz vyos-documentation-f335bd75474b8e355ea86ceff5550dd39a32064b.zip | |
Merge pull request #1559 from nicolas-fort/firewall-packet-modifications
T6760: add docs for new commands available in firewall: packet modifications
| -rw-r--r-- | docs/configuration/firewall/bridge.rst | 38 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 50 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv6.rst | 50 |
3 files changed, 138 insertions, 0 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 39956236..9c360d35 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -386,6 +386,44 @@ described in this section: Match based on VLAN priority (Priority Code Point - PCP). Range is also supported. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter + rule <1-999999> set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall bridge [forward | output] filter + rule <1-999999> set connection-mark <0-2147483647> + + Set connection mark value. + + Use IP firewall =============== diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index abae31a5..419a9339 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -980,6 +980,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set ttl <0-255> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set ttl <0-255> + + Set the TTL (Time to Live) value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 5f526dac..0c995c12 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -970,6 +970,56 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +Packet Modifications +==================== + +Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify +packets before they are sent out. This feaure provides more flexibility in +packet handling. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set dscp <0-63> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set dscp <0-63> + + Set a specific value of Differentiated Services Codepoint (DSCP). + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set mark <1-2147483647> + + Set a specific packet mark value. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set tcp-mss <500-1460> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set tcp-mss <500-1460> + + Set the TCP-MSS (TCP maximum segment size) for the connection. + +.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set hop-limit <0-255> +.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999> + set hop-limit <0-255> + + Set hop limit value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + set connection-mark <0-2147483647> +.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> + set connection-mark <0-2147483647> + + Set connection mark value. + ******** Synproxy ******** |