summaryrefslogtreecommitdiff
path: root/docs/configuration/firewall
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-06-14 11:14:53 -0300
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-06-18 19:32:13 +0000
commitd9bf0b09177c9a8e754b9de2e6094ac36f69b3fb (patch)
treee5789602dc7aeb7789bccc6c7ce98b186af96948 /docs/configuration/firewall
parent5a5c8fd3056cc0a012da204f511eb50aa403e526 (diff)
downloadvyos-documentation-d9bf0b09177c9a8e754b9de2e6094ac36f69b3fb.tar.gz
vyos-documentation-d9bf0b09177c9a8e754b9de2e6094ac36f69b3fb.zip
Configuration Blueprints: add new example for firewall+vrf. Also, add note about usage of inbound and outbound interface when interface is attached to a non-default vrf.
(cherry picked from commit fe416b56cfa30494172a0310c16fd2787330c7bb) # Conflicts: # docs/configexamples/zone-policy.rst
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--docs/configuration/firewall/ipv4.rst8
-rw-r--r--docs/configuration/firewall/ipv6.rst8
2 files changed, 16 insertions, 0 deletions
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index d425b41f..2a654fd7 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -686,6 +686,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **inbound-interface**, vrf name must be used. For example ``set firewall
+ ipv4 forward filter rule 10 inbound-interface name MGMT``
+
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
@@ -707,6 +711,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **outbound-interface**, real interface name must be used. For example
+ ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
+
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
index ce8c5ccf..19df996a 100644
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@@ -700,6 +700,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **inbound-interface**, vrf name must be used. For example ``set firewall
+ ipv6 forward filter rule 10 inbound-interface name MGMT``
+
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
@@ -721,6 +725,10 @@ geoip) to keep database and rules updated.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
+.. note:: If an interface is attached to a non-default vrf, when using
+ **outbound-interface**, real interface name must be used. For example
+ ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
+
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>