Configuration templates and scripts for the firewall subsystem. (mirror of https://github.com/vyos/vyatta-cfg-firewall.git) https://git.amelek.net/vyos/vyatta-cfg-firewall.git/atom?h=equuleus 2024-04-09T15:11:41+00:00 2024-04-09T15:11:41+00:00 Christian Breunig christian@poessinger.com 2024-04-09T15:11:41+00:00 urn:sha1:2e2f4cd1a5d9df38780b14e3d4c5d4b3a1afdc15 T6215: Replace confusing error messages with clear ones 2024-04-09T13:35:41+00:00 aslanvyos 126803786+aslanvyos@users.noreply.github.com 2024-04-09T09:30:46+00:00 urn:sha1:572f8dbef0c5a596dfbe7bd9284238016662762e 2023-01-03T15:34:59+00:00 zdc zdc@users.noreply.github.com 2023-01-03T15:34:59+00:00 urn:sha1:49dd3dc21d7069c1934541c05ecb2201bd8313a2 network-groups: T4869: Fixed operations with /32 and /128 netmasks 2022-12-09T15:19:30+00:00 zsdc taras@vyos.io 2022-12-09T15:10:10+00:00 urn:sha1:1636db20ee4b3d388a25b62e86bea1de52fcc339 When the configuration script performs operations with network-group items received from CLI, it gets them in the format fixed by CLI restrictions - always with netmasks. But inside ipset networks with netmasks /32 for IPv4 and /128 for IPv6 for some reason represented as items without netmask. This breaks comparison logic in the configuration script that relies on a direct match between items. This commit adds extra normalization for data received from ipset - an appropriate netmask is added to networks with /32 and /128 netmasks while preparing a hash with items. This allows using hash keys for matching as it is intended to be. 2022-09-23T05:31:58+00:00 Christian Poessinger christian@poessinger.com 2022-09-23T05:31:58+00:00 urn:sha1:2bc88186b952e32bcf26419af2563c6f1bd7daac ipset: T2189: optimized firewall groups performance 2022-09-19T17:16:12+00:00 zsdc taras@vyos.io 2022-09-12T15:07:01+00:00 urn:sha1:d55b9e14c14011577354b69cc569d2652d5e31fd This commit optimizes the speed of interaction with the ipset. * removed extra `sudo` from `ipset` commands, because scripts that run `ipset` commands already run under `sudo`. This gives approximately 4x performance improvement. * replaced logic in the `member_exists` function for port groups. Instead of calling `ipset -T` for each port now the whole list is received in one command and a search process is done inside Perl. This significantly improves speed for port groups with long port ranges inside. * delete ip address and port ranges using a single command instead deleting each element individually. * added the same ranges validation for address-group as for port-group. 2022-03-10T17:03:38+00:00 Christian Poessinger christian@poessinger.com 2022-03-10T17:03:38+00:00 urn:sha1:6de742432786b4035842d3e3f2e4a10df68199f2 ipset: T4002: Generate a temporary set name from UUID 2022-03-06T13:15:17+00:00 zsdc taras@vyos.io 2022-03-06T13:15:17+00:00 urn:sha1:2649cb10598e5b3ad605950afabcd6facd4eab70 ipset allows assigning set names up to 31 characters long. Currently, we use a process -PID number as a suffix for generating temporary set names. But this cuts effective set name to 25 characters only (`set name in CLI` + `-` + `PID number`), however in CLI we have a limit set to 31. So, set names with long prefixes cannot be configured. This commit replaces PID-based temporary name with UUID-based, which allows configuring set names with full name size. 2022-01-29T18:37:57+00:00 Christian Poessinger christian@poessinger.com 2022-01-29T18:37:57+00:00 urn:sha1:9b750c11011761099f06ccce89a9b7001764629e firewall: T4100: default action number 2022-01-12T03:56:33+00:00 goodNETnick pknet@ya.ru 2022-01-12T03:56:33+00:00 urn:sha1:7e00db319e5078c1f290e63a968af0c507c99bd4