vyatta-cfg-firewall.git/lib, branch equuleusConfiguration templates and scripts for the firewall subsystem. (mirror of https://github.com/vyos/vyatta-cfg-firewall.git)
https://git.amelek.net/vyos/vyatta-cfg-firewall.git/atom?h=equuleus2022-12-09T15:19:30+00:00network-groups: T4869: Fixed operations with /32 and /128 netmasks2022-12-09T15:19:30+00:00zsdctaras@vyos.io2022-12-09T15:10:10+00:00urn:sha1:1636db20ee4b3d388a25b62e86bea1de52fcc339
When the configuration script performs operations with network-group items
received from CLI, it gets them in the format fixed by CLI restrictions - always
with netmasks. But inside ipset networks with netmasks /32 for IPv4 and
/128 for IPv6 for some reason represented as items without netmask. This breaks
comparison logic in the configuration script that relies on a direct match
between items.
This commit adds extra normalization for data received from ipset - an
appropriate netmask is added to networks with /32 and /128 netmasks while
preparing a hash with items. This allows using hash keys for matching as it is
intended to be.
ipset: T2189: optimized firewall groups performance2022-09-19T17:16:12+00:00zsdctaras@vyos.io2022-09-12T15:07:01+00:00urn:sha1:d55b9e14c14011577354b69cc569d2652d5e31fd
This commit optimizes the speed of interaction with the ipset.
* removed extra `sudo` from `ipset` commands, because scripts that run `ipset`
commands already run under `sudo`. This gives approximately 4x performance
improvement.
* replaced logic in the `member_exists` function for port groups. Instead of
calling `ipset -T` for each port now the whole list is received in one command
and a search process is done inside Perl. This significantly improves speed for
port groups with long port ranges inside.
* delete ip address and port ranges using a single command instead deleting
each element individually.
* added the same ranges validation for address-group as for port-group.
firewall: T4100: default action number2022-01-12T03:56:33+00:00goodNETnickpknet@ya.ru2022-01-12T03:56:33+00:00urn:sha1:7e00db319e5078c1f290e63a968af0c507c99bd4[ipset] T1456: Add check for duplicate items in port-group before commit2019-06-19T19:24:41+00:00zsdctaras@sentrium.io2019-06-19T19:24:41+00:00urn:sha1:835304e5aaa252e8b0bcf4651629cd089e670147T1111: use unique recent packet list names in rules.2018-12-17T21:47:54+00:00Daniil Baturindaniil@baturin.org2018-12-17T21:47:54+00:00urn:sha1:f9c89b30f7598e769837ff33dd9dfb2847e5053fT573: add support for matching IPv6 hop limit.2018-11-18T18:11:57+00:00Daniil Baturindaniil@baturin.org2018-11-18T18:11:57+00:00urn:sha1:152c7f8eefeea6d69b0b72ca1bb2e8345f66acd9
Patch by Ray Patrick Soucy.
Task T35 - fixing prune_deleted_sets for inet6 family2018-04-11T08:13:14+00:00Marian Tudosoiumarian.tudosoiu@1and1.ro2018-04-11T08:13:14+00:00urn:sha1:f6e4c60702f810cc06449782f64c7e5a7e20abb2Task T35 - fixing scoping rules2018-03-26T06:04:35+00:00mtudosoiumarian.tudosoiu@1and1.ro2018-03-26T06:04:35+00:00urn:sha1:fc5e3b8bb61690619ee739f11cac54abb689d5f2Task T35 change to solve port-group issue2018-03-23T09:00:49+00:00Marian Tudosoiumarian.tudosoiu@1and1.ro2018-03-23T09:00:49+00:00urn:sha1:9e61589926f6801c318406d373d5b9d01922e12eTask T35 place ipv6 groups under group config tree2018-03-14T08:32:41+00:00mtudosoiumarian.tudosoiu@1and1.ro2018-03-14T08:32:41+00:00urn:sha1:b831173966f0df13c1e916e85005a8e79ec93fe8