Age | Commit message | Author |
|
This commit optimizes the speed of interaction with the ipset.
* removed extra `sudo` from `ipset` commands, because scripts that run `ipset`
commands already run under `sudo`. This gives approximately 4x performance
improvement.
* replaced logic in the `member_exists` function for port groups. Instead of
calling `ipset -T` for each port now the whole list is received in one command
and a search process is done inside Perl. This significantly improves speed for
port groups with long port ranges inside.
* delete ip address and port ranges using a single command instead of deleting
each element individually.
* added the same ranges validation for address-group as for port-group.
|
ipset: T4002: Generate a temporary set name from UUID
|
ipset allows assigning set names up to 31 characters long.
Currently, we use a process -PID number as a suffix for generating
temporary set names. But this cuts effective set name to 25 characters
only (`set name in CLI` + `-` + `PID number`), however in CLI we have a
limit set to 31. So, set names with long prefixes cannot be configured.
This commit replaces PID-based temporary name with UUID-based, which
allows configuring set names with full name size.
|
firewall: T4100: default action number
|
Firewall: T4100: increase maximum number of rules
|
(cherry picked from commit df69f68e09b82f3e1ee928963709b1263cea5bdf)
|
T3115: Add firewall options for bridge vifs
|
(cherry picked from commit 44f91525cc72a26b365bb24cab22344bc5e06540)
|
(cherry picked from commit c5a8a802fa017808ba044d9151dd35a48ae60b94)
|
Fixed the completion help for icmp code & type, which was showing out-of-range
values 0-4294967295 rather than the allowed values, i.e. 0-255
(cherry picked from commit c89cbf844bc2f54fb599ab7bbb7821f3160b7d28)
|
(cherry picked from commit 55fe5936b39b9ba20b6ac927f3b8930ed2d0af60)
|
This is the second commit for fixing this issue, the first was for the
policy based routing and fixed in commit dc80ce45f95 ("T3456: add missing
priority when deleting interface policy").

    set firewall name FOO rule 10 action 'accept'
    set interfaces ethernet eth0 firewall local name 'FOO'
    commit

This was not able to be removed again in one commit, two commits are required.

    vyos@r4-roll# delete firewall
    [edit]
    vyos@r4-roll# delete interfaces ethernet eth0 firewall
    [edit]
    vyos@r4-roll# commit
    [ firewall name FOO ]
    Firewall configuration error: Cannot delete rule set "FOO" (still in use)
    delete [ firewall name FOO ] failed
    delete [ firewall ] failed
    Commit failed
    [edit]
    vyos@r4-roll#

(cherry picked from commit 8e1ab2a747a26a3a574c411b95ffb2a3ca7e3854)
|
    set interfaces ethernet eth1 policy route 'LAN-POLICY-BASED-ROUTING'
    set policy route LAN-POLICY-BASED-ROUTING rule 10 destination
    set policy route LAN-POLICY-BASED-ROUTING rule 10 disable
    set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'
    set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32'
    set policy route LAN-POLICY-BASED-ROUTING rule 20 destination
    set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100'
    set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240'

This was not able to be deleted in only one commit, two commits were required.

    vyos@vyos# delete policy
    vyos@vyos# delete interfaces ethernet eth1 policy
    vyos@vyos# commit
    [ policy route LAN-POLICY-BASED-ROUTING ]
    Firewall configuration error: Cannot delete rule set "LAN-POLICY-BASED-ROUTING" (still in use)
    delete [ policy route LAN-POLICY-BASED-ROUTING ] failed
    [[]] failed
    Commit failed
    copy failed [/opt/vyatta/config/tmp/tmp_7724/work/.unionfs-fuse][/opt/vyatta/config/tmp/new_config_7724/.unionfs-fuse]
    Failed to generate committed config
    [edit]
    vyos@vyos#

(cherry picked from commit dc80ce45f95e243afc6c3d9016f051cfab690846)
|
(cherry picked from commit eba416df08429eead009b30b7b72a286dd194dd4)
|
cfg-firewall: T2868: Delete option pmtu for tcp-mss
|
firewall: T1241: Check file before del
|
* 'equuleus' of github.com:vyos/vyatta-cfg-firewall:
Jenkins: import Pipeline from vyos-1x commit bd00ec7
update Jenkins file for equuleus
|
T1471: Fix wireguard entry in firewall template generator.
|
[ipset] T1456: Add check for duplicate items in port-group before commit
|
This reverts commit d1164b989295016436f20caa709603ec5d85a4d3.
|
T166: Changed NPTv6 to use NETMAP
|
into HEAD
|
Patch by Ray Patrick Soucy.
|
If left in place, it will create incorrect command definition tree
when vyatta-vrrp is removed and cause config loading errors.
|