path: root/scripts/firewall
Age         Commit message  [Author]
2009-04-13  Add conntrack and post firewall hooks for IPv6.  [Bob Gilligan]
2009-04-13  Fix bug where an empty firewall rule deletes the default drop policy.  [Stig Thormodsrud]
2009-04-13  Move firewall "end" processing down to each table.  [Stig Thormodsrud]
            Fix bug for global enable/disable of conntrack.
2009-04-09  Add ability for firewall name to select default policy.  [Stig Thormodsrud]
2009-04-08  Fix faulty search loop.  [Stig Thormodsrud]
2009-04-07  Apply interface firewalls to separate VYATTA_(IN|OUT)_HOOK.  [Stig Thormodsrud]
            This enforces that the in firewall is processed before the out firewall.
2009-03-27  Revert "Allow user configurable default-policy on firewall."  [Stig Thormodsrud]
            Further testing identified a problem. The patch is broken if a packet must do both an in & out filter. This reverts commit 754d0f4d855a59020afa20ad8867218708b5c978.
2009-03-27  Allow user configurable default-policy on firewall.  [Stig Thormodsrud]
2009-03-12  Doing strict ES won't work for router  [Stephen Hemminger]
            Need a different kind of filter to fix 4061. (Not sure if it is even possible as a firewall rule since it depends on quagga config rules.)
2009-03-12  Don't use -P  [Stephen Hemminger]
            Changing the default property of rules screws up other things.
2009-03-12  Enable strict host matching  [Stephen Hemminger]
            Bug 4061: Host (INPUT) chain will only accept packets where the destination address matches an address on the incoming interface.
2009-03-04  Don't attempt to delete ruleset from "other" trees  [Bob Gilligan]
            When a ruleset was being applied to an interface, the code previously attempted to find out if that ruleset name was being applied to that same interface and in the same direction, but under a different "tree" name (e.g. "name", "ipv6-name", "modify", etc.). If it found a match, it would delete the other rule. But the matching logic was insufficient, so it killed off some random other rule instead. There is really no need to perform this check anyway, so I have removed it.
2009-02-24  Allow IPv6 firewall rulesets to be configured on an interface independent of IPv4.  [Bob Gilligan]
            Replaced the hand-coded config templates under each type of interface with script-generated templates. This should be easier to maintain as we add new types of interfaces. Added sub-trees for "modify", "ipv6-name" and "ipv6-modify" under "in", "out" and "local" for all interfaces. Added command-completion for ruleset names being configured on an interface.
2009-02-15  Add support for ranges in firewall group address & port.  [Stig Thormodsrud]
2009-02-13  Add description and references to "show firewall group".  [Stig Thormodsrud]
2009-02-13  Add show-set to display all sets.  [Stig Thormodsrud]
2009-02-13  Add support for "show firewall group".  [Stig Thormodsrud]
2009-02-09  Add back parameter that was dropped when converting to use run_cmd().  [Stig Thormodsrud]
2009-02-06  Add carriage return to error message.  [Stig Thormodsrud]
2009-02-06  Add validation of group type.  [Stig Thormodsrud]
2009-02-04  Delete commented out code.  [Stig Thormodsrud]
2009-02-03  Turn on strict checking and fix warnings  [Stephen Hemminger]
            Turn on strict checking and fix the resulting errors. Get rid of perlcritic warnings.
2009-02-02  Add 1st pass of firewall group support (ipset netfilter module integration).  [Stig Thormodsrud]
2009-01-29  Use iptables comment to identify CLI rule numbers in iptables output  [Mohit Mehta]
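The commit above tags each generated iptables rule with a comment so that the CLI rule number can be recovered from `iptables -L` output, where the only native identifier is the rule's current position in the chain. The following is an added example, not code from vyatta-cfg-firewall: it parses a constructed `iptables -L <chain> -n --line-numbers` listing, extracts the CLI rule number from the comment, and uses it to build an exact `iptables -D` command. The comment layout `/* <ruleset>-<cli rule number> */`, the chain name WAN_IN and the sample rows are assumptions made for the example. Rules without a comment (such as a conntrack state rule) are kept but reported with no CLI number, and a delete request that matches no rule returns nothing rather than guessing a position.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `iptables -L WAN_IN -n --line-numbers`
# output. The "/* <ruleset>-<cli rule number> */" comment layout is an
# assumption for this example, not the format the project itself writes.
SAMPLE_OUTPUT = """\
Chain WAN_IN (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            10.0.0.5             tcp dpt:22 /* WAN_IN-10 */
2    DROP       udp  --  192.0.2.0/24         0.0.0.0/0            /* WAN_IN-20 */
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* WAN_IN-10000 */
"""

# One rule row: position, target, proto, opt, source, destination, then the
# free-form match/comment tail. Chain and column-header lines do not match.
ROW_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<tail>.*)$"
)
# The assumed comment: ruleset name, a hyphen, the CLI rule number.
COMMENT_RE = re.compile(r"/\* (?P<ruleset>[A-Za-z0-9_-]+?)-(?P<cli>\d+) \*/")


@dataclass
class Rule:
    position: int            # iptables line number (changes when rules move)
    target: str
    ruleset: Optional[str]   # None when the rule carries no CLI comment
    cli_rule: Optional[int]  # stable CLI rule number taken from the comment
    raw: str


def parse_chain(output: str) -> List[Rule]:
    """Turn `iptables -L ... --line-numbers` text into Rule records."""
    rules: List[Rule] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Chain ..." banner and "num target ..." header
        c = COMMENT_RE.search(m.group("tail"))
        rules.append(Rule(
            position=int(m.group("num")),
            target=m.group("target"),
            ruleset=c.group("ruleset") if c else None,
            cli_rule=int(c.group("cli")) if c else None,
            raw=line,
        ))
    return rules


def iptables_position(output: str, ruleset: str, cli_rule: int) -> Optional[int]:
    """Map a CLI rule number to its current iptables position, or None."""
    for r in parse_chain(output):
        if r.ruleset == ruleset and r.cli_rule == cli_rule:
            return r.position
    return None


def delete_command(chain: str, output: str, ruleset: str, cli_rule: int) -> Optional[str]:
    """Build the exact `iptables -D` for one CLI rule instead of guessing a position."""
    pos = iptables_position(output, ruleset, cli_rule)
    if pos is None:
        return None  # no exact match: delete nothing rather than the wrong rule
    return f"iptables -D {chain} {pos}"


if __name__ == "__main__":
    for r in parse_chain(SAMPLE_OUTPUT):
        print(r.position, r.target, r.ruleset, r.cli_rule)
    print(delete_command("WAN_IN", SAMPLE_OUTPUT, "WAN_IN", 20))
```

Because positions shift whenever a rule is inserted or removed ahead of the target, a delete driven by the comment lookup stays correct after the chain has been edited, whereas a delete by a remembered position can silently remove a neighbouring rule.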
2009-01-23  Bugfix 4062: Don't reference parameters outside the config tree.  [Bob Gilligan]
            The AddressFilter module was reaching up the config tree to find a config parameter that was used to determine whether the address type was IPv4 or IPv6. This breaks when the functions are called from some locations in the config tree. I added explicit function calls to allow the caller to set the IP version, obviating the need to reference a config parameter to determine the IP version.
2009-01-21  Initial support for IPv6.  [Bob Gilligan]
2008-12-03  fix for perl module reorganization  [An-Cheng Huang]
2008-11-24  Convert VyattaConfig to Vyatta::Config  [Stephen Hemminger]
2008-11-21  Rename VyattaIpTablesRule to Vyatta::IpTables::Rule  [Stephen Hemminger]
2008-08-21  fix for bug 3622: add pre-SNAT hook  [An-Cheng Huang]
2008-08-21  fix for bug 3604: add fragment matching options  [An-Cheng Huang]
2008-08-07  fix conntrack enabling mechanism  [An-Cheng Huang]
2008-08-07  fix for bug 2224: add "recent" matching  [An-Cheng Huang]
2008-06-04  rename "mangle" to "modify"  [An-Cheng Huang]
2008-05-19  allow firewall rule to match inbound IPsec packets.  [An-Cheng Huang]
2008-05-13  add "inspect" action (maps to QUEUE) so "custom" traffic-filter for IPS can be defined in "firewall".  [An-Cheng Huang]
2008-05-09  add mangle table support to firewall configuration. initial implementation allows MARK and DSCP jump targets.  [An-Cheng Huang]
2008-04-21  Merge branch 'glendale' into hollywood  [rbalocca]
2008-04-16  fix for bug 3167: disallow multiport specification if both source and destination ports are defined.  [An-Cheng Huang]
2008-04-16  fix for bug 3167: get the actual return status from iptables.  [An-Cheng Huang]
2008-04-08  add post-firewall hook for other features  [An-Cheng Huang]
2008-04-08  fix for bug 3127: look for an exact match to replace/delete.  [An-Cheng Huang]
2008-04-08  fix for bug 3127: look for an exact match to replace/delete.  [An-Cheng Huang]
2008-03-10  update from VPL1 to GPLv2  [Stephen Hemminger]
2008-03-10  Change to GPLv2  [Stephen Hemminger]
            VPL 1.0 is replaced with GPL in Glendale.
2008-02-29  fix a problem in the interaction between "firewall" and "interfaces".  [An-Cheng Huang]
2008-02-11  move common module to vyatta-cfg  [An-Cheng Huang]
2008-02-08  add address validation  [An-Cheng Huang]
2008-02-08  merge address range into address  [An-Cheng Huang]
2008-02-08  merge ports in show output  [An-Cheng Huang]