vyatta-cfg-firewall.git - Configuration templates and scripts for the firewall subsystem. (mirror of https://github.com/vyos/vyatta-cfg-firewall.git)

Age	Commit message (Collapse)	Author
2012-06-06	create nfct helper policies and prepare VYATTA_CT_HELPER chain	Gaurav Sinha

2012-06-06	Merge branch 'user_space_helpers' into pacifica	Gaurav Sinha

2012-05-14	don't add CTHELPER chain by default on boot. add when needed.	Gaurav Sinha

2012-04-30	service names with hyphen need to be escaped using square brackets.	Gaurav Sinha

2012-04-16	create CT_HELPER chain in PREROUTING and OUTPUT	Gaurav Sinha

2012-04-16	fixing 7998	Gaurav Sinha

2012-03-23	include CT_TIMEOUT chain for conntrack timeouts.	Gaurav

2012-02-29	7047:use DEFLT instead of default	Gaurav

2012-02-29	fixing 7047	Gaurav

2011-12-27	Create VRRP output filter to filter IGMP from vmac interfaces	John Southworth

2011-12-12	Setup filter for VRRP vmac interfaces	John Southworth

2011-12-01	Bug 6063 ENH: Provide option(s) to globally allow stateful return traffic	Mohit Mehta
	* add code to set global policy for established, related, invalid states
2011-08-29	Fix Bug 7477 firewall group negation doesn't work in vc6.3	Stig
	* use Ipset.pm method rather than CLI path to validate group name when using group as a match condition in a firewall ruleset
2011-07-15	Fix Bug 7340 Unable to apply modify firewall to interface when zone policy ↵	Mohit Mehta
	exists * change commit check to only check if the interface being applied firewall ruleset is in a zone if only the ruleset type is either name\|ipv6-name. Thus, ignoring the check when modify rule-set is being applied to an interface (cherry picked from commit 8b2b85a129d3cf23565efe7b0ee15871ebff15c0)
2011-05-20	add "two-stage commit" equivalent to previous fix for bug 5227.	An-Cheng Huang

2011-05-03	modify firewall groups to work with new commitnapa-dev	An-Cheng Huang

2011-03-07	more ipset 6.0 change	An-Cheng Huang

2010-11-16	Updated to change in error location api.	Michael Larson

2010-10-30	Fix 5247: Firewall groups CLI becomes out of sync with ipset when sets and ↵	Stig Thormodsrud
	deletes are contained within a single commit
2010-10-19	add local hook setup/tear for filter table similar to in\|out hooks	Mohit Mehta

2010-10-19	use single variable to reference firewall IN and OUT hooks	Mohit Mehta

2010-10-15	missing paren	root

2010-10-15	additional errors w/ location of error.	root

2010-10-11	Use Sys::Syslog to avoid calling logger excessively	Stephen Hemminger

2010-10-01	move chain_referenced function to Mgr.pm module	Mohit Mehta

2010-09-21	* move count_iptables_rule to Iptables::Mgr and update it's usage	Mohit Mehta

2010-09-21	* separate out post fw hooks for IN, FWD, OUT. Use count_iptables_rule from lib	Mohit Mehta

2010-08-31	Fix 6125: iptables errors on boot up of mendocino	Stig Thormodsrud
	Shorten chain from VYATTA_PRE_CT_PREROUTING_HOOK to VYATTA_CT_PREROUTING_HOOK
2010-06-12	Dont tear down conntrack if the other table is using it.	Stig Thormodsrud

2010-06-12	Dont create FW_CONNTRACK if it already exists.	Stig Thormodsrud

2010-06-11	Add support for firewall enable-default-log.	Stig Thormodsrud

2010-06-10	Infrastruction needed for bug 5583.	Stig Thormodsrud

2010-05-17	Fix Bug 5588 Add ability to modify conntrack expectation table size	Mohit Mehta
	* added 'firewall conntrack-expect-table-size' to modify expect table's size * added 'firewall conntrack-hash-size' to set hash size for conntrack table
2010-04-09	Add VYATTA_PRE_DNAT_HOOK in nat PREROUTING table.	Stig Thormodsrud

2010-03-18	Fix firewall group parent delete while still referenced.	Stig Thormodsrud

2010-03-17	Fix 5453: can't delete "address" under "firewall group <> address-group <>"	Stig Thormodsrud

2010-03-05	Fix firewall conntrack teardown.	Stig Thormodsrud

2010-02-15	Fix 5227: firewall group config can get out of sync with ipset	Stig Thormodsrud

2010-02-02	Remove old Xorp template	Stephen Hemminger

2009-09-22	Bugfix 4951: Don't fail if IPv6 kernel module is not loaded.	Bob Gilligan
	Handle the case where the IPv6 kernel module is not loaded more gracefully.
2009-08-07	* Fix Bug 3625 Firewall protocol option should have a selection for TCP and UDP	Mohit Mehta
	added tcp_udp as a valid protocol value to match both tcp and udp in 1 rule
2009-07-31	Another attempt to fix 4760.	Stig Thormodsrud
	(cherry picked from commit 4dadce6ebca29e6f6d7120a44541fd99034417f2)
2009-07-31	Fix 4683: Firewall Rule number maximum 1024 reached	Stig Thormodsrud
	(cherry picked from commit 90fb731c3a846e9a951c6fd1c5f73082e2bcf93a)
2009-06-14	Fix 4581: Firewall name issue causes failed commit	Stig Thormodsrud

2009-06-02	Change firewall default-policy to default-action.	Stig Thormodsrud

2009-05-27	explicitly set conntrack table size to 16384 on system boot	Mohit Mehta

2009-05-11	Add 'reject' as a configurable value for default-policy	Mohit Mehta
	under name and ipv6-name rulesets
2009-05-08	Fix Bug 4388 firewall name shouldn't have been set after commit failed	Mohit Mehta
	* undo chain setup and refcnt work if chain rule failed during chain creation
2009-05-08	Bugfix 4340: Enable net.netfilter.nf_conntrack_tcp_be_liberal by default.	Bob Gilligan
	The parameter in question loosens the "acceptability" check on TCP sequence and ACK numbers in the TCP conntrack module. This allows connection tracking to survive certain cases where packet loss would cause it to loose sync with the TCP endpoints.
2009-05-05	* don't allow user to create a chain that exists in the system. This may be	Mohit Mehta
	either vyatta/user defined chains or system chains such as INPUT, OUTPUT etc. * don't allow user to create chains with name starting from 'VZONE'. This is reserved for zone chains created by us.