summaryrefslogtreecommitdiff
path: root/scripts/firewall
AgeCommit message (Collapse)Author
2011-05-03modify firewall groups to work with new commitnapa-devAn-Cheng Huang
2011-03-07more ipset 6.0 changeAn-Cheng Huang
2010-11-16Updated to change in error location api.Michael Larson
2010-10-30Fix 5247: Firewall groups CLI becomes out of sync with ipset when sets and ↵Stig Thormodsrud
deletes are contained within a single commit
2010-10-19add local hook setup/tear for filter table similar to in|out hooksMohit Mehta
2010-10-19use single variable to reference firewall IN and OUT hooksMohit Mehta
2010-10-15missing parenroot
2010-10-15additional errors w/ location of error.root
2010-10-11Use Sys::Syslog to avoid calling logger excessivelyStephen Hemminger
2010-10-01move chain_referenced function to Mgr.pm moduleMohit Mehta
2010-09-21* move count_iptables_rule to Iptables::Mgr and update it's usageMohit Mehta
2010-09-21* separate out post fw hooks for IN, FWD, OUT. Use count_iptables_rule from libMohit Mehta
2010-08-31Fix 6125: iptables errors on boot up of mendocinoStig Thormodsrud
Shorten chain from VYATTA_PRE_CT_PREROUTING_HOOK to VYATTA_CT_PREROUTING_HOOK
2010-06-12Dont tear down conntrack if the other table is using it.Stig Thormodsrud
2010-06-12Dont create FW_CONNTRACK if it already exists.Stig Thormodsrud
2010-06-11Add support for firewall enable-default-log.Stig Thormodsrud
2010-06-10Infrastruction needed for bug 5583.Stig Thormodsrud
2010-05-17Fix Bug 5588 Add ability to modify conntrack expectation table sizeMohit Mehta
* added 'firewall conntrack-expect-table-size' to modify expect table's size * added 'firewall conntrack-hash-size' to set hash size for conntrack table
2010-04-09Add VYATTA_PRE_DNAT_HOOK in nat PREROUTING table.Stig Thormodsrud
2010-03-18Fix firewall group parent delete while still referenced.Stig Thormodsrud
2010-03-17Fix 5453: can't delete "address" under "firewall group <> address-group <>"Stig Thormodsrud
2010-03-05Fix firewall conntrack teardown.Stig Thormodsrud
2010-02-15Fix 5227: firewall group config can get out of sync with ipsetStig Thormodsrud
2010-02-02Remove old Xorp templateStephen Hemminger
2009-09-22Bugfix 4951: Don't fail if IPv6 kernel module is not loaded.Bob Gilligan
Handle the case where the IPv6 kernel module is not loaded more gracefully.
2009-08-07* Fix Bug 3625 Firewall protocol option should have a selection for TCP and UDPMohit Mehta
added tcp_udp as a valid protocol value to match both tcp and udp in 1 rule
2009-07-31Another attempt to fix 4760.Stig Thormodsrud
(cherry picked from commit 4dadce6ebca29e6f6d7120a44541fd99034417f2)
2009-07-31Fix 4683: Firewall Rule number maximum 1024 reachedStig Thormodsrud
(cherry picked from commit 90fb731c3a846e9a951c6fd1c5f73082e2bcf93a)
2009-06-14Fix 4581: Firewall name issue causes failed commitStig Thormodsrud
2009-06-02Change firewall default-policy to default-action.Stig Thormodsrud
2009-05-27explicitly set conntrack table size to 16384 on system bootMohit Mehta
2009-05-11Add 'reject' as a configurable value for default-policyMohit Mehta
under name and ipv6-name rulesets
2009-05-08Fix Bug 4388 firewall name shouldn't have been set after commit failedMohit Mehta
* undo chain setup and refcnt work if chain rule failed during chain creation
2009-05-08Bugfix 4340: Enable net.netfilter.nf_conntrack_tcp_be_liberal by default.Bob Gilligan
The parameter in question loosens the "acceptability" check on TCP sequence and ACK numbers in the TCP conntrack module. This allows connection tracking to survive certain cases where packet loss would cause it to loose sync with the TCP endpoints.
2009-05-05* don't allow user to create a chain that exists in the system. This may beMohit Mehta
either vyatta/user defined chains or system chains such as INPUT, OUTPUT etc. * don't allow user to create chains with name starting from 'VZONE'. This is reserved for zone chains created by us.
2009-05-01* setup table only for specific tree, not both filter and mangleMohit Mehta
as we teardown table only for the tree that was in the CLI * remove 'next' statement for removed for loop * fix Bug 4244 - Committing firewall changes breaks WAN Load-balancing (WLB) we only delete chains that are configured under firewall and don't touch chains that might be owned by other features such as zone based firewall, WLB * remove unused code, code cleanup
2009-04-27outlaw applying firewall to an interface that is defined under a zoneMohit Mehta
2009-04-27Disable firewall debuging by default.Stig Thormodsrud
2009-04-24enable/disable conntrack separately for ipv4/ipv6Stig Thormodsrud
2009-04-24Move setup/teardown out from top-level firewall node.Stig Thormodsrud
Add refcnts to know when to teardown.
2009-04-13Add conntrack and post firewall hooks for IPv6.Bob Gilligan
2009-04-13Fix bug where an empty firewall rule deletes the default drop policy.Stig Thormodsrud
2009-04-13Move firewall "end" processing down to each table.Stig Thormodsrud
Fix bug for global enable/disable of conntrack.
2009-04-09Add ability for firename to select default policy.Stig Thormodsrud
2009-04-08Fix faulty search loop.Stig Thormodsrud
2009-04-07Apply interface firewalls to separate VYATTA_(IN|OUT)_HOOK.Stig Thormodsrud
This enforces in firewall to be processed before out firewall.
2009-03-27Revert "Allow user configurable default-policy on firewall."Stig Thormodsrud
Further test identified a problem. The patch is broken if a packet must do both an in & out filter. This reverts commit 754d0f4d855a59020afa20ad8867218708b5c978.
2009-03-27Allow user configurable default-policy on firewall.Stig Thormodsrud
2009-03-12Doing strict ES won't work for routerStephen Hemminger
Need a different kind of filter to fix 4061. (Not sure if it is even possible as firewall rule since it depends on quagga config rules).
2009-03-12Don't use -PStephen Hemminger
Changing default property of rules screws up other things
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-12 11:22:01 +0000