Age | Commit message | Author
---|---|---
2009-06-14 | Fix 4581: Firewall name issue causes failed commit | Stig Thormodsrud
2009-06-02 | Change firewall default-policy to default-action. | Stig Thormodsrud
2009-05-27 | explicitly set conntrack table size to 16384 on system boot | Mohit Mehta
2009-05-11 | Add 'reject' as a configurable value for default-policy under name and ipv6-name rulesets | Mohit Mehta
2009-05-08 | Fix Bug 4388 firewall name shouldn't have been set after commit failed<br>* undo chain setup and refcnt work if chain rule failed during chain creation | Mohit Mehta
2009-05-08 | Bugfix 4340: Enable net.netfilter.nf_conntrack_tcp_be_liberal by default.<br>The parameter in question loosens the "acceptability" check on TCP sequence and ACK numbers in the TCP conntrack module. This allows connection tracking to survive certain cases where packet loss would cause it to lose sync with the TCP endpoints. | Bob Gilligan
2009-05-05 | * don't allow user to create a chain that exists in the system. This may be either vyatta/user defined chains or system chains such as INPUT, OUTPUT etc.<br>* don't allow user to create chains with name starting from 'VZONE'. This is reserved for zone chains created by us. | Mohit Mehta
2009-05-01 | * setup table only for specific tree, not both filter and mangle as we teardown table only for the tree that was in the CLI<br>* remove 'next' statement for removed for loop<br>* fix Bug 4244 - Committing firewall changes breaks WAN Load-balancing (WLB) we only delete chains that are configured under firewall and don't touch chains that might be owned by other features such as zone based firewall, WLB<br>* remove unused code, code cleanup | Mohit Mehta
2009-04-27 | outlaw applying firewall to an interface that is defined under a zone | Mohit Mehta
2009-04-27 | Disable firewall debugging by default. | Stig Thormodsrud
2009-04-24 | enable/disable conntrack separately for ipv4/ipv6 | Stig Thormodsrud
2009-04-24 | Move setup/teardown out from top-level firewall node.<br>Add refcnts to know when to teardown. | Stig Thormodsrud
2009-04-13 | Add conntrack and post firewall hooks for IPv6. | Bob Gilligan
2009-04-13 | Fix bug where an empty firewall rule deletes the default drop policy. | Stig Thormodsrud
2009-04-13 | Move firewall "end" processing down to each table.<br>Fix bug for global enable/disable of conntrack. | Stig Thormodsrud
2009-04-09 | Add ability for firename to select default policy. | Stig Thormodsrud
2009-04-08 | Fix faulty search loop. | Stig Thormodsrud
2009-04-07 | Apply interface firewalls to separate VYATTA_(IN\|OUT)_HOOK.<br>This enforces in firewall to be processed before out firewall. | Stig Thormodsrud
2009-03-27 | Revert "Allow user configurable default-policy on firewall."<br>Further test identified a problem. The patch is broken if a packet must do both an in & out filter. This reverts commit 754d0f4d855a59020afa20ad8867218708b5c978. | Stig Thormodsrud
2009-03-27 | Allow user configurable default-policy on firewall. | Stig Thormodsrud
2009-03-12 | Doing strict ES won't work for router<br>Need a different kind of filter to fix 4061. (Not sure if it is even possible as firewall rule since it depends on quagga config rules). | Stephen Hemminger
2009-03-12 | Don't use -P<br>Changing default property of rules screws up other things | Stephen Hemminger
2009-03-12 | Enable strict host matching<br>Bug 4061 Host (INPUT) chain will only accept packets where destination address matches address on incoming interface. | Stephen Hemminger
2009-03-04 | Don't attempt to delete ruleset from "other" trees<br>When a ruleset was being applied to an interface, the code previously attempted to find out if that ruleset name was being applied to that same interface and in the same direction, but under a different "tree" name (e.g. "name", "ipv6-name", "modify", etc.). If it found a match, it would delete the other rule. But the matching logic was insufficient, so it killed off some random other rule instead. There is really no need to perform this check anyway, so I have removed it. | Bob Gilligan
2009-02-24 | Allow IPv6 firewall rulesets to be configured on an interface independent of IPv4.<br>Replaced the hand-coded config templates under each type of interface with script-generated templates. This should be easier to maintain as we add new types of interfaces. Added sub-trees for "modify", "ipv6-name" and "ipv6-modify" under "in", "out" and "local" for all interfaces. Added command-completion for ruleset names being configured on an interface. | Bob Gilligan
2009-02-15 | Add support for ranges in firewall group address & port. | Stig Thormodsrud
2009-02-13 | Add description and references to "show firewall group". | Stig Thormodsrud
2009-02-13 | Add show-set to display all sets. | Stig Thormodsrud
2009-02-13 | Add support for "show firewall group". | Stig Thormodsrud
2009-02-09 | Add back parameter that was dropped when converting to use run_cmd(). | Stig Thormodsrud
2009-02-06 | Add carriage return to error message. | Stig Thormodsrud
2009-02-06 | Add validation of group type. | Stig Thormodsrud
2009-02-04 | Delete commented out code. | Stig Thormodsrud
2009-02-03 | Turn on strict checking and fix warnings<br>Turn on strict checking and fix the resulting errors. Get rid of perlcritic warnings. | Stephen Hemminger
2009-02-02 | Add 1st pass of firewall group support (ipset netfilter module integration). | Stig Thormodsrud
2009-01-29 | Use iptables comment to identify CLI rule numbers in iptables output | Mohit Mehta
2009-01-23 | Bugfix 4062: Don't reference parameters outside the config tree.<br>The AddressFilter module was reaching up the config tree to find a config parameter that was used to determine whether the address type was IPv4 or IPv6. This breaks when the functions are called from some locations in the config tree. I added explicit function calls to allow the caller to set the IP version, obviating the need to reference a config parameter to determine the IP version. | Bob Gilligan
2009-01-21 | Initial support for IPv6. | Bob Gilligan
2008-12-03 | fix for perl module reorganization | An-Cheng Huang
2008-11-24 | Convert VyattaConfig to Vyatta::Config | Stephen Hemminger
2008-11-21 | Rename VyattaIpTablesRule to Vyatta::IpTables::Rule | Stephen Hemminger
2008-08-21 | fix for bug 3622: add pre-SNAT hook | An-Cheng Huang
2008-08-21 | fix for bug 3604: add fragment matching options | An-Cheng Huang
2008-08-07 | fix conntrack enabling mechanism | An-Cheng Huang
2008-08-07 | fix for bug 2224: add "recent" matching | An-Cheng Huang
2008-06-04 | rename "mangle" to "modify" | An-Cheng Huang
2008-05-19 | allow firewall rule to match inbound IPsec packets. | An-Cheng Huang
2008-05-13 | add "inspect" action (maps to QUEUE) so "custom" traffic-filter for IPS can be defined in "firewall". | An-Cheng Huang
2008-05-09 | add mangle table support to firewall configuration. initial implementation allows MARK and DSCP jump targets. | An-Cheng Huang
2008-04-21 | Merge branch 'glendale' into hollywood | rbalocca