vyos-1x.git/data/templates/firewall, branch circinus-temp-bot-test

vyos-1x.git/data/templates/firewall, branch circinus-temp-bot-test VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=circinus-temp-bot-test 2024-06-06T15:19:01+00:00 Merge pull request #3578 from nicolas-fort/raw-hook 2024-06-06T15:19:01+00:00 Daniil Baturin daniil@vyos.io 2024-06-06T15:19:01+00:00 urn:sha1:85da43aa26470e0657ba68437a297ed11045d132 T3900: Add support for raw tables in firewall T3900: T6394: extend functionalities in firewall; move netfilter sysctl timeout parameters defined in conntrack to firewall global-opton section. 2024-06-04T13:22:24+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-05-24T16:44:41+00:00 urn:sha1:770edf016838523c248e3c8a36c5f327a0b98415 T3900: add support for raw table in firewall. 2024-05-15T17:09:16+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-05-15T17:09:16+00:00 urn:sha1:6871c5541c1962e63d7a9b75d2bb43df2a8d372b T3420: Remove service upnp 2024-05-14T16:47:29+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2024-05-14T16:47:29+00:00 urn:sha1:7c438caa2c21101cbefc2eec21935ab55af19c46 Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation. T5169: Add PoC for generating CGNAT rules rfc6888 2024-04-09T15:36:43+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2024-04-07T14:15:36+00:00 urn:sha1:6f9e6159be265ca91f873576d15ccbbc061fed8d Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ``` upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLs 2024-02-01T20:24:26+00:00 Chris Buechler cbuechler@gmail.com 2024-02-01T20:24:26+00:00 urn:sha1:0307801b8928bbaaa20caf5bd10b928bae459490 Merge pull request #2756 from nicolas-fort/T4839 2024-02-01T20:21:54+00:00 Christian Breunig christian@breunig.cc 2024-02-01T20:21:54+00:00 urn:sha1:8a4017d91d5022cfca294a0873e937c39899c094 T4839: firewall: Add dynamic address group in firewall configuration T4839: firewall: Add dynamic address group in firewall configuration, and appropiate commands to populate such groups using source and destination address of the packet. 2024-01-25T12:35:46+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-01-05T12:13:17+00:00 urn:sha1:6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122 vrf: T5973: move initial conntrack firewall table to startup 2024-01-22T19:48:44+00:00 Christian Breunig christian@breunig.cc 2024-01-22T19:48:44+00:00 urn:sha1:89f0d347bfe5e468355817a617dc71823a58c284 There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code. T5922: firewall: fix intra-zone filtering parsing rules; update firewall smoketest 2024-01-12T13:52:26+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-01-12T13:52:26+00:00 urn:sha1:5c4c873f9c36459bc7bad73208450ee802440929