vyos-1x.git/data/templates/firewall, branch current

vyos-1x.git/data/templates/firewall, branch current VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=current 2025-06-26T14:23:13+00:00 vrf: T7544: Ensure correct quoting for VRF ifnames in nftables 2025-06-26T14:23:13+00:00 Andrew Topp andrewt@telekinetica.net 2025-06-26T14:23:13+00:00 urn:sha1:c741a290261eb53d5f9ca4849109f19ced8fda9f * For VRF create/delete: * Simple dquoting, as before, was parsed away by the shell * Just escaping the double quotes could cause issues with the shell mangling VRF names (however unlikely) * Wrapping original quotes in shell-escaped single quotes is a quick & easy way to guard against both improper shell parsing and string names being taken as nft keywords. * Firewall configuration: * Firewall "interface name" rules support VRF ifnames and used them unquoted, fixed for nft_rule template tags (parse_rule) * Went through and quoted all iif/oifname usage by zones and interface groups. VRF ifnames weren't available for all cases, but there is no harm in completeness. * For this, also created a simple quoted_join template filter to replace any use of |join(',') * PBR calls nft but doesn't mind the "vni" name - table IDs used instead I may have missed some niche nft use-cases that would be exposed to this problem. firewall: T6951: Add a configuration command for ethertypes that bridge firewalls should always accept 2025-06-17T15:16:51+00:00 Nataliia Solomko natalirs1985@gmail.com 2025-06-13T09:20:40+00:00 urn:sha1:8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f T7523: firewall: Accepting invalid traffic for pppoe discovery and wol 2025-06-05T04:25:21+00:00 opswill will@nixops.org 2025-06-05T04:04:10+00:00 urn:sha1:bfdba4079b0a76a8c578277adae3f36add832b41 T7512: firewall: Modify accepting invalid traffic for VLAN aware bridge 2025-06-02T04:52:08+00:00 Indrajit Raychaudhuri irc@indrajit.com 2025-06-02T04:32:13+00:00 urn:sha1:b47adae7a3e963bfca3b775f4b84d5121907c76d Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges. T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in remote groups 2025-05-07T14:55:00+00:00 Mark Hayes mark.hayes0338@gmail.com 2025-04-25T15:10:07+00:00 urn:sha1:02c63e7ded23ea90d55638f768ff943671c2c574 Merge pull request #4457 from l0crian1/t7358-add-offload-to-global-state 2025-04-25T15:34:30+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2025-04-25T15:34:30+00:00 urn:sha1:df2e9cbc2cbe04a6de0eedfe9154afc87bd3d45d firewall: T7358: add offload option to global state policy firewall: T7358: add offload option to global state policy 2025-04-18T14:26:18+00:00 l0crian1 ryan.claridge13@gmail.com 2025-04-18T14:26:18+00:00 urn:sha1:12ba00ecdd2927207106f709a3ba2b23448a5997 - fixed CI smoketest failures (again) firewall: T7358: add offload option to global state policy 2025-04-18T14:16:59+00:00 l0crian1 ryan.claridge13@gmail.com 2025-04-18T14:16:59+00:00 urn:sha1:76c4fcbad8698f277b2b5ed859edb068359af463 - Fixed CI smoketest failures firewall: T7358: add offload option to global state policy 2025-04-16T18:49:44+00:00 l0crian1 ryan.claridge13@gmail.com 2025-04-16T16:31:34+00:00 urn:sha1:382c6fc6ffe76d7ce418018f69902572701215a3 Since the jump to the global state chain is inserted before all rules, it wasn't possible to use offload with the global state policies This commit adds a new chain for offloaded traffic in the forward chain and jumps to that chain. Please enter the commit message for your changes. Lines starting geoip: T5636: Add geoip for policy route/route6 2025-03-28T07:47:24+00:00 sskaje sskaje@gmail.com 2025-03-28T07:47:24+00:00 urn:sha1:795154d9009b669f8858ed983c6b7486aaee1125