<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/interface-definitions/include/firewall/common-rule-inet.xml.i, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2024-08-04T07:52:57+00:00</updated>
<entry>
<title>firewall: T4694: Adding GRE flags &amp; fields matches to firewall rules</title>
<updated>2024-08-04T07:52:57+00:00</updated>
<author>
<name>Andrew Topp</name>
<email>andrewt@telekinetica.net</email>
</author>
<published>2024-08-04T07:52:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=60b0614296874c144665417130d4881461114db0'/>
<id>urn:sha1:60b0614296874c144665417130d4881461114db0</id>
<content type='text'>
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
  this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
  to match individual tunnel sessions (more detail in the forum post)
  * nft expression syntax is not flexible enough for multiple field
    matches in a single rule and the key offset changes depending on flags.
  * Thus, clumsy compromise in requiring an explicit match on the "checksum"
    flag if a key is present, so we know where key will be. In most cases,
    nobody uses the checksum, but assuming it to be off or automatically
    adding a "not checksum" match unless told otherwise would be confusing
  * The automatic "flags key" check when specifying a key doesn't have similar
    validation, I added it first and it makes sense. I would still like
    to find a workaround to the "checksum" offset problem.
  * If we could add 2 rules from 1 config definition, we could match
    both cases with appropriate offsets, but this would break existing
    FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
</content>
</entry>
<entry>
<title>firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)</title>
<updated>2024-07-28T11:47:07+00:00</updated>
<author>
<name>talmakion</name>
<email>andrewt@telekinetica.net</email>
</author>
<published>2024-07-28T11:47:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e2bf8812f73a75356f56274968be8859a2186d73'/>
<id>urn:sha1:e2bf8812f73a75356f56274968be8859a2186d73</id>
<content type='text'>
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
   fw rules
 * Add ipsec match-ipsec-out and match-none-out
 * Change all the points where the match-ipsec.xml.i include was used
   before, making sure the new includes (match-ipsec-in/out.xml.i) are
   used appropriately. There were a handful of spots where match-ipsec.xml.i
   had snuck back in for output hooked chains already
   (the common-rule-* includes)
 * Add the -out generators to rendered templates
 * Heavy modification to firewall config validators:
   * I needed to check for ipsec-in matches no matter how deeply nested
     under an output-hook chain(via jump-target) - this always generates
     an error.
   * Ended up retrofitting the jump-targets validator from root chains
     and for named custom chains. It checks for recursive loops and improper
     IPsec matches.
 * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
   smoketests</content>
</entry>
<entry>
<title>T3900: add support for raw table in firewall.</title>
<updated>2024-05-15T17:09:16+00:00</updated>
<author>
<name>Nicolas Fort</name>
<email>nicolasfort1988@gmail.com</email>
</author>
<published>2024-05-15T17:09:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6871c5541c1962e63d7a9b75d2bb43df2a8d372b'/>
<id>urn:sha1:6871c5541c1962e63d7a9b75d2bb43df2a8d372b</id>
<content type='text'>
</content>
</entry>
<entry>
<title>xml: T5738: use generic-disable-node building block for "disable" CLI nodes</title>
<updated>2024-03-05T19:20:27+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-03-05T19:20:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=21b0bf0168697fdbe514ae49a4a28b39a91ec777'/>
<id>urn:sha1:21b0bf0168697fdbe514ae49a4a28b39a91ec777</id>
<content type='text'>
Make the code more uniform and maintainable.
</content>
</entry>
<entry>
<title>T5977: firewall: remove ipsec options in output chain rule definitions, since it's not supported.</title>
<updated>2024-01-23T18:43:34+00:00</updated>
<author>
<name>Nicolas Fort</name>
<email>nicolasfort1988@gmail.com</email>
</author>
<published>2024-01-23T18:43:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9d490ecf616eb9d019beee37a3802705c4109d9d'/>
<id>urn:sha1:9d490ecf616eb9d019beee37a3802705c4109d9d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>firewall: T5834: Improve log message and simplify log-option include</title>
<updated>2023-12-27T03:49:51+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2023-12-22T23:22:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=53a48f499ae9bcc2f657136bb7779b38aad1c242'/>
<id>urn:sha1:53a48f499ae9bcc2f657136bb7779b38aad1c242</id>
<content type='text'>
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
</content>
</entry>
<entry>
<title>T5729: firewall: switch to valueless in order to remove unnecessary &lt;enable|disable&gt; commands; log and state moved to new syntax.</title>
<updated>2023-11-10T19:26:35+00:00</updated>
<author>
<name>Nicolas Fort</name>
<email>nicolasfort1988@gmail.com</email>
</author>
<published>2023-11-10T19:26:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=c4409d6a4e11bf2acc7b5b96888e2c471c4559e5'/>
<id>urn:sha1:c4409d6a4e11bf2acc7b5b96888e2c471c4559e5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T5616: firewall: add option to be able to match firewall marks in firewall filter and in policy route.</title>
<updated>2023-09-29T11:15:59+00:00</updated>
<author>
<name>Nicolas Fort</name>
<email>nicolasfort1988@gmail.com</email>
</author>
<published>2023-09-27T17:41:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2ae3de0848dee0f3da28727fc30e2beeecd412e1'/>
<id>urn:sha1:2ae3de0848dee0f3da28727fc30e2beeecd412e1</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge pull request #2295 from sever-sever/T5217-synproxy</title>
<updated>2023-09-28T15:02:33+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-09-28T15:02:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=852e9c3328e61f5d0b92a9efca376aec94533f2b'/>
<id>urn:sha1:852e9c3328e61f5d0b92a9efca376aec94533f2b</id>
<content type='text'>
T5217: Add firewall synproxy</content>
</entry>
<entry>
<title>firewall: T5614: Add support for matching on conntrack helper</title>
<updated>2023-09-24T14:44:32+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2023-09-24T12:38:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=81dee963a9ca3224ddbd54767a36efae5851a001'/>
<id>urn:sha1:81dee963a9ca3224ddbd54767a36efae5851a001</id>
<content type='text'>
</content>
</entry>
</feed>
