<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/firewall.py, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-07-01T19:51:21+00:00</updated>
<entry>
<title>firewall: T8761: re-introduce VRF interface names in generated firewall config</title>
<updated>2026-07-01T19:51:21+00:00</updated>
<author>
<name>David Vølker</name>
<email>david@voelker.dk</email>
</author>
<published>2026-06-01T06:09:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=0d3ac22b95cef90e7c54ef823c00bb59b935c158'/>
<id>urn:sha1:0d3ac22b95cef90e7c54ef823c00bb59b935c158</id>
<content type='text'>
This change re-implements the intended behaviour from T4180 aswell as from
T4506, it ensures that both the vrf-member interface aswell as the vrf itself
is added as an oifname -&gt; meaning that traffic traversing and originating from
withing VyOS is matches outbound.

Changes done by c-po:
* re-sort dependency list to keep diff low
* vyos.configdict.is_vrf_changed() should return early and not carry
  over the to-be return value
* keep common coding style (dict by . separation) in nftables-zone.j2

Co-authored-by: Christian Breunig &lt;christian@breunig.cc&gt;
</content>
</entry>
<entry>
<title>geoip: T5746: Add GeoIP ASN support</title>
<updated>2026-06-04T14:18:29+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-11-28T14:43:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=dffcc04dc143202b412a96ba60867d8509c57e1c'/>
<id>urn:sha1:dffcc04dc143202b412a96ba60867d8509c57e1c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>geoip: T8590: fix initialization failure and set clobbering on boot and commit</title>
<updated>2026-05-19T21:33:48+00:00</updated>
<author>
<name>xTITUSMAXIMUSX</name>
<email>chad@chadhigh.com</email>
</author>
<published>2026-05-01T01:43:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=a263b2b62e72b208fd330f9055aefca29640ff2b'/>
<id>urn:sha1:a263b2b62e72b208fd330f9055aefca29640ff2b</id>
<content type='text'>
Three related bugs prevented GeoIP nftables sets from being populated
correctly at boot and when incrementally modifying firewall or policy
route rules.

1. geoip_updated() always returned False

   The previous implementation called node_changed() and then searched
   the result with dict_search_recursive(changes, 'geoip').  This could
   never match: node_changed() is annotated `-&gt; list` and returns a flat
   list of the immediate top-level child names whose subtree changed
   (e.g. ['ipv4'] for the firewall path, or route names for policy
   route).  The 'geoip' key sits several levels deeper than those names,
   so dict_search_recursive — which only walks dicts and lists for a
   matching dict key — never yielded a hit, and geoip_updated() always
   returned False.  As a consequence, geoip_update() was never triggered
   by an incremental add or change of a GeoIP rule; the only path that
   ever populated /run/nftables-geoip.conf was the explicit \"update
   geoip\" command or the fallback when geoip_refresh() failed.

   Fix: bypass node_changed() and call get_config_diff() /
   get_child_nodes_diff() directly with expand_nodes=Diff.ADD|Diff.DELETE
   and recursive=True.  In that mode, the 'add' and 'delete' values in
   the returned dict are full nested subtrees of the config diff, so
   dict_search_recursive correctly finds 'geoip' wherever it appears in
   the change set.

2. GeoIP block executed unconditionally, breaking the boot sequence

   geoip_sets() always returns {'name': [], 'ipv6_name': []}.  A
   non-empty dict is truthy in Python regardless of whether its values
   are empty lists, so the guards \"if geoip_sets:\" and
   \"if 'name' in geoip_sets:\" were always True.

   On boot, when policy_route.py is invoked as a dependent of
   firewall.py (triggered by group_resync), it entered the GeoIP block
   even with no policy route GeoIP rules configured.  Because
   /run/nftables-geoip.conf did not yet exist, geoip_refresh() returned
   False and geoip_update(policy=policy) was called with an empty
   policy.  This created /run/nftables-geoip.conf containing only empty
   table stubs.  When firewall.py subsequently called geoip_refresh(),
   the file existed and nft loaded it successfully — so the
   geoip_update(firewall) call was never reached and the firewall GeoIP
   sets stayed empty for the entire uptime of the router.

   Fix: check the actual list contents instead of the container dict:
   if geoip_sets['name'] or geoip_sets['ipv6_name'].

3. geoip_update() clobbered the other caller's sets

   geoip_update() renders /run/nftables-geoip.conf from both
   firewall_sets and policy_sets in a single pass.  When called with
   only one argument (as firewall.py and policy_route.py each do), the
   other argument defaulted to None and that half of the file was
   rendered empty, erasing whatever the other script had written.  The
   geoip-update helper used by \"update geoip\" and the weekly cron was
   unaffected because it always passes both arguments, which masked
   this bug in normal manual operation.

   Fix: when either argument is absent, read the missing config from
   the live Config session before building the set tables, so every
   invocation writes the complete combined firewall + policy file.
</content>
</entry>
<entry>
<title>firewall: T8446: Prevent chain with offload rule on local zone</title>
<updated>2026-03-31T21:09:09+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2026-03-31T20:47:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=5d51856e5d350ba8d855c047cbc942fcf48b575c'/>
<id>urn:sha1:5d51856e5d350ba8d855c047cbc942fcf48b575c</id>
<content type='text'>
* Add warning when defining `offload-target` without setting action to `offload`
</content>
</entry>
<entry>
<title>geoip: T8049: Add MaxMind database support</title>
<updated>2026-01-21T10:52:29+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-11-06T10:14:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8a329ef98eb120cc91aac6f7da6cd61dbc1ab950'/>
<id>urn:sha1:8a329ef98eb120cc91aac6f7da6cd61dbc1ab950</id>
<content type='text'>
</content>
</entry>
<entry>
<title>geoip: T7926: Refactor geoip handling</title>
<updated>2026-01-21T10:52:29+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-10-02T15:47:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7f6f94370ec04ce48e7a19880a74ba0c25f7bfb5'/>
<id>urn:sha1:7f6f94370ec04ce48e7a19880a74ba0c25f7bfb5</id>
<content type='text'>
* Move core logic to separate vyos.geoip module
* Use a sqlite database for storing and querying address ranges by country
* Remove downloaded geoip ranges once loaded into sqlite db
* No longer rebuild geoip sets on each commit unless necessary
* Allows for extensibility using other geoip data vendors
</content>
</entry>
<entry>
<title>Merge pull request #4672 from apschultz/zone_default_firewall_ruleset</title>
<updated>2025-11-24T19:48:07+00:00</updated>
<author>
<name>Simon</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-11-24T19:48:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=fdda826b48688e253c30d3578ca5edd45b034ab0'/>
<id>urn:sha1:fdda826b48688e253c30d3578ca5edd45b034ab0</id>
<content type='text'>
firewall: T7739: Default ruleset for firewall zones</content>
</entry>
<entry>
<title>firewall: T7112: Default action drop fails</title>
<updated>2025-11-05T07:30:31+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-11-05T07:21:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=909780c13714bcba488467165494af84bc7262cf'/>
<id>urn:sha1:909780c13714bcba488467165494af84bc7262cf</id>
<content type='text'>
Prevent `KeyError` by safely handling missing 'member' dict in zone config.
Add smoketest to verify commit fails gracefully when zone has no interfaces.
</content>
</entry>
<entry>
<title>firewall: T7739: Default ruleset for firewall zones</title>
<updated>2025-10-21T23:46:37+00:00</updated>
<author>
<name>Adam Schultz</name>
<email>adam.schultz@live.com</email>
</author>
<published>2025-08-17T02:29:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cc5895fe61f938189e229dffb7746fc93aac0f3b'/>
<id>urn:sha1:cc5895fe61f938189e229dffb7746fc93aac0f3b</id>
<content type='text'>
In large networks with many zones where simple allow/deny rules are not sufficient,
zones become tedious to manage. Many use cases can be simplified by providing an
ability to define a default ruleset for traffic from other zones. This change proposes
adding the follwing syntax:
   set firewall zone &lt;name&gt; default_firewall name &lt;name&gt;
   set firewall zone &lt;name&gt; default_firewall ipv6_name &lt;name&gt;

The proposed behavior is the following:
   local in:
      The default firewall ruleset for the local zone will be appended after all
      from configurations.
   local out:
      If a non-local zone does not have a from local ruleset but does have a
      default_firewall ruleset, the default_firewall ruleset will be appended using
      oifname
   forward:
      The default firewall ruleset for the zone will be appended after all from
      configurations

To keep the behavior consistent with from ruleset configurations, a return is appended
after the default_firewall ruleset.

The proposed behavior differs slightly from the default_policy configuration for the
local out chains. The default_policy applied in the out templates comes from the local
zone, not the actual outbound zone. The proposed change does not amend this, but does
make default_firewall logically consistent with the intent of the out rules.
</content>
</entry>
<entry>
<title>Firewall: T7475: Disable conntrack per firewall chain</title>
<updated>2025-09-05T20:37:19+00:00</updated>
<author>
<name>l0crian1</name>
<email>ryan.claridge13@gmail.com</email>
</author>
<published>2025-09-05T20:37:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=6611627f6a73af912082dc79c3039e6c492a6cc6'/>
<id>urn:sha1:6611627f6a73af912082dc79c3039e6c492a6cc6</id>
<content type='text'>
- Added command to disable conntrack per firewall chain
- Added test_disable_conntrack_per_chain function to smoketest
</content>
</entry>
</feed>
