VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=T7065-pr-mirror-trigger-restrict 2025-01-06T11:05:22+00:00 2025-01-06T11:05:22+00:00 Christian Breunig christian@breunig.cc 2025-01-06T10:56:53+00:00 urn:sha1:dda428fc42c44decb3e661a7b6ba4e55b178dc4f VRF support was introduced in VyOS 1.4.0. If a VRF is added as an interface in the zone based firewall, it will be migrated to the new syntax. OLD: set firewall zone FOO interface RED set firewall zone FOO interface eth0 NEW: set firewall zone FOO member vrf RED set firewall zone FOO member interface eth0 2025-01-06T11:05:22+00:00 aapostoliuk a.apostoliuk@vyos.io 2024-12-17T11:39:49+00:00 urn:sha1:4a194b32509ffcd9574bb7571a5a6347f7dc4e42 Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs 2025-01-06T11:05:22+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-10-29T19:05:52+00:00 urn:sha1:df176d9b9b4cc67ae509ae2ff17a02f2520cc881 2024-07-29T15:05:21+00:00 Andrew Topp andrewt@telekinetica.net 2024-07-29T15:05:21+00:00 urn:sha1:3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8 This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached. 2024-07-28T11:47:07+00:00 talmakion andrewt@telekinetica.net 2024-07-28T11:47:07+00:00 urn:sha1:e2bf8812f73a75356f56274968be8859a2186d73 * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests 2024-07-03T13:05:35+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-07-03T12:53:56+00:00 urn:sha1:66ec278393dbabe71f320c543816f27797d51140 2024-06-26T20:38:41+00:00 John Estabrook jestabro@vyos.io 2024-06-20T01:16:05+00:00 urn:sha1:26740a8d583f64dc0a27b59dd4ae303056972c0b 2024-06-11T07:51:15+00:00 Christian Breunig christian@breunig.cc 2024-06-11T07:49:11+00:00 urn:sha1:2cbc4eb005fc936e37a34a1ef539d164f21f90b5 Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall") changed the position in the CLI for conntrack timeout. This lead to failing smoketests because of a regression in the migrator. 2024-06-04T13:22:24+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-05-24T16:44:41+00:00 urn:sha1:770edf016838523c248e3c8a36c5f327a0b98415 2024-04-15T14:15:14+00:00 Nicolas Fort nicolasfort1988@gmail.com 2024-04-15T14:15:14+00:00 urn:sha1:76dcecafca977b640dd16d8e68c4a050ca1af4fb