-rwxr-xr-x[-rw-r--r--]op-mode-definitions/firewall.xml.in220
-rwxr-xr-x[-rw-r--r--]op-mode-definitions/show-log.xml.in125
-rwxr-xr-xsrc/activation-scripts/20-ethernet_offload.py13
3 files changed, 353 insertions, 5 deletions
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in
index b6ce5bae2..82e6c8668 100644..100755
--- a/op-mode-definitions/firewall.xml.in
+++ b/op-mode-definitions/firewall.xml.in
@@ -98,6 +98,138 @@
</node>
</children>
</node>
+ <node name="input">
+ <properties>
+ <help>Show bridge input firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge input filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge input filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge input filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge input filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge input filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge input filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show bridge output firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge output filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge output filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge output filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge output filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge output filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge output filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
+ <node name="prerouting">
+ <properties>
+ <help>Show bridge prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show bridge prerouting filter firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of bridge prerouting filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of bridge prerouting filter firewall rules</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of specific bridge prerouting filter firewall rule</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show bridge custom firewall chains</help>
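Review bot: The rule number typed by the operator reaches a root process unquoted: in the `<command>` lines of each new `rule` tagNode, `--rule $7` (and `--detail $8` on its child leaf) is substituted into a `sudo ${vyos_op_scripts_dir}/firewall.py` invocation while the tagNode carries only a `completionHelp` and no value validator, so a value containing whitespace, quotes or glob characters is word-split and pathname-expanded by the shell before firewall.py parses its arguments. Quoting the positionals, `--rule "$7" --detail "$8"`, keeps whatever was typed as a single argument; if the op-mode runner already sanitises tokens this is belt-and-braces, but it costs nothing and matches how the value is meant to be used. The `<completionHelp>` blocks attached to the valueless `detail` leaves (path `firewall bridge input filter detail`, repeated for output and prerouting) are inert for a leaf that takes no value and read as copy-paste residue; the IPv4/IPv6 hunks below use `... rule detail` for the same leaf, so the three families are not even consistent with each other. The same pattern recurs in the output and prerouting nodes of this hunk.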
@@ -278,6 +410,50 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show IPv6 prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show IPv6 prerouting raw firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv6 prerouting raw firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv6 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv6 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show IPv6 custom firewall chains</help>
@@ -458,6 +634,50 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show IPv4 prerouting firewall ruleset</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show IPv4 prerouting raw firewall ruleset</help>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv4 prerouting raw firewall ruleset</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --detail $6</command>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>Show summary of IPv4 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="detail">
+ <properties>
+ <help>Show list view of IPv4 prerouting raw firewall rules</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule detail</path>
+ </completionHelp>
+ </properties>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7 --detail $8</command>
+ </leafNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5 --rule $7</command>
+ </tagNode>
+ </children>
+ <command>sudo ${vyos_op_scripts_dir}/firewall.py --action show --family $3 --hook $4 --priority $5</command>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show IPv4 custom firewall chains</help>
diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in
index f0fad63d2..c2504686d 100644..100755
--- a/op-mode-definitions/show-log.xml.in
+++ b/op-mode-definitions/show-log.xml.in
@@ -172,6 +172,81 @@
</node>
</children>
</node>
+ <node name="input">
+ <properties>
+ <help>Show Bridge input firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-INP</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall input filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-INP-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge input filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-INP-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="output">
+ <properties>
+ <help>Show Bridge output firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-OUT</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall output filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-OUT-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge output filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-OUT-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="prerouting">
+ <properties>
+ <help>Show Bridge prerouting firewall log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-PRE</command>
+ <children>
+ <node name="filter">
+ <properties>
+ <help>Show Bridge firewall prerouting filter</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep bri-PRE-filter</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall bridge prerouting filter rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[bri-PRE-filter-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
<tagNode name="name">
<properties>
<help>Show custom Bridge firewall log</help>
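Review bot: `egrep` is obsolescent: GNU grep 3.8 and later prints `egrep: warning: egrep is obsolescent; using grep -E` on stderr every time the per-rule `<command>` in the new `rule` tagNodes runs, so those three commands should read `journalctl --no-hostname --boot -k | grep -E "\[bri-INP-filter-$8-[ADRJC]\]"` (and likewise for `bri-OUT-filter` and `bri-PRE-filter`). The rule value `$8` is also spliced into the regular expression with no validation or escaping: the tagNode only has a `completionHelp`, so a typed value such as `.*` silently widens the match to every rule of the chain and a value with unbalanced regex metacharacters makes grep exit with an error instead of a clear message; since rule numbers are numeric, rejecting non-digit input before the grep (or matching the expanded `[bri-INP-filter-$8-` prefix with `grep -F`) would pin the match to one rule. These are show-only commands without `sudo`, so the exposure is mis-scoped output rather than privilege, and the pre-existing hooks in this file appear to use the same idiom — worth fixing here and then aligning the older nodes.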
@@ -295,6 +370,31 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show firewall IPv4 prerouting log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv4-PRE</command>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show firewall IPv4 prerouting raw log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv4-PRE-raw</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall ipv4 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[ipv4-PRE-raw-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
</children>
</node>
<node name="ipv6">
@@ -398,6 +498,31 @@
</node>
</children>
</node>
+ <node name="prerouting">
+ <properties>
+ <help>Show firewall IPv6 prerouting log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv6-PRE</command>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>Show firewall IPv6 prerouting raw log</help>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | grep ipv6-PRE-raw</command>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Show log for a rule in the specified firewall</help>
+ <completionHelp>
+ <path>firewall ipv6 prerouting raw rule</path>
+ </completionHelp>
+ </properties>
+ <command>journalctl --no-hostname --boot -k | egrep "\[ipv6-PRE-raw-$8-[ADRJC]\]"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
</children>
</node>
</children>
diff --git a/src/activation-scripts/20-ethernet_offload.py b/src/activation-scripts/20-ethernet_offload.py
index 33b0ea469..ca7213512 100755
--- a/src/activation-scripts/20-ethernet_offload.py
+++ b/src/activation-scripts/20-ethernet_offload.py
@@ -17,9 +17,12 @@
# CLI. See https://vyos.dev/T3619#102254 for all the details.
# T3787: Remove deprecated UDP fragmentation offloading option
# T6006: add to activation-scripts: migration-scripts/interfaces/20-to-21
+# T6716: Honor the configured offload settings and don't automatically add
+# them to the config if the kernel has them set (unless its a live boot)
from vyos.ethtool import Ethtool
from vyos.configtree import ConfigTree
+from vyos.system.image import is_live_boot
def activate(config: ConfigTree):
base = ['interfaces', 'ethernet']
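Review bot: `is_live_boot()` is now evaluated once per interface per offload feature inside the loop that `activate` runs (the five `elif is_live_boot() and enabled and not fixed:` branches in the hunks below), even though whether the system booted from live media cannot change while the migration executes. Evaluate it once at the top of the function, e.g. `live_boot = is_live_boot()` immediately after `base = ['interfaces', 'ethernet']`, and test `live_boot` in each branch; that states the intent in one place and means any failure of `is_live_boot()` surfaces once rather than at a different point for each interface. `activate`'s body continues past this hunk.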
@@ -36,7 +39,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_generic_receive_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'gro'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'gro'])
# If GSO is enabled by the Kernel - we reflect this on the CLI. If GSO is
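Review bot: The explanatory comments that precede each offload check are now misleading: `# If GSO is enabled by the Kernel - we reflect this on the CLI. If GSO is` (the context line closing this hunk, with matching LRO/SG/TSO comments in the hunks below) still promises that a kernel-enabled feature is mirrored into the config, but after this change that happens only on a live boot, and on an installed system the configured value is honored as the T6716 header note says. Reword each to something like `# On a live boot only: if GSO is enabled by the kernel, reflect it on the CLI. Otherwise the configured setting is honored; a fixed (non-toggleable) feature is dropped from the config.` so the next reader does not expect the old auto-add behaviour. The GRO comment presumably sits just above this hunk and needs the same edit; `activate`'s body starts before and ends after this hunk.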
@@ -45,7 +48,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_generic_segmentation_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'gso'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'gso'])
# If LRO is enabled by the Kernel - we reflect this on the CLI. If LRO is
@@ -54,7 +57,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_large_receive_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'lro'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'lro'])
# If SG is enabled by the Kernel - we reflect this on the CLI. If SG is
@@ -63,7 +66,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_scatter_gather()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'sg'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'sg'])
# If TSO is enabled by the Kernel - we reflect this on the CLI. If TSO is
@@ -72,7 +75,7 @@ def activate(config: ConfigTree):
enabled, fixed = eth.get_tcp_segmentation_offload()
if configured and fixed:
config.delete(base + [ifname, 'offload', 'tso'])
- elif enabled and not fixed:
+ elif is_live_boot() and enabled and not fixed:
config.set(base + [ifname, 'offload', 'tso'])
# Remove deprecated UDP fragmentation offloading option