| Age | Commit message (Collapse) | Author |
|
This change re-implements the intended behaviour from T4180 aswell as from
T4506, it ensures that both the vrf-member interface aswell as the vrf itself
is added as an oifname -> meaning that traffic traversing and originating from
withing VyOS is matches outbound.
Changes done by c-po:
* re-sort dependency list to keep diff low
* vyos.configdict.is_vrf_changed() should return early and not carry
over the to-be return value
* keep common coding style (dict by . separation) in nftables-zone.j2
Co-authored-by: Christian Breunig <christian@breunig.cc>
|
|
Internal typo/cosmitic bug, no functional changes
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
* Move core logic to separate vyos.geoip module
* Use a sqlite database for storing and querying address ranges by country
* Remove downloaded geoip ranges once loaded into sqlite db
* No longer rebuild geoip sets on each commit unless necessary
* Allows for extensibility using other geoip data vendors
|
|
In large networks with many zones where simple allow/deny rules are not sufficient,
zones become tedious to manage. Many use cases can be simplified by providing an
ability to define a default ruleset for traffic from other zones. This change proposes
adding the follwing syntax:
set firewall zone <name> default_firewall name <name>
set firewall zone <name> default_firewall ipv6_name <name>
The proposed behavior is the following:
local in:
The default firewall ruleset for the local zone will be appended after all
from configurations.
local out:
If a non-local zone does not have a from local ruleset but does have a
default_firewall ruleset, the default_firewall ruleset will be appended using
oifname
forward:
The default firewall ruleset for the zone will be appended after all from
configurations
To keep the behavior consistent with from ruleset configurations, a return is appended
after the default_firewall ruleset.
The proposed behavior differs slightly from the default_policy configuration for the
local out chains. The default_policy applied in the out templates comes from the local
zone, not the actual outbound zone. The proposed change does not amend this, but does
make default_firewall logically consistent with the intent of the out rules.
|
|
firewall: T7475: Add an option to disable conntrack for individual firewall chaisn
|
|
|
|
- Added command to disable conntrack per firewall chain
- Added test_disable_conntrack_per_chain function to smoketest
|
|
|
|
* For VRF create/delete:
* Simple dquoting, as before, was parsed away by the shell
* Just escaping the double quotes could cause issues with the shell mangling
VRF names (however unlikely)
* Wrapping original quotes in shell-escaped single quotes is a quick & easy
way to guard against both improper shell parsing and string names being
taken as nft keywords.
* Firewall configuration:
* Firewall "interface name" rules support VRF ifnames and used them unquoted,
fixed for nft_rule template tags (parse_rule)
* Went through and quoted all iif/oifname usage by zones and interface
groups. VRF ifnames weren't available for all cases, but there is
no harm in completeness.
* For this, also created a simple quoted_join template filter to replace
any use of |join(',')
* PBR calls nft but doesn't mind the "vni" name - table IDs used instead
I may have missed some niche nft use-cases that would be exposed to this problem.
|
|
firewalls should always accept
|
|
|
|
Allow accepting invalid packets for ethernet types `8021q` and `8021ad`
in addition to ARP and UDP types so that stateful bridge firewall works
for VLAN-aware bridges in addition to regular bridges.
|
|
remote groups
|
|
firewall: T7358: add offload option to global state policy
|
|
- fixed CI smoketest failures (again)
|
|
- Fixed CI smoketest failures
|
|
Since the jump to the global state chain is inserted before all rules,
it wasn't possible to use offload with the global state policies
This commit adds a new chain for offloaded traffic in the forward
chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
|
|
|
|
|
|
|
|
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
|
|
interfaces attached to VRFs
|
|
|
|
T6687: add fqdn support to nat rules.
|
|
|
|
|
|
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
|
|
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
|
|
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
|
|
enabling/disabling sending traffic from bridge layer to ipvX layer
|
|
new chains, priorities, and firewall groups
|
|
|
|
policy on OUTUT_raw
|
|
T3900: Add support for raw tables in firewall
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
|
|
Remove `service upnp` as it never worked as expected, nft rules do
not integrated and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
|
|
Add PoC for generating CGNAT rules
https://datatracker.ietf.org/doc/html/rfc6888
Not all requirements are implemented, but some of them.
Implemented:
REQ-2
```
A CGN MUST have a default "IP address pooling" behavior of "Paired"
CGN must use the same external IP
address mapping for all sessions associated with the same internal
IP address, be they TCP, UDP, ICMP, something else, or a mix of
different protocols.
```
REQ-3
```
The CGN function SHOULD NOT have any limitations on the size
or the contiguity of the external address pool
```
REQ-4
```
A CGN MUST support limiting the number of external ports (or,
equivalently, "identifiers" for ICMP) that are assigned per
subscriber
```
CLI:
```
set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'
```
|
|
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
|
|
smoketest
|
|
One can now do `set policy route foo default-log` which will add log
to the policy route chain.
|
|
included in <set firewall global-options state-policy> node.
|
|
to be able to catch logs using separte rule for default-action
|
|
T5541: firewall zone: re add firewall zone-base firewall
|