summaryrefslogtreecommitdiff
path: root/data/templates/firewall
AgeCommit message (Collapse)Author
13 daysfirewall: T8761: re-introduce VRF interface names in generated firewall configDavid Vølker
This change re-implements the intended behaviour from T4180 aswell as from T4506, it ensures that both the vrf-member interface aswell as the vrf itself is added as an oifname -> meaning that traffic traversing and originating from withing VyOS is matches outbound. Changes done by c-po: * re-sort dependency list to keep diff low * vyos.configdict.is_vrf_changed() should return early and not carry over the to-be return value * keep common coding style (dict by . separation) in nftables-zone.j2 Co-authored-by: Christian Breunig <christian@breunig.cc>
2026-04-13T8478: Fix typo in the firewall template bridge chain nameViacheslav Hletenko
Internal typo/cosmitic bug, no functional changes
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2026-03-14T8383: fix extra space in nftables ipv6 output chainAlex Kudentsov
2026-01-21geoip: T7926: Refactor geoip handlingsarthurdev
* Move core logic to separate vyos.geoip module * Use a sqlite database for storing and querying address ranges by country * Remove downloaded geoip ranges once loaded into sqlite db * No longer rebuild geoip sets on each commit unless necessary * Allows for extensibility using other geoip data vendors
2025-10-21firewall: T7739: Default ruleset for firewall zonesAdam Schultz
In large networks with many zones where simple allow/deny rules are not sufficient, zones become tedious to manage. Many use cases can be simplified by providing an ability to define a default ruleset for traffic from other zones. This change proposes adding the follwing syntax: set firewall zone <name> default_firewall name <name> set firewall zone <name> default_firewall ipv6_name <name> The proposed behavior is the following: local in: The default firewall ruleset for the local zone will be appended after all from configurations. local out: If a non-local zone does not have a from local ruleset but does have a default_firewall ruleset, the default_firewall ruleset will be appended using oifname forward: The default firewall ruleset for the zone will be appended after all from configurations To keep the behavior consistent with from ruleset configurations, a return is appended after the default_firewall ruleset. The proposed behavior differs slightly from the default_policy configuration for the local out chains. The default_policy applied in the out templates comes from the local zone, not the actual outbound zone. The proposed change does not amend this, but does make default_firewall logically consistent with the intent of the out rules.
2025-09-22Merge pull request #4698 from l0crian1/fw-disable-conntrackDaniil Baturin
firewall: T7475: Add an option to disable conntrack for individual firewall chaisn
2025-09-13firewall: T7475: Remove redundant if statement in jinja templatel0crian1
2025-09-05Firewall: T7475: Disable conntrack per firewall chainl0crian1
- Added command to disable conntrack per firewall chain - Added test_disable_conntrack_per_chain function to smoketest
2025-06-30firewall: T7452: update rule generation for Zone-based firewallDavid Vølker
2025-06-27vrf: T7544: Ensure correct quoting for VRF ifnames in nftablesAndrew Topp
* For VRF create/delete: * Simple dquoting, as before, was parsed away by the shell * Just escaping the double quotes could cause issues with the shell mangling VRF names (however unlikely) * Wrapping original quotes in shell-escaped single quotes is a quick & easy way to guard against both improper shell parsing and string names being taken as nft keywords. * Firewall configuration: * Firewall "interface name" rules support VRF ifnames and used them unquoted, fixed for nft_rule template tags (parse_rule) * Went through and quoted all iif/oifname usage by zones and interface groups. VRF ifnames weren't available for all cases, but there is no harm in completeness. * For this, also created a simple quoted_join template filter to replace any use of |join(',') * PBR calls nft but doesn't mind the "vni" name - table IDs used instead I may have missed some niche nft use-cases that would be exposed to this problem.
2025-06-17firewall: T6951: Add a configuration command for ethertypes that bridge ↵Nataliia Solomko
firewalls should always accept
2025-06-05T7523: firewall: Accepting invalid traffic for pppoe discovery and wolopswill
2025-06-01T7512: firewall: Modify accepting invalid traffic for VLAN aware bridgeIndrajit Raychaudhuri
Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges.
2025-05-07T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in ↵Mark Hayes
remote groups
2025-04-25Merge pull request #4457 from l0crian1/t7358-add-offload-to-global-stateViacheslav Hletenko
firewall: T7358: add offload option to global state policy
2025-04-18firewall: T7358: add offload option to global state policyl0crian1
- fixed CI smoketest failures (again)
2025-04-18firewall: T7358: add offload option to global state policyl0crian1
- Fixed CI smoketest failures
2025-04-16firewall: T7358: add offload option to global state policyl0crian1
Since the jump to the global state chain is inserted before all rules, it wasn't possible to use offload with the global state policies This commit adds a new chain for offloaded traffic in the forward chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
2025-03-28geoip: T5636: Add geoip for policy route/route6sskaje
2025-03-21firewall: T5493: Implement remote-groupAlex W
2025-02-20firewall: T7148: Bridge state-policy uses drop in place of rejectsarthurdev
2025-01-06T6841: firewall: Fixed issues in ZBF when using VRFsaapostoliuk
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
2025-01-06T6841: firewall: improve config parsing for ZBF when using VRFs and ↵Nicolas Fort
interfaces attached to VRFs
2024-12-13T6918: Accept invalid PPPoE Session in stateful bridge firewall.opswill
2024-09-30Merge pull request #4024 from nicolas-fort/T6687Daniil Baturin
T6687: add fqdn support to nat rules.
2024-09-16T6687: add fqdn support to nat rules.Nicolas Fort
2024-09-02T6679: add destination groupsNicolas Vollmar
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-14T6636: firewall: fix firewall template in order to write logs for ↵Nicolas Fort
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T4072: firewall: extend firewall bridge smoketestNicolas Fort
2024-08-01T6570: firewall: add global-option to configure sysctl parameter for ↵Nicolas Fort
enabling/disabling sending traffic from bridge layer to ipvX layer
2024-08-01T4072: firewall: extend firewall bridge capabilities, in order to include ↵Nicolas Fort
new chains, priorities, and firewall groups
2024-06-25T3900: extend latest fix for firewall raw implementation to ipv6.Nicolas Fort
2024-06-20T3900: firewall: fix for initial implementation - remove jump to state ↵Nicolas Fort
policy on OUTUT_raw
2024-06-06Merge pull request #3578 from nicolas-fort/raw-hookDaniil Baturin
T3900: Add support for raw tables in firewall
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-02-01upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLsChris Buechler
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-22vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest
2023-12-26firewall: T5834: Add support for default log for route policyIndrajit Raychaudhuri
One can now do `set policy route foo default-log` which will add log to the policy route chain.
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-10-19Merge pull request #2362 from nicolas-fort/T5541Christian Breunig
T5541: firewall zone: re add firewall zone-base firewall