| Age | Commit message (Collapse) | Author |
|---|
|
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
|
|
smoketest
|
|
One can now do `set policy route foo default-log` which will add log
to the policy route chain.
|
|
included in <set firewall global-options state-policy> node.
|
|
to be able to catch logs using separte rule for default-action
|
|
T5541: firewall zone: re add firewall zone-base firewall
|
|
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
A commit that removes `firewall bridge` will delete the table and not re-create it. Therefore any further firewall commit will fail trying to delete the non-existent bridge table. This commit ensures the table is always present (even if empty) to ensure successful commit.
|
|
`set firewall flowtable <name> interface <ifname>`
`set firewall flowtable <name> offload [software|hardware]`
`set firewall [ipv4|ipv6] forward filter rule N action offload`
`set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
|
|
firewall, nat, nat66
|
|
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional
lines are mistakenly included.
https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd
has removed the extra `}`, but the `{{ group_tmpl.groups(group, True)
}}` line needs to be removed as well.
|
|
|
|
T4502: firewall: Add software flow offload using flowtable
|
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```
Generated nftables rules:
```
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}
```
Use this option to count packets and bytes for each offloaded flow:
```
set system conntrack flow-accounting
```
To verify a connection is offloaded, run
```
cat /proc/net/nf_conntrack|grep OFFLOAD
```
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
|
|
T4072: add firewall bridge filtering.
|
|
forward chain and few matchers. Should be extended in the future.
|
|
|
|
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
|
|
|
|
|
|
|
|
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
scripts and src firewall
|
|
We cannot use some specific names like POSTROUTING/PREROUTING
as for PBR they overlaps with VyOS defined chains
Chains aftoconfigured by VyOS itself:
chain VYOS_PBR_PREROUTING
chain VYOS_PBR_POSTROUTING
If we try to use chain name "POSTROUTING" it generates 2 chains
with the same name "chain VYOS_PBR_POSTROUTING" one is
autoconfigured and the second defined by user
set policy route POSTROUTING rule 100
Add the user-defined (UD) prefix to separate user defined names
That allows to use any user-defined names
|
|
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
so this new group can be used in inbound and outbound matcher
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
|
|
`fqdn` node
|
|
|
|
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
|
|
|
|
|
|
|
