Age | Commit message | Author
---|---|---
2023-08-11 | T5160: firewall refactor: new cli structure. Update jinja templates, python scripts and src firewall | Nicolas Fort
2023-07-03 | T5333: Set prefix UD for PBR generated user-defined chain names<br>We cannot use some specific names like POSTROUTING/PREROUTING as for PBR they overlap with VyOS defined chains. Chains autoconfigured by VyOS itself: `chain VYOS_PBR_PREROUTING`, `chain VYOS_PBR_POSTROUTING`. If we try to use chain name "POSTROUTING" it generates 2 chains with the same name "chain VYOS_PBR_POSTROUTING": one is autoconfigured and the second defined by user: `set policy route POSTROUTING rule 100`. Add the user-defined (UD) prefix to separate user defined names. That allows the use of any user-defined names. | Viacheslav Hletenko
2023-03-31 | T5128: Policy Route: allow wildcard on interface | Nicolas Fort
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface<br>T4780: Firewall: add firewall groups in firewall. Extend matching cri… | Christian Poessinger
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria so this new group can be used in inbound and outbound matcher | Nicolas Fort
2022-11-11 | policy: T2199: T4605: Migrate policy route interface to `policy route\|route6 <name> interface <ifname>`<br>* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup<br>* T4605: Rename mangle table to vyos_mangle | sarthurdev
2022-11-03 | nat: T1877: T970: Add firewall groups to NAT | sarthurdev
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination `fqdn` node | sarthurdev
2022-10-25 | nat: T4764: Remove tables on NAT deletion | sarthurdev
2022-10-10 | firewall: T4741: Verify zone `from` is defined before use | sarthurdev
2022-10-09 | firewall: T3907: Fix firewall state-policy logging<br>When log-level was introduced, node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling. | sarthurdev
2022-09-21 | nat: T4605: Refactor static NAT to use python module for parsing rules<br>* Rename table to vyos_nat<br>* Add static NAT smoketest | sarthurdev
2022-09-21 | nat66: T4605: Refactor NAT66 to use python module for parsing rules<br>* Rename table to vyos_nat<br>* Refactor tests to use `verify_nftables` format | sarthurdev
2022-09-21 | nat: T4605: Refactor NAT to use python module for parsing rules<br>* Rename table to vyos_nat<br>* Refactor tests to use `verify_nftables` format | sarthurdev
2022-09-17 | Merge pull request #1546 from nicolas-fort/fwall-jump<br>T4699: Firewall: Add jump action in firewall ruleset | Christian Poessinger
2022-09-16 | firewall: T2199: enable "auto-merge" on sets<br>`vyos@vyos# show firewall`<br>`+name foo {`<br>`+ rule 1 {`<br>`+ action accept`<br>`+ packet-length 100`<br>`+ packet-length 105`<br>`+ packet-length 200-300`<br>`+ packet-length 220-250`<br>`+ }`<br>`+}`<br>will report a nftables error upon load: `Error: conflicting intervals specified`. With nftables 1.0.3 there is an "auto-merge" option which corrects this: https://lwn.net/Articles/896732/ | Christian Poessinger
2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev
2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev
2022-09-13 | firewall: T2199: Move initial firewall tables to data | sarthurdev
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node<br>* Refactor firewall and zone-policy rule creation and cleanup<br>* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`<br>* Remove `firewall-interface.py` conf script | sarthurdev
2022-09-01 | Merge pull request #1466 from sever-sever/T538<br>nat: T538: Add static NAT one-to-one | Christian Poessinger
2022-09-01 | policy-route: T4655: Remove default_action from template<br>Remove `default_action` from template "nftables-policy" as XML policy route does not use it. Set default action 'accept' for policy route, as default action 'drop' must be used only for firewall and is not related to the policy route. | Viacheslav Hletenko
2022-08-31 | nat: T538: Move nat configs to /run directory | Viacheslav Hletenko
2022-08-20 | nat66: T4631: Add port and protocol to nat66<br>Ability to configure src/dst/translation port and protocol for SNAT and DNAT IPv6 | Viacheslav Hletenko
2022-08-19 | UPnP: T4611: Rule must be as prefix instead of an address<br>From the doc, miniupnpd IP/mask format must be nnn.nnn.nnn.nnn/nn. Comment out invalid option "anchor". | Viacheslav Hletenko
2022-08-17 | nat: T538: Add static NAT one-to-one<br>Ability to set static NAT (one-to-one) in one rule:<br>`set nat static rule 10 destination address '203.0.113.0/24'`<br>`set nat static rule 10 inbound-interface 'eth0'`<br>`set nat static rule 10 translation address '192.0.2.0/24'`<br>It will be enough for PREROUTING and POSTROUTING rules. Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number. | Viacheslav Hletenko
2022-08-16 | UPnP: T4620: Fix Jinja2 template rules | Viacheslav Hletenko
2022-08-05 | nat66: T4598: Add exclude options in nat66 | Nicolas Fort
2022-08-03 | nat66: T4586: Add SNAT destination prefix and DNAT address<br>Ability to configure SNAT destination prefix and DNAT source address. Add option "!" (not address/prefix) for NAT66. | Viacheslav Hletenko
2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev
2022-06-14 | firewall: T4147: Use named sets for firewall groups<br>* Refactor nftables clean-up code<br>* Adds policy route test for using firewall groups | sarthurdev
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev
2022-06-10 | firewall: T478: Add support for nesting groups | sarthurdev
2022-05-28 | firewall: T970: Add firewall group domain-group<br>Domain group allows filtering addresses by domain name. Resolved addresses as elements are stored in a named "nft set" that is used in the nftables rules. Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts a python script for the domain-group address resolving by timeout 300 sec.<br>`set firewall group domain-group DOMAINS address 'example.com'`<br>`set firewall group domain-group DOMAINS address 'example.org'`<br>`set firewall name FOO rule 10 action 'drop'`<br>`set firewall name FOO rule 10 source group domain-group 'DOMAINS'`<br>`set interfaces ethernet eth0 firewall local name 'FOO'`<br>`nft list table ip filter`<br>`table ip filter {`<br>`  set DOMAINS {`<br>`    type ipv4_addr`<br>`    flags interval`<br>`    elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 }`<br>`  }`<br>`  chain NAME_FOO {`<br>`    ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10"`<br>`    counter packets 0 bytes 0 return comment "FOO default-action accept"`<br>`  }`<br>`}` | Viacheslav Hletenko
2022-05-01 | firewall: T4353: fix Jinja2 linting errors | Christian Poessinger
2022-05-01 | vrf: T4353: fix Jinja2 linting errors | Christian Poessinger
2022-04-25 | nat: T4210: Fix template for negated ports | Viacheslav Hletenko
2022-04-18 | NAT: T4365: Fix for nat tables manipulation on netfilter | Nicolas Fort
2022-04-13 | firewall: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-04-10 | firewall: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-04-10 | policy: route: T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-04-10 | nat(66): T4333: migrate to new vyos_defined Jinja2 test | Christian Poessinger
2022-02-04 | firewall: T4209: Fix support for rule `recent` matches | sarthurdev
2022-01-29 | firewall: T4218: Adds a prefix to all user defined chains | sarthurdev
2022-01-30 | Merge pull request #789 from jack9603301/T3420<br>upnpd: T3420: Support UPNP protocol | Daniil Baturin
2022-01-20 | firewall: T2199: Add log prefix to match legacy perl behaviour<br>Example syslog: `[FWNAME-default-D] ...`<br>* Also clean-up firewall default-action | sarthurdev
2022-01-19 | Merge pull request #1177 from sarthurdev/mac_groups<br>firewall: T3560: Add support for MAC address groups | Christian Poessinger
2022-01-18 | firewall: T3560: Add support for MAC address groups | sarthurdev
2022-01-18 | firewall: T4188: Create default conntrack `FW_CONNTRACK` chain<br>This chain was missing from the XML/Python rewrite, thus all traffic fell through to the `notrack` rule. | sarthurdev