Age | Commit message (Collapse) | Author |
|
Remove `service upnp` as it never worked as expected, nft rules do
not integrated and custom patches do not seem like a suitable
solution for now.
Security:
UPnP has been historically associated with security risks due to its automatic
and potentially unauthenticated nature.
UPnP devices might be vulnerable to unauthorized access or exploitation.
(cherry picked from commit 7c438caa2c21101cbefc2eec21935ab55af19c46)
|
|
T5989 fix: Add ipv4-prefix as a valid option for UPnP ACLs. (backport #2897)
|
|
(cherry picked from commit 0307801b8928bbaaa20caf5bd10b928bae459490)
|
|
appropiate commands to populate such groups using source and destination address of the packet.
(cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122)
|
|
There is no need to add and remove this table during runtime - it can lurk
in the standard firewall init code.
(cherry picked from commit 89f0d347bfe5e468355817a617dc71823a58c284)
|
|
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
|
|
interface: T5550: Interface source-validation priority over global value (backport)
|
|
One can now do `set policy route foo default-log` which will add log
to the policy route chain.
(cherry picked from commit 6278ce9b7cb2060c8226a60ccbdb580a0d8a3fb5)
|
|
|
|
included in <set firewall global-options state-policy> node.
|
|
|
|
|
|
|
|
This enables logs capabilities for default-action in base chains.
|
|
|
|
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
|
|
|
|
- Migrate IPv4 source-validation to nftables
- Interface source-validation value takes priority, fallback to global value
|
|
|
|
|
|
|
|
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
that contains fqnd and/or geo-ip in base chains. Fix mig script
|
|
|
|
scripts and src firewall
|
|
We cannot use some specific names like POSTROUTING/PREROUTING
as for PBR they overlaps with VyOS defined chains
Chains aftoconfigured by VyOS itself:
chain VYOS_PBR_PREROUTING
chain VYOS_PBR_POSTROUTING
If we try to use chain name "POSTROUTING" it generates 2 chains
with the same name "chain VYOS_PBR_POSTROUTING" one is
autoconfigured and the second defined by user
set policy route POSTROUTING rule 100
Add the user-defined (UD) prefix to separate user defined names
That allows to use any user-defined names
|
|
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
so this new group can be used in inbound and outbound matcher
|
|
<name> interface <ifname>`
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
|
|
|
|
`fqdn` node
|
|
|
|
|
|
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling.
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
vyos@vyos# show firewall
+name foo {
+ rule 1 {
+ action accept
+ packet-length 100
+ packet-length 105
+ packet-length 200-300
+ packet-length 220-250
+ }
+}
will report a nftables error upon load: Error: conflicting intervals specified
With nftables 1.0.3 there is an "auto-merge" option which corrects this:
https://lwn.net/Articles/896732/
|
|
|
|
|
|
|
|
|
|
firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
|
|
nat: T538: Add static NAT one-to-one
|
|
Remove `default_action` from template "nftables-policy" as XML
policy route does not use it
Set default action 'accept' for policy route, as default action
'drop' must be used only for firewall and not related to the
policy route
|
|
|
|
Ability to configure src/dst/translation port and protocol for
SNAT and DNAT IPv6
|