summaryrefslogtreecommitdiff
path: root/data/templates/firewall
AgeCommit message (Collapse)Author
2024-12-13T6918: Accept invalid PPPoE Session in stateful bridge firewall.opswill
2024-09-30Merge pull request #4024 from nicolas-fort/T6687Daniil Baturin
T6687: add fqdn support to nat rules.
2024-09-16T6687: add fqdn support to nat rules.Nicolas Fort
2024-09-02T6679: add destination groupsNicolas Vollmar
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-14T6636: firewall: fix firewall template in order to write logs for ↵Nicolas Fort
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T4072: firewall: extend firewall bridge smoketestNicolas Fort
2024-08-01T6570: firewall: add global-option to configure sysctl parameter for ↵Nicolas Fort
enabling/disabling sending traffic from bridge layer to ipvX layer
2024-08-01T4072: firewall: extend firewall bridge capabilities, in order to include ↵Nicolas Fort
new chains, priorities, and firewall groups
2024-06-25T3900: extend latest fix for firewall raw implementation to ipv6.Nicolas Fort
2024-06-20T3900: firewall: fix for initial implementation - remove jump to state ↵Nicolas Fort
policy on OUTUT_raw
2024-06-06Merge pull request #3578 from nicolas-fort/raw-hookDaniil Baturin
T3900: Add support for raw tables in firewall
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-05-14T3420: Remove service upnpViacheslav Hletenko
Remove `service upnp` as it never worked as expected, nft rules do not integrated and custom patches do not seem like a suitable solution for now. Security: UPnP has been historically associated with security risks due to its automatic and potentially unauthenticated nature. UPnP devices might be vulnerable to unauthorized access or exploitation.
2024-04-09T5169: Add PoC for generating CGNAT rules rfc6888Viacheslav Hletenko
Add PoC for generating CGNAT rules https://datatracker.ietf.org/doc/html/rfc6888 Not all requirements are implemented, but some of them. Implemented: REQ-2 ``` A CGN MUST have a default "IP address pooling" behavior of "Paired" CGN must use the same external IP address mapping for all sessions associated with the same internal IP address, be they TCP, UDP, ICMP, something else, or a mix of different protocols. ``` REQ-3 ``` The CGN function SHOULD NOT have any limitations on the size or the contiguity of the external address pool ``` REQ-4 ``` A CGN MUST support limiting the number of external ports (or, equivalently, "identifiers" for ICMP) that are assigned per subscriber ``` CLI: ``` set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1' ```
2024-02-01upnp: T5989: add ipv4-prefix as a valid option for UPnP ACLsChris Buechler
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-22vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest
2023-12-26firewall: T5834: Add support for default log for route policyIndrajit Raychaudhuri
One can now do `set policy route foo default-log` which will add log to the policy route chain.
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-10-19Merge pull request #2362 from nicolas-fort/T5541Christian Breunig
T5541: firewall zone: re add firewall zone-base firewall
2023-10-13T5541: firewall zone: re add firewall zone-base firewallNicolas Fort
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-09-19bridge: T4072: Prevent error when removing firewall bridge configsarthurdev
A commit that removes `firewall bridge` will delete the table and not re-create it. Therefore any further firewall commit will fail trying to delete the non-existent bridge table. This commit ensures the table is always present (even if empty) to ensure successful commit.
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-15T4502: Fix syntax error introduced by #2062Yuxiang Zhu
When rebasing https://github.com/vyos/vyos-1x/pull/2062, some additional lines are mistakenly included. https://github.com/vyos/vyos-1x/commit/45cfd569119b66abd2f0dfb954042b57921881bd has removed the extra `}`, but the `{{ group_tmpl.groups(group, True) }}` line needs to be removed as well.
2023-09-15firewall: T4502: fix syntax error unexpected '}'Christian Breunig
2023-09-14Merge pull request #2062 from vfreex/simple-fastpath-supportViacheslav Hletenko
T4502: firewall: Add software flow offload using flowtable
2023-09-11T3655: Fix NAT problem with VRFYuxiang Zhu
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup.
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-05firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-09-05interface: T5550: Interface source-validation priority over global valuesarthurdev
- Migrate IPv4 source-validation to nftables - Interface source-validation value takes priority, fallback to global value
2023-08-26firewall: T5080: Disable conntrack unless required by rulessarthurdev
2023-08-25firewall: T5160: Remove unused zone templatesarthurdev
2023-08-25interface: T3509: Add per-interface IPv6 source validationsarthurdev
2023-08-25firewall: T3509: Add support for IPv6 return path filteringsarthurdev
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: fix firewall template for correct rule parsing ↵Nicolas Fort
that contains fqnd and/or geo-ip in base chains. Fix mig script
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update jinja templates, python ↵Nicolas Fort
scripts and src firewall
2023-07-03T5333: Set prefix UD for PBR generated user-defined chain namesViacheslav Hletenko
We cannot use some specific names like POSTROUTING/PREROUTING as for PBR they overlaps with VyOS defined chains Chains aftoconfigured by VyOS itself: chain VYOS_PBR_PREROUTING chain VYOS_PBR_POSTROUTING If we try to use chain name "POSTROUTING" it generates 2 chains with the same name "chain VYOS_PBR_POSTROUTING" one is autoconfigured and the second defined by user set policy route POSTROUTING rule 100 Add the user-defined (UD) prefix to separate user defined names That allows to use any user-defined names
2023-03-31T5128: Policy Route: allow wildcard on interfaceNicolas Fort