Age | Commit message (Collapse) | Author | |
---|---|---|---|
2024-08-16 | T5794: change firewall priority in oder to be loaded after all interfaces.mergify/bp/sagitta/pr-3988 | nicolas | |
(cherry picked from commit b3ae35987a860a5d2cf64dfbc156a7ee7cc799a2) | |||
2024-04-11 | T6214: T6213: change constraint <alpha-numeric-hyphen-underscore-dot.xml.i> ↵ | Nicolas Fort | |
in order to not allow string starting with dot character; use such constraint in firewall group definitions. (cherry picked from commit c455a1f71674300b8a74863ddfe6e551fe8fd252) | |||
2024-02-13 | Merge pull request #3003 from vyos/mergify/bp/sagitta/pr-3000 | Daniil Baturin | |
T5064: Firewall fix RegEx for for domain-group (backport #3000) | |||
2024-02-13 | T5064: Firewall fix RegEx for for domain-group | Viacheslav Hletenko | |
Improve RegEx for firewall domain-groups. This domain group looks good, but the current RegEx validation fils: ``` set firewall group domain-group a_aa ``` (cherry picked from commit b67049edab41e8714aec087b81d589fdb03a350b) | |||
2024-02-13 | T5928: Change firewall priority to 319 | Viacheslav Hletenko | |
Change the firewall priority to 319, after interface ethernet configuration For example if we use VLANs and the vlan interface must be created before we can use it in the firewall/flowtable The current priority ``` 199 firewall 300 interfaces/dummy 300 interfaces/loopback 300 interfaces/virtual-ethernet 310 interfaces/bridge 310 interfaces/input 318 interfaces/ethernet ... ``` (cherry picked from commit f1dcd2d23f89251b0a96c61f8186002cb0d50d18) | |||
2024-02-01 | T4839: firewall: Add dynamic address group in firewall configuration, and ↵ | Nicolas Fort | |
appropiate commands to populate such groups using source and destination address of the packet. (cherry picked from commit 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122) | |||
2023-12-30 | firewall: T5834: Rename 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri | |
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency. (cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992) | |||
2023-12-15 | T5775: firewall: re-add state-policy to firewall. These commands are now ↵ | Nicolas Fort | |
included in <set firewall global-options state-policy> node. | |||
2023-11-21 | T5419: firewall: backport firewall flowtable to Sagitta. | Nicolas Fort | |
2023-11-16 | T4072: firewall: backport bridge firewall to sagitta | Nicolas Fort | |
2023-10-20 | T5541: firewall: re-add zone-based firewall. | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Update only all xml | Nicolas Fort | |
2023-06-10 | zone-policy: T2199: add VRF completion helper for interface | Christian Breunig | |
2023-04-01 | xml: include building block file name should end with .i and not .in | Christian Breunig | |
2023-03-31 | T5128: Add contraint for firewall interface. Also update smoketest to ↵ | Nicolas Fort | |
include at least one wildcarded interface | |||
2023-03-10 | Merge pull request #1871 from nicolas-fort/T5055 | Christian Breunig | |
T5055: Firewall: add packet-type matcher in firewall and route policy | |||
2023-03-09 | xml: T4952: improve interface completion helper CLI experience | Christian Breunig | |
2023-03-06 | T5055: Firewall: add packet-type matcher in firewall and route policy | Nicolas Fort | |
2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort | |
2022-12-19 | T4886: Firewall and route policy: Add connection-mark feature to vyos. | Nicolas Fort | |
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger | |
T4780: Firewall: add firewall groups in firewall. Extend matching cri… | |||
2022-11-24 | Merge pull request #1641 from Rain/T4612-arbitrary-netmasks | Christian Poessinger | |
firewall: T4612: Support arbitrary netmasks | |||
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵ | Nicolas Fort | |
so this new group can be used in inbound and outbound matcher | |||
2022-11-03 | Merge pull request #1633 from sarthurdev/fqdn | Christian Poessinger | |
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT | |||
2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination ↵ | sarthurdev | |
`fqdn` node | |||
2022-11-03 | xml: T4795: provide common and re-usable XML definitions for policy | Christian Poessinger | |
Remove duplicated code and move to single-source of truth. | |||
2022-10-09 | firewall: T3907: Fix firewall state-policy logging | sarthurdev | |
When log-level was introduced node `state-policy x log` was removed without migrator. This commit adds it back and improves log handling. | |||
2022-10-08 | firewall: T4612: Support arbitrary netmasks | Rain | |
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically. | |||
2022-09-20 | xml: firewall: T2199: improve interface help string | Christian Poessinger | |
2022-09-16 | T4699: Firewall: Add jump action in firewall rulest | Nicolas Fort | |
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev | |
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under ↵ | sarthurdev | |
firewall node * Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script | |||
2022-09-07 | T1024: Firewall and Policy route: add option to match dscp value, both on ↵ | Nicolas Fort | |
firewall and in policy route | |||
2022-09-06 | T4670: policy route: extend matching criteria for policy route and route6. ↵ | Nicolas Fort | |
Matching criteria added: ttl/hoplimit and packet-length | |||
2022-09-03 | firewall: T3568: add XML include block for eq,gt,lt options | Christian Poessinger | |
2022-09-02 | Merge branch 'T4651' of https://github.com/nicolas-fort/vyos-1x into firewall | Christian Poessinger | |
* 'T4651' of https://github.com/nicolas-fort/vyos-1x: Firewall: T4651: Change proposed cli from ip-length to packet-length Firewall: T4651: Add options to match packet size on firewall rules. | |||
2022-09-01 | Firewall: T4651: Change proposed cli from ip-length to packet-length | Nicolas Fort | |
2022-08-30 | firewall: T3568: cleanup XML help node - remove information passed via valueHelp | Christian Poessinger | |
2022-08-30 | firewall: T3568: rename XML building blocks to match CLI node name | Christian Poessinger | |
2022-08-27 | Firewall: T4651: Add options to match packet size on firewall rules. | Nicolas Fort | |
2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev | |
2022-06-10 | Merge pull request #1356 from sarthurdev/nested_groups | Christian Poessinger | |
firewall: T478: Add support for nesting groups | |||
2022-06-10 | firewall: T478: Add support for nesting groups | sarthurdev | |
2022-06-10 | Merge pull request #1355 from nicolas-fort/T4458-ipv4-ttl | Christian Poessinger | |
Firewall:T4458: Add ttl match option in firewall | |||
2022-06-10 | Firewall:T4458: Add ttl match option in firewall | Nicolas Fort | |
2022-06-10 | firewall: T970: Fix for Regex for domain and check empty group | Viacheslav Hletenko | |
It can be more then 5 symbols in top-level-domain address for example '.photography' and '.accountants' Firewall group can be added without address: * set firewall group domain-group DOMAIN Check if 'address' exists in group_config | |||
2022-06-10 | Merge pull request #1322 from nicolas-fort/T3907-fwall-log | Daniil Baturin | |
Firewall: T3907: add log-level options in firewall | |||
2022-06-07 | firewall: T970: domain-group should not starts with numeric | Viacheslav Hletenko | |
Edit regex to check firewall-group | |||
2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko | |
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } } |