| Age | Commit message (Collapse) | Author |
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
$ make interface_definitions
$ git add -f templates-cfg
$ ... refactor
$ make interface_definitions
$ git diff templates-cfg
No change in any node.def file detected.
|
|
$ make interface_definitions
$ git add -f templates-cfg
$ ... refactor
$ make interface_definitions
$ git diff templates-cfg
No change in any node.def file detected.
|
|
|
|
There is a CLI constraint for lowercase country codes, but user's do not
see this.
|
|
- Added command to disable conntrack per firewall chain
- Added test_disable_conntrack_per_chain function to smoketest
|
|
firewalls should always accept
|
|
|
|
Allow accepting invalid packets for ethernet types `8021q` and `8021ad`
in addition to ARP and UDP types so that stateful bridge firewall works
for VLAN-aware bridges in addition to regular bridges.
|
|
since the validation utility adds them implicitly
|
|
remote groups
|
|
Since the jump to the global state chain is inserted before all rules,
it wasn't possible to use offload with the global state policies
This commit adds a new chain for offloaded traffic in the forward
chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
|
|
|
|
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
|
|
|
|
regular firewall ruleset.
|
|
|
|
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
|
|
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|
|
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
enabling/disabling sending traffic from bridge layer to ipvX layer
|
|
new chains, priorities, and firewall groups
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
|
|
|
|
to firewall global-optinos
|
|
|
|
Make the code more uniform and maintainable.
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
since it's not supported.
|
|
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
|
|
This file is a left over from previous refactoring and no longer
referenced anywhere in the interface definitions.
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
|
|
|
|
included in <set firewall global-options state-policy> node.
|
|
to be able to catch logs using separte rule for default-action
|
|
<enable|disable> commands; log and state moved to new syntax.
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
T5600: firewall: change constraints for inbound|outbound interface-name
|
|
filter and in policy route.
|
|
T5217: Add firewall synproxy
|
|
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
|