Age | Commit message | Author | |
---|---|---|---|
2024-04-15 | T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-options | Nicolas Fort | |
2024-03-12 | conntrack: T4022: add RTSP conntrack helper | Indrek Ardel | |
2024-03-05 | xml: T5738: use generic-disable-node building block for "disable" CLI nodes | Christian Breunig | |
| | Make the code more uniform and maintainable. | | |
2024-02-01 | Merge pull request #2756 from nicolas-fort/T4839 | Christian Breunig | |
| | T4839: firewall: Add dynamic address group in firewall configuration | | |
2024-01-25 | T4839: firewall: Add dynamic address group in firewall configuration, and appropriate commands to populate such groups using source and destination address of the packet. | Nicolas Fort | |
2024-01-23 | T5977: firewall: remove ipsec options in output chain rule definitions, since it's not supported. | Nicolas Fort | |
2023-12-26 | firewall: T5834: Improve log message and simplify log-option include | Indrajit Raychaudhuri | |
| | `include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`. | | |
2023-12-26 | firewall: T5834: Remove vestigial include file | Indrajit Raychaudhuri | |
| | This file is a leftover from previous refactoring and is no longer referenced anywhere in the interface definitions. | | |
2023-12-26 | firewall: T5834: Rename 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri | |
| | Rename chain-level default log option from `enable-default-log` to `default-log` for consistency. | | |
2023-12-15 | firewall: T4502: add offload to firewall table actions | GurliGebis | |
2023-11-24 | T5775: firewall: re-add state-policy to firewall. These commands are now included in <set firewall global-options state-policy> node. | Nicolas Fort | |
2023-11-22 | T5637: firewall: extend rule for default-action to firewall bridge, in order to be able to catch logs using separate rule for default-action | Nicolas Fort | |
2023-11-10 | T5729: firewall: switch to valueless in order to remove unnecessary <enable|disable> commands; log and state moved to new syntax. | Nicolas Fort | |
2023-10-25 | T5681: Firewall, Nat and Nat66: simplified and standardized interface matcher (valid for interfaces and groups) in firewall, nat and nat66. | Nicolas Fort | |
2023-10-06 | T5637: add new rule at the end of base chains for default-actions. This enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action | Nicolas Fort | |
2023-09-30 | Merge pull request #2300 from nicolas-fort/T5600 | Christian Breunig | |
| | T5600: firewall: change constraints for inbound|outbound interface-name | | |
2023-09-29 | T5616: firewall: add option to be able to match firewall marks in firewall filter and in policy route. | Nicolas Fort | |
2023-09-28 | Merge pull request #2295 from sever-sever/T5217-synproxy | Christian Breunig | |
| | T5217: Add firewall synproxy | | |
2023-09-24 | firewall: T5614: Add support for matching on conntrack helper | sarthurdev | |
2023-09-21 | T5217: Add firewall synproxy | Viacheslav Hletenko | |
| | Add ability to SYNPROXY connections. It is useful to protect against TCP SYN flood attacks and port-scanners. `set firewall global-options syn-cookies 'enable'` `set firewall ipv4 input filter rule 10 action 'synproxy'` `set firewall ipv4 input filter rule 10 destination port '22'` `set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'` `set firewall ipv4 input filter rule 10 protocol 'tcp'` `set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'` `set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'` | | |
2023-09-21 | T5600: firewall: change constraints for inbound|outbound interface-name. Now user can use VRF, and negated VRF, and configuration won't be broken after reboot. | Nicolas Fort | |
2023-09-19 | firewall: T4502: Update to flowtable CLI | sarthurdev | |
| | `set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>` | | |
2023-09-18 | conntrack: T5217: Add tcp flag matching to `system conntrack ignore` | sarthurdev | |
| | - Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching | | |
2023-09-09 | T4502: firewall: Add software flow offload using flowtable | Yuxiang Zhu | |
| | The following commands will enable nftables flowtable offload on interfaces eth0 eth1: `set firewall global-options flow-offload software interface <name>` `set firewall global-options flow-offload hardware interface <name>` Generated nftables rules: `table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } }` Use this option to count packets and bytes for each offloaded flow: `set system conntrack flow-accounting` To verify a connection is offloaded, run `cat /proc/net/nf_conntrack\|grep OFFLOAD` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath | | |
2023-09-08 | Merge pull request #2222 from nicolas-fort/T4072-fwall-bridge | Christian Breunig | |
| | T4072: add firewall bridge filtering. | | |
2023-09-07 | T4072: add firewall bridge filtering. First implementation only applies for forward chain and few matchers. Should be extended in the future. | Nicolas Fort | |
2023-09-06 | Merge pull request #2199 from sarthurdev/T4309 | Christian Breunig | |
| | conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups | | |
2023-09-05 | firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfaces | sarthurdev | |
2023-09-04 | conntrack: T4309: T4903: Refactor `system conntrack ignore` rule generation, add IPv6 support and firewall groups | sarthurdev | |
2023-08-23 | T5450: update smoketest and interface definition in order to work with new firewall cli | Nicolas Fort | |
2023-08-11 | T5460: remove config-trap from firewall | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: fix regexp for connection-status. Create new file with common matcher for ipv4 and ipv6, and use include on all chains for all these common matchers | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change default value for <default-action> from <drop> to <accept> if default-action is not specified in base chains | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set firewall ipv6 name ...>. Also fix some unexpected behaviour with geoip. | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Update only all xml | Nicolas Fort | |
2023-07-31 | T5014: fix conflicts. Add code for redirection, which is causing conflicts. Change code for new syntax | Nicolas Fort | |
2023-07-31 | T5014: nat: add source and destination nat options for configuring load balance within a single rule. | Nicolas Fort | |
2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort | |
2023-03-10 | Merge pull request #1871 from nicolas-fort/T5055 | Christian Breunig | |
T5055: Firewall: add packet-type matcher in firewall and route policy | |||
2023-03-09 | xml: T4952: improve interface completion helper CLI experience | Christian Breunig | |
2023-03-06 | T5055: Firewall: add packet-type matcher in firewall and route policy | Nicolas Fort | |
2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort | |
2023-02-18 | T4886: allow connection-mark 0 value, which is acceptable | Nicolas Fort | |
2023-01-02 | T4904: keepalived virtual-server allow multiple ports with fwmark | Viacheslav Hletenko | |
| | Allow multiple ports for high-availability virtual-server. The current implementation allows balancing only one "virtual" address and port between several "real servers". Allow matching "fwmark" to set traffic which should be balanced. Allow to set port 0 (all traffic) if we use "fwmark". Add health-check script. `set high-availability virtual-server 203.0.113.1 fwmark '111'` `set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'` `set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'` | | |
2022-12-23 | firewall: T2199: Fix typo in `rule-log-level.xml.i` header | sarthurdev | |
2022-12-23 | firewall: T2199: Add mac-address match to `destination` side | sarthurdev | |
2022-12-19 | T4886: Firewall and route policy: Add connection-mark feature to vyos. | Nicolas Fort | |
2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger | |
| | T4780: Firewall: add firewall groups in firewall. Extend matching cri… | | |
2022-12-15 | firewall: T4882: add missing ICMPv6 type names | initramfs | |