Age | Commit message (Collapse) | Author |
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
T5600: firewall: change constraints for inbound|outbound interface-name
|
|
filter and in policy route.
|
|
T5217: Add firewall synproxy
|
|
|
|
Add ability to SYNPROXY connections
It is useful to protect against TCP SYN flood attacks and port-scanners
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
|
|
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
|
|
`set firewall flowtable <name> interface <ifname>`
`set firewall flowtable <name> offload [software|hardware]`
`set firewall [ipv4|ipv6] forward filter rule N action offload`
`set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
|
|
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i`
- Update smoketest to verify TCP flag matching
|
|
The following commands will enable nftables flowtable offload on interfaces eth0 eth1:
```
set firewall global-options flow-offload software interface <name>
set firewall global-options flow-offload hardware interface <name>
```
Generated nftables rules:
```
table inet vyos_offload {
flowtable VYOS_FLOWTABLE_software {
hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 };
counter
}
chain VYOS_OFFLOAD_software {
type filter hook forward priority filter - 1; policy accept;
ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
}
}
```
Use this option to count packets and bytes for each offloaded flow:
```
set system conntrack flow-accounting
```
To verify a connection is offloaded, run
```
cat /proc/net/nf_conntrack|grep OFFLOAD
```
This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590
A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
|
|
T4072: add firewall bridge filtering.
|
|
forward chain and few matchers. Should be extended in the future.
|
|
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
|
|
|
|
add IPv6 support and firewall groups
|
|
firewall cli
|
|
|
|
with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
|
|
<drop> to <accept> if default-action is not specified in base chains
|
|
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
|
|
|
|
|
|
Change code for new syntax
|
|
balance within a single rule.
|
|
|
|
T5055: Firewall: add packet-type matcher in firewall and route policy
|
|
|
|
|
|
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
|
|
|
|
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|
|
|
|
firewall: T4612: Support arbitrary netmasks
|
|
so this new group can be used in inbound and outbound matcher
|
|
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
|
|
`fqdn` node
|
|
Instead of spawning the Python interpreter for every mac-address to
validate, rather use the base validate-value OCaml implementation which
is much faster.
This removes redundant code and also makes the CLI more responsive.
Validator is moved out to a dedicated file instead of using XML inlined <regex>
for the reason of re-usability. So if that regex needs to be touched again - it
can all happen in one single file.
|
|
Remove duplicated code and move to single-source of truth.
|
|
Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
|
|
|
|
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and
replace it with numeric"). The first version allowed both a range and discrete
numbers to be validated by the numeric validator.
This had a flaw as both 22 and 22-30 were valid at the same time. The generic
"port-number.xml.i" building block only allows a discrete number. Now if a user
set port 22-30 for e.g. SSH the daemon did no longer start. This is why range
validation must be explicitly enabled.
|
|
|
|
T4699: Firewall: Add jump action in firewall ruleset
|
|
|
|
After T4669 added support for range validation to the OCaml validator there is
no need to keep the slow Python validator in place.
Raplace all occurances of <validator name="range" argument="--min=1 --max=65535"/>
with <validator name="numeric" argument="--range 1-65535"/>.
|