summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall
AgeCommit message (Collapse)Author
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-11-10T5729: firewall: switch to valueless in order to remove unnecessary ↵Nicolas Fort
<enable|disable> commands; log and state moved to new syntax.
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-09-30Merge pull request #2300 from nicolas-fort/T5600Christian Breunig
T5600: firewall: change constraints for inbound|outbound interface-name
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev
2023-09-21T5217: Add firewall synproxyViacheslav Hletenko
Add ability to SYNPROXY connections It is useful to protect against TCP SYN flood attacks and port-scanners set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '22' set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
2023-09-21T5600: firewall: change constraints for inbound|outbound interface-name. Now ↵Nicolas Fort
user can use VRF, and negated VRF, and configuration wonn't be broken after reboot.
2023-09-19firewall: T4502: Update to flowtable CLIsarthurdev
`set firewall flowtable <name> interface <ifname>` `set firewall flowtable <name> offload [software|hardware]` `set firewall [ipv4|ipv6] forward filter rule N action offload` `set firewall [ipv4|ipv6] forward filter rule N offload-target <name>`
2023-09-18conntrack: T5217: Add tcp flag matching to `system conntrack ignore`sarthurdev
- Moves MSS node out of `tcp-flags.xml.i` and into `tcp-mss.xml.i` - Update smoketest to verify TCP flag matching
2023-09-09T4502: firewall: Add software flow offload using flowtableYuxiang Zhu
The following commands will enable nftables flowtable offload on interfaces eth0 eth1: ``` set firewall global-options flow-offload software interface <name> set firewall global-options flow-offload hardware interface <name> ``` Generated nftables rules: ``` table inet vyos_offload { flowtable VYOS_FLOWTABLE_software { hook ingress priority filter - 1; devices = { eth0, eth1, eth2, eth3 }; counter } chain VYOS_OFFLOAD_software { type filter hook forward priority filter - 1; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software } } ``` Use this option to count packets and bytes for each offloaded flow: ``` set system conntrack flow-accounting ``` To verify a connection is offloaded, run ``` cat /proc/net/nf_conntrack|grep OFFLOAD ``` This PR follows firewalld's implementation: https://github.com/firewalld/firewalld/blob/e748b97787d685d0ca93f58e8d4292e87d3f0da6/src/firewall/core/nftables.py#L590 A good introduction to nftables flowtable: https://thermalcircle.de/doku.php?id=blog:linux:flowtables_1_a_netfilter_nftables_fastpath
2023-09-08Merge pull request #2222 from nicolas-fort/T4072-fwall-bridgeChristian Breunig
T4072: add firewall bridge filtering.
2023-09-07T4072: add firewall bridge filtering. First implementation only applies for ↵Nicolas Fort
forward chain and few matchers. Should be extended in the future.
2023-09-06Merge pull request #2199 from sarthurdev/T4309Christian Breunig
conntrack: T4309: T4903: Refactor `system conntrack ignore`, add IPv6 support and firewall groups
2023-09-05firewall: T3509: Split IPv4 and IPv6 reverse path filtering like on interfacessarthurdev
2023-09-04conntrack: T4309: T4903: Refactor `system conntrack ignore` rule generation, ↵sarthurdev
add IPv6 support and firewall groups
2023-08-23T5450: update smoketest and interface definition in order to work with new ↵Nicolas Fort
firewall cli
2023-08-11T5460: remove config-trap from firewallNicolas Fort
2023-08-11T5160: firewall refactor: fix regexep for connection-status. Create new file ↵Nicolas Fort
with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers
2023-08-11T5160: firewall refactor: change default value for <default-action> from ↵Nicolas Fort
<drop> to <accept> if default-action is not specified in base chains
2023-08-11T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set ↵Nicolas Fort
firewall ipv6 name ...> . Also fix some unexpected behaviour with geoip.
2023-08-11T5160: firewall refactor: change firewall ip to firewall ipv4Nicolas Fort
2023-08-11T5160: firewall refactor: new cli structure. Update only all xmlNicolas Fort
2023-07-31T5014: fix conflicts. Add code for redirection, which is causing conflicts. ↵Nicolas Fort
Change code for new syntax
2023-07-31T5014: nat: add source and destination nat options for configuring load ↵Nicolas Fort
balance within a single rule.
2023-03-21T5050: Firewall: Add log optionsNicolas Fort
2023-03-10Merge pull request #1871 from nicolas-fort/T5055Christian Breunig
T5055: Firewall: add packet-type matcher in firewall and route policy
2023-03-09xml: T4952: improve interface completion helper CLI experienceChristian Breunig
2023-03-06T5055: Firewall: add packet-type matcher in firewall and route policyNicolas Fort
2023-02-28T5037: Firewall: Add queue action and options to firewallNicolas Fort
2023-02-18T4886: allow connection-mark 0 value, which is acceptableNicolas Fort
2023-01-02T4904: keepalived virtual-server allow multiple ports with fwmarkViacheslav Hletenko
Allow multiple ports for high-availability virtual-server The current implementation allows balance only one "virtual" address and port between between several "real servers" Allow matching "fwmark" to set traffic which should be balanced Allow to set port 0 (all traffic) if we use "fwmark" Add health-check script set high-availability virtual-server 203.0.113.1 fwmark '111' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
2022-12-23firewall: T2199: Fix typo in `rule-log-level.xml.i` headersarthurdev
2022-12-23firewall: T2199: Add mac-address match to `destination` sidesarthurdev
2022-12-19T4886: Firewall and route policy: Add connection-mark feature to vyos.Nicolas Fort
2022-12-17Merge pull request #1626 from nicolas-fort/fwall_group_interfaceChristian Poessinger
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
2022-12-15firewall: T4882: add missing ICMPv6 type namesinitramfs
2022-11-24Merge pull request #1641 from Rain/T4612-arbitrary-netmasksChristian Poessinger
firewall: T4612: Support arbitrary netmasks
2022-11-19T4780: Firewall: add firewall groups in firewall. Extend matching criteria ↵Nicolas Fort
so this new group can be used in inbound and outbound matcher
2022-11-03Merge pull request #1633 from sarthurdev/fqdnChristian Poessinger
firewall: T970: T1877: Add source/destination fqdn, refactor domain resolver, firewall groups in NAT
2022-11-03firewall: T970: Refactor domain resolver, add firewall source/destination ↵sarthurdev
`fqdn` node
2022-11-03validators: T4795: migrate mac-address python validator to validate-valueChristian Poessinger
Instead of spawning the Python interpreter for every mac-address to validate, rather use the base validate-value OCaml implementation which is much faster. This removes redundant code and also makes the CLI more responsive. Validator is moved out to a dedicated file instead of using XML inlined <regex> for the reason of re-usability. So if that regex needs to be touched again - it can all happen in one single file.
2022-11-03xml: T4795: provide common and re-usable XML definitions for policyChristian Poessinger
Remove duplicated code and move to single-source of truth.
2022-10-08firewall: T4612: Support arbitrary netmasksRain
Add support for arbitrary netmasks on source/destination addresses in firewall rules. This is particularly useful with DHCPv6-PD when the delegated prefix changes periodically.
2022-09-26T4700: Firewall: add interface matching criteriaNicolas Fort
2022-09-22xml: T4698: validating a range must be explicitly enabled in the validatorChristian Poessinger
This extends commit 28573ffe4f ("xml: T4698: drop validator name="range" and replace it with numeric"). The first version allowed both a range and discrete numbers to be validated by the numeric validator. This had a flaw as both 22 and 22-30 were valid at the same time. The generic "port-number.xml.i" building block only allows a discrete number. Now if a user set port 22-30 for e.g. SSH the daemon did no longer start. This is why range validation must be explicitly enabled.
2022-09-21T4699: Firewall: Add return action, since jump action was added recentlyNicolas Fort