| Age | Commit message (Collapse) | Author |
|
|
|
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
|
|
$ make interface_definitions
$ git add -f templates-cfg
$ ... refactor
$ make interface_definitions
$ git diff templates-cfg
No change in any node.def file detected.
|
|
$ make interface_definitions
$ git add -f templates-cfg
$ ... refactor
$ make interface_definitions
$ git diff templates-cfg
No change in any node.def file detected.
|
|
|
|
There is a CLI constraint for lowercase country codes, but user's do not
see this.
|
|
- Added command to disable conntrack per firewall chain
- Added test_disable_conntrack_per_chain function to smoketest
|
|
firewalls should always accept
|
|
|
|
Allow accepting invalid packets for ethernet types `8021q` and `8021ad`
in addition to ARP and UDP types so that stateful bridge firewall works
for VLAN-aware bridges in addition to regular bridges.
|
|
since the validation utility adds them implicitly
|
|
remote groups
|
|
Since the jump to the global state chain is inserted before all rules,
it wasn't possible to use offload with the global state policies
This commit adds a new chain for offloaded traffic in the forward
chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
|
|
|
|
Co-authored-by: Daniil Baturin <daniil@baturin.org>
|
|
|
|
|
|
regular firewall ruleset.
|
|
|
|
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
|
|
|
|
* Only matching flags and fields used by modern RFC2890 "extended GRE" -
this is backwards-compatible, but does not match all possible flags.
* There are no nftables helpers for the GRE key field, which is critical
to match individual tunnel sessions (more detail in the forum post)
* nft expression syntax is not flexible enough for multiple field
matches in a single rule and the key offset changes depending on flags.
* Thus, clumsy compromise in requiring an explicit match on the "checksum"
flag if a key is present, so we know where key will be. In most cases,
nobody uses the checksum, but assuming it to be off or automatically
adding a "not checksum" match unless told otherwise would be confusing
* The automatic "flags key" check when specifying a key doesn't have similar
validation, I added it first and it makes sense. I would still like
to find a workaround to the "checksum" offset problem.
* If we could add 2 rules from 1 config definition, we could match
both cases with appropriate offsets, but this would break existing
FW generation logic, logging, etc.
* Added a "test_gre_match" smoketest
|
|
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
|
|
enabling/disabling sending traffic from bridge layer to ipvX layer
|
|
new chains, priorities, and firewall groups
|
|
(#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
|
|
timeout parameters defined in conntrack to firewall global-opton section.
|
|
|
|
|
|
to firewall global-optinos
|
|
|
|
Make the code more uniform and maintainable.
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
since it's not supported.
|
|
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.
|
|
This file is a left over from previous refactoring and no longer
referenced anywhere in the interface definitions.
|
|
Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.
|
|
|
|
included in <set firewall global-options state-policy> node.
|
|
to be able to catch logs using separte rule for default-action
|
|
<enable|disable> commands; log and state moved to new syntax.
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
|
|
T5600: firewall: change constraints for inbound|outbound interface-name
|
|
filter and in policy route.
|
|
T5217: Add firewall synproxy
|
|
|