summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall
AgeCommit message (Collapse)Author
2026-06-25geoip: T8987: Support updates via source-address/vrfsarthurdev
2026-06-04geoip: T5746: Add GeoIP ASN supportsarthurdev
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2026-02-15xml: T8271: add additional information for ICMPv6 compeltion helpChristian Breunig
2026-02-15xml: T8271: consolidate source-destination-group.xml.i and it's IPv4 equivalentChristian Breunig
$ make interface_definitions $ git add -f templates-cfg $ ... refactor $ make interface_definitions $ git diff templates-cfg No change in any node.def file detected.
2026-02-15xml: T8271: create re-usable XML block for port-group and domain-groupChristian Breunig
$ make interface_definitions $ git add -f templates-cfg $ ... refactor $ make interface_definitions $ git diff templates-cfg No change in any node.def file detected.
2026-01-21geoip: T8049: Add MaxMind database supportsarthurdev
2025-12-10firewall: T8089: "geoip country-code" should get a completion helperChristian Breunig
There is a CLI constraint for lowercase country codes, but user's do not see this.
2025-09-05Firewall: T7475: Disable conntrack per firewall chainl0crian1
- Added command to disable conntrack per firewall chain - Added test_disable_conntrack_per_chain function to smoketest
2025-06-17firewall: T6951: Add a configuration command for ethertypes that bridge ↵Nataliia Solomko
firewalls should always accept
2025-06-05T7523: firewall: Accepting invalid traffic for pppoe discovery and wolopswill
2025-06-01T7512: firewall: Modify accepting invalid traffic for VLAN aware bridgeIndrajit Raychaudhuri
Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges.
2025-05-20xml: T7467: remove ^/$ wrapping from validation regexesDaniil Baturin
since the validation utility adds them implicitly
2025-05-07T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in ↵Mark Hayes
remote groups
2025-04-16firewall: T7358: add offload option to global state policyl0crian1
Since the jump to the global state chain is inserted before all rules, it wasn't possible to use offload with the global state policies This commit adds a new chain for offloaded traffic in the forward chain and jumps to that chain. Please enter the commit message for your changes. Lines starting
2025-03-21firewall: T5493: Implement remote-groupAlex W
2024-12-17T6918: Fix punctuationopswill
Co-authored-by: Daniil Baturin <daniil@baturin.org>
2024-12-13T6918: Accept invalid PPPoE Session in stateful bridge firewall.opswill
2024-10-07xml: T6430: add re-usable vrf CLI node for firewall and pbrChristian Breunig
2024-10-03T6760: firewall: add packet modifications existing in policy route to ↵Nicolas Fort
regular firewall ruleset.
2024-09-10T6698: firewall: add matcher for vlan type. (#4027)Nicolás Fort
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-05firewall: T4694: fix GRE key include path in XMLChristian Breunig
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T6570: firewall: add global-option to configure sysctl parameter for ↵Nicolas Fort
enabling/disabling sending traffic from bridge layer to ipvX layer
2024-08-01T4072: firewall: extend firewall bridge capabilities, in order to include ↵Nicolas Fort
new chains, priorities, and firewall groups
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-05-07T6305: accept ipoe interfaces on firewall rulesetNicolas Fort
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-03-12conntrack: T4022: add RTSP conntrack helperIndrek Ardel
2024-03-05xml: T5738: use generic-disable-node building block for "disable" CLI nodesChristian Breunig
Make the code more uniform and maintainable.
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-23T5977: firewall: remove ipsec options in output chain rule definitions, ↵Nicolas Fort
since it's not supported.
2023-12-26firewall: T5834: Improve log message and simplify log-option includeIndrajit Raychaudhuri
`include/firewall/rule-log-options.xml.i` is now more aptly renamed to `include/firewall/log-options.xml.i`.
2023-12-26firewall: T5834: Remove vestigial include fileIndrajit Raychaudhuri
This file is a left over from previous refactoring and no longer referenced anywhere in the interface definitions.
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.
2023-12-15firewall: T4502: add ofload to firewall table actionsGurliGebis
2023-11-24T5775: firewall: re-add state-policy to firewall. These commands are now ↵Nicolas Fort
included in <set firewall global-options state-policy> node.
2023-11-22T5637: firewall: extend rule for default-action to firewall bridge, in order ↵Nicolas Fort
to be able to catch logs using separte rule for default-action
2023-11-10T5729: firewall: switch to valueless in order to remove unnecessary ↵Nicolas Fort
<enable|disable> commands; log and state moved to new syntax.
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-06T5637: add new rule at the end of base chains for default-actions. This ↵Nicolas Fort
enables log capabilities for default-action in base chains. And of course, add option for enabling log for default-action
2023-09-30Merge pull request #2300 from nicolas-fort/T5600Christian Breunig
T5600: firewall: change constraints for inbound|outbound interface-name
2023-09-29T5616: firewall: add option to be able to match firewall marks in firewall ↵Nicolas Fort
filter and in policy route.
2023-09-28Merge pull request #2295 from sever-sever/T5217-synproxyChristian Breunig
T5217: Add firewall synproxy
2023-09-24firewall: T5614: Add support for matching on conntrack helpersarthurdev