summaryrefslogtreecommitdiff
path: root/smoketest/scripts/cli/test_firewall.py
AgeCommit message (Collapse)Author
13 daysfirewall: T8761: re-introduce VRF interface names in generated firewall configDavid Vølker
This change re-implements the intended behaviour from T4180 aswell as from T4506, it ensures that both the vrf-member interface aswell as the vrf itself is added as an oifname -> meaning that traffic traversing and originating from withing VyOS is matches outbound. Changes done by c-po: * re-sort dependency list to keep diff low * vyos.configdict.is_vrf_changed() should return early and not carry over the to-be return value * keep common coding style (dict by . separation) in nftables-zone.j2 Co-authored-by: Christian Breunig <christian@breunig.cc>
2026-06-04geoip: T5746: Add GeoIP ASN supportsarthurdev
2026-04-21Merge pull request #5100 from sarthurdev/T8446Daniil Baturin
firewall: T8446: Prevent chain with offload rule on local zone
2026-04-01firewall: T8275: Resolve migration issue for 'weekdays' option from 1.3.8Oleksandr Kuchmystyi
Fix error parsing for day of week while loading firewall configuration.
2026-03-31firewall: T8446: Prevent chain with offload rule on local zonesarthurdev
* Add warning when defining `offload-target` without setting action to `offload`
2026-03-17T8387: smoketest: add add-address-to-group destination-address checksAlex Kudentsov
2025-11-24Merge pull request #4672 from apschultz/zone_default_firewall_rulesetSimon
firewall: T7739: Default ruleset for firewall zones
2025-11-05firewall: T7112: Default action drop failsOleksandr Kuchmystyi
Prevent `KeyError` by safely handling missing 'member' dict in zone config. Add smoketest to verify commit fails gracefully when zone has no interfaces.
2025-10-31T7849: ZBF allow to use wildcard interfaces as memberViacheslav Hletenko
Allow to use wildcard interfaces for zone-based firewall It should allow interfaces like ipoe*/pppoe*/l2tp*
2025-10-21firewall: T7739: Default ruleset for firewall zonesAdam Schultz
In large networks with many zones where simple allow/deny rules are not sufficient, zones become tedious to manage. Many use cases can be simplified by providing an ability to define a default ruleset for traffic from other zones. This change proposes adding the follwing syntax: set firewall zone <name> default_firewall name <name> set firewall zone <name> default_firewall ipv6_name <name> The proposed behavior is the following: local in: The default firewall ruleset for the local zone will be appended after all from configurations. local out: If a non-local zone does not have a from local ruleset but does have a default_firewall ruleset, the default_firewall ruleset will be appended using oifname forward: The default firewall ruleset for the zone will be appended after all from configurations To keep the behavior consistent with from ruleset configurations, a return is appended after the default_firewall ruleset. The proposed behavior differs slightly from the default_policy configuration for the local out chains. The default_policy applied in the out templates comes from the local zone, not the actual outbound zone. The proposed change does not amend this, but does make default_firewall logically consistent with the intent of the out rules.
2025-10-21T7948: always call setUp() and tearDown() base class methodsChristian Breunig
While working on task T7664 (FRR 10.4 upgrade), I identified the need for additional validation and safeguards around the FRR management daemon. The most appropriate place for this logic is in the setUp() and tearDown() methods of the smoketest base class, VyOSUnitTestSHIM. However, during implementation, it became apparent that test cases do not consistently invoke the base class's setup and teardown methods. This inconsistency complicates the process of capturing the FRR mgmtd PID at the start of a test and verifying that it remains unchanged by the end - a key step in detecting crashes or unexpected terminations (e.g., SIGSEGV) of the FRR management daemon during tests.
2025-09-30smoketest: T7858: make failfast main argument dynamicChristian Breunig
When smoketest debugging is enabled (by creating the file /tmp/vyos.smoketest.debug), all available smoketests will fail fast instead of running to completion. This helps reduce test time when something is broken or undergoing refactoring, as it avoids waiting for the full test suite to finish.
2025-09-22Merge pull request #4698 from l0crian1/fw-disable-conntrackDaniil Baturin
firewall: T7475: Add an option to disable conntrack for individual firewall chaisn
2025-09-16Merge pull request #4506 from davi2367/zbf-vrfDaniil Baturin
firewall: T7452: update rule generation for Zone-based firewall
2025-09-05Firewall: T7475: Disable conntrack per firewall chainl0crian1
- Added command to disable conntrack per firewall chain - Added test_disable_conntrack_per_chain function to smoketest
2025-06-30firewall: T7452: update rule generation for Zone-based firewallDavid Vølker
2025-06-28T7591: remove copyright years from source filesChristian Breunig
The legal team says years are not necessary so we can go ahead with it, since it will simplify backporting. Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \ 's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g' In addition we will error-out during "make" if someone re-adds a legacy copyright notice
2025-06-17firewall: T6951: Add a configuration command for ethertypes that bridge ↵Nataliia Solomko
firewalls should always accept
2025-06-05T7523: firewall: Accepting invalid traffic for pppoe discovery and wolopswill
2025-06-01T7512: Update smoketest for invalid traffic for VLAN aware bridgeIndrajit Raychaudhuri
2025-05-21flowtable: T7350: Prevent interface deletion if referenced on flowtablesarthurdev
2025-05-07T7386: firewall: allow mix of IPv4 and IPv6 addresses/prefixes/ranges in ↵Mark Hayes
remote groups
2025-04-19T7358: add offload option to global state policyl0crian1
- Added smoketest for offload in global state policy
2025-03-21firewall: T5493: Implement remote-groupAlex W
2025-02-20firewall: T7148: Bridge state-policy uses drop in place of rejectsarthurdev
2025-02-19firewall: T7177: update interface-name.xml.i constraint and smoketest to ↵Mark
support pod interfaces from containers
2025-01-06T6841: firewall: Fixed issues in ZBF when using VRFsaapostoliuk
Improve config parsing for ZBF when using VRFs and interfaces attached to VRFs
2025-01-06T6841: firewall: improve config parsing for ZBF when using VRFs and ↵Nicolas Fort
interfaces attached to VRFs
2024-12-13T6918: Accept invalid PPPoE Session in stateful bridge firewall.opswill
2024-10-03T6760: firewall: add packet modifications existing in policy route to ↵Nicolas Fort
regular firewall ruleset.
2024-09-10T6698: firewall: add matcher for vlan type. (#4027)Nicolás Fort
2024-08-28T6647: firewall. Introduce patch for accepting ARP and DHCP replies on ↵Nicolas Fort
stateful bridge firewall. This patch is needed because ARP and DHCP are marked as invalid connections. Also, add ehternet-type matcher in bridge firewall.
2024-08-14T6636: firewall: fix firewall template in order to write logs for ↵Nicolas Fort
default-action in order to match same structure as in rules. This way op-mode command for showing firewall log prints logs for default-actions too
2024-08-09T6643: firewall: fix ip address range parsing on firewall rules.Nicolas Fort
2024-08-04firewall: T4694: Adding GRE flags & fields matches to firewall rulesAndrew Topp
* Only matching flags and fields used by modern RFC2890 "extended GRE" - this is backwards-compatible, but does not match all possible flags. * There are no nftables helpers for the GRE key field, which is critical to match individual tunnel sessions (more detail in the forum post) * nft expression syntax is not flexible enough for multiple field matches in a single rule and the key offset changes depending on flags. * Thus, clumsy compromise in requiring an explicit match on the "checksum" flag if a key is present, so we know where key will be. In most cases, nobody uses the checksum, but assuming it to be off or automatically adding a "not checksum" match unless told otherwise would be confusing * The automatic "flags key" check when specifying a key doesn't have similar validation, I added it first and it makes sense. I would still like to find a workaround to the "checksum" offset problem. * If we could add 2 rules from 1 config definition, we could match both cases with appropriate offsets, but this would break existing FW generation logic, logging, etc. * Added a "test_gre_match" smoketest
2024-08-02T4072: change same helpers in xml definitions; add notrack action for ↵Nicolas Fort
prerouting chain; re introduce <set vrf> in policy; change global options for passing traffic to IPvX firewall; update smoketest
2024-08-01T4072: firewall: extend firewall bridge smoketestNicolas Fort
2024-07-28firewall: T4694: Adding rt ipsec exists/missing match to firewall configs ↵talmakion
(#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
2024-06-04T3900: T6394: extend functionalities in firewall; move netfilter sysctl ↵Nicolas Fort
timeout parameters defined in conntrack to firewall global-opton section.
2024-05-15T3900: add support for raw table in firewall.Nicolas Fort
2024-04-15T5535: firewall: migrate command <set system ip disable-directed-broadcast> ↵Nicolas Fort
to firewall global-optinos
2024-03-20conntrack: T6147: Enable conntrack when firewall state-policy is definedsarthurdev
* Move global state-policy smoketest to it's own test, verify conntrack
2024-03-05T6061: fix rule parsing when connection-status is usedNicolas Fort
2024-02-27smoketest: T5160: Deduplicate nftables verify functions to testcase class, ↵sarthurdev
remove obsolete imports
2024-02-13T5928: Smoketest change firewall flowtable test to use VLANViacheslav Hletenko
2024-02-12T6019: fix smoketest after upgrading nftables and libnftnl packages.Nicolas Fort
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-12T5922: firewall: fix intra-zone filtering parsing rules; update firewall ↵Nicolas Fort
smoketest
2023-12-26firewall: T5834: Rename 'enable-default-log' to 'default-log'Indrajit Raychaudhuri
Rename chain level defaults log option from `enable-default-log` to `default-log` for consistency.