| Age | Commit message | Author |
|---|---|---|
| 2023-08-15 | T5478: remove config-trap configuration parser in firewall | Nicolas Fort |
| 2023-08-12 | T5160: fix merge regression | John Estabrook |
| 2023-08-11 | T5460: remove config-trap from firewall | Nicolas Fort |
| 2023-08-11 | T5160: firewall refactor: move `<set firewall ipv6 ipv6-name ...>` to `<set firewall ipv6 name ...>`. Also fix some unexpected behaviour with geoip. | Nicolas Fort |
| 2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort |
| 2023-08-11 | T5160: firewall refactor: new cli structure. Update jinja templates, python scripts and src firewall | Nicolas Fort |
| 2023-08-07 | T5319: remove workarounds for defaults in firewall.py | John Estabrook |
| 2023-07-14 | T5195: vyos.util -> vyos.utils package refactoring (#2093) | Christian Breunig |
| | * T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process | |
| | * T5195: use read_file and write_file implementation from vyos.utils.file. Changed code automatically using: `find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +` and `find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +` | |
| | * T5195: move `chmod*` helpers to vyos.utils.permission | |
| | * T5195: use colon_separated_to_dict from vyos.utils.dict | |
| | * T5195: move `is_systemd_service_*` to vyos.utils.process | |
| | * T5195: fix boot issues with missing imports | |
| | * T5195: move `dict_search_*` helpers to vyos.utils.dict | |
| | * T5195: move network helpers to vyos.utils.network | |
| | * T5195: move `commit_*` helpers to vyos.utils.commit | |
| | * T5195: move user I/O helpers to vyos.utils.io | |
| 2023-04-10 | T5065: Add verify for firewall port-group and port | Viacheslav Hletenko |
| | We cannot use both 'port' and 'port-group' for the same direction in one rule at the same time. Otherwise it generates wrong rules that don't block anything: `set P_pgrp { type inet_service flags interval auto-merge elements = { 101-105 } } chain NAME_foo { tcp dport 22 tcp dport @P_pgrp counter drop comment "foo-10" counter return comment "foo default-action accept" }` | |
| 2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort |
| 2023-02-28 | T5037: Firewall: Add queue action and options to firewall | Nicolas Fort |
| 2022-12-17 | Merge pull request #1626 from nicolas-fort/fwall_group_interface | Christian Poessinger |
| | T4780: Firewall: add firewall groups in firewall. Extend matching cri… | |
| 2022-12-03 | Merge pull request #1691 from sarthurdev/T478 | Christian Poessinger |
| | firewall: T478: Fix firewall group circular dependency check | |
| 2022-12-03 | firewall: T478: Fix firewall group circular dependency check | sarthurdev |
| 2022-11-28 | conf-mode: T4845: add external file for dict of config-mode dependencies | John Estabrook |
| 2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria so this new group can be used in inbound and outbound matcher | Nicolas Fort |
| 2022-11-17 | firewall: T4821: correct calling of conf_mode script dependencies | John Estabrook |
| 2022-11-03 | nat: T1877: T970: Add firewall groups to NAT | sarthurdev |
| 2022-11-03 | firewall: T970: Refactor domain resolver, add firewall source/destination `fqdn` node | sarthurdev |
| 2022-09-16 | T4699: Firewall: Add jump action in firewall ruleset | Nicolas Fort |
| 2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev |
| 2022-09-13 | firewall: T4605: Rename filter tables to vyos_filter | sarthurdev |
| 2022-09-13 | firewall: T2199: Move initial firewall tables to data | sarthurdev |
| 2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node | sarthurdev |
| | * Refactor firewall and zone-policy rule creation and cleanup | |
| | * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` | |
| | * Remove `firewall-interface.py` conf script | |
| 2022-08-30 | firewall: T4655: implement XML defaultValue for name and ipv6-name | Christian Poessinger |
| | This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML `<defaultValue>` node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLI's completion helper ("?"). | |
| 2022-06-14 | firewall: T970: Use set prefix to domain groups | sarthurdev |
| 2022-06-14 | firewall: T4147: Use named sets for firewall groups | sarthurdev |
| | * Refactor nftables clean-up code | |
| | * Adds policy route test for using firewall groups | |
| 2022-06-11 | firewall: T4299: Add support for GeoIP filtering | sarthurdev |
| 2022-06-10 | Merge pull request #1356 from sarthurdev/nested_groups | Christian Poessinger |
| | firewall: T478: Add support for nesting groups | |
| 2022-06-10 | firewall: T478: Add support for nesting groups | sarthurdev |
| 2022-06-10 | firewall: T970: Fix for Regex for domain and check empty group | Viacheslav Hletenko |
| | It can be more than 5 symbols in top-level-domain address, for example '.photography' and '.accountants'. Firewall group can be added without address: `set firewall group domain-group DOMAIN`. Check if 'address' exists in group_config | |
| 2022-06-05 | firewall: T970: Maintain a domain state to fallback if resolution fails | sarthurdev |
| 2022-05-28 | firewall: T970: Add firewall group domain-group | Viacheslav Hletenko |
| | Domain group allows to filter addresses by domain name. Resolved addresses as elements are stored to named "nft set" that used in the nftables rules. Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec. | |
| | `set firewall group domain-group DOMAINS address 'example.com'` | |
| | `set firewall group domain-group DOMAINS address 'example.org'` | |
| | `set firewall name FOO rule 10 action 'drop'` | |
| | `set firewall name FOO rule 10 source group domain-group 'DOMAINS'` | |
| | `set interfaces ethernet eth0 firewall local name 'FOO'` | |
| | `nft list table ip filter` output: `table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }` | |
| 2022-05-01 | firewall: T4353: fix Jinja2 linting errors | Christian Poessinger |
| 2022-04-16 | vyos.base: use Warning() helper where applicable | Christian Poessinger |
| 2022-04-06 | firewall: T4345: Fix incorrect rule limit rate syntax | sarthurdev |
| 2022-02-04 | firewall: T4209: Fix support for rule `recent` matches | sarthurdev |
| 2022-01-31 | firewall: T2199: Fix errors when referencing an empty chain | sarthurdev |
| 2022-01-29 | firewall: T4216: Add support for negated firewall groups | sarthurdev |
| 2022-01-29 | firewall: T4218: Adds a prefix to all user defined chains | sarthurdev |
| 2022-01-21 | firewall: T2199: Verify correct ICMP protocol for ipv4/ipv6 | sarthurdev |
| 2022-01-18 | firewall: T2199: Raise ConfigError if deleted node is used in zone-policy | sarthurdev |
| 2022-01-18 | firewall: policy: T1292: Clean up any rules required to delete a chain | sarthurdev |
| 2022-01-17 | firewall: policy: T4178: Migrate and refactor tcp flags | sarthurdev |
| | * Add support for ECN and CWR flags | |
| 2022-01-14 | firewall: T4178: Use lowercase for TCP flags and add a validator | sarthurdev |
| 2022-01-11 | firewall: T4159: Add warning when an empty group is applied to a rule | sarthurdev |
| 2022-01-11 | firewall: policy: T2199: Reload policy route script if `firewall group` node is changed | sarthurdev |
| 2022-01-11 | firewall: policy: T4159: T4164: Fix empty firewall groups, create separate file for group definitions. | sarthurdev |
| 2022-01-10 | firewall: 4149: Fix verify steps being bypassed when base node is removed | sarthurdev |
| 2022-01-05 | firewall: zone-policy: T4133: Prevent firewall from trying to clean-up zone-policy chains | sarthurdev |
| | * Prevent firewall names from using the reserved VZONE prefix | |