Age | Commit message | Author | |
---|---|---|---|
2024-07-30 | firewall: T4694: incomplete node checks in migration script | Andrew Topp | |
This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached. | |||
2024-07-28 | firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616) | talmakion | |
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain (via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests | |||
2024-07-03 | T6536: change wildcard character from + to * - extend fix to interfaces defined in zone policy. | Nicolas Fort | |
2024-06-26 | migration: T6007: convert all migration scripts to load as module | John Estabrook | |
2024-06-11 | firewall: T3900: fix migration and smoketests | Christian Breunig | |
Commit 770edf016838523 ("T3900: T6394: extend functionalities in firewall") changed the position in the CLI for conntrack timeout. This led to failing smoketests because of a regression in the migrator. | |||
2024-06-04 | T3900: T6394: extend functionalities in firewall; move netfilter sysctl timeout parameters defined in conntrack to firewall global-options section. | Nicolas Fort | |
2024-04-15 | T5535: firewall: migrate command <set system ip disable-directed-broadcast> to firewall global-options | Nicolas Fort | |
2024-04-11 | T6216: firewall: add patch while migrating from 1.3 to 1.4 in order to avoid errors when using character <+> in 1.3 in firewall groups and custom firewall chains. | Nicolas Fort | |
2024-04-06 | T6199: remove unused Python imports from migration scripts | Christian Breunig | |
2024-03-10 | firewall: T6071: truncate rule description field to 255 characters | Christian Breunig | |
2024-01-10 | firewall: T5814: Retain legacy 'accept' behaviour and re-order migration | sarthurdev | |
Pre-1.4 firewall 'accept' action acted as a 'return'. This change ensures the migrated rules meet the expected behaviour. This commit also re-orders migrated in/out/local jumps ordered by direction instead of interface. | |||
2024-01-02 | T5888: fix migration script in order to fit new type-names for icmp and icmpv6. | Nicolas Fort | |
2023-12-26 | firewall: T5834: Migration for 'enable-default-log' to 'default-log' | Indrajit Raychaudhuri | |
2023-11-28 | T5575: Update migration scripts for state policy parsing | Nicolas Fort | |
2023-11-14 | T5729: firewall and policy: fix latest migration script | Nicolas Fort | |
2023-11-10 | T5729: firewall: switch to valueless in order to remove unnecessary <enable|disable> commands; log and state moved to new syntax. | Nicolas Fort | |
2023-10-25 | T5681: Firewall, Nat and Nat66: simplified and standardized interface matcher (valid for interfaces and groups) in firewall, nat and nat66. | Nicolas Fort | |
2023-10-17 | T5541: remove migration script from zone-based firewall to new cli. Syntax remains the same, so no migration is needed regarding this feature | Nicolas Fort | |
2023-08-11 | Merge pull request #2016 from nicolas-fort/T5160 | Christian Breunig | |
T5160: Firewall refactor | |||
2023-08-11 | interface: T5465: adjust-mss: config migration fails if applied to a VLAN or Q-in-Q interface | Christian Breunig | |
When migrating from 1.3 to 1.4 and a user had the following configured: `options { interface eth0.10{ adjust-mss 1452 adjust-mss6 1432 } }` The configuration was wrongly migrated to: `interfaces { ethernet eth0.10 { ipv6 { adjust-mss "1432" } ip { adjust-mss "1452" } }` Instead of: `interfaces { ethernet eth0 { vif 10 { ipv6 { adjust-mss "1432" } ip { adjust-mss "1452" } } }` | |||
2023-08-11 | T5460: remove config-trap from firewall | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: move <set firewall ipv6 ipv6-name ...> to <set firewall ipv6 name ...>. Also fix some unexpected behaviour with geoip. | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: fix firewall template for correct rule parsing that contains fqdn and/or geo-ip in base chains. Fix mig script | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: change firewall ip to firewall ipv4 | Nicolas Fort | |
2023-08-11 | T5160: firewall refactor: new cli structure. Add migration script and update smoketest | Nicolas Fort | |
2023-08-02 | T5427: Fix migration script arguments len expects 2 args | Viacheslav Hletenko | |
The script's name is always provided as the first argument sys.argv[0]. Expected length for argv is 2 (script itself + config file). Change: 'if (len(argv) < 1)' to 'if len(argv) < 2' | |||
2023-03-21 | T5050: Firewall: Add log options | Nicolas Fort | |
2022-11-19 | T4780: Firewall: add firewall groups in firewall. Extend matching criteria so this new group can be used in inbound and outbound matcher | Nicolas Fort | |
2022-09-13 | zone-policy: T2199: Migrate zone-policy to firewall node | sarthurdev | |
2022-09-13 | firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node | sarthurdev | |
* Refactor firewall and zone-policy rule creation and cleanup * Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>` * Remove `firewall-interface.py` conf script | |||
2022-07-05 | firewall: T2199: Fix migration when `icmpv6 type` is an integer | sarthurdev | |
2022-02-04 | firewall: T4209: Fix support for rule `recent` matches | sarthurdev | |
2022-01-28 | firewall: T4217: install protocol tcp_udp if port group does not use a protocol | Christian Poessinger | |
2022-01-21 | firewall: T4186: ICMP/v6 migrations | sarthurdev | |
2022-01-17 | firewall: policy: T4178: Migrate and refactor tcp flags | sarthurdev | |
* Add support for ECN and CWR flags | |||
2021-12-06 | firewall: T2199: Migrate firewall to XML/Python | sarthurdev | |
2021-08-21 | interfaces: T3090: migrate adjust-mss from "firewall options" to "interface" level | Christian Poessinger | |
Getting rid of "set firewall options" and move it from: `set firewall options interface ethX adjust-mss 1400`, `set firewall options interface ethX adjust-mss6 1400` to: `set interfaces ethernet ethX ip adjust-mss 1400`, `set interfaces ethernet ethX ipv6 adjust-mss 1400`. In addition add an extra option called clamp-mss-to-pmtu instead of a value. | |||