T6760: add docs for new commands available in firewall: packet modifications commands.

This commit is contained in:
Nicolas Fort 2024-10-08 14:33:59 -03:00
parent 1bbe5de12c
commit 177ba9dd0d
3 changed files with 138 additions and 0 deletions

View File

@ -386,6 +386,44 @@ described in this section:
Match based on VLAN priority (Priority Code Point - PCP). Range is also Match based on VLAN priority (Priority Code Point - PCP). Range is also
supported. supported.
Packet Modifications
====================
Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
packets before they are sent out. This feaure provides more flexibility in
packet handling.
.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
rule <1-999999> set dscp <0-63>
Set a specific value of Differentiated Services Codepoint (DSCP).
.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
rule <1-999999> set mark <1-2147483647>
Set a specific packet mark value.
.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
rule <1-999999> set tcp-mss <500-1460>
Set the TCP-MSS (TCP maximum segment size) for the connection.
.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
rule <1-999999> set ttl <0-255>
Set the TTL (Time to Live) value.
.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
rule <1-999999> set hop-limit <0-255>
Set hop limit value.
.. cfgcmd:: set firewall bridge [forward | output] filter
rule <1-999999> set connection-mark <0-2147483647>
Set connection mark value.
Use IP firewall Use IP firewall
=============== ===============

View File

@ -980,6 +980,56 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts. matching criteria can be used to block brute-force attempts.
Packet Modifications
====================
Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
packets before they are sent out. This feaure provides more flexibility in
packet handling.
.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
set dscp <0-63>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
set dscp <0-63>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set dscp <0-63>
Set a specific value of Differentiated Services Codepoint (DSCP).
.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
set mark <1-2147483647>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
set mark <1-2147483647>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set mark <1-2147483647>
Set a specific packet mark value.
.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
set tcp-mss <500-1460>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
set tcp-mss <500-1460>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set tcp-mss <500-1460>
Set the TCP-MSS (TCP maximum segment size) for the connection.
.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
set ttl <0-255>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
set ttl <0-255>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set ttl <0-255>
Set the TTL (Time to Live) value.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
set connection-mark <0-2147483647>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set connection-mark <0-2147483647>
Set connection mark value.
******** ********
Synproxy Synproxy
******** ********
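Review bot: "feaure" in the introductory paragraph should read "feature" (same typo as in the bridge file). The `set connection-mark` option is listed for `forward filter` and `output [filter | raw]` but not for `prerouting raw`, unlike the other four `set` options; a one-line note explaining why it is unavailable in the prerouting raw chain (the raw hook runs before connection tracking) would save readers from assuming the entry was simply forgotten. The range asymmetry between `set mark <1-2147483647>` and `set connection-mark <0-2147483647>` also appears here and should be confirmed as deliberate.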

View File

@ -970,6 +970,56 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts. matching criteria can be used to block brute-force attempts.
Packet Modifications
====================
Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
packets before they are sent out. This feaure provides more flexibility in
packet handling.
.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
set dscp <0-63>
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
set dscp <0-63>
.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
set dscp <0-63>
Set a specific value of Differentiated Services Codepoint (DSCP).
.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
set mark <1-2147483647>
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
set mark <1-2147483647>
.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
set mark <1-2147483647>
Set a specific packet mark value.
.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
set tcp-mss <500-1460>
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
set tcp-mss <500-1460>
.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
set tcp-mss <500-1460>
Set the TCP-MSS (TCP maximum segment size) for the connection.
.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
set hop-limit <0-255>
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
set hop-limit <0-255>
.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
set hop-limit <0-255>
Set hop limit value.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
set connection-mark <0-2147483647>
.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
set connection-mark <0-2147483647>
Set connection mark value.
******** ********
Synproxy Synproxy
******** ********
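Review bot: the second `connection-mark` command in this IPv6 hunk is wrong: `.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999> set connection-mark <0-2147483647>` uses the `ipv4` family inside the IPv6 documentation and should be `set firewall ipv6 output [filter | raw] rule <1-999999>`, matching the `forward filter` entry directly above it. The "feaure" typo in the introductory paragraph should also be corrected to "feature" here.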