
Make firewall groups work everywhere that's appropriate
In progress, Normal | Public | FEATURE REQUEST

Description

Coming from other platforms, it's a bit of a disconnect that the firewall groups aren't usable universally. There might be other places where it could be appropriate to use them, but NAT is one that comes to mind.

For example:

set firewall group network-group PRIVATE-NETWORKS network '10.0.0.0/8'
set firewall group network-group PRIVATE-NETWORKS network '192.168.0.0/16'
set firewall group network-group PRIVATE-NETWORKS network '172.16.0.0/12'

It would be nice to have something like:

set nat source rule 102 outbound-interface 'eth0'
set nat source rule 102 source network-group PRIVATE-NETWORKS
set nat source rule 102 translation address 'masquerade'

Obviously the same could apply for port-groups, address-groups, etc.
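
What the proposed rule 102 amounts to when written with the per-network `source address` match, as an added example that is not part of the original task or of VyOS itself. The helper name `expand` and the consecutive rule numbering (102, 103, 104) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the group and the proposed NAT rule from the task description.
CONFIG = """\
set firewall group network-group PRIVATE-NETWORKS network '10.0.0.0/8'
set firewall group network-group PRIVATE-NETWORKS network '192.168.0.0/16'
set firewall group network-group PRIVATE-NETWORKS network '172.16.0.0/12'
set nat source rule 102 outbound-interface 'eth0'
set nat source rule 102 source network-group PRIVATE-NETWORKS
set nat source rule 102 translation address 'masquerade'
"""

GROUP_RE = re.compile(r"set firewall group network-group (\S+) network '?([^'\s]+)'?$")
NAT_RE = re.compile(r"set nat source rule (\d+) (.+)$")
REF_RE = re.compile(r"source network-group (\S+)$")


def expand(config):
    """Return NAT 'set' commands with each group reference expanded into
    one rule per member network (hypothetical helper, not a VyOS tool)."""
    groups, rules = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := GROUP_RE.match(line):
            ipaddress.ip_network(m[2])  # reject malformed or host-bit-set prefixes
            groups.setdefault(m[1], []).append(m[2])
        elif m := NAT_RE.match(line):
            rules.setdefault(int(m[1]), []).append(m[2])
    out = []
    for number in sorted(rules):
        opts = rules[number]
        ref = next((m[1] for o in opts if (m := REF_RE.match(o))), None)
        if ref is None:
            out += [f"set nat source rule {number} {o}" for o in opts]
            continue
        if ref not in groups:
            raise ValueError(f"rule {number}: undefined network-group {ref}")
        for offset, network in enumerate(groups[ref]):
            n = number + offset  # assumption: consecutive rule numbers
            if offset and n in rules:
                # Refuse rather than overwrite or reorder an existing rule.
                raise ValueError(f"rule {n} already exists")
            for o in opts:
                o = f"source address '{network}'" if REF_RE.match(o) else o
                out.append(f"set nat source rule {n} {o}")
    return out


if __name__ == "__main__":
    print("\n".join(expand(CONFIG)))
```

Keeping the prefixes in one group and generating the NAT rules from it avoids the firewall policy and the NAT rules drifting apart when a network is added or removed.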

Details

Difficulty level
Hard (possibly days)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Status | Subtype | Assigned | Task
Needs testing | | sdev |
In progress | FEATURE REQUEST | sdev |

Event Timeline

syncer triaged this task as Normal priority. Dec 21 2018, 10:28 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

ipsec policies, policy prefix-lists,

Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
Viacheslav set Is it a breaking change? to Unspecified (possibly destroys the router).
sdev changed the task status from Open to In progress. Thu, Nov 3, 7:41 PM
sdev claimed this task.
sdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
sdev added a subscriber: sdev.