diff options
Diffstat (limited to 'interface-definitions')
23 files changed, 625 insertions, 245 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 78a48a522..987ccaca6 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -109,8 +109,13 @@ <format>ipv6</format> <description>IPv6 address to match</description> </valueHelp> + <valueHelp> + <format>ipv6range</format> + <description>IPv6 range to match (e.g. 2002::1-2002::ff)</description> + </valueHelp> <constraint> <validator name="ipv6-address"/> + <validator name="ipv6-range"/> </constraint> <multi/> </properties> @@ -120,7 +125,7 @@ </tagNode> <tagNode name="ipv6-network-group"> <properties> - <help>Network-group member</help> + <help>Firewall ipv6-network-group</help> </properties> <children> #include <include/generic-description.xml.i> @@ -139,6 +144,27 @@ </leafNode> </children> </tagNode> + <tagNode name="mac-group"> + <properties> + <help>Firewall mac-group</help> + </properties> + <children> + #include <include/generic-description.xml.i> + <leafNode name="mac-address"> + <properties> + <help>Mac-group member</help> + <valueHelp> + <format><MAC address></format> + <description>MAC address to match</description> + </valueHelp> + <constraint> + <validator name="mac-address"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> <tagNode name="network-group"> <properties> <help>Firewall network-group</help> @@ -182,6 +208,9 @@ <description>Numbered port range (e.g. 1001-1050)</description> </valueHelp> <multi/> + <constraint> + <validator name="port-range"/> + </constraint> </properties> </leafNode> </children> diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in index f46343c76..ee1d70484 100644 --- a/interface-definitions/high-availability.xml.in +++ b/interface-definitions/high-availability.xml.in @@ -177,8 +177,37 @@ <valueless/> </properties> </leafNode> + <node name="track"> + <properties> + <help>Track settings</help> + </properties> + <children> + <leafNode name="exclude-vrrp-interface"> + <properties> + <valueless/> + <help>Disable track state of main interface</help> + </properties> + </leafNode> + <leafNode name="interface"> + <properties> + <help>Interface name state check</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py --broadcast</script> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface name</description> + </valueHelp> + <constraint> + <validator name="interface-name"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </node> #include <include/vrrp-transition-script.xml.i> - <leafNode name="address"> + <tagNode name="address"> <properties> <help>Virtual IP address</help> <valueHelp> @@ -193,9 +222,11 @@ <validator name="ipv4-host"/> <validator name="ipv6-host"/> </constraint> - <multi/> </properties> - </leafNode> + <children> + #include <include/generic-interface-broadcast.xml.i> + </children> + </tagNode> <leafNode name="excluded-address"> <properties> <help>Virtual address (If you need additional IPv4 and IPv6 in same group)</help> diff --git a/interface-definitions/include/conntrack/log-common.xml.i b/interface-definitions/include/conntrack/log-common.xml.i new file mode 100644 index 000000000..38799f8f4 --- /dev/null +++ b/interface-definitions/include/conntrack/log-common.xml.i @@ -0,0 +1,20 @@ +<!-- include start from conntrack/log-common.xml.i --> +<leafNode name="destroy"> + <properties> + <help>Log connection deletion</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="new"> + <properties> + <help>Log connection creation</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="update"> + <properties> + <help>Log connection updates</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/conntrack/timeout-common-protocols.xml.i b/interface-definitions/include/conntrack/timeout-common-protocols.xml.i new file mode 100644 index 000000000..2676d846e --- /dev/null +++ b/interface-definitions/include/conntrack/timeout-common-protocols.xml.i @@ -0,0 +1,172 @@ +<!-- include start from conntrack/timeout-common-protocols.xml.i --> +<leafNode name="icmp"> + <properties> + <help>ICMP timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>ICMP timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> +</leafNode> +<leafNode name="other"> + <properties> + <help>Generic connection timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>600</defaultValue> +</leafNode> +<node name="tcp"> + <properties> + <help>TCP connection timeout options</help> + </properties> + <children> + <leafNode name="close-wait"> + <properties> + <help>TCP CLOSE-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="close"> + <properties> + <help>TCP CLOSE timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>10</defaultValue> + </leafNode> + <leafNode name="established"> + <properties> + <help>TCP ESTABLISHED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP ESTABLISHED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>432000</defaultValue> + </leafNode> + <leafNode name="fin-wait"> + <properties> + <help>TCP FIN-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP FIN-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="last-ack"> + <properties> + <help>TCP LAST-ACK timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP LAST-ACK timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="syn-recv"> + <properties> + <help>TCP SYN-RECEIVED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-RECEIVED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="syn-sent"> + <properties> + <help>TCP SYN-SENT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-SENT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="time-wait"> + <properties> + <help>TCP TIME-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP TIME-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + </children> +</node> +<node name="udp"> + <properties> + <help>UDP timeout options</help> + </properties> + <children> + <leafNode name="other"> + <properties> + <help>UDP generic timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP generic timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="stream"> + <properties> + <help>UDP stream timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP stream timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>180</defaultValue> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 727200ed7..521fe54f2 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -100,6 +100,7 @@ <help>Protocol to match (protocol name, number, or "all")</help> <completionHelp> <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> </completionHelp> <valueHelp> <format>all</format> @@ -114,8 +115,12 @@ <description>IP protocol number</description> </valueHelp> <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> <format>!<protocol></format> - <description>IP protocol number</description> + <description>IP protocol name</description> </valueHelp> <constraint> <validator name="ip-protocol"/> @@ -171,6 +176,9 @@ <format>!<MAC address></format> <description>Match everything except the specified MAC address</description> </valueHelp> + <constraint> + <validator name="mac-address-firewall"/> + </constraint> </properties> </leafNode> #include <include/firewall/port.xml.i> @@ -259,26 +267,7 @@ </leafNode> </children> </node> -<node name="tcp"> - <properties> - <help>TCP flags to match</help> - </properties> - <children> - <leafNode name="flags"> - <properties> - <help>TCP flags to match</help> - <valueHelp> - <format>txt</format> - <description>TCP flags to match</description> - </valueHelp> - <valueHelp> - <format> </format> - <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description> - </valueHelp> - </properties> - </leafNode> - </children> -</node> +#include <include/firewall/tcp-flags.xml.i> <node name="time"> <properties> <help>Time to match rule</help> diff --git a/interface-definitions/include/firewall/mac-group.xml.i b/interface-definitions/include/firewall/mac-group.xml.i new file mode 100644 index 000000000..dbce3fc88 --- /dev/null +++ b/interface-definitions/include/firewall/mac-group.xml.i @@ -0,0 +1,10 @@ +<!-- include start from firewall/mac-group.xml.i --> +<leafNode name="mac-group"> + <properties> + <help>Group of MAC addresses</help> + <completionHelp> + <path>firewall group mac-group</path> + </completionHelp> + </properties> +</leafNode> +<!-- include start from firewall/mac-group.xml.i -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i index 59d92978b..3bacafff8 100644 --- a/interface-definitions/include/firewall/port.xml.i +++ b/interface-definitions/include/firewall/port.xml.i @@ -16,8 +16,11 @@ </valueHelp> <valueHelp> <format> </format> - <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description> + <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n For example: 'telnet,http,123,1001-1005'</description> </valueHelp> + <constraint> + <validator name="port-multi"/> + </constraint> </properties> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i index 7815b78d4..c2cc7edb3 100644 --- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i +++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i @@ -12,6 +12,7 @@ </completionHelp> </properties> </leafNode> + #include <include/firewall/mac-group.xml.i> <leafNode name="network-group"> <properties> <help>Group of networks</help> diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i index 9a9bed0fe..ab11e89e9 100644 --- a/interface-definitions/include/firewall/source-destination-group.xml.i +++ b/interface-definitions/include/firewall/source-destination-group.xml.i @@ -12,6 +12,7 @@ </completionHelp> </properties> </leafNode> + #include <include/firewall/mac-group.xml.i> <leafNode name="network-group"> <properties> <help>Group of networks</help> diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i new file mode 100644 index 000000000..b99896687 --- /dev/null +++ b/interface-definitions/include/firewall/tcp-flags.xml.i @@ -0,0 +1,119 @@ +<!-- include start from firewall/tcp-flags.xml.i --> +<node name="tcp"> + <properties> + <help>TCP flags to match</help> + </properties> + <children> + <node name="flags"> + <properties> + <help>TCP flags to match</help> + </properties> + <children> + <leafNode name="syn"> + <properties> + <help>Synchronise flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ack"> + <properties> + <help>Acknowledge flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="fin"> + <properties> + <help>Finish flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="rst"> + <properties> + <help>Reset flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="urg"> + <properties> + <help>Urgent flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="psh"> + <properties> + <help>Push flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ecn"> + <properties> + <help>Explicit Congestion Notification flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="cwr"> + <properties> + <help>Congestion Window Reduced flag</help> + <valueless/> + </properties> + </leafNode> + <node name="not"> + <properties> + <help>Match flags not set</help> + </properties> + <children> + <leafNode name="syn"> + <properties> + <help>Synchronise flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ack"> + <properties> + <help>Acknowledge flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="fin"> + <properties> + <help>Finish flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="rst"> + <properties> + <help>Reset flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="urg"> + <properties> + <help>Urgent flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="psh"> + <properties> + <help>Push flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ecn"> + <properties> + <help>Explicit Congestion Notification flag</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="cwr"> + <properties> + <help>Congestion Window Reduced flag</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/interface/interface-policy-vif-c.xml.i b/interface-definitions/include/interface/interface-policy-vif-c.xml.i index 5dad6422b..866fcd5c0 100644 --- a/interface-definitions/include/interface/interface-policy-vif-c.xml.i +++ b/interface-definitions/include/interface/interface-policy-vif-c.xml.i @@ -13,11 +13,11 @@ </completionHelp> </properties> </leafNode> - <leafNode name="ipv6-route"> + <leafNode name="route6"> <properties> <help>IPv6 policy route ruleset for interface</help> <completionHelp> - <path>policy ipv6-route</path> + <path>policy route6</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/interface/interface-policy-vif.xml.i b/interface-definitions/include/interface/interface-policy-vif.xml.i index 5ee80ae13..83510fe59 100644 --- a/interface-definitions/include/interface/interface-policy-vif.xml.i +++ b/interface-definitions/include/interface/interface-policy-vif.xml.i @@ -13,11 +13,11 @@ </completionHelp> </properties> </leafNode> - <leafNode name="ipv6-route"> + <leafNode name="route6"> <properties> <help>IPv6 policy route ruleset for interface</help> <completionHelp> - <path>policy ipv6-route</path> + <path>policy route6</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/interface/interface-policy.xml.i b/interface-definitions/include/interface/interface-policy.xml.i index 06f025af1..42a8fd009 100644 --- a/interface-definitions/include/interface/interface-policy.xml.i +++ b/interface-definitions/include/interface/interface-policy.xml.i @@ -13,11 +13,11 @@ </completionHelp> </properties> </leafNode> - <leafNode name="ipv6-route"> + <leafNode name="route6"> <properties> <help>IPv6 policy route ruleset for interface</help> <completionHelp> - <path>policy ipv6-route</path> + <path>policy route6</path> </completionHelp> </properties> </leafNode> diff --git a/interface-definitions/include/nat-port.xml.i b/interface-definitions/include/nat-port.xml.i index ebba43712..7aabc33c3 100644 --- a/interface-definitions/include/nat-port.xml.i +++ b/interface-definitions/include/nat-port.xml.i @@ -11,7 +11,7 @@ <description>Numbered port range (e.g. 1001-1005)</description> </valueHelp> <valueHelp> - <format> </format> + <format/> <description>\n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005'</description> </valueHelp> </properties> diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index 084f1f722..bdb86ed9b 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i @@ -4,7 +4,7 @@ <help>Rule number for NAT</help> <valueHelp> <format>u32:1-999999</format> - <description>Number for this NAT rule</description> + <description>Number of NAT rule</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> @@ -12,11 +12,7 @@ <constraintErrorMessage>NAT rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> - <leafNode name="description"> - <properties> - <help>Rule description</help> - </properties> - </leafNode> + #include <include/generic-description.xml.i> <node name="destination"> <properties> <help>NAT destination parameters</help> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 688e78034..e783f4bec 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -289,6 +289,18 @@ </constraint> </properties> </leafNode> +<leafNode name="maximum-paths"> + <properties> + <help>Maximum multiple paths (ECMP)</help> + <valueHelp> + <format>u32:1-64</format> + <description>Maximum multiple paths (ECMP)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-64"/> + </constraint> + </properties> +</leafNode> <node name="distance"> <properties> <help>Administrative distance</help> diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i index 2d6adcd1d..406125e55 100644 --- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i +++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i @@ -232,6 +232,9 @@ <format>!<MAC address></format> <description>Match everything except the specified MAC address</description> </valueHelp> + <constraint> + <validator name="mac-address-firewall"/> + </constraint> </properties> </leafNode> #include <include/firewall/port.xml.i> @@ -320,26 +323,7 @@ </leafNode> </children> </node> -<node name="tcp"> - <properties> - <help>TCP flags to match</help> - </properties> - <children> - <leafNode name="flags"> - <properties> - <help>TCP flags to match</help> - <valueHelp> - <format>txt</format> - <description>TCP flags to match</description> - </valueHelp> - <valueHelp> - <format> </format> - <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description> - </valueHelp> - </properties> - </leafNode> - </children> -</node> +#include <include/firewall/tcp-flags.xml.i> <node name="time"> <properties> <help>Time to match rule</help> diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i index c4deefd2a..33c4ba77c 100644 --- a/interface-definitions/include/policy/route-common-rule.xml.i +++ b/interface-definitions/include/policy/route-common-rule.xml.i @@ -232,6 +232,9 @@ <format>!<MAC address></format> <description>Match everything except the specified MAC address</description> </valueHelp> + <constraint> + <validator name="mac-address-firewall"/> + </constraint> </properties> </leafNode> #include <include/firewall/port.xml.i> @@ -320,26 +323,7 @@ </leafNode> </children> </node> -<node name="tcp"> - <properties> - <help>TCP flags to match</help> - </properties> - <children> - <leafNode name="flags"> - <properties> - <help>TCP flags to match</help> - <valueHelp> - <format>txt</format> - <description>TCP flags to match</description> - </valueHelp> - <valueHelp> - <format> </format> - <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description> - </valueHelp> - </properties> - </leafNode> - </children> -</node> +#include <include/firewall/tcp-flags.xml.i> <node name="time"> <properties> <help>Time to match rule</help> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 7a7c9c1d9..1b4b4a816 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -101,6 +101,7 @@ </valueHelp> <constraint> <validator name="ip-address"/> + <validator name="ipv6-link-local"/> </constraint> </properties> </leafNode> diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index ed726d1e4..4ce953b52 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -2,9 +2,9 @@ <interfaceDefinition> <node name="policy"> <children> - <tagNode name="ipv6-route" owner="${vyos_conf_scripts_dir}/policy-route.py"> + <tagNode name="route6" owner="${vyos_conf_scripts_dir}/policy-route.py"> <properties> - <help>IPv6 policy route rule set name</help> + <help>Policy route rule set name for IPv6</help> <priority>201</priority> </properties> <children> @@ -12,7 +12,15 @@ #include <include/firewall/name-default-log.xml.i> <tagNode name="rule"> <properties> - <help>Rule number (1-9999)</help> + <help>Policy rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number of policy rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Policy rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> <node name="destination"> @@ -42,7 +50,7 @@ </tagNode> <tagNode name="route" owner="${vyos_conf_scripts_dir}/policy-route.py"> <properties> - <help>Policy route rule set name</help> + <help>Policy route rule set name for IPv4</help> <priority>201</priority> </properties> <children> @@ -50,7 +58,15 @@ #include <include/firewall/name-default-log.xml.i> <tagNode name="rule"> <properties> - <help>Rule number (1-9999)</help> + <help>Policy rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number of policy rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Policy rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> <node name="destination"> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 225f9a6f9..61c5ab90a 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -793,7 +793,7 @@ </node> <leafNode name="local-preference"> <properties> - <help>local-preference_help</help> + <help>Local Preference</help> <valueHelp> <format>u32:0-4294967295</format> <description>Local Preference</description> diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in index daa4177c9..65edab839 100644 --- a/interface-definitions/system-conntrack.xml.in +++ b/interface-definitions/system-conntrack.xml.in @@ -35,6 +35,128 @@ </properties> <defaultValue>32768</defaultValue> </leafNode> + <node name="ignore"> + <properties> + <help>Customized rules to ignore selective connection tracking</help> + </properties> + <children> + <tagNode name="rule"> + <properties> + <help>Rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number of conntrack ignore rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/generic-description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/nat-address.xml.i> + #include <include/nat-port.xml.i> + </children> + </node> + <leafNode name="inbound-interface"> + <properties> + <help>Interface to ignore connections tracking on</help> + <completionHelp> + <list>any</list> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + </leafNode> + #include <include/ip-protocol.xml.i> + <leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> + </leafNode> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/nat-address.xml.i> + #include <include/nat-port.xml.i> + </children> + </node> + </children> + </tagNode> + </children> + </node> + <node name="log"> + <properties> + <help>Log connection tracking events per protocol</help> + </properties> + <children> + <node name="icmp"> + <properties> + <help>Log connection tracking events for ICMP</help> + </properties> + <children> + #include <include/conntrack/log-common.xml.i> + </children> + </node> + <node name="other"> + <properties> + <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help> + </properties> + <children> + #include <include/conntrack/log-common.xml.i> + </children> + </node> + <node name="tcp"> + <properties> + <help>Log connection tracking events for TCP</help> + </properties> + <children> + #include <include/conntrack/log-common.xml.i> + </children> + </node> + <node name="udp"> + <properties> + <help>Log connection tracking events for UDP</help> + </properties> + <children> + #include <include/conntrack/log-common.xml.i> + </children> + </node> + </children> + </node> <node name="modules"> <properties> <help>Connection tracking modules</help> @@ -155,176 +277,66 @@ <help>Connection timeout options</help> </properties> <children> - <leafNode name="icmp"> - <properties> - <help>ICMP timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>ICMP timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>30</defaultValue> - </leafNode> - <leafNode name="other"> - <properties> - <help>Generic connection timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>Generic connection timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>600</defaultValue> - </leafNode> - <node name="tcp"> - <properties> - <help>TCP connection timeout options</help> - </properties> - <children> - <leafNode name="close-wait"> - <properties> - <help>TCP CLOSE-WAIT timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP CLOSE-WAIT timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>60</defaultValue> - </leafNode> - <leafNode name="close"> - <properties> - <help>TCP CLOSE timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP CLOSE timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>10</defaultValue> - </leafNode> - <leafNode name="established"> - <properties> - <help>TCP ESTABLISHED timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP ESTABLISHED timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>432000</defaultValue> - </leafNode> - <leafNode name="fin-wait"> - <properties> - <help>TCP FIN-WAIT timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP FIN-WAIT timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>120</defaultValue> - </leafNode> - <leafNode name="last-ack"> - <properties> - <help>TCP LAST-ACK timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP LAST-ACK timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>30</defaultValue> - </leafNode> - <leafNode name="syn-recv"> - <properties> - <help>TCP SYN-RECEIVED timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP SYN-RECEIVED timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>60</defaultValue> - </leafNode> - <leafNode name="syn-sent"> - <properties> - <help>TCP SYN-SENT timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP SYN-SENT timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>120</defaultValue> - </leafNode> - <leafNode name="time-wait"> - <properties> - <help>TCP TIME-WAIT timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>TCP TIME-WAIT timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>120</defaultValue> - </leafNode> - </children> - </node> - <node name="udp"> + <node name="custom"> <properties> - <help>UDP timeout options</help> + <help>Define custom timeouts per connection</help> </properties> <children> - <leafNode name="other"> + <tagNode name="rule"> <properties> - <help>UDP generic timeout in seconds</help> + <help>Rule number</help> <valueHelp> - <format>u32:1-21474836</format> - <description>UDP generic timeout in seconds</description> + <format>u32:1-999999</format> + <description>Number of conntrack rule</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-21474836"/> + <validator name="numeric" argument="--range 1-999999"/> </constraint> + <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> </properties> - <defaultValue>30</defaultValue> - </leafNode> - <leafNode name="stream"> - <properties> - <help>UDP stream timeout in seconds</help> - <valueHelp> - <format>u32:1-21474836</format> - <description>UDP stream timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-21474836"/> - </constraint> - </properties> - <defaultValue>180</defaultValue> - </leafNode> + <children> + #include <include/generic-description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/nat-address.xml.i> + #include <include/nat-port.xml.i> + </children> + </node> + <leafNode name="inbound-interface"> + <properties> + <help>Interface to ignore connections tracking on</help> + <completionHelp> + <list>any</list> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + </leafNode> + #include <include/ip-protocol.xml.i> + <node name="protocol"> + <properties> + <help>Customize protocol specific timers, one protocol configuration per rule</help> + </properties> + <children> + #include <include/conntrack/timeout-common-protocols.xml.i> + </children> + </node> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/nat-address.xml.i> + #include <include/nat-port.xml.i> + </children> + </node> + </children> + </tagNode> </children> </node> + #include <include/conntrack/timeout-common-protocols.xml.i> </children> </node> </children> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 0c2205410..afa3d52a0 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -286,7 +286,7 @@ </node> <leafNode name="ikev2-reauth"> <properties> - <help>ikev2-reauth_help</help> + <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help> <completionHelp> <list>yes no</list> </completionHelp> |