Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/firewall.xml.in782
-rw-r--r--interface-definitions/include/bgp/afi-common.xml.i12
-rw-r--r--interface-definitions/include/bgp/protocol-common-config.xml.i1
-rw-r--r--interface-definitions/include/conntrack-module-disable.xml.i8
-rw-r--r--interface-definitions/include/firewall/action-accept-drop-reject.xml.i25
-rw-r--r--interface-definitions/include/firewall/action.xml.i21
-rw-r--r--interface-definitions/include/firewall/address-ipv6.xml.i37
-rw-r--r--interface-definitions/include/firewall/address.xml.i39
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i326
-rw-r--r--interface-definitions/include/firewall/description.xml.i11
-rw-r--r--interface-definitions/include/firewall/icmp-type-name.xml.i173
-rw-r--r--interface-definitions/include/firewall/log.xml.i15
-rw-r--r--interface-definitions/include/firewall/name-default-action.xml.i25
-rw-r--r--interface-definitions/include/firewall/name-default-log.xml.i8
-rw-r--r--interface-definitions/include/firewall/port.xml.i23
-rw-r--r--interface-definitions/include/firewall/source-destination-group.xml.i24
-rw-r--r--interface-definitions/include/interface/interface-parameters-key.xml.i2
-rw-r--r--interface-definitions/include/interface/vif.xml.i14
-rw-r--r--interface-definitions/include/ip-protocol.xml.i17
-rw-r--r--interface-definitions/include/isis/default-information-level.xml.i32
-rw-r--r--interface-definitions/include/isis/metric.xml.i14
-rw-r--r--interface-definitions/include/isis/protocol-common-config.xml.i71
-rw-r--r--interface-definitions/interfaces-bonding.xml.in20
-rw-r--r--interface-definitions/interfaces-tunnel.xml.in11
-rw-r--r--interface-definitions/interfaces-vti.xml.in39
-rw-r--r--interface-definitions/ipsec-settings.xml.in1
-rw-r--r--interface-definitions/policy.xml.in12
-rw-r--r--interface-definitions/protocols-nhrp.xml.in134
-rw-r--r--interface-definitions/protocols-ospfv3.xml.in20
-rw-r--r--interface-definitions/protocols-rpki.xml.in2
-rw-r--r--interface-definitions/service_conntrack-sync.xml.in164
-rw-r--r--interface-definitions/service_pppoe-server.xml.in39
-rw-r--r--interface-definitions/service_router-advert.xml.in68
-rw-r--r--interface-definitions/system-conntrack.xml.in348
-rw-r--r--interface-definitions/system-sysctl.xml.in40
-rw-r--r--interface-definitions/vpn_ipsec.xml.in109
-rw-r--r--interface-definitions/vpn_pptp.xml.in1
-rw-r--r--interface-definitions/vpn_rsa-keys.xml.in47
38 files changed, 2589 insertions, 146 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
new file mode 100644
index 000000000..5528d6bc5
--- /dev/null
+++ b/interface-definitions/firewall.xml.in
@@ -0,0 +1,782 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="nfirewall" owner="${vyos_conf_scripts_dir}/firewall.py">
+ <properties>
+ <priority>199</priority>
+ <help>Firewall</help>
+ </properties>
+ <children>
+ <leafNode name="all-ping">
+ <properties>
+ <help>Policy for handling of all IPv4 ICMP echo requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="broadcast-ping">
+ <properties>
+ <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="config-trap">
+ <properties>
+ <help>SNMP trap generation on firewall configuration changes</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable sending SNMP trap on firewall configuration change</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable sending SNMP trap on firewall configuration change</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="group">
+ <properties>
+ <help>Firewall group</help>
+ </properties>
+ <children>
+ <tagNode name="address-group">
+ <properties>
+ <help>Firewall address-group</help>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>Address-group member</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4range</format>
+ <description>IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-range"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/firewall/description.xml.i>
+ </children>
+ </tagNode>
+ <tagNode name="ipv6-address-group">
+ <properties>
+ <help>Firewall ipv6-address-group</help>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>Address-group member</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/firewall/description.xml.i>
+ </children>
+ </tagNode>
+ <tagNode name="ipv6-network-group">
+ <properties>
+ <help>Network-group member</help>
+ </properties>
+ <children>
+ #include <include/firewall/description.xml.i>
+ <leafNode name="network">
+ <properties>
+ <help>Network-group member</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="network-group">
+ <properties>
+ <help>Firewall network-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/description.xml.i>
+ <leafNode name="network">
+ <properties>
+ <help>Network-group member</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 Subnet to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="port-group">
+ <properties>
+ <help>Firewall port-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/description.xml.i>
+ <leafNode name="port">
+ <properties>
+ <help>Port-group member</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Named port (any name in /etc/services, e.g., http)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numbered port</description>
+ </valueHelp>
+ <valueHelp>
+ <format>start-end</format>
+ <description>Numbered port range (e.g. 1001-1050)</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="ip-src-route">
+ <properties>
+ <help>Policy for handling IPv4 packets with source route option</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="ipv6-name">
+ <properties>
+ <help>IPv6 firewall rule-set name</help>
+ </properties>
+ <children>
+ #include <include/firewall/name-default-action.xml.i>
+ #include <include/firewall/description.xml.i>
+ #include <include/firewall/name-default-log.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule number (1-9999)</help>
+ </properties>
+ <children>
+ #include <include/firewall/action.xml.i>
+ #include <include/firewall/description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ #include <include/firewall/common-rule.xml.i>
+ <node name="hop-limit">
+ <properties>
+ <help>Hop Limit</help>
+ </properties>
+ <children>
+ <leafNode name="eq">
+ <properties>
+ <help>Value to match a hop limit equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit equal to value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="gt">
+ <properties>
+ <help>Value to match a hop limit greater than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit greater than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lt">
+ <properties>
+ <help>Value to match a hop limit less than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit less than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="icmpv6">
+ <properties>
+ <help>ICMPv6 type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type-name</help>
+ <completionHelp>
+ <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list>
+ </completionHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Any ICMP type/code</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pong</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>destination-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>protocol-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>port-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fragmentation-needed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-route-failed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>communication-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-precedence-violation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>precedence-cutoff</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-quench</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ping</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-advertisement</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-solicitation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>time-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-transit</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-reassembly</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>parameter-problem</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-header-bad</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>required-option-missing</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="p2p">
+ <properties>
+ <help>P2P application packets</help>
+ </properties>
+ <children>
+ <leafNode name="all">
+ <properties>
+ <help>AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="applejuice">
+ <properties>
+ <help>AppleJuice application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="bittorrent">
+ <properties>
+ <help>BitTorrent application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="directconnect">
+ <properties>
+ <help>Direct Connect application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="edonkey">
+ <properties>
+ <help>eDonkey/eMule application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="gnutella">
+ <properties>
+ <help>Gnutella application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="kazaa">
+ <properties>
+ <help>KaZaA application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <leafNode name="ipv6-receive-redirects">
+ <properties>
+ <help>Policy for handling received ICMPv6 redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="ipv6-src-route">
+ <properties>
+ <help>Policy for handling IPv6 packets with routing extension header</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv6 packets with routing header type 2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv6 packets with routing header</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="log-martians">
+ <properties>
+ <help>Policy for logging IPv4 packets with invalid addresses</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable logging of IPv4 packets with invalid addresses</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable logging of Ipv4 packets with invalid addresses</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="name">
+ <properties>
+ <help>IPv4 firewall rule-set name</help>
+ </properties>
+ <children>
+ #include <include/firewall/name-default-action.xml.i>
+ #include <include/firewall/description.xml.i>
+ #include <include/firewall/name-default-log.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule number (1-9999)</help>
+ </properties>
+ <children>
+ #include <include/firewall/action.xml.i>
+ #include <include/firewall/description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ #include <include/firewall/common-rule.xml.i>
+ <node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code (0-255)</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type (0-255)</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <leafNode name="receive-redirects">
+ <properties>
+ <help>Policy for handling received IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="send-redirects">
+ <properties>
+ <help>Policy for sending IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="source-validation">
+ <properties>
+ <help>Policy for source validation by reversed path, as specified in RFC3704</help>
+ <completionHelp>
+ <list>strict loose disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>strict</format>
+ <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>loose</format>
+ <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>No source validation</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(strict|loose|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="state-policy">
+ <properties>
+ <help>Global firewall state-policy</help>
+ </properties>
+ <children>
+ <node name="established">
+ <properties>
+ <help>Global firewall policy for packets part of an established connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ <node name="invalid">
+ <properties>
+ <help>Global firewall policy for packets part of an invalid connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ <node name="related">
+ <properties>
+ <help>Global firewall policy for packets part of a related connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="syn-cookies">
+ <properties>
+ <help>Policy for using TCP SYN cookies with IPv4</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="twa-hazards-protection">
+ <properties>
+ <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+</interfaceDefinition>
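Review bot: Every `rule` tagNode (both under `name` and `ipv6-name`) ends up with `action` and `description` defined twice — once by the two includes at the top of the rule's children and again through `#include <include/firewall/common-rule.xml.i>`, whose first two lines are the very same `action.xml.i` and `description.xml.i` includes; drop one pair so the generated template has no duplicate leafNodes. The `port-group` member `port` advertises `txt`, `u32:1-65535` and `start-end` formats but carries no `<constraint>` at all, so any string is accepted into the firewall configuration — reuse whatever constraint the rule-level `port.xml.i` include applies (its contents are not in this diff) so malformed values are rejected at commit time. The `icmpv6 type` completion list and regex are the ICMPv4 type names (`fragmentation-needed`, `source-quench`, `address-mask-request`, …) rather than ICMPv6 ones (e.g. `neighbor-solicitation`, `packet-too-big`), and both the list and the regex contain `TOS host-redirect` with a space instead of a hyphen. Finally the `hop-limit gt`/`lt` help says "greater/less than or equal to" while the descriptions say "greater/less than value"; pick one and make the two agree.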
diff --git a/interface-definitions/include/bgp/afi-common.xml.i b/interface-definitions/include/bgp/afi-common.xml.i
index 20b0dda66..62beff40c 100644
--- a/interface-definitions/include/bgp/afi-common.xml.i
+++ b/interface-definitions/include/bgp/afi-common.xml.i
@@ -88,6 +88,18 @@
</constraint>
</properties>
</leafNode>
+<leafNode name="maximum-prefix-out">
+ <properties>
+ <help>Maximum number of prefixes to be sent to this peer</help>
+ <valueHelp>
+ <format>u32:1-4294967295</format>
+ <description>Prefix limit</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4294967295"/>
+ </constraint>
+ </properties>
+</leafNode>
#include <include/bgp/afi-nexthop-self.xml.i>
<leafNode name="remove-private-as">
<properties>
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index e6b81ceb1..78a4fb763 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -1180,6 +1180,7 @@
<constraint>
<validator name="numeric" argument="--range 1-4294967294"/>
</constraint>
+ <multi/>
</properties>
</leafNode>
</children>
diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+ <properties>
+ <help>Disable connection tracking helper</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
new file mode 100644
index 000000000..9f8baa884
--- /dev/null
+++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/action-accept-drop-reject.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Action for packets</help>
+ <completionHelp>
+ <list>accept drop reject</list>
+ </completionHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Action to accept</description>
+ </valueHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Action to drop</description>
+ </valueHelp>
+ <valueHelp>
+ <format>reject</format>
+ <description>Action to reject</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(accept|drop|reject)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
new file mode 100644
index 000000000..230f590cb
--- /dev/null
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Rule action [REQUIRED]</help>
+ <completionHelp>
+ <list>permit deny</list>
+ </completionHelp>
+ <valueHelp>
+ <format>permit</format>
+ <description>Permit matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>deny</format>
+ <description>Deny matching entries</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(permit|deny)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
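Review bot: This `action` include, which `common-rule.xml.i` pulls into every firewall rule, offers only `permit`/`deny`, while the global `state-policy` in the same series uses `accept`/`drop`/`reject` via `action-accept-drop-reject.xml.i`; a single `deny` cannot express the difference between silently dropping and sending an ICMP/TCP reject, which matters operationally and for what a remote scanner can learn about the rule-set. Unless the backend deliberately maps `deny` to one of those, the rule-level action should use the same vocabulary: `<list>accept drop reject</list>` and `<regex>^(accept|drop|reject)$</regex>`, with matching valueHelp entries. The `[REQUIRED]` marker in the help is not enforced by anything in the template, so the commit script presumably has to verify the leaf is present on every enabled rule — worth confirming.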
diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i
new file mode 100644
index 000000000..fa60c0c8a
--- /dev/null
+++ b/interface-definitions/include/firewall/address-ipv6.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/address-ipv6.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IP address, subnet, or range</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IP address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Subnet to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6range</format>
+ <description>IP range to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6</format>
+ <description>Match everything except the specified address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6net</format>
+ <description>Match everything except the specified prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6range</format>
+ <description>Match everything except the specified range</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6"/>
+ <validator name="ipv6-exclude"/>
+ <validator name="ipv6-range"/>
+ <validator name="ipv6-range-exclude"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
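Review bot: The validator names used here (`ipv6`, `ipv6-exclude`, `ipv6-range`, `ipv6-range-exclude`) do not match what the rest of this series uses for the same value shapes — `firewall.xml.in` validates group members with `ipv6-address` and `ipv6-prefix`, and the IPv4 twin of this include lists separate `ipv4-address`/`ipv4-prefix`/`ipv4-range` validators plus their `-exclude` forms. From the diff alone I cannot tell whether a validator named `ipv6` exists or whether it accepts a prefix, so either confirm it covers all of `ipv6`, `ipv6net` and the `!`-prefixed forms promised in valueHelp, or mirror the IPv4 include's validator set (`ipv6-address`, `ipv6-prefix`, `ipv6-range` and their exclude variants) so a malformed value is rejected at commit time instead of reaching the firewall generator.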
diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i
new file mode 100644
index 000000000..2e1bde5a5
--- /dev/null
+++ b/interface-definitions/include/firewall/address.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/address.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IP address, subnet, or range</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4range</format>
+ <description>IPv4 address range to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4</format>
+ <description>Match everything except the specified address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4net</format>
+ <description>Match everything except the specified prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4range</format>
+ <description>Match everything except the specified range</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv4-range"/>
+ <validator name="ipv4-address-exclude"/>
+ <validator name="ipv4-prefix-exclude"/>
+ <validator name="ipv4-range-exclude"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
new file mode 100644
index 000000000..466599e0a
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -0,0 +1,326 @@
+<!-- include start from firewall/common-rule.xml.i -->
+#include <include/firewall/action.xml.i>
+#include <include/firewall/description.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ </properties>
+ <children>
+ <leafNode name="match-ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-none">
+ <properties>
+ <help>Inbound non-IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>burst__change_me</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>rate__change_me</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="log">
+ <properties>
+ <help>Option to log packets matching rule</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable log</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable log</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;protocol&gt;</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+ <defaultValue>all</defaultValue>
+</leafNode>
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last N seconds</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Source addresses seen in the last N seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ <leafNode name="mac-address">
+ <properties>
+ <help>Source MAC address</help>
+ <valueHelp>
+ <format>&lt;MAC address&gt;</format>
+ <description>MAC address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;MAC address&gt;</format>
+ <description>Match everything except the specified MAC address</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/firewall/port.xml.i>
+ </children>
+</node>
+<node name="state">
+ <properties>
+ <help>Session state</help>
+ </properties>
+ <children>
+ <leafNode name="established">
+ <properties>
+ <help>Established state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="invalid">
+ <properties>
+ <help>Invalid state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="new">
+ <properties>
+ <help>New state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="related">
+ <properties>
+ <help>Related state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="tcp">
+ <properties>
+ <help>TCP flags to match</help>
+ </properties>
+ <children>
+ <leafNode name="flags">
+ <properties>
+ <help>TCP flags to match</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>TCP flags to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format> </format>
+ <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="monthdays">
+ <properties>
+ <help>Monthdays to match rule on</help>
+ </properties>
+ </leafNode>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="utc">
+ <properties>
+ <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Weekdays to match rule on</help>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
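Review bot: The valueHelp descriptions for `burst` and `rate` under `limit` are still template placeholders (`burst__change_me`, `rate__change_me`) and will be shown verbatim in the CLI; replace them with real text such as `<description>Maximum number of packets to allow in excess of rate</description>` and, for `rate`, a description that states the unit the backend expects. The `!<protocol>` valueHelp on the `protocol` leaf repeats `IP protocol number` where it should say the value matches every protocol except the named one. `source mac-address` has no `<constraint>`, so any text reaches the backend unchecked, and the same is true of the `tcp flags` and every `time` leaf; a validator or regex for the documented syntax belongs on each so malformed input fails at commit rather than at rule rendering. The `protocol` completion here shells out through `cat /etc/protocols | sed | awk` while `include/ip-protocol.xml.i` in this same commit calls `${vyos_completion_dir}/list_protocols.sh`; the two leaves should share one include, or at least one completion script.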
diff --git a/interface-definitions/include/firewall/description.xml.i b/interface-definitions/include/firewall/description.xml.i
new file mode 100644
index 000000000..b6bae406b
--- /dev/null
+++ b/interface-definitions/include/firewall/description.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from firewall/description.xml.i -->
+<leafNode name="description">
+ <properties>
+ <help>Description</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Description</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i
new file mode 100644
index 000000000..b45fb619b
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp-type-name.xml.i
@@ -0,0 +1,173 @@
+<!-- include start from firewall/icmp-type-name.xml.i -->
+<leafNode name="type-name">
+ <properties>
+ <help>ICMP type-name</help>
+ <completionHelp>
+ <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list>
+ </completionHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Any ICMP type/code</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pong</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>destination-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>protocol-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>port-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fragmentation-needed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-route-failed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>communication-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-precedence-violation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>precedence-cutoff</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-quench</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ping</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-advertisement</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-solicitation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>time-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-transit</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-reassembly</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>parameter-problem</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-header-bad</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>required-option-missing</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
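Review bot: `TOS host-redirect` is written with a space instead of a hyphen in the `<format>` entry before `echo-request`, in the completion `<list>` and in the constraint regex, unlike every other name; in the space-separated `<list>` it splits into two completion tokens `TOS` and `host-redirect`, and the regex alternation `TOS host-redirect` only matches a value containing a literal space. Change all three occurrences to `TOS-host-redirect`. The same name set is maintained by hand in the list, the valueHelp entries and the regex, which is how this slipped in; a build-time check that the three agree would catch the next one.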
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
new file mode 100644
index 000000000..46d20c1df
--- /dev/null
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/log.xml.i -->
+<node name="log">
+ <properties>
+ <help>Option to log packets</help>
+ </properties>
+ <children>
+ <leafNode name="enable">
+ <properties>
+ <help>Enable logging</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i
new file mode 100644
index 000000000..1b61b076f
--- /dev/null
+++ b/interface-definitions/include/firewall/name-default-action.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/name-default-action.xml.i -->
+<leafNode name="default-action">
+ <properties>
+ <help>Default-action for rule-set</help>
+ <completionHelp>
+ <list>drop reject accept</list>
+ </completionHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Drop if no prior rules are hit (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>reject</format>
+ <description>Drop and notify source if no prior rules are hit</description>
+ </valueHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Accept if no prior rules are hit</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(drop|reject|accept)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
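Review bot: The `drop` valueHelp says `(default)` but the leaf carries no `<defaultValue>`, so the CLI shows no default and whether an unset default-action really drops depends on the handler script, which is not in this diff. If drop is the intended fail-closed default, declare it in the schema with `<defaultValue>drop</defaultValue>` after `</properties>`; otherwise remove `(default)` from the description. The `lacp-rate` leaf added to `interfaces-bonding.xml.in` in this same commit declares both and is the pattern to follow.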
diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i
new file mode 100644
index 000000000..979395146
--- /dev/null
+++ b/interface-definitions/include/firewall/name-default-log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/name-default-log.xml.i -->
+<leafNode name="enable-default-log">
+ <properties>
+ <help>Option to log packets hitting default-action</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
new file mode 100644
index 000000000..59d92978b
--- /dev/null
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -0,0 +1,23 @@
+<!-- include start from firewall/port.xml.i -->
+<leafNode name="port">
+ <properties>
+ <help>Port</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Named port (any name in /etc/services, e.g., http)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numbered port</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;start-end&gt;</format>
+ <description>Numbered port range (e.g. 1001-1005)</description>
+ </valueHelp>
+ <valueHelp>
+ <format> </format>
+ <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
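Review bot: The trailing valueHelp says `Multiple destination ports can be specified`, but this include is also pulled into the `source` node of `common-rule.xml.i`, so the wording is wrong for half its users; change it to `Multiple ports can be specified as a comma-separated list.`. The leaf also has no `<constraint>`, so none of the documented forms (service name, 1-65535, `start-end`, `!`-negated comma list) is enforced at commit time and malformed input is handed to the backend; a validator that checks each comma-separated element against those forms would fail early with a clear message.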
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
new file mode 100644
index 000000000..30226b0d8
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -0,0 +1,24 @@
+<!-- include start from firewall/source-destination-group.xml.i -->
+<node name="group">
+ <properties>
+ <help>Group</help>
+ </properties>
+ <children>
+ <leafNode name="address-group">
+ <properties>
+ <help>Group of addresses</help>
+ </properties>
+ </leafNode>
+ <leafNode name="network-group">
+ <properties>
+ <help>Group of networks</help>
+ </properties>
+ </leafNode>
+ <leafNode name="port-group">
+ <properties>
+ <help>Group of ports</help>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
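Review bot: The three group leaves have neither `<completionHelp>` nor `<constraint>`, so a rule can reference a group name that is never defined and the mismatch only surfaces when the backend renders the ruleset, if at all. Completion from the configured group names (a `<path>` completion over the firewall group tree, if that is how other named-object references in this tree are done) plus a verify step in the handler would close this; the include is shared by source and destination, so one fix covers both.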
diff --git a/interface-definitions/include/interface/interface-parameters-key.xml.i b/interface-definitions/include/interface/interface-parameters-key.xml.i
index 1b1d67174..6c59f7879 100644
--- a/interface-definitions/include/interface/interface-parameters-key.xml.i
+++ b/interface-definitions/include/interface/interface-parameters-key.xml.i
@@ -1,7 +1,7 @@
<!-- include start from interface/interface-parameters-key.xml.i -->
<leafNode name="key">
<properties>
- <help>Tunnel key</help>
+ <help>Tunnel key (only GRE tunnels)</help>
<valueHelp>
<format>u32</format>
<description>Tunnel key</description>
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 0355054a4..9e89cbbf6 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -22,9 +22,10 @@
<leafNode name="egress-qos">
<properties>
<help>VLAN egress QoS</help>
- <completionHelp>
- <script>echo Format for qos mapping, e.g.: '0:1 1:6 7:6'</script>
- </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description>
+ </valueHelp>
<constraint>
<regex>[:0-7 ]+$</regex>
</constraint>
@@ -34,9 +35,10 @@
<leafNode name="ingress-qos">
<properties>
<help>VLAN ingress QoS</help>
- <completionHelp>
- <script>echo Format for qos mapping '0:1 1:6 7:6'</script>
- </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description>
+ </valueHelp>
<constraint>
<regex>[:0-7 ]+$</regex>
</constraint>
diff --git a/interface-definitions/include/ip-protocol.xml.i b/interface-definitions/include/ip-protocol.xml.i
new file mode 100644
index 000000000..ce9345024
--- /dev/null
+++ b/interface-definitions/include/ip-protocol.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from ip-protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Protocol name</description>
+ </valueHelp>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ </completionHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end from ip-protocol.xml.i -->
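Review bot: The closing marker `<!-- include end from ip-protocol.xml.i -->` differs from every other include in this commit, which closes with `<!-- include end -->`; use the same form so tooling or grep that looks for the marker treats this file like the rest. This leaf also duplicates the `protocol` leaf in `include/firewall/common-rule.xml.i` with a different completion script; one of the two should include the other.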
diff --git a/interface-definitions/include/isis/default-information-level.xml.i b/interface-definitions/include/isis/default-information-level.xml.i
new file mode 100644
index 000000000..5ade72a4b
--- /dev/null
+++ b/interface-definitions/include/isis/default-information-level.xml.i
@@ -0,0 +1,32 @@
+<!-- include start from isis/default-information-level.xml.i -->
+<node name="level-1">
+ <properties>
+ <help>Distribute default route into level-1</help>
+ </properties>
+ <children>
+ <leafNode name="always">
+ <properties>
+ <help>Always advertise default route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/isis/metric.xml.i>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<node name="level-2">
+ <properties>
+ <help>Distribute default route into level-2</help>
+ </properties>
+ <children>
+ <leafNode name="always">
+ <properties>
+ <help>Always advertise default route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/isis/metric.xml.i>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/isis/metric.xml.i b/interface-definitions/include/isis/metric.xml.i
new file mode 100644
index 000000000..30e2cdc10
--- /dev/null
+++ b/interface-definitions/include/isis/metric.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from isis/metric.xml.i -->
+<leafNode name="metric">
+ <properties>
+ <help>Set default metric for circuit</help>
+ <valueHelp>
+ <format>u32:0-16777215</format>
+ <description>Default metric value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-16777215"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index c4a913385..831d12694 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -39,18 +39,7 @@
<help>Distribute default route for IPv4</help>
</properties>
<children>
- <leafNode name="level-1">
- <properties>
- <help>Distribute default route into level-1</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="level-2">
- <properties>
- <help>Distribute default route into level-2</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/isis/default-information-level.xml.i>
</children>
</node>
<node name="ipv6">
@@ -58,30 +47,7 @@
<help>Distribute default route for IPv6</help>
</properties>
<children>
- <leafNode name="level-1">
- <properties>
- <help>Distribute default route into level-1</help>
- <completionHelp>
- <list>always</list>
- </completionHelp>
- <valueHelp>
- <format>always</format>
- <description>Always advertise default route</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="level-2">
- <properties>
- <help>Distribute default route into level-2</help>
- <completionHelp>
- <list>always</list>
- </completionHelp>
- <valueHelp>
- <format>always</format>
- <description>Always advertise default route</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/isis/default-information-level.xml.i>
</children>
</node>
</children>
@@ -102,7 +68,6 @@
</valueHelp>
</properties>
</leafNode>
-<!--
<leafNode name="md5">
<properties>
<help>MD5 authentication type</help>
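Review bot: Removing the comment markers here and in the next hunk exposes the `md5` password type, but its help `MD5 authentication type` says nothing about which mechanism the backend configures; the leaf's body is split between this hunk and the next, so the full node is not visible here. If this maps to the IS-IS HMAC-MD5 authentication (RFC 5304), say so, e.g. `<help>HMAC-MD5 authentication (RFC 5304)</help>`, so operators can tell it apart from the clear-text option when choosing.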
@@ -112,7 +77,6 @@
</valueHelp>
</properties>
</leafNode>
--->
</children>
</node>
<leafNode name="dynamic-hostname">
@@ -144,6 +108,12 @@
</constraint>
</properties>
</leafNode>
+<leafNode name="log-adjacency-changes">
+ <properties>
+ <help>Log adjacency state changes</help>
+ <valueless/>
+ </properties>
+</leafNode>
<leafNode name="lsp-gen-interval">
<properties>
<help>Minimum interval between regenerating same LSP</help>
@@ -570,7 +540,7 @@
<help>Delay used while in LONG_WAIT</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Delay used while in LONG_WAIT state (in ms)</description>
+ <description>Delay used while in LONG_WAIT state in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -582,7 +552,7 @@
<help>Time with no received IGP events before considering IGP stable</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Time with no received IGP events before considering IGP stable (in ms)</description>
+ <description>Time with no received IGP events before considering IGP stable in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -594,7 +564,7 @@
<help>Maximum duration needed to learn all the events related to a single failure</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Maximum duration needed to learn all the events related to a single failure (in ms)</description>
+ <description>Maximum duration needed to learn all the events related to a single failure in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -608,7 +578,7 @@
<help>Minimum interval between SPF calculations</help>
<valueHelp>
<format>u32:1-120</format>
- <description>Minimum interval between consecutive SPFs in seconds</description>
+ <description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-120"/>
@@ -677,18 +647,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="metric">
- <properties>
- <help>Set default metric for circuit</help>
- <valueHelp>
- <format>u32:0-16777215</format>
- <description>Default metric value</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-16777215"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/isis/metric.xml.i>
<node name="network">
<properties>
<help>Set network type</help>
@@ -733,10 +692,10 @@
</leafNode>
<leafNode name="psnp-interval">
<properties>
- <help>Set PSNP interval in seconds</help>
+ <help>Set PSNP interval</help>
<valueHelp>
<format>u32:0-127</format>
- <description>Priority value</description>
+ <description>PSNP interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-127"/>
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 846f6eb54..2efdaea3d 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -97,6 +97,26 @@
</properties>
<defaultValue>0</defaultValue>
</leafNode>
+ <leafNode name="lacp-rate">
+ <properties>
+ <help>Rate in which we will ask our link partner to transmit LACPDU packets</help>
+ <completionHelp>
+ <list>slow fast</list>
+ </completionHelp>
+ <valueHelp>
+ <format>slow</format>
+ <description>Request partner to transmit LACPDUs every 30 seconds (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fast</format>
+ <description>Request partner to transmit LACPDUs every 1 second</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(slow|fast)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>slow</defaultValue>
+ </leafNode>
<leafNode name="mode">
<properties>
<help>Bonding mode</help>
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index 536edcb99..56f8ea79c 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -227,13 +227,22 @@
<children>
<leafNode name="no-pmtu-discovery">
<properties>
- <help>Disable path MTU discovery</help>
+ <help>Disable Path MTU Discovery on this tunnel</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ignore-df">
+ <properties>
+ <help>Enable IPv4 DF suppression on this tunnel</help>
<valueless/>
</properties>
</leafNode>
#include <include/interface/interface-parameters-key.xml.i>
#include <include/interface/interface-parameters-tos.xml.i>
#include <include/interface/interface-parameters-ttl.xml.i>
+ <leafNode name="ttl">
+ <defaultValue>64</defaultValue>
+ </leafNode>
</children>
</node>
<node name="ipv6">
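Review bot: The trailing `<leafNode name="ttl"><defaultValue>64</defaultValue></leafNode>` is a second `ttl` leaf placed after the `interface-parameters-ttl.xml.i` include; this presumably relies on the template build merging same-named nodes so the default attaches to the included leaf, which is not obvious to a reader. A comment on the line before it, such as `<!-- attaches a default to the ttl leaf from interface-parameters-ttl.xml.i -->`, would make the intent explicit. The `ignore-df` help `Enable IPv4 DF suppression on this tunnel` would also benefit from stating the effect on the outer packet, presumably that encapsulated packets may be fragmented in transit, since that changes behaviour relative to `no-pmtu-discovery` alone.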
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
new file mode 100644
index 000000000..604d7dd29
--- /dev/null
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces-vti.py">
+ <properties>
+ <help>Virtual Tunnel interface</help>
+ <priority>381</priority>
+ <constraint>
+ <regex>^vti[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>VTI interface must be named vtiN</constraintErrorMessage>
+ <valueHelp>
+ <format>vtiN</format>
+ <description>VTI interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>IP address</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/interface/interface-description.xml.i>
+ #include <include/interface/interface-disable.xml.i>
+ #include <include/interface/interface-mtu-68-16000.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
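Review bot: The `address` leaf's help says `IP address` but the only accepted form is `ipv4net` under the `ipv4-host` validator, so an IPv6 address on a VTI is rejected with no hint why; either change the help to `IPv4 address` or add an `ipv6net` valueHelp with the matching validator, as the other interface types do. The declaration `<?xml version="1.0"?>` omits the encoding that `protocols-nhrp.xml.in` in this same commit declares; use `<?xml version="1.0" encoding="UTF-8"?>` for consistency.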
diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in
index bc54baa27..0bcba9a84 100644
--- a/interface-definitions/ipsec-settings.xml.in
+++ b/interface-definitions/ipsec-settings.xml.in
@@ -7,6 +7,7 @@
<node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
<properties>
<help>Global IPsec settings</help>
+ <priority>902</priority>
</properties>
<children>
<leafNode name="disable-route-autoinstall">
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index 900fac27e..195e074a3 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -912,7 +912,7 @@
</leafNode>
<leafNode name="as-path-prepend">
<properties>
- <help>as-path-prepend_help</help>
+ <help>Prepend string for a Border Gateway Protocol (BGP) AS-path attribute</help>
<valueHelp>
<format>txt</format>
<description>BGP AS path prepend string (ex: "64501 64501")</description>
@@ -961,7 +961,7 @@
</node>
<leafNode name="community">
<properties>
- <help>community_help</help>
+ <help>Border Gateway Protocl (BGP) community attribute</help>
<completionHelp>
<list>local-AS no-advertise no-export internet additive none</list>
</completionHelp>
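Review bot: `Protocl` in the new `community` help text is a typo, and the same misspelling appears in the new `origin` help in the hunk at `@@ -1129,7 +1135,7 @@`; both should read `Border Gateway Protocol (BGP)`, matching the `as-path-prepend` help in the first hunk of this file.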
@@ -1066,6 +1066,12 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="prefer-global">
+ <properties>
+ <help>Prefer global address as the nexthop</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
<leafNode name="large-community">
@@ -1129,7 +1135,7 @@
</leafNode>
<leafNode name="origin">
<properties>
- <help>origin_help</help>
+ <help>Border Gateway Protocl (BGP) origin code</help>
<completionHelp>
<list>igp egp incomplete</list>
</completionHelp>
diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in
new file mode 100644
index 000000000..9dd9d3389
--- /dev/null
+++ b/interface-definitions/protocols-nhrp.xml.in
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<interfaceDefinition>
+ <node name="protocols">
+ <children>
+ <node name="nhrp" owner="${vyos_conf_scripts_dir}/protocols_nhrp.py">
+ <properties>
+ <help>NHRP parameters</help>
+ <priority>680</priority>
+ </properties>
+ <children>
+ <tagNode name="tunnel">
+ <properties>
+ <help>Tunnel for NHRP [REQUIRED]</help>
+ <constraint>
+ <regex>^tun[0-9]+$</regex>
+ </constraint>
+ <valueHelp>
+ <format>tunN</format>
+ <description>NHRP tunnel name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="cisco-authentication">
+ <properties>
+ <help>Pass phrase for cisco authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pass phrase for cisco authentication</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="dynamic-map">
+ <properties>
+ <help>Set an HUB tunnel address</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Set the IP address and prefix length</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="nbma-domain-name">
+ <properties>
+ <help>Set HUB fqdn (nbma-address - fqdn) [REQUIRED]</help>
+ <valueHelp>
+ <format>&lt;fqdn&gt;</format>
+ <description>Set the external HUB fqdn</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="holding-time">
+ <properties>
+ <help>Holding time in seconds</help>
+ </properties>
+ </leafNode>
+ <tagNode name="map">
+ <properties>
+ <help>Set an HUB tunnel address</help>
+ </properties>
+ <children>
+ <leafNode name="cisco">
+ <properties>
+ <help>If the statically mapped peer is running Cisco IOS, specify this</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="nbma-address">
+ <properties>
+ <help>Set HUB address (nbma-address - external hub address or fqdn) [REQUIRED]</help>
+ </properties>
+ </leafNode>
+ <leafNode name="register">
+ <properties>
+ <help>Specifies that Registration Request should be sent to this peer on startup</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="multicast">
+ <properties>
+ <help>Set multicast for NHRP</help>
+ <completionHelp>
+ <list>dynamic nhs</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(dynamic|nhs)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="non-caching">
+ <properties>
+ <help>This can be used to reduce memory consumption on big NBMA subnets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="redirect">
+ <properties>
+ <help>Enable sending of Cisco style NHRP Traffic Indication packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="shortcut-destination">
+ <properties>
+ <help>This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destined to addresses in this interface</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <tagNode name="shortcut-target">
+ <properties>
+ <help>Defines an off-NBMA network prefix for which the GRE interface will act as a gateway</help>
+ </properties>
+ <children>
+ <leafNode name="holding-time">
+ <properties>
+ <help>Holding time in seconds</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="shortcut">
+ <properties>
+ <help>Enable creation of shortcut routes. A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
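Review bot: Both `holding-time` leaves accept any string: the help says "in seconds" but there is no `<constraint>`, unlike the numeric validators used on the other new files in this commit. The NHRP Hold Time is a 16-bit field, so `<constraint><validator name="numeric" argument="--range 1-65535"/></constraint>` would bound it. Likewise the `dynamic-map` tag value is documented as `ipv4net` and `nbma-address` as an address or fqdn, yet neither carries a constraint, while the `ip-prefix` validator is available elsewhere in this diff. `cisco-authentication` takes an unbounded plain-text pass phrase; if the backend is opennhrp, its Cisco-style secret is limited to 8 bytes, so a length constraint (and a note in the help) would stop silently truncated secrets — confirm against the owner script, which is outside this hunk.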
diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols-ospfv3.xml.in
index 99e671b32..7b42c448d 100644
--- a/interface-definitions/protocols-ospfv3.xml.in
+++ b/interface-definitions/protocols-ospfv3.xml.in
@@ -25,6 +25,26 @@
</constraint>
</properties>
<children>
+ <node name="area-type">
+ <properties>
+ <help>OSPFv3 Area type</help>
+ </properties>
+ <children>
+ <node name="stub">
+ <properties>
+ <help>Stub OSPFv3 area</help>
+ </properties>
+ <children>
+ <leafNode name="no-summary">
+ <properties>
+ <help>Do not inject inter-area routes into the stub</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
<leafNode name="export-list">
<properties>
<help>Name of export-list</help>
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in
index 94fab54a5..a73d0aae4 100644
--- a/interface-definitions/protocols-rpki.xml.in
+++ b/interface-definitions/protocols-rpki.xml.in
@@ -35,7 +35,7 @@
<help>Preference of the cache server</help>
<valueHelp>
<format>u32:1-255</format>
- <description>Polling period</description>
+ <description>Preference of the cache server</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in
new file mode 100644
index 000000000..8d6b57183
--- /dev/null
+++ b/interface-definitions/service_conntrack-sync.xml.in
@@ -0,0 +1,164 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/conntrack_sync.py">
+ <properties>
+ <help>Connection tracking synchronization</help>
+ <priority>995</priority>
+ </properties>
+ <children>
+ <leafNode name="accept-protocol">
+ <properties>
+ <help>Protocols for which local conntrack entries will be synced</help>
+ <completionHelp>
+ <list>tcp udp icmp icmp6 sctp dccp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>tcp</format>
+ <description>Sync Transmission Control Protocol entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>udp</format>
+ <description>Sync User Datagram Protocol entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>icmp</format>
+ <description>Sync Internet Control Message Protocol entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>icmp6</format>
+ <description>Sync IPv6 Internet Control Message Protocol entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sctp</format>
+ <description>Sync Stream Control Transmission Protocol entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dccp</format>
+ <description>Sync Datagram Congestion Control Protocol entries</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(tcp|udp|icmp|icmp6|sctp|dccp)$</regex>
+ </constraint>
+ <constraintErrorMessage>Allowed protocols: tcp udp icmp or sctp</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="disable-external-cache">
+ <properties>
+ <help>Directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall.</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="event-listen-queue-size">
+ <properties>
+ <help>Queue size for local conntrack events</help>
+ <valueHelp>
+ <format>u32</format>
+ <description>Queue size in MB</description>
+ </valueHelp>
+ </properties>
+ <defaultValue>8</defaultValue>
+ </leafNode>
+ <leafNode name="expect-sync">
+ <properties>
+ <help>Protocol for which expect entries need to be synchronized</help>
+ <completionHelp>
+ <list>all ftp sip h323 nfs sqlnet</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(all|ftp|sip|h323|nfs|sqlnet)$</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid protocol</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ <node name="failover-mechanism">
+ <properties>
+ <help>Failover mechanism to use for conntrack-sync</help>
+ </properties>
+ <children>
+ <node name="vrrp">
+ <properties>
+ <help>VRRP as failover-mechanism to use for conntrack-sync</help>
+ </properties>
+ <children>
+ <leafNode name="sync-group">
+ <properties>
+ <help>VRRP sync group</help>
+ <completionHelp>
+ <path>high-availability vrrp sync-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="ignore-address">
+ <properties>
+ <help>IP addresses for which local conntrack entries will not be synced</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to ignore</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to ignore</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to ignore</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix to ignore</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4"/>
+ <validator name="ipv6"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <tagNode name="interface">
+ <properties>
+ <help>Interface to use for syncing conntrack entries</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py --bridgeable</script>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="peer">
+ <properties>
+ <help>IP address of the peer to send the UDP conntrack info too. This disable multicast.</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ #include <include/listen-address-ipv4.xml.i>
+ <leafNode name="mcast-group">
+ <properties>
+ <help>Multicast group to use for syncing conntrack entries</help>
+ <constraint>
+ <validator name="ipv4-multicast"/>
+ </constraint>
+ </properties>
+ <defaultValue>225.0.0.50</defaultValue>
+ </leafNode>
+ <leafNode name="sync-queue-size">
+ <properties>
+ <help>Queue size for syncing conntrack entries</help>
+ <valueHelp>
+ <format>u32</format>
+ <description>Queue size in MB</description>
+ </valueHelp>
+ </properties>
+ <defaultValue>1</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
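Review bot: The `constraintErrorMessage` on `accept-protocol` does not match its regex: the regex admits `icmp6` and `dccp` but the message says `Allowed protocols: tcp udp icmp or sctp`, so it should read `Allowed protocols: tcp udp icmp icmp6 sctp dccp`. The `peer` leaf under `interface` is documented as an IP address but has no constraint at all; `<constraint><validator name="ipv4"/><validator name="ipv6"/></constraint>`, as already used on `ignore-address`, would keep the value the daemon config is built from well-formed. The same leaf's help has two typos: `conntrack info too. This disable multicast.` should be `conntrack info to. This disables multicast.`. `event-listen-queue-size` and `sync-queue-size` declare `u32` but carry no numeric validator either.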
diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in
index dc8af67af..9d0f887a9 100644
--- a/interface-definitions/service_pppoe-server.xml.in
+++ b/interface-definitions/service_pppoe-server.xml.in
@@ -334,6 +334,45 @@
</leafNode>
</children>
</node>
+ <node name="extended-scripts">
+ <properties>
+ <help>Extended script execution</help>
+ </properties>
+ <children>
+ <leafNode name="on-pre-up">
+ <properties>
+ <help>Script to run before PPPoE session interface comes up</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-up">
+ <properties>
+ <help>Script to run when PPPoE session interface is completely configured and started</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-down">
+ <properties>
+ <help>Script to run when PPPoE session interface going to terminate</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-change">
+ <properties>
+ <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</node>
</children>
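Review bot: The help on `on-down` is ungrammatical — `Script to run when PPPoE session interface going to terminate` should be `Script to run when PPPoE session interface is going to terminate`. More importantly, none of the four help strings say which process executes the script or with what privileges; these hooks presumably run under the PPPoE service with its privileges, so the help should state that the file must be owned by root and not writable by unprivileged users, since the `script` validator alone cannot enforce that — confirm how `system-sysctl`-style ownership is checked in the owner script, which is outside this hunk. A one-line note such as `Script is executed by the PPPoE daemon; it must not be writable by unprivileged users` on each leaf would be enough.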
diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in
index 47ac4e25d..750ae314c 100644
--- a/interface-definitions/service_router-advert.xml.in
+++ b/interface-definitions/service_router-advert.xml.in
@@ -10,7 +10,7 @@
<children>
<tagNode name="interface">
<properties>
- <help>Interface to send DDNS updates for [REQUIRED]</help>
+ <help>Interface to send RA on [REQUIRED]</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
@@ -154,6 +154,72 @@
<valueless/>
</properties>
</leafNode>
+ <tagNode name="route">
+ <properties>
+ <help>IPv6 route to be advertised in Router Advertisements (RAs)</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 route to be advertized</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="valid-lifetime">
+ <properties>
+ <help>Time in seconds that the route will remain valid (default: 1800 seconds)</help>
+ <completionHelp>
+ <list>infinity</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1-4294967295</format>
+ <description>Time in seconds that the route will remain valid</description>
+ </valueHelp>
+ <valueHelp>
+ <format>infinity</format>
+ <description>Route will remain preferred forever</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ <regex>^(infinity)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>1800</defaultValue>
+ </leafNode>
+ <leafNode name="route-preference">
+ <properties>
+ <help>Preference associated with the route,</help>
+ <completionHelp>
+ <list>low medium high</list>
+ </completionHelp>
+ <valueHelp>
+ <format>low</format>
+ <description>Route has low preference</description>
+ </valueHelp>
+ <valueHelp>
+ <format>medium</format>
+ <description>Route has medium preference (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>high</format>
+ <description>Route has high preference</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(low|medium|high)$</regex>
+ </constraint>
+ <constraintErrorMessage>Route preference must be low, medium or high</constraintErrorMessage>
+ </properties>
+ <defaultValue>medium</defaultValue>
+ </leafNode>
+ <leafNode name="no-remove-route">
+ <properties>
+ <help>Do not announce this route with a zero second lifetime upon shutdown</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
<tagNode name="prefix">
<properties>
<help>IPv6 prefix to be advertised in Router Advertisements (RAs)</help>
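Review bot: On the new `valid-lifetime` leaf the valueHelp `<format>1-4294967295</format>` disagrees with the validator `--range 0-4294967295`; pick one range so the help and the accepted values match (0 is meaningful in RAs as a withdrawal, so the format string is probably the one to correct). The `infinity` description says `Route will remain preferred forever`, but this is a valid-lifetime, so it should read `Route will remain valid forever`. The `route-preference` help ends in a dangling comma, `Preference associated with the route,`, and the tag's description uses `advertized` where the help on the same node uses `advertised`.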
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
new file mode 100644
index 000000000..fa73df3db
--- /dev/null
+++ b/interface-definitions/system-conntrack.xml.in
@@ -0,0 +1,348 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <children>
+ <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py">
+ <properties>
+ <help>Connection Tracking Engine Options</help>
+ <!-- Before NAT and conntrack-sync are configured -->
+ <priority>218</priority>
+ </properties>
+ <children>
+ <leafNode name="expect-table-size">
+ <properties>
+ <help>Size of connection tracking expect table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Number of entries allowed in connection tracking expect table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>2048</defaultValue>
+ </leafNode>
+ <leafNode name="hash-size">
+ <properties>
+ <help>Hash size for connection tracking table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Size of hash to use for connection tracking table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>32768</defaultValue>
+ </leafNode>
+ <node name="modules">
+ <properties>
+ <help>Connection tracking modules settings</help>
+ </properties>
+ <children>
+ <node name="ftp">
+ <properties>
+ <help>FTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="h323">
+ <properties>
+ <help>H.323 connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="nfs">
+ <properties>
+ <help>NFS connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="pptp">
+ <properties>
+ <help>PPTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="sip">
+ <properties>
+ <help>SIP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="sqlnet">
+ <properties>
+ <help>SQLnet connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="tftp">
+ <properties>
+ <help>TFTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="table-size">
+ <properties>
+ <help>Size of connection tracking table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Number of entries allowed in connection tracking table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>262144</defaultValue>
+ </leafNode>
+ <node name="tcp">
+ <properties>
+ <help>TCP options</help>
+ </properties>
+ <children>
+ <leafNode name="half-open-connections">
+ <properties>
+ <help>Maximum number of TCP half-open connections</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ <defaultValue>512</defaultValue>
+ </leafNode>
+ <leafNode name="loose">
+ <properties>
+ <help>Policy to track previously established connections</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Allow tracking of previously established connections</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Do not allow tracking of previously established connections</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="max-retrans">
+ <properties>
+ <help>TCP maximum retransmit attempts</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ <defaultValue>3</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <node name="timeout">
+ <properties>
+ <help>Connection timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="icmp">
+ <properties>
+ <help>ICMP timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>ICMP timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="other">
+ <properties>
+ <help>Generic connection timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>600</defaultValue>
+ </leafNode>
+ <node name="tcp">
+ <properties>
+ <help>TCP connection timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="close-wait">
+ <properties>
+ <help>TCP CLOSE-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="close">
+ <properties>
+ <help>TCP CLOSE timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>10</defaultValue>
+ </leafNode>
+ <leafNode name="established">
+ <properties>
+ <help>TCP ESTABLISHED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP ESTABLISHED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>432000</defaultValue>
+ </leafNode>
+ <leafNode name="fin-wait">
+ <properties>
+ <help>TCP FIN-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP FIN-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="last-ack">
+ <properties>
+ <help>TCP LAST-ACK timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP LAST-ACK timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="syn-recv">
+ <properties>
+ <help>TCP SYN-RECEIVED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-RECEIVED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="syn-sent">
+ <properties>
+ <help>TCP SYN-SENT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-SENT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="time-wait">
+ <properties>
+ <help>TCP TIME-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP TIME-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <node name="udp">
+ <properties>
+ <help>UDP timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="other">
+ <properties>
+ <help>UDP generic timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP generic timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="stream">
+ <properties>
+ <help>UDP stream timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP stream timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>180</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
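Review bot: Two valueHelp descriptions under `tcp` are copy-pasted from the timeout leaves: `half-open-connections` describes its value as `Generic connection timeout in seconds` and `max-retrans` does the same, although the leaves are a connection count and a retransmit count. They should read `Maximum number of half-open TCP connections` and `Maximum number of TCP retransmit attempts` respectively. The rest of the file is internally consistent with its `u32` formats and numeric validators.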
diff --git a/interface-definitions/system-sysctl.xml.in b/interface-definitions/system-sysctl.xml.in
new file mode 100644
index 000000000..bf118c24b
--- /dev/null
+++ b/interface-definitions/system-sysctl.xml.in
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <properties>
+ <help>System parameters</help>
+ </properties>
+ <children>
+ <node name="sysctl" owner="${vyos_conf_scripts_dir}/system_sysctl.py">
+ <properties>
+ <help>Configure kernel parameters at runtime</help>
+ <priority>318</priority>
+ </properties>
+ <children>
+ <tagNode name="parameter">
+ <properties>
+ <help>Sysctl key name</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_sysctl_parameters.sh</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Sysctl key name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="sysctl"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="value">
+ <properties>
+ <help>Sysctl configuration value</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
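Review bot: The `value` leaf under `parameter` has no constraint or valueHelp, so any string reaches the owner script that writes it into the kernel via sysctl; the key is validated by the `sysctl` validator but the value is not. At minimum a constraint rejecting control characters and line breaks would prevent a value from smuggling a second key=value line into whatever file or command the script generates — the exact character set (sysctl values may legitimately contain spaces, e.g. port ranges) depends on `system_sysctl.py`, which is outside this hunk, so hedge the regex accordingly. A `<valueHelp><format>txt</format><description>Value to assign to the sysctl key</description></valueHelp>` is also missing, unlike the sibling `parameter` node.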
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 426d7e71c..604f49cb6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,10 +1,14 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
+ <properties>
+ <help>Virtual Private Network (VPN)</help>
+ </properties>
<children>
- <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+ <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
<properties>
<help>VPN IP security (IPsec) parameters</help>
+ <priority>901</priority>
</properties>
<children>
<leafNode name="auto-update">
@@ -296,7 +300,7 @@
</completionHelp>
<valueHelp>
<format>yes</format>
- <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
+ <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
@@ -386,6 +390,7 @@
</properties>
<children>
<leafNode name="dh-group">
+ <defaultValue>2</defaultValue>
<properties>
<help>dh-grouphelp</help>
<completionHelp>
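Review bot: The new `<defaultValue>2</defaultValue>` makes Diffie-Hellman group 2 (1024-bit MODP) the implicit choice for every IKE proposal that does not set `dh-group`; that group is below current guidance and the help text (`dh-grouphelp`, still a placeholder) gives the operator no hint of it. If the default must stay 2 for compatibility with existing configurations, say so in the help, e.g. `Diffie-Hellman group (default: 2, 1024-bit MODP; prefer 14 or higher for new deployments)`; the list of permitted groups is outside this hunk, so confirm 14 is accepted before quoting it. Separately, this `<defaultValue>` is placed before `<properties>`, whereas every other leaf in this commit places it after `</properties>`.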
@@ -619,59 +624,6 @@
</leafNode>
</children>
</node>
- <node name="nat-networks">
- <properties>
- <help>Network Address Translation (NAT) networks</help>
- </properties>
- <children>
- <tagNode name="allowed-network">
- <properties>
- <help>NAT networks to allow</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to allow</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- </properties>
- <children>
- <leafNode name="exclude">
- <properties>
- <help>NAT networks to exclude from allowed-networks</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to exclude from allowed-networks</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
- <leafNode name="nat-traversal">
- <properties>
- <help>Network Address Translation (NAT) traversal</help>
- <completionHelp>
- <list>disable enable</list>
- </completionHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT-T</description>
- </valueHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT-T</description>
- </valueHelp>
- <constraint>
- <regex>^(disable|enable)$</regex>
- </constraint>
- </properties>
- </leafNode>
<node name="options">
<properties>
<help>Global IPsec settings</help>
@@ -695,19 +647,18 @@
<help>Authentication [REQUIRED]</help>
</properties>
<children>
- <node name="mode">
+ <leafNode name="mode">
<properties>
<help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use pre shared secret key</description>
+ </valueHelp>
</properties>
- <children>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Use pre-shared secret key</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
- </node>
+ </leafNode>
<leafNode name="pre-shared-secret">
<properties>
<help>Pre-shared secret key</help>
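Review bot: The converted `mode` leaf lists `pre-shared-secret` in completion and valueHelp but carries no constraint, so any string is accepted where the old `<node>` form only allowed that one child. Add `<constraint><regex>^(pre-shared-secret)$</regex></constraint>` inside `<properties>`, matching the pattern used by `route-preference` and `loose` elsewhere in this commit, so an unsupported mode is rejected at commit time rather than passed to the owner script.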
@@ -724,17 +675,21 @@
<help>DMVPN crypto configuration</help>
</properties>
<children>
- <leafNode name="bind_child">
+ <leafNode name="tunnel">
<properties>
- <help>bind_child_help</help>
- <valueless/>
+ <help>Tunnel interface associated with this configuration profile</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Tunnel interface associated with this configuration profile</description>
+ </valueHelp>
+ <multi/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="esp-group">
<properties>
- <help>Esp group name [REQUIRED]</help>
+ <help>ESP group name [REQUIRED]</help>
<completionHelp>
<path>vpn ipsec esp-group</path>
</completionHelp>
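Review bot: The new `tunnel` leaf in the DMVPN profile accepts free `txt` with `<multi/>` and no constraint, although the value names a tunnel interface. The NHRP definition in this same commit constrains the equivalent value with `<regex>^tun[0-9]+$</regex>` and `<format>tunN</format>`, and `list_interfaces.py` is already used for completion on `dhcp-interface` in a later hunk; applying the same constraint and completion here keeps the two DMVPN-facing definitions consistent and prevents a typo from silently producing an unbound profile. The enclosing `profile` tag node starts outside this hunk.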
@@ -742,7 +697,7 @@
</leafNode>
<leafNode name="ike-group">
<properties>
- <help>Ike group name [REQUIRED]</help>
+ <help>IKE group name [REQUIRED]</help>
<completionHelp>
<path>vpn ipsec ike-group</path>
</completionHelp>
@@ -909,6 +864,9 @@
<leafNode name="default-esp-group">
<properties>
<help>Defult ESP group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
</properties>
</leafNode>
<leafNode name="description">
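Review bot: The help on `default-esp-group`, visible as context on the new side, is misspelled — `Defult ESP group name` should be `Default ESP group name`. Since this hunk already touches the leaf to add completion, fixing the help in the same change would avoid a follow-up commit for a one-word typo.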
@@ -920,7 +878,9 @@
<leafNode name="dhcp-interface">
<properties>
<help>DHCP interface to listen on</help>
- <valueless/>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
</properties>
</leafNode>
<leafNode name="force-encapsulation">
@@ -1091,12 +1051,7 @@
</leafNode>
</children>
</node>
- <leafNode name="protocol">
- <properties>
- <help>Protocol to encrypt</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/ip-protocol.xml.i>
<node name="remote">
<properties>
<help>Remote parameters for interesting traffic</help>
diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in
index 91c8cd76f..dab317f68 100644
--- a/interface-definitions/vpn_pptp.xml.in
+++ b/interface-definitions/vpn_pptp.xml.in
@@ -5,6 +5,7 @@
<node name="pptp" owner="${vyos_conf_scripts_dir}/vpn_pptp.py">
<properties>
<help>Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)</help>
+ <priority>901</priority>
</properties>
<children>
<node name="remote-access">
diff --git a/interface-definitions/vpn_rsa-keys.xml.in b/interface-definitions/vpn_rsa-keys.xml.in
new file mode 100644
index 000000000..2d8e97f4f
--- /dev/null
+++ b/interface-definitions/vpn_rsa-keys.xml.in
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="vpn">
+ <children>
+ <node name="rsa-keys" owner="${vyos_conf_scripts_dir}/vpn_rsa-keys.py">
+ <properties>
+ <help>RSA keys</help>
+ <priority>900</priority>
+ </properties>
+ <children>
+ <node name="local-key">
+ <properties>
+ <help>Local RSA key</help>
+ </properties>
+ <children>
+ <leafNode name="file">
+ <properties>
+ <help>Local RSA key file location</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>File in /config/auth or /config/ipsec.d/rsa-keys</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <tagNode name="rsa-key-name">
+ <properties>
+ <help>Name of remote RSA key</help>
+ </properties>
+ <children>
+ <leafNode name="rsa-key">
+ <properties>
+ <help>Remote RSA key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Remote RSA key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
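Review bot: `local-key file` is described as `File in /config/auth or /config/ipsec.d/rsa-keys` but accepts any `txt`, so nothing at the CLI layer stops a value containing `..` or an absolute path that points outside those directories. If the owner script joins the value onto one of those directories, a constraint restricting it to a plain file name, e.g. `<constraint><regex>^[A-Za-z0-9_.-]+$</regex></constraint>` with a matching `constraintErrorMessage`, would enforce the documented location — `vpn_rsa-keys.py` is outside this diff, so confirm how the path is resolved before choosing the pattern. The remote `rsa-key` value is likewise unconstrained, and a note in its help on the expected key encoding would help operators paste the right form.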