diff options
Diffstat (limited to 'interface-definitions')
38 files changed, 2589 insertions, 146 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in new file mode 100644 index 000000000..5528d6bc5 --- /dev/null +++ b/interface-definitions/firewall.xml.in @@ -0,0 +1,782 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="nfirewall" owner="${vyos_conf_scripts_dir}/firewall.py"> + <properties> + <priority>199</priority> + <help>Firewall</help> + </properties> + <children> + <leafNode name="all-ping"> + <properties> + <help>Policy for handling of all IPv4 ICMP echo requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="broadcast-ping"> + <properties> + <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="config-trap"> + <properties> + <help>SNMP trap generation on firewall configuration changes</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending SNMP trap on firewall configuration change</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending SNMP trap on firewall configuration change</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <node name="group"> + <properties> + <help>Firewall group</help> + </properties> + <children> + <tagNode name="address-group"> + <properties> + <help>Firewall address-group</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Address-group member</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-range"/> + </constraint> + <multi/> + </properties> + </leafNode> + #include <include/firewall/description.xml.i> + </children> + </tagNode> + <tagNode name="ipv6-address-group"> + <properties> + <help>Firewall ipv6-address-group</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>Address-group member</help> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + <multi/> + </properties> + </leafNode> + #include <include/firewall/description.xml.i> + </children> + </tagNode> + <tagNode name="ipv6-network-group"> + <properties> + <help>Network-group member</help> + </properties> + <children> + #include <include/firewall/description.xml.i> + <leafNode name="network"> + <properties> + <help>Network-group member</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="network-group"> + <properties> + <help>Firewall network-group</help> + </properties> + <children> + #include <include/firewall/description.xml.i> + <leafNode name="network"> + <properties> + <help>Network-group member</help> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 Subnet to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="port-group"> + <properties> + <help>Firewall port-group</help> + </properties> + <children> + #include <include/firewall/description.xml.i> + <leafNode name="port"> + <properties> + <help>Port-group member</help> + <valueHelp> + <format>txt</format> + <description>Named port (any name in /etc/services, e.g., http)</description> + </valueHelp> + <valueHelp> + <format>u32:1-65535</format> + <description>Numbered port</description> + </valueHelp> + <valueHelp> + <format>start-end</format> + <description>Numbered port range (e.g. 1001-1050)</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + <leafNode name="ip-src-route"> + <properties> + <help>Policy for handling IPv4 packets with source route option</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv4 packets with source route option</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv4 packets with source route option</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <tagNode name="ipv6-name"> + <properties> + <help>IPv6 firewall rule-set name</help> + </properties> + <children> + #include <include/firewall/name-default-action.xml.i> + #include <include/firewall/description.xml.i> + #include <include/firewall/name-default-log.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule number (1-9999)</help> + </properties> + <children> + #include <include/firewall/action.xml.i> + #include <include/firewall/description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + #include <include/firewall/common-rule.xml.i> + <node name="hop-limit"> + <properties> + <help>Hop Limit</help> + </properties> + <children> + <leafNode name="eq"> + <properties> + <help>Value to match a hop limit equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit equal to value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="gt"> + <properties> + <help>Value to match a hop limit greater than or equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit greater than value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="lt"> + <properties> + <help>Value to match a hop limit less than or equal to it</help> + <valueHelp> + <format>u32:0-255</format> + <description>Hop limit less than value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="icmpv6"> + <properties> + <help>ICMPv6 type and code information</help> + </properties> + <children> + <leafNode name="type"> + <properties> + <help>ICMP type-name</help> + <completionHelp> + <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list> + </completionHelp> + <valueHelp> + <format>any</format> + <description>Any ICMP type/code</description> + </valueHelp> + <valueHelp> + <format>echo-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>pong</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>destination-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>protocol-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>port-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>fragmentation-needed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-route-failed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>communication-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-precedence-violation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>precedence-cutoff</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-quench</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>echo-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ping</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-advertisement</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-solicitation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>time-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-transit</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-reassembly</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>parameter-problem</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ip-header-bad</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>required-option-missing</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <constraint> + <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="p2p"> + <properties> + <help>P2P application packets</help> + </properties> + <children> + <leafNode name="all"> + <properties> + <help>AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="applejuice"> + <properties> + <help>AppleJuice application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="bittorrent"> + <properties> + <help>BitTorrent application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="directconnect"> + <properties> + <help>Direct Connect application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="edonkey"> + <properties> + <help>eDonkey/eMule application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="gnutella"> + <properties> + <help>Gnutella application packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="kazaa"> + <properties> + <help>KaZaA application packets</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <leafNode name="ipv6-receive-redirects"> + <properties> + <help>Policy for handling received ICMPv6 redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="ipv6-src-route"> + <properties> + <help>Policy for handling IPv6 packets with routing extension header</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv6 packets with routing header type 2</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv6 packets with routing header</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="log-martians"> + <properties> + <help>Policy for logging IPv4 packets with invalid addresses</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable logging of IPv4 packets with invalid addresses</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable logging of Ipv4 packets with invalid addresses</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <tagNode name="name"> + <properties> + <help>IPv4 firewall rule-set name</help> + </properties> + <children> + #include <include/firewall/name-default-action.xml.i> + #include <include/firewall/description.xml.i> + #include <include/firewall/name-default-log.xml.i> + <tagNode name="rule"> + <properties> + <help>Rule number (1-9999)</help> + </properties> + <children> + #include <include/firewall/action.xml.i> + #include <include/firewall/description.xml.i> + <node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + <node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + #include <include/firewall/port.xml.i> + </children> + </node> + #include <include/firewall/common-rule.xml.i> + <node name="icmp"> + <properties> + <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code (0-255)</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type (0-255)</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> + </node> + </children> + </tagNode> + </children> + </tagNode> + <leafNode name="receive-redirects"> + <properties> + <help>Policy for handling received IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="send-redirects"> + <properties> + <help>Policy for sending IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="source-validation"> + <properties> + <help>Policy for source validation by reversed path, as specified in RFC3704</help> + <completionHelp> + <list>strict loose disable</list> + </completionHelp> + <valueHelp> + <format>strict</format> + <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>loose</format> + <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>No source validation</description> + </valueHelp> + <constraint> + <regex>^(strict|loose|disable)$</regex> + </constraint> + </properties> + </leafNode> + <node name="state-policy"> + <properties> + <help>Global firewall state-policy</help> + </properties> + <children> + <node name="established"> + <properties> + <help>Global firewall policy for packets part of an established connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + <node name="invalid"> + <properties> + <help>Global firewall policy for packets part of an invalid connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + <node name="related"> + <properties> + <help>Global firewall policy for packets part of a related connection</help> + </properties> + <children> + #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> + </children> + </node> + </children> + </node> + <leafNode name="syn-cookies"> + <properties> + <help>Policy for using TCP SYN cookies with IPv4</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="twa-hazards-protection"> + <properties> + <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/include/bgp/afi-common.xml.i b/interface-definitions/include/bgp/afi-common.xml.i index 20b0dda66..62beff40c 100644 --- a/interface-definitions/include/bgp/afi-common.xml.i +++ b/interface-definitions/include/bgp/afi-common.xml.i @@ -88,6 +88,18 @@ </constraint> </properties> </leafNode> +<leafNode name="maximum-prefix-out"> + <properties> + <help>Maximum number of prefixes to be sent to this peer</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Prefix limit</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> +</leafNode> #include <include/bgp/afi-nexthop-self.xml.i> <leafNode name="remove-private-as"> <properties> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index e6b81ceb1..78a4fb763 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1180,6 +1180,7 @@ <constraint> <validator name="numeric" argument="--range 1-4294967294"/> </constraint> + <multi/> </properties> </leafNode> </children> diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i new file mode 100644 index 000000000..f891225e0 --- /dev/null +++ b/interface-definitions/include/conntrack-module-disable.xml.i @@ -0,0 +1,8 @@ +<!-- include start from conntrack-module-disable.xml.i --> +<leafNode name="disable"> + <properties> + <help>Disable connection tracking helper</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i new file mode 100644 index 000000000..9f8baa884 --- /dev/null +++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i @@ -0,0 +1,25 @@ +<!-- include start from firewall/action-accept-drop-reject.xml.i --> +<leafNode name="action"> + <properties> + <help>Action for packets</help> + <completionHelp> + <list>accept drop reject</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Action to accept</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Action to drop</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Action to reject</description> + </valueHelp> + <constraint> + <regex>^(accept|drop|reject)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i new file mode 100644 index 000000000..230f590cb --- /dev/null +++ b/interface-definitions/include/firewall/action.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/action.xml.i --> +<leafNode name="action"> + <properties> + <help>Rule action [REQUIRED]</help> + <completionHelp> + <list>permit deny</list> + </completionHelp> + <valueHelp> + <format>permit</format> + <description>Permit matching entries</description> + </valueHelp> + <valueHelp> + <format>deny</format> + <description>Deny matching entries</description> + </valueHelp> + <constraint> + <regex>^(permit|deny)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i new file mode 100644 index 000000000..fa60c0c8a --- /dev/null +++ b/interface-definitions/include/firewall/address-ipv6.xml.i @@ -0,0 +1,37 @@ +<!-- include start from firewall/address-ipv6.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, subnet, or range</help> + <valueHelp> + <format>ipv6</format> + <description>IP address to match</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>Subnet to match</description> + </valueHelp> + <valueHelp> + <format>ipv6range</format> + <description>IP range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv6</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv6net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv6range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <constraint> + <validator name="ipv6"/> + <validator name="ipv6-exclude"/> + <validator name="ipv6-range"/> + <validator name="ipv6-range-exclude"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i new file mode 100644 index 000000000..2e1bde5a5 --- /dev/null +++ b/interface-definitions/include/firewall/address.xml.i @@ -0,0 +1,39 @@ +<!-- include start from firewall/address.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, subnet, or range</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to match</description> + </valueHelp> + <valueHelp> + <format>ipv4range</format> + <description>IPv4 address range to match</description> + </valueHelp> + <valueHelp> + <format>!ipv4</format> + <description>Match everything except the specified address</description> + </valueHelp> + <valueHelp> + <format>!ipv4net</format> + <description>Match everything except the specified prefix</description> + </valueHelp> + <valueHelp> + <format>!ipv4range</format> + <description>Match everything except the specified range</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-prefix"/> + <validator name="ipv4-range"/> + <validator name="ipv4-address-exclude"/> + <validator name="ipv4-prefix-exclude"/> + <validator name="ipv4-range-exclude"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i new file mode 100644 index 000000000..466599e0a --- /dev/null +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -0,0 +1,326 @@ +<!-- include start from firewall/common-rule.xml.i --> +#include <include/firewall/action.xml.i> +#include <include/firewall/description.xml.i> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>burst__change_me</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>rate__change_me</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> +</leafNode> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol number</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> + <defaultValue>all</defaultValue> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last N seconds</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Source addresses seen in the last N seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/source-destination-group.xml.i> + <leafNode name="mac-address"> + <properties> + <help>Source MAC address</help> + <valueHelp> + <format><MAC address></format> + <description>MAC address to match</description> + </valueHelp> + <valueHelp> + <format>!<MAC address></format> + <description>Match everything except the specified MAC address</description> + </valueHelp> + </properties> + </leafNode> + #include <include/firewall/port.xml.i> + </children> +</node> +<node name="state"> + <properties> + <help>Session state</help> + </properties> + <children> + <leafNode name="established"> + <properties> + <help>Established state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="invalid"> + <properties> + <help>Invalid state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="new"> + <properties> + <help>New state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="related"> + <properties> + <help>Related state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="tcp"> + <properties> + <help>TCP flags to match</help> + </properties> + <children> + <leafNode name="flags"> + <properties> + <help>TCP flags to match</help> + <valueHelp> + <format>txt</format> + <description>TCP flags to match</description> + </valueHelp> + <valueHelp> + <format> </format> + <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="monthdays"> + <properties> + <help>Monthdays to match rule on</help> + </properties> + </leafNode> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + </properties> + </leafNode> + <leafNode name="utc"> + <properties> + <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="weekdays"> + <properties> + <help>Weekdays to match rule on</help> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/description.xml.i b/interface-definitions/include/firewall/description.xml.i new file mode 100644 index 000000000..b6bae406b --- /dev/null +++ b/interface-definitions/include/firewall/description.xml.i @@ -0,0 +1,11 @@ +<!-- include start from firewall/description.xml.i --> +<leafNode name="description"> + <properties> + <help>Description</help> + <valueHelp> + <format>txt</format> + <description>Description</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i new file mode 100644 index 000000000..b45fb619b --- /dev/null +++ b/interface-definitions/include/firewall/icmp-type-name.xml.i @@ -0,0 +1,173 @@ +<!-- include start from firewall/icmp-type-name.xml.i --> +<leafNode name="type-name"> + <properties> + <help>ICMP type-name</help> + <completionHelp> + <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list> + </completionHelp> + <valueHelp> + <format>any</format> + <description>Any ICMP type/code</description> + </valueHelp> + <valueHelp> + <format>echo-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>pong</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>destination-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>protocol-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>port-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>fragmentation-needed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-route-failed</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-unknown</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-host-unreachable</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>communication-prohibited</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-precedence-violation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>precedence-cutoff</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>source-quench</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS-network-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>TOS host-redirect</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>echo-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ping</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-advertisement</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>router-solicitation</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>time-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-exceeded</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-transit</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ttl-zero-during-reassembly</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>parameter-problem</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>ip-header-bad</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>required-option-missing</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>timestamp-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-request</format> + <description>ICMP type/code name</description> + </valueHelp> + <valueHelp> + <format>address-mask-reply</format> + <description>ICMP type/code name</description> + </valueHelp> + <constraint> + <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i new file mode 100644 index 000000000..46d20c1df --- /dev/null +++ b/interface-definitions/include/firewall/log.xml.i @@ -0,0 +1,15 @@ +<!-- include start from firewall/log.xml.i --> +<node name="log"> + <properties> + <help>Option to log packets</help> + </properties> + <children> + <leafNode name="enable"> + <properties> + <help>Enable logging</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i new file mode 100644 index 000000000..1b61b076f --- /dev/null +++ b/interface-definitions/include/firewall/name-default-action.xml.i @@ -0,0 +1,25 @@ +<!-- include start from firewall/name-default-action.xml.i --> +<leafNode name="default-action"> + <properties> + <help>Default-action for rule-set</help> + <completionHelp> + <list>drop reject accept</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop if no prior rules are hit (default)</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Drop and notify source if no prior rules are hit</description> + </valueHelp> + <valueHelp> + <format>accept</format> + <description>Accept if no prior rules are hit</description> + </valueHelp> + <constraint> + <regex>^(drop|reject|accept)$</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i new file mode 100644 index 000000000..979395146 --- /dev/null +++ b/interface-definitions/include/firewall/name-default-log.xml.i @@ -0,0 +1,8 @@ +<!-- include start from firewall/name-default-log.xml.i --> +<leafNode name="enable-default-log"> + <properties> + <help>Option to log packets hitting default-action</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i new file mode 100644 index 000000000..59d92978b --- /dev/null +++ b/interface-definitions/include/firewall/port.xml.i @@ -0,0 +1,23 @@ +<!-- include start from firewall/port.xml.i --> +<leafNode name="port"> + <properties> + <help>Port</help> + <valueHelp> + <format>txt</format> + <description>Named port (any name in /etc/services, e.g., http)</description> + </valueHelp> + <valueHelp> + <format>u32:1-65535</format> + <description>Numbered port</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>Numbered port range (e.g. 1001-1005)</description> + </valueHelp> + <valueHelp> + <format> </format> + <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i new file mode 100644 index 000000000..30226b0d8 --- /dev/null +++ b/interface-definitions/include/firewall/source-destination-group.xml.i @@ -0,0 +1,24 @@ +<!-- include start from firewall/source-destination-group.xml.i --> +<node name="group"> + <properties> + <help>Group</help> + </properties> + <children> + <leafNode name="address-group"> + <properties> + <help>Group of addresses</help> + </properties> + </leafNode> + <leafNode name="network-group"> + <properties> + <help>Group of networks</help> + </properties> + </leafNode> + <leafNode name="port-group"> + <properties> + <help>Group of ports</help> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/interface/interface-parameters-key.xml.i b/interface-definitions/include/interface/interface-parameters-key.xml.i index 1b1d67174..6c59f7879 100644 --- a/interface-definitions/include/interface/interface-parameters-key.xml.i +++ b/interface-definitions/include/interface/interface-parameters-key.xml.i @@ -1,7 +1,7 @@ <!-- include start from interface/interface-parameters-key.xml.i --> <leafNode name="key"> <properties> - <help>Tunnel key</help> + <help>Tunnel key (only GRE tunnels)</help> <valueHelp> <format>u32</format> <description>Tunnel key</description> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 0355054a4..9e89cbbf6 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -22,9 +22,10 @@ <leafNode name="egress-qos"> <properties> <help>VLAN egress QoS</help> - <completionHelp> - <script>echo Format for qos mapping, e.g.: '0:1 1:6 7:6'</script> - </completionHelp> + <valueHelp> + <format>txt</format> + <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> + </valueHelp> <constraint> <regex>[:0-7 ]+$</regex> </constraint> @@ -34,9 +35,10 @@ <leafNode name="ingress-qos"> <properties> <help>VLAN ingress QoS</help> - <completionHelp> - <script>echo Format for qos mapping '0:1 1:6 7:6'</script> - </completionHelp> + <valueHelp> + <format>txt</format> + <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> + </valueHelp> <constraint> <regex>[:0-7 ]+$</regex> </constraint> diff --git a/interface-definitions/include/ip-protocol.xml.i b/interface-definitions/include/ip-protocol.xml.i new file mode 100644 index 000000000..ce9345024 --- /dev/null +++ b/interface-definitions/include/ip-protocol.xml.i @@ -0,0 +1,17 @@ +<!-- include start from ip-protocol.xml.i --> +<leafNode name="protocol"> + <properties> + <help>Protocol</help> + <valueHelp> + <format>txt</format> + <description>Protocol name</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + </completionHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<!-- include end from ip-protocol.xml.i --> diff --git a/interface-definitions/include/isis/default-information-level.xml.i b/interface-definitions/include/isis/default-information-level.xml.i new file mode 100644 index 000000000..5ade72a4b --- /dev/null +++ b/interface-definitions/include/isis/default-information-level.xml.i @@ -0,0 +1,32 @@ +<!-- include start from isis/default-information-level.xml.i --> +<node name="level-1"> + <properties> + <help>Distribute default route into level-1</help> + </properties> + <children> + <leafNode name="always"> + <properties> + <help>Always advertise default route</help> + <valueless/> + </properties> + </leafNode> + #include <include/isis/metric.xml.i> + #include <include/route-map.xml.i> + </children> +</node> +<node name="level-2"> + <properties> + <help>Distribute default route into level-2</help> + </properties> + <children> + <leafNode name="always"> + <properties> + <help>Always advertise default route</help> + <valueless/> + </properties> + </leafNode> + #include <include/isis/metric.xml.i> + #include <include/route-map.xml.i> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/isis/metric.xml.i b/interface-definitions/include/isis/metric.xml.i new file mode 100644 index 000000000..30e2cdc10 --- /dev/null +++ b/interface-definitions/include/isis/metric.xml.i @@ -0,0 +1,14 @@ +<!-- include start from isis/metric.xml.i --> +<leafNode name="metric"> + <properties> + <help>Set default metric for circuit</help> + <valueHelp> + <format>u32:0-16777215</format> + <description>Default metric value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-16777215"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index c4a913385..831d12694 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i +++ b/interface-definitions/include/isis/protocol-common-config.xml.i @@ -39,18 +39,7 @@ <help>Distribute default route for IPv4</help> </properties> <children> - <leafNode name="level-1"> - <properties> - <help>Distribute default route into level-1</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="level-2"> - <properties> - <help>Distribute default route into level-2</help> - <valueless/> - </properties> - </leafNode> + #include <include/isis/default-information-level.xml.i> </children> </node> <node name="ipv6"> @@ -58,30 +47,7 @@ <help>Distribute default route for IPv6</help> </properties> <children> - <leafNode name="level-1"> - <properties> - <help>Distribute default route into level-1</help> - <completionHelp> - <list>always</list> - </completionHelp> - <valueHelp> - <format>always</format> - <description>Always advertise default route</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="level-2"> - <properties> - <help>Distribute default route into level-2</help> - <completionHelp> - <list>always</list> - </completionHelp> - <valueHelp> - <format>always</format> - <description>Always advertise default route</description> - </valueHelp> - </properties> - </leafNode> + #include <include/isis/default-information-level.xml.i> </children> </node> </children> @@ -102,7 +68,6 @@ </valueHelp> </properties> </leafNode> -<!-- <leafNode name="md5"> <properties> <help>MD5 authentication type</help> @@ -112,7 +77,6 @@ </valueHelp> </properties> </leafNode> ---> </children> </node> <leafNode name="dynamic-hostname"> @@ -144,6 +108,12 @@ </constraint> </properties> </leafNode> +<leafNode name="log-adjacency-changes"> + <properties> + <help>Log adjacency state changes</help> + <valueless/> + </properties> +</leafNode> <leafNode name="lsp-gen-interval"> <properties> <help>Minimum interval between regenerating same LSP</help> @@ -570,7 +540,7 @@ <help>Delay used while in LONG_WAIT</help> <valueHelp> <format>u32:0-60000</format> - <description>Delay used while in LONG_WAIT state (in ms)</description> + <description>Delay used while in LONG_WAIT state in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> @@ -582,7 +552,7 @@ <help>Time with no received IGP events before considering IGP stable</help> <valueHelp> <format>u32:0-60000</format> - <description>Time with no received IGP events before considering IGP stable (in ms)</description> + <description>Time with no received IGP events before considering IGP stable in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> @@ -594,7 +564,7 @@ <help>Maximum duration needed to learn all the events related to a single failure</help> <valueHelp> <format>u32:0-60000</format> - <description>Maximum duration needed to learn all the events related to a single failure (in ms)</description> + <description>Maximum duration needed to learn all the events related to a single failure in ms</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-60000"/> @@ -608,7 +578,7 @@ <help>Minimum interval between SPF calculations</help> <valueHelp> <format>u32:1-120</format> - <description>Minimum interval between consecutive SPFs in seconds</description> + <description>Interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-120"/> @@ -677,18 +647,7 @@ </constraint> </properties> </leafNode> - <leafNode name="metric"> - <properties> - <help>Set default metric for circuit</help> - <valueHelp> - <format>u32:0-16777215</format> - <description>Default metric value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-16777215"/> - </constraint> - </properties> - </leafNode> + #include <include/isis/metric.xml.i> <node name="network"> <properties> <help>Set network type</help> @@ -733,10 +692,10 @@ </leafNode> <leafNode name="psnp-interval"> <properties> - <help>Set PSNP interval in seconds</help> + <help>Set PSNP interval</help> <valueHelp> <format>u32:0-127</format> - <description>Priority value</description> + <description>PSNP interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-127"/> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 846f6eb54..2efdaea3d 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -97,6 +97,26 @@ </properties> <defaultValue>0</defaultValue> </leafNode> + <leafNode name="lacp-rate"> + <properties> + <help>Rate in which we will ask our link partner to transmit LACPDU packets</help> + <completionHelp> + <list>slow fast</list> + </completionHelp> + <valueHelp> + <format>slow</format> + <description>Request partner to transmit LACPDUs every 30 seconds (default)</description> + </valueHelp> + <valueHelp> + <format>fast</format> + <description>Request partner to transmit LACPDUs every 1 second</description> + </valueHelp> + <constraint> + <regex>^(slow|fast)$</regex> + </constraint> + </properties> + <defaultValue>slow</defaultValue> + </leafNode> <leafNode name="mode"> <properties> <help>Bonding mode</help> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 536edcb99..56f8ea79c 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -227,13 +227,22 @@ <children> <leafNode name="no-pmtu-discovery"> <properties> - <help>Disable path MTU discovery</help> + <help>Disable Path MTU Discovery on this tunnel</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="ignore-df"> + <properties> + <help>Enable IPv4 DF suppression on this tunnel</help> <valueless/> </properties> </leafNode> #include <include/interface/interface-parameters-key.xml.i> #include <include/interface/interface-parameters-tos.xml.i> #include <include/interface/interface-parameters-ttl.xml.i> + <leafNode name="ttl"> + <defaultValue>64</defaultValue> + </leafNode> </children> </node> <node name="ipv6"> diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in new file mode 100644 index 000000000..604d7dd29 --- /dev/null +++ b/interface-definitions/interfaces-vti.xml.in @@ -0,0 +1,39 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="interfaces"> + <children> + <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces-vti.py"> + <properties> + <help>Virtual Tunnel interface</help> + <priority>381</priority> + <constraint> + <regex>^vti[0-9]+$</regex> + </constraint> + <constraintErrorMessage>VTI interface must be named vtiN</constraintErrorMessage> + <valueHelp> + <format>vtiN</format> + <description>VTI interface name</description> + </valueHelp> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>IP address</help> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 address and prefix length</description> + </valueHelp> + <constraint> + <validator name="ipv4-host"/> + </constraint> + <multi/> + </properties> + </leafNode> + #include <include/interface/interface-description.xml.i> + #include <include/interface/interface-disable.xml.i> + #include <include/interface/interface-mtu-68-16000.xml.i> + </children> + </tagNode> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in index bc54baa27..0bcba9a84 100644 --- a/interface-definitions/ipsec-settings.xml.in +++ b/interface-definitions/ipsec-settings.xml.in @@ -7,6 +7,7 @@ <node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py"> <properties> <help>Global IPsec settings</help> + <priority>902</priority> </properties> <children> <leafNode name="disable-route-autoinstall"> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 900fac27e..195e074a3 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -912,7 +912,7 @@ </leafNode> <leafNode name="as-path-prepend"> <properties> - <help>as-path-prepend_help</help> + <help>Prepend string for a Border Gateway Protocol (BGP) AS-path attribute</help> <valueHelp> <format>txt</format> <description>BGP AS path prepend string (ex: "64501 64501")</description> @@ -961,7 +961,7 @@ </node> <leafNode name="community"> <properties> - <help>community_help</help> + <help>Border Gateway Protocl (BGP) community attribute</help> <completionHelp> <list>local-AS no-advertise no-export internet additive none</list> </completionHelp> @@ -1066,6 +1066,12 @@ </constraint> </properties> </leafNode> + <leafNode name="prefer-global"> + <properties> + <help>Prefer global address as the nexthop</help> + <valueless/> + </properties> + </leafNode> </children> </node> <leafNode name="large-community"> @@ -1129,7 +1135,7 @@ </leafNode> <leafNode name="origin"> <properties> - <help>origin_help</help> + <help>Border Gateway Protocl (BGP) origin code</help> <completionHelp> <list>igp egp incomplete</list> </completionHelp> diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in new file mode 100644 index 000000000..9dd9d3389 --- /dev/null +++ b/interface-definitions/protocols-nhrp.xml.in @@ -0,0 +1,134 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="protocols"> + <children> + <node name="nhrp" owner="${vyos_conf_scripts_dir}/protocols_nhrp.py"> + <properties> + <help>NHRP parameters</help> + <priority>680</priority> + </properties> + <children> + <tagNode name="tunnel"> + <properties> + <help>Tunnel for NHRP [REQUIRED]</help> + <constraint> + <regex>^tun[0-9]+$</regex> + </constraint> + <valueHelp> + <format>tunN</format> + <description>NHRP tunnel name</description> + </valueHelp> + </properties> + <children> + <leafNode name="cisco-authentication"> + <properties> + <help>Pass phrase for cisco authentication</help> + <valueHelp> + <format>txt</format> + <description>Pass phrase for cisco authentication</description> + </valueHelp> + </properties> + </leafNode> + <tagNode name="dynamic-map"> + <properties> + <help>Set an HUB tunnel address</help> + <valueHelp> + <format>ipv4net</format> + <description>Set the IP address and prefix length</description> + </valueHelp> + </properties> + <children> + <leafNode name="nbma-domain-name"> + <properties> + <help>Set HUB fqdn (nbma-address - fqdn) [REQUIRED]</help> + <valueHelp> + <format><fqdn></format> + <description>Set the external HUB fqdn</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="holding-time"> + <properties> + <help>Holding time in seconds</help> + </properties> + </leafNode> + <tagNode name="map"> + <properties> + <help>Set an HUB tunnel address</help> + </properties> + <children> + <leafNode name="cisco"> + <properties> + <help>If the statically mapped peer is running Cisco IOS, specify this</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="nbma-address"> + <properties> + <help>Set HUB address (nbma-address - external hub address or fqdn) [REQUIRED]</help> + </properties> + </leafNode> + <leafNode name="register"> + <properties> + <help>Specifies that Registration Request should be sent to this peer on startup</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="multicast"> + <properties> + <help>Set multicast for NHRP</help> + <completionHelp> + <list>dynamic nhs</list> + </completionHelp> + <constraint> + <regex>^(dynamic|nhs)$</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="non-caching"> + <properties> + <help>This can be used to reduce memory consumption on big NBMA subnets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="redirect"> + <properties> + <help>Enable sending of Cisco style NHRP Traffic Indication packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="shortcut-destination"> + <properties> + <help>This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destined to addresses in this interface</help> + <valueless/> + </properties> + </leafNode> + <tagNode name="shortcut-target"> + <properties> + <help>Defines an off-NBMA network prefix for which the GRE interface will act as a gateway</help> + </properties> + <children> + <leafNode name="holding-time"> + <properties> + <help>Holding time in seconds</help> + </properties> + </leafNode> + </children> + </tagNode> + <leafNode name="shortcut"> + <properties> + <help>Enable creation of shortcut routes. A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols-ospfv3.xml.in index 99e671b32..7b42c448d 100644 --- a/interface-definitions/protocols-ospfv3.xml.in +++ b/interface-definitions/protocols-ospfv3.xml.in @@ -25,6 +25,26 @@ </constraint> </properties> <children> + <node name="area-type"> + <properties> + <help>OSPFv3 Area type</help> + </properties> + <children> + <node name="stub"> + <properties> + <help>Stub OSPFv3 area</help> + </properties> + <children> + <leafNode name="no-summary"> + <properties> + <help>Do not inject inter-area routes into the stub</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> <leafNode name="export-list"> <properties> <help>Name of export-list</help> diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in index 94fab54a5..a73d0aae4 100644 --- a/interface-definitions/protocols-rpki.xml.in +++ b/interface-definitions/protocols-rpki.xml.in @@ -35,7 +35,7 @@ <help>Preference of the cache server</help> <valueHelp> <format>u32:1-255</format> - <description>Polling period</description> + <description>Preference of the cache server</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in new file mode 100644 index 000000000..8d6b57183 --- /dev/null +++ b/interface-definitions/service_conntrack-sync.xml.in @@ -0,0 +1,164 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/conntrack_sync.py"> + <properties> + <help>Connection tracking synchronization</help> + <priority>995</priority> + </properties> + <children> + <leafNode name="accept-protocol"> + <properties> + <help>Protocols for which local conntrack entries will be synced</help> + <completionHelp> + <list>tcp udp icmp icmp6 sctp dccp</list> + </completionHelp> + <valueHelp> + <format>tcp</format> + <description>Sync Transmission Control Protocol entries</description> + </valueHelp> + <valueHelp> + <format>udp</format> + <description>Sync User Datagram Protocol entries</description> + </valueHelp> + <valueHelp> + <format>icmp</format> + <description>Sync Internet Control Message Protocol entries</description> + </valueHelp> + <valueHelp> + <format>icmp6</format> + <description>Sync IPv6 Internet Control Message Protocol entries</description> + </valueHelp> + <valueHelp> + <format>sctp</format> + <description>Sync Stream Control Transmission Protocol entries</description> + </valueHelp> + <valueHelp> + <format>dccp</format> + <description>Sync Datagram Congestion Control Protocol entries</description> + </valueHelp> + <constraint> + <regex>^(tcp|udp|icmp|icmp6|sctp|dccp)$</regex> + </constraint> + <constraintErrorMessage>Allowed protocols: tcp udp icmp or sctp</constraintErrorMessage> + <multi/> + </properties> + </leafNode> + <leafNode name="disable-external-cache"> + <properties> + <help>Directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall.</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="event-listen-queue-size"> + <properties> + <help>Queue size for local conntrack events</help> + <valueHelp> + <format>u32</format> + <description>Queue size in MB</description> + </valueHelp> + </properties> + <defaultValue>8</defaultValue> + </leafNode> + <leafNode name="expect-sync"> + <properties> + <help>Protocol for which expect entries need to be synchronized</help> + <completionHelp> + <list>all ftp sip h323 nfs sqlnet</list> + </completionHelp> + <constraint> + <regex>^(all|ftp|sip|h323|nfs|sqlnet)$</regex> + </constraint> + <constraintErrorMessage>Invalid protocol</constraintErrorMessage> + <multi/> + </properties> + </leafNode> + <node name="failover-mechanism"> + <properties> + <help>Failover mechanism to use for conntrack-sync</help> + </properties> + <children> + <node name="vrrp"> + <properties> + <help>VRRP as failover-mechanism to use for conntrack-sync</help> + </properties> + <children> + <leafNode name="sync-group"> + <properties> + <help>VRRP sync group</help> + <completionHelp> + <path>high-availability vrrp sync-group</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + <leafNode name="ignore-address"> + <properties> + <help>IP addresses for which local conntrack entries will not be synced</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to ignore</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to ignore</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to ignore</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 prefix to ignore</description> + </valueHelp> + <constraint> + <validator name="ipv4"/> + <validator name="ipv6"/> + </constraint> + <multi/> + </properties> + </leafNode> + <tagNode name="interface"> + <properties> + <help>Interface to use for syncing conntrack entries</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py --bridgeable</script> + </completionHelp> + </properties> + <children> + <leafNode name="peer"> + <properties> + <help>IP address of the peer to send the UDP conntrack info too. This disable multicast.</help> + </properties> + </leafNode> + </children> + </tagNode> + #include <include/listen-address-ipv4.xml.i> + <leafNode name="mcast-group"> + <properties> + <help>Multicast group to use for syncing conntrack entries</help> + <constraint> + <validator name="ipv4-multicast"/> + </constraint> + </properties> + <defaultValue>225.0.0.50</defaultValue> + </leafNode> + <leafNode name="sync-queue-size"> + <properties> + <help>Queue size for syncing conntrack entries</help> + <valueHelp> + <format>u32</format> + <description>Queue size in MB</description> + </valueHelp> + </properties> + <defaultValue>1</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index dc8af67af..9d0f887a9 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -334,6 +334,45 @@ </leafNode> </children> </node> + <node name="extended-scripts"> + <properties> + <help>Extended script execution</help> + </properties> + <children> + <leafNode name="on-pre-up"> + <properties> + <help>Script to run before PPPoE session interface comes up</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-up"> + <properties> + <help>Script to run when PPPoE session interface is completely configured and started</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-down"> + <properties> + <help>Script to run when PPPoE session interface going to terminate</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + <leafNode name="on-change"> + <properties> + <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help> + <constraint> + <validator name="script"/> + </constraint> + </properties> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in index 47ac4e25d..750ae314c 100644 --- a/interface-definitions/service_router-advert.xml.in +++ b/interface-definitions/service_router-advert.xml.in @@ -10,7 +10,7 @@ <children> <tagNode name="interface"> <properties> - <help>Interface to send DDNS updates for [REQUIRED]</help> + <help>Interface to send RA on [REQUIRED]</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> @@ -154,6 +154,72 @@ <valueless/> </properties> </leafNode> + <tagNode name="route"> + <properties> + <help>IPv6 route to be advertised in Router Advertisements (RAs)</help> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 route to be advertized</description> + </valueHelp> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> + </properties> + <children> + <leafNode name="valid-lifetime"> + <properties> + <help>Time in seconds that the route will remain valid (default: 1800 seconds)</help> + <completionHelp> + <list>infinity</list> + </completionHelp> + <valueHelp> + <format>1-4294967295</format> + <description>Time in seconds that the route will remain valid</description> + </valueHelp> + <valueHelp> + <format>infinity</format> + <description>Route will remain preferred forever</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + <regex>^(infinity)$</regex> + </constraint> + </properties> + <defaultValue>1800</defaultValue> + </leafNode> + <leafNode name="route-preference"> + <properties> + <help>Preference associated with the route,</help> + <completionHelp> + <list>low medium high</list> + </completionHelp> + <valueHelp> + <format>low</format> + <description>Route has low preference</description> + </valueHelp> + <valueHelp> + <format>medium</format> + <description>Route has medium preference (default)</description> + </valueHelp> + <valueHelp> + <format>high</format> + <description>Route has high preference</description> + </valueHelp> + <constraint> + <regex>^(low|medium|high)$</regex> + </constraint> + <constraintErrorMessage>Route preference must be low, medium or high</constraintErrorMessage> + </properties> + <defaultValue>medium</defaultValue> + </leafNode> + <leafNode name="no-remove-route"> + <properties> + <help>Do not announce this route with a zero second lifetime upon shutdown</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> <tagNode name="prefix"> <properties> <help>IPv6 prefix to be advertised in Router Advertisements (RAs)</help> diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in new file mode 100644 index 000000000..fa73df3db --- /dev/null +++ b/interface-definitions/system-conntrack.xml.in @@ -0,0 +1,348 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="system"> + <children> + <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py"> + <properties> + <help>Connection Tracking Engine Options</help> + <!-- Before NAT and conntrack-sync are configured --> + <priority>218</priority> + </properties> + <children> + <leafNode name="expect-table-size"> + <properties> + <help>Size of connection tracking expect table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Number of entries allowed in connection tracking expect table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>2048</defaultValue> + </leafNode> + <leafNode name="hash-size"> + <properties> + <help>Hash size for connection tracking table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Size of hash to use for connection tracking table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>32768</defaultValue> + </leafNode> + <node name="modules"> + <properties> + <help>Connection tracking modules settings</help> + </properties> + <children> + <node name="ftp"> + <properties> + <help>FTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="h323"> + <properties> + <help>H.323 connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="nfs"> + <properties> + <help>NFS connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="pptp"> + <properties> + <help>PPTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sip"> + <properties> + <help>SIP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="sqlnet"> + <properties> + <help>SQLnet connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + <node name="tftp"> + <properties> + <help>TFTP connection tracking settings</help> + </properties> + <children> + #include <include/conntrack-module-disable.xml.i> + </children> + </node> + </children> + </node> + <leafNode name="table-size"> + <properties> + <help>Size of connection tracking table</help> + <valueHelp> + <format>u32:1-50000000</format> + <description>Number of entries allowed in connection tracking table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-50000000"/> + </constraint> + </properties> + <defaultValue>262144</defaultValue> + </leafNode> + <node name="tcp"> + <properties> + <help>TCP options</help> + </properties> + <children> + <leafNode name="half-open-connections"> + <properties> + <help>Maximum number of TCP half-open connections</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + <defaultValue>512</defaultValue> + </leafNode> + <leafNode name="loose"> + <properties> + <help>Policy to track previously established connections</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Allow tracking of previously established connections</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Do not allow tracking of previously established connections</description> + </valueHelp> + <constraint> + <regex>^(enable|disable)$</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="max-retrans"> + <properties> + <help>TCP maximum retransmit attempts</help> + <valueHelp> + <format>u32:1-2147483647</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2147483647"/> + </constraint> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + </children> + </node> + <node name="timeout"> + <properties> + <help>Connection timeout options</help> + </properties> + <children> + <leafNode name="icmp"> + <properties> + <help>ICMP timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>ICMP timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="other"> + <properties> + <help>Generic connection timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>Generic connection timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>600</defaultValue> + </leafNode> + <node name="tcp"> + <properties> + <help>TCP connection timeout options</help> + </properties> + <children> + <leafNode name="close-wait"> + <properties> + <help>TCP CLOSE-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="close"> + <properties> + <help>TCP CLOSE timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP CLOSE timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>10</defaultValue> + </leafNode> + <leafNode name="established"> + <properties> + <help>TCP ESTABLISHED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP ESTABLISHED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>432000</defaultValue> + </leafNode> + <leafNode name="fin-wait"> + <properties> + <help>TCP FIN-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP FIN-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="last-ack"> + <properties> + <help>TCP LAST-ACK timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP LAST-ACK timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="syn-recv"> + <properties> + <help>TCP SYN-RECEIVED timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-RECEIVED timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="syn-sent"> + <properties> + <help>TCP SYN-SENT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP SYN-SENT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <leafNode name="time-wait"> + <properties> + <help>TCP TIME-WAIT timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>TCP TIME-WAIT timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + </children> + </node> + <node name="udp"> + <properties> + <help>UDP timeout options</help> + </properties> + <children> + <leafNode name="other"> + <properties> + <help>UDP generic timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP generic timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="stream"> + <properties> + <help>UDP stream timeout in seconds</help> + <valueHelp> + <format>u32:1-21474836</format> + <description>UDP stream timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21474836"/> + </constraint> + </properties> + <defaultValue>180</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/system-sysctl.xml.in b/interface-definitions/system-sysctl.xml.in new file mode 100644 index 000000000..bf118c24b --- /dev/null +++ b/interface-definitions/system-sysctl.xml.in @@ -0,0 +1,40 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="system"> + <properties> + <help>System parameters</help> + </properties> + <children> + <node name="sysctl" owner="${vyos_conf_scripts_dir}/system_sysctl.py"> + <properties> + <help>Configure kernel parameters at runtime</help> + <priority>318</priority> + </properties> + <children> + <tagNode name="parameter"> + <properties> + <help>Sysctl key name</help> + <completionHelp> + <script>${vyos_completion_dir}/list_sysctl_parameters.sh</script> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Sysctl key name</description> + </valueHelp> + <constraint> + <validator name="sysctl"/> + </constraint> + </properties> + <children> + <leafNode name="value"> + <properties> + <help>Sysctl configuration value</help> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 426d7e71c..604f49cb6 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -1,10 +1,14 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="vpn"> + <properties> + <help>Virtual Private Network (VPN)</help> + </properties> <children> - <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py"> + <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py"> <properties> <help>VPN IP security (IPsec) parameters</help> + <priority>901</priority> </properties> <children> <leafNode name="auto-update"> @@ -296,7 +300,7 @@ </completionHelp> <valueHelp> <format>yes</format> - <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description> + <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description> </valueHelp> <valueHelp> <format>no</format> @@ -386,6 +390,7 @@ </properties> <children> <leafNode name="dh-group"> + <defaultValue>2</defaultValue> <properties> <help>dh-grouphelp</help> <completionHelp> @@ -619,59 +624,6 @@ </leafNode> </children> </node> - <node name="nat-networks"> - <properties> - <help>Network Address Translation (NAT) networks</help> - </properties> - <children> - <tagNode name="allowed-network"> - <properties> - <help>NAT networks to allow</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to allow</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - </properties> - <children> - <leafNode name="exclude"> - <properties> - <help>NAT networks to exclude from allowed-networks</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to exclude from allowed-networks</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - <multi/> - </properties> - </leafNode> - </children> - </tagNode> - </children> - </node> - <leafNode name="nat-traversal"> - <properties> - <help>Network Address Translation (NAT) traversal</help> - <completionHelp> - <list>disable enable</list> - </completionHelp> - <valueHelp> - <format>disable</format> - <description>Disable NAT-T</description> - </valueHelp> - <valueHelp> - <format>enable</format> - <description>Enable NAT-T</description> - </valueHelp> - <constraint> - <regex>^(disable|enable)$</regex> - </constraint> - </properties> - </leafNode> <node name="options"> <properties> <help>Global IPsec settings</help> @@ -695,19 +647,18 @@ <help>Authentication [REQUIRED]</help> </properties> <children> - <node name="mode"> + <leafNode name="mode"> <properties> <help>Authentication mode</help> + <completionHelp> + <list>pre-shared-secret</list> + </completionHelp> + <valueHelp> + <format>pre-shared-secret</format> + <description>Use pre shared secret key</description> + </valueHelp> </properties> - <children> - <leafNode name="pre-shared-secret"> - <properties> - <help>Use pre-shared secret key</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> + </leafNode> <leafNode name="pre-shared-secret"> <properties> <help>Pre-shared secret key</help> @@ -724,17 +675,21 @@ <help>DMVPN crypto configuration</help> </properties> <children> - <leafNode name="bind_child"> + <leafNode name="tunnel"> <properties> - <help>bind_child_help</help> - <valueless/> + <help>Tunnel interface associated with this configuration profile</help> + <valueHelp> + <format>txt</format> + <description>Tunnel interface associated with this configuration profile</description> + </valueHelp> + <multi/> </properties> </leafNode> </children> </node> <leafNode name="esp-group"> <properties> - <help>Esp group name [REQUIRED]</help> + <help>ESP group name [REQUIRED]</help> <completionHelp> <path>vpn ipsec esp-group</path> </completionHelp> @@ -742,7 +697,7 @@ </leafNode> <leafNode name="ike-group"> <properties> - <help>Ike group name [REQUIRED]</help> + <help>IKE group name [REQUIRED]</help> <completionHelp> <path>vpn ipsec ike-group</path> </completionHelp> @@ -909,6 +864,9 @@ <leafNode name="default-esp-group"> <properties> <help>Defult ESP group name</help> + <completionHelp> + <path>vpn ipsec esp-group</path> + </completionHelp> </properties> </leafNode> <leafNode name="description"> @@ -920,7 +878,9 @@ <leafNode name="dhcp-interface"> <properties> <help>DHCP interface to listen on</help> - <valueless/> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> </properties> </leafNode> <leafNode name="force-encapsulation"> @@ -1091,12 +1051,7 @@ </leafNode> </children> </node> - <leafNode name="protocol"> - <properties> - <help>Protocol to encrypt</help> - <valueless/> - </properties> - </leafNode> + #include <include/ip-protocol.xml.i> <node name="remote"> <properties> <help>Remote parameters for interesting traffic</help> diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in index 91c8cd76f..dab317f68 100644 --- a/interface-definitions/vpn_pptp.xml.in +++ b/interface-definitions/vpn_pptp.xml.in @@ -5,6 +5,7 @@ <node name="pptp" owner="${vyos_conf_scripts_dir}/vpn_pptp.py"> <properties> <help>Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)</help> + <priority>901</priority> </properties> <children> <node name="remote-access"> diff --git a/interface-definitions/vpn_rsa-keys.xml.in b/interface-definitions/vpn_rsa-keys.xml.in new file mode 100644 index 000000000..2d8e97f4f --- /dev/null +++ b/interface-definitions/vpn_rsa-keys.xml.in @@ -0,0 +1,47 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="vpn"> + <children> + <node name="rsa-keys" owner="${vyos_conf_scripts_dir}/vpn_rsa-keys.py"> + <properties> + <help>RSA keys</help> + <priority>900</priority> + </properties> + <children> + <node name="local-key"> + <properties> + <help>Local RSA key</help> + </properties> + <children> + <leafNode name="file"> + <properties> + <help>Local RSA key file location</help> + <valueHelp> + <format>txt</format> + <description>File in /config/auth or /config/ipsec.d/rsa-keys</description> + </valueHelp> + </properties> + </leafNode> + </children> + </node> + <tagNode name="rsa-key-name"> + <properties> + <help>Name of remote RSA key</help> + </properties> + <children> + <leafNode name="rsa-key"> + <properties> + <help>Remote RSA key</help> + <valueHelp> + <format>txt</format> + <description>Remote RSA key</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> |