diff options
Diffstat (limited to 'interface-definitions')
19 files changed, 173 insertions, 55 deletions
diff --git a/interface-definitions/include/conntrack/log-common.xml.i b/interface-definitions/include/conntrack/log-common.xml.i deleted file mode 100644 index 38799f8f4..000000000 --- a/interface-definitions/include/conntrack/log-common.xml.i +++ /dev/null @@ -1,20 +0,0 @@ -<!-- include start from conntrack/log-common.xml.i --> -<leafNode name="destroy"> - <properties> - <help>Log connection deletion</help> - <valueless/> - </properties> -</leafNode> -<leafNode name="new"> - <properties> - <help>Log connection creation</help> - <valueless/> - </properties> -</leafNode> -<leafNode name="update"> - <properties> - <help>Log connection updates</help> - <valueless/> - </properties> -</leafNode> -<!-- include end --> diff --git a/interface-definitions/include/conntrack/log-protocols.xml.i b/interface-definitions/include/conntrack/log-protocols.xml.i new file mode 100644 index 000000000..019250760 --- /dev/null +++ b/interface-definitions/include/conntrack/log-protocols.xml.i @@ -0,0 +1,26 @@ +<!-- include start from conntrack/log-protocols.xml.i --> +<leafNode name="icmp"> + <properties> + <help>Log connection tracking events for ICMP</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="other"> + <properties> + <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="tcp"> + <properties> + <help>Log connection tracking events for TCP</help> + <valueless/> + </properties> +</leafNode> +<leafNode name="udp"> + <properties> + <help>Log connection tracking events for UDP</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i index 55ffa3a8b..0acb08ec9 100644 --- a/interface-definitions/include/firewall/common-rule-inet.xml.i +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -7,7 +7,6 @@ #include <include/generic-disable-node.xml.i> #include <include/firewall/dscp.xml.i> #include <include/firewall/fragment.xml.i> -#include <include/firewall/match-ipsec.xml.i> #include <include/firewall/limit.xml.i> #include <include/firewall/log.xml.i> #include <include/firewall/log-options.xml.i> diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i index 960c960db..e8da1a0e1 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -9,7 +9,6 @@ #include <include/firewall/limit.xml.i> #include <include/firewall/log.xml.i> #include <include/firewall/log-options.xml.i> -#include <include/firewall/match-ipsec.xml.i> #include <include/firewall/protocol.xml.i> #include <include/firewall/nft-queue.xml.i> #include <include/firewall/recent.xml.i> diff --git a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i index 958167b89..3f7c5a0a3 100644 --- a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i @@ -9,7 +9,6 @@ #include <include/firewall/limit.xml.i> #include <include/firewall/log.xml.i> #include <include/firewall/log-options.xml.i> -#include <include/firewall/match-ipsec.xml.i> #include <include/firewall/protocol.xml.i> #include <include/firewall/nft-queue.xml.i> #include <include/firewall/recent.xml.i> diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i index cefb1ffa7..491d1a9f3 100644 --- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -27,7 +27,7 @@ <children> #include <include/firewall/common-rule-ipv4.xml.i> #include <include/firewall/inbound-interface.xml.i> - #include <include/firewall/match-ipsec.xml.i> + #include <include/firewall/match-ipsec-in.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index ca47ae09b..ee9157592 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -26,6 +26,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> @@ -53,6 +54,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv4-raw.xml.i> + #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index 17ecfe824..b431303ae 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -33,6 +33,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv4-raw.xml.i> + #include <include/firewall/match-ipsec-in.xml.i> #include <include/firewall/inbound-interface.xml.i> <leafNode name="jump-target"> <properties> diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i index e1f41e64c..154b10259 100644 --- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -27,7 +27,7 @@ <children> #include <include/firewall/common-rule-ipv6.xml.i> #include <include/firewall/inbound-interface.xml.i> - #include <include/firewall/match-ipsec.xml.i> + #include <include/firewall/match-ipsec-in.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index f877cfaaf..d3c4c1ead 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -26,6 +26,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> @@ -53,6 +54,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv6-raw.xml.i> + #include <include/firewall/match-ipsec-out.xml.i> #include <include/firewall/outbound-interface.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i index 3f384828d..21f8de6f9 100644 --- a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i @@ -33,6 +33,7 @@ </properties> <children> #include <include/firewall/common-rule-ipv6-raw.xml.i> + #include <include/firewall/match-ipsec-in.xml.i> #include <include/firewall/inbound-interface.xml.i> <leafNode name="jump-target"> <properties> diff --git a/interface-definitions/include/firewall/match-ipsec-in.xml.i b/interface-definitions/include/firewall/match-ipsec-in.xml.i new file mode 100644 index 000000000..62ed6466b --- /dev/null +++ b/interface-definitions/include/firewall/match-ipsec-in.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/match-ipsec-in.xml.i --> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec-in"> + <properties> + <help>Inbound traffic that was IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none-in"> + <properties> + <help>Inbound traffic that was not IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/match-ipsec-out.xml.i b/interface-definitions/include/firewall/match-ipsec-out.xml.i new file mode 100644 index 000000000..880fdd4d8 --- /dev/null +++ b/interface-definitions/include/firewall/match-ipsec-out.xml.i @@ -0,0 +1,21 @@ +<!-- include start from firewall/match-ipsec-out.xml.i --> +<node name="ipsec"> + <properties> + <help>Outbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec-out"> + <properties> + <help>Outbound traffic to be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none-out"> + <properties> + <help>Outbound traffic that will not be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/match-ipsec.xml.i b/interface-definitions/include/firewall/match-ipsec.xml.i index 82c2b324d..d8d31ef1a 100644 --- a/interface-definitions/include/firewall/match-ipsec.xml.i +++ b/interface-definitions/include/firewall/match-ipsec.xml.i @@ -1,21 +1,33 @@ <!-- include start from firewall/match-ipsec.xml.i --> <node name="ipsec"> <properties> - <help>Inbound IPsec packets</help> + <help>IPsec encapsulated packets</help> </properties> <children> - <leafNode name="match-ipsec"> + <leafNode name="match-ipsec-in"> <properties> - <help>Inbound IPsec packets</help> + <help>Inbound traffic that was IPsec encapsulated</help> <valueless/> </properties> </leafNode> - <leafNode name="match-none"> + <leafNode name="match-none-in"> <properties> - <help>Inbound non-IPsec packets</help> + <help>Inbound traffic that was not IPsec encapsulated</help> <valueless/> </properties> </leafNode> + <leafNode name="match-ipsec-out"> + <properties> + <help>Outbound traffic to be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none-out"> + <properties> + <help>Outbound traffic that will not be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> </children> </node> <!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i index 97795601e..203be73e7 100644 --- a/interface-definitions/include/policy/route-common.xml.i +++ b/interface-definitions/include/policy/route-common.xml.i @@ -128,6 +128,24 @@ </completionHelp> </properties> </leafNode> + <leafNode name="vrf"> + <properties> + <help>VRF to forward packet with</help> + <valueHelp> + <format>txt</format> + <description>VRF instance name</description> + </valueHelp> + <valueHelp> + <format>default</format> + <description>Forward into default global VRF</description> + </valueHelp> + <completionHelp> + <list>default</list> + <path>vrf name</path> + </completionHelp> + #include <include/constraint/vrf.xml.i> + </properties> + </leafNode> <leafNode name="tcp-mss"> <properties> <help>TCP Maximum Segment Size</help> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index 560ed9e5f..a15cf0eec 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='16'></syntaxVersion> +<syntaxVersion component='firewall' version='17'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/openvpn-version.xml.i b/interface-definitions/include/version/openvpn-version.xml.i index e03ad55c0..67ef21983 100644 --- a/interface-definitions/include/version/openvpn-version.xml.i +++ b/interface-definitions/include/version/openvpn-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/openvpn-version.xml.i --> -<syntaxVersion component='openvpn' version='3'></syntaxVersion> +<syntaxVersion component='openvpn' version='4'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in index 1860523c2..13ef3ae5b 100644 --- a/interface-definitions/interfaces_openvpn.xml.in +++ b/interface-definitions/interfaces_openvpn.xml.in @@ -87,7 +87,7 @@ </constraint> </properties> </leafNode> - <leafNode name="ncp-ciphers"> + <leafNode name="data-ciphers"> <properties> <help>Cipher negotiation list for use in server or client mode</help> <completionHelp> diff --git a/interface-definitions/system_conntrack.xml.in b/interface-definitions/system_conntrack.xml.in index 0dfa2ea81..cd59d1308 100644 --- a/interface-definitions/system_conntrack.xml.in +++ b/interface-definitions/system_conntrack.xml.in @@ -223,41 +223,78 @@ </node> <node name="log"> <properties> - <help>Log connection tracking events per protocol</help> + <help>Log connection tracking</help> </properties> <children> - <node name="icmp"> + <node name="event"> <properties> - <help>Log connection tracking events for ICMP</help> + <help>Event type and protocol</help> </properties> <children> - #include <include/conntrack/log-common.xml.i> + <node name="destroy"> + <properties> + <help>Log connection deletion</help> + </properties> + <children> + #include <include/conntrack/log-protocols.xml.i> + </children> + </node> + <node name="new"> + <properties> + <help>Log connection creation</help> + </properties> + <children> + #include <include/conntrack/log-protocols.xml.i> + </children> + </node> + <node name="update"> + <properties> + <help>Log connection updates</help> + </properties> + <children> + #include <include/conntrack/log-protocols.xml.i> + </children> + </node> </children> </node> - <node name="other"> + <leafNode name="timestamp"> <properties> - <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help> + <help>Log connection tracking events include flow-based timestamp</help> + <valueless/> </properties> - <children> - #include <include/conntrack/log-common.xml.i> - </children> - </node> - <node name="tcp"> + </leafNode> + <leafNode name="queue-size"> <properties> - <help>Log connection tracking events for TCP</help> + <help>Internal message queue size</help> + <valueHelp> + <format>u32:100-999999</format> + <description>Queue size</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Queue size must be between 100 and 999999</constraintErrorMessage> </properties> - <children> - #include <include/conntrack/log-common.xml.i> - </children> - </node> - <node name="udp"> + </leafNode> + <leafNode name="log-level"> <properties> - <help>Log connection tracking events for UDP</help> + <help>Set log-level. Log must be enable.</help> + <completionHelp> + <list>info debug</list> + </completionHelp> + <valueHelp> + <format>info</format> + <description>Info log level</description> + </valueHelp> + <valueHelp> + <format>debug</format> + <description>Debug log level</description> + </valueHelp> + <constraint> + <regex>(info|debug)</regex> + </constraint> </properties> - <children> - #include <include/conntrack/log-common.xml.i> - </children> - </node> + </leafNode> </children> </node> <node name="modules"> |