From 6871c5541c1962e63d7a9b75d2bb43df2a8d372b Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Wed, 15 May 2024 17:09:16 +0000
Subject: T3900: add support for raw table in firewall.
---
data/templates/firewall/nftables.j2 | 46 ++-
interface-definitions/firewall.xml.in | 2 +
.../include/firewall/action-and-notrack.xml.i | 8 +-
.../include/firewall/add-addr-to-group-ipv4.xml.i | 25 ++
.../include/firewall/add-addr-to-group-ipv6.xml.i | 25 ++
.../include/firewall/common-rule-inet.xml.i | 239 +---------------
.../include/firewall/common-rule-ipv4-raw.xml.i | 309 +--------------------
.../include/firewall/common-rule-ipv4.xml.i | 57 +---
.../include/firewall/common-rule-ipv6-raw.xml.i | 50 ++++
.../include/firewall/common-rule-ipv6.xml.i | 57 +---
.../include/firewall/connection-status.xml.i | 28 ++
.../include/firewall/fragment.xml.i | 21 ++
interface-definitions/include/firewall/icmp.xml.i | 34 +++
.../include/firewall/icmpv6.xml.i | 34 +++
.../include/firewall/ipv4-hook-output.xml.i | 27 ++
.../include/firewall/ipv4-hook-prerouting.xml.i | 34 ---
.../include/firewall/ipv6-hook-output.xml.i | 27 ++
.../include/firewall/ipv6-hook-prerouting.xml.i | 51 ++++
interface-definitions/include/firewall/limit.xml.i | 33 +++
.../include/firewall/protocol.xml.i | 34 +++
.../include/firewall/recent.xml.i | 44 +++
interface-definitions/include/firewall/time.xml.i | 70 +++++
.../include/policy/route-common.xml.i | 72 +----
.../include/policy/route-ipv4.xml.i | 33 +--
python/vyos/firewall.py | 6 +-
smoketest/scripts/cli/test_firewall.py | 40 ++-
src/conf_mode/firewall.py | 4 +-
src/conf_mode/system_conntrack.py | 3 +
28 files changed, 625 insertions(+), 788 deletions(-)
create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
create mode 100644 interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
create mode 100644 interface-definitions/include/firewall/connection-status.xml.i
create mode 100644 interface-definitions/include/firewall/fragment.xml.i
create mode 100644 interface-definitions/include/firewall/icmp.xml.i
create mode 100644 interface-definitions/include/firewall/icmpv6.xml.i
create mode 100644 interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
create mode 100644 interface-definitions/include/firewall/limit.xml.i
create mode 100644 interface-definitions/include/firewall/protocol.xml.i
create mode 100644 interface-definitions/include/firewall/recent.xml.i
create mode 100644 interface-definitions/include/firewall/time.xml.i
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 833df3a67..343917fee 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -57,7 +57,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('FWD-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -77,7 +77,7 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('INP-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
@@ -97,14 +97,11 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('OUT-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
- chain VYOS_FRAG_MARK {
- type filter hook prerouting priority -450; policy accept;
- ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
- }
+
{% if ipv4.prerouting is vyos_defined %}
{% for prior, conf in ipv4.prerouting.items() %}
chain VYOS_PREROUTING_{{ prior }} {
@@ -117,11 +114,16 @@ table ip vyos_filter {
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('PRE-filter', 'ipv4') }}
+ {{ conf | nft_default_rule('PRE-' + prior, 'ipv4') }}
}
{% endfor %}
{% endif %}
+ chain VYOS_FRAG_MARK {
+ type filter hook prerouting priority -450; policy accept;
+ ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
+ }
+
{% if ipv4.name is vyos_defined %}
{% for name_text, conf in ipv4.name.items() %}
chain NAME_{{ name_text }} {
@@ -202,13 +204,13 @@ table ip6 vyos_filter {
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('FWD-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('FWD-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -222,13 +224,13 @@ table ip6 vyos_filter {
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('INP', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('INP-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('INP-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
@@ -242,17 +244,33 @@ table ip6 vyos_filter {
{% endif %}
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id, 'ip6') }}
{% if rule_conf.recent is vyos_defined %}
{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
{% endif %}
{% endfor %}
{% endif %}
- {{ conf | nft_default_rule('OUT-filter', 'ipv6') }}
+ {{ conf | nft_default_rule('OUT-' + prior, 'ipv6') }}
}
{% endfor %}
{% endif %}
+{% if ipv6.prerouting is vyos_defined %}
+{% for prior, conf in ipv6.prerouting.items() %}
+ chain VYOS_IPV6_PREROUTING_{{ prior }} {
+ type filter hook prerouting priority {{ prior }}; policy accept;
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('PRE', prior, rule_id, 'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule('PRE-' + prior, 'ipv6') }}
+ }
+{% endfor %}
+{% endif %}
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0xffff1 return
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 24e63c5ec..dc4625af0 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -378,6 +378,7 @@
#include <include/firewall/ipv4-hook-forward.xml.i>
#include <include/firewall/ipv4-hook-input.xml.i>
#include <include/firewall/ipv4-hook-output.xml.i>
+ #include <include/firewall/ipv4-hook-prerouting.xml.i>
#include <include/firewall/ipv4-custom-name.xml.i>
</children>
</node>
@@ -389,6 +390,7 @@
#include <include/firewall/ipv6-hook-forward.xml.i>
#include <include/firewall/ipv6-hook-input.xml.i>
#include <include/firewall/ipv6-hook-output.xml.i>
+ #include <include/firewall/ipv6-hook-prerouting.xml.i>
#include <include/firewall/ipv6-custom-name.xml.i>
</children>
</node>
diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i
index 5f81a1451..e063c58d5 100644
--- a/interface-definitions/include/firewall/action-and-notrack.xml.i
+++ b/interface-definitions/include/firewall/action-and-notrack.xml.i
@@ -3,12 +3,16 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept jump notrack reject return drop queue</list>
+ <list>accept continue jump notrack reject return drop queue</list>
</completionHelp>
<valueHelp>
<format>accept</format>
<description>Accept matching entries</description>
</valueHelp>
+ <valueHelp>
+ <format>continue</format>
+ <description>Continue parsing next rule</description>
+ </valueHelp>
<valueHelp>
<format>jump</format>
<description>Jump to another chain</description>
@@ -34,7 +38,7 @@
<description>Igone connection tracking</description>
</valueHelp>
<constraint>
- <regex>(accept|jump|notrack|reject|return|drop|queue)</regex>
+ <regex>(accept|continue|jump|notrack|reject|return|drop|queue)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
new file mode 100644
index 000000000..a47cadd55
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv4.xml.i -->
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ip address to dynamic address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
new file mode 100644
index 000000000..2cb077450
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv6.xml.i -->
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ipv6 address to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index bef1c3da5..55ffa3a8b 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -1,235 +1,24 @@
<!-- include start from firewall/common-rule-inet.xml.i -->
#include <include/firewall/action.xml.i>
-#include <include/generic-description.xml.i>
-#include <include/firewall/dscp.xml.i>
-#include <include/firewall/packet-options.xml.i>
-#include <include/firewall/firewall-mark.xml.i>
-#include <include/firewall/connection-mark.xml.i>
#include <include/firewall/conntrack-helper.xml.i>
-#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/connection-status.xml.i>
+#include <include/generic-description.xml.i>
#include <include/generic-disable-node.xml.i>
-<node name="fragment">
- <properties>
- <help>IP fragment match</help>
- </properties>
- <children>
- <leafNode name="match-frag">
- <properties>
- <help>Second and further fragments of fragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-non-frag">
- <properties>
- <help>Head fragments or unfragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="limit">
- <properties>
- <help>Rate limit using a token bucket filter</help>
- </properties>
- <children>
- <leafNode name="burst">
- <properties>
- <help>Maximum number of packets to allow in excess of rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum number of packets to allow in excess of rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="rate">
- <properties>
- <help>Maximum average matching rate</help>
- <valueHelp>
- <format>txt</format>
- <description>integer/unit (Example: 5/minute)</description>
- </valueHelp>
- <constraint>
- <regex>\d+/(second|minute|hour|day)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/limit.xml.i>
#include <include/firewall/log.xml.i>
#include <include/firewall/log-options.xml.i>
-<node name="connection-status">
- <properties>
- <help>Connection status</help>
- </properties>
- <children>
- <leafNode name="nat">
- <properties>
- <help>NAT connection status</help>
- <completionHelp>
- <list>destination source</list>
- </completionHelp>
- <valueHelp>
- <format>destination</format>
- <description>Match connections that are subject to destination NAT</description>
- </valueHelp>
- <valueHelp>
- <format>source</format>
- <description>Match connections that are subject to source NAT</description>
- </valueHelp>
- <constraint>
- <regex>(destination|source)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="protocol">
- <properties>
- <help>Protocol to match (protocol name, number, or "all")</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_protocols.sh</script>
- <list>all tcp_udp</list>
- </completionHelp>
- <valueHelp>
- <format>all</format>
- <description>All IP protocols</description>
- </valueHelp>
- <valueHelp>
- <format>tcp_udp</format>
- <description>Both TCP and UDP</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-255</format>
- <description>IP protocol number</description>
- </valueHelp>
- <valueHelp>
- <format><protocol></format>
- <description>IP protocol name</description>
- </valueHelp>
- <valueHelp>
- <format>!<protocol></format>
- <description>IP protocol name</description>
- </valueHelp>
- <constraint>
- <validator name="ip-protocol"/>
- </constraint>
- </properties>
-</leafNode>
-<node name="recent">
- <properties>
- <help>Parameters for matching recently seen sources</help>
- </properties>
- <children>
- <leafNode name="count">
- <properties>
- <help>Source addresses seen more than N times</help>
- <valueHelp>
- <format>u32:1-255</format>
- <description>Source addresses seen more than N times</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="time">
- <properties>
- <help>Source addresses seen in the last second/minute/hour</help>
- <completionHelp>
- <list>second minute hour</list>
- </completionHelp>
- <valueHelp>
- <format>second</format>
- <description>Source addresses seen COUNT times in the last second</description>
- </valueHelp>
- <valueHelp>
- <format>minute</format>
- <description>Source addresses seen COUNT times in the last minute</description>
- </valueHelp>
- <valueHelp>
- <format>hour</format>
- <description>Source addresses seen COUNT times in the last hour</description>
- </valueHelp>
- <constraint>
- <regex>(second|minute|hour)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-#include <include/firewall/synproxy.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
#include <include/firewall/state.xml.i>
+#include <include/firewall/synproxy.xml.i>
#include <include/firewall/tcp-flags.xml.i>
#include <include/firewall/tcp-mss.xml.i>
-<node name="time">
- <properties>
- <help>Time to match rule</help>
- </properties>
- <children>
- <leafNode name="startdate">
- <properties>
- <help>Date to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="starttime">
- <properties>
- <help>Time of day to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stopdate">
- <properties>
- <help>Date to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stoptime">
- <properties>
- <help>Time of day to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="weekdays">
- <properties>
- <help>Comma separated weekdays to match rule on</help>
- <valueHelp>
- <format>txt</format>
- <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-6</format>
- <description>Day number (0 = Sunday ... 6 = Saturday)</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/time.xml.i>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index e7468bfba..960c960db 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -1,9 +1,22 @@
<!-- include start from firewall/common-rule-ipv4-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
#include <include/firewall/action-and-notrack.xml.i>
#include <include/generic-description.xml.i>
#include <include/firewall/dscp.xml.i>
-#include <include/firewall/ttl.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmp.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/protocol.xml.i>
#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/ttl.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -18,228 +31,6 @@
#include <include/firewall/source-destination-group.xml.i>
</children>
</node>
-#include <include/generic-disable-node.xml.i>
-<node name="fragment">
- <properties>
- <help>IP fragment match</help>
- </properties>
- <children>
- <leafNode name="match-frag">
- <properties>
- <help>Second and further fragments of fragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-non-frag">
- <properties>
- <help>Head fragments or unfragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
-</node>
-<node name="ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- </properties>
- <children>
- <leafNode name="match-ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-none">
- <properties>
- <help>Inbound non-IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="limit">
- <properties>
- <help>Rate limit using a token bucket filter</help>
- </properties>
- <children>
- <leafNode name="burst">
- <properties>
- <help>Maximum number of packets to allow in excess of rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum number of packets to allow in excess of rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="rate">
- <properties>
- <help>Maximum average matching rate</help>
- <valueHelp>
- <format>txt</format>
- <description>integer/unit (Example: 5/minute)</description>
- </valueHelp>
- <constraint>
- <regex>\d+/(second|minute|hour|day)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="log">
- <properties>
- <help>Option to log packets matching rule</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable log</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable log</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
-</leafNode>
-#include <include/firewall/log-options.xml.i>
-<node name="connection-status">
- <properties>
- <help>Connection status</help>
- </properties>
- <children>
- <leafNode name="nat">
- <properties>
- <help>NAT connection status</help>
- <completionHelp>
- <list>destination source</list>
- </completionHelp>
- <valueHelp>
- <format>destination</format>
- <description>Match connections that are subject to destination NAT</description>
- </valueHelp>
- <valueHelp>
- <format>source</format>
- <description>Match connections that are subject to source NAT</description>
- </valueHelp>
- <constraint>
- <regex>(destination|source)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="protocol">
- <properties>
- <help>Protocol to match (protocol name, number, or "all")</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_protocols.sh</script>
- <list>all tcp_udp</list>
- </completionHelp>
- <valueHelp>
- <format>all</format>
- <description>All IP protocols</description>
- </valueHelp>
- <valueHelp>
- <format>tcp_udp</format>
- <description>Both TCP and UDP</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-255</format>
- <description>IP protocol number</description>
- </valueHelp>
- <valueHelp>
- <format><protocol></format>
- <description>IP protocol name</description>
- </valueHelp>
- <valueHelp>
- <format>!<protocol></format>
- <description>IP protocol name</description>
- </valueHelp>
- <constraint>
- <validator name="ip-protocol"/>
- </constraint>
- </properties>
-</leafNode>
-<node name="recent">
- <properties>
- <help>Parameters for matching recently seen sources</help>
- </properties>
- <children>
- <leafNode name="count">
- <properties>
- <help>Source addresses seen more than N times</help>
- <valueHelp>
- <format>u32:1-255</format>
- <description>Source addresses seen more than N times</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="time">
- <properties>
- <help>Source addresses seen in the last second/minute/hour</help>
- <completionHelp>
- <list>second minute hour</list>
- </completionHelp>
- <valueHelp>
- <format>second</format>
- <description>Source addresses seen COUNT times in the last second</description>
- </valueHelp>
- <valueHelp>
- <format>minute</format>
- <description>Source addresses seen COUNT times in the last minute</description>
- </valueHelp>
- <valueHelp>
- <format>hour</format>
- <description>Source addresses seen COUNT times in the last hour</description>
- </valueHelp>
- <constraint>
- <regex>(second|minute|hour)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
<node name="source">
<properties>
<help>Source parameters</help>
@@ -254,74 +45,4 @@
#include <include/firewall/source-destination-group.xml.i>
</children>
</node>
-#include <include/firewall/tcp-flags.xml.i>
-#include <include/firewall/tcp-mss.xml.i>
-<node name="time">
- <properties>
- <help>Time to match rule</help>
- </properties>
- <children>
- <leafNode name="startdate">
- <properties>
- <help>Date to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="starttime">
- <properties>
- <help>Time of day to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stopdate">
- <properties>
- <help>Date to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stoptime">
- <properties>
- <help>Time of day to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="weekdays">
- <properties>
- <help>Comma separated weekdays to match rule on</help>
- <valueHelp>
- <format>txt</format>
- <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-6</format>
- <description>Day number (0 = Sunday ... 6 = Saturday)</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
-</node>
-<!-- include end -->
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
index 158c7a662..803b94b06 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -1,29 +1,8 @@
<!-- include start from firewall/common-rule-ipv4.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/icmp.xml.i>
#include <include/firewall/ttl.xml.i>
-<node name="add-address-to-group">
- <properties>
- <help>Add ip address to dynamic address-group</help>
- </properties>
- <children>
- <node name="source-address">
- <properties>
- <help>Add source ip addresses to dynamic address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-address-groups.xml.i>
- </children>
- </node>
- <node name="destination-address">
- <properties>
- <help>Add destination ip addresses to dynamic address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-address-groups.xml.i>
- </children>
- </node>
- </children>
-</node>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -39,38 +18,6 @@
#include <include/firewall/source-destination-dynamic-group.xml.i>
</children>
</node>
-<node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
-</node>
<leafNode name="jump-target">
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
new file mode 100644
index 000000000..958167b89
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
@@ -0,0 +1,50 @@
+<!-- include start from firewall/common-rule-ipv6-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
+#include <include/firewall/action-and-notrack.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmpv6.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+ </children>
+</node>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
index 78eeb361e..bb176fe71 100644
--- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -1,29 +1,8 @@
<!-- include start from firewall/common-rule-ipv6.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
#include <include/firewall/common-rule-inet.xml.i>
#include <include/firewall/hop-limit.xml.i>
-<node name="add-address-to-group">
- <properties>
- <help>Add ipv6 address to dynamic ipv6-address-group</help>
- </properties>
- <children>
- <node name="source-address">
- <properties>
- <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
- </children>
- </node>
- <node name="destination-address">
- <properties>
- <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
- </children>
- </node>
- </children>
-</node>
+#include <include/firewall/icmpv6.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -39,38 +18,6 @@
#include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
</children>
</node>
-<node name="icmpv6">
- <properties>
- <help>ICMPv6 type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMPv6 code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMPv6 type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmpv6-type-name.xml.i>
- </children>
-</node>
<leafNode name="jump-target">
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/connection-status.xml.i b/interface-definitions/include/firewall/connection-status.xml.i
new file mode 100644
index 000000000..5236c2f4f
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-status.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from firewall/connection-status.xml.i -->
+<node name="connection-status">
+ <properties>
+ <help>Connection status</help>
+ </properties>
+ <children>
+ <leafNode name="nat">
+ <properties>
+ <help>NAT connection status</help>
+ <completionHelp>
+ <list>destination source</list>
+ </completionHelp>
+ <valueHelp>
+ <format>destination</format>
+ <description>Match connections that are subject to destination NAT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source</format>
+ <description>Match connections that are subject to source NAT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(destination|source)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/fragment.xml.i b/interface-definitions/include/firewall/fragment.xml.i
new file mode 100644
index 000000000..1f4c11055
--- /dev/null
+++ b/interface-definitions/include/firewall/fragment.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/fragment.xml.i -->
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/icmp.xml.i b/interface-definitions/include/firewall/icmp.xml.i
new file mode 100644
index 000000000..deb50a410
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmp.xml.i -->
+<node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/icmpv6.xml.i b/interface-definitions/include/firewall/icmpv6.xml.i
new file mode 100644
index 000000000..c0118626e
--- /dev/null
+++ b/interface-definitions/include/firewall/icmpv6.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmpv6.xml.i -->
+<node name="icmpv6">
+ <properties>
+ <help>ICMPv6 type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMPv6 code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMPv6 type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmpv6-type-name.xml.i>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
index 2b537ce5e..ca47ae09b 100644
--- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -31,6 +31,33 @@
</tagNode>
</children>
</node>
+ <node name="raw">
+ <properties>
+ <help>IPv4 firewall output raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/firewall/default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall output raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4-raw.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
index c38918375..17ecfe824 100644
--- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
@@ -4,40 +4,6 @@
<help>IPv4 prerouting firewall</help>
</properties>
<children>
- <node name="filter">
- <properties>
- <help>IPv4 firewall prerouting filter</help>
- </properties>
- <children>
- #include <include/firewall/default-action-base-chains.xml.i>
- #include <include/generic-description.xml.i>
- <tagNode name="rule">
- <properties>
- <help>IPv4 Firewall prerouting filter rule number</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/common-rule-ipv4.xml.i>
- #include <include/firewall/inbound-interface.xml.i>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall ipv4 name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
<node name="raw">
<properties>
<help>IPv4 firewall prerouting raw</help>
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
index ffe1c72b8..f877cfaaf 100644
--- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -30,6 +30,33 @@
</children>
</tagNode>
</children>
+ </node>
+ <node name="raw">
+ <properties>
+ <help>IPv6 firewall output raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/firewall/default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall output raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6-raw.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
</node>
</children>
</node>
diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
new file mode 100644
index 000000000..3f384828d
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from firewall/ipv6-hook-prerouting.xml.i -->
+<node name="prerouting">
+ <properties>
+ <help>IPv6 prerouting firewall</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>IPv6 firewall prerouting raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="default-jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall prerouting raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6-raw.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ <leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/limit.xml.i b/interface-definitions/include/firewall/limit.xml.i
new file mode 100644
index 000000000..21068dec2
--- /dev/null
+++ b/interface-definitions/include/firewall/limit.xml.i
@@ -0,0 +1,33 @@
+<!-- include start from firewall/limit.xml.i -->
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Maximum number of packets to allow in excess of rate</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>integer/unit (Example: 5/minute)</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+/(second|minute|hour|day)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/protocol.xml.i b/interface-definitions/include/firewall/protocol.xml.i
new file mode 100644
index 000000000..e391cae41
--- /dev/null
+++ b/interface-definitions/include/firewall/protocol.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format><protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!<protocol></format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/recent.xml.i b/interface-definitions/include/firewall/recent.xml.i
new file mode 100644
index 000000000..38f40b916
--- /dev/null
+++ b/interface-definitions/include/firewall/recent.xml.i
@@ -0,0 +1,44 @@
+<!-- include start from firewall/recent.xml.i -->
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last second/minute/hour</help>
+ <completionHelp>
+ <list>second minute hour</list>
+ </completionHelp>
+ <valueHelp>
+ <format>second</format>
+ <description>Source addresses seen COUNT times in the last second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>minute</format>
+ <description>Source addresses seen COUNT times in the last minute</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hour</format>
+ <description>Source addresses seen COUNT times in the last hour</description>
+ </valueHelp>
+ <constraint>
+ <regex>(second|minute|hour)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/time.xml.i b/interface-definitions/include/firewall/time.xml.i
new file mode 100644
index 000000000..7bd737450
--- /dev/null
+++ b/interface-definitions/include/firewall/time.xml.i
@@ -0,0 +1,70 @@
+<!-- include start from firewall/time.xml.i -->
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Comma separated weekdays to match rule on</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-6</format>
+ <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index e412fe58e..97795601e 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -3,75 +3,9 @@
#include <include/generic-description.xml.i>
#include <include/firewall/firewall-mark.xml.i>
#include <include/generic-disable-node.xml.i>
-<node name="fragment">
- <properties>
- <help>IP fragment match</help>
- </properties>
- <children>
- <leafNode name="match-frag">
- <properties>
- <help>Second and further fragments of fragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-non-frag">
- <properties>
- <help>Head fragments or unfragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- </properties>
- <children>
- <leafNode name="match-ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-none">
- <properties>
- <help>Inbound non-IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="limit">
- <properties>
- <help>Rate limit using a token bucket filter</help>
- </properties>
- <children>
- <leafNode name="burst">
- <properties>
- <help>Maximum number of packets to allow in excess of rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum number of packets to allow in excess of rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="rate">
- <properties>
- <help>Maximum average matching rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum average matching rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/fragment.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/limit.xml.i>
#include <include/firewall/log.xml.i>
<leafNode name="protocol">
<properties>
diff --git a/interface-definitions/include/policy/route-ipv4.xml.i b/interface-definitions/include/policy/route-ipv4.xml.i
index 1f717a1a4..c12abcae2 100644
--- a/interface-definitions/include/policy/route-ipv4.xml.i
+++ b/interface-definitions/include/policy/route-ipv4.xml.i
@@ -10,36 +10,5 @@
#include <include/firewall/port.xml.i>
</children>
</node>
-<node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code (0-255)</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type (0-255)</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
-</node>
+#include <include/firewall/icmp.xml.i>
<!-- include end -->
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index d7b7b80a8..664df28cc 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -178,6 +178,8 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
hook_name = 'input'
if hook == 'OUT':
hook_name = 'output'
+ if hook == 'PRE':
+ hook_name = 'prerouting'
if hook == 'NAM':
hook_name = f'name{def_suffix}'
output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{hook_name}_{fw_name}_{rule_id}_{prefix}')
@@ -193,6 +195,8 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
hook_name = 'input'
if hook == 'OUT':
hook_name = 'output'
+ if hook == 'PRE':
+ hook_name = 'prerouting'
if hook == 'NAM':
hook_name = f'name'
output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}')
@@ -477,8 +481,6 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
output.append(f'tcp option maxseg size set {mss}')
if 'action' in rule_conf:
- # Change action=return to action=action
- # #output.append(nft_action(rule_conf['action']))
if rule_conf['action'] == 'offload':
offload_target = rule_conf['offload_target']
output.append(f'flow add @VYOS_FLOWTABLE_{offload_target}')
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index c47562714..5cf2b2146 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -236,6 +236,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'protocol', 'icmp'])
self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark])
+ self.cli_set(['firewall', 'ipv4', 'output', 'raw', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'raw', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'output', 'raw', 'rule', '1', 'protocol', 'udp'])
+
+ self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23'])
+
self.cli_commit()
mark_hex = "{0:#010x}".format(int(conn_mark))
@@ -256,6 +264,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['meta l4proto gre', f'oifname != "{interface}"', 'drop'],
['meta l4proto icmp', f'ct mark {mark_hex}', 'return'],
['log prefix "[ipv4-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'],
+ ['chain VYOS_OUTPUT_raw'],
+ ['type filter hook output priority raw; policy accept;'],
+ ['udp', 'accept'],
+ ['OUT-raw default-action drop', 'drop'],
+ ['chain VYOS_PREROUTING_raw'],
+ ['type filter hook prerouting priority raw; policy accept;'],
+ ['tcp dport 23', 'drop'],
+ ['PRE-raw default-action accept', 'accept'],
['chain NAME_smoketest'],
['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[ipv4-NAM-smoketest-1-A]" log level debug', 'ip ttl 15', 'accept'],
['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[ipv4-NAM-smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
@@ -446,16 +462,24 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'destination', 'port', '8888'])
self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'inbound-interface', 'name', interface])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2'])
+ self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'name', interface])
+
self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-action', 'drop'])
self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'default-log'])
self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'action', 'return'])
self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'protocol', 'gre'])
self.cli_set(['firewall', 'ipv6', 'output', 'filter', 'rule', '3', 'outbound-interface', 'name', interface])
- self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'action', 'accept'])
- self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
- self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'source', 'address', '2002::1:2'])
- self.cli_set(['firewall', 'ipv6', 'input', 'filter', 'rule', '3', 'inbound-interface', 'name', interface])
+ self.cli_set(['firewall', 'ipv6', 'output', 'raw', 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'raw', 'rule', '1', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv6', 'output', 'raw', 'rule', '1', 'protocol', 'udp'])
+
+ self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv6', 'prerouting', 'raw', 'rule', '1', 'destination', 'port', '23'])
self.cli_commit()
@@ -472,6 +496,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['type filter hook output priority filter; policy accept;'],
['meta l4proto gre', f'oifname "{interface}"', 'return'],
['log prefix "[ipv6-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'],
+ ['chain VYOS_IPV6_OUTPUT_raw'],
+ ['type filter hook output priority raw; policy accept;'],
+ ['udp', 'accept'],
+ ['OUT-raw default-action drop', 'drop'],
+ ['chain VYOS_IPV6_PREROUTING_raw'],
+ ['type filter hook prerouting priority raw; policy accept;'],
+ ['tcp dport 23', 'drop'],
+ ['PRE-raw default-action accept', 'accept'],
[f'chain NAME6_{name}'],
['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
[f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index e96e57154..acf3805d2 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -351,7 +351,7 @@ def verify(firewall):
verify_nested_group(group_name, group, groups, [])
if 'ipv4' in firewall:
- for name in ['name','forward','input','output']:
+ for name in ['name','forward','input','output', 'prerouting']:
if name in firewall['ipv4']:
for name_id, name_conf in firewall['ipv4'][name].items():
if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
@@ -371,7 +371,7 @@ def verify(firewall):
verify_rule(firewall, rule_conf, False)
if 'ipv6' in firewall:
- for name in ['name','forward','input','output']:
+ for name in ['name','forward','input','output', 'prerouting']:
if name in firewall['ipv6']:
for name_id, name_conf in firewall['ipv6'][name].items():
if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf:
diff --git a/src/conf_mode/system_conntrack.py b/src/conf_mode/system_conntrack.py
index 031fe63b0..d9c38fd95 100755
--- a/src/conf_mode/system_conntrack.py
+++ b/src/conf_mode/system_conntrack.py
@@ -18,6 +18,7 @@ import os
from sys import exit
+from vyos.base import Warning
from vyos.config import Config
from vyos.configdep import set_dependents, call_dependents
from vyos.utils.dict import dict_search
@@ -165,6 +166,8 @@ def verify(conntrack):
if not group_obj:
Warning(f'{error_group} "{group_name}" has no members!')
+ Warning(f'It is prefered to defined {inet} conntrack ignore rules in the <firewall {inet} prerouting raw> section')
+
if dict_search_args(conntrack, 'timeout', 'custom', inet, 'rule') != None:
for rule, rule_config in conntrack['timeout']['custom'][inet]['rule'].items():
if 'protocol' not in rule_config:
--
cgit v1.2.3