From 6871c5541c1962e63d7a9b75d2bb43df2a8d372b Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 15 May 2024 17:09:16 +0000 Subject: T3900: add support for raw table in firewall. --- .../include/firewall/action-and-notrack.xml.i | 8 +- .../include/firewall/add-addr-to-group-ipv4.xml.i | 25 ++ .../include/firewall/add-addr-to-group-ipv6.xml.i | 25 ++ .../include/firewall/common-rule-inet.xml.i | 239 +--------------- .../include/firewall/common-rule-ipv4-raw.xml.i | 309 +-------------------- .../include/firewall/common-rule-ipv4.xml.i | 57 +--- .../include/firewall/common-rule-ipv6-raw.xml.i | 50 ++++ .../include/firewall/common-rule-ipv6.xml.i | 57 +--- .../include/firewall/connection-status.xml.i | 28 ++ .../include/firewall/fragment.xml.i | 21 ++ interface-definitions/include/firewall/icmp.xml.i | 34 +++ .../include/firewall/icmpv6.xml.i | 34 +++ .../include/firewall/ipv4-hook-output.xml.i | 27 ++ .../include/firewall/ipv4-hook-prerouting.xml.i | 34 --- .../include/firewall/ipv6-hook-output.xml.i | 27 ++ .../include/firewall/ipv6-hook-prerouting.xml.i | 51 ++++ interface-definitions/include/firewall/limit.xml.i | 33 +++ .../include/firewall/protocol.xml.i | 34 +++ .../include/firewall/recent.xml.i | 44 +++ interface-definitions/include/firewall/time.xml.i | 70 +++++ 20 files changed, 542 insertions(+), 665 deletions(-) create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i create mode 100644 interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i create mode 100644 interface-definitions/include/firewall/connection-status.xml.i create mode 100644 interface-definitions/include/firewall/fragment.xml.i create mode 100644 interface-definitions/include/firewall/icmp.xml.i create mode 100644 interface-definitions/include/firewall/icmpv6.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i create mode 100644 interface-definitions/include/firewall/limit.xml.i create mode 100644 interface-definitions/include/firewall/protocol.xml.i create mode 100644 interface-definitions/include/firewall/recent.xml.i create mode 100644 interface-definitions/include/firewall/time.xml.i (limited to 'interface-definitions/include/firewall') diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i index 5f81a1451..e063c58d5 100644 --- a/interface-definitions/include/firewall/action-and-notrack.xml.i +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -3,12 +3,16 @@ Rule action - accept jump notrack reject return drop queue + accept continue jump notrack reject return drop queue accept Accept matching entries + + continue + Continue parsing next rule + jump Jump to another chain @@ -34,7 +38,7 @@ Igone connection tracking - (accept|jump|notrack|reject|return|drop|queue) + (accept|continue|jump|notrack|reject|return|drop|queue) diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i new file mode 100644 index 000000000..a47cadd55 --- /dev/null +++ b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i @@ -0,0 +1,25 @@ + + + + Add ip address to dynamic address-group + + + + + Add source ip addresses to dynamic address-group + + + #include + + + + + Add destination ip addresses to dynamic address-group + + + #include + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i new file mode 100644 index 000000000..2cb077450 --- /dev/null +++ b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i @@ -0,0 +1,25 @@ + + + + Add ipv6 address to dynamic ipv6-address-group + + + + + Add source ipv6 addresses to dynamic ipv6-address-group + + + #include + + + + + Add destination ipv6 addresses to dynamic ipv6-address-group + + + #include + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i index bef1c3da5..55ffa3a8b 100644 --- a/interface-definitions/include/firewall/common-rule-inet.xml.i +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -1,235 +1,24 @@ #include -#include -#include -#include -#include -#include #include -#include +#include +#include +#include #include - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - +#include +#include +#include +#include #include #include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - (destination|source) - - - - - - - - Protocol to match (protocol name, number, or "all") - - - all tcp_udp - - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - -#include +#include +#include +#include +#include +#include #include +#include #include #include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - +#include diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i index e7468bfba..960c960db 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -1,9 +1,22 @@ +#include #include #include #include -#include +#include +#include +#include +#include +#include +#include +#include +#include #include +#include +#include +#include +#include +#include Destination parameters @@ -18,228 +31,6 @@ #include -#include - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - - - - ICMP type and code information - - - - - ICMP code - - u32:0-255 - ICMP code (0-255) - - - - - - - - - ICMP type - - u32:0-255 - ICMP type (0-255) - - - - - - - #include - - - - - Inbound IPsec packets - - - - - Inbound IPsec packets - - - - - - Inbound non-IPsec packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - - - - Option to log packets matching rule - - enable disable - - - enable - Enable log - - - disable - Disable log - - - (enable|disable) - - - -#include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - (destination|source) - - - - - - - - Protocol to match (protocol name, number, or "all") - - - all tcp_udp - - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - Source parameters @@ -254,74 +45,4 @@ #include -#include -#include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - - + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i index 158c7a662..803b94b06 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -1,29 +1,8 @@ +#include #include +#include #include - - - Add ip address to dynamic address-group - - - - - Add source ip addresses to dynamic address-group - - - #include - - - - - Add destination ip addresses to dynamic address-group - - - #include - - - - Destination parameters @@ -39,38 +18,6 @@ #include - - - ICMP type and code information - - - - - ICMP code - - u32:0-255 - ICMP code (0-255) - - - - - - - - - ICMP type - - u32:0-255 - ICMP type (0-255) - - - - - - - #include - - Set jump target. Action jump must be defined to use this setting diff --git a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i new file mode 100644 index 000000000..958167b89 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i @@ -0,0 +1,50 @@ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i index 78eeb361e..bb176fe71 100644 --- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -1,29 +1,8 @@ +#include #include #include - - - Add ipv6 address to dynamic ipv6-address-group - - - - - Add source ipv6 addresses to dynamic ipv6-address-group - - - #include - - - - - Add destination ipv6 addresses to dynamic ipv6-address-group - - - #include - - - - +#include Destination parameters @@ -39,38 +18,6 @@ #include - - - ICMPv6 type and code information - - - - - ICMPv6 code - - u32:0-255 - ICMPv6 code (0-255) - - - - - - - - - ICMPv6 type - - u32:0-255 - ICMPv6 type (0-255) - - - - - - - #include - - Set jump target. Action jump must be defined to use this setting diff --git a/interface-definitions/include/firewall/connection-status.xml.i b/interface-definitions/include/firewall/connection-status.xml.i new file mode 100644 index 000000000..5236c2f4f --- /dev/null +++ b/interface-definitions/include/firewall/connection-status.xml.i @@ -0,0 +1,28 @@ + + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + (destination|source) + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/fragment.xml.i b/interface-definitions/include/firewall/fragment.xml.i new file mode 100644 index 000000000..1f4c11055 --- /dev/null +++ b/interface-definitions/include/firewall/fragment.xml.i @@ -0,0 +1,21 @@ + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/icmp.xml.i b/interface-definitions/include/firewall/icmp.xml.i new file mode 100644 index 000000000..deb50a410 --- /dev/null +++ b/interface-definitions/include/firewall/icmp.xml.i @@ -0,0 +1,34 @@ + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/icmpv6.xml.i b/interface-definitions/include/firewall/icmpv6.xml.i new file mode 100644 index 000000000..c0118626e --- /dev/null +++ b/interface-definitions/include/firewall/icmpv6.xml.i @@ -0,0 +1,34 @@ + + + + ICMPv6 type and code information + + + + + ICMPv6 code + + u32:0-255 + ICMPv6 code (0-255) + + + + + + + + + ICMPv6 type + + u32:0-255 + ICMPv6 type (0-255) + + + + + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index 2b537ce5e..ca47ae09b 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -31,6 +31,33 @@ + + + IPv4 firewall output raw + + + #include + #include + #include + + + IPv4 Firewall output raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + + diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index c38918375..17ecfe824 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -4,40 +4,6 @@ IPv4 prerouting firewall - - - IPv4 firewall prerouting filter - - - #include - #include - - - IPv4 Firewall prerouting filter rule number - - u32:1-999999 - Number for this firewall rule - - - - - Firewall rule number must be between 1 and 999999 - - - #include - #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - - - - - IPv4 firewall prerouting raw diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index ffe1c72b8..f877cfaaf 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -30,6 +30,33 @@ + + + + IPv6 firewall output raw + + + #include + #include + #include + + + IPv6 Firewall output raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i new file mode 100644 index 000000000..3f384828d --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i @@ -0,0 +1,51 @@ + + + + IPv6 prerouting firewall + + + + + IPv6 firewall prerouting raw + + + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ipv6 name + + + + + + IPv6 Firewall prerouting raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/limit.xml.i b/interface-definitions/include/firewall/limit.xml.i new file mode 100644 index 000000000..21068dec2 --- /dev/null +++ b/interface-definitions/include/firewall/limit.xml.i @@ -0,0 +1,33 @@ + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/protocol.xml.i b/interface-definitions/include/firewall/protocol.xml.i new file mode 100644 index 000000000..e391cae41 --- /dev/null +++ b/interface-definitions/include/firewall/protocol.xml.i @@ -0,0 +1,34 @@ + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/recent.xml.i b/interface-definitions/include/firewall/recent.xml.i new file mode 100644 index 000000000..38f40b916 --- /dev/null +++ b/interface-definitions/include/firewall/recent.xml.i @@ -0,0 +1,44 @@ + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/time.xml.i b/interface-definitions/include/firewall/time.xml.i new file mode 100644 index 000000000..7bd737450 --- /dev/null +++ b/interface-definitions/include/firewall/time.xml.i @@ -0,0 +1,70 @@ + + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + \ No newline at end of file -- cgit v1.2.3