From 654c8cad2daaf84a07e4664d2c0469a863a46bdc Mon Sep 17 00:00:00 2001 
From: Viacheslav Hletenko Date: Tue, 25 May 2021 23:17:16 +0300 Subject: firewall: T3568: add XML definitions for firewall Add XML for configuration mode firewall. Used for future rewriting it to Python style. --- interface-definitions/firewall.xml.in | 782 +++++++++++++++++++++ .../firewall/action-accept-drop-reject.xml.i | 25 + .../include/firewall/action.xml.i | 21 + .../include/firewall/address-ipv6.xml.i | 37 + .../include/firewall/address.xml.i | 39 + .../include/firewall/common-rule.xml.i | 326 +++++++++ .../include/firewall/description.xml.i | 11 + .../include/firewall/icmp-type-name.xml.i | 173 +++++ interface-definitions/include/firewall/log.xml.i | 15 + .../include/firewall/name-default-action.xml.i | 25 + .../include/firewall/name-default-log.xml.i | 8 + interface-definitions/include/firewall/port.xml.i | 23 + .../firewall/source-destination-group.xml.i | 24 + 13 files changed, 1509 insertions(+) create mode 100644 interface-definitions/firewall.xml.in create mode 100644 interface-definitions/include/firewall/action-accept-drop-reject.xml.i create mode 100644 interface-definitions/include/firewall/action.xml.i create mode 100644 interface-definitions/include/firewall/address-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/address.xml.i create mode 100644 interface-definitions/include/firewall/common-rule.xml.i create mode 100644 interface-definitions/include/firewall/description.xml.i create mode 100644 interface-definitions/include/firewall/icmp-type-name.xml.i create mode 100644 interface-definitions/include/firewall/log.xml.i create mode 100644 interface-definitions/include/firewall/name-default-action.xml.i create mode 100644 interface-definitions/include/firewall/name-default-log.xml.i create mode 100644 interface-definitions/include/firewall/port.xml.i create mode 100644 interface-definitions/include/firewall/source-destination-group.xml.i (limited to 'interface-definitions') 
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in new file mode 100644 index 000000000..5528d6bc5 --- /dev/null +++ b/interface-definitions/firewall.xml.in 
@@ -0,0 +1,782 @@ + + + + + 199 + Firewall + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + ^(enable|disable)$ + + + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + ^(enable|disable)$ + + + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + ^(enable|disable)$ + + + + + + Firewall group + + + + + Firewall address-group + + + + + Address-group member + + ipv4 + IPv4 address to match + + + ipv4range + IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) + + + + + + + + + #include + + + + + Firewall ipv6-address-group + + + + + Address-group member + + ipv6 + IPv6 address to match + + + + + + + + #include + + + + + Network-group member + + + #include + + + Network-group member + + ipv6net + IPv6 address to match + + + + + + + + + + + + Firewall network-group + + + #include + + + Network-group member + + ipv4net + IPv4 Subnet to match + + + + + + + + + + + + Firewall port-group + + + #include + + + Port-group member + + txt + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + start-end + Numbered port range (e.g. 
1001-1050) + + + + + + + + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + ^(enable|disable)$ + + + + + + IPv6 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + Hop Limit + + + + + Value to match a hop limit equal to it + + u32:0-255 + Hop limit equal to value + + + + + + + + + Value to match a hop limit greater than or equal to it + + u32:0-255 + Hop limit greater than value + + + + + + + + + Value to match a hop limit less than or equal to it + + u32:0-255 + Hop limit less than value + + + + + + + + + + + ICMPv6 type and code information + + + + + ICMP type-name + + any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply + + + any + Any ICMP type/code + + + echo-reply + ICMP type/code name + + + pong + ICMP type/code name + + + destination-unreachable + ICMP type/code name + + + network-unreachable + ICMP type/code name + + + host-unreachable + ICMP type/code name + + + protocol-unreachable + ICMP type/code name + + + port-unreachable 
+ ICMP type/code name + + + fragmentation-needed + ICMP type/code name + + + source-route-failed + ICMP type/code name + + + network-unknown + ICMP type/code name + + + host-unknown + ICMP type/code name + + + network-prohibited + ICMP type/code name + + + host-prohibited + ICMP type/code name + + + TOS-network-unreachable + ICMP type/code name + + + TOS-host-unreachable + ICMP type/code name + + + communication-prohibited + ICMP type/code name + + + host-precedence-violation + ICMP type/code name + + + precedence-cutoff + ICMP type/code name + + + source-quench + ICMP type/code name + + + redirect + ICMP type/code name + + + network-redirect + ICMP type/code name + + + host-redirect + ICMP type/code name + + + TOS-network-redirect + ICMP type/code name + + + TOS host-redirect + ICMP type/code name + + + echo-request + ICMP type/code name + + + ping + ICMP type/code name + + + router-advertisement + ICMP type/code name + + + router-solicitation + ICMP type/code name + + + time-exceeded + ICMP type/code name + + + ttl-exceeded + ICMP type/code name + + + ttl-zero-during-transit + ICMP type/code name + + + ttl-zero-during-reassembly + ICMP type/code name + + + parameter-problem + ICMP type/code name + + + ip-header-bad + ICMP type/code name + + + required-option-missing + ICMP type/code name + + + timestamp-request + ICMP type/code name + + + timestamp-reply + ICMP type/code name + + + address-mask-request + ICMP type/code name + + + address-mask-reply + ICMP type/code name + + + ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS 
host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$ + + + + + + + + + P2P application packets + + + + + AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets + + + + + + AppleJuice application packets + + + + + + BitTorrent application packets + + + + + + Direct Connect application packets + + + + + + eDonkey/eMule application packets + + + + + + Gnutella application packets + + + + + + KaZaA application packets + + + + + + + + + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + ^(enable|disable)$ + + + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + ^(enable|disable)$ + + + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + ^(enable|disable)$ + + + + + + IPv4 firewall rule-set name + + + #include + #include + #include + + + Rule number (1-9999) + + + #include + #include + + + Destination parameters + + + #include + #include + #include + + + + + Source parameters + + + #include + #include + #include + + + #include + + + ICMP type and code information + + + + + ICMP code (0-255) + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type (0-255) + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + + + + + Policy for handling received IPv4 ICMP redirect 
messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect messages + + + ^(enable|disable)$ + + + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + ^(strict|loose|disable)$ + + + + + + Global firewall state-policy + + + + + Global firewall policy for packets part of an established connection + + + #include + #include + + + + + Global firewall policy for packets part of an invalid connection + + + #include + #include + + + + + Global firewall policy for packets part of a related connection + + + #include + #include + + + + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + ^(enable|disable)$ + + + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + ^(enable|disable)$ + + + + + + diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i new file mode 100644 index 000000000..9f8baa884 --- /dev/null +++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i 
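Review bot: The ICMP type-name list in this hunk spells one entry `TOS host-redirect` with a space, in both the completion list and the `^(any|echo-reply|...)$` pattern, while every sibling is hyphenated (`TOS-network-redirect`, `TOS-host-unreachable`). As written the pattern accepts only the spaced form, so `TOS-host-redirect` would presumably be rejected, and a space-separated completion list would offer `TOS` and `host-redirect` as two separate values; change both occurrences to `TOS-host-redirect`. The same list and pattern are repeated in include/firewall/icmp-type-name.xml.i and need the same fix. Separately, this copy sits under "ICMPv6 type and code information" in the IPv6 rule-set but carries IPv4 ICMP names (`source-quench`, `timestamp-request`, `address-mask-request`) and no ICMPv6-specific ones, so it is worth confirming that operators can express ICMPv6 matches by name.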
@@ -0,0 +1,25 @@ + + + + Action for packets + + accept drop reject + + + accept + Action to accept + + + drop + Action to drop + + + reject + Action to reject + + + ^(accept|drop|reject)$ + + + + diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i new file mode 100644 index 000000000..230f590cb --- /dev/null +++ b/interface-definitions/include/firewall/action.xml.i @@ -0,0 +1,21 @@ + + + + Rule action [REQUIRED] + + permit deny + + + permit + Permit matching entries + + + deny + Deny matching entries + + + ^(permit|deny)$ + + + + diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i new file mode 100644 index 000000000..fa60c0c8a --- /dev/null +++ b/interface-definitions/include/firewall/address-ipv6.xml.i @@ -0,0 +1,37 @@ + + + + IP address, subnet, or range + + ipv6 + IP address to match + + + ipv6net + Subnet to match + + + ipv6range + IP range to match + + + !ipv6 + Match everything except the specified address + + + !ipv6net + Match everything except the specified prefix + + + !ipv6range + Match everything except the specified range + + + + + + + + + + diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i new file mode 100644 index 000000000..2e1bde5a5 --- /dev/null +++ b/interface-definitions/include/firewall/address.xml.i @@ -0,0 +1,39 @@ + + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + !ipv4 + Match everything except the specified address + + + !ipv4net + Match everything except the specified prefix + + + !ipv4range + Match everything except the specified range + + + + + + + + + + + + 
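Review bot: The value set in action.xml.i is `permit`/`deny`, which does not match the `accept`/`drop`/`reject` vocabulary used by action-accept-drop-reject.xml.i and name-default-action.xml.i in the same commit. If firewall rules pull in this include (the `#include` targets are not visible in this view), a rule could not express `reject`, and a rule written with `accept` or `drop` would fail the `^(permit|deny)$` check; consider `^(accept|drop|reject)$` with matching help entries. The help text says `[REQUIRED]`, but nothing visible here enforces that, so the config script should refuse to commit a rule that has no action.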
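Review bot: The help strings in address-ipv6.xml.i say "IP address to match", "Subnet to match" and "IP range to match", whereas address.xml.i names the family ("IPv4 address to match", "IPv4 prefix to match"). Suggest `IPv6 address to match`, `IPv6 prefix to match` and `IPv6 address range to match`, so that CLI help inside an IPv6 rule-set cannot be read as accepting IPv4 values.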
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i new file mode 100644 index 000000000..466599e0a --- /dev/null +++ b/interface-definitions/include/firewall/common-rule.xml.i 
@@ -0,0 +1,326 @@ + +#include +#include + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + burst__change_me + + + + + + + + + Maximum average matching rate + + u32:0-4294967295 + rate__change_me + + + + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + ^(enable|disable)$ + + + + + + Protocol to match (protocol name, number, or "all") + + + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + 0-255 + IP protocol number + + + !<protocol> + IP protocol number + + + + + + all + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last N seconds + + u32:0-4294967295 + Source addresses seen in the last N seconds + + + + + + + + + + + Source parameters + + + #include + #include + + + Source MAC address + + <MAC address> + MAC address to match + + + !<MAC address> + Match everything except the specified MAC address + + + + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + ^(enable|disable)$ + + + + + + + + TCP flags to match + + + + + TCP flags 
to match + + txt + TCP flags to match + + + + \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset + + + + + + + + Time to match rule + + + + + Monthdays to match rule on + + + + + Date to start matching rule + + + + + Time of day to start matching rule + + + + + Date to stop matching rule + + + + + Time of day to stop matching rule + + + + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC + + + + + + Weekdays to match rule on + + + + + diff --git a/interface-definitions/include/firewall/description.xml.i b/interface-definitions/include/firewall/description.xml.i new file mode 100644 index 000000000..b6bae406b --- /dev/null +++ b/interface-definitions/include/firewall/description.xml.i @@ -0,0 +1,11 @@ + + + + Description + + txt + Description + + + + diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i new file mode 100644 index 000000000..b45fb619b --- /dev/null +++ b/interface-definitions/include/firewall/icmp-type-name.xml.i 
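Review bot: The value help for the two rate-limit leaves in common-rule.xml.i is still the placeholder text `burst__change_me` and `rate__change_me`, which operators would see in CLI help; replace them with real descriptions such as `Maximum number of packets to allow in excess of rate` and `Maximum average matching rate`. In the protocol leaf, the negated entry (`!` followed by a protocol) is described only as "IP protocol number", which hides that it inverts the match; `Match everything except the specified protocol` would be clearer. The TCP flags leaf is typed `txt` and its allowed values (SYN ACK FIN RST URG PSH ALL) appear only in the error message, so confirm that a validator restricts input to that flag set before the value reaches rule generation; the constraint element itself is not visible in this view.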
@@ -0,0 +1,173 @@ + + + + ICMP type-name + + any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply + + + any + Any ICMP type/code + + + echo-reply + ICMP type/code name + + + pong + ICMP type/code name + + + destination-unreachable + ICMP type/code name + + + network-unreachable + ICMP type/code name + + + host-unreachable + ICMP type/code name + + + protocol-unreachable + ICMP type/code name + + + port-unreachable + ICMP type/code name + + + fragmentation-needed + ICMP type/code name + + + source-route-failed + ICMP type/code name + + + network-unknown + ICMP type/code name + + + host-unknown + ICMP type/code name + + + network-prohibited + ICMP type/code name + + + host-prohibited + ICMP type/code name + + + TOS-network-unreachable + ICMP type/code name + + + TOS-host-unreachable + ICMP type/code name + + + communication-prohibited + ICMP type/code name + + + host-precedence-violation + ICMP type/code name + + + precedence-cutoff + ICMP type/code name + + + source-quench + ICMP type/code name + + + redirect + ICMP type/code name + + + network-redirect + ICMP type/code name + + + host-redirect + ICMP type/code name + + + TOS-network-redirect + ICMP type/code name + + + TOS host-redirect + ICMP type/code name + + + echo-request + ICMP type/code name + + + ping + ICMP type/code name + + + router-advertisement + ICMP type/code name + + 
+ router-solicitation + ICMP type/code name + + + time-exceeded + ICMP type/code name + + + ttl-exceeded + ICMP type/code name + + + ttl-zero-during-transit + ICMP type/code name + + + ttl-zero-during-reassembly + ICMP type/code name + + + parameter-problem + ICMP type/code name + + + ip-header-bad + ICMP type/code name + + + required-option-missing + ICMP type/code name + + + timestamp-request + ICMP type/code name + + + timestamp-reply + ICMP type/code name + + + address-mask-request + ICMP type/code name + + + address-mask-reply + ICMP type/code name + + + ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$ + + + + diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i new file mode 100644 index 000000000..46d20c1df --- /dev/null +++ b/interface-definitions/include/firewall/log.xml.i @@ -0,0 +1,15 @@ + + + + Option to log packets + + + + + Enable logging + + + + + + diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i new file mode 100644 index 000000000..1b61b076f --- /dev/null +++ b/interface-definitions/include/firewall/name-default-action.xml.i 
@@ -0,0 +1,25 @@ + + + + Default-action for rule-set + + drop reject accept + + + drop + Drop if no prior rules are hit (default) + + + reject + Drop and notify source if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + ^(drop|reject|accept)$ + + + + diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i new file mode 100644 index 000000000..979395146 --- /dev/null +++ b/interface-definitions/include/firewall/name-default-log.xml.i @@ -0,0 +1,8 @@ + + + + Option to log packets hitting default-action + + + + diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i new file mode 100644 index 000000000..59d92978b --- /dev/null +++ b/interface-definitions/include/firewall/port.xml.i @@ -0,0 +1,23 @@ + + + + Port + + txt + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + <start-end> + Numbered port range (e.g. 1001-1005) + + + + \n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005' + + + + diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i new file mode 100644 index 000000000..30226b0d8 --- /dev/null +++ b/interface-definitions/include/firewall/source-destination-group.xml.i @@ -0,0 +1,24 @@ + + + + Group + + + + + Group of addresses + + + + + Group of networks + + + + + Group of ports + + + + + -- cgit v1.2.3
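Review bot: The help text in name-default-action.xml.i marks `drop` as "(default)", but no default value is visible for this leaf in the hunk (element tags are not shown in this view). If the default lives only in the help string, a rule-set with no default-action depends entirely on the backend to fail closed. Declaring the default in the definition, or asserting it in the config script, would keep the documented behaviour and the enforced behaviour in step.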