<?xml version="1.0"?> <interfaceDefinition> <node name="system"> <children> <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py"> <properties> <help>Connection Tracking Engine Options</help> <!-- Before NAT and conntrack-sync are configured --> <priority>218</priority> </properties> <children> <leafNode name="flow-accounting"> <properties> <help>Enable connection tracking flow accounting</help> <valueless/> </properties> </leafNode> <leafNode name="expect-table-size"> <properties> <help>Size of connection tracking expect table</help> <valueHelp> <format>u32:1-50000000</format> <description>Number of entries allowed in connection tracking expect table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>2048</defaultValue> </leafNode> <leafNode name="hash-size"> <properties> <help>Hash size for connection tracking table</help> <valueHelp> <format>u32:1-50000000</format> <description>Size of hash to use for connection tracking table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>32768</defaultValue> </leafNode> <node name="ignore"> <properties> <help>Customized rules to ignore selective connection tracking</help> </properties> <children> <node name="ipv4"> <properties> <help>IPv4 rules</help> </properties> <children> <tagNode name="rule"> <properties> <help>Rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number of conntrack ignore rule</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> </constraint> <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> #include <include/generic-description.xml.i> <node name="destination"> <properties> <help>Destination parameters</help> </properties> <children> #include <include/firewall/source-destination-group-ipv4.xml.i> #include <include/nat-address.xml.i> #include <include/nat-port.xml.i> </children> </node> <leafNode name="inbound-interface"> <properties> <help>Interface to ignore connections tracking on</help> <completionHelp> <list>any</list> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> </leafNode> #include <include/ip-protocol.xml.i> <leafNode name="protocol"> <properties> <help>Protocol to match (protocol name, number, or "all")</help> <completionHelp> <script>${vyos_completion_dir}/list_protocols.sh</script> <list>all tcp_udp</list> </completionHelp> <valueHelp> <format>all</format> <description>All IP protocols</description> </valueHelp> <valueHelp> <format>tcp_udp</format> <description>Both TCP and UDP</description> </valueHelp> <valueHelp> <format>u32:0-255</format> <description>IP protocol number</description> </valueHelp> <valueHelp> <format><protocol></format> <description>IP protocol name</description> </valueHelp> <valueHelp> <format>!<protocol></format> <description>IP protocol name</description> </valueHelp> <constraint> <validator name="ip-protocol"/> </constraint> </properties> </leafNode> <node name="source"> <properties> <help>Source parameters</help> </properties> <children> #include <include/firewall/source-destination-group-ipv4.xml.i> #include <include/nat-address.xml.i> #include <include/nat-port.xml.i> </children> </node> #include <include/firewall/tcp-flags.xml.i> </children> </tagNode> </children> </node> <node name="ipv6"> <properties> <help>IPv6 rules</help> </properties> <children> <tagNode name="rule"> <properties> <help>Rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number of conntrack ignore rule</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> </constraint> <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> #include <include/generic-description.xml.i> <node name="destination"> <properties> <help>Destination parameters</help> </properties> <children> #include <include/firewall/address-ipv6.xml.i> #include <include/firewall/source-destination-group-ipv6.xml.i> #include <include/nat-port.xml.i> </children> </node> <leafNode name="inbound-interface"> <properties> <help>Interface to ignore connections tracking on</help> <completionHelp> <list>any</list> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> </leafNode> #include <include/ip-protocol.xml.i> <leafNode name="protocol"> <properties> <help>Protocol to match (protocol name, number, or "all")</help> <completionHelp> <script>${vyos_completion_dir}/list_protocols.sh</script> <list>all tcp_udp</list> </completionHelp> <valueHelp> <format>all</format> <description>All IP protocols</description> </valueHelp> <valueHelp> <format>tcp_udp</format> <description>Both TCP and UDP</description> </valueHelp> <valueHelp> <format>u32:0-255</format> <description>IP protocol number</description> </valueHelp> <valueHelp> <format><protocol></format> <description>IP protocol name</description> </valueHelp> <valueHelp> <format>!<protocol></format> <description>IP protocol name</description> </valueHelp> <constraint> <validator name="ip-protocol"/> </constraint> </properties> </leafNode> <node name="source"> <properties> <help>Source parameters</help> </properties> <children> #include <include/firewall/address-ipv6.xml.i> #include <include/firewall/source-destination-group-ipv6.xml.i> #include <include/nat-port.xml.i> </children> </node> #include <include/firewall/tcp-flags.xml.i> </children> </tagNode> </children> </node> </children> </node> <node name="log"> <properties> <help>Log connection tracking events per protocol</help> </properties> <children> <node name="icmp"> <properties> <help>Log connection tracking events for ICMP</help> </properties> <children> #include <include/conntrack/log-common.xml.i> </children> </node> <node name="other"> <properties> <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help> </properties> <children> #include <include/conntrack/log-common.xml.i> </children> </node> <node name="tcp"> <properties> <help>Log connection tracking events for TCP</help> </properties> <children> #include <include/conntrack/log-common.xml.i> </children> </node> <node name="udp"> <properties> <help>Log connection tracking events for UDP</help> </properties> <children> #include <include/conntrack/log-common.xml.i> </children> </node> </children> </node> <node name="modules"> <properties> <help>Connection tracking modules</help> </properties> <children> <leafNode name="ftp"> <properties> <help>FTP connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="h323"> <properties> <help>H.323 connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="nfs"> <properties> <help>NFS connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="pptp"> <properties> <help>PPTP connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="sip"> <properties> <help>SIP connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="sqlnet"> <properties> <help>SQLnet connection tracking</help> <valueless/> </properties> </leafNode> <leafNode name="tftp"> <properties> <help>TFTP connection tracking</help> <valueless/> </properties> </leafNode> </children> </node> <leafNode name="table-size"> <properties> <help>Size of connection tracking table</help> <valueHelp> <format>u32:1-50000000</format> <description>Number of entries allowed in connection tracking table</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-50000000"/> </constraint> </properties> <defaultValue>262144</defaultValue> </leafNode> <node name="tcp"> <properties> <help>TCP options</help> </properties> <children> <leafNode name="half-open-connections"> <properties> <help>Maximum number of TCP half-open connections</help> <valueHelp> <format>u32:1-2147483647</format> <description>Generic connection timeout in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-2147483647"/> </constraint> </properties> <defaultValue>512</defaultValue> </leafNode> <leafNode name="loose"> <properties> <help>Policy to track previously established connections</help> <completionHelp> <list>enable disable</list> </completionHelp> <valueHelp> <format>enable</format> <description>Allow tracking of previously established connections</description> </valueHelp> <valueHelp> <format>disable</format> <description>Do not allow tracking of previously established connections</description> </valueHelp> <constraint> <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> </leafNode> <leafNode name="max-retrans"> <properties> <help>Maximum number of packets that can be retransmitted without received an ACK</help> <valueHelp> <format>u32:1-255</format> <description>Number of packets to be retransmitted</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> </constraint> </properties> <defaultValue>3</defaultValue> </leafNode> </children> </node> <node name="timeout"> <properties> <help>Connection timeout options</help> </properties> <children> <node name="custom"> <properties> <help>Define custom timeouts per connection</help> </properties> <children> <node name="ipv4"> <properties> <help>IPv4 rules</help> </properties> <children> <tagNode name="rule"> <properties> <help>Rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number of conntrack rule</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> </constraint> <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> #include <include/generic-description.xml.i> <node name="destination"> <properties> <help>Destination parameters</help> </properties> <children> #include <include/nat-address.xml.i> #include <include/nat-port.xml.i> </children> </node> <leafNode name="inbound-interface"> <properties> <help>Interface to ignore connections tracking on</help> <completionHelp> <list>any</list> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> </leafNode> <node name="protocol"> <properties> <help>Customize protocol specific timers, one protocol configuration per rule</help> </properties> <children> #include <include/conntrack/timeout-custom-protocols.xml.i> </children> </node> <node name="source"> <properties> <help>Source parameters</help> </properties> <children> #include <include/nat-address.xml.i> #include <include/nat-port.xml.i> </children> </node> </children> </tagNode> </children> </node> <node name="ipv6"> <properties> <help>IPv6 rules</help> </properties> <children> <tagNode name="rule"> <properties> <help>Rule number</help> <valueHelp> <format>u32:1-999999</format> <description>Number of conntrack rule</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-999999"/> </constraint> <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage> </properties> <children> #include <include/generic-description.xml.i> <node name="destination"> <properties> <help>Destination parameters</help> </properties> <children> #include <include/firewall/address-ipv6.xml.i> #include <include/nat-port.xml.i> </children> </node> <leafNode name="inbound-interface"> <properties> <help>Interface to ignore connections tracking on</help> <completionHelp> <list>any</list> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> </leafNode> <node name="protocol"> <properties> <help>Customize protocol specific timers, one protocol configuration per rule</help> </properties> <children> #include <include/conntrack/timeout-custom-protocols.xml.i> </children> </node> <node name="source"> <properties> <help>Source parameters</help> </properties> <children> #include <include/firewall/address-ipv6.xml.i> #include <include/nat-port.xml.i> </children> </node> </children> </tagNode> </children> </node> </children> </node> #include <include/conntrack/timeout-common-protocols.xml.i> </children> </node> </children> </node> </children> </node> </interfaceDefinition>