<?xml version="1.0"?>
<interfaceDefinition>
  <node name="system">
    <children>
      <node name="conntrack" owner="${vyos_conf_scripts_dir}/system_conntrack.py">
        <properties>
          <help>Connection Tracking Engine Options</help>
          <!-- Before NAT and conntrack-sync are configured -->
          <priority>218</priority>
        </properties>
        <children>
          <leafNode name="flow-accounting">
            <properties>
              <help>Enable connection tracking flow accounting</help>
              <valueless/>
            </properties>
          </leafNode>
          <leafNode name="expect-table-size">
            <properties>
              <help>Size of connection tracking expect table</help>
              <valueHelp>
                <format>u32:1-50000000</format>
                <description>Number of entries allowed in connection tracking expect table</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-50000000"/>
              </constraint>
            </properties>
            <defaultValue>2048</defaultValue>
          </leafNode>
          <leafNode name="hash-size">
            <properties>
              <help>Hash size for connection tracking table</help>
              <valueHelp>
                <format>u32:1-50000000</format>
                <description>Size of hash to use for connection tracking table</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-50000000"/>
              </constraint>
            </properties>
            <defaultValue>32768</defaultValue>
          </leafNode>
          <node name="ignore">
            <properties>
              <help>Customized rules to ignore selective connection tracking</help>
            </properties>
            <children>
              <node name="ipv4">
                <properties>
                  <help>IPv4 rules</help>
                </properties>
                <children>
                  <tagNode name="rule">
                    <properties>
                      <help>Rule number</help>
                      <valueHelp>
                        <format>u32:1-999999</format>
                        <description>Number of conntrack ignore rule</description>
                      </valueHelp>
                      <constraint>
                        <validator name="numeric" argument="--range 1-999999"/>
                      </constraint>
                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                    </properties>
                    <children>
                      #include <include/generic-description.xml.i>
                      <node name="destination">
                        <properties>
                          <help>Destination parameters</help>
                        </properties>
                        <children>
                          #include <include/firewall/source-destination-group-ipv4.xml.i>
                          #include <include/nat-address.xml.i>
                          #include <include/nat-port.xml.i>
                        </children>
                      </node>
                      <leafNode name="inbound-interface">
                        <properties>
                          <help>Interface to ignore connections tracking on</help>
                          <completionHelp>
                            <list>any</list>
                            <script>${vyos_completion_dir}/list_interfaces</script>
                          </completionHelp>
                        </properties>
                      </leafNode>
                      #include <include/ip-protocol.xml.i>
                      <leafNode name="protocol">
                        <properties>
                          <help>Protocol to match (protocol name, number, or "all")</help>
                          <completionHelp>
                            <script>${vyos_completion_dir}/list_protocols.sh</script>
                            <list>all tcp_udp</list>
                          </completionHelp>
                          <valueHelp>
                            <format>all</format>
                            <description>All IP protocols</description>
                          </valueHelp>
                          <valueHelp>
                            <format>tcp_udp</format>
                            <description>Both TCP and UDP</description>
                          </valueHelp>
                          <valueHelp>
                            <format>u32:0-255</format>
                            <description>IP protocol number</description>
                          </valueHelp>
                          <valueHelp>
                            <format>&lt;protocol&gt;</format>
                            <description>IP protocol name</description>
                          </valueHelp>
                          <valueHelp>
                            <format>!&lt;protocol&gt;</format>
                            <description>IP protocol name</description>
                          </valueHelp>
                          <constraint>
                            <validator name="ip-protocol"/>
                          </constraint>
                        </properties>
                      </leafNode>
                      <node name="source">
                        <properties>
                          <help>Source parameters</help>
                        </properties>
                        <children>
                          #include <include/firewall/source-destination-group-ipv4.xml.i>
                          #include <include/nat-address.xml.i>
                          #include <include/nat-port.xml.i>
                        </children>
                      </node>
                      #include <include/firewall/tcp-flags.xml.i>
                    </children>
                  </tagNode>
                </children>
              </node>
              <node name="ipv6">
                <properties>
                  <help>IPv6 rules</help>
                </properties>
                <children>
                  <tagNode name="rule">
                    <properties>
                      <help>Rule number</help>
                      <valueHelp>
                        <format>u32:1-999999</format>
                        <description>Number of conntrack ignore rule</description>
                      </valueHelp>
                      <constraint>
                        <validator name="numeric" argument="--range 1-999999"/>
                      </constraint>
                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                    </properties>
                    <children>
                      #include <include/generic-description.xml.i>
                      <node name="destination">
                        <properties>
                          <help>Destination parameters</help>
                        </properties>
                        <children>
                          #include <include/firewall/address-ipv6.xml.i>
                          #include <include/firewall/source-destination-group-ipv6.xml.i>
                          #include <include/nat-port.xml.i>
                        </children>
                      </node>
                      <leafNode name="inbound-interface">
                        <properties>
                          <help>Interface to ignore connections tracking on</help>
                          <completionHelp>
                            <list>any</list>
                            <script>${vyos_completion_dir}/list_interfaces</script>
                          </completionHelp>
                        </properties>
                      </leafNode>
                      #include <include/ip-protocol.xml.i>
                      <leafNode name="protocol">
                        <properties>
                          <help>Protocol to match (protocol name, number, or "all")</help>
                          <completionHelp>
                            <script>${vyos_completion_dir}/list_protocols.sh</script>
                            <list>all tcp_udp</list>
                          </completionHelp>
                          <valueHelp>
                            <format>all</format>
                            <description>All IP protocols</description>
                          </valueHelp>
                          <valueHelp>
                            <format>tcp_udp</format>
                            <description>Both TCP and UDP</description>
                          </valueHelp>
                          <valueHelp>
                            <format>u32:0-255</format>
                            <description>IP protocol number</description>
                          </valueHelp>
                          <valueHelp>
                            <format>&lt;protocol&gt;</format>
                            <description>IP protocol name</description>
                          </valueHelp>
                          <valueHelp>
                            <format>!&lt;protocol&gt;</format>
                            <description>IP protocol name</description>
                          </valueHelp>
                          <constraint>
                            <validator name="ip-protocol"/>
                          </constraint>
                        </properties>
                      </leafNode>
                      <node name="source">
                        <properties>
                          <help>Source parameters</help>
                        </properties>
                        <children>
                          #include <include/firewall/address-ipv6.xml.i>
                          #include <include/firewall/source-destination-group-ipv6.xml.i>
                          #include <include/nat-port.xml.i>
                        </children>
                      </node>
                      #include <include/firewall/tcp-flags.xml.i>
                    </children>
                  </tagNode>
                </children>
              </node>

            </children>
          </node>
          <node name="log">
            <properties>
              <help>Log connection tracking events per protocol</help>
            </properties>
            <children>
              <node name="icmp">
                <properties>
                  <help>Log connection tracking events for ICMP</help>
                </properties>
                <children>
                  #include <include/conntrack/log-common.xml.i>
                </children>
              </node>
              <node name="other">
                <properties>
                  <help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help>
                </properties>
                <children>
                  #include <include/conntrack/log-common.xml.i>
                </children>
              </node>
              <node name="tcp">
                <properties>
                  <help>Log connection tracking events for TCP</help>
                </properties>
                <children>
                  #include <include/conntrack/log-common.xml.i>
                </children>
              </node>
              <node name="udp">
                <properties>
                  <help>Log connection tracking events for UDP</help>
                </properties>
                <children>
                  #include <include/conntrack/log-common.xml.i>
                </children>
              </node>
            </children>
          </node>
          <node name="modules">
            <properties>
              <help>Connection tracking modules</help>
            </properties>
            <children>
              <leafNode name="ftp">
                <properties>
                  <help>FTP connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="h323">
                <properties>
                  <help>H.323 connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="nfs">
                <properties>
                  <help>NFS connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="pptp">
                <properties>
                  <help>PPTP connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="rtsp">
                <properties>
                  <help>RTSP connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="sip">
                <properties>
                  <help>SIP connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="sqlnet">
                <properties>
                  <help>SQLnet connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
              <leafNode name="tftp">
                <properties>
                  <help>TFTP connection tracking</help>
                  <valueless/>
                </properties>
              </leafNode>
            </children>
          </node>
          <leafNode name="table-size">
            <properties>
              <help>Size of connection tracking table</help>
              <valueHelp>
                <format>u32:1-50000000</format>
                <description>Number of entries allowed in connection tracking table</description>
              </valueHelp>
              <constraint>
                <validator name="numeric" argument="--range 1-50000000"/>
              </constraint>
            </properties>
            <defaultValue>262144</defaultValue>
          </leafNode>
          <node name="tcp">
            <properties>
              <help>TCP options</help>
            </properties>
            <children>
              <leafNode name="half-open-connections">
                <properties>
                  <help>Maximum number of TCP half-open connections</help>
                  <valueHelp>
                    <format>u32:1-2147483647</format>
                    <description>Generic connection timeout in seconds</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-2147483647"/>
                  </constraint>
                </properties>
                <defaultValue>512</defaultValue>
              </leafNode>
              <leafNode name="loose">
                <properties>
                  <help>Policy to track previously established connections</help>
                  <completionHelp>
                    <list>enable disable</list>
                  </completionHelp>
                  <valueHelp>
                    <format>enable</format>
                    <description>Allow tracking of previously established connections</description>
                  </valueHelp>
                  <valueHelp>
                    <format>disable</format>
                    <description>Do not allow tracking of previously established connections</description>
                  </valueHelp>
                  <constraint>
                    <regex>(enable|disable)</regex>
                  </constraint>
                </properties>
                <defaultValue>enable</defaultValue>
              </leafNode>
              <leafNode name="max-retrans">
                <properties>
                  <help>Maximum number of packets that can be retransmitted without received an ACK</help>
                  <valueHelp>
                    <format>u32:1-255</format>
                    <description>Number of packets to be retransmitted</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-255"/>
                  </constraint>
                </properties>
                <defaultValue>3</defaultValue>
              </leafNode>
            </children>
          </node>
          <node name="timeout">
            <properties>
              <help>Connection timeout options</help>
            </properties>
            <children>
              <node name="custom">
                <properties>
                  <help>Define custom timeouts per connection</help>
                </properties>
                <children>
                  <node name="ipv4">
                    <properties>
                      <help>IPv4 rules</help>
                    </properties>
                    <children>
                      <tagNode name="rule">
                        <properties>
                          <help>Rule number</help>
                          <valueHelp>
                            <format>u32:1-999999</format>
                            <description>Number of conntrack rule</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 1-999999"/>
                          </constraint>
                          <constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
                        </properties>
                        <children>
                          #include <include/generic-description.xml.i>
                          <node name="destination">
                            <properties>
                              <help>Destination parameters</help>
                            </properties>
                            <children>
                              #include <include/nat-address.xml.i>
                              #include <include/nat-port.xml.i>
                            </children>
                          </node>
                          <leafNode name="inbound-interface">
                            <properties>
                              <help>Interface to apply custom connection timers on</help>
                              <completionHelp>
                                <list>any</list>
                                <script>${vyos_completion_dir}/list_interfaces</script>
                              </completionHelp>
                            </properties>
                          </leafNode>
                          <node name="protocol">
                            <properties>
                              <help>Customize protocol specific timers, one protocol configuration per rule</help>
                            </properties>
                            <children>
                              #include <include/conntrack/timeout-custom-protocols.xml.i>
                            </children>
                          </node>
                          <node name="source">
                            <properties>
                              <help>Source parameters</help>
                            </properties>
                            <children>
                              #include <include/nat-address.xml.i>
                              #include <include/nat-port.xml.i>
                            </children>
                          </node>
                        </children>
                      </tagNode>
                    </children>
                  </node>
                  <node name="ipv6">
                    <properties>
                      <help>IPv6 rules</help>
                    </properties>
                    <children>
                      <tagNode name="rule">
                        <properties>
                          <help>Rule number</help>
                          <valueHelp>
                            <format>u32:1-999999</format>
                            <description>Number of conntrack rule</description>
                          </valueHelp>
                          <constraint>
                            <validator name="numeric" argument="--range 1-999999"/>
                          </constraint>
                          <constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
                        </properties>
                        <children>
                          #include <include/generic-description.xml.i>
                          <node name="destination">
                            <properties>
                              <help>Destination parameters</help>
                            </properties>
                            <children>
                              #include <include/firewall/address-ipv6.xml.i>
                              #include <include/nat-port.xml.i>
                            </children>
                          </node>
                          <leafNode name="inbound-interface">
                            <properties>
                              <help>Interface to apply custom connection timers on</help>
                              <completionHelp>
                                <list>any</list>
                                <script>${vyos_completion_dir}/list_interfaces</script>
                              </completionHelp>
                            </properties>
                          </leafNode>
                          <node name="protocol">
                            <properties>
                              <help>Customize protocol specific timers, one protocol configuration per rule</help>
                            </properties>
                            <children>
                              #include <include/conntrack/timeout-custom-protocols.xml.i>
                            </children>
                          </node>
                          <node name="source">
                            <properties>
                              <help>Source parameters</help>
                            </properties>
                            <children>
                              #include <include/firewall/address-ipv6.xml.i>
                              #include <include/nat-port.xml.i>
                            </children>
                          </node>
                        </children>
                      </tagNode>
                    </children>
                  </node>
                </children>
              </node>
            </children>
          </node>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>