summaryrefslogtreecommitdiff
path: root/docs/configuration/policy/route.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/policy/route.rst')
-rw-r--r--docs/configuration/policy/route.rst421
1 files changed, 421 insertions, 0 deletions
diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst
new file mode 100644
index 00000000..ffbe85b2
--- /dev/null
+++ b/docs/configuration/policy/route.rst
@@ -0,0 +1,421 @@
+############
+Route Policy
+############
+
+Route and IPv6 route policies are defined in this section. This route policies
+can then be associated to interfaces.
+
+*************
+Configuration
+*************
+
+Route
+=====
+
+.. cfgcmd:: set policy route <text>
+
+ This command creates a new route policy, identified by <text>.
+
+.. cfgcmd:: set policy route <text> description <text>
+
+ Set description for the route policy.
+
+.. cfgcmd:: set policy route <text> enable-default-log
+
+ Option to log packets hitting default-action.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> description <text>
+
+ Set description for rule in route policy.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> action drop
+
+ Set rule action to drop.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination address
+ <match_criteria>
+
+ Set match criteria based on destination address, where <match_criteria>
+ could be:
+
+ * <x.x.x.x>: IP address to match.
+ * <x.x.x.x/x>: Subnet to match.
+ * <x.x.x.x>-<x.x.x.x>: IP range to match.
+ * !<x.x.x.x>: Match everything except the specified address.
+ * !<x.x.x.x/x>: Match everything except the specified subnet.
+ * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination group
+ <address-group|network-group|port-group> <text>
+
+ Set destination match criteria based on groups, where <text> would be the
+ group name/identifier.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> destination port
+ <match_criteria>
+
+ Set match criteria based on destination port, where <match_criteria> could
+ be:
+
+ * <port name>: Named port (any name in /etc/services, e.g., http).
+ * <1-65535>: Numbered port.
+ * <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+ Multiple destination ports can be specified as a comma-separated list. The
+ whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy route <text> rule <1-9999> disable
+
+ Option to disable rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> fragment
+ <match-grag|match-non-frag>
+
+ Set IP fragment match, where:
+
+ * match-frag: Second and further fragments of fragmented packets.
+ * match-non-frag: Head fragments or unfragmented packets.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> icmp <code|type|type-name>
+
+ Set ICMP match criterias, based on code and/or types. Types could be
+ referenced by number or by name.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> ipsec
+ <match-ipsec|match-none>
+
+ Set IPSec inbound match criterias, where:
+
+ * match-ipsec: match inbound IPsec packets.
+ * match-none: match inbound non-IPsec packets.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> limit burst <0-4294967295>
+
+ Set maximum number of packets to alow in excess of rate
+
+.. cfgcmd:: set policy route <text> rule <1-9999> limit rate <text>
+
+ Set maximum average matching rate. Format for rate: integer/time_unit, where
+ time_unit could be any one of second, minute, hour or day.For example
+ 1/second implies rule to be matched at an average of once per second.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> log <enable|disable>
+
+ Option to enable or disable log matching rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> log <text>
+
+ Option to log matching rule.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> protocol
+ <text|0-255|tcp_udp|all|!protocol>
+
+ Set protocol to match. Protocol name in /etc/protocols or protocol number,
+ or "tcp_udp" or "all". Also, protocol could be denied by using !.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> recent <count|time>
+ <1-255|0-4294967295>
+
+ Set parameters for matching recently seen sources. This match could be used
+ by seeting count (source address seen more than <1-255> times) and/or time
+ (source address seen in the last <0-4294967295> seconds).
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set dscp <0-63>
+
+ Set packet modifications: Packet Differentiated Services Codepoint (DSCP)
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set mark <1-2147483647>
+
+ Set packet modifications: Packet marking
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set table <main|1-200>
+
+ Set packet modifications: Routing table to forward packet with.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> set tcp-mss <500-1460>
+
+ Set packet modifications: Explicitly set TCP Maximum segment size value.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source address
+ <match_criteria>
+
+ Set match criteria based on source address, where <match_criteria> could be:
+
+ * <x.x.x.x>: IP address to match.
+ * <x.x.x.x/x>: Subnet to match.
+ * <x.x.x.x>-<x.x.x.x>: IP range to match.
+ * !<x.x.x.x>: Match everything except the specified address.
+ * !<x.x.x.x/x>: Match everything except the specified subnet.
+ * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source group
+ <address-group|network-group|port-group> <text>
+
+ Set source match criteria based on groups, where <text> would be the group
+ name/identifier.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> source port <match_criteria>
+
+ Set match criteria based on source port, where <match_criteria> could be:
+
+ * <port name>: Named port (any name in /etc/services, e.g., http).
+ * <1-65535>: Numbered port.
+ * <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+ Multiple source ports can be specified as a comma-separated list. The whole
+ list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
+
+.. cfgcmd:: set policy route <text> rule <1-9999> state
+ <established|invalid|new|related> <disable|enable>
+
+ Set match criteria based on session state.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> tcp flags <text>
+
+ Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK
+ FIN RST URG PSH ALL. When specifying more than one flag, flags should be
+ comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match
+ packets with the SYN flag set, and the ACK, FIN and RST flags unset.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time monthdays <text>
+
+ Set monthdays to match rule on. Format for monthdays: 2,12,21.
+ To negate add ! at the front eg. !2,12,21
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time startdate <text>
+
+ Set date to start matching rule. Format for date: yyyy-mm-dd. To specify
+ time of date with startdate, append 'T' to date followed by time in 24 hour
+ notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to
+ 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time starttime <text>
+
+ Set time of day to start matching rule. Format of time: hh:mm:ss using 24
+ hours notation.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time stopdate <text>
+
+ Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time
+ of date with stopdate, append 'T' to date followed by time in 24 hour
+ notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to
+ 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time stoptime <text>
+
+ Set time of day to stop matching rule. Format of time: hh:mm:ss using 24
+ hours notation.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time utc
+
+ Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
+
+.. cfgcmd:: set policy route <text> rule <1-9999> time weekdays
+
+ Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add !
+ at the front eg. !Mon,Thu,Sat.
+
+
+IPv6 Route
+==========
+
+.. cfgcmd:: set policy ipv6-route <text>
+
+ This command creates a new IPv6 route policy, identified by <text>.
+
+.. cfgcmd:: set policy ipv6-route <text> description <text>
+
+ Set description for the IPv6 route policy.
+
+.. cfgcmd:: set policy ipv6-route <text> enable-default-log
+
+ Option to log packets hitting default-action.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> action drop
+
+ Set rule action to drop.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> description <text>
+
+ Set description for rule in IPv6 route policy.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination address
+ <match_criteria>
+
+ Set match criteria based on destination IPv6 address, where <match_criteria>
+ could be:
+
+ * <h:h:h:h:h:h:h:h>: IPv6 address to match.
+ * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match.
+ * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match.
+ * !<h:h:h:h:h:h:h:h>: Match everything except the specified address.
+ * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix.
+ * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the
+ specified range.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination port
+ <match_criteria>
+
+ Set match criteria based on destination port, where <match_criteria> could
+ be:
+
+ * <port name>: Named port (any name in /etc/services, e.g., http).
+ * <1-65535>: Numbered port.
+ * <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+ Multiple destination ports can be specified as a comma-separated list. The
+ whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> disable
+
+ Option to disable rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> icmpv6 type <icmpv6_typ>
+
+ Set ICMPv6 match criterias, based on ICMPv6 type/code name.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> ipsec
+ <match-ipsec|match-none>
+
+ Set IPSec inbound match criterias, where:
+
+ * match-ipsec: match inbound IPsec packets.
+ * match-none: match inbound non-IPsec packets.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit burst
+ <0-4294967295>
+
+ Set maximum number of packets to alow in excess of rate
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit rate <text>
+
+ Set maximum average matching rate. Format for rate: integer/time_unit, where
+ time_unit could be any one of second, minute, hour or day.For example
+ 1/second implies rule to be matched at an average of once per second.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <enable|disable>
+
+ Option to enable or disable log matching rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <text>
+
+ Option to log matching rule.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> protocol
+ <text|0-255|tcp_udp|all|!protocol>
+
+ Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or
+ protocol number, or "tcp_udp" or "all". Also, protocol could be denied by
+ using !.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> recent <count|time>
+ <1-255|0-4294967295>
+
+ Set parameters for matching recently seen sources. This match could be used
+ by seeting count (source address seen more than <1-255> times) and/or time
+ (source address seen in the last <0-4294967295> seconds).
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set dscp <0-63>
+
+ Set packet modifications: Packet Differentiated Services Codepoint (DSCP)
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set mark <1-2147483647>
+
+ Set packet modifications: Packet marking.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set table <main|1-200>
+
+ Set packet modifications: Routing table to forward packet with.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set tcp-mss
+ <pmtu|500-1460>
+
+ Set packet modifications: pmtu option automatically set to Path Maximum
+ Transfer Unit minus 60 bytes. Otherwise, expliicitly set TCP MSS value from
+ 500 to 1460.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source address
+ <match_criteria>
+
+ Set match criteria based on IPv6 source address, where <match_criteria>
+ could be:
+
+ * <h:h:h:h:h:h:h:h>: IPv6 address to match
+ * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match
+ * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match
+ * !<h:h:h:h:h:h:h:h>: Match everything except the specified address
+ * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix
+ * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the
+ specified range
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source mac-address
+ <MAC_address|!MAC_address>
+
+ Set source match criteria based on MAC address. Declare specific MAC address
+ to match, or match everything except the specified MAC.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source port
+ <match_criteria>
+
+ Set match criteria based on source port, where <match_criteria> could be:
+
+ * <port name>: Named port (any name in /etc/services, e.g., http).
+ * <1-65535>: Numbered port.
+ * <start>-<end>: Numbered port range (e.g., 1001-1005).
+
+ Multiple source ports can be specified as a comma-separated list. The whole
+ list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> state
+ <established|invalid|new|related> <disable|enable>
+
+ Set match criteria based on session state.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> tcp flags <text>
+
+ Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK
+ FIN RST URG PSH ALL. When specifying more than one flag, flags should be
+ comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match
+ packets with the SYN flag set, and the ACK, FIN and RST flags unset.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time monthdays <text>
+
+ Set monthdays to match rule on. Format for monthdays: 2,12,21.
+ To negate add ! at the front eg. !2,12,21
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time startdate <text>
+
+ Set date to start matching rule. Format for date: yyyy-mm-dd. To specify
+ time of date with startdate, append 'T' to date followed by time in 24 hour
+ notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to
+ 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time starttime <text>
+
+ Set time of day to start matching rule. Format of time: hh:mm:ss using 24
+ hours notation.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stopdate <text>
+
+ Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time
+ of date with stopdate, append 'T' to date followed by time in 24 hour
+ notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to
+ 21st Jan 2009 with time 13:30:00.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stoptime <text>
+
+ Set time of day to stop matching rule. Format of time: hh:mm:ss using 24
+ hours notation.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time utc
+
+ Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
+
+.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time weekdays
+
+ Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add !
+ at the front eg. !Mon,Thu,Sat.