diff options
Diffstat (limited to 'docs/configuration/policy/route.rst')
-rw-r--r-- | docs/configuration/policy/route.rst | 421 |
1 files changed, 421 insertions, 0 deletions
diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst new file mode 100644 index 00000000..ffbe85b2 --- /dev/null +++ b/docs/configuration/policy/route.rst @@ -0,0 +1,421 @@ +############ +Route Policy +############ + +Route and IPv6 route policies are defined in this section. This route policies +can then be associated to interfaces. + +************* +Configuration +************* + +Route +===== + +.. cfgcmd:: set policy route <text> + + This command creates a new route policy, identified by <text>. + +.. cfgcmd:: set policy route <text> description <text> + + Set description for the route policy. + +.. cfgcmd:: set policy route <text> enable-default-log + + Option to log packets hitting default-action. + +.. cfgcmd:: set policy route <text> rule <1-9999> description <text> + + Set description for rule in route policy. + +.. cfgcmd:: set policy route <text> rule <1-9999> action drop + + Set rule action to drop. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination address + <match_criteria> + + Set match criteria based on destination address, where <match_criteria> + could be: + + * <x.x.x.x>: IP address to match. + * <x.x.x.x/x>: Subnet to match. + * <x.x.x.x>-<x.x.x.x>: IP range to match. + * !<x.x.x.x>: Match everything except the specified address. + * !<x.x.x.x/x>: Match everything except the specified subnet. + * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination group + <address-group|network-group|port-group> <text> + + Set destination match criteria based on groups, where <text> would be the + group name/identifier. + +.. cfgcmd:: set policy route <text> rule <1-9999> destination port + <match_criteria> + + Set match criteria based on destination port, where <match_criteria> could + be: + + * <port name>: Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * <start>-<end>: Numbered port range (e.g., 1001-1005). + + Multiple destination ports can be specified as a comma-separated list. The + whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route <text> rule <1-9999> disable + + Option to disable rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> fragment + <match-grag|match-non-frag> + + Set IP fragment match, where: + + * match-frag: Second and further fragments of fragmented packets. + * match-non-frag: Head fragments or unfragmented packets. + +.. cfgcmd:: set policy route <text> rule <1-9999> icmp <code|type|type-name> + + Set ICMP match criterias, based on code and/or types. Types could be + referenced by number or by name. + +.. cfgcmd:: set policy route <text> rule <1-9999> ipsec + <match-ipsec|match-none> + + Set IPSec inbound match criterias, where: + + * match-ipsec: match inbound IPsec packets. + * match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy route <text> rule <1-9999> limit burst <0-4294967295> + + Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy route <text> rule <1-9999> limit rate <text> + + Set maximum average matching rate. Format for rate: integer/time_unit, where + time_unit could be any one of second, minute, hour or day.For example + 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy route <text> rule <1-9999> log <enable|disable> + + Option to enable or disable log matching rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> log <text> + + Option to log matching rule. + +.. cfgcmd:: set policy route <text> rule <1-9999> protocol + <text|0-255|tcp_udp|all|!protocol> + + Set protocol to match. Protocol name in /etc/protocols or protocol number, + or "tcp_udp" or "all". Also, protocol could be denied by using !. + +.. cfgcmd:: set policy route <text> rule <1-9999> recent <count|time> + <1-255|0-4294967295> + + Set parameters for matching recently seen sources. This match could be used + by seeting count (source address seen more than <1-255> times) and/or time + (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy route <text> rule <1-9999> set dscp <0-63> + + Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy route <text> rule <1-9999> set mark <1-2147483647> + + Set packet modifications: Packet marking + +.. cfgcmd:: set policy route <text> rule <1-9999> set table <main|1-200> + + Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy route <text> rule <1-9999> set tcp-mss <500-1460> + + Set packet modifications: Explicitly set TCP Maximum segment size value. + +.. cfgcmd:: set policy route <text> rule <1-9999> source address + <match_criteria> + + Set match criteria based on source address, where <match_criteria> could be: + + * <x.x.x.x>: IP address to match. + * <x.x.x.x/x>: Subnet to match. + * <x.x.x.x>-<x.x.x.x>: IP range to match. + * !<x.x.x.x>: Match everything except the specified address. + * !<x.x.x.x/x>: Match everything except the specified subnet. + * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. + +.. cfgcmd:: set policy route <text> rule <1-9999> source group + <address-group|network-group|port-group> <text> + + Set source match criteria based on groups, where <text> would be the group + name/identifier. + +.. cfgcmd:: set policy route <text> rule <1-9999> source port <match_criteria> + + Set match criteria based on source port, where <match_criteria> could be: + + * <port name>: Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * <start>-<end>: Numbered port range (e.g., 1001-1005). + + Multiple source ports can be specified as a comma-separated list. The whole + list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' + +.. cfgcmd:: set policy route <text> rule <1-9999> state + <established|invalid|new|related> <disable|enable> + + Set match criteria based on session state. + +.. cfgcmd:: set policy route <text> rule <1-9999> tcp flags <text> + + Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK + FIN RST URG PSH ALL. When specifying more than one flag, flags should be + comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match + packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy route <text> rule <1-9999> time monthdays <text> + + Set monthdays to match rule on. Format for monthdays: 2,12,21. + To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy route <text> rule <1-9999> time startdate <text> + + Set date to start matching rule. Format for date: yyyy-mm-dd. To specify + time of date with startdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route <text> rule <1-9999> time starttime <text> + + Set time of day to start matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy route <text> rule <1-9999> time stopdate <text> + + Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time + of date with stopdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy route <text> rule <1-9999> time stoptime <text> + + Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy route <text> rule <1-9999> time utc + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy route <text> rule <1-9999> time weekdays + + Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! + at the front eg. !Mon,Thu,Sat. + + +IPv6 Route +========== + +.. cfgcmd:: set policy ipv6-route <text> + + This command creates a new IPv6 route policy, identified by <text>. + +.. cfgcmd:: set policy ipv6-route <text> description <text> + + Set description for the IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route <text> enable-default-log + + Option to log packets hitting default-action. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> action drop + + Set rule action to drop. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> description <text> + + Set description for rule in IPv6 route policy. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination address + <match_criteria> + + Set match criteria based on destination IPv6 address, where <match_criteria> + could be: + + * <h:h:h:h:h:h:h:h>: IPv6 address to match. + * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. + * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match. + * !<h:h:h:h:h:h:h:h>: Match everything except the specified address. + * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. + * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the + specified range. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> destination port + <match_criteria> + + Set match criteria based on destination port, where <match_criteria> could + be: + + * <port name>: Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * <start>-<end>: Numbered port range (e.g., 1001-1005). + + Multiple destination ports can be specified as a comma-separated list. The + whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005'. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> disable + + Option to disable rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> icmpv6 type <icmpv6_typ> + + Set ICMPv6 match criterias, based on ICMPv6 type/code name. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> ipsec + <match-ipsec|match-none> + + Set IPSec inbound match criterias, where: + + * match-ipsec: match inbound IPsec packets. + * match-none: match inbound non-IPsec packets. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit burst + <0-4294967295> + + Set maximum number of packets to alow in excess of rate + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> limit rate <text> + + Set maximum average matching rate. Format for rate: integer/time_unit, where + time_unit could be any one of second, minute, hour or day.For example + 1/second implies rule to be matched at an average of once per second. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <enable|disable> + + Option to enable or disable log matching rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> log <text> + + Option to log matching rule. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> protocol + <text|0-255|tcp_udp|all|!protocol> + + Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or + protocol number, or "tcp_udp" or "all". Also, protocol could be denied by + using !. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> recent <count|time> + <1-255|0-4294967295> + + Set parameters for matching recently seen sources. This match could be used + by seeting count (source address seen more than <1-255> times) and/or time + (source address seen in the last <0-4294967295> seconds). + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set dscp <0-63> + + Set packet modifications: Packet Differentiated Services Codepoint (DSCP) + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set mark <1-2147483647> + + Set packet modifications: Packet marking. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set table <main|1-200> + + Set packet modifications: Routing table to forward packet with. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> set tcp-mss + <pmtu|500-1460> + + Set packet modifications: pmtu option automatically set to Path Maximum + Transfer Unit minus 60 bytes. Otherwise, expliicitly set TCP MSS value from + 500 to 1460. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source address + <match_criteria> + + Set match criteria based on IPv6 source address, where <match_criteria> + could be: + + * <h:h:h:h:h:h:h:h>: IPv6 address to match + * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match + * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match + * !<h:h:h:h:h:h:h:h>: Match everything except the specified address + * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix + * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the + specified range + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source mac-address + <MAC_address|!MAC_address> + + Set source match criteria based on MAC address. Declare specific MAC address + to match, or match everything except the specified MAC. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> source port + <match_criteria> + + Set match criteria based on source port, where <match_criteria> could be: + + * <port name>: Named port (any name in /etc/services, e.g., http). + * <1-65535>: Numbered port. + * <start>-<end>: Numbered port range (e.g., 1001-1005). + + Multiple source ports can be specified as a comma-separated list. The whole + list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005'. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> state + <established|invalid|new|related> <disable|enable> + + Set match criteria based on session state. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> tcp flags <text> + + Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK + FIN RST URG PSH ALL. When specifying more than one flag, flags should be + comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match + packets with the SYN flag set, and the ACK, FIN and RST flags unset. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time monthdays <text> + + Set monthdays to match rule on. Format for monthdays: 2,12,21. + To negate add ! at the front eg. !2,12,21 + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time startdate <text> + + Set date to start matching rule. Format for date: yyyy-mm-dd. To specify + time of date with startdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time starttime <text> + + Set time of day to start matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stopdate <text> + + Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time + of date with stopdate, append 'T' to date followed by time in 24 hour + notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to + 21st Jan 2009 with time 13:30:00. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time stoptime <text> + + Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 + hours notation. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time utc + + Interpret times for startdate, stopdate, starttime and stoptime to be UTC. + +.. cfgcmd:: set policy ipv6-route <text> rule <1-9999> time weekdays + + Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! + at the front eg. !Mon,Thu,Sat. |