author | Bob Gilligan <gilligan@vyatta.com> | 2009-02-23 11:59:10 -0800 |
---|---|---|
committer | Bob Gilligan <gilligan@vyatta.com> | 2009-02-23 11:59:10 -0800 |
commit | d766dd656ad8af7219ff604609215a76596d13a8 (patch) | |
tree | 68d4ffa3c80cac29dfedcf86280d48b7ddcd759b | |
parent | ca464052ad78c6d840c9982fb5d9f1f016f7e3c9 (diff) | |
download | vyatta-cfg-firewall-d766dd656ad8af7219ff604609215a76596d13a8.tar.gz vyatta-cfg-firewall-d766dd656ad8af7219ff604609215a76596d13a8.zip |
Add "ipv6-modify" firewall configuration sub-tree.
55 files changed, 354 insertions, 6 deletions
diff --git a/templates/firewall/ipv6-modify/node.def b/templates/firewall/ipv6-modify/node.def
new file mode 100644
index 0000000..c0c324d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+
+help: Set IPv6 modify rule set name
diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def
new file mode 100644
index 0000000..cbd090b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set IPv6 modify rule set description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def
new file mode 100644
index 0000000..674abd2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.def
@@ -0,0 +1,7 @@
+tag:
+
+type: u32
+
+help: Set IPv6 modify rule number (1-1024)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..ac60488
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,6 @@
+type: txt
+
+help: Set firewall rule action
+
+syntax:expression: $VAR(@) in "drop", "reject", "accept", "modify";
+ "action must be one of drop, reject, accept, or modify"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..b49b91e
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Set rule description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..5c7f5e9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,14 @@
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..500e0bb
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Set firewall destination parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..b292864
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Set destination port
+
+comp_help: Destination port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
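Review bot: The destination/address template's help line still reads "source" — it should be `help: Set destination IPv6 address, prefix or range to match`. Separately, its exec line passes `$VAR(@)` to the validator unquoted, whereas the protocol and source/mac-address templates in this same commit wrap the substituted value in single quotes; an unquoted value containing whitespace or shell metacharacters is word-split or interpreted by the shell before vyatta-validate-type.pl ever sees it, so `syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param '$VAR(@)'"` would be both consistent and safer. The source/address hunk (L21-L22) has the same unquoted form. Neither address template attaches a failure message after the exec, unlike the mac-address one, so a rejected value gets only whatever the script prints.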
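Review bot: The destination/port template has no `syntax:expression:` at all, so any string is accepted at commit time even though comp_help promises a list of service names, numbers 1-65535 and ranges; the malformed value is only caught, if at all, when the rule is later rendered into the packet filter. A `pattern` check as the tcp/flags template uses, or an `exec` call to the validator script with an appropriate port type, would reject bad lists where the user can see the error. The source/port hunk (L22) is missing the same check; whether the IPv4 modify templates validate ports isn't visible in this diff.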
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..498a027
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Set firewall rule disabled
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
new file mode 100644
index 0000000..d4dc9c0
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
@@ -0,0 +1 @@
+help: Set rule ICMPv6 type and code information
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
new file mode 100644
index 0000000..13ff654
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -0,0 +1,135 @@
+type: txt
+
+help: Set ICMPv6 type/code
+
+comp_help: Possible completions:
+ destination-unreachable ICMPv6 type/code name
+ no-route ICMPv6 type/code name
+ communication-prohibited ICMPv6 type/code name
+ address-unreachable ICMPv6 type/code name
+ port-unreachable ICMPv6 type/code name
+ packet-too-big ICMPv6 type/code name
+ time-exceeded ICMPv6 type/code name
+ ttl-zero-during-transit ICMPv6 type/code name
+ ttl-zero-during-reassembly ICMPv6 type/code name
+ parameter-problem ICMPv6 type/code name
+ bad-header ICMPv6 type/code name
+ unknown-header-type ICMPv6 type/code name
+ unknown-option ICMPv6 type/code name
+ echo-request ICMPv6 type/code name
+ ping ICMPv6 type/code name
+ echo-reply ICMPv6 type/code name
+ pong ICMPv6 type/code name
+ router-solicitation ICMPv6 type/code name
+ router-advertisement ICMPv6 type/code name
+ neighbour-solicitation ICMPv6 type/code name
+ neighbor-solicitation ICMPv6 type/code name
+ neighbour-advertisement ICMPv6 type/code name
+ neighbor-advertisement ICMPv6 type/code name
+ <0 - 255> ICMPv6 type number
+ <0 - 255>/<0 - 255> ICMPv6 type and code numbers
+
+allowed:
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ echo -n ${array[@]}
+
+syntax:expression: exec "
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ len=${#array[*]}
+ i=0
+ while [ $i -lt $len ]; do
+ if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+ done
+
+ param=$VAR(@)
+ codepart=${param##*/}
+ if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
+ codepart=\"0\"
+ fi
+
+ typepart=${param%%/*}
+ if [ -z \"$typepart\" ]; then
+ echo \"Must specify ICMPv6 type\"
+ exit 1
+ fi
+
+ shopt -s extglob
+
+ leftover=${typepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 type: $typepart\"
+ exit 1
+ fi
+
+ leftover=${codepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 code: $codepart\"
+ exit 1
+ fi
+
+ if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
+ echo \"ICMPv6 type must be between 0 and 255\"
+ exit 1
+ fi
+
+ if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
+ echo \"ICMPv6 code must be between 0 and 255\"
+ exit 1
+ fi
+"
+
+
+
+
+
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
new file mode 100644
index 0000000..8d4bf12
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
@@ -0,0 +1 @@
+help: Match inbound IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
new file mode 100644
index 0000000..cfcbc8a
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
@@ -0,0 +1 @@
+help: Match inbound non-IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
new file mode 100644
index 0000000..c905e2d
--- /dev/null
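Review bot: In the icmpv6/type validator, `codepart=${param##*/}` takes the last slash-delimited field and `typepart=${param%%/*}` the first, so a value with two separators such as `1/2/3` passes as type 1, code 3 and the middle token is silently discarded; reject extra separators right after `param=$VAR(@)`, e.g. `case \"$param\" in */*/*) echo \"Invalid ICMPv6 type/code: $param\"; exit 1;; esac`. That assignment also interpolates the value unquoted while the name-matching loop above compares `\"$VAR(@)\"` in double quotes, so `param='$VAR(@)'` (the single-quoted form the protocol template in this commit uses for its validator call) would keep the two consistent and stop a value with whitespace from breaking the assignment. The `-lt 0` halves of the two range tests can never be true once the digit-only checks have passed; harmless, but they read as if negative input were possible. The same 23 names are listed three times (comp_help, allowed:, and the script), which is easy to let drift.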
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
@@ -0,0 +1 @@
+help: Set inbound IPsec packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..5023547
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: Set firewall logging
+syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
new file mode 100644
index 0000000..b20f58c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Set packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
new file mode 100644
index 0000000..0830b9b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set packet marking
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
new file mode 100644
index 0000000..f629b92
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
@@ -0,0 +1 @@
+help: Set packet modifications
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
new file mode 100644
index 0000000..3359454
--- /dev/null
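Review bot: The log template's first line, `type: txt; "firwall logging must be enable or disable"`, carries a failure message on the `type:` declaration; everywhere else in this commit (dscp, action, state) the message follows only the `syntax:expression:` line, so this looks like a paste slip and the line should be just `type: txt`. Both copies of the message also misspell the product word: `syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"`. Whether the template parser tolerates the trailing text after `type: txt` isn't visible here, so it is worth checking before relying on it.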
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
new file mode 100644
index 0000000..35c2182
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
new file mode 100644
index 0000000..a6330de
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
@@ -0,0 +1 @@
+help: Match BitTorrent application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
new file mode 100644
index 0000000..ab11805
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
@@ -0,0 +1 @@
+help: Match Direct Connect application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
new file mode 100644
index 0000000..25a97e5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
@@ -0,0 +1 @@
+help: Match eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
new file mode 100644
index 0000000..52d9d6c
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
@@ -0,0 +1 @@
+help: Match Gnutella application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
new file mode 100644
index 0000000..a6eab48
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
@@ -0,0 +1 @@
+help: Match KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
new file mode 100644
index 0000000..9013fe5
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
@@ -0,0 +1 @@
+help: Set P2P application packet matching
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..d43ffdd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,26 @@
+type: txt
+
+help: Set IPv6 protocol to match (protocol name, number, or "all")
+
+syntax:expression: exec "
+ param=$VAR(@)
+ if [ \"$param\" = \"icmpv6\" ]; then
+ exit 0
+ fi
+ /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
+ " ;
+ "invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+ protos="all icmpv6 $protos"
+ echo -n $protos
+
+comp_help:Possible completions:
+ <text> An IPv6 protocol name (e.g. "tcp" or "udp")
+ <1-255> An IPv6 protocol number
+ all All IPv6 protocols
+ !<text> All IPv6 protocols except for the specified name
+ !<1-255> All IPv6 protocols except for the specified number
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..a07010f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen more than N times
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..e1be0a3
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Set parameters for matching recently seen sources
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..b84a0b7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen in the last N seconds
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..81f2b03
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
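Review bot: In the protocol template's syntax check, `param=$VAR(@)` receives the substituted value unquoted while the validator call three lines later passes `'$VAR(@)'` in single quotes; the two should agree, and `param='$VAR(@)'` keeps a value containing whitespace from breaking the assignment before the icmpv6 shortcut is evaluated. The `allowed:` pipeline spawns three processes where one would do: `protos=` with `awk '!/^#/ { print $1 }' /etc/protocols` inside the backticks gives the same first-column list without the `cat` and `sed`. The `# Provide some help …` comment lines are the only `#` lines in any template in this commit; presumably the parser ignores them, but it is worth confirming since an unrecognised line in a node.def would otherwise be a silent load failure.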
@@ -0,0 +1,14 @@
+
+type: txt
+
+help: Set source IPv6 address, prefix or range to match
+
+comp_help: Possible completions:
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ <x:x:x:x:x:x>-<x:x:x:x:x:x> Range of IPv6 addresses
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+ !<x:x:x:x:x:x>-<x:x:x:x:x:x> Everything except range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)"
\ No newline at end of file
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..fd10e26
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..16ab3ad
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set firewall source parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..e65cbfd
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..802e35d
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..ddba99f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..23854e7
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set new state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..3b7b383
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Set session state
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..acddc3b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
new file mode 100644
index 0000000..95f6a68
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
@@ -0,0 +1,12 @@
+type: txt
+help: Set TCP flags to match
+syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
+"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset"
+
+comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
new file mode 100644
index 0000000..636f4a2
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
@@ -0,0 +1 @@
+help: Set tcp flags to match
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
new file mode 100644
index 0000000..025a2a9
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set monthdays on which to apply rule
+syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
+"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
+For negation, add ! in front eg. !2,12,21"
+
+comp_help: Format for monthdays - 2,12,21
+To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
new file mode 100644
index 0000000..8061ba6
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
@@ -0,0 +1 @@
+help: Set time during which to apply rule
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
new file mode 100644
index 0000000..a971375
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule starting from specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
+of date with startdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
+21st January 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
new file mode 100644
index 0000000..46c68c2
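Review bot: The monthdays pattern `[[:digit:]]\{1,2\}` accepts any one- or two-digit number, so a list such as `0,45,99` passes template validation even though no such day of the month exists; replacing each `[[:digit:]]\{1,2\}` with `(0?[1-9]|[12][0-9]|3[01])` would reject it where the user can see the error. The weekdays template (L27) has the same shape of gap — its `[[:upper:]][[:lower:]]\{2\}` admits any capitalized three-letter token, not only Mon through Sun — and an alternation of the seven names would close it. Whether the rule generator or the kernel time match rejects these values later is not visible in this diff; the startdate/stopdate patterns likewise accept month 13 or day 99, so the same question applies there.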
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set to apply rule starting from specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
new file mode 100644
index 0000000..c99dd7b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule till specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
+of date with stopdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
+31st Jan 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
+append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
+stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
new file mode 100644
index 0000000..0514e8b
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
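Review bot: The starttime failure message says "Date should be entered" for a value that is a time, and the completion help doubles a word (`using using`); suggest `"Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"` and `comp_help: Enter time using 24 hour notation - hh:mm:ss`. The stoptime template (L27) carries the same two strings and needs the same edit. The `[[:digit:]]\{2\}` pattern also admits `99:99:99`; if the backend does not reject out-of-range fields, bounding hours to 00-23 and minutes/seconds to 00-59 in the pattern would surface the error at validation time rather than at rule load.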
@@ -0,0 +1,8 @@
+type: txt
+help: Set to apply rule till specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
+
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
new file mode 100644
index 0000000..68a0689
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
@@ -0,0 +1 @@
+help: Set to interpret the times given for startdate, stopdate, starttime and stoptime to be UTC
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
new file mode 100644
index 0000000..aea3e22
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Set weekdays on which to apply rules on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index b82683d..60880c4 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -4,4 +4,4 @@ type: txt
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
-help: Set firewall rule set name
+help: Set IPv6 firewall rule set name
diff --git a/templates/firewall/ipv6-name/node.tag/description/node.def b/templates/firewall/ipv6-name/node.tag/description/node.def
index d181e33..faa5b85 100644
--- a/templates/firewall/ipv6-name/node.tag/description/node.def
+++ b/templates/firewall/ipv6-name/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
-help: Set firewall description
+help: Set IPv6 firewall rule set description
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index 7e9046f..f01b306 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -4,4 +4,4 @@ type: txt
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Modify rule set name cannot start with \"-\""
-help: Set modify rule set name
+help: Set IPv4 modify rule set name
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
index fbf2144..ee0a94c 100644
--- a/templates/firewall/modify/node.tag/description/node.def
+++ b/templates/firewall/modify/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
-help: Set modify rule set description
+help: Set IPv4 modify rule set description
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index b82683d..628d014 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -4,4 +4,4 @@ type: txt
 syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
-help: Set firewall rule set name
+help: Set IPv4 firewall rule set name
diff --git a/templates/firewall/name/node.tag/description/node.def b/templates/firewall/name/node.tag/description/node.def
index d181e33..f56909a 100644
--- a/templates/firewall/name/node.tag/description/node.def
+++ b/templates/firewall/name/node.tag/description/node.def
@@ -1,3 +1,3 @@
 type: txt
-help: Set firewall description
+help: Set IPv4 firewall rule set description |