author | Robert Bays <robert@vyatta.com> | 2012-06-26 13:32:41 -0700 |
---|---|---|
committer | Robert Bays <robert@vyatta.com> | 2012-09-03 10:18:38 -0700 |
commit | f3207bc0f15c9b94ed86c117e48c85c398dec8ea (patch) | |
tree | 50f9f82fbe0d92bcb275598968573296d56ad11a | |
parent | 0da6be07418ae3f821368aa54adcd7913a2fc7b3 (diff) | |
download | vyatta-cfg-firewall-f3207bc0f15c9b94ed86c117e48c85c398dec8ea.tar.gz vyatta-cfg-firewall-f3207bc0f15c9b94ed86c117e48c85c398dec8ea.zip |
Initial check-in for PBR (policy-based routing) functionality
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/vyatta-cfg-firewall.install | 1 | ||||
-rw-r--r-- | gen-interface-policy-templates.pl | 185 | ||||
-rwxr-xr-x | gen-interface-templates.pl | 15 | ||||
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 29 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 199 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/default-action/node.def | 11 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/description/node.def | 3 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.def | 9 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def | 12 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def | 2 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/ipv6-name/node.def | 8 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/default-action/node.def | 11 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/description/node.def | 3 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.def | 9 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/action/node.def | 10 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def | 2 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/name/node.def | 8 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.def (renamed from templates/firewall/ipv6-modify/node.def) | 20 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/description/node.def | 3 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/enable-default-log/node.def (renamed from templates/firewall/modify/node.tag/enable-default-log/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.def | 9 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def | 10 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def) | 8 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def | 3 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def | 4 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def) | 8 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def) | 2 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.def (renamed from templates/firewall/modify/node.def) | 22 | ||||
-rw-r--r-- | templates/policy/route/node.tag/description/node.def | 3 | ||||
-rw-r--r-- | templates/policy/route/node.tag/enable-default-log/node.def | 1 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.def | 9 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/action/node.def | 10 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/description/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/description/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/destination/port/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/disable/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/disable/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/fragment/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/icmp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/ipsec/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/limit/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/log/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/log/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/protocol/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def) | 1 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/recent/count/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/recent/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/recent/time/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/set/mark/node.def | 3 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/set/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/set/table/node.def | 4 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/source/port/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/state/established/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/state/new/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/state/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/state/related/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/tcp/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def (renamed from templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def) | 2 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/utc/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def) | 0 | ||||
-rw-r--r-- | templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def (renamed from templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def) | 0 |
142 files changed, 473 insertions, 184 deletions
diff --git a/Makefile.am b/Makefile.am index 0226d8a..e70c377 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,6 +25,7 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ all-local: ./gen-interface-templates.pl + ./gen-interface-policy-templates.pl clean-local: rm -rf generated-templates diff --git a/debian/vyatta-cfg-firewall.install b/debian/vyatta-cfg-firewall.install index 57693ee..b29f443 100644 --- a/debian/vyatta-cfg-firewall.install +++ b/debian/vyatta-cfg-firewall.install @@ -3,6 +3,7 @@ opt/vyatta/sbin opt/vyatta/etc opt/vyatta/share/perl5 opt/vyatta/share/vyatta-cfg/templates/firewall +opt/vyatta/share/vyatta-cfg/templates/policy opt/vyatta/share/vyatta-cfg/templates/interfaces/bonding opt/vyatta/share/vyatta-cfg/templates/interfaces/bridge opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl new file mode 100644 index 0000000..9c7df42 --- /dev/null +++ b/gen-interface-policy-templates.pl 
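Review bot: The `all-local` target now runs `./gen-interface-policy-templates.pl` directly, but this commit adds that file with `new file mode 100644` (the diffstat likewise lists it as `-rw-r--r--`, unlike the existing `-rwxr-xr-x` gen-interface-templates.pl), so the build will fail with "permission denied" until the executable bit is set. Either commit the script with mode 100755 or invoke it as `perl ./gen-interface-policy-templates.pl` so the build does not depend on the file mode.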
@@ -0,0 +1,185 @@ +#!/usr/bin/perl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Bob Gilligan (gilligan@vyatta.com) +# Date: March 2009 +# Description: Script to automatically generate per-interface firewall +# templates. +# +# **** End License **** +# +use strict; +use warnings; + +# Set to 1 to enable debug output. +# +my $debug = 0; + +# This hash maps the root of the tree of firewall templates for each interface +# into the variable reference that each of the node.def files in that tree +# will need to use to get the interface name. The keys of this hash are +# the partial pathname under the config template tree "interfaces/". 
+# +my %interface_hash = ( + 'adsl/node.tag/pvc/node.tag/bridged-ethernet' => + '$VAR(../../../../@)', + 'adsl/node.tag/pvc/node.tag/classical-ipoa' => '$VAR(../../../../@)', + 'adsl/node.tag/pvc/node.tag/pppoa/node.tag' => 'pppoa$VAR(../../@)', + 'adsl/node.tag/pvc/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)', + + 'bonding/node.tag' => '$VAR(../../@)', + 'bonding/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', + + 'ethernet/node.tag' => '$VAR(../../@)', + 'ethernet/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)', + 'ethernet/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', + 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)', + 'pseudo-ethernet/node.tag' => '$VAR(../../@)', + 'pseudo-ethernet/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', + + 'wireless/node.tag' => '$VAR(../../@)', + 'wireless/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', + + 'input/node.tag' => '$VAR(../../@)', + 'tunnel/node.tag' => '$VAR(../../@)', + 'bridge/node.tag' => '$VAR(../../@)', + 'openvpn/node.tag' => '$VAR(../../@)', + + 'multilink/node.tag/vif/node.tag' => '$VAR(../../../@)', + + 'serial/node.tag/cisco-hdlc/vif/node.tag' => + '$VAR(../../../../@).$VAR(../../@)', + 'serial/node.tag/frame-relay/vif/node.tag' => + '$VAR(../../../../@).$VAR(../../@)', + 'serial/node.tag/ppp/vif/node.tag' => + '$VAR(../../../../@).$VAR(../../@)', + + 'wirelessmodem/node.tag' => '$VAR(../../@)', +); + +# The subdirectory where the generated templates will go +my $template_subdir = "generated-templates/interfaces"; + +# The name of the subdir under each interface holding the firewall tree +my $firewall_subdir = "policy"; + +# The name of the config file we will be writing. 
+my $node_file = "node.def"; + +sub mkdir_p { + my $path = shift; + + return 1 if ( mkdir($path) ); + + my $pos = rindex( $path, "/" ); + return unless $pos != -1; + return unless mkdir_p( substr( $path, 0, $pos ) ); + return mkdir($path); +} + +# Generate the template file located at the root of the firewall tree +# under an interface. This template just provides a help message. +# +sub gen_firewall_template { + my ($if_tree) = @_; + my $path = "${template_subdir}/${if_tree}/${firewall_subdir}"; + + ( -d $path ) or mkdir_p($path) + or die "Can't make directory $path: $!"; + + open my $tp, '>', "$path/$node_file" + or die "Can't create $path/$node_file: $!"; + print $tp "help: Policy route options\n"; + close $tp + or die "Can't write $path/$node_file: $!"; +} + +# Map a firewall ruleset type into the string that we will use to describe +# it in help messages. +# +my %table_help_hash = ( + "route" => "IPv4 policy route", + "ipv6-route" => "IPv6 policy route", +); + +my %config_association_hash = ( + "route" => "\"policy route\"", + "ipv6-route" => "\"policy ipv6-route\"", +); + +# Generate the template file at the leaf of the per-interface firewall tree. +# This template contains all the code to activate or deactivate a firewall +# ruleset on an interface for a particular ruleset type and direction. 
+# +sub gen_template { + my ( $if_tree, $table, $if_name ) = @_; + + if ($debug) { + print "debug: table=$table\n"; + } + + my $template_dir = + "${template_subdir}/${if_tree}/${firewall_subdir}/${table}"; + + if ($debug) { + print "debug: template_dir=$template_dir\n"; + } + + ( -d $template_dir) or mkdir_p($template_dir) + or die "Can't make directory $template_dir: $!"; + + open my $tp, '>', "${template_dir}/${node_file}" + or die "Can't open ${template_dir}/${node_file}:$!"; + + print $tp <<EOF; +type: txt +help: $table_help_hash{$table} ruleset for interface +allowed: local -a params + eval "params=(\$(cli-shell-api listActiveNodes policy $table))" + echo -n "\${params[@]}" +create: ifname=$if_name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ + update \$ifname in \$VAR(@) $config_association_hash{$table} + +update: ifname=$if_name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ + update \$ifname in \$VAR(@) $config_association_hash{$table} + + +delete: ifname=$if_name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ + delete \$ifname in \$VAR(@) $config_association_hash{$table} +EOF + + close $tp + or die "Can't write ${template_dir}/${node_file}:$!"; +} + +print "Generating policy templates...\n"; + +foreach my $if_tree ( keys %interface_hash ) { + my $if_name = $interface_hash{$if_tree}; + + if ($debug) { + print "debug: if_tree=$if_tree if_name=$if_name \n"; + } + + gen_firewall_template($if_tree); + gen_template( $if_tree, "route", $if_name ); + gen_template( $if_tree, "ipv6-route", $if_name ); +} + +print "Done.\n"; diff --git a/gen-interface-templates.pl b/gen-interface-templates.pl index 9a9dc41..817aa4d 100755 --- a/gen-interface-templates.pl +++ b/gen-interface-templates.pl 
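Review bot: The header comment of gen-interface-policy-templates.pl still describes the firewall generator it was copied from ("Script to automatically generate per-interface firewall templates", "Date: March 2009"), and `gen_firewall_template`, `$firewall_subdir` and the comments around `%table_help_hash` all say "firewall" although the file now generates the `policy route` / `policy ipv6-route` interface bindings. The generated template also hard-codes the direction word `in` in all three `create`/`update`/`delete` actions with nothing saying why, which a reader comparing it to the firewall templates' `$direction` parameter will stumble over. Replace the description line with `# Description: Script to generate the per-interface "policy route" / "policy ipv6-route" templates under generated-templates/interfaces/*/policy.` and add above the heredoc `# Only the "in" direction exists for policy routes; vyatta-firewall.pl hooks the mangle table in PREROUTING for it.`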
@@ -160,8 +160,6 @@ my %direction_term_hash = ( my %table_help_hash = ( "name" => "IPv4 firewall", "ipv6-name" => "IPv6 firewall", - "modify" => "IPv4 modify", - "ipv6-modify" => "IPv6 modify", ); # Generate the template file at the leaf of the per-interface firewall tree. @@ -197,16 +195,16 @@ allowed: local -a params echo -n "\${params[@]}" create: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname $direction \$VAR(@) $table + update \$ifname $direction \$VAR(@) \"firewall $table\" update: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname $direction \$VAR(@) $table + update \$ifname $direction \$VAR(@) \"firewall $table\" delete: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - delete \$ifname $direction \$VAR(@) $table + delete \$ifname $direction \$VAR(@) \"firewall $table\" EOF close $tp @@ -214,7 +212,7 @@ EOF } # The firewall ruleset types -my @ruleset_tables = ( "name", "modify", "ipv6-name", "ipv6-modify" ); +my @ruleset_tables = ( "name", "ipv6-name" ); # The firewall "directions" my @ruleset_directions = ( "in", "out", "local" ); @@ -232,11 +230,6 @@ foreach my $if_tree ( keys %interface_hash ) { for my $direction (@ruleset_directions) { gen_direction_template( $if_tree, $direction ); foreach my $table (@ruleset_tables) { - if (($direction eq "local") && - (($table eq "modify") || ($table eq "ipv6-modify"))) { - # modify type rules are not used for local traffic - next; - } gen_template( $if_tree, $direction, $table, $if_name ); } } diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index 72bd536..48d4d40 100755 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -26,6 +26,7 @@ my %fields = ( _icmp_name => undef, _icmpv6_type => undef, _mod_mark => undef, + _mod_table => undef, _mod_dscp => undef, _mod_tcpmss => undef, _ipsec => undef, 
@@ -78,6 +79,7 @@ my %dummy_rule = ( _icmp_name => undef, _icmpv6_type => undef, _mod_mark => undef, + _mod_table => undef, _mod_dscp => undef, _mod_tcpmss => undef, _ipsec => undef, @@ -170,9 +172,10 @@ sub setup_base { $self->{_icmp_type} = $config->$val_func("icmp type"); $self->{_icmp_name} = $config->$val_func("icmp type-name"); $self->{_icmpv6_type} = $config->$val_func("icmpv6 type"); - $self->{_mod_mark} = $config->$val_func("modify mark"); - $self->{_mod_dscp} = $config->$val_func("modify dscp"); - $self->{_mod_tcpmss} = $config->$val_func("modify tcp-mss"); + $self->{_mod_mark} = $config->$val_func("set mark"); + $self->{_mod_table} = $config->$val_func("set table"); + $self->{_mod_dscp} = $config->$val_func("set dscp"); + $self->{_mod_tcpmss} = $config->$val_func("set tcp-mss"); $self->{_ipsec} = $config->$exists_func("ipsec match-ipsec"); $self->{_non_ipsec} = $config->$exists_func("ipsec match-none"); $self->{_frag} = $config->$exists_func("fragment match-frag"); @@ -248,6 +251,7 @@ sub print { print "icmpv6 type: $self->{_icmpv6_type}\n" if defined $self->{_icmpv6_type}; print "mod mark: $self->{_mod_mark}\n" if defined $self->{_mod_mark}; + print "mod table: $self->{_mod_table}\n" if defined $self->{_mod_table}; print "mod dscp: $self->{_mod_dscp}\n" if defined $self->{_mod_dscp}; print "mod tcp-mss: $self->{_mod_tcpmss}\n" if defined $self->{_mod_tcpmss}; @@ -275,6 +279,11 @@ sub is_disabled { return 0; } +sub is_route_table { + my $self = shift; + return $self->{_mod_table}; +} + sub get_state_str { my $self = shift; my @states = qw(established new related invalid); 
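Review bot: `is_route_table` returns the raw `_mod_table` value rather than a boolean, so it yields undef when no `set table` is configured and would be false for a table id of 0 if the template allows one; the name reads as a predicate, so callers that want the id should know this. A short comment would settle the contract: `# Route table id from "set table", or undef when the rule selects none; truthiness doubles as "is this a route-table rule".` Note also that `setup_base` stores `set table` as an opaque value here while the MARK computation later in this file does arithmetic on it, so any numeric/range validation has to live in `set/table/node.def`, which is not shown in this chunk.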
@@ -581,7 +590,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo my $target = ipt_get_queue_target('SNORT'); return ('Undefined target for inspect', ) if ! defined $target; $rule .= "-j $target "; - } elsif ("$self->{_action}" eq 'modify') { + } elsif ($self->{_comment} =~ m/^policy/) { # mangle actions my $count = 0; if (defined($self->{_mod_mark})) { @@ -589,6 +598,12 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo $rule .= "-j MARK --set-mark $self->{_mod_mark} "; $count++; } + if (defined($self->{_mod_table})) { + # Route table + my $mark = 0x7FFFFFFF + $self->{_mod_table}; + $rule .= "-j MARK --set-mark $mark "; + $count++; + } if (defined($self->{_mod_dscp})) { # DSCP $rule .= "-j DSCP --set-dscp $self->{_mod_dscp} "; @@ -613,11 +628,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo # others if ($count == 0) { - return ('Action "modify" requires more specific configuration under ' - . 'the "modify" node', ); + return ('Policy route requires "action drop" or "set" parameters be defined.'); } elsif ($count > 1) { - return ('Cannot define more than one modification under ' - . 'the "modify" node', ); + return ('Cannot define more than "set" parameter per policy route'); } } else { return ("\"action\" must be defined", ); diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index 0f3cf85..ea0d676 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -16,10 +16,11 @@ use Sys::Syslog qw(:standard :macros); my $debug_flag = 0; # Enable sending debug output to syslog. -my $syslog_flag = 0; +my $syslog_flag = 1; my $fw_stateful_file = '/var/run/vyatta_fw_stateful'; my $fw_tree_file = '/var/run/vyatta_fw_trees'; +my $policy_ref_file = '/var/run/vyatta_policy_ref'; my $FW_IN_HOOK = 'VYATTA_FW_IN_HOOK'; my $FW_OUT_HOOK = 'VYATTA_FW_OUT_HOOK'; 
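Review bot: `-j MARK --set-mark $mark` replaces the whole fwmark, so a `set table` rule overwrites whatever a preceding `set mark` rule (or any other mangle user) put on the packet, and the synthetic `0x7FFFFFFF + table` values share the same 32-bit space as user-chosen marks with nothing keeping them apart. If both features are meant to coexist, a masked write (`--set-xmark value/mask`) with a matching `fwmark value/mask` in the `ip rule` would be the cleaner design; at minimum state the assumption next to the computation: `# table marks are 0x7FFFFFFF+N and --set-mark replaces the entire fwmark, so an earlier 'set mark' is clobbered`. The enclosing `rule` sub starts and ends outside this hunk.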
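Review bot: The second new error message is missing a word and reads `Cannot define more than "set" parameter per policy route`; it should be `Cannot define more than one "set" parameter per policy route`. The first one could likewise say `Policy route requires "action drop" or one "set" parameter to be defined`, since `$count` is checked for exactly one.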
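Review bot: `$syslog_flag` now defaults to 1, which turns on syslog output of every shell command the script runs for every installation and makes the `--syslog` option a no-op, while the comment above still describes it as a debug switch. This looks like a debugging leftover; keep `my $syslog_flag = 0;` (or tie it to `$debug_flag`) and enable it per invocation with the flag.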
@@ -32,40 +33,40 @@ my ($teardown, $teardown_ok); GetOptions("setup=s{2}" => \@setup, "teardown=s" => \$teardown, "teardown-ok=s" => \$teardown_ok, - "update-rules=s{2}" => \@updaterules, - "update-interfaces=s{5}" => \@updateints, + "update-rules=s{2}" => \@updaterules, + "update-interfaces=s{5}" => \@updateints, "debug" => \$debug_flag, "syslog" => \$syslog_flag ); # mapping from config node to iptables/ip6tables table -my %table_hash = ( 'name' => 'filter', - 'ipv6-name' => 'filter', - 'modify' => 'mangle', - 'ipv6-modify' => 'mangle' ); +my %table_hash = ( 'firewall name' => 'filter', + 'firewall ipv6-name' => 'filter', + 'policy route' => 'mangle', + 'policy ipv6-route' => 'mangle' ); # mapping from config node to iptables command. Note that this table # has the same keys as %table hash, so a loop iterating through the # keys of %table_hash can use the same keys to find the value associated # with the key in this table. -my %cmd_hash = ( 'name' => 'iptables', - 'ipv6-name' => 'ip6tables', - 'modify' => 'iptables', - 'ipv6-modify' => 'ip6tables'); +my %cmd_hash = ( 'firewall name' => 'iptables', + 'firewall ipv6-name' => 'ip6tables', + 'policy route' => 'iptables', + 'policy ipv6-route' => 'ip6tables'); # mapping from config node to IP version string. -my %ip_version_hash = ( 'name' => 'ipv4', - 'ipv6-name' => 'ipv6', - 'modify' => 'ipv4', - 'ipv6-modify' => 'ipv6'); +my %ip_version_hash = ( 'firewall name' => 'ipv4', + 'firewall ipv6-name' => 'ipv6', + 'policy route' => 'ipv4', + 'policy ipv6-route' => 'ipv6'); # mapping from firewall tree to builtin chain for input my %inhook_hash = ( 'filter' => 'FORWARD', - 'mangle' => 'PREROUTING' ); + 'mangle' => 'PREROUTING' ); # mapping from firewall tree to builtin chain for output my %outhook_hash = ( 'filter' => 'FORWARD', - 'mangle' => 'POSTROUTING' ); + 'mangle' => 'POSTROUTING' ); # mapping from firewall tree to builtin chain for local my %localhook_hash = ( 'filter' => 'INPUT' ); 
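Review bot: For the mangle table the `out` hook stays POSTROUTING, which runs after the route lookup, so a `policy route` set attached in the out direction can set the mark but the `ip rule ... fwmark` lookup this commit adds has already happened and `set table` is silently ineffective there; marks can only influence routing from PREROUTING (or OUTPUT for locally generated traffic). If the per-interface policy templates generated by the new gen-interface-policy-templates.pl (not in this chunk) expose `out` or `local`, either reject them for policy trees or hook them where a re-route is possible; note `%localhook_hash` still has no mangle entry at all. A comment on the hash would help the next reader: `# mangle: only marks set before the route lookup (PREROUTING) affect policy routing`.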
@@ -75,10 +76,10 @@ my %policy_hash = ( 'drop' => 'DROP', 'reject' => 'REJECT', 'accept' => 'RETURN' ); -my %other_tree = ( 'name' => 'modify', - 'modify' => 'name', - 'ipv6-name' => 'ipv6-modify', - 'ipv6-modify' => 'ipv6-name'); +my %other_tree = ( 'firewall name' => 'policy route', + 'firewall ipv6-name' => 'policy ipv6-route', + 'policy route' => 'firewall name', + 'policy ipv6-route' => 'firewall ipv6-name'); # Send output of shell commands to syslog for debugging and so that @@ -294,8 +295,8 @@ sub is_conntrack_enabled { return 0 if scalar(@lines) < 1; foreach my $line (@lines) { - if ($line =~ /^([^\s]+)\s([^\s]+)$/) { - my ($tree, $chain) = ($1, $2); + if ($line =~ /^([^\s]+)\s([^\s]+)\s([^\s]+)$/) { + my ($tree, $chain) = ("$1 $2", $3); return 1 if $cmd_hash{$tree} eq $iptables_cmd; } else { die "Error: unexpected format [$line]\n"; @@ -311,8 +312,8 @@ sub is_tree_in_use { my @lines = read_refcnt_file($fw_tree_file); my %tree_hash; foreach my $line (@lines) { - if ($line =~ /^([^\s]+)\s([^\s]+)$/) { - my ($tmp_tree, $tmp_chain) = ($1, $2); + if ($line =~ /^([^\s]+)\s([^\s]+)\s([^\s]+)$/) { + my ($tmp_tree, $tmp_chain) = ("$1 $2", $3); $tree_hash{$tmp_tree}++; } else { die "Error: unexpected format [$line]\n"; 
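Review bot: Both parsers now require exactly three whitespace-separated tokens and `die` otherwise, so a reference file written by the previous version (two tokens, e.g. `name FOO`) makes every commit fail until the file is removed or the box reboots, and a chain name containing whitespace (the name patterns in this diff allow it) is rejected the same way. Consider tolerating the old two-token format during the transition, or switching to a new file name, and name the file in the message, e.g. `die "Error: unexpected format in $fw_tree_file [$line]\n";` in `is_tree_in_use`. Both subs start before their hunks.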
@@ -324,6 +325,118 @@ sub is_tree_in_use {
 return $rc;
 }
+sub add_route_table {
+ my ($table, $rule) = @_;
+ my $rule_found = 0;
+ my $table_count = -1;
+ my @newlines = ();
+ my @lines = read_refcnt_file($policy_ref_file);
+
+ log_msg("add_route_table: $rule, $table");
+ foreach my $line (@lines) {
+ my @tokens = split(/ /, $line);
+ if ($tokens[0] =~ m/$table:(\d+)/) {
+ $table_count = $1;
+ my $ref = $table_count + 1;
+ $tokens[0] =~ s/$table:(\d+)/$table:$ref/g;
+
+ for (my $i = 1; $i <= $#tokens; $i++) {
+ if ($tokens[$i] =~ m/$rule:(\d+)/) {
+ my $ref = $1 + 1;
+ $tokens[$i] =~ s/$rule:(\d+)/$rule:$ref/g;
+ $rule_found = 1;
+ }
+ }
+
+ if (!$rule_found) {
+ push (@tokens, "$rule:1");
+ }
+
+ }
+ push(@newlines, join(" ", @tokens));
+ }
+
+ if ($table_count < 0) {
+ push(@newlines, "$table:1 $rule:1");
+ }
+
+ if ($table_count < 1) {
+ my $mark = 0x7FFFFFFF + $table;
+ system("ip rule add pref $table fwmark $mark table $table");
+ }
+
+ write_refcnt_file($policy_ref_file, @newlines);
+}
+
+sub remove_route_table {
+ my ($table, $rule) = @_;
+ my $remove_rule = 0;
+ my @newlines = ();
+ my @lines = read_refcnt_file($policy_ref_file);
+
+ log_msg("add_route_table: $rule, $table");
+ foreach my $line (@lines) {
+ my @tokens = split(/ /, $line);
+ if ($tokens[0] =~ m/$table:(\d+)/) {
+ my $ref = $1 - 1;
+ $tokens[0] =~ s/$table:(\d+)/$table:$ref/g;
+
+ for (my $i = 1; $i <= $#tokens; $i++) {
+ if ($tokens[$i] =~ m/$rule:(\d+)/) {
+ my $ref = $1 - 1;
+ $tokens[$i] =~ s/$rule:(\d+)/$rule:$ref/g;
+ }
+ }
+
+ if ($ref < 1) {
+ my $mark = 0x7FFFFFFF + $table;
+ system("ip rule del pref $table fwmark $mark table $table");
+ }
+ }
+
+ push(@newlines, join(" ", @tokens));
+ }
+
+ write_refcnt_file($policy_ref_file, @newlines);
+}
+
+sub flush_route_table {
+ my ($rule) = @_;
+ my $remove_rule = 0;
+ my @newlines = ();
+ my @lines = read_refcnt_file($policy_ref_file);
+
+ log_msg("flush_route_table: $rule");
+ foreach my $line (@lines) {
+ my @tokens = split(/ /, $line);
+ my $table = 0;
+ my $tref = 0;
+ my $rref = 0;
+
+ $tokens[0] =~ m/(\d+):(\d+)/;
+ $table = $1;
+ $tref = $2;
+
+ for (my $i = 1; $i <= $#tokens; $i++) {
+ if ($tokens[$i] =~ m/$rule:(\d+)/) {
+ $rref = $1;
+ $tokens[$i] =~ s/$rule:(\d+)/$rule:0/g;
+ }
+ }
+
+ $tref -= $rref;
+ $tokens[0] =~ s/$table:(\d+)/$table:$tref/g;
+
+ if ($tref < 1) {
+ my $mark = 0x7FFFFFFF + $table;
+ system("ip rule del pref $table fwmark $mark table $table");
+ }
+
+ push(@newlines, join(" ", @tokens));
+ }
+
+ write_refcnt_file($policy_ref_file, @newlines);
+}
 sub update_rules {
 my ($tree, $name) = @_; # name, modify, ipv6-name or ipv6-modify
@@ -334,15 +447,16 @@ sub update_rules {
 log_msg "update_rules: $tree $name $table $iptables_cmd";
- $config->setLevel("firewall $tree");
+ $config->setLevel("$tree");
 %nodes = $config->listNodeStatus();
 # by default, nothing needs to be tracked.
 my $chain_stateful = 0;
- $config->setLevel("firewall $tree $name");
+ $config->setLevel("$tree $name");
 my $policy = $config->returnValue('default-action');
+ $policy = 'accept' if ($table eq "mangle");
 $policy = 'drop' if ! defined $policy;
 my $old_policy = $config->returnOrigValue('default-action');
 my $policy_log = $config->exists('enable-default-log');
@@ -355,11 +469,11 @@ sub update_rules {
 if ($nodes{$name} eq 'static') {
 # not changed. check if stateful.
 log_msg "$tree $name = static";
- $config->setLevel("firewall $tree $name rule");
+ $config->setLevel("$tree $name rule");
 my @rules = $config->listOrigNodes();
 foreach (sort numerically @rules) {
 my $node = new Vyatta::IpTables::Rule;
- $node->setupOrig("firewall $tree $name rule $_");
+ $node->setupOrig("$tree $name rule $_");
 $node->set_ip_version($ip_version_hash{$tree});
 if ($node->is_stateful()) {
 $chain_stateful = 1;
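Review bot: The refcount bookkeeping in `add_route_table`, `remove_route_table` and `flush_route_table` matches tokens with unanchored, unescaped patterns such as `m/$table:(\d+)/` and `m/$rule:(\d+)/`, so table 1 also matches a `11:n` token, a rule set named `foo` also matches `barfoo:n`, a name containing regex metacharacters (the policy name pattern in this diff admits any printable character, including `.`, `*` and `(`) mismatches or dies at runtime, and a name containing a space breaks the `split(/ /, $line)` tokenisation. Anchor and quote every match and substitution, e.g. `if ($tokens[0] =~ m/^\Q$table\E:(\d+)$/)`, `if ($tokens[$i] =~ m/^\Q$rule\E:(\d+)$/)` and `s/^\Q$table\E:\d+$/$table:$ref/`. The three `system("ip rule ...")` calls ignore their exit status, so a failed add leaves MARK rules in iptables with no route lookup while the file claims the `ip rule` exists; check `$?` and log or die. Also `remove_route_table` logs itself as `add_route_table:`, and the unchecked `m/(\d+):(\d+)/` in `flush_route_table` leaves `$1`/`$2` holding the previous match's values when a line does not fit the format.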
@@ -390,6 +504,10 @@ sub update_rules { log_msg "$tree $name = deleted"; + if ("$tree" eq "policy route") { + flush_route_table($name); + } + # delete the chain if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { # disallow deleting a chain if it's still referenced @@ -416,7 +534,7 @@ sub update_rules { } # set our config level to rule and get the rule numbers - $config->setLevel("firewall $tree $name rule"); + $config->setLevel("$tree $name rule"); # Let's find the status of the rule nodes my %rulehash = (); @@ -433,7 +551,7 @@ sub update_rules { foreach my $rule (sort numerically keys %rulehash) { if ("$rulehash{$rule}" eq 'static') { my $node = new Vyatta::IpTables::Rule; - $node->setupOrig("firewall $tree $name rule $rule"); + $node->setupOrig("$tree $name rule $rule"); $node->set_ip_version($ip_version_hash{$tree}); if ($node->is_stateful()) { $chain_stateful = 1; @@ -443,12 +561,16 @@ sub update_rules { } elsif ("$rulehash{$rule}" eq 'added') { # create a new iptables object of the current rule my $node = new Vyatta::IpTables::Rule; - $node->setup("firewall $tree $name rule $rule"); + $node->setup("$tree $name rule $rule"); $node->set_ip_version($ip_version_hash{$tree}); if ($node->is_stateful()) { $chain_stateful = 1; } + if ($node->is_route_table) { + add_route_table($node->is_route_table, $name); + } + my ($err_str, @rule_strs) = $node->rule(); if (defined($err_str)) { if ($nodes{$name} eq 'added') { 
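Review bot: `flush_route_table($name)` runs before the `chain_referenced` check that follows it, so when deletion of a still-referenced policy chain is refused, the `ip rule` entries and the counts in `$policy_ref_file` have already been torn down while the MARK rules stay in the mangle table. Move the flush to after the reference check succeeds, just before the chain is actually deleted, or restore the counts on the error path. The rest of the deletion branch is outside this hunk.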
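Review bot: `add_route_table` is called before `$node->rule()` has validated the rule and before anything is inserted into iptables, so when `rule()` returns an error (for example a rule with both `set mark` and `set table`) the `ip rule` and its refcount are committed for a rule that never reaches the mangle table. Call it only after the rule strings have been inserted successfully, i.e. after the iptables insert that follows this hunk, or undo it with `remove_route_table($node->is_route_table, $name)` on the error path. The `update_rules` body continues outside this hunk.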
@@ -478,10 +600,10 @@ sub update_rules { } elsif ("$rulehash{$rule}" eq 'changed') { # create a new iptables object of the current rule my $oldnode = new Vyatta::IpTables::Rule; - $oldnode->setupOrig("firewall $tree $name rule $rule"); + $oldnode->setupOrig("$tree $name rule $rule"); $oldnode->set_ip_version($ip_version_hash{$tree}); my $node = new Vyatta::IpTables::Rule; - $node->setup("firewall $tree $name rule $rule"); + $node->setup("$tree $name rule $rule"); $node->set_ip_version($ip_version_hash{$tree}); if ($node->is_stateful()) { $chain_stateful = 1; @@ -509,7 +631,7 @@ sub update_rules { } } elsif ("$rulehash{$rule}" eq 'deleted') { my $node = new Vyatta::IpTables::Rule; - $node->setupOrig("firewall $tree $name rule $rule"); + $node->setupOrig("$tree $name rule $rule"); $node->set_ip_version($ip_version_hash{$tree}); my $ipt_rules = $node->get_num_ipt_rules(); @@ -517,6 +639,10 @@ sub update_rules { run_cmd("$iptables_cmd -t $table --delete $name $iptablesrule"); die "$iptables_cmd error: $! - $rule" if ($? >> 8); } + + if ($node->is_route_table) { + remove_route_table($node->is_route_table, $name); + } } } # foreach rule @@ -557,8 +683,7 @@ sub chain_configured { foreach (keys %table_hash) { next if ($mode == 1 && $_ ne $tree); next if ($mode == 2 && $_ eq $tree); - - $config->setLevel("firewall $_"); + $config->setLevel("$_"); %chains = $config->listNodeStatus(); if (grep(/^$chain$/, (keys %chains))) { diff --git a/templates/firewall/ipv6-modify/node.tag/default-action/node.def b/templates/firewall/ipv6-modify/node.tag/default-action/node.def deleted file mode 100644 index c4e73f6..0000000 --- a/templates/firewall/ipv6-modify/node.tag/default-action/node.def +++ /dev/null 
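Review bot: In the `changed` branch only the old and new rule objects are built; as far as this hunk shows, neither `remove_route_table` for `$oldnode` nor `add_route_table` for `$node` is called, whereas the `added` and `deleted` branches do update the reference file. Editing `set table 10` into `set table 20` on an existing rule would then leave the `ip rule` for table 10 in place and never create the one for table 20. If the rest of the branch (outside this hunk) does not already handle it, add `remove_route_table($oldnode->is_route_table, $name) if $oldnode->is_route_table;` and `add_route_table($node->is_route_table, $name) if $node->is_route_table;` around the rule replacement.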
@@ -1,11 +0,0 @@ -type: txt - -help: Default-action for rule-set - -default: "drop" - -syntax:expression: $VAR(@) in "drop", "accept"; - "default-action must be either drop or accept" - -val_help: drop; Drop if no prior rules are hit (default) -val_help: accept; Accept if no prior rules are hit diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def deleted file mode 100644 index e8e221b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/description/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt - -help: Rule-set description diff --git a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def b/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def deleted file mode 100644 index e540d3f..0000000 --- a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to log packets hitting default-action diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def deleted file mode 100644 index c31dfbd..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.def +++ /dev/null @@ -1,9 +0,0 @@ -tag: - -type: u32 - -help: Rule number (1-9999) - -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999" - -val_help: u32:1-9999; Rule number diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def deleted file mode 100644 index 59b404a..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def +++ /dev/null 
@@ -1,12 +0,0 @@ -type: txt - -help: Rule action - -syntax:expression: $VAR(@) in "drop", "accept", "modify"; - "action must be one of drop, accept, or modify" - -allowed: echo "drop accept modify" - -val_help: drop; Rule action to drop -val_help: accept; Rule action to accept -val_help: modify; Rule action to modify diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def deleted file mode 100644 index 0776b34..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Packet marking diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def deleted file mode 100644 index bd61a90..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def deleted file mode 100644 index 8e9f704..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def deleted file mode 100644 index 1a56963..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: BitTorrent application packets 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def deleted file mode 100644 index eb84108..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Direct Connect application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def deleted file mode 100644 index 255e618..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def +++ /dev/null @@ -1 +0,0 @@ -help: eDonkey/eMule application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def deleted file mode 100644 index f21b60b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Gnutella application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def deleted file mode 100644 index 44c3156..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def +++ /dev/null @@ -1 +0,0 @@ -help: KaZaA application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def deleted file mode 100644 index 5959d3d..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def +++ /dev/null @@ -1 +0,0 @@ -help: P2P application packets diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def index 0eb53f7..3501d9b 100644 --- a/templates/firewall/ipv6-name/node.def +++ b/templates/firewall/ipv6-name/node.def 
@@ -12,19 +12,19 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ "Firewall rule set name cannot start with 'VZONE'" -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-name "$VAR(@)" ; +end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then if [ ${COMMIT_ACTION} = 'DELETE' ] ; then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-name ; + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name" fi fi else exit 1; fi -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-name +create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" help: IPv6 firewall rule-set name diff --git a/templates/firewall/modify/node.tag/default-action/node.def b/templates/firewall/modify/node.tag/default-action/node.def deleted file mode 100644 index c4e73f6..0000000 --- a/templates/firewall/modify/node.tag/default-action/node.def +++ /dev/null @@ -1,11 +0,0 @@ -type: txt - -help: Default-action for rule-set - -default: "drop" - -syntax:expression: $VAR(@) in "drop", "accept"; - "default-action must be either drop or accept" - -val_help: drop; Drop if no prior rules are hit (default) -val_help: accept; Accept if no prior rules are hit diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def deleted file mode 100644 index e8e221b..0000000 --- a/templates/firewall/modify/node.tag/description/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt - -help: Rule-set description diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def deleted file mode 100644 index 661e943..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.def +++ /dev/null @@ -1,9 +0,0 @@ -tag: - -type: u32 - -help: Rule number (1-9999) - -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "modify rule number must be between 1 and 9999" - -val_help: u32:1-9999; Rule number diff --git a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def deleted file mode 100644 index 20cf5bb..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def +++ /dev/null @@ -1,10 +0,0 @@ -type: txt -help: Rule action -syntax:expression: $VAR(@) in "drop", "accept", "modify"; - "action must be one of drop, accept, or modify" - -allowed: echo "drop accept modify" - -val_help: drop; Rule action to drop -val_help: accept; Rule action to accept -val_help: modify; Rule action to modify diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def deleted file mode 100644 index 0776b34..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Packet marking diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def deleted file mode 100644 index bd61a90..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def deleted file mode 100644 index 8e9f704..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice application packets 
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def deleted file mode 100644 index 1a56963..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: BitTorrent application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def deleted file mode 100644 index eb84108..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Direct Connect application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def deleted file mode 100644 index 255e618..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def +++ /dev/null @@ -1 +0,0 @@ -help: eDonkey/eMule application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def deleted file mode 100644 index f21b60b..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Gnutella application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def deleted file mode 100644 index 44c3156..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def +++ /dev/null @@ -1 +0,0 @@ -help: KaZaA application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def deleted file mode 100644 index 5959d3d..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def +++ /dev/null @@ -1 +0,0 @@ -help: P2P application packets diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def index e8be1cd..0c3c096 100644 --- a/templates/firewall/name/node.def +++ b/templates/firewall/name/node.def @@ -12,13 +12,13 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ "Firewall rule set name cannot start with 'VZONE'" -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ; +end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ; then if [ ${COMMIT_ACTION} = 'DELETE' ] ; then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok name ; + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name" fi fi else @@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ; fi sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name +create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "firewall name" help: IPv4 firewall rule-set name diff --git a/templates/firewall/ipv6-modify/node.def b/templates/policy/ipv6-route/node.def index 035ddd1..08b4f4a 100644 --- a/templates/firewall/ipv6-modify/node.def +++ b/templates/policy/ipv6-route/node.def 
@@ -4,27 +4,27 @@ priority: 210 type: txt syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ - "Firewall name must be 28 characters or less" + "Policy ipv6-route rule set name must be 28 characters or less" syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall rule set name cannot start with \"-\"" + "Policy ipv6-route rule set name cannot start with \"-\"" syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ - "Firewall rule set name cannot contain ';'" + "Policy ipv6-route rule set name cannot contain ';'" syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ - "Firewall rule set name cannot start with 'VZONE'" + "Policy ipv6-route rule set name cannot start with 'VZONE'" -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-modify "$VAR(@)" ; +end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)" ; then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; + if [ ${COMMIT_ACTION} = 'DELETE' ] ; then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-modify ; + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy ipv6-route" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-modify + sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy ipv6-route" fi fi else exit 1; fi -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-modify +create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "policy ipv6-route" -help: IPv6 modify rule-set name +help: IPv6 policy route rule set name diff --git a/templates/policy/ipv6-route/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/description/node.def new file mode 100644 index 0000000..ceeca5d --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Policy ipv6-route rule set description 
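Review bot: The rule-set name this template accepts is filtered only by `^[[:print:]]{1,28}$`, `^[^-]` and `^[^;]*$`, which is weaker than the `^[^|;&$<>]*$` check visible on the firewall name template elsewhere in this diff, yet the `end:` and `create:` lines pass the name to `sudo /opt/vyatta/sbin/vyatta-firewall.pl`, where it presumably becomes an ip6tables chain name and may be interpolated again; that script is outside this hunk so I cannot confirm how it is used. Adding `syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \` with a matching "Policy ipv6-route rule set name cannot contain ..." message would bring this node in line with the firewall name node and keep shell metacharacters out of a root-run command path. Separately, this file keeps `priority: 210` while the IPv4 `policy route` template in the same commit moves to `priority: 471`; if both rule sets are meant to commit at the same stage that looks like an oversight, though the intended ordering is not visible from here.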
diff --git a/templates/firewall/modify/node.tag/enable-default-log/node.def b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def index 697719d..697719d 100644 --- a/templates/firewall/modify/node.tag/enable-default-log/node.def +++ b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def diff --git a/templates/policy/ipv6-route/node.tag/rule/node.def b/templates/policy/ipv6-route/node.tag/rule/node.def new file mode 100644 index 0000000..d5f8461 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.def @@ -0,0 +1,9 @@ +tag: + +type: u32 + +help: Rule number (1-9999) + +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy ipv6-route rule number must be between 1 and 9999" + +val_help: u32:1-9999; Rule number diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def new file mode 100644 index 0000000..10236f7 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Rule action + +syntax:expression: $VAR(@) in "drop"; + "action must be drop" + +allowed: echo "drop" + +val_help: drop; Rule action to drop diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def index 90bf88b..90bf88b 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def index 2ace3b3..2ace3b3 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def index dc227b7..dc227b7 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def index 2b2d8c7..2b2d8c7 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def index 70565eb..70565eb 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def index 7032b30..7032b30 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def index d11da4e..087c7ab 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def @@ -125,10 +125,10 @@ syntax:expression: exec " exit 1 fi " - - - - + + + + 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
index 2d717d5..2d717d5 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
index 9097370..9097370 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
index 75460b1..75460b1 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
index cd108f4..cd108f4 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
index 891cbcf..891cbcf 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
index 5225eee..5225eee 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
index 69a4ebd..69a4ebd 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
index 3acc871..3acc871 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
index 9c49ed8..9c49ed8 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def index 3ed8f0d..3ed8f0d 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def new file mode 100644 index 0000000..c8cb1b2 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def @@ -0,0 +1,3 @@ +type: u32 +help: Packet marking +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def index c61402f..c61402f 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def new file mode 100644 index 0000000..dbde887 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def @@ -0,0 +1,4 @@ +type: u32 +help: Routing table to forward packet with +syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250; + "Table must be between 1 and 250" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def index 8d2248e..8d2248e 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def 
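Review bot: In the new `set/mark/node.def` the error text `"packet mark must be between 0 and 2,147,483,647"` contradicts the check `$VAR(@) > 0`, which rejects 0, so a user who enters 0 is told it should have been accepted. Rejecting 0 is probably deliberate, since 0 is the unmarked state, so the message is what should change: `"packet mark must be between 1 and 2,147,483,647"`. A `val_help: u32:1-2147483647; Packet mark` line would also match the style of the rule-number template added in this commit.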
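Review bot: In the new `set/table/node.def` the check `$VAR(@) >= 1 && $VAR(@) < 250` admits tables 1–249, but the message says `"Table must be between 1 and 250"`, so one side is off by one. If 250 is excluded on purpose the message should read `"Table must be between 1 and 249"`; otherwise the check should be `$VAR(@) <= 250`. Unlike the other new nodes in this commit there is no `val_help` here; adding `val_help: u32:1-249; Routing table number` (with whichever bound is intended) would expose the accepted range at completion time.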
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
index 2fe8a42..2fe8a42 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
index 5519871..5519871 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
index 84cdc1f..84cdc1f 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
index adfae7a..adfae7a 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
index a4f3120..a4f3120 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
index dc6110d..dc6110d 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
index 6ef1f7a..6ef1f7a 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
index 0e38df4..0e38df4 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
index 2364c31..2364c31 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
index b86e707..b86e707 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
index 66bc295..66bc295 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
index 14c1d5c..14c1d5c 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
index 238acd2..238acd2 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
index 46f9eb9..250ed0f 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
@@ -2,10 +2,10 @@ type: txt help: Date to start matching rule syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time -of date with startdate, append 'T' to date followed by time in 24 hour notation -hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to +of date with startdate, append 'T' to date followed by time in 24 hour notation +hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 21st January 2009 with time 13:30:00" -comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def index ab69c45..ab69c45 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def index 93fc8b6..93fc8b6 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def index 4a42ca3..b108175 100644 
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def @@ -3,6 +3,6 @@ help: Time of day to stop matching rule syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" -comp_help: Enter time using using 24 hour notation - hh:mm:ss +comp_help: Enter time using using 24 hour notation - hh:mm:ss diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def index 167f191..167f191 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def index dd2649b..dd2649b 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def diff --git a/templates/firewall/modify/node.def b/templates/policy/route/node.def index 640a89c..edfd75b 100644 --- a/templates/firewall/modify/node.def +++ b/templates/policy/route/node.def 
@@ -1,24 +1,24 @@ tag: -priority: 210 +priority: 471 type: txt syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ - "Firewall name must be 28 characters or less" + "Policy route rule set name must be 28 characters or less" syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall rule set name cannot start with \"-\"" + "Policy route rule set name cannot start with \"-\"" syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ - "Firewall rule set name cannot contain ';'" + "Policy route rule set name cannot contain ';'" syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ - "Firewall rule set name cannot start with 'VZONE'" + "Policy route rule set name cannot start with 'VZONE'" -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)" ; +end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy route" "$VAR(@)" ; then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; + if [ ${COMMIT_ACTION} = 'DELETE' ] ; then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok modify ; + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy route" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown modify + sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy route" fi fi else @@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)" fi sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify +create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "policy route" -help: IPv4 modify rule-set name +help: Policy route rule set name diff --git a/templates/policy/route/node.tag/description/node.def b/templates/policy/route/node.tag/description/node.def new file mode 100644 index 0000000..6e49257 --- /dev/null +++ b/templates/policy/route/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Policy route rule set description 
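Review bot: The rule-set name validation in the first hunk (`"^[[:print:]]{1,28}$"` plus the two negative patterns) still admits characters such as double quotes, `$`, backticks and `|`, while the `end:` and `create:` lines hand `"$VAR(@)"` to a sudo shell command after template substitution. The explicit exclusion of `;` and a leading `-` suggests shell safety was the intent, so the positive pattern should carry it rather than `[[:print:]]`, e.g. `syntax:expression: pattern $VAR(@) "^[-_[:alnum:]]{1,28}$" ; \` with a matching message. If existing configurations depend on the wider character set, the rejection has to happen in vyatta-firewall.pl instead, which is not visible in this chunk.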
diff --git a/templates/policy/route/node.tag/enable-default-log/node.def b/templates/policy/route/node.tag/enable-default-log/node.def new file mode 100644 index 0000000..697719d --- /dev/null +++ b/templates/policy/route/node.tag/enable-default-log/node.def @@ -0,0 +1 @@ +help: Option to log packets hitting default-action diff --git a/templates/policy/route/node.tag/rule/node.def b/templates/policy/route/node.tag/rule/node.def new file mode 100644 index 0000000..f06c3a5 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.def @@ -0,0 +1,9 @@ +tag: + +type: u32 + +help: Rule number (1-9999) + +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy route rule number must be between 1 and 9999" + +val_help: u32:1-9999; Rule number diff --git a/templates/policy/route/node.tag/rule/node.tag/action/node.def b/templates/policy/route/node.tag/rule/node.tag/action/node.def new file mode 100644 index 0000000..a244a4c --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/action/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Rule action + +syntax:expression: $VAR(@) in "drop"; + "action must be drop" + +allowed: echo "drop modify" + +val_help: drop ; Rule action to drop diff --git a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def b/templates/policy/route/node.tag/rule/node.tag/description/node.def index dd2f535..dd2f535 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/description/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def index f142aba..f142aba 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def 
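Review bot: In the new action/node.def (hunk `@@ -0,0 +1,10 @@`) the `allowed:` line advertises two values, `drop modify`, but the syntax check accepts only one, `$VAR(@) in "drop"`, with the message `action must be drop`. Completion will therefore offer `modify` and commit will reject it. Either the check should become `syntax:expression: $VAR(@) in "drop", "modify"; "action must be drop or modify"` together with a `val_help: modify ; Rule action to modify` line, or `allowed:` should read `echo "drop"`; which of the two is intended cannot be told from this chunk.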
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
index 07e791c..07e791c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
index bf018a0..bf018a0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
index bb11dae..bb11dae 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
index 865d2c5..865d2c5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/node.def
index dc227b7..dc227b7 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def
index 3299c9a..3299c9a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def b/templates/policy/route/node.tag/rule/node.tag/disable/node.def
index 70565eb..70565eb 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/disable/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def
index 2f830a1..2f830a1 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def
index 3590869..3590869 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def
index c3d9f02..c3d9f02 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def
index b102b99..b102b99 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def
index 33a8e89..33a8e89 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def
index b71c23a..b71c23a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
index 9d879e1..9d879e1 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def
index 2d717d5..2d717d5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def
index 96ada47..96ada47 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def index 9097370..9097370 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/node.def index 75460b1..75460b1 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/limit/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def index cd108f4..cd108f4 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def b/templates/policy/route/node.tag/rule/node.tag/log/node.def index 891cbcf..891cbcf 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/log/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def index c456f95..6e0e9a6 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def @@ -1,4 +1,5 @@ type: txt + help: Protocol to match (protocol name in /etc/protocols or protocol number or "all") val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp") 
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def index defd974..defd974 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/node.def index 3acc871..3acc871 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/recent/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def index 9c49ed8..9c49ed8 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def index 3ed8f0d..3ed8f0d 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def diff --git a/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def new file mode 100644 index 0000000..c8cb1b2 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def @@ -0,0 +1,3 @@ +type: u32 +help: Packet marking +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def b/templates/policy/route/node.tag/rule/node.tag/set/node.def index c61402f..c61402f 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def 
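Review bot: In the new set/mark/node.def hunk the condition `$VAR(@) > 0` rejects a mark of 0, but the error text says "packet mark must be between 0 and 2,147,483,647", so a user who enters 0 is told that 0 is valid. If 0 is meant to be excluded (presumably because it is the unmarked default), the message should read `between 1 and 2,147,483,647`; if 0 is acceptable, the check should be `$VAR(@) >= 0`. A one-line comment explaining why a u32 field is capped at 2147483647 rather than the full 32-bit range would also help the next reader, since the reason is not visible here.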
+++ b/templates/policy/route/node.tag/rule/node.tag/set/node.def diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def new file mode 100644 index 0000000..dbde887 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def @@ -0,0 +1,4 @@ +type: u32 +help: Routing table to forward packet with +syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250; + "Table must be between 1 and 250" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def index 7a61966..7a61966 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def index 72d6a17..72d6a17 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def index 97c748d..97c748d 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def index bf018a0..bf018a0 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def 
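Review bot: In the new set/table/node.def hunk the check `$VAR(@) >= 1 && $VAR(@) < 250` excludes 250, yet the message says "Table must be between 1 and 250". Either the bound should be `$VAR(@) <= 250` or the message should read `"Table must be between 1 and 249"`. A short comment stating why the range stops where it does (presumably to stay clear of the tables the kernel reserves at the top of the numbering) would make the intended bound unambiguous.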
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def
index 7b36071..7b36071 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def
index 865d2c5..865d2c5 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def
index 5519871..5519871 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def b/templates/policy/route/node.tag/rule/node.tag/source/node.def
index 84cdc1f..84cdc1f 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def
index adfae7a..adfae7a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def
index a4f3120..a4f3120 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def
index dc6110d..dc6110d 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def
index 6ef1f7a..6ef1f7a 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def b/templates/policy/route/node.tag/rule/node.tag/state/node.def
index 0e38df4..0e38df4 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def
index 2364c31..2364c31 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def
index b86e707..b86e707 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def
index 66bc295..66bc295 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def
index 14c1d5c..14c1d5c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/policy/route/node.tag/rule/node.tag/time/node.def
index 238acd2..238acd2 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def
index 25e02e8..25e02e8 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def
index ab69c45..ab69c45 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def
index 8fdf6e0..8fdf6e0 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def
index 4a42ca3..b108175 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def @@ -3,6 +3,6 @@ help: Time of day to stop matching rule syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" -comp_help: Enter time using using 24 hour notation - hh:mm:ss +comp_help: Enter time using using 24 hour notation - hh:mm:ss diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def index 89c17f7..89c17f7 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def index dd2649b..dd2649b 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def |