authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-07-26 20:53:22 -0700
committerStig Thormodsrud <stig@vyatta.com>2010-07-27 15:58:36 -0700
commita6aa2159244af565c93a0d771326141b2bb90be2 (patch)
tree8eb95932c54148205cef94a242bc7a16309e91d2
parent17e233fa5b7a6b2e2e14a3e14c824ca056c2e11f (diff)
Convert firewall rules to val_help:
Convert some (but not all) of existing rules using comp_help: to use val_help: (cherry picked from commit 77e13fa992a50cc5721bbad64235bff8f8ecd50d)
-rw-r--r--templates/firewall/all-ping/node.def5
-rw-r--r--templates/firewall/broadcast-ping/node.def5
-rw-r--r--templates/firewall/conntrack-expect-table-size/node.def3
-rw-r--r--templates/firewall/conntrack-hash-size/node.def3
-rw-r--r--templates/firewall/conntrack-options/sip/port/node.def6
-rw-r--r--templates/firewall/conntrack-table-size/node.def3
-rw-r--r--templates/firewall/conntrack-tcp-loose/node.def5
-rw-r--r--templates/firewall/group/address-group/node.def3
-rw-r--r--templates/firewall/group/address-group/node.tag/address/node.def6
-rw-r--r--templates/firewall/group/network-group/node.def3
-rw-r--r--templates/firewall/group/network-group/node.tag/network/node.def4
-rw-r--r--templates/firewall/group/node.def3
-rw-r--r--templates/firewall/group/port-group/node.def3
-rw-r--r--templates/firewall/group/port-group/node.tag/port/node.def9
-rw-r--r--templates/firewall/ip-src-route/node.def5
-rw-r--r--templates/firewall/ipv6-modify/node.tag/default-action/node.def5
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def7
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def9
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/action/node.def7
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/action/node.def9
20 files changed, 36 insertions, 67 deletions
diff --git a/templates/firewall/all-ping/node.def b/templates/firewall/all-ping/node.def
index 3b7de60..07fc349 100644
--- a/templates/firewall/all-ping/node.def
+++ b/templates/firewall/all-ping/node.def
@@ -6,9 +6,8 @@ type: txt
help: Policy for handling of all IPv4 ICMP echo requests
-comp_help:Possible completions:
- disable\tDisable processing of all IPv4 ICMP echo requests
- enable\tEnable processing of all IPv4 ICMP echo requests
+val_help: disable; Disable processing of all IPv4 ICMP echo requests
+val_help: enable; Enable processing of all IPv4 ICMP echo requests
default: "enable"
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
index bded462..e779a8b 100644
--- a/templates/firewall/broadcast-ping/node.def
+++ b/templates/firewall/broadcast-ping/node.def
@@ -7,9 +7,8 @@ type: txt
help: Policy for handling broadcast IPv4 ICMP echo and timestamp requests
-comp_help:Possible completions:
- disable\tDisable processing of broadcast IPv4 ICMP echo/timestamp requests
- enable\tEnable processing of broadcast IPv4 ICMP echo/timestamp requests
+val_help: disable; Disable processing of broadcast IPv4 ICMP echo/timestamp requests
+val_help: enable; Enable processing of broadcast IPv4 ICMP echo/timestamp requests
default: "disable"
diff --git a/templates/firewall/conntrack-expect-table-size/node.def b/templates/firewall/conntrack-expect-table-size/node.def
index 1fb060c..889dbdb 100644
--- a/templates/firewall/conntrack-expect-table-size/node.def
+++ b/templates/firewall/conntrack-expect-table-size/node.def
@@ -17,8 +17,7 @@ help: Size of connection tracking expect table
default: 4096
-comp_help:Possible completions:
- <1 - 50000000>\tNumber of entries allowed in connection tracking expect table
+val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000"
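Review bot: The added `val_help: u32: 1-50000000; ...` line has a space between `u32:` and the range, while the same conversion in conntrack-hash-size and conntrack-table-size writes `u32:1-50000000`. Whether the template parser accepts the spaced form is not visible in this diff, so it is safer to match the other files: `val_help: u32:1-50000000; Number of entries allowed in connection tracking expect table`. The range in the help text also duplicates the bounds enforced by the `syntax:expression` below it, so the two must be kept in step if the limit ever changes.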
diff --git a/templates/firewall/conntrack-hash-size/node.def b/templates/firewall/conntrack-hash-size/node.def
index 6f9f85a..d4c2027 100644
--- a/templates/firewall/conntrack-hash-size/node.def
+++ b/templates/firewall/conntrack-hash-size/node.def
@@ -3,8 +3,7 @@ type: u32
default: 4096
-comp_help:Possible completions:
- <1 - 50000000>\tSize of hash to use for connection tracking table
+val_help: u32:1-50000000; Size of hash to use for connection tracking table
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000"
diff --git a/templates/firewall/conntrack-options/sip/port/node.def b/templates/firewall/conntrack-options/sip/port/node.def
index 7fe05fb..b72f1ca 100644
--- a/templates/firewall/conntrack-options/sip/port/node.def
+++ b/templates/firewall/conntrack-options/sip/port/node.def
@@ -1,10 +1,8 @@
multi:
+type: u32
help: Port number that SIP traffic is carried on
-comp_help: Possible completions:
- 1 - 65535\tSIP port number
-
-type: u32
+val_help: u32:1-65535; SIP port number
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <=65535) ; "Port number must be in range 1 to 65535"
diff --git a/templates/firewall/conntrack-table-size/node.def b/templates/firewall/conntrack-table-size/node.def
index 6974c7a..adb994a 100644
--- a/templates/firewall/conntrack-table-size/node.def
+++ b/templates/firewall/conntrack-table-size/node.def
@@ -21,8 +21,7 @@ help: Size of connection tracking table
default: 32768
-comp_help:Possible completions:
- <1 - 50000000>\tNumber of entries allowed in connection tracking table
+val_help: u32:1-50000000; Number of entries allowed in connection tracking table
syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be between 1 and 50,000,000"
diff --git a/templates/firewall/conntrack-tcp-loose/node.def b/templates/firewall/conntrack-tcp-loose/node.def
index a2b2aba..86489b7 100644
--- a/templates/firewall/conntrack-tcp-loose/node.def
+++ b/templates/firewall/conntrack-tcp-loose/node.def
@@ -16,9 +16,8 @@ type: txt
help: Policy to track previously established connections
-comp_help:Possible completions:
- enable\tAllow tracking of previously established connections
- disable\tDo not allow tracking of previously established connections
+val_help: enable; Allow tracking of previously established connections
+val_help: disable; Do not allow tracking of previously established connections
default: "enable"
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
index a19d9ff..9c118ff 100644
--- a/templates/firewall/group/address-group/node.def
+++ b/templates/firewall/group/address-group/node.def
@@ -24,6 +24,3 @@ create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=delete-set \
--set-name="$VAR(@)"
-
-comp_help: possible completions:
- <txt> Set the name of the firewall address-group
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index 2e8edcd..c62f4dd 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -1,6 +1,8 @@
multi:
type: txt
help: Address-group member
+val_help: ipv4; IPv4 address to match
+val_help: ipv4range; IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-member \
@@ -54,7 +56,3 @@ delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
--set-name=$VAR(../@) \
--member="$VAR(@)"
-
-comp_help: possible completions:
- <x.x.x.x> IPv4 address to match
- <x.x.x.x>-<x.x.x.x> IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index e407b0a..c09176f 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -24,6 +24,3 @@ create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=delete-set \
--set-name="$VAR(@)"
-
-comp_help: possible completions:
- <txt> Set the name of the firewall network-group
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
index 8899450..4db4d49 100644
--- a/templates/firewall/group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -1,6 +1,7 @@
multi:
type: ipv4net
help: Network-group member
+val_help: ipv4net; IPv4 Subnet to match
syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-member \
@@ -29,6 +30,3 @@ delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
--set-name=$VAR(../@) \
--member="$VAR(@)"
-
-comp_help: possible completions:
- <x.x.x.x/x> IPv4 Subnet to match
diff --git a/templates/firewall/group/node.def b/templates/firewall/group/node.def
index 81afdd6..78edbb2 100644
--- a/templates/firewall/group/node.def
+++ b/templates/firewall/group/node.def
@@ -1,4 +1 @@
help: Firewall group
-
-comp_help: possible completions:
- <txt> Set the name of the firewall group
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index ee655ee..0500ac1 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
@@ -24,6 +24,3 @@ create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=delete-set \
--set-name="$VAR(@)"
-
-comp_help: possible completions:
- <txt> Set the name of the firewall port-group
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index ae7d944..c6f3173 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -2,6 +2,10 @@ multi:
type: txt
help: Port-group member
+val_help: <name>; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: <start>-<end>; Numbered port range (e.g. 1001-1050)
+
syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--action=check-member \
--set-name=$VAR(../@) \
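Review bot: In the `syntax:expression: exec` context of this hunk, `--set-name=$VAR(../@)` is passed unquoted to the sudo-invoked vyatta-ipset.pl, whereas the group-level templates in this commit use `--set-name="$VAR(@)"` and the member argument is written `--member="$VAR(@)"`. The same unquoted form appears in the `delete:` lines of this file and of the address-group and network-group member templates. Whether the group name is restricted to shell-safe characters when it is created is not visible in this diff, so it would be worth quoting it consistently, e.g. `--set-name="$VAR(../@)"` in the `delete:` actions, with the quotes escaped as needed inside the `exec "..."` string. The exec expression continues past the end of the hunk.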
@@ -54,8 +58,3 @@ delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
--set-name=$VAR(../@) \
--member="$VAR(@)"
-
-comp_help: possible completions:
- <port name> Named port (any name in /etc/services, e.g., http)
- <1-65535> Numbered port
- <start>-<end> Numbered port range (e.g. 1001-1050)
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
index af8162c..5fa3b19 100644
--- a/templates/firewall/ip-src-route/node.def
+++ b/templates/firewall/ip-src-route/node.def
@@ -8,9 +8,8 @@ type: txt
help: Policy for handling IPv4 packets with source route option
-comp_help:Possible completions:
- enable\tEnable processing of IPv4 packets with source route option
- disable\tDisable processing of IPv4 packets with source route option
+val_help: enable; Enable processing of IPv4 packets with source route option
+val_help: disable; Disable processing of IPv4 packets with source route option
default: "disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/default-action/node.def b/templates/firewall/ipv6-modify/node.tag/default-action/node.def
index 34ed318..c4e73f6 100644
--- a/templates/firewall/ipv6-modify/node.tag/default-action/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/default-action/node.def
@@ -7,6 +7,5 @@ default: "drop"
syntax:expression: $VAR(@) in "drop", "accept";
"default-action must be either drop or accept"
-comp_help: possible completions:
- drop Drop if no prior rules are hit (default)
- accept Accept if no prior rules are hit
+val_help: drop; Drop if no prior rules are hit (default)
+val_help: accept; Accept if no prior rules are hit
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
index 25a9069..59b404a 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
@@ -7,7 +7,6 @@ syntax:expression: $VAR(@) in "drop", "accept", "modify";
allowed: echo "drop accept modify"
-comp_help: Possible completions:
- drop Set rule action to drop
- accept Set rule action to accept
- modify Set rule action to modify
+val_help: drop; Rule action to drop
+val_help: accept; Rule action to accept
+val_help: modify; Rule action to modify
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def
index f2abdc4..d4a0bd3 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def
@@ -7,8 +7,7 @@ syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect";
allowed: echo "drop reject accept inspect"
-comp_help: Possible completions:
- drop Set rule action to drop
- reject Set rule action to reject
- accept Set rule action to accept
- inspect Set rule action to inspect
+val_help: drop; Rule action to drop
+val_help: reject; Rule action to reject
+val_help: accept; Rule action to accept
+val_help: inspect; Rule action to inspect
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
index ccf5675..20cf5bb 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
@@ -5,7 +5,6 @@ syntax:expression: $VAR(@) in "drop", "accept", "modify";
allowed: echo "drop accept modify"
-comp_help: Possible completions:
- drop Set rule action to drop
- accept Set rule action to accept
- modify Set rule action to modify
+val_help: drop; Rule action to drop
+val_help: accept; Rule action to accept
+val_help: modify; Rule action to modify
diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
index d2af3c7..971b1a4 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/action/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def
@@ -7,8 +7,7 @@ syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect";
allowed: echo "drop reject accept inspect"
-comp_help: Possible completions:
- drop Set rule action to drop
- reject Set rule action to reject
- accept Set rule action to accept
- inspect Set rule action to inspect
+val_help: drop ; Rule action to drop
+val_help: reject ; Rule action to reject
+val_help: accept ; Rule action to accept
+val_help: inspect ; Rule action to inspect
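Review bot: The four added lines put a space before the separator (`val_help: drop ; Rule action to drop`), while the identical conversion in ipv6-name/node.tag/rule/node.tag/action/node.def writes `val_help: drop; Rule action to drop`. If the parser does not trim the value, the trailing space could end up in the displayed completion; this is inferred, not shown in the diff. Using the same form as the other files, e.g. `val_help: reject; Rule action to reject`, keeps the templates consistent.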