authorRobert Bays <robert@vyatta.com>2012-06-26 13:32:41 -0700
committerRobert Bays <robert@vyatta.com>2012-09-03 10:18:38 -0700
commitf3207bc0f15c9b94ed86c117e48c85c398dec8ea (patch)
tree50f9f82fbe0d92bcb275598968573296d56ad11a /templates/firewall
parent0da6be07418ae3f821368aa54adcd7913a2fc7b3 (diff)
initial checkin for pbr functionality
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/ipv6-modify/node.def30
-rw-r--r--templates/firewall/ipv6-modify/node.tag/default-action/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/description/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.def9
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def12
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def13
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def10
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def134
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def4
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def10
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def4
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def21
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def28
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def4
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def2
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def13
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def3
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def12
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def7
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def11
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def8
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def1
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def9
-rw-r--r--templates/firewall/ipv6-name/node.def8
-rw-r--r--templates/firewall/modify/node.def31
-rw-r--r--templates/firewall/modify/node.tag/default-action/node.def11
-rw-r--r--templates/firewall/modify/node.tag/description/node.def3
-rw-r--r--templates/firewall/modify/node.tag/enable-default-log/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.def9
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/action/node.def10
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/description/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def9
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/disable/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def38
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def4
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def10
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/log/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def4
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/modify/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def21
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def21
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def5
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/recent/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/state/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def12
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def12
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def7
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def12
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def9
-rw-r--r--templates/firewall/name/node.def8
125 files changed, 8 insertions, 810 deletions
diff --git a/templates/firewall/ipv6-modify/node.def b/templates/firewall/ipv6-modify/node.def
deleted file mode 100644
index 035ddd1..0000000
--- a/templates/firewall/ipv6-modify/node.def
+++ /dev/null
@@ -1,30 +0,0 @@
-tag:
-priority: 210
-
-type: txt
-
-syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
- "Firewall name must be 28 characters or less"
-syntax:expression: pattern $VAR(@) "^[^-]" ; \
- "Firewall rule set name cannot start with \"-\""
-syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
- "Firewall rule set name cannot contain ';'"
-syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
- "Firewall rule set name cannot start with 'VZONE'"
-
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-modify "$VAR(@)" ;
- then
- if [ ${COMMIT_ACTION} = 'DELETE' ] ;
- then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-modify ;
- then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-modify
- fi
- fi
- else
- exit 1;
- fi
-
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-modify
-
-help: IPv6 modify rule-set name
diff --git a/templates/firewall/ipv6-modify/node.tag/default-action/node.def b/templates/firewall/ipv6-modify/node.tag/default-action/node.def
deleted file mode 100644
index c4e73f6..0000000
--- a/templates/firewall/ipv6-modify/node.tag/default-action/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-
-help: Default-action for rule-set
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-action must be either drop or accept"
-
-val_help: drop; Drop if no prior rules are hit (default)
-val_help: accept; Accept if no prior rules are hit
diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def
deleted file mode 100644
index e8e221b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/description/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-
-help: Rule-set description
diff --git a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def b/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def
deleted file mode 100644
index e540d3f..0000000
--- a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to log packets hitting default-action
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def
deleted file mode 100644
index c31dfbd..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-tag:
-
-type: u32
-
-help: Rule number (1-9999)
-
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999"
-
-val_help: u32:1-9999; Rule number
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
deleted file mode 100644
index 59b404a..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-
-help: Rule action
-
-syntax:expression: $VAR(@) in "drop", "accept", "modify";
- "action must be one of drop, accept, or modify"
-
-allowed: echo "drop accept modify"
-
-val_help: drop; Rule action to drop
-val_help: accept; Rule action to accept
-val_help: modify; Rule action to modify
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
deleted file mode 100644
index 90bf88b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-
-help: Rule description
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
deleted file mode 100644
index 2ace3b3..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: txt
-
-help: Destination IPv6 address, prefix or range
-
-val_help: ipv6; IPv6 address to match
-val_help: ipv6net; IPv6 prefix to match
-val_help: ipv6range; IPv6 range to match
-val_help: !ipv6; Match everything except the specified address
-val_help: !ipv6net; Match everything except the specified prefix
-val_help: !ipv6range; Match everything except the specified range
-
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
-
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
deleted file mode 100644
index dc227b7..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Destination parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
deleted file mode 100644
index 2b2d8c7..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-type: txt
-
-help: Destination port
-
-val_help: <port name>; Named port (any name in /etc/services, e.g., http)
-val_help: u32:1-65535; Numbered port
-val_help: range; Numbered port range (e.g., 1001-1005)
-comp_help: Multiple destination ports can be specified as a comma-separated list.
-The whole list can also be "negated" using '!'. For example:
- '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
deleted file mode 100644
index 70565eb..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to disable rule
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
deleted file mode 100644
index 7032b30..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: ICMPv6 type and code information
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
deleted file mode 100644
index d11da4e..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def
+++ /dev/null
@@ -1,134 +0,0 @@
-type: txt
-
-help: ICMPv6 type/code
-
-val_help: destination-unreachable; ICMPv6 type/code name
-val_help: _ no-route; ICMPv6 type/code name
-val_help: _ communication-prohibited; ICMPv6 type/code name
-val_help: _ address-unreachable; ICMPv6 type/code name
-val_help: _ port-unreachable; ICMPv6 type/code name
-val_help: packet-too-big; ICMPv6 type/code name
-val_help: time-exceeded; ICMPv6 type/code name
-val_help: _ ttl-zero-during-transit; ICMPv6 type/code name
-val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name
-val_help: parameter-problem; ICMPv6 type/code name
-val_help: _ bad-header; ICMPv6 type/code name
-val_help: _ unknown-header-type; ICMPv6 type/code name
-val_help: _ unknown-option; ICMPv6 type/code name
-val_help: echo-request; ICMPv6 type/code name
-val_help: ping; ICMPv6 type/code name
-val_help: echo-reply; ICMPv6 type/code name
-val_help: pong; ICMPv6 type/code name
-val_help: router-solicitation; ICMPv6 type/code name
-val_help: router-advertisement; ICMPv6 type/code name
-val_help: neighbour-solicitation; ICMPv6 type/code name
-val_help: neighbor-solicitation; ICMPv6 type/code name
-val_help: neighbour-advertisement; ICMPv6 type/code name
-val_help: neighbor-advertisement; ICMPv6 type/code name
-val_help: u32:0-255; ICMPv6 type number
-val_help: <0-255>/<0-255>; ICMPv6 type and code numbers
-
-allowed:
- array=(
- destination-unreachable
- no-route
- communication-prohibited
- address-unreachable
- port-unreachable
- packet-too-big
- time-exceeded
- ttl-zero-during-transit
- ttl-zero-during-reassembly
- parameter-problem
- bad-header
- unknown-header-type
- unknown-option
- echo-request
- ping
- echo-reply
- pong
- router-solicitation
- router-advertisement
- neighbour-solicitation
- neighbor-solicitation
- neighbour-advertisement
- neighbor-advertisement )
- echo -n ${array[@]}
-
-syntax:expression: exec "
- array=(
- destination-unreachable
- no-route
- communication-prohibited
- address-unreachable
- port-unreachable
- packet-too-big
- time-exceeded
- ttl-zero-during-transit
- ttl-zero-during-reassembly
- parameter-problem
- bad-header
- unknown-header-type
- unknown-option
- echo-request
- ping
- echo-reply
- pong
- router-solicitation
- router-advertisement
- neighbour-solicitation
- neighbor-solicitation
- neighbour-advertisement
- neighbor-advertisement )
- len=${#array[*]}
- i=0
- while [ $i -lt $len ]; do
- if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
- exit 0
- fi
- let i++
- done
-
- param=$VAR(@)
- codepart=${param##*/}
- if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
- codepart=\"0\"
- fi
-
- typepart=${param%%/*}
- if [ -z \"$typepart\" ]; then
- echo \"Must specify ICMPv6 type\"
- exit 1
- fi
-
- shopt -s extglob
-
- leftover=${typepart##*([0-9])}
- if [ -n \"$leftover\" ]; then
- echo \"Invalid ICMPv6 type: $typepart\"
- exit 1
- fi
-
- leftover=${codepart##*([0-9])}
- if [ -n \"$leftover\" ]; then
- echo \"Invalid ICMPv6 code: $codepart\"
- exit 1
- fi
-
- if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
- echo \"ICMPv6 type must be between 0 and 255\"
- exit 1
- fi
-
- if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
- echo \"ICMPv6 code must be between 0 and 255\"
- exit 1
- fi
-"
-
-
-
-
-
-
-
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
deleted file mode 100644
index 96ada47..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
deleted file mode 100644
index 2d717d5..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound non-IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
deleted file mode 100644
index 96ada47..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound IPsec packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
deleted file mode 100644
index 9097370..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-type: u32
-default: 1
-help: Maximum number of packets to allow in excess of rate
-syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def
deleted file mode 100644
index 75460b1..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Rate limit using a token bucket filter
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
deleted file mode 100644
index cd108f4..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-type: txt
-help: Maximum average matching rate
-syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
-"Invalid value for rate. Rate should be specified as an integer followed by
-a forward slash '/' and either of these time units - second, minute, hour or day
-eg. 1/second implies rule to be matched at an average of once per second"
-
-comp_help:Format for rate : integer/time unit
-any one of second, minute, hour or day may be used to specify time unit
-eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
deleted file mode 100644
index 891cbcf..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt; "firewall logging must be enable or disable"
-help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
deleted file mode 100644
index 3ed8f0d..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-type: u32
-help: Packet Differentiated Services Codepoint (DSCP)
-syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
- "DSCP must be between 0 and 63"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
deleted file mode 100644
index 0776b34..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Packet marking
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
deleted file mode 100644
index c61402f..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Packet modifications
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
deleted file mode 100644
index 8d2248e..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
+++ /dev/null
@@ -1,21 +0,0 @@
-type: txt
-help: TCP Maximum Segment Size
-
-syntax:expression:
-exec "
-if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
- if [ $VAR(@) == \"pmtu\" ]; then \
- exit 0; \
- fi; \
-else \
- if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
- ( $VAR(@) -ge \"500\" ) && \
- ( $VAR(@) -le \"1460\" ) ]]; then \
- exit 0; \
- fi; \
-fi; \
-echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
-exit 1"
-
-val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes
-val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
deleted file mode 100644
index bd61a90..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
deleted file mode 100644
index 8e9f704..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
deleted file mode 100644
index 1a56963..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: BitTorrent application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
deleted file mode 100644
index eb84108..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Direct Connect application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
deleted file mode 100644
index 255e618..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
deleted file mode 100644
index f21b60b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Gnutella application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
deleted file mode 100644
index 44c3156..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: KaZaA application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
deleted file mode 100644
index 5959d3d..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: P2P application packets
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
deleted file mode 100644
index 5225eee..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
+++ /dev/null
@@ -1,28 +0,0 @@
-type: txt
-
-help: IPv6 protocol to match (protocol name, number, or "all")
-
-syntax:expression: exec "
- param=$VAR(@)
- if [ \"$param\" = \"icmpv6\" ]; then
- exit 0
- fi
- if [ \"$param\" = \"tcp_udp\" ]; then
- exit 0
- fi
- /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'
- " ;
- "invalid protocol \"$VAR(@)\""
-
-# Provide some help for command completion. Doesn't return negated
-# values or protocol numbers
-allowed:
- protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
- protos="all icmpv6 $protos tcp_udp"
- echo -n $protos
-
-val_help: txt; IPv6 protocol name from /etc/protocols (e.g. "tcp" or "udp")
-val_help: u32:0-255; IPv6 protocol number
-val_help: tcp_udp; Both TCP and UDP
-val_help: all; All IPv6 protocols
-val_help: !<protocol>; All IPv6 protocols except for the specified name or number
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
deleted file mode 100644
index 69a4ebd..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-type: u32
-help: Source addresses seen more than N times
-syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
-val_help: u32:1-255; Source addresses seen more than N times
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
deleted file mode 100644
index 3acc871..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Parameters for matching recently seen sources
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
deleted file mode 100644
index 9c49ed8..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Source addresses seen in the last N seconds
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
deleted file mode 100644
index 2fe8a42..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-
-type: txt
-
-help: Source IPv6 address, prefix or range
-
-val_help: ipv6; IPv6 address to match
-val_help: ipv6net; IPv6 prefix to match
-val_help: ipv6range; IPv6 range to match
-val_help: !ipv6; Match everything except the specified address
-val_help: !ipv6net; Match everything except the specified prefix
-val_help: !ipv6range; Match everything except the specified range
-
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
deleted file mode 100644
index 5519871..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Source MAC address
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
deleted file mode 100644
index 84cdc1f..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Source parameters
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
deleted file mode 100644
index adfae7a..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Source port
-val_help: <port name>; Named port (any name in /etc/services, e.g., http)
-val_help: u32:1-65535; Numbered port
-val_help: range; Numbered port range (e.g., 1001-1005)
-comp_help: Multiple source ports can be specified as a comma-separated list.
-The whole list can also be "negated" using '!'. For example:
- '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
deleted file mode 100644
index a4f3120..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Established state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
deleted file mode 100644
index dc6110d..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Invalid state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
deleted file mode 100644
index 6ef1f7a..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: New state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
deleted file mode 100644
index 0e38df4..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Session state
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
deleted file mode 100644
index 2364c31..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Related state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
deleted file mode 100644
index b86e707..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-help: TCP flags to match
-syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
-"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
-When specifying more than one flag, flags should be comma-separated.
-For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
-the SYN flag set, and the ACK, FIN and RST flags unset"
-
-comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
-When specifying more than one flag, flags should be comma-separated.
-For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
-the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
deleted file mode 100644
index 66bc295..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: TCP flags to match
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
deleted file mode 100644
index 14c1d5c..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Monthdays to match rule on
-syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
-"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
-For negation, add ! in front eg. !2,12,21"
-
-comp_help: Format for monthdays - 2,12,21
-To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
deleted file mode 100644
index 238acd2..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Time to match rule
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
deleted file mode 100644
index 46f9eb9..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Date to start matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
-"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
-of date with startdate, append 'T' to date followed by time in 24 hour notation
-hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
-21st January 2009 with time 13:30:00"
-
-comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
-'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
-value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
deleted file mode 100644
index ab69c45..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: txt
-help: Time of day to start matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
- "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"
-
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
-
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
deleted file mode 100644
index 93fc8b6..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-help: Date to stop matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
-"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
-of date with stopdate, append 'T' to date followed by time in 24 hour notation
-hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
-31st Jan 2009 with time 13:30:00"
-
-comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
-append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
-stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
deleted file mode 100644
index 4a42ca3..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Time of day to stop matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
- "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"
-
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
-
-
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
deleted file mode 100644
index 167f191..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Interpret times for startdate, stopdate, starttime and stoptime to be U$
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
deleted file mode 100644
index dd2649b..0000000
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-type: txt
-help: Weekdays to match rule on
-syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
-"Incorrect value for weekdays. Weekdays should be specified using the first
-three characters of the day with the first character capitalized eg. Mon,Thu,Sat
-For negation, add ! in front eg. !Mon,Thu,Sat"
-
-comp_help: Format for weekdays - Mon,Thu,Sat
-To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index 0eb53f7..3501d9b 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -12,19 +12,19 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
"Firewall rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-name "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ;
then
if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-name ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"
fi
fi
else
exit 1;
fi
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-name
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name"
help: IPv6 firewall rule-set name
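Review bot: The rule-set name is still interpolated into a `sudo` shell command on the new `end:` line (`--update-rules "firewall ipv6-name" "$VAR(@)"`), and the only input filter visible in the hunk context is `pattern $VAR(@) "^[^|;&$<>]*$"`, which does not appear to reject backtick, double quote or backslash — all of which remain active inside the double-quoted `"$VAR(@)"`. Unless a check outside this hunk covers them (the `syntax:expression:` block starts before the hunk, so I cannot confirm), extend that character class to also exclude backtick, `"` and `\`, and add a short comment above the `end:` line such as `# name is shell-interpolated under sudo below; keep it restricted to the syntax checks above`. The new `create:` line passes the same quoted `"firewall ipv6-name"` literal, so both paths share the same exposure and the same fix.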
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
deleted file mode 100644
index 640a89c..0000000
--- a/templates/firewall/modify/node.def
+++ /dev/null
@@ -1,31 +0,0 @@
-tag:
-priority: 210
-
-type: txt
-
-syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
- "Firewall name must be 28 characters or less"
-syntax:expression: pattern $VAR(@) "^[^-]" ; \
- "Firewall rule set name cannot start with \"-\""
-syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
- "Firewall rule set name cannot contain ';'"
-syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
- "Firewall rule set name cannot start with 'VZONE'"
-
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)" ;
- then
- if [ ${COMMIT_ACTION} = 'DELETE' ] ;
- then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok modify ;
- then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown modify
- fi
- fi
- else
- exit 1;
- fi
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
-
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify
-
-help: IPv4 modify rule-set name
diff --git a/templates/firewall/modify/node.tag/default-action/node.def b/templates/firewall/modify/node.tag/default-action/node.def
deleted file mode 100644
index c4e73f6..0000000
--- a/templates/firewall/modify/node.tag/default-action/node.def
+++ /dev/null
@@ -1,11 +0,0 @@
-type: txt
-
-help: Default-action for rule-set
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-action must be either drop or accept"
-
-val_help: drop; Drop if no prior rules are hit (default)
-val_help: accept; Accept if no prior rules are hit
diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def
deleted file mode 100644
index e8e221b..0000000
--- a/templates/firewall/modify/node.tag/description/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-
-help: Rule-set description
diff --git a/templates/firewall/modify/node.tag/enable-default-log/node.def b/templates/firewall/modify/node.tag/enable-default-log/node.def
deleted file mode 100644
index 697719d..0000000
--- a/templates/firewall/modify/node.tag/enable-default-log/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to log packets hitting default-action
diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def
deleted file mode 100644
index 661e943..0000000
--- a/templates/firewall/modify/node.tag/rule/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-tag:
-
-type: u32
-
-help: Rule number (1-9999)
-
-syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "modify rule number must be between 1 and 9999"
-
-val_help: u32:1-9999; Rule number
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
deleted file mode 100644
index 20cf5bb..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-type: txt
-help: Rule action
-syntax:expression: $VAR(@) in "drop", "accept", "modify";
- "action must be one of drop, accept, or modify"
-
-allowed: echo "drop accept modify"
-
-val_help: drop; Rule action to drop
-val_help: accept; Rule action to accept
-val_help: modify; Rule action to modify
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/modify/node.tag/rule/node.tag/description/node.def
deleted file mode 100644
index dd2f535..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Rule description
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def
deleted file mode 100644
index f142aba..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Destination IP address, subnet, or range
-val_help: ipv4; IP address to match
-val_help: ipv4net; Subnet to match
-val_help: ipv4range; IP range to match
-val_help: !ipv4; Match everything except the specified address
-val_help: !ipv4net; Match everything except the specified subnet
-val_help: !ipv4range; Match everything except the specified range
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def
deleted file mode 100644
index 07e791c..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-type: txt
-help: Group of addresses
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=address;"
-
-allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def
deleted file mode 100644
index bf018a0..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of networks
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=network;"
-allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def
deleted file mode 100644
index bb11dae..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Destination group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def
deleted file mode 100644
index 865d2c5..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of ports
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=port;"
-allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def
deleted file mode 100644
index dc227b7..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Destination parameters
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def
deleted file mode 100644
index 3299c9a..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Destination port
-val_help: <port name>; Named port (any name in /etc/services, e.g., http)
-val_help: u32:1-65535; Numbered port
-val_help: range; Numbered port range (e.g., 1001-1005)
-comp_help: Multiple destination ports can be specified as a comma-separated list.
-The whole list can also be "negated" using '!'. For example:
- '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def
deleted file mode 100644
index 70565eb..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Option to disable rule
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def
deleted file mode 100644
index 2f830a1..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Second and further fragments of fragmented packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def
deleted file mode 100644
index 3590869..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Head fragments or unfragmented packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def
deleted file mode 100644
index c3d9f02..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: IP fragment match
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def
deleted file mode 100644
index b102b99..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: u32; "ICMP code must be between 0 and 255"
-help: ICMP code (0-255)
-syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def
deleted file mode 100644
index 33a8e89..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: ICMP type and code information
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def
deleted file mode 100644
index b71c23a..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def
+++ /dev/null
@@ -1,38 +0,0 @@
-type: txt
-help: ICMP type-name
-allowed:
-array=(any echo-reply destination-unreachable network-unreachable
- host-unreachable protocol-unreachable port-unreachable
- fragmentation-needed source-route-failed network-unknown host-unknown
- network-prohibited host-prohibited TOS-network-unreachable
- TOS-host-unreachable communication-prohibited host-precedence-violation
- precedence-cutoff source-quench redirect network-redirect host-redirect
- TOS-network-redirect TOS-host-redirect echo-request router-advertisement
- router-solicitation time-exceeded ttl-zero-during-transit
- ttl-zero-during-reassembly parameter-problem ip-header-bad
- required-option-missing timestamp-request timestamp-reply
- address-mask-request address-mask-reply)
-echo -n ${array[@]}
-
-syntax:expression: exec "
-array=(any echo-reply destination-unreachable network-unreachable
- host-unreachable protocol-unreachable port-unreachable
- fragmentation-needed source-route-failed network-unknown host-unknown
- network-prohibited host-prohibited TOS-network-unreachable
- TOS-host-unreachable communication-prohibited host-precedence-violation
- precedence-cutoff source-quench redirect network-redirect host-redirect
- TOS-network-redirect TOS-host-redirect echo-request router-advertisement
- router-solicitation time-exceeded ttl-zero-during-transit
- ttl-zero-during-reassembly parameter-problem ip-header-bad
- required-option-missing timestamp-request timestamp-reply
- address-mask-request address-mask-reply)
-len=${#array[*]}
-i=0
-while [ $i -lt $len ]; do
- if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
- exit 0
- fi
- let i++
-done
-echo Invalid ICMP type-name [$VAR(@)]
-exit 1 "
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def
deleted file mode 100644
index 9d879e1..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: u32; "ICMP type must be between 0 and 255"
-help: ICMP type (0-255)
-syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
deleted file mode 100644
index 96ada47..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound IPsec packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def
deleted file mode 100644
index 2d717d5..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound non-IPsec packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def
deleted file mode 100644
index 96ada47..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Inbound IPsec packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
deleted file mode 100644
index 9097370..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-type: u32
-default: 1
-help: Maximum number of packets to allow in excess of rate
-syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
deleted file mode 100644
index 75460b1..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Rate limit using a token bucket filter
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
deleted file mode 100644
index cd108f4..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-type: txt
-help: Maximum average matching rate
-syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
-"Invalid value for rate. Rate should be specified as an integer followed by
-a forward slash '/' and either of these time units - second, minute, hour or day
-eg. 1/second implies rule to be matched at an average of once per second"
-
-comp_help:Format for rate : integer/time unit
-any one of second, minute, hour or day may be used to specify time unit
-eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
deleted file mode 100644
index 891cbcf..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt; "firewall logging must be enable or disable"
-help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def
deleted file mode 100644
index 3ed8f0d..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-type: u32
-help: Packet Differentiated Services Codepoint (DSCP)
-syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
- "DSCP must be between 0 and 63"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def
deleted file mode 100644
index 0776b34..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Packet marking
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def
deleted file mode 100644
index c61402f..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Packet modifications
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
deleted file mode 100644
index 7a61966..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
+++ /dev/null
@@ -1,21 +0,0 @@
-type: txt
-help: TCP Maximum Segment Size
-
-syntax:expression:
-exec "
-if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
- if [ $VAR(@) == \"pmtu\" ]; then \
- exit 0; \
- fi; \
-else \
- if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
- ( $VAR(@) -ge \"500\" ) && \
- ( $VAR(@) -le \"1460\" ) ]]; then \
- exit 0; \
- fi; \
-fi; \
-echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
-exit 1"
-
-val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 40 bytes
-val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def
deleted file mode 100644
index bd61a90..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def
deleted file mode 100644
index 8e9f704..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: AppleJuice application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
deleted file mode 100644
index 1a56963..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: BitTorrent application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def
deleted file mode 100644
index eb84108..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Direct Connect application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def
deleted file mode 100644
index 255e618..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: eDonkey/eMule application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def
deleted file mode 100644
index f21b60b..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Gnutella application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def
deleted file mode 100644
index 44c3156..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: KaZaA application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def
deleted file mode 100644
index 5959d3d..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: P2P application packets
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
deleted file mode 100644
index c456f95..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
+++ /dev/null
@@ -1,21 +0,0 @@
-type: txt
-help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
-
-val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
-val_help: u32:0-255; IP protocol number
-val_help: tcp_udp; Both TCP and UDP
-val_help: all; All IP protocols
-val_help: !<protocol>; All IP protocols except for the specified name or number
-
-syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \
- && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
- echo invalid protocol \"$VAR(@)\" ; \
- exit 1 ; \
- fi ; "
-
-# Provide some help for command completion. Doesn't return negated
-# values or protocol numbers
-allowed:
- protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
- protos="all $protos tcp_udp"
- echo -n $protos
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
deleted file mode 100644
index defd974..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-type: u32
-help: Source addresses seen more than N times
-syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
-val_help: u32:1-255; Source addresses seen more than N times
-
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def
deleted file mode 100644
index 3acc871..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Parameters for matching recently seen sources
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def
deleted file mode 100644
index 9c49ed8..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: u32
-help: Source addresses seen in the last N seconds
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def
deleted file mode 100644
index 72d6a17..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Source IP address, subnet, or range
-val_help: ipv4; IP address to match
-val_help: ipv4net; Subnet to match
-val_help: ipv4range; IP range to match
-val_help: !ipv4; Match everything except the specified address
-val_help: !ipv4net; Match everything except the specified subnet
-val_help: !ipv4range; Match everything except the specified range
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def
deleted file mode 100644
index 97c748d..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of addresses
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=address;"
-allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def
deleted file mode 100644
index bf018a0..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of networks
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=network;"
-allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def
deleted file mode 100644
index 7b36071..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Source group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def
deleted file mode 100644
index 865d2c5..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Group of ports
-
-commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=check-set-type \
- --set-name=$VAR(@) \
- --set-type=port;"
-allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def
deleted file mode 100644
index 5519871..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Source MAC address
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/node.def
deleted file mode 100644
index 84cdc1f..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Source parameters
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def
deleted file mode 100644
index adfae7a..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Source port
-val_help: <port name>; Named port (any name in /etc/services, e.g., http)
-val_help: u32:1-65535; Numbered port
-val_help: range; Numbered port range (e.g., 1001-1005)
-comp_help: Multiple source ports can be specified as a comma-separated list.
-The whole list can also be "negated" using '!'. For example:
- '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def
deleted file mode 100644
index a4f3120..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Established state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def
deleted file mode 100644
index dc6110d..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Invalid state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def
deleted file mode 100644
index 6ef1f7a..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: New state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/node.def
deleted file mode 100644
index 0e38df4..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Session state
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def
deleted file mode 100644
index 2364c31..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-type: txt
-help: Related state
-syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def
deleted file mode 100644
index b86e707..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-help: TCP flags to match
-syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
-"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
-When specifying more than one flag, flags should be comma-separated.
-For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
-the SYN flag set, and the ACK, FIN and RST flags unset"
-
-comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
-When specifying more than one flag, flags should be comma-separated.
-For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
-the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def
deleted file mode 100644
index 66bc295..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: TCP flags to match
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
deleted file mode 100644
index 14c1d5c..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Monthdays to match rule on
-syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
-"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
-For negation, add ! in front eg. !2,12,21"
-
-comp_help: Format for monthdays - 2,12,21
-To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
deleted file mode 100644
index 238acd2..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Time to match rule
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
deleted file mode 100644
index 25e02e8..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-help: Date to start matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
-"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
-of date with startdate, append 'T' to date followed by time in 24 hour notation
-hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
-21st January 2009 with time 13:30:00"
-
-comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
-'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
-value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
-
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
deleted file mode 100644
index ab69c45..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: txt
-help: Time of day to start matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
- "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"
-
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
-
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
deleted file mode 100644
index 8fdf6e0..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-help: Date to stop matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
-"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
-of date with stopdate, append 'T' to date followed by time in 24 hour notation
-hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
-31st Jan 2009 with time 13:30:00"
-
-comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
-append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
-stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
-
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
deleted file mode 100644
index 4a42ca3..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-type: txt
-help: Time of day to stop matching rule
-syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
- "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"
-
-comp_help: Enter time using using 24 hour notation - hh:mm:ss
-
-
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def
deleted file mode 100644
index 89c17f7..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
deleted file mode 100644
index dd2649b..0000000
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-type: txt
-help: Weekdays to match rule on
-syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
-"Incorrect value for weekdays. Weekdays should be specified using the first
-three characters of the day with the first character capitalized eg. Mon,Thu,Sat
-For negation, add ! in front eg. !Mon,Thu,Sat"
-
-comp_help: Format for weekdays - Mon,Thu,Sat
-To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index e8be1cd..0c3c096 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -12,13 +12,13 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
"Firewall rule set name cannot start with 'VZONE'"
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ;
then
if [ ${COMMIT_ACTION} = 'DELETE' ] ;
then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok name ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"
fi
fi
else
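Review bot: The rewritten line `end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ;` still splices the rule-set name into a shell command string, and the only guard visible is the `syntax:expression` pattern `^[^|;&$<>]*$` at the top of the hunk, which does not reject a backtick or a double quote. If the config backend substitutes `$VAR(@)` textually before bash runs the `end:` script (not visible here), either character can escape the double-quoted argument, so the pattern is worth tightening to something like ``"^[^|;&$<>\"`]*$"`` and applying consistently at every node whose value reaches a shell. The switch from the bare token `name` to the two-word string `"firewall name"` is a new convention that `vyatta-firewall.pl` must receive as a single argv element; a comment above `end:` such as `# "firewall name" is the tree identifier handed to vyatta-firewall.pl as one argument` would keep a later editor from splitting it into two tokens. The same `"firewall name"` change recurs in the following `create:` hunk, whose end lies outside this page, and the `@@ -12,13 +12,13 @@` header counts one more line than is shown here, so the pasted hunk may have lost a line.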
@@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
fi
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "firewall name"
help: IPv4 firewall rule-set name