author | An-Cheng Huang <ancheng@vyatta.com> | 2008-05-09 18:26:22 -0700 |
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-05-09 18:26:22 -0700 |
commit | 648b2b2ac928461c8a83a43e0f455edb96552ddd (patch) | |
tree | 23bae9090956ce3a9ff184829831d6415272be44 /templates | |
parent | bf5ed000329de5cccb9af7a8d46a3c4ef3079486 (diff) | |
download | vyatta-cfg-firewall-648b2b2ac928461c8a83a43e0f455edb96552ddd.tar.gz vyatta-cfg-firewall-648b2b2ac928461c8a83a43e0f455edb96552ddd.zip |
add mangle table support to firewall configuration. initial implementation
allows MARK and DSCP jump targets.
Diffstat (limited to 'templates')
25 files changed, 93 insertions, 0 deletions
diff --git a/templates/firewall/mangle/node.def b/templates/firewall/mangle/node.def
new file mode 100644
index 0000000..491fe71
--- /dev/null
+++ b/templates/firewall/mangle/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\""
+help: Set firewall rule set name
diff --git a/templates/firewall/mangle/node.tag/description/node.def b/templates/firewall/mangle/node.tag/description/node.def
new file mode 100644
index 0000000..678e325
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set firewall description
diff --git a/templates/firewall/mangle/node.tag/rule/node.def b/templates/firewall/mangle/node.tag/rule/node.def
new file mode 100644
index 0000000..010f808
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.def
@@ -0,0 +1,4 @@
+tag:
+type: u32
+help: Set firewall rule number (1-1024)
+syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/action/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..0842019
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,4 @@
+type: txt
+help: Set firewall rule action
+syntax:expression: $VAR(@) in "drop", "reject", "accept", "modify";
+ "action must be one of drop, reject, accept, or modify"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/description/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..9c0c2bb
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set rule description
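Review bot: The rule set name check in templates/firewall/mangle/node.def rejects only a leading `-`; every other character, including whitespace and shell punctuation, passes `pattern $VAR(@) "^[^-]"`. If these names end up as iptables chain names (the mangle/rule layout suggests so, but the backend is not in this diff), iptables additionally limits chain-name length and rejects spaces, so such names would fail only at commit time with a less specific error. A whitelist such as `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_-]+$" ; "Firewall rule set name may contain only letters, digits, '_' and '-'"`, kept alongside the existing leading-dash rule, would report the problem at the point of entry.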
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..e25da77
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Set destination IP address, subnet, or range
+comp_help: Possible completions:
+ <x.x.x.x> IP address to match
+ <x.x.x.x/x> Subnet to match
+ <x.x.x.x>-<x.x.x.x> IP range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified subnet
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/destination/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..500e0bb
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Set firewall destination parameters
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..65170b2
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set destination port
+comp_help: Destination port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/code/node.def
new file mode 100644
index 0000000..71bacfc
--- /dev/null
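Review bot: The destination/address and destination/port templates on this line accept any text: both are `type: txt` with only a `comp_help` block and no `syntax:expression`, while the protocol and mac-address templates in the same commit run a validator on their value. How the backend consumes these values is not in this diff (presumably they become iptables address and port arguments), so a malformed value is caught late, if at all, rather than when the user enters it. A `syntax:expression` here — a `pattern` check matching the forms the comp_help advertises, or a call to the same `/opt/vyatta/sbin/vyatta-validate-type.pl` validator with a suitable type name — would keep rejection in the template. The source/address and source/port hunks on the following lines have the same gap.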
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/code/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP code must be between 0 and 255"
+help: Set ICMP code (0-255)
+syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/node.def
new file mode 100644
index 0000000..dcf9fcc
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/node.def
@@ -0,0 +1 @@
+help: Set rule ICMP type and code information
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/type/node.def
new file mode 100644
index 0000000..6275a64
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/icmp/type/node.def
@@ -0,0 +1,3 @@
+type: u32; "ICMP type must be between 0 and 255"
+help: Set ICMP type (0-255)
+syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/log/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..5023547
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: Set firewall logging
+syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/modify/dscp/node.def
new file mode 100644
index 0000000..b20f58c
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/modify/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Set packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
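Review bot: The log template's user-facing error string is misspelled in both places it appears, on the `type:` line and in the `syntax:expression`: `"firwall logging must be enable or disable"` should read `"firewall logging must be enable or disable"`. This is the text shown when a value is rejected, so it is worth fixing before it ships. A smaller point in the icmp/code and icmp/type hunks on this line: `$VAR(@) >=0` is redundant for a `u32` value, so `$VAR(@) <= 255` alone states the intended bound more clearly.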
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/modify/mark/node.def
new file mode 100644
index 0000000..0830b9b
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/modify/mark/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set packet marking
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/modify/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/modify/node.def
new file mode 100644
index 0000000..f629b92
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/modify/node.def
@@ -0,0 +1 @@
+help: Set packet modifications
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..3a912fb
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all")
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""
+comp_help:Possible completions:
+ <text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
+ <0-255> An IP protocol number
+ all All IP protocols
+ !<protocol> All IP protocols except for the specified name or number (negation)
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..a11b2ba
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/source/address/node.def
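Review bot: In the protocol template's `syntax:expression`, the configured value is substituted by `$VAR(@)` into a single-quoted argument of a shell command (`exec "... protocol_negate '$VAR(@)'"`), so a value containing a `'` terminates that quoting before the validator runs; whether the config backend escapes the value before substitution is not visible in this diff. A template-level character check ahead of the exec, for example `syntax:expression: pattern $VAR(@) "^!?[A-Za-z0-9-]+$" ; "invalid protocol \"$VAR(@)\""`, would reject such values without depending on shell quoting, provided the template language accepts more than one syntax:expression per node; if it does not, the validator should be invoked in a way that does not pass the value through a shell. The mac-address hunk on the next line (`macaddr_negate '$VAR(@)'`) has the same shape.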
@@ -0,0 +1,9 @@
+type: txt
+help: Set source IP address, subnet, or range
+comp_help: Possible completions:
+ <x.x.x.x> IP address to match
+ <x.x.x.x/x> Subnet to match
+ <x.x.x.x>-<x.x.x.x> IP range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified subnet
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..fd10e26
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/source/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..16ab3ad
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set firewall source parameters
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..e65cbfd
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..802e35d
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..ddba99f
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..23854e7
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set new state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/state/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..3b7b383
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Set session state
diff --git a/templates/firewall/mangle/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/mangle/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..acddc3b
--- /dev/null
+++ b/templates/firewall/mangle/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" |