Diffstat (limited to 'templates/policy/ipv6-route')
47 files changed, 412 insertions, 0 deletions
diff --git a/templates/policy/ipv6-route/node.def b/templates/policy/ipv6-route/node.def
new file mode 100644
index 0000000..08b4f4a
--- /dev/null
+++ b/templates/policy/ipv6-route/node.def
@@ -0,0 +1,30 @@
+tag:
+priority: 210
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
+ "Policy ipv6-route rule set name must be 28 characters or less"
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Policy ipv6-route rule set name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
+ "Policy ipv6-route rule set name cannot contain ';'"
+syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
+ "Policy ipv6-route rule set name cannot start with 'VZONE'"
+
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)" ;
+ then
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ then
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy ipv6-route" ;
+ then
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy ipv6-route"
+ fi
+ fi
+ else
+ exit 1;
+ fi
+
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "policy ipv6-route"
+
+help: IPv6 policy route rule set name
diff --git a/templates/policy/ipv6-route/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/description/node.def
new file mode 100644
index 0000000..ceeca5d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Policy ipv6-route rule set description
diff --git a/templates/policy/ipv6-route/node.tag/enable-default-log/node.def b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
new file mode 100644
index 0000000..697719d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
@@ -0,0 +1 @@
+help: Option to log packets hitting default-action
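Review bot: The name checks on this tag node leave most shell-significant characters allowed: `^[[:print:]]{1,28}$` admits spaces, quotes, `$` and backquotes, and only `;` and a leading `-` are excluded afterwards. The same value is then placed inside double quotes in the `end:` command that runs `vyatta-firewall.pl` under sudo, so if `$VAR(@)` is substituted as text before the shell parses the line, the quoting alone does not contain it. An allowlist would be safer than a denylist here, for example `syntax:expression: pattern $VAR(@) "^[[:alnum:]_][[:alnum:]_.-]{0,27}$"`, provided existing rule set names fit it. `[ ${COMMIT_ACTION} = 'DELETE' ]` should also quote the variable so that an unset value does not become a test syntax error.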
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.def b/templates/policy/ipv6-route/node.tag/rule/node.def
new file mode 100644
index 0000000..d5f8461
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.def
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy ipv6-route rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..10236f7
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Rule action
+
+syntax:expression: $VAR(@) in "drop";
+ "action must be drop"
+
+allowed: echo "drop"
+
+val_help: drop; Rule action to drop
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..90bf88b
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Rule description
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..2ace3b3
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,13 @@
+type: txt
+
+help: Destination IPv6 address, prefix or range
+
+val_help: ipv6; IPv6 address to match
+val_help: ipv6net; IPv6 prefix to match
+val_help: ipv6range; IPv6 range to match
+val_help: !ipv6; Match everything except the specified address
+val_help: !ipv6net; Match everything except the specified prefix
+val_help: !ipv6range; Match everything except the specified range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
+
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..dc227b7
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Destination parameters
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..2b2d8c7
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination port
+
+val_help: <port name>; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple destination ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..70565eb
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Option to disable rule
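Review bot: `$VAR(@)` is passed unquoted in `exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"` on a `type: txt` node with no pattern check ahead of it, so whitespace or shell metacharacters in the value are seen by the shell that launches the validator rather than by the validator. The mac-address node in this same commit quotes the argument (`macaddr_negate '$VAR(@)'`); the unquoted form also appears in source/address, in `param=$VAR(@)` in icmpv6/type and protocol, and in the `[[ $VAR(@) =~ ... ]]` tests in set/tcp-mss. I would add a character-class check before the exec, e.g. `syntax:expression: pattern $VAR(@) "^!?[[:xdigit:]:./-]+$" ; "invalid IPv6 address, prefix or range"`, and pass the argument as `'$VAR(@)'`. Single quotes on their own are not sufficient if substitution is textual, since a value containing `'` would close them, which is why the pattern check should come first.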
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def
new file mode 100644
index 0000000..7032b30
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def
@@ -0,0 +1 @@
+help: ICMPv6 type and code information
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def
new file mode 100644
index 0000000..087c7ab
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def
@@ -0,0 +1,134 @@
+type: txt
+
+help: ICMPv6 type/code
+
+val_help: destination-unreachable; ICMPv6 type/code name
+val_help: _ no-route; ICMPv6 type/code name
+val_help: _ communication-prohibited; ICMPv6 type/code name
+val_help: _ address-unreachable; ICMPv6 type/code name
+val_help: _ port-unreachable; ICMPv6 type/code name
+val_help: packet-too-big; ICMPv6 type/code name
+val_help: time-exceeded; ICMPv6 type/code name
+val_help: _ ttl-zero-during-transit; ICMPv6 type/code name
+val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name
+val_help: parameter-problem; ICMPv6 type/code name
+val_help: _ bad-header; ICMPv6 type/code name
+val_help: _ unknown-header-type; ICMPv6 type/code name
+val_help: _ unknown-option; ICMPv6 type/code name
+val_help: echo-request; ICMPv6 type/code name
+val_help: ping; ICMPv6 type/code name
+val_help: echo-reply; ICMPv6 type/code name
+val_help: pong; ICMPv6 type/code name
+val_help: router-solicitation; ICMPv6 type/code name
+val_help: router-advertisement; ICMPv6 type/code name
+val_help: neighbour-solicitation; ICMPv6 type/code name
+val_help: neighbor-solicitation; ICMPv6 type/code name
+val_help: neighbour-advertisement; ICMPv6 type/code name
+val_help: neighbor-advertisement; ICMPv6 type/code name
+val_help: u32:0-255; ICMPv6 type number
+val_help: <0-255>/<0-255>; ICMPv6 type and code numbers
+
+allowed:
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ echo -n ${array[@]}
+
+syntax:expression: exec "
+ array=(
+ destination-unreachable
+ no-route
+ communication-prohibited
+ address-unreachable
+ port-unreachable
+ packet-too-big
+ time-exceeded
+ ttl-zero-during-transit
+ ttl-zero-during-reassembly
+ parameter-problem
+ bad-header
+ unknown-header-type
+ unknown-option
+ echo-request
+ ping
+ echo-reply
+ pong
+ router-solicitation
+ router-advertisement
+ neighbour-solicitation
+ neighbor-solicitation
+ neighbour-advertisement
+ neighbor-advertisement )
+ len=${#array[*]}
+ i=0
+ while [ $i -lt $len ]; do
+ if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+ done
+
+ param=$VAR(@)
+ codepart=${param##*/}
+ if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then
+ codepart=\"0\"
+ fi
+
+ typepart=${param%%/*}
+ if [ -z \"$typepart\" ]; then
+ echo \"Must specify ICMPv6 type\"
+ exit 1
+ fi
+
+ shopt -s extglob
+
+ leftover=${typepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 type: $typepart\"
+ exit 1
+ fi
+
+ leftover=${codepart##*([0-9])}
+ if [ -n \"$leftover\" ]; then
+ echo \"Invalid ICMPv6 code: $codepart\"
+ exit 1
+ fi
+
+ if [ $typepart -lt 0 -o $typepart -gt 255 ]; then
+ echo \"ICMPv6 type must be between 0 and 255\"
+ exit 1
+ fi
+
+ if [ $codepart -lt 0 -o $codepart -gt 255 ]; then
+ echo \"ICMPv6 code must be between 0 and 255\"
+ exit 1
+ fi
+"
+
+
+
+
+
+
+
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
new file mode 100644
index 0000000..96ada47
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def
@@ -0,0 +1 @@
+help: Inbound IPsec packets
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
new file mode 100644
index 0000000..2d717d5
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def
@@ -0,0 +1 @@
+help: Inbound non-IPsec packets
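Review bot: The numeric branch of the icmpv6/type validator accepts values that are not `type` or `type/code`: `${param##*/}` and `${param%%/*}` take the last and the first slash-separated field, so an input with three fields such as `1/2/3` passes with the middle field never examined, and a trailing slash as in `5/` is silently treated as code 0. A shape check ahead of the range tests would close this, e.g. `[[ \"$param\" =~ ^[0-9]{1,3}(/[0-9]{1,3})?$ ]] || { echo \"Invalid ICMPv6 type/code: $param\"; exit 1; }`. The list of names is also written out twice, once under `allowed:` and once inside the exec script, so the two copies can drift apart. Unlike the protocol node, this exec has no `; "message"` string after it.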
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
new file mode 100644
index 0000000..96ada47
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def
@@ -0,0 +1 @@
+help: Inbound IPsec packets
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
new file mode 100644
index 0000000..9097370
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def
@@ -0,0 +1,4 @@
+type: u32
+default: 1
+help: Maximum number of packets to allow in excess of rate
+syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
new file mode 100644
index 0000000..75460b1
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def
@@ -0,0 +1 @@
+help: Rate limit using a token bucket filter
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
new file mode 100644
index 0000000..cd108f4
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def
@@ -0,0 +1,10 @@
+type: txt
+help: Maximum average matching rate
+syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
+"Invalid value for rate. Rate should be specified as an integer followed by
+a forward slash '/' and either of these time units - second, minute, hour or day
+eg. 1/second implies rule to be matched at an average of once per second"
+
+comp_help:Format for rate : integer/time unit
+any one of second, minute, hour or day may be used to specify time unit
+eg. 1/second implies rule to be matched at an average of once per second
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..891cbcf
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firewall logging must be enable or disable"
+help: Option to log packets matching rule
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..5225eee
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,28 @@
+type: txt
+
+help: IPv6 protocol to match (protocol name, number, or "all")
+
+syntax:expression: exec "
+ param=$VAR(@)
+ if [ \"$param\" = \"icmpv6\" ]; then
+ exit 0
+ fi
+ if [ \"$param\" = \"tcp_udp\" ]; then
+ exit 0
+ fi
+ /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'
+ " ;
+ "invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+ protos="all icmpv6 $protos tcp_udp"
+ echo -n $protos
+
+val_help: txt; IPv6 protocol name from /etc/protocols (e.g. "tcp" or "udp")
+val_help: u32:0-255; IPv6 protocol number
+val_help: tcp_udp; Both TCP and UDP
+val_help: all; All IPv6 protocols
+val_help: !<protocol>; All IPv6 protocols except for the specified name or number
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..69a4ebd
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
+val_help: u32:1-255; Source addresses seen more than N times
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..3acc871
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Parameters for matching recently seen sources
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..9c49ed8
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Source addresses seen in the last N seconds
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
new file mode 100644
index 0000000..3ed8f0d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
new file mode 100644
index 0000000..c8cb1b2
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Packet marking
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647"
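Review bot: The check and its message disagree at the lower bound in set/mark: `$VAR(@) > 0` rejects 0 while the text says "between 0 and 2,147,483,647". set/table has the same kind of mismatch at the upper bound, where `$VAR(@) < 250` rejects 250 but the message says "between 1 and 250". Whichever bounds are intended, the expression and the text should agree, e.g. `"packet mark must be between 1 and 2147483647"` and either `$VAR(@) <= 250` or `"Table must be between 1 and 249"`. Neither node has a `val_help` line, so the accepted range is not shown during completion.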
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
new file mode 100644
index 0000000..c61402f
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
@@ -0,0 +1 @@
+help: Packet modifications
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
new file mode 100644
index 0000000..dbde887
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Routing table to forward packet with
+syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250;
+ "Table must be between 1 and 250"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
new file mode 100644
index 0000000..8d2248e
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
@@ -0,0 +1,21 @@
+type: txt
+help: TCP Maximum Segment Size
+
+syntax:expression:
+exec "
+if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
+ if [ $VAR(@) == \"pmtu\" ]; then \
+ exit 0; \
+ fi; \
+else \
+ if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
+ ( $VAR(@) -ge \"500\" ) && \
+ ( $VAR(@) -le \"1460\" ) ]]; then \
+ exit 0; \
+ fi; \
+fi; \
+echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
+exit 1"
+
+val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes
+val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..2fe8a42
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
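Review bot: The upper bound of 1460 in set/tcp-mss does not match the node's own help text for IPv6: `val_help: pmtu` describes the automatic value as the path MTU minus 60 bytes, which on a 1500-byte path gives 1440, while 1460 corresponds to a 40-byte overhead. If the limit was carried over from an IPv4 template (not visible in this diff), the test, the error text and the `val_help` range should move together, e.g. `( $VAR(@) -le \"1440\" )` and `val_help: 500-1440; Explicitly set TCP MSS value`. Please confirm the intended maximum before changing it.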
@@ -0,0 +1,13 @@
+
+type: txt
+
+help: Source IPv6 address, prefix or range
+
+val_help: ipv6; IPv6 address to match
+val_help: ipv6net; IPv6 prefix to match
+val_help: ipv6range; IPv6 range to match
+val_help: !ipv6; Match everything except the specified address
+val_help: !ipv6net; Match everything except the specified prefix
+val_help: !ipv6range; Match everything except the specified range
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..5519871
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..84cdc1f
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Source parameters
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..adfae7a
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source port
+val_help: <port name>; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple source ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..a4f3120
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..dc6110d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..6ef1f7a
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: New state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..0e38df4
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Session state
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..2364c31
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
new file mode 100644
index 0000000..b86e707
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def
@@ -0,0 +1,12 @@
+type: txt
+help: TCP flags to match
+syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
+"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset"
+
+comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
new file mode 100644
index 0000000..66bc295
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def
@@ -0,0 +1 @@
+help: TCP flags to match
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
new file mode 100644
index 0000000..14c1d5c
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Monthdays to match rule on
+syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
+"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
+For negation, add ! in front eg. !2,12,21"
+
+comp_help: Format for monthdays - 2,12,21
+To negate add ! at the front eg. !2,12,21
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
new file mode 100644
index 0000000..238acd2
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def
@@ -0,0 +1 @@
+help: Time to match rule
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
new file mode 100644
index 0000000..250ed0f
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Date to start matching rule
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
+of date with startdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
+21st January 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def
new file mode 100644
index 0000000..ab69c45
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Time of day to start matching rule
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def
new file mode 100644
index 0000000..93fc8b6
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Date to stop matching rule
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
+of date with stopdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
+31st Jan 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
+append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
+stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def
new file mode 100644
index 0000000..b108175
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Time of day to stop matching rule
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
+
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def
new file mode 100644
index 0000000..167f191
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def
@@ -0,0 +1 @@
+help: Interpret times for startdate, stopdate, starttime and stoptime to be U$
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def
new file mode 100644
index 0000000..dd2649b
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Weekdays to match rule on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat |
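Review bot: The help string in time/utc is cut off: it ends in `to be U$`, which looks like an editor's line-truncation marker saved into the file rather than the intended text. Presumably it should read `help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC`. Separately, the weekdays pattern `[[:upper:]][[:lower:]]\{2\}` accepts any capitalised three-letter token, and the monthdays pattern accepts values such as 00 or 99, so a mistyped day is not caught by these templates. An explicit alternation such as `(Mon|Tue|Wed|Thu|Fri|Sat|Sun)` would reject it when the value is set.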