From f3207bc0f15c9b94ed86c117e48c85c398dec8ea Mon Sep 17 00:00:00 2001 
From: Robert Bays Date: Tue, 26 Jun 2012 13:32:41 -0700 Subject: initial checkin for pbr functionality --- templates/firewall/ipv6-modify/node.def | 30 ----- .../ipv6-modify/node.tag/default-action/node.def | 11 -- .../ipv6-modify/node.tag/description/node.def | 3 - .../node.tag/enable-default-log/node.def | 1 - .../firewall/ipv6-modify/node.tag/rule/node.def | 9 -- .../node.tag/rule/node.tag/action/node.def | 12 -- .../node.tag/rule/node.tag/description/node.def | 3 - .../rule/node.tag/destination/address/node.def | 13 -- .../node.tag/rule/node.tag/destination/node.def | 1 - .../rule/node.tag/destination/port/node.def | 10 -- .../node.tag/rule/node.tag/disable/node.def | 1 - .../node.tag/rule/node.tag/icmpv6/node.def | 1 - .../node.tag/rule/node.tag/icmpv6/type/node.def | 134 --------------------- .../rule/node.tag/ipsec/match-ipsec/node.def | 1 - .../rule/node.tag/ipsec/match-none/node.def | 1 - .../node.tag/rule/node.tag/ipsec/node.def | 1 - .../node.tag/rule/node.tag/limit/burst/node.def | 4 - .../node.tag/rule/node.tag/limit/node.def | 1 - .../node.tag/rule/node.tag/limit/rate/node.def | 10 -- .../node.tag/rule/node.tag/log/node.def | 3 - .../node.tag/rule/node.tag/modify/dscp/node.def | 4 - .../node.tag/rule/node.tag/modify/mark/node.def | 2 - .../node.tag/rule/node.tag/modify/node.def | 1 - .../node.tag/rule/node.tag/modify/tcp-mss/node.def | 21 ---- .../node.tag/rule/node.tag/p2p/all/node.def | 1 - .../node.tag/rule/node.tag/p2p/applejuice/node.def | 1 - .../node.tag/rule/node.tag/p2p/bittorrent/node.def | 1 - .../rule/node.tag/p2p/directconnect/node.def | 1 - .../node.tag/rule/node.tag/p2p/edonkey/node.def | 1 - .../node.tag/rule/node.tag/p2p/gnutella/node.def | 1 - .../node.tag/rule/node.tag/p2p/kazaa/node.def | 1 - .../node.tag/rule/node.tag/p2p/node.def | 1 - .../node.tag/rule/node.tag/protocol/node.def | 28 ----- .../node.tag/rule/node.tag/recent/count/node.def | 4 - .../node.tag/rule/node.tag/recent/node.def | 1 - 
.../node.tag/rule/node.tag/recent/time/node.def | 2 - .../node.tag/rule/node.tag/source/address/node.def | 13 -- .../rule/node.tag/source/mac-address/node.def | 3 - .../node.tag/rule/node.tag/source/node.def | 1 - .../node.tag/rule/node.tag/source/port/node.def | 8 -- .../rule/node.tag/state/established/node.def | 3 - .../node.tag/rule/node.tag/state/invalid/node.def | 3 - .../node.tag/rule/node.tag/state/new/node.def | 3 - .../node.tag/rule/node.tag/state/node.def | 1 - .../node.tag/rule/node.tag/state/related/node.def | 3 - .../node.tag/rule/node.tag/tcp/flags/node.def | 12 -- .../node.tag/rule/node.tag/tcp/node.def | 1 - .../node.tag/rule/node.tag/time/monthdays/node.def | 8 -- .../node.tag/rule/node.tag/time/node.def | 1 - .../node.tag/rule/node.tag/time/startdate/node.def | 11 -- .../node.tag/rule/node.tag/time/starttime/node.def | 7 -- .../node.tag/rule/node.tag/time/stopdate/node.def | 11 -- .../node.tag/rule/node.tag/time/stoptime/node.def | 8 -- .../node.tag/rule/node.tag/time/utc/node.def | 1 - .../node.tag/rule/node.tag/time/weekdays/node.def | 9 -- templates/firewall/ipv6-name/node.def | 8 +- templates/firewall/modify/node.def | 31 ----- .../modify/node.tag/default-action/node.def | 11 -- .../firewall/modify/node.tag/description/node.def | 3 - .../modify/node.tag/enable-default-log/node.def | 1 - templates/firewall/modify/node.tag/rule/node.def | 9 -- .../modify/node.tag/rule/node.tag/action/node.def | 10 -- .../node.tag/rule/node.tag/description/node.def | 2 - .../rule/node.tag/destination/address/node.def | 8 -- .../destination/group/address-group/node.def | 9 -- .../destination/group/network-group/node.def | 8 -- .../rule/node.tag/destination/group/node.def | 1 - .../node.tag/destination/group/port-group/node.def | 8 -- .../node.tag/rule/node.tag/destination/node.def | 1 - .../rule/node.tag/destination/port/node.def | 8 -- .../modify/node.tag/rule/node.tag/disable/node.def | 1 - .../rule/node.tag/fragment/match-frag/node.def | 1 - 
.../rule/node.tag/fragment/match-non-frag/node.def | 1 - .../node.tag/rule/node.tag/fragment/node.def | 1 - .../node.tag/rule/node.tag/icmp/code/node.def | 3 - .../modify/node.tag/rule/node.tag/icmp/node.def | 1 - .../node.tag/rule/node.tag/icmp/type-name/node.def | 38 ------ .../node.tag/rule/node.tag/icmp/type/node.def | 3 - .../rule/node.tag/ipsec/match-ipsec/node.def | 1 - .../rule/node.tag/ipsec/match-none/node.def | 1 - .../modify/node.tag/rule/node.tag/ipsec/node.def | 1 - .../node.tag/rule/node.tag/limit/burst/node.def | 4 - .../modify/node.tag/rule/node.tag/limit/node.def | 1 - .../node.tag/rule/node.tag/limit/rate/node.def | 10 -- .../modify/node.tag/rule/node.tag/log/node.def | 3 - .../node.tag/rule/node.tag/modify/dscp/node.def | 4 - .../node.tag/rule/node.tag/modify/mark/node.def | 2 - .../modify/node.tag/rule/node.tag/modify/node.def | 1 - .../node.tag/rule/node.tag/modify/tcp-mss/node.def | 21 ---- .../modify/node.tag/rule/node.tag/p2p/all/node.def | 1 - .../node.tag/rule/node.tag/p2p/applejuice/node.def | 1 - .../node.tag/rule/node.tag/p2p/bittorrent/node.def | 1 - .../rule/node.tag/p2p/directconnect/node.def | 1 - .../node.tag/rule/node.tag/p2p/edonkey/node.def | 1 - .../node.tag/rule/node.tag/p2p/gnutella/node.def | 1 - .../node.tag/rule/node.tag/p2p/kazaa/node.def | 1 - .../modify/node.tag/rule/node.tag/p2p/node.def | 1 - .../node.tag/rule/node.tag/protocol/node.def | 21 ---- .../node.tag/rule/node.tag/recent/count/node.def | 5 - .../modify/node.tag/rule/node.tag/recent/node.def | 1 - .../node.tag/rule/node.tag/recent/time/node.def | 2 - .../node.tag/rule/node.tag/source/address/node.def | 8 -- .../node.tag/source/group/address-group/node.def | 8 -- .../node.tag/source/group/network-group/node.def | 8 -- .../node.tag/rule/node.tag/source/group/node.def | 1 - .../rule/node.tag/source/group/port-group/node.def | 8 -- .../rule/node.tag/source/mac-address/node.def | 3 - .../modify/node.tag/rule/node.tag/source/node.def | 1 - 
.../node.tag/rule/node.tag/source/port/node.def | 8 -- .../rule/node.tag/state/established/node.def | 3 - .../node.tag/rule/node.tag/state/invalid/node.def | 3 - .../node.tag/rule/node.tag/state/new/node.def | 3 - .../modify/node.tag/rule/node.tag/state/node.def | 1 - .../node.tag/rule/node.tag/state/related/node.def | 3 - .../node.tag/rule/node.tag/tcp/flags/node.def | 12 -- .../modify/node.tag/rule/node.tag/tcp/node.def | 1 - .../node.tag/rule/node.tag/time/monthdays/node.def | 8 -- .../modify/node.tag/rule/node.tag/time/node.def | 1 - .../node.tag/rule/node.tag/time/startdate/node.def | 12 -- .../node.tag/rule/node.tag/time/starttime/node.def | 7 -- .../node.tag/rule/node.tag/time/stopdate/node.def | 12 -- .../node.tag/rule/node.tag/time/stoptime/node.def | 8 -- .../node.tag/rule/node.tag/time/utc/node.def | 1 - .../node.tag/rule/node.tag/time/weekdays/node.def | 9 -- templates/firewall/name/node.def | 8 +- templates/policy/ipv6-route/node.def | 30 +++++ .../ipv6-route/node.tag/description/node.def | 3 + .../node.tag/enable-default-log/node.def | 1 + templates/policy/ipv6-route/node.tag/rule/node.def | 9 ++ .../node.tag/rule/node.tag/action/node.def | 10 ++ .../node.tag/rule/node.tag/description/node.def | 3 + .../rule/node.tag/destination/address/node.def | 13 ++ .../node.tag/rule/node.tag/destination/node.def | 1 + .../rule/node.tag/destination/port/node.def | 10 ++ .../node.tag/rule/node.tag/disable/node.def | 1 + .../node.tag/rule/node.tag/icmpv6/node.def | 1 + .../node.tag/rule/node.tag/icmpv6/type/node.def | 134 +++++++++++++++++++++ .../rule/node.tag/ipsec/match-ipsec/node.def | 1 + .../rule/node.tag/ipsec/match-none/node.def | 1 + .../node.tag/rule/node.tag/ipsec/node.def | 1 + .../node.tag/rule/node.tag/limit/burst/node.def | 4 + .../node.tag/rule/node.tag/limit/node.def | 1 + .../node.tag/rule/node.tag/limit/rate/node.def | 10 ++ .../ipv6-route/node.tag/rule/node.tag/log/node.def | 3 + .../node.tag/rule/node.tag/protocol/node.def | 28 +++++ 
.../node.tag/rule/node.tag/recent/count/node.def | 4 + .../node.tag/rule/node.tag/recent/node.def | 1 + .../node.tag/rule/node.tag/recent/time/node.def | 2 + .../node.tag/rule/node.tag/set/dscp/node.def | 4 + .../node.tag/rule/node.tag/set/mark/node.def | 3 + .../ipv6-route/node.tag/rule/node.tag/set/node.def | 1 + .../node.tag/rule/node.tag/set/table/node.def | 4 + .../node.tag/rule/node.tag/set/tcp-mss/node.def | 21 ++++ .../node.tag/rule/node.tag/source/address/node.def | 13 ++ .../rule/node.tag/source/mac-address/node.def | 3 + .../node.tag/rule/node.tag/source/node.def | 1 + .../node.tag/rule/node.tag/source/port/node.def | 8 ++ .../rule/node.tag/state/established/node.def | 3 + .../node.tag/rule/node.tag/state/invalid/node.def | 3 + .../node.tag/rule/node.tag/state/new/node.def | 3 + .../node.tag/rule/node.tag/state/node.def | 1 + .../node.tag/rule/node.tag/state/related/node.def | 3 + .../node.tag/rule/node.tag/tcp/flags/node.def | 12 ++ .../ipv6-route/node.tag/rule/node.tag/tcp/node.def | 1 + .../node.tag/rule/node.tag/time/monthdays/node.def | 8 ++ .../node.tag/rule/node.tag/time/node.def | 1 + .../node.tag/rule/node.tag/time/startdate/node.def | 11 ++ .../node.tag/rule/node.tag/time/starttime/node.def | 7 ++ .../node.tag/rule/node.tag/time/stopdate/node.def | 11 ++ .../node.tag/rule/node.tag/time/stoptime/node.def | 8 ++ .../node.tag/rule/node.tag/time/utc/node.def | 1 + .../node.tag/rule/node.tag/time/weekdays/node.def | 9 ++ templates/policy/route/node.def | 31 +++++ .../policy/route/node.tag/description/node.def | 3 + .../route/node.tag/enable-default-log/node.def | 1 + templates/policy/route/node.tag/rule/node.def | 9 ++ .../route/node.tag/rule/node.tag/action/node.def | 10 ++ .../node.tag/rule/node.tag/description/node.def | 2 + .../rule/node.tag/destination/address/node.def | 8 ++ .../destination/group/address-group/node.def | 9 ++ .../destination/group/network-group/node.def | 8 ++ .../rule/node.tag/destination/group/node.def | 1 + 
.../node.tag/destination/group/port-group/node.def | 8 ++ .../node.tag/rule/node.tag/destination/node.def | 1 + .../rule/node.tag/destination/port/node.def | 8 ++ .../route/node.tag/rule/node.tag/disable/node.def | 1 + .../rule/node.tag/fragment/match-frag/node.def | 1 + .../rule/node.tag/fragment/match-non-frag/node.def | 1 + .../route/node.tag/rule/node.tag/fragment/node.def | 1 + .../node.tag/rule/node.tag/icmp/code/node.def | 3 + .../route/node.tag/rule/node.tag/icmp/node.def | 1 + .../node.tag/rule/node.tag/icmp/type-name/node.def | 38 ++++++ .../node.tag/rule/node.tag/icmp/type/node.def | 3 + .../rule/node.tag/ipsec/match-ipsec/node.def | 1 + .../rule/node.tag/ipsec/match-none/node.def | 1 + .../route/node.tag/rule/node.tag/ipsec/node.def | 1 + .../node.tag/rule/node.tag/limit/burst/node.def | 4 + .../route/node.tag/rule/node.tag/limit/node.def | 1 + .../node.tag/rule/node.tag/limit/rate/node.def | 10 ++ .../route/node.tag/rule/node.tag/log/node.def | 3 + .../route/node.tag/rule/node.tag/protocol/node.def | 22 ++++ .../node.tag/rule/node.tag/recent/count/node.def | 5 + .../route/node.tag/rule/node.tag/recent/node.def | 1 + .../node.tag/rule/node.tag/recent/time/node.def | 2 + .../route/node.tag/rule/node.tag/set/dscp/node.def | 4 + .../route/node.tag/rule/node.tag/set/mark/node.def | 3 + .../route/node.tag/rule/node.tag/set/node.def | 1 + .../node.tag/rule/node.tag/set/table/node.def | 4 + .../node.tag/rule/node.tag/set/tcp-mss/node.def | 21 ++++ .../node.tag/rule/node.tag/source/address/node.def | 8 ++ .../node.tag/source/group/address-group/node.def | 8 ++ .../node.tag/source/group/network-group/node.def | 8 ++ .../node.tag/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 ++ .../rule/node.tag/source/mac-address/node.def | 3 + .../route/node.tag/rule/node.tag/source/node.def | 1 + .../node.tag/rule/node.tag/source/port/node.def | 8 ++ .../rule/node.tag/state/established/node.def | 3 + 
.../node.tag/rule/node.tag/state/invalid/node.def | 3 + .../node.tag/rule/node.tag/state/new/node.def | 3 + .../route/node.tag/rule/node.tag/state/node.def | 1 + .../node.tag/rule/node.tag/state/related/node.def | 3 + .../node.tag/rule/node.tag/tcp/flags/node.def | 12 ++ .../route/node.tag/rule/node.tag/tcp/node.def | 1 + .../node.tag/rule/node.tag/time/monthdays/node.def | 8 ++ .../route/node.tag/rule/node.tag/time/node.def | 1 + .../node.tag/rule/node.tag/time/startdate/node.def | 12 ++ .../node.tag/rule/node.tag/time/starttime/node.def | 7 ++ .../node.tag/rule/node.tag/time/stopdate/node.def | 12 ++ .../node.tag/rule/node.tag/time/stoptime/node.def | 8 ++ .../route/node.tag/rule/node.tag/time/utc/node.def | 1 + .../node.tag/rule/node.tag/time/weekdays/node.def | 9 ++ 232 files changed, 781 insertions(+), 810 deletions(-) delete mode 100644 templates/firewall/ipv6-modify/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/default-action/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/description/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def delete mode 100644 
templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def delete mode 100644 
templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def delete mode 100644 templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def delete mode 100644 
templates/firewall/modify/node.def delete mode 100644 templates/firewall/modify/node.tag/default-action/node.def delete mode 100644 templates/firewall/modify/node.tag/description/node.def delete mode 100644 templates/firewall/modify/node.tag/enable-default-log/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/action/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/description/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/disable/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def delete mode 100644 
templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/limit/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/log/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/modify/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/recent/node.def delete mode 100644 
templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/state/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def delete mode 
100644 templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def delete mode 100644 templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def create mode 100644 templates/policy/ipv6-route/node.def create mode 100644 templates/policy/ipv6-route/node.tag/description/node.def create mode 100644 templates/policy/ipv6-route/node.tag/enable-default-log/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def create mode 
100644 templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def create mode 100644 
templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def create mode 100644 templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def create mode 100644 templates/policy/route/node.def create mode 100644 templates/policy/route/node.tag/description/node.def create mode 100644 templates/policy/route/node.tag/enable-default-log/node.def create mode 100644 templates/policy/route/node.tag/rule/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/action/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/description/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/address/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/destination/port/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/disable/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/fragment/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/icmp/node.def create mode 100644 
templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/ipsec/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/limit/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/log/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/protocol/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/recent/count/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/recent/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/recent/time/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/set/mark/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/set/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/set/table/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/address/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/group/node.def create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def create mode 100644 
templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/source/port/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/state/established/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/state/new/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/state/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/state/related/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/tcp/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/utc/node.def
create mode 100644 templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def
(limited to 'templates')
diff --git a/templates/firewall/ipv6-modify/node.def b/templates/firewall/ipv6-modify/node.def
deleted file mode 100644
index 035ddd1..0000000
--- a/templates/firewall/ipv6-modify/node.def
+++ /dev/null
@@ -1,30 +0,0 @@ -tag: -priority: 210 - -type: txt - -syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ - "Firewall name must be 28 characters or less" -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall rule set name cannot start with \"-\"" -syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ - "Firewall rule set name cannot contain ';'" -syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ - "Firewall rule set name cannot start with 'VZONE'" - -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-modify "$VAR(@)" ; - then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; - then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-modify ; - then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-modify - fi - fi - else - exit 1; - fi - -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-modify - -help: IPv6 modify rule-set name diff --git a/templates/firewall/ipv6-modify/node.tag/default-action/node.def b/templates/firewall/ipv6-modify/node.tag/default-action/node.def deleted file mode 100644 index c4e73f6..0000000 --- a/templates/firewall/ipv6-modify/node.tag/default-action/node.def +++ /dev/null @@ -1,11 +0,0 @@ -type: txt - -help: Default-action for rule-set - -default: "drop" - -syntax:expression: $VAR(@) in "drop", "accept"; - "default-action must be either drop or accept" - -val_help: drop; Drop if no prior rules are hit (default) -val_help: accept; Accept if no prior rules are hit diff --git a/templates/firewall/ipv6-modify/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/description/node.def deleted file mode 100644 index e8e221b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/description/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt - -help: Rule-set description diff --git a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def b/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def deleted file mode 100644 index e540d3f..0000000 
--- a/templates/firewall/ipv6-modify/node.tag/enable-default-log/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to log packets hitting default-action diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.def deleted file mode 100644 index c31dfbd..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.def +++ /dev/null @@ -1,9 +0,0 @@ -tag: - -type: u32 - -help: Rule number (1-9999) - -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999" - -val_help: u32:1-9999; Rule number diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def deleted file mode 100644 index 59b404a..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/action/node.def +++ /dev/null @@ -1,12 +0,0 @@ -type: txt - -help: Rule action - -syntax:expression: $VAR(@) in "drop", "accept", "modify"; - "action must be one of drop, accept, or modify" - -allowed: echo "drop accept modify" - -val_help: drop; Rule action to drop -val_help: accept; Rule action to accept -val_help: modify; Rule action to modify diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def deleted file mode 100644 index 90bf88b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/description/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt - -help: Rule description diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def deleted file mode 100644 index 2ace3b3..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def +++ /dev/null 
@@ -1,13 +0,0 @@ -type: txt - -help: Destination IPv6 address, prefix or range - -val_help: ipv6; IPv6 address to match -val_help: ipv6net; IPv6 prefix to match -val_help: ipv6range; IPv6 range to match -val_help: !ipv6; Match everything except the specified address -val_help: !ipv6net; Match everything except the specified prefix -val_help: !ipv6range; Match everything except the specified range - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" - diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def deleted file mode 100644 index dc227b7..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Destination parameters diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def deleted file mode 100644 index 2b2d8c7..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/port/node.def +++ /dev/null @@ -1,10 +0,0 @@ -type: txt - -help: Destination port - -val_help: ; Named port (any name in /etc/services, e.g., http) -val_help: u32:1-65535; Numbered port -val_help: range; Numbered port range (e.g., 1001-1005) -comp_help: Multiple destination ports can be specified as a comma-separated list. -The whole list can also be "negated" using '!'. For example: - '!22,telnet,http,123,1001-1005' diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def deleted file mode 100644 index 70565eb..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/disable/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to disable rule 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def deleted file mode 100644 index 7032b30..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/node.def +++ /dev/null @@ -1 +0,0 @@ -help: ICMPv6 type and code information diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def deleted file mode 100644 index d11da4e..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/icmpv6/type/node.def +++ /dev/null 
@@ -1,134 +0,0 @@ -type: txt - -help: ICMPv6 type/code - -val_help: destination-unreachable; ICMPv6 type/code name -val_help: _ no-route; ICMPv6 type/code name -val_help: _ communication-prohibited; ICMPv6 type/code name -val_help: _ address-unreachable; ICMPv6 type/code name -val_help: _ port-unreachable; ICMPv6 type/code name -val_help: packet-too-big; ICMPv6 type/code name -val_help: time-exceeded; ICMPv6 type/code name -val_help: _ ttl-zero-during-transit; ICMPv6 type/code name -val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name -val_help: parameter-problem; ICMPv6 type/code name -val_help: _ bad-header; ICMPv6 type/code name -val_help: _ unknown-header-type; ICMPv6 type/code name -val_help: _ unknown-option; ICMPv6 type/code name -val_help: echo-request; ICMPv6 type/code name -val_help: ping; ICMPv6 type/code name -val_help: echo-reply; ICMPv6 type/code name -val_help: pong; ICMPv6 type/code name -val_help: router-solicitation; ICMPv6 type/code name -val_help: router-advertisement; ICMPv6 type/code name -val_help: neighbour-solicitation; ICMPv6 type/code name -val_help: neighbor-solicitation; ICMPv6 type/code name -val_help: neighbour-advertisement; ICMPv6 type/code name -val_help: neighbor-advertisement; ICMPv6 type/code name -val_help: u32:0-255; ICMPv6 type number -val_help: <0-255>/<0-255>; ICMPv6 type and code numbers - -allowed: - array=( - destination-unreachable - no-route - communication-prohibited - address-unreachable - port-unreachable - packet-too-big - time-exceeded - ttl-zero-during-transit - ttl-zero-during-reassembly - parameter-problem - bad-header - unknown-header-type - unknown-option - echo-request - ping - echo-reply - pong - router-solicitation - router-advertisement - neighbour-solicitation - neighbor-solicitation - neighbour-advertisement - neighbor-advertisement ) - echo -n ${array[@]} - -syntax:expression: exec " - array=( - destination-unreachable - no-route - communication-prohibited - address-unreachable - 
port-unreachable - packet-too-big - time-exceeded - ttl-zero-during-transit - ttl-zero-during-reassembly - parameter-problem - bad-header - unknown-header-type - unknown-option - echo-request - ping - echo-reply - pong - router-solicitation - router-advertisement - neighbour-solicitation - neighbor-solicitation - neighbour-advertisement - neighbor-advertisement ) - len=${#array[*]} - i=0 - while [ $i -lt $len ]; do - if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then - exit 0 - fi - let i++ - done - - param=$VAR(@) - codepart=${param##*/} - if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then - codepart=\"0\" - fi - - typepart=${param%%/*} - if [ -z \"$typepart\" ]; then - echo \"Must specify ICMPv6 type\" - exit 1 - fi - - shopt -s extglob - - leftover=${typepart##*([0-9])} - if [ -n \"$leftover\" ]; then - echo \"Invalid ICMPv6 type: $typepart\" - exit 1 - fi - - leftover=${codepart##*([0-9])} - if [ -n \"$leftover\" ]; then - echo \"Invalid ICMPv6 code: $codepart\" - exit 1 - fi - - if [ $typepart -lt 0 -o $typepart -gt 255 ]; then - echo \"ICMPv6 type must be between 0 and 255\" - exit 1 - fi - - if [ $codepart -lt 0 -o $codepart -gt 255 ]; then - echo \"ICMPv6 code must be between 0 and 255\" - exit 1 - fi -" - - - - - - - diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def deleted file mode 100644 index 96ada47..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound IPsec packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def deleted file mode 100644 index 2d717d5..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/match-none/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound non-IPsec packets 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def deleted file mode 100644 index 96ada47..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/ipsec/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound IPsec packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def deleted file mode 100644 index 9097370..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/burst/node.def +++ /dev/null @@ -1,4 +0,0 @@ -type: u32 -default: 1 -help: Maximum number of packets to allow in excess of rate -syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def deleted file mode 100644 index 75460b1..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Rate limit using a token bucket filter diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def deleted file mode 100644 index cd108f4..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/limit/rate/node.def +++ /dev/null 
@@ -1,10 +0,0 @@ -type: txt -help: Maximum average matching rate -syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ -"Invalid value for rate. Rate should be specified as an integer followed by -a forward slash '/' and either of these time units - second, minute, hour or day -eg. 1/second implies rule to be matched at an average of once per second" - -comp_help:Format for rate : integer/time unit -any one of second, minute, hour or day may be used to specify time unit -eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def deleted file mode 100644 index 891cbcf..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt; "firewall logging must be enable or disable" -help: Option to log packets matching rule -syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def deleted file mode 100644 index 3ed8f0d..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/dscp/node.def +++ /dev/null @@ -1,4 +0,0 @@ -type: u32 -help: Packet Differentiated Services Codepoint (DSCP) -syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; - "DSCP must be between 0 and 63" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def deleted file mode 100644 index 0776b34..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/mark/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Packet marking 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def deleted file mode 100644 index c61402f..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Packet modifications diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def deleted file mode 100644 index 8d2248e..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def +++ /dev/null @@ -1,21 +0,0 @@ -type: txt -help: TCP Maximum Segment Size - -syntax:expression: -exec " -if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \ - if [ $VAR(@) == \"pmtu\" ]; then \ - exit 0; \ - fi; \ -else \ - if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \ - ( $VAR(@) -ge \"500\" ) && \ - ( $VAR(@) -le \"1460\" ) ]]; then \ - exit 0; \ - fi; \ -fi; \ -echo Value must be \\'pmtu\\' or a number between 500 and 1460; \ -exit 1" - -val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes -val_help: 500-1460; Explicitly set TCP MSS value diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def deleted file mode 100644 index bd61a90..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/all/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def deleted file mode 100644 index 8e9f704..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/applejuice/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice application packets 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def deleted file mode 100644 index 1a56963..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/bittorrent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: BitTorrent application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def deleted file mode 100644 index eb84108..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/directconnect/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Direct Connect application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def deleted file mode 100644 index 255e618..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/edonkey/node.def +++ /dev/null @@ -1 +0,0 @@ -help: eDonkey/eMule application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def deleted file mode 100644 index f21b60b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/gnutella/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Gnutella application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def deleted file mode 100644 index 44c3156..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/kazaa/node.def +++ /dev/null @@ -1 +0,0 @@ -help: KaZaA application packets 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def deleted file mode 100644 index 5959d3d..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/p2p/node.def +++ /dev/null @@ -1 +0,0 @@ -help: P2P application packets diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def deleted file mode 100644 index 5225eee..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def +++ /dev/null @@ -1,28 +0,0 @@ -type: txt - -help: IPv6 protocol to match (protocol name, number, or "all") - -syntax:expression: exec " - param=$VAR(@) - if [ \"$param\" = \"icmpv6\" ]; then - exit 0 - fi - if [ \"$param\" = \"tcp_udp\" ]; then - exit 0 - fi - /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' - " ; - "invalid protocol \"$VAR(@)\"" - -# Provide some help for command completion. Doesn't return negated -# values or protocol numbers -allowed: - protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` - protos="all icmpv6 $protos tcp_udp" - echo -n $protos - -val_help: txt; IPv6 protocol name from /etc/protocols (e.g. "tcp" or "udp") -val_help: u32:0-255; IPv6 protocol number -val_help: tcp_udp; Both TCP and UDP -val_help: all; All IPv6 protocols -val_help: !; All IPv6 protocols except for the specified name or number diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def deleted file mode 100644 index 69a4ebd..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def +++ /dev/null 
@@ -1,4 +0,0 @@ -type: u32 -help: Source addresses seen more than N times -syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" -val_help: u32:1-255; Source addresses seen more than N times diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def deleted file mode 100644 index 3acc871..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Parameters for matching recently seen sources diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def deleted file mode 100644 index 9c49ed8..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/time/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Source addresses seen in the last N seconds diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def deleted file mode 100644 index 2fe8a42..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def +++ /dev/null @@ -1,13 +0,0 @@ - -type: txt - -help: Source IPv6 address, prefix or range - -val_help: ipv6; IPv6 address to match -val_help: ipv6net; IPv6 prefix to match -val_help: ipv6range; IPv6 range to match -val_help: !ipv6; Match everything except the specified address -val_help: !ipv6net; Match everything except the specified prefix -val_help: !ipv6range; Match everything except the specified range - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def deleted file mode 100644 index 5519871..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def deleted file mode 100644 index 84cdc1f..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Source parameters diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def deleted file mode 100644 index adfae7a..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/port/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Source port -val_help: ; Named port (any name in /etc/services, e.g., http) -val_help: u32:1-65535; Numbered port -val_help: range; Numbered port range (e.g., 1001-1005) -comp_help: Multiple source ports can be specified as a comma-separated list. -The whole list can also be "negated" using '!'. For example: - '!22,telnet,http,123,1001-1005' diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def deleted file mode 100644 index a4f3120..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/established/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Established state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def deleted file mode 100644 index dc6110d..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/invalid/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Invalid state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def deleted file mode 100644 index 6ef1f7a..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/new/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: New state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def deleted file mode 100644 index 0e38df4..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Session state diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def deleted file mode 100644 index 2364c31..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/state/related/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Related state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def deleted file mode 100644 index b86e707..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/flags/node.def +++ /dev/null 
@@ -1,12 +0,0 @@ -type: txt -help: TCP flags to match -syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ -"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with -the SYN flag set, and the ACK, FIN and RST flags unset" - -comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with -the SYN flag set, and the ACK, FIN and RST flags unset diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def deleted file mode 100644 index 66bc295..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/tcp/node.def +++ /dev/null @@ -1 +0,0 @@ -help: TCP flags to match diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def deleted file mode 100644 index 14c1d5c..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/monthdays/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Monthdays to match rule on -syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ -"Incorrect value for monthdays. Monthdays should be specified as 2,12,21 -For negation, add ! in front eg. !2,12,21" - -comp_help: Format for monthdays - 2,12,21 -To negate add ! at the front eg. !2,12,21 diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def deleted file mode 100644 index 238acd2..0000000 
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Time to match rule diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def deleted file mode 100644 index 46f9eb9..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/startdate/node.def +++ /dev/null @@ -1,11 +0,0 @@ -type: txt -help: Date to start matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ -"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time -of date with startdate, append 'T' to date followed by time in 24 hour notation -hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to -21st January 2009 with time 13:30:00" - -comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def deleted file mode 100644 index ab69c45..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/starttime/node.def +++ /dev/null @@ -1,7 +0,0 @@ -type: txt -help: Time of day to start matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ - "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss" - -comp_help: Enter time using using 24 hour notation - hh:mm:ss - 
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def deleted file mode 100644 index 93fc8b6..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stopdate/node.def +++ /dev/null @@ -1,11 +0,0 @@ -type: txt -help: Date to stop matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ -"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time -of date with stopdate, append 'T' to date followed by time in 24 hour notation -hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to -31st Jan 2009 with time 13:30:00" - -comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, -append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg -stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def deleted file mode 100644 index 4a42ca3..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/stoptime/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Time of day to stop matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ - "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" - -comp_help: Enter time using using 24 hour notation - hh:mm:ss - - diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def deleted file mode 100644 index 167f191..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/utc/node.def +++ /dev/null 
@@ -1 +0,0 @@ -help: Interpret times for startdate, stopdate, starttime and stoptime to be U$ diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def deleted file mode 100644 index dd2649b..0000000 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/time/weekdays/node.def +++ /dev/null @@ -1,9 +0,0 @@ -type: txt -help: Weekdays to match rule on -syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ -"Incorrect value for weekdays. Weekdays should be specified using the first -three characters of the day with the first character capitalized eg. Mon,Thu,Sat -For negation, add ! in front eg. !Mon,Thu,Sat" - -comp_help: Format for weekdays - Mon,Thu,Sat -To negate add ! at the front eg. !Mon,Thu,Sat diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def index 0eb53f7..3501d9b 100644 --- a/templates/firewall/ipv6-name/node.def +++ b/templates/firewall/ipv6-name/node.def 
@@ -12,19 +12,19 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ "Firewall rule set name cannot start with 'VZONE'" -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules ipv6-name "$VAR(@)" ; +end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then if [ ${COMMIT_ACTION} = 'DELETE' ] ; then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok ipv6-name ; + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown ipv6-name + sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name" fi fi else exit 1; fi -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables ipv6-name +create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" help: IPv6 firewall rule-set name diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def deleted file mode 100644 index 640a89c..0000000 --- a/templates/firewall/modify/node.def +++ /dev/null 
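Review bot: The `end:` and `create:` calls now pass the rule-set tree as a single space-containing argument, `"firewall ipv6-name"`, but nothing in the template records that vyatta-firewall.pl is expected to split that string back into config-path components; the script itself is outside this diff (limited to templates), so the contract cannot be confirmed here. The double quotes are what keep it one argv element, and the rule-set name stays separately quoted as `"$VAR(@)"`, which is the right shape as long as the script consumes both through argv rather than re-interpolating them into a shell string. A one-line comment above the `end:` block would make the dependency explicit, e.g. `# vyatta-firewall.pl takes the config path ("firewall ipv6-name") as one argument and the rule-set name as the next`. The same argument change appears on the `--teardown-ok`, `--teardown` and `--setup` lines of this hunk.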
@@ -1,31 +0,0 @@ -tag: -priority: 210 - -type: txt - -syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ - "Firewall name must be 28 characters or less" -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall rule set name cannot start with \"-\"" -syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ - "Firewall rule set name cannot contain ';'" -syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ - "Firewall rule set name cannot start with 'VZONE'" - -end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)" ; - then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; - then - if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok modify ; - then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown modify - fi - fi - else - exit 1; - fi - sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets - -create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify - -help: IPv4 modify rule-set name diff --git a/templates/firewall/modify/node.tag/default-action/node.def b/templates/firewall/modify/node.tag/default-action/node.def deleted file mode 100644 index c4e73f6..0000000 --- a/templates/firewall/modify/node.tag/default-action/node.def +++ /dev/null @@ -1,11 +0,0 @@ -type: txt - -help: Default-action for rule-set - -default: "drop" - -syntax:expression: $VAR(@) in "drop", "accept"; - "default-action must be either drop or accept" - -val_help: drop; Drop if no prior rules are hit (default) -val_help: accept; Accept if no prior rules are hit diff --git a/templates/firewall/modify/node.tag/description/node.def b/templates/firewall/modify/node.tag/description/node.def deleted file mode 100644 index e8e221b..0000000 --- a/templates/firewall/modify/node.tag/description/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt - -help: Rule-set description 
diff --git a/templates/firewall/modify/node.tag/enable-default-log/node.def b/templates/firewall/modify/node.tag/enable-default-log/node.def deleted file mode 100644 index 697719d..0000000 --- a/templates/firewall/modify/node.tag/enable-default-log/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to log packets hitting default-action diff --git a/templates/firewall/modify/node.tag/rule/node.def b/templates/firewall/modify/node.tag/rule/node.def deleted file mode 100644 index 661e943..0000000 --- a/templates/firewall/modify/node.tag/rule/node.def +++ /dev/null @@ -1,9 +0,0 @@ -tag: - -type: u32 - -help: Rule number (1-9999) - -syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "modify rule number must be between 1 and 9999" - -val_help: u32:1-9999; Rule number diff --git a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def b/templates/firewall/modify/node.tag/rule/node.tag/action/node.def deleted file mode 100644 index 20cf5bb..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/action/node.def +++ /dev/null @@ -1,10 +0,0 @@ -type: txt -help: Rule action -syntax:expression: $VAR(@) in "drop", "accept", "modify"; - "action must be one of drop, accept, or modify" - -allowed: echo "drop accept modify" - -val_help: drop; Rule action to drop -val_help: accept; Rule action to accept -val_help: modify; Rule action to modify diff --git a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def b/templates/firewall/modify/node.tag/rule/node.tag/description/node.def deleted file mode 100644 index dd2f535..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/description/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Rule description diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def deleted file mode 100644 index f142aba..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/address/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Destination IP address, subnet, or range -val_help: ipv4; IP address to match -val_help: ipv4net; Subnet to match -val_help: ipv4range; IP range to match -val_help: !ipv4; Match everything except the specified address -val_help: !ipv4net; Match everything except the specified subnet -val_help: !ipv4range; Match everything except the specified range diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def deleted file mode 100644 index 07e791c..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/address-group/node.def +++ /dev/null @@ -1,9 +0,0 @@ -type: txt -help: Group of addresses - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=address;" - -allowed: cli-shell-api listActiveNodes firewall group address-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def deleted file mode 100644 index bf018a0..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/network-group/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Group of networks - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def deleted file mode 100644 index bb11dae..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Destination group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def deleted file mode 100644 index 865d2c5..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/group/port-group/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Group of ports - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def deleted file mode 100644 index dc227b7..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Destination parameters diff --git a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def deleted file mode 100644 index 3299c9a..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/destination/port/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Destination port -val_help: ; Named port (any name in /etc/services, e.g., http) -val_help: u32:1-65535; Numbered port -val_help: range; Numbered port range (e.g., 1001-1005) -comp_help: Multiple destination ports can be specified as a comma-separated list. -The whole list can also be "negated" using '!'. For example: - '!22,telnet,http,123,1001-1005' diff --git a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def b/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def deleted file mode 100644 index 70565eb..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/disable/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Option to disable rule diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def deleted file mode 100644 index 2f830a1..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-frag/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Second and further fragments of fragmented packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def deleted file mode 100644 index 3590869..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/match-non-frag/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Head fragments or unfragmented packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def deleted file mode 100644 index c3d9f02..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/fragment/node.def +++ /dev/null @@ -1 +0,0 @@ -help: IP fragment match diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def deleted file mode 100644 index b102b99..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/code/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: u32; "ICMP code must be between 0 and 255" -help: ICMP code (0-255) -syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def deleted file mode 100644 index 33a8e89..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/node.def +++ /dev/null 
@@ -1 +0,0 @@ -help: ICMP type and code information diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def deleted file mode 100644 index b71c23a..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type-name/node.def +++ /dev/null 
@@ -1,38 +0,0 @@ -type: txt -help: ICMP type-name -allowed: -array=(any echo-reply destination-unreachable network-unreachable - host-unreachable protocol-unreachable port-unreachable - fragmentation-needed source-route-failed network-unknown host-unknown - network-prohibited host-prohibited TOS-network-unreachable - TOS-host-unreachable communication-prohibited host-precedence-violation - precedence-cutoff source-quench redirect network-redirect host-redirect - TOS-network-redirect TOS-host-redirect echo-request router-advertisement - router-solicitation time-exceeded ttl-zero-during-transit - ttl-zero-during-reassembly parameter-problem ip-header-bad - required-option-missing timestamp-request timestamp-reply - address-mask-request address-mask-reply) -echo -n ${array[@]} - -syntax:expression: exec " -array=(any echo-reply destination-unreachable network-unreachable - host-unreachable protocol-unreachable port-unreachable - fragmentation-needed source-route-failed network-unknown host-unknown - network-prohibited host-prohibited TOS-network-unreachable - TOS-host-unreachable communication-prohibited host-precedence-violation - precedence-cutoff source-quench redirect network-redirect host-redirect - TOS-network-redirect TOS-host-redirect echo-request router-advertisement - router-solicitation time-exceeded ttl-zero-during-transit - ttl-zero-during-reassembly parameter-problem ip-header-bad - required-option-missing timestamp-request timestamp-reply - address-mask-request address-mask-reply) -len=${#array[*]} -i=0 -while [ $i -lt $len ]; do - if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then - exit 0 - fi - let i++ -done -echo Invalid ICMP type-name [$VAR(@)] -exit 1 " diff --git a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def deleted file mode 100644 index 9d879e1..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/icmp/type/node.def +++ /dev/null 
@@ -1,3 +0,0 @@ -type: u32; "ICMP type must be between 0 and 255" -help: ICMP type (0-255) -syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def deleted file mode 100644 index 96ada47..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-ipsec/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound IPsec packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def deleted file mode 100644 index 2d717d5..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/match-none/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound non-IPsec packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def deleted file mode 100644 index 96ada47..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/ipsec/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Inbound IPsec packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def deleted file mode 100644 index 9097370..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def +++ /dev/null @@ -1,4 +0,0 @@ -type: u32 -default: 1 -help: Maximum number of packets to allow in excess of rate -syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def deleted file mode 100644 index 75460b1..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def +++ /dev/null 
@@ -1 +0,0 @@ -help: Rate limit using a token bucket filter diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def deleted file mode 100644 index cd108f4..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def +++ /dev/null @@ -1,10 +0,0 @@ -type: txt -help: Maximum average matching rate -syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ -"Invalid value for rate. Rate should be specified as an integer followed by -a forward slash '/' and either of these time units - second, minute, hour or day -eg. 1/second implies rule to be matched at an average of once per second" - -comp_help:Format for rate : integer/time unit -any one of second, minute, hour or day may be used to specify time unit -eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/modify/node.tag/rule/node.tag/log/node.def deleted file mode 100644 index 891cbcf..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt; "firewall logging must be enable or disable" -help: Option to log packets matching rule -syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def deleted file mode 100644 index 3ed8f0d..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/dscp/node.def +++ /dev/null @@ -1,4 +0,0 @@ -type: u32 -help: Packet Differentiated Services Codepoint (DSCP) -syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; - "DSCP must be between 0 and 63" 
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def deleted file mode 100644 index 0776b34..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/mark/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Packet marking diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def deleted file mode 100644 index c61402f..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Packet modifications diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def deleted file mode 100644 index 7a61966..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def +++ /dev/null @@ -1,21 +0,0 @@ -type: txt -help: TCP Maximum Segment Size - -syntax:expression: -exec " -if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \ - if [ $VAR(@) == \"pmtu\" ]; then \ - exit 0; \ - fi; \ -else \ - if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \ - ( $VAR(@) -ge \"500\" ) && \ - ( $VAR(@) -le \"1460\" ) ]]; then \ - exit 0; \ - fi; \ -fi; \ -echo Value must be \\'pmtu\\' or a number between 500 and 1460; \ -exit 1" - -val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 40 bytes -val_help: 500-1460; Explicitly set TCP MSS value diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def deleted file mode 100644 index bd61a90..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/all/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets 
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def deleted file mode 100644 index 8e9f704..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/applejuice/node.def +++ /dev/null @@ -1 +0,0 @@ -help: AppleJuice application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def deleted file mode 100644 index 1a56963..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/bittorrent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: BitTorrent application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def deleted file mode 100644 index eb84108..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/directconnect/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Direct Connect application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def deleted file mode 100644 index 255e618..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/edonkey/node.def +++ /dev/null @@ -1 +0,0 @@ -help: eDonkey/eMule application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def deleted file mode 100644 index f21b60b..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/gnutella/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Gnutella application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def deleted file mode 100644 index 44c3156..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/kazaa/node.def +++ /dev/null @@ -1 +0,0 @@ -help: KaZaA application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def deleted file mode 100644 index 5959d3d..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/p2p/node.def +++ /dev/null @@ -1 +0,0 @@ -help: P2P application packets diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def deleted file mode 100644 index c456f95..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def +++ /dev/null @@ -1,21 +0,0 @@ -type: txt -help: Protocol to match (protocol name in /etc/protocols or protocol number or "all") - -val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp") -val_help: u32:0-255; IP protocol number -val_help: tcp_udp; Both TCP and UDP -val_help: all; All IP protocols -val_help: !; All IP protocols except for the specified name or number - -syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ - && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ - echo invalid protocol \"$VAR(@)\" ; \ - exit 1 ; \ - fi ; " - -# Provide some help for command completion. Doesn't return negated -# values or protocol numbers -allowed: - protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'` - protos="all $protos tcp_udp" - echo -n $protos diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def deleted file mode 100644 index defd974..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def +++ /dev/null 
@@ -1,5 +0,0 @@ -type: u32 -help: Source addresses seen more than N times -syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" -val_help: u32:1-255; Source addresses seen more than N times - diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def deleted file mode 100644 index 3acc871..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Parameters for matching recently seen sources diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def deleted file mode 100644 index 9c49ed8..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/recent/time/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Source addresses seen in the last N seconds diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def deleted file mode 100644 index 72d6a17..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/address/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Source IP address, subnet, or range -val_help: ipv4; IP address to match -val_help: ipv4net; Subnet to match -val_help: ipv4range; IP range to match -val_help: !ipv4; Match everything except the specified address -val_help: !ipv4net; Match everything except the specified subnet -val_help: !ipv4range; Match everything except the specified range diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def deleted file mode 100644 index 97c748d..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/address-group/node.def +++ /dev/null 
@@ -1,8 +0,0 @@ -type: txt -help: Group of addresses - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=address;" -allowed: cli-shell-api listActiveNodes firewall group address-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def deleted file mode 100644 index bf018a0..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/network-group/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Group of networks - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def deleted file mode 100644 index 7b36071..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Source group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def deleted file mode 100644 index 865d2c5..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/group/port-group/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Group of ports - -commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-set-type \ - --set-name=$VAR(@) \ - --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def deleted file mode 100644 index 5519871..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/node.def deleted file mode 100644 index 84cdc1f..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Source parameters diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def deleted file mode 100644 index adfae7a..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/port/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Source port -val_help: ; Named port (any name in /etc/services, e.g., http) -val_help: u32:1-65535; Numbered port -val_help: range; Numbered port range (e.g., 1001-1005) -comp_help: Multiple source ports can be specified as a comma-separated list. -The whole list can also be "negated" using '!'. For example: - '!22,telnet,http,123,1001-1005' diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def deleted file mode 100644 index a4f3120..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/state/established/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Established state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def deleted file mode 100644 index dc6110d..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/state/invalid/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Invalid state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def deleted file mode 100644 index 6ef1f7a..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/state/new/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: New state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/node.def deleted file mode 100644 index 0e38df4..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/state/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Session state diff --git a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def deleted file mode 100644 index 2364c31..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/state/related/node.def +++ /dev/null @@ -1,3 +0,0 @@ -type: txt -help: Related state -syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def b/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def deleted file mode 100644 index b86e707..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/flags/node.def +++ /dev/null 
@@ -1,12 +0,0 @@ -type: txt -help: TCP flags to match -syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ -"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with -the SYN flag set, and the ACK, FIN and RST flags unset" - -comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL -When specifying more than one flag, flags should be comma-separated. -For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with -the SYN flag set, and the ACK, FIN and RST flags unset diff --git a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def b/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def deleted file mode 100644 index 66bc295..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/tcp/node.def +++ /dev/null @@ -1 +0,0 @@ -help: TCP flags to match diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def deleted file mode 100644 index 14c1d5c..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Monthdays to match rule on -syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ -"Incorrect value for monthdays. Monthdays should be specified as 2,12,21 -For negation, add ! in front eg. !2,12,21" - -comp_help: Format for monthdays - 2,12,21 -To negate add ! at the front eg. !2,12,21 diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def deleted file mode 100644 index 238acd2..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Time to match rule 
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def deleted file mode 100644 index 25e02e8..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def +++ /dev/null @@ -1,12 +0,0 @@ -type: txt -help: Date to start matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ -"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time -of date with startdate, append 'T' to date followed by time in 24 hour notation -hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to -21st January 2009 with time 13:30:00" - -comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append -'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate -value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 - diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def deleted file mode 100644 index ab69c45..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def +++ /dev/null @@ -1,7 +0,0 @@ -type: txt -help: Time of day to start matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ - "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss" - -comp_help: Enter time using using 24 hour notation - hh:mm:ss - diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def deleted file mode 100644 index 8fdf6e0..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def +++ /dev/null 
@@ -1,12 +0,0 @@ -type: txt -help: Date to stop matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ -"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time -of date with stopdate, append 'T' to date followed by time in 24 hour notation -hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to -31st Jan 2009 with time 13:30:00" - -comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, -append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg -stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 - diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def deleted file mode 100644 index 4a42ca3..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def +++ /dev/null @@ -1,8 +0,0 @@ -type: txt -help: Time of day to stop matching rule -syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ - "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" - -comp_help: Enter time using using 24 hour notation - hh:mm:ss - - diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def deleted file mode 100644 index 89c17f7..0000000 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/utc/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def deleted file mode 100644 index dd2649b..0000000 
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ /dev/null
@@ -1,9 +0,0 @@
-type: txt
-help: Weekdays to match rule on
-syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
-"Incorrect value for weekdays. Weekdays should be specified using the first
-three characters of the day with the first character capitalized eg. Mon,Thu,Sat
-For negation, add ! in front eg. !Mon,Thu,Sat"
-
-comp_help: Format for weekdays - Mon,Thu,Sat
-To negate add ! at the front eg. !Mon,Thu,Sat
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index e8be1cd..0c3c096 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -12,13 +12,13 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
 "Firewall rule set name cannot start with 'VZONE'"
 
-end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ;
 then
 if [ ${COMMIT_ACTION} = 'DELETE' ] ;
 then
- if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok name ;
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ;
 then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"
 fi
 fi
 else
@@ -26,6 +26,6 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
 fi
 sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
 
-create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "firewall name"
 
 help: IPv4 firewall rule-set name
diff --git a/templates/policy/ipv6-route/node.def b/templates/policy/ipv6-route/node.def
new file mode 100644
index 0000000..08b4f4a
--- /dev/null
+++ b/templates/policy/ipv6-route/node.def
@@ -0,0 +1,30 @@
+tag:
+priority: 210
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
+ "Policy ipv6-route rule set name must be 28 characters or less"
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Policy ipv6-route rule set name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
+ "Policy ipv6-route rule set name cannot contain ';'"
+syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
+ "Policy ipv6-route rule set name cannot start with 'VZONE'"
+
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)" ;
+ then
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ then
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy ipv6-route" ;
+ then
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy ipv6-route"
+ fi
+ fi
+ else
+ exit 1;
+ fi
+
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "policy ipv6-route"
+
+help: IPv6 policy route rule set name
diff --git a/templates/policy/ipv6-route/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/description/node.def
new file mode 100644
index 0000000..ceeca5d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Policy ipv6-route rule set description
diff --git a/templates/policy/ipv6-route/node.tag/enable-default-log/node.def b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
new file mode 100644
index 0000000..697719d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/enable-default-log/node.def
@@ -0,0 +1 @@
+help: Option to log packets hitting default-action
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.def b/templates/policy/ipv6-route/node.tag/rule/node.def
new file mode 100644
index 0000000..d5f8461
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.def
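Review bot: The rule-set name admitted by the four `syntax:expression` checks in templates/policy/ipv6-route/node.def is looser than the `firewall name` check touched in this same commit, yet it is interpolated into the `end:` and `create:` shell lines in the same way. `firewall name` rejects `|;&$<>` (`pattern $VAR(@) "^[^|;&$<>]*$"`), while here only `;` and a leading `-` are excluded, so a name containing `$`, a backtick, `&` or `|` still reaches `vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)"`; if `$VAR(@)` is expanded textually before bash runs the action, as the quoting style elsewhere in these templates suggests, those characters are live inside the double quotes. Replacing the `^[^;]*$` check with the firewall one, `syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \` followed by `"Policy ipv6-route rule set name cannot contain |;&$<>"`, closes the gap and keeps the two name validators consistent. The same applies to templates/policy/route/node.def later in this diff.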
@@ -0,0 +1,9 @@ +tag: + +type: u32 + +help: Rule number (1-9999) + +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy ipv6-route rule number must be between 1 and 9999" + +val_help: u32:1-9999; Rule number diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def new file mode 100644 index 0000000..10236f7 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Rule action + +syntax:expression: $VAR(@) in "drop"; + "action must be drop" + +allowed: echo "drop" + +val_help: drop; Rule action to drop diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def new file mode 100644 index 0000000..90bf88b --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Rule description diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def new file mode 100644 index 0000000..2ace3b3 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def @@ -0,0 +1,13 @@ +type: txt + +help: Destination IPv6 address, prefix or range + +val_help: ipv6; IPv6 address to match +val_help: ipv6net; IPv6 prefix to match +val_help: ipv6range; IPv6 range to match +val_help: !ipv6; Match everything except the specified address +val_help: !ipv6net; Match everything except the specified prefix +val_help: !ipv6range; Match everything except the specified range + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + 
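Review bot: In templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def the validator is invoked with an unquoted value, `exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"`, whereas the protocol and source/mac-address templates in this commit pass `'$VAR(@)'`. Without quotes a value containing whitespace or shell metacharacters is word-split and interpreted by the shell that runs the exec string instead of being handed to the validator as one argument, and the line carries no error message, so a rejected value gives the user no hint why. Suggest `syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param '$VAR(@)'" ; "invalid IPv6 address \"$VAR(@)\""`. The same line appears in the source/address template further down in this diff.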
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def new file mode 100644 index 0000000..dc227b7 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def @@ -0,0 +1 @@ +help: Destination parameters diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def new file mode 100644 index 0000000..2b2d8c7 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Destination port + +val_help: ; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple destination ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def new file mode 100644 index 0000000..70565eb --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def @@ -0,0 +1 @@ +help: Option to disable rule diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def new file mode 100644 index 0000000..7032b30 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def @@ -0,0 +1 @@ +help: ICMPv6 type and code information diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def new file mode 100644 index 0000000..087c7ab --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def 
@@ -0,0 +1,134 @@ +type: txt + +help: ICMPv6 type/code + +val_help: destination-unreachable; ICMPv6 type/code name +val_help: _ no-route; ICMPv6 type/code name +val_help: _ communication-prohibited; ICMPv6 type/code name +val_help: _ address-unreachable; ICMPv6 type/code name +val_help: _ port-unreachable; ICMPv6 type/code name +val_help: packet-too-big; ICMPv6 type/code name +val_help: time-exceeded; ICMPv6 type/code name +val_help: _ ttl-zero-during-transit; ICMPv6 type/code name +val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name +val_help: parameter-problem; ICMPv6 type/code name +val_help: _ bad-header; ICMPv6 type/code name +val_help: _ unknown-header-type; ICMPv6 type/code name +val_help: _ unknown-option; ICMPv6 type/code name +val_help: echo-request; ICMPv6 type/code name +val_help: ping; ICMPv6 type/code name +val_help: echo-reply; ICMPv6 type/code name +val_help: pong; ICMPv6 type/code name +val_help: router-solicitation; ICMPv6 type/code name +val_help: router-advertisement; ICMPv6 type/code name +val_help: neighbour-solicitation; ICMPv6 type/code name +val_help: neighbor-solicitation; ICMPv6 type/code name +val_help: neighbour-advertisement; ICMPv6 type/code name +val_help: neighbor-advertisement; ICMPv6 type/code name +val_help: u32:0-255; ICMPv6 type number +val_help: <0-255>/<0-255>; ICMPv6 type and code numbers + +allowed: + array=( + destination-unreachable + no-route + communication-prohibited + address-unreachable + port-unreachable + packet-too-big + time-exceeded + ttl-zero-during-transit + ttl-zero-during-reassembly + parameter-problem + bad-header + unknown-header-type + unknown-option + echo-request + ping + echo-reply + pong + router-solicitation + router-advertisement + neighbour-solicitation + neighbor-solicitation + neighbour-advertisement + neighbor-advertisement ) + echo -n ${array[@]} + +syntax:expression: exec " + array=( + destination-unreachable + no-route + communication-prohibited + address-unreachable + 
port-unreachable + packet-too-big + time-exceeded + ttl-zero-during-transit + ttl-zero-during-reassembly + parameter-problem + bad-header + unknown-header-type + unknown-option + echo-request + ping + echo-reply + pong + router-solicitation + router-advertisement + neighbour-solicitation + neighbor-solicitation + neighbour-advertisement + neighbor-advertisement ) + len=${#array[*]} + i=0 + while [ $i -lt $len ]; do + if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then + exit 0 + fi + let i++ + done + + param=$VAR(@) + codepart=${param##*/} + if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then + codepart=\"0\" + fi + + typepart=${param%%/*} + if [ -z \"$typepart\" ]; then + echo \"Must specify ICMPv6 type\" + exit 1 + fi + + shopt -s extglob + + leftover=${typepart##*([0-9])} + if [ -n \"$leftover\" ]; then + echo \"Invalid ICMPv6 type: $typepart\" + exit 1 + fi + + leftover=${codepart##*([0-9])} + if [ -n \"$leftover\" ]; then + echo \"Invalid ICMPv6 code: $codepart\" + exit 1 + fi + + if [ $typepart -lt 0 -o $typepart -gt 255 ]; then + echo \"ICMPv6 type must be between 0 and 255\" + exit 1 + fi + + if [ $codepart -lt 0 -o $codepart -gt 255 ]; then + echo \"ICMPv6 code must be between 0 and 255\" + exit 1 + fi +" + + + + + + + diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def new file mode 100644 index 0000000..96ada47 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def @@ -0,0 +1 @@ +help: Inbound IPsec packets diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def new file mode 100644 index 0000000..2d717d5 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def @@ -0,0 +1 @@ +help: Inbound non-IPsec packets 
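Review bot: The hand-rolled type/code parser in the `syntax:expression` block of icmpv6/type/node.def accepts malformed values with more than one slash: for `1/2/3`, `typepart=${param%%/*}` yields `1` and `codepart=${param##*/}` yields `3`, the middle field is silently dropped and the value passes. A guard before the split such as `case \"$param\" in */*/*) echo \"Invalid ICMPv6 type/code: $param\"; exit 1;; esac` closes that. The `-lt 0` halves of the two range checks can never fire once the digit-only checks have passed, and the hunk ends with seven empty `+` lines that should be trimmed. This hunk starts on the previous line.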
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def new file mode 100644 index 0000000..96ada47 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def @@ -0,0 +1 @@ +help: Inbound IPsec packets diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def new file mode 100644 index 0000000..9097370 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def @@ -0,0 +1,4 @@ +type: u32 +default: 1 +help: Maximum number of packets to allow in excess of rate +syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def new file mode 100644 index 0000000..75460b1 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def @@ -0,0 +1 @@ +help: Rate limit using a token bucket filter diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def new file mode 100644 index 0000000..cd108f4 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def @@ -0,0 +1,10 @@ +type: txt +help: Maximum average matching rate +syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ +"Invalid value for rate. Rate should be specified as an integer followed by +a forward slash '/' and either of these time units - second, minute, hour or day +eg. 1/second implies rule to be matched at an average of once per second" + +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second 
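Review bot: The ipsec container template reuses the leaf's text, `help: Inbound IPsec packets` (same blob 96ada47 as match-ipsec), so the completion tree shows the parent and one of its children with identical help. Something like `help: Inbound IPsec packet match` for the container distinguishes the two. In limit/burst the error message has a typo: `greater then zero` should read `greater than zero`.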
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
new file mode 100644
index 0000000..891cbcf
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def
@@ -0,0 +1,3 @@
+type: txt; "firewall logging must be enable or disable"
+help: Option to log packets matching rule
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..5225eee
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,28 @@
+type: txt
+
+help: IPv6 protocol to match (protocol name, number, or "all")
+
+syntax:expression: exec "
+ param=$VAR(@)
+ if [ \"$param\" = \"icmpv6\" ]; then
+ exit 0
+ fi
+ if [ \"$param\" = \"tcp_udp\" ]; then
+ exit 0
+ fi
+ /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'
+ " ;
+ "invalid protocol \"$VAR(@)\""
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
+ protos="all icmpv6 $protos tcp_udp"
+ echo -n $protos
+
+val_help: txt; IPv6 protocol name from /etc/protocols (e.g. "tcp" or "udp")
+val_help: u32:0-255; IPv6 protocol number
+val_help: tcp_udp; Both TCP and UDP
+val_help: all; All IPv6 protocols
+val_help: !; All IPv6 protocols except for the specified name or number
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..69a4ebd
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def
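Review bot: In templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def the `type:` line carries a validation message, `type: txt; "firewall logging must be enable or disable"`; that message belongs to `syntax:expression`, where it already appears, and whether or not the template parser tolerates it on `type:` the line should be just `type: txt`. The message also still says "firewall logging" although this is a policy template. In the protocol template, `param=$VAR(@)` is assigned unquoted while the validator call uses `'$VAR(@)'`; `param=\"$VAR(@)\"` keeps a value containing spaces from breaking the assignment before the comparisons run.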
@@ -0,0 +1,4 @@
+type: u32
+help: Source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
+val_help: u32:1-255; Source addresses seen more than N times
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..3acc871
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Parameters for matching recently seen sources
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..9c49ed8
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Source addresses seen in the last N seconds
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
new file mode 100644
index 0000000..3ed8f0d
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
new file mode 100644
index 0000000..c8cb1b2
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Packet marking
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647"
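Review bot: In set/mark/node.def the check `$VAR(@) > 0 && $VAR(@) <= 2147483647` rejects 0 while its message says `packet mark must be between 0 and 2,147,483,647`. Pick one: `$VAR(@) >= 0` if a zero (unmarked) value is meant to be settable, otherwise change the message to `must be between 1 and 2,147,483,647`. A `val_help: u32:1-2147483647; Packet mark` line would also make the accepted range visible in completion, as the other u32 nodes in this diff do.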
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
new file mode 100644
index 0000000..c61402f
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def
@@ -0,0 +1 @@
+help: Packet modifications
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
new file mode 100644
index 0000000..dbde887
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Routing table to forward packet with
+syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250;
+ "Table must be between 1 and 250"
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
new file mode 100644
index 0000000..8d2248e
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def
@@ -0,0 +1,21 @@
+type: txt
+help: TCP Maximum Segment Size
+
+syntax:expression:
+exec "
+if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
+ if [ $VAR(@) == \"pmtu\" ]; then \
+ exit 0; \
+ fi; \
+else \
+ if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
+ ( $VAR(@) -ge \"500\" ) && \
+ ( $VAR(@) -le \"1460\" ) ]]; then \
+ exit 0; \
+ fi; \
+fi; \
+echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
+exit 1"
+
+val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes
+val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..2fe8a42
--- /dev/null
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def
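Review bot: In set/table/node.def the condition `$VAR(@) >= 1 && $VAR(@) < 250` rejects 250, but the message says `Table must be between 1 and 250`. Either `$VAR(@) <= 250` or a message reading `between 1 and 249` makes the two agree; the bound is presumably chosen to stay clear of the kernel's reserved table ids, but which endpoint is intended cannot be told from the diff. A `val_help: u32:1-249; Routing table` line (with the chosen bound) would make the range visible in completion.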
@@ -0,0 +1,13 @@ + +type: txt + +help: Source IPv6 address, prefix or range + +val_help: ipv6; IPv6 address to match +val_help: ipv6net; IPv6 prefix to match +val_help: ipv6range; IPv6 range to match +val_help: !ipv6; Match everything except the specified address +val_help: !ipv6net; Match everything except the specified prefix +val_help: !ipv6range; Match everything except the specified range + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def new file mode 100644 index 0000000..5519871 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def @@ -0,0 +1,3 @@ +type: txt +help: Source MAC address +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def new file mode 100644 index 0000000..84cdc1f --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def @@ -0,0 +1 @@ +help: Source parameters diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def new file mode 100644 index 0000000..adfae7a --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def @@ -0,0 +1,8 @@ +type: txt +help: Source port +val_help: ; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple source ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' 
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def new file mode 100644 index 0000000..a4f3120 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def @@ -0,0 +1,3 @@ +type: txt +help: Established state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def new file mode 100644 index 0000000..dc6110d --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def @@ -0,0 +1,3 @@ +type: txt +help: Invalid state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def new file mode 100644 index 0000000..6ef1f7a --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def @@ -0,0 +1,3 @@ +type: txt +help: New state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def new file mode 100644 index 0000000..0e38df4 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def @@ -0,0 +1 @@ +help: Session state diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def new file mode 100644 index 0000000..2364c31 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def 
@@ -0,0 +1,3 @@ +type: txt +help: Related state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def new file mode 100644 index 0000000..b86e707 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def @@ -0,0 +1,12 @@ +type: txt +help: TCP flags to match +syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ +"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with +the SYN flag set, and the ACK, FIN and RST flags unset" + +comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with +the SYN flag set, and the ACK, FIN and RST flags unset diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def new file mode 100644 index 0000000..66bc295 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def @@ -0,0 +1 @@ +help: TCP flags to match diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def new file mode 100644 index 0000000..14c1d5c --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def 
@@ -0,0 +1,8 @@ +type: txt +help: Monthdays to match rule on +syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ +"Incorrect value for monthdays. Monthdays should be specified as 2,12,21 +For negation, add ! in front eg. !2,12,21" + +comp_help: Format for monthdays - 2,12,21 +To negate add ! at the front eg. !2,12,21 diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def new file mode 100644 index 0000000..238acd2 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def @@ -0,0 +1 @@ +help: Time to match rule diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def new file mode 100644 index 0000000..250ed0f --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def @@ -0,0 +1,11 @@ +type: txt +help: Date to start matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ +"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time +of date with startdate, append 'T' to date followed by time in 24 hour notation +hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to +21st January 2009 with time 13:30:00" + +comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def new file mode 100644 index 0000000..ab69c45 --- /dev/null 
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def @@ -0,0 +1,7 @@ +type: txt +help: Time of day to start matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ + "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss" + +comp_help: Enter time using using 24 hour notation - hh:mm:ss + diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def new file mode 100644 index 0000000..93fc8b6 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def @@ -0,0 +1,11 @@ +type: txt +help: Date to stop matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ +"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time +of date with stopdate, append 'T' to date followed by time in 24 hour notation +hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to +31st Jan 2009 with time 13:30:00" + +comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, +append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg +stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def new file mode 100644 index 0000000..b108175 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def 
@@ -0,0 +1,8 @@ +type: txt +help: Time of day to stop matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ + "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" + +comp_help: Enter time using using 24 hour notation - hh:mm:ss + + diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def new file mode 100644 index 0000000..167f191 --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def @@ -0,0 +1 @@ +help: Interpret times for startdate, stopdate, starttime and stoptime to be U$ diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def new file mode 100644 index 0000000..dd2649b --- /dev/null +++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def @@ -0,0 +1,9 @@ +type: txt +help: Weekdays to match rule on +syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ +"Incorrect value for weekdays. Weekdays should be specified using the first +three characters of the day with the first character capitalized eg. Mon,Thu,Sat +For negation, add ! in front eg. !Mon,Thu,Sat" + +comp_help: Format for weekdays - Mon,Thu,Sat +To negate add ! at the front eg. !Mon,Thu,Sat diff --git a/templates/policy/route/node.def b/templates/policy/route/node.def new file mode 100644 index 0000000..edfd75b --- /dev/null +++ b/templates/policy/route/node.def 
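Review bot: The help text in templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def is truncated: `help: Interpret times for startdate, stopdate, starttime and stoptime to be U$` ends in `U$`, whereas the deleted firewall/modify counterpart earlier in this diff reads `to be UTC`. Restore `help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC`; the new blob (167f191) differing from the deleted one (89c17f7) only by this looks like an editing accident rather than an intended change.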
@@ -0,0 +1,31 @@
+tag:
+priority: 471
+
+type: txt
+
+syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
+ "Policy route rule set name must be 28 characters or less"
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Policy route rule set name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
+ "Policy route rule set name cannot contain ';'"
+syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
+ "Policy route rule set name cannot start with 'VZONE'"
+
+end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy route" "$VAR(@)" ;
+ then
+ if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ then
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy route" ;
+ then
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy route"
+ fi
+ fi
+ else
+ exit 1;
+ fi
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
+
+create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "policy route"
+
+help: Policy route rule set name
diff --git a/templates/policy/route/node.tag/description/node.def b/templates/policy/route/node.tag/description/node.def
new file mode 100644
index 0000000..6e49257
--- /dev/null
+++ b/templates/policy/route/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Policy route rule set description
diff --git a/templates/policy/route/node.tag/enable-default-log/node.def b/templates/policy/route/node.tag/enable-default-log/node.def
new file mode 100644
index 0000000..697719d
--- /dev/null
+++ b/templates/policy/route/node.tag/enable-default-log/node.def
@@ -0,0 +1 @@
+help: Option to log packets hitting default-action
diff --git a/templates/policy/route/node.tag/rule/node.def b/templates/policy/route/node.tag/rule/node.def
new file mode 100644
index 0000000..f06c3a5
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.def
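Review bot: The rule-set name is admitted by `^[[:print:]]{1,28}$` and then interpolated into the `end:` and `create:` scripts as `"$VAR(@)"`, where the sudo-run `vyatta-firewall.pl` receives it; `[[:print:]]` still allows `"`, `$` and the backquote, none of which double quotes neutralise in bash. If the config backend substitutes `$VAR(@)` textually before bash evaluates the script (which the separate `;` and leading-`-` checks suggest the author was guarding against), a name containing those characters would alter the command rather than be passed as one argument. A whitelist such as `syntax:expression: pattern $VAR(@) "^[[:alnum:]_.-]{1,28}$" ; "Policy route rule set name may only contain letters, digits, '_', '.' and '-'"` closes that gap and makes the `;` check redundant, while the `^[^-]` check can stay. Separately, `[ ${COMMIT_ACTION} = 'DELETE' ]` should quote the variable (`[ "${COMMIT_ACTION}" = 'DELETE' ]`) so the test does not become a syntax error when it is unset.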
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy route rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates/policy/route/node.tag/rule/node.tag/action/node.def b/templates/policy/route/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 0000000..a244a4c
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Rule action
+
+syntax:expression: $VAR(@) in "drop";
+ "action must be drop"
+
+allowed: echo "drop modify"
+
+val_help: drop ; Rule action to drop
diff --git a/templates/policy/route/node.tag/rule/node.tag/description/node.def b/templates/policy/route/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 0000000..dd2f535
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Rule description
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..f142aba
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Destination IP address, subnet, or range
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
new file mode 100644
index 0000000..07e791c
--- /dev/null
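Review bot: In `rule/node.tag/action/node.def`, `allowed: echo "drop modify"` offers `modify` for tab completion, but `syntax:expression: $VAR(@) in "drop"` rejects every value except `drop` and `val_help` lists only `drop`, so completion advertises a value that can never be committed. Either reduce the completion to `allowed: echo "drop"`, or — if the `set/*` nodes added later in this commit are meant to be the "modify" action — extend the check to `syntax:expression: $VAR(@) in "drop", "modify";` with a matching message and a `val_help: modify ; ...` line. Whichever is intended, the three lines should agree.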
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+
+allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
new file mode 100644
index 0000000..bf018a0
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
new file mode 100644
index 0000000..bb11dae
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/node.def
@@ -0,0 +1 @@
+help: Destination group
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
new file mode 100644
index 0000000..865d2c5
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listActiveNodes firewall group port-group
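Review bot: All three group nodes hand the value to a sudo-run script as `--set-name=$VAR(@)` with no quoting and no `syntax:expression` constraining the name; `allowed:` only feeds completion, it validates nothing. If `$VAR(@)` is substituted textually before the shell parses the `exec` string, a name containing whitespace or shell metacharacters is parsed as extra words on the sudo command line before `check-set-type` ever sees it, so the later type check is not a defence here. Group names are presumably constrained where `firewall group` is defined, but nothing in these nodes enforces that for the value typed here; a whitelist such as `syntax:expression: pattern $VAR(@) "^[[:alnum:]_.-]+$" ; "invalid group name"` on each node, and single-quoting `--set-name='$VAR(@)'`, would keep the value a single argument. The same construct recurs in the three `source/group/*` files further down this commit.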
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/node.def new file mode 100644 index 0000000..dc227b7 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/destination/node.def @@ -0,0 +1 @@ +help: Destination parameters diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def new file mode 100644 index 0000000..3299c9a --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/destination/port/node.def @@ -0,0 +1,8 @@ +type: txt +help: Destination port +val_help: ; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple destination ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' diff --git a/templates/policy/route/node.tag/rule/node.tag/disable/node.def b/templates/policy/route/node.tag/rule/node.tag/disable/node.def new file mode 100644 index 0000000..70565eb --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/disable/node.def @@ -0,0 +1 @@ +help: Option to disable rule diff --git a/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def new file mode 100644 index 0000000..2f830a1 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def @@ -0,0 +1 @@ +help: Second and further fragments of fragmented packets diff --git a/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def new file mode 100644 index 0000000..3590869 --- /dev/null 
+++ b/templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def @@ -0,0 +1 @@ +help: Head fragments or unfragmented packets diff --git a/templates/policy/route/node.tag/rule/node.tag/fragment/node.def b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def new file mode 100644 index 0000000..c3d9f02 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/fragment/node.def @@ -0,0 +1 @@ +help: IP fragment match diff --git a/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def new file mode 100644 index 0000000..b102b99 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def @@ -0,0 +1,3 @@ +type: u32; "ICMP code must be between 0 and 255" +help: ICMP code (0-255) +syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255" diff --git a/templates/policy/route/node.tag/rule/node.tag/icmp/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def new file mode 100644 index 0000000..33a8e89 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/icmp/node.def @@ -0,0 +1 @@ +help: ICMP type and code information diff --git a/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def new file mode 100644 index 0000000..b71c23a --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def 
@@ -0,0 +1,38 @@
+type: txt
+help: ICMP type-name
+allowed:
+array=(any echo-reply destination-unreachable network-unreachable
+ host-unreachable protocol-unreachable port-unreachable
+ fragmentation-needed source-route-failed network-unknown host-unknown
+ network-prohibited host-prohibited TOS-network-unreachable
+ TOS-host-unreachable communication-prohibited host-precedence-violation
+ precedence-cutoff source-quench redirect network-redirect host-redirect
+ TOS-network-redirect TOS-host-redirect echo-request router-advertisement
+ router-solicitation time-exceeded ttl-zero-during-transit
+ ttl-zero-during-reassembly parameter-problem ip-header-bad
+ required-option-missing timestamp-request timestamp-reply
+ address-mask-request address-mask-reply)
+echo -n ${array[@]}
+
+syntax:expression: exec "
+array=(any echo-reply destination-unreachable network-unreachable
+ host-unreachable protocol-unreachable port-unreachable
+ fragmentation-needed source-route-failed network-unknown host-unknown
+ network-prohibited host-prohibited TOS-network-unreachable
+ TOS-host-unreachable communication-prohibited host-precedence-violation
+ precedence-cutoff source-quench redirect network-redirect host-redirect
+ TOS-network-redirect TOS-host-redirect echo-request router-advertisement
+ router-solicitation time-exceeded ttl-zero-during-transit
+ ttl-zero-during-reassembly parameter-problem ip-header-bad
+ required-option-missing timestamp-request timestamp-reply
+ address-mask-request address-mask-reply)
+len=${#array[*]}
+i=0
+while [ $i -lt $len ]; do
+ if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+done
+echo Invalid ICMP type-name [$VAR(@)]
+exit 1 "
diff --git a/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
new file mode 100644
index 0000000..9d879e1
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def
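Review bot: The 34-entry ICMP type-name list is written out twice in `icmp/type-name/node.def`, once under `allowed:` and again inside the `syntax:expression` shell string, so the two copies will drift the first time a name is added to only one of them. The shell loop does nothing but a membership test, which a single `pattern $VAR(@) "^(any|echo-reply|...|address-mask-reply)$"` alternation expresses with no shell, no `\"` escaping of the interpolated value, and one list to maintain; failing that, keep the array once and have `allowed:` echo it. The script also relies on `let i++` and `==` inside `[ ]`, which are bash extensions — fine if `exec` strings run under bash (the tcp-mss file later in this commit assumes the same with `[[ ]]`), but worth confirming rather than assuming.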
@@ -0,0 +1,3 @@ +type: u32; "ICMP type must be between 0 and 255" +help: ICMP type (0-255) +syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255" diff --git a/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def new file mode 100644 index 0000000..96ada47 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def @@ -0,0 +1 @@ +help: Inbound IPsec packets diff --git a/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def new file mode 100644 index 0000000..2d717d5 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def @@ -0,0 +1 @@ +help: Inbound non-IPsec packets diff --git a/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def new file mode 100644 index 0000000..96ada47 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/ipsec/node.def @@ -0,0 +1 @@ +help: Inbound IPsec packets diff --git a/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def new file mode 100644 index 0000000..9097370 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def @@ -0,0 +1,4 @@ +type: u32 +default: 1 +help: Maximum number of packets to allow in excess of rate +syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/policy/route/node.tag/rule/node.tag/limit/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/node.def new file mode 100644 index 0000000..75460b1 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/limit/node.def @@ -0,0 +1 @@ +help: Rate limit using a token bucket filter 
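Review bot: `rule/node.tag/ipsec/node.def` is committed with the same blob as `ipsec/match-ipsec/node.def` (index 96ada47), so the container node's help reads `Inbound IPsec packets`, identical to its match-ipsec child; the parent should describe the group of options, e.g. `help: Inbound IPsec packet match` (compare `fragment/node.def`, which says `IP fragment match`). In the `limit/burst` hunk on the same line the message `"Burst should be a value greater then zero"` should read `greater than zero`.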
diff --git a/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def new file mode 100644 index 0000000..cd108f4 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def @@ -0,0 +1,10 @@ +type: txt +help: Maximum average matching rate +syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ +"Invalid value for rate. Rate should be specified as an integer followed by +a forward slash '/' and either of these time units - second, minute, hour or day +eg. 1/second implies rule to be matched at an average of once per second" + +comp_help:Format for rate : integer/time unit +any one of second, minute, hour or day may be used to specify time unit +eg. 1/second implies rule to be matched at an average of once per second diff --git a/templates/policy/route/node.tag/rule/node.tag/log/node.def b/templates/policy/route/node.tag/rule/node.tag/log/node.def new file mode 100644 index 0000000..891cbcf --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/log/node.def @@ -0,0 +1,3 @@ +type: txt; "firewall logging must be enable or disable" +help: Option to log packets matching rule +syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" diff --git a/templates/policy/route/node.tag/rule/node.tag/protocol/node.def b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def new file mode 100644 index 0000000..6e0e9a6 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/protocol/node.def 
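Review bot: `comp_help:Format for rate : integer/time unit` in `limit/rate/node.def` is missing the space after the colon that every other `comp_help:` line in this commit has, and both messages in `log/node.def` say `firewall logging must be enable or disable` although the node lives under `policy route`; `policy route logging must be enable or disable` would match the wording of the rule-number message in this commit. Neither affects behaviour, but both strings are what the operator sees at the prompt.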
@@ -0,0 +1,22 @@ +type: txt + +help: Protocol to match (protocol name in /etc/protocols or protocol number or "all") + +val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp") +val_help: u32:0-255; IP protocol number +val_help: tcp_udp; Both TCP and UDP +val_help: all; All IP protocols +val_help: !; All IP protocols except for the specified name or number + +syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ + && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ + echo invalid protocol \"$VAR(@)\" ; \ + exit 1 ; \ + fi ; " + +# Provide some help for command completion. Doesn't return negated +# values or protocol numbers +allowed: + protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'` + protos="all $protos tcp_udp" + echo -n $protos diff --git a/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def new file mode 100644 index 0000000..defd974 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/recent/count/node.def @@ -0,0 +1,5 @@ +type: u32 +help: Source addresses seen more than N times +syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" +val_help: u32:1-255; Source addresses seen more than N times + diff --git a/templates/policy/route/node.tag/rule/node.tag/recent/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/node.def new file mode 100644 index 0000000..3acc871 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/recent/node.def @@ -0,0 +1 @@ +help: Parameters for matching recently seen sources diff --git a/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def new file mode 100644 index 0000000..9c49ed8 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/recent/time/node.def 
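Review bot: The completion pipeline in `protocol/node.def`, `cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`, spawns four processes for a filter that awk does on its own: `protos=$(awk '!/^#/ && $1 !~ /v6/ { print $1 }' /etc/protocols)`. That is a style point only; the output fed to `echo -n $protos` is the same set of names. The `#` comment above `allowed:` is a useful convention worth keeping for the other scripted `allowed:` blocks in this commit, such as the ICMP type-name one, which currently has none.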
@@ -0,0 +1,2 @@
+type: u32
+help: Source addresses seen in the last N seconds
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
new file mode 100644
index 0000000..3ed8f0d
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Packet Differentiated Services Codepoint (DSCP)
+syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
+ "DSCP must be between 0 and 63"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def
new file mode 100644
index 0000000..c8cb1b2
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/mark/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Packet marking
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 0 and 2,147,483,647"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/node.def b/templates/policy/route/node.tag/rule/node.tag/set/node.def
new file mode 100644
index 0000000..c61402f
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/node.def
@@ -0,0 +1 @@
+help: Packet modifications
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
new file mode 100644
index 0000000..dbde887
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
@@ -0,0 +1,4 @@
+type: u32
+help: Routing table to forward packet with
+syntax:expression: $VAR(@) >= 1 && $VAR(@) < 250;
+ "Table must be between 1 and 250"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def
new file mode 100644
index 0000000..7a61966
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def
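Review bot: `set/table/node.def` checks `$VAR(@) < 250` but tells the user `Table must be between 1 and 250`, and `set/mark/node.def` checks `$VAR(@) > 0` but says `between 0 and 2,147,483,647`; in both files the check and the message disagree at one boundary, so a user entering the advertised limit gets the same message back as an error. Decide which bound is intended and align the pair: either `$VAR(@) >= 1 && $VAR(@) <= 250` and `$VAR(@) >= 0 && $VAR(@) <= 2147483647`, or reword the messages to `between 1 and 249` and `between 1 and 2,147,483,647`. The dscp file between them gets this right (`< 64` with `between 0 and 63`).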
@@ -0,0 +1,21 @@
+type: txt
+help: TCP Maximum Segment Size
+
+syntax:expression:
+exec "
+if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
+ if [ $VAR(@) == \"pmtu\" ]; then \
+ exit 0; \
+ fi; \
+else \
+ if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
+ ( $VAR(@) -ge \"500\" ) && \
+ ( $VAR(@) -le \"1460\" ) ]]; then \
+ exit 0; \
+ fi; \
+fi; \
+echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
+exit 1"
+
+val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 40 bytes
+val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/policy/route/node.tag/rule/node.tag/source/address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..72d6a17
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source IP address, subnet, or range
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def
new file mode 100644
index 0000000..97c748d
--- /dev/null
+++ b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+allowed: cli-shell-api listActiveNodes firewall group address-group
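Review bot: The 14-line `exec` script in `set/tcp-mss/node.def` only decides whether the value is `pmtu` or an integer from 500 to 1460, which a `pattern` check states in one line with no shell and none of the `\"`/`\\'` escaping: `syntax:expression: pattern $VAR(@) "^(pmtu|[5-9][0-9][0-9]|1[0-3][0-9][0-9]|14[0-5][0-9]|1460)$" ; "Value must be 'pmtu' or a number between 500 and 1460"`. That also removes the unquoted `[ $VAR(@) == \"pmtu\" ]` test, which only behaves if the interpolated value contains no whitespace, and the `-ge`/`-le` comparisons against quoted numbers. The accepted set is unchanged, so `val_help` can stay as it is.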
diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..bf018a0 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listActiveNodes firewall group network-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..865d2c5 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listActiveNodes firewall group port-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def new file mode 100644 index 0000000..5519871 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def @@ -0,0 +1,3 @@ +type: txt +help: Source MAC address +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" 
diff --git a/templates/policy/route/node.tag/rule/node.tag/source/node.def b/templates/policy/route/node.tag/rule/node.tag/source/node.def new file mode 100644 index 0000000..84cdc1f --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/node.def @@ -0,0 +1 @@ +help: Source parameters diff --git a/templates/policy/route/node.tag/rule/node.tag/source/port/node.def b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def new file mode 100644 index 0000000..adfae7a --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/source/port/node.def @@ -0,0 +1,8 @@ +type: txt +help: Source port +val_help: ; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple source ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' diff --git a/templates/policy/route/node.tag/rule/node.tag/state/established/node.def b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def new file mode 100644 index 0000000..a4f3120 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/state/established/node.def @@ -0,0 +1,3 @@ +type: txt +help: Established state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def new file mode 100644 index 0000000..dc6110d --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def @@ -0,0 +1,3 @@ +type: txt +help: Invalid state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 
diff --git a/templates/policy/route/node.tag/rule/node.tag/state/new/node.def b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def new file mode 100644 index 0000000..6ef1f7a --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/state/new/node.def @@ -0,0 +1,3 @@ +type: txt +help: New state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/route/node.tag/rule/node.tag/state/node.def b/templates/policy/route/node.tag/rule/node.tag/state/node.def new file mode 100644 index 0000000..0e38df4 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/state/node.def @@ -0,0 +1 @@ +help: Session state diff --git a/templates/policy/route/node.tag/rule/node.tag/state/related/node.def b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def new file mode 100644 index 0000000..2364c31 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/state/related/node.def @@ -0,0 +1,3 @@ +type: txt +help: Related state +syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" diff --git a/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def new file mode 100644 index 0000000..b86e707 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def 
@@ -0,0 +1,12 @@ +type: txt +help: TCP flags to match +syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ +"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with +the SYN flag set, and the ACK, FIN and RST flags unset" + +comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL +When specifying more than one flag, flags should be comma-separated. +For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with +the SYN flag set, and the ACK, FIN and RST flags unset diff --git a/templates/policy/route/node.tag/rule/node.tag/tcp/node.def b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def new file mode 100644 index 0000000..66bc295 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/tcp/node.def @@ -0,0 +1 @@ +help: TCP flags to match diff --git a/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def new file mode 100644 index 0000000..14c1d5c --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def @@ -0,0 +1,8 @@ +type: txt +help: Monthdays to match rule on +syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ +"Incorrect value for monthdays. Monthdays should be specified as 2,12,21 +For negation, add ! in front eg. !2,12,21" + +comp_help: Format for monthdays - 2,12,21 +To negate add ! at the front eg. !2,12,21 diff --git a/templates/policy/route/node.tag/rule/node.tag/time/node.def b/templates/policy/route/node.tag/rule/node.tag/time/node.def new file mode 100644 index 0000000..238acd2 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/node.def @@ -0,0 +1 @@ +help: Time to match rule 
diff --git a/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def new file mode 100644 index 0000000..25e02e8 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def @@ -0,0 +1,12 @@ +type: txt +help: Date to start matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ +"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time +of date with startdate, append 'T' to date followed by time in 24 hour notation +hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to +21st January 2009 with time 13:30:00" + +comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append +'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate +value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 + diff --git a/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def new file mode 100644 index 0000000..ab69c45 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def @@ -0,0 +1,7 @@ +type: txt +help: Time of day to start matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ + "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss" + +comp_help: Enter time using using 24 hour notation - hh:mm:ss + diff --git a/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def new file mode 100644 index 0000000..8fdf6e0 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def 
@@ -0,0 +1,12 @@ +type: txt +help: Date to stop matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ +"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time +of date with stopdate, append 'T' to date followed by time in 24 hour notation +hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to +31st Jan 2009 with time 13:30:00" + +comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, +append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg +stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 + diff --git a/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def new file mode 100644 index 0000000..b108175 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def @@ -0,0 +1,8 @@ +type: txt +help: Time of day to stop matching rule +syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ + "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss" + +comp_help: Enter time using using 24 hour notation - hh:mm:ss + + diff --git a/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def new file mode 100644 index 0000000..89c17f7 --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/utc/node.def @@ -0,0 +1 @@ +help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC diff --git a/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def new file mode 100644 index 0000000..dd2649b --- /dev/null +++ b/templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def 
@@ -0,0 +1,9 @@
+type: txt
+help: Weekdays to match rule on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat
-- cgit v1.2.3
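Review bot: The weekdays pattern `^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$` accepts any capitalised three-letter token, so `Xyz,Foo` passes `syntax:expression` and is rejected, if at all, only when the rule is applied at commit, with a less specific error. An explicit alternation pins the seven names the help text promises: `syntax:expression: pattern $VAR(@) "^!?((Mon|Tue|Wed|Thu|Fri|Sat|Sun),)*(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$" ; \` with the existing message. The ipv6-route weekdays file earlier in this commit shares this blob (index dd2649b), so the same change applies there.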