author | Shirish Sandesara <shirish.sandesara@vyatta.com> | 2013-05-21 16:05:51 -0700 |
---|---|---|
committer | Shirish Sandesara <shirish.sandesara@vyatta.com> | 2013-05-21 16:05:51 -0700 |
commit | d7c00cc04591a96c8378175ac0a9f24c0107fd6b (patch) | |
tree | ee9a1cd391318085693fff5fcd08e431c2c08a47 | |
parent | d4360229313871c3f5e3dd13fb8b91afdfd0a83e (diff) | |
download | vyatta-cfg-quagga-d7c00cc04591a96c8378175ac0a9f24c0107fd6b.tar.gz vyatta-cfg-quagga-d7c00cc04591a96c8378175ac0a9f24c0107fd6b.zip |
adding v6 nodes for pbr
18 files changed, 114 insertions, 0 deletions
diff --git a/templates/policy/route6/node.def b/templates/policy/route6/node.def
new file mode 100644
index 00000000..088e4d2a
--- /dev/null
+++ b/templates/policy/route6/node.def
@@ -0,0 +1,5 @@
+tag:
+type: txt
+help: IPv6 pbr route-map (group made of rules) name
+
+delete: /opt/vyatta/sbin/vyatta-dp-pbr.pl --cmd=delete-group --group=$VAR(@)
diff --git a/templates/policy/route6/node.tag/rule/node.def b/templates/policy/route6/node.tag/rule/node.def
new file mode 100644
index 00000000..7964f3f4
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.def
@@ -0,0 +1,19 @@
+tag:
+
+type: u32
+
+help: Rule number (1-998)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 998; "pbr rule number must be between 1 and 998"
+
+val_help: u32:1-998; Rule number
+
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+ then
+ /opt/vyatta/sbin/vyatta-dp-pbr.pl --cmd=delete --group="$VAR(../@)" --rule="$VAR(@)";
+ else
+ /opt/vyatta/sbin/vyatta-dp-pbr.pl --cmd=update --group="$VAR(../@)" --rule="$VAR(@)";
+ fi
+
+
diff --git a/templates/policy/route6/node.tag/rule/node.tag/action/node.def b/templates/policy/route6/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 00000000..17b595ac
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,11 @@
+type: txt
+
+help: Rule action [REQUIRED]
+
+syntax:expression: $VAR(@) in "allow", "deny";
+ "action must be allow or deny"
+
+allowed: echo "deny allow"
+
+val_help: deny ; Rule action to deny
+val_help: allow ; Rule action to allow
diff --git a/templates/policy/route6/node.tag/rule/node.tag/destination/address/node.def b/templates/policy/route6/node.tag/rule/node.tag/destination/address/node.def
new file mode 100644
index 00000000..087960fb
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/destination/address/node.def
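Review bot: The `delete:` action in templates/policy/route6/node.def passes the group name to the shell unquoted (`--group=$VAR(@)`), and the node is `type: txt` with no `syntax:expression`, so a name containing whitespace or shell metacharacters reaches a command that presumably runs with the configuration backend's privileges. The rule template in the next file already quotes the same value as `--group="$VAR(../@)"`, and this line should match it: `delete: /opt/vyatta/sbin/vyatta-dp-pbr.pl --cmd=delete-group --group="$VAR(@)"`. Quoting alone does not cover a name that itself contains a quote character, so I would also restrict the tag value, for example `syntax:expression: pattern $VAR(@) "^[-_a-zA-Z0-9]+$" ; "route6 name may only contain letters, digits, - and _"`. Whether the backend escapes substituted values before running the action is not visible in this diff.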
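Review bot: The test in the `end:` action of rule/node.def expands `${COMMIT_ACTION}` unquoted, so an empty or unset value makes `[` fail with a syntax error and control falls through to the `--cmd=update` branch instead of stopping. Quoting the expansion keeps the comparison well-formed in that case: `end: if [ "${COMMIT_ACTION}" = 'DELETE' ] ;`. It would also help to add a one-line comment above `end:` stating that every commit action other than DELETE is treated as an update.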
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination IP address, subnet, or range
+
+val_help: ipv6; IP address to match
+val_help: ipv6net; Subnet to match
+val_help: ipv6range; IP range to match
+val_help: !ipv6; Match everything except the specified address
+val_help: !ipv6net; Match everything except the specified subnet
+val_help: !ipv6range; Match everything except the specified range
diff --git a/templates/policy/route6/node.tag/rule/node.tag/destination/node.def b/templates/policy/route6/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 00000000..dc227b70
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Destination parameters
diff --git a/templates/policy/route6/node.tag/rule/node.tag/destination/port/node.def b/templates/policy/route6/node.tag/rule/node.tag/destination/port/node.def
new file mode 100644
index 00000000..58e196bd
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/destination/port/node.def
@@ -0,0 +1,9 @@
+type: txt
+
+help: Destination port
+
+val_help: <port name>; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple destination ports can be specified as a comma-separated list.
+ 'telnet,http,123,1001-1005'
diff --git a/templates/policy/route6/node.tag/rule/node.tag/icmp/code/node.def b/templates/policy/route6/node.tag/rule/node.tag/icmp/code/node.def
new file mode 100644
index 00000000..84f77b4d
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/icmp/code/node.def
@@ -0,0 +1,5 @@
+type: u32; "ICMP code must be between 0 and 255"
+
+help: ICMP code (0-255)
+
+syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255"
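Review bot: destination/address/node.def declares `type: txt` with no `syntax:expression`, so the ipv6, ipv6net and ipv6range formats listed in `val_help` are documentation only and any string is accepted at set time. The same applies to the destination/port, source/address, source/port and protocol hunks of this commit. Unless vyatta-dp-pbr.pl validates these values itself, which this diff does not show, a malformed address or port is either rejected late at commit or handed to the dataplane as a rule that matches something other than what the operator intended. I would add a validator to each leaf, in the form `syntax:expression: exec "<address-validator> $VAR(@)"` (placeholder name), or a `pattern` expression like the one used for TCP flags.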
diff --git a/templates/policy/route6/node.tag/rule/node.tag/icmp/node.def b/templates/policy/route6/node.tag/rule/node.tag/icmp/node.def
new file mode 100644
index 00000000..33a8e894
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/icmp/node.def
@@ -0,0 +1 @@
+help: ICMP type and code information
diff --git a/templates/policy/route6/node.tag/rule/node.tag/icmp/type/node.def b/templates/policy/route6/node.tag/rule/node.tag/icmp/type/node.def
new file mode 100644
index 00000000..ce69c452
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/icmp/type/node.def
@@ -0,0 +1,5 @@
+type: u32; "ICMP type must be between 0 and 255"
+
+help: ICMP type (0-255)
+
+syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255"
diff --git a/templates/policy/route6/node.tag/rule/node.tag/node.def b/templates/policy/route6/node.tag/rule/node.tag/node.def
new file mode 100644
index 00000000..e4043b92
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/node.def
@@ -0,0 +1 @@
+help: V6 pbr rule number
diff --git a/templates/policy/route6/node.tag/rule/node.tag/protocol/node.def b/templates/policy/route6/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 00000000..24735ad4
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,9 @@
+type: txt
+
+help: Protocol to match (tcp, udp or icmp)
+
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ echo -n "tcp udp icmp"
diff --git a/templates/policy/route6/node.tag/rule/node.tag/source/address/node.def b/templates/policy/route6/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 00000000..503b9bd8
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/source/address/node.def
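Review bot: The help text and `allowed:` list in protocol/node.def offer `icmp` for an IPv6 rule without saying which protocol that selects, and on IPv6 the control protocol is ICMPv6, which is a different protocol number with different type and code values from IPv4 ICMP. If the backend takes `icmp` literally, a rule written from this help would never match v6 traffic and the policy would not be applied, with no error shown to the operator; how vyatta-dp-pbr.pl maps the keyword is not visible here. I would state the meaning in the help strings, for example `help: Protocol to match (tcp, udp or icmp; icmp means ICMPv6 here)`, and likewise `help: ICMPv6 type (0-255)` and `help: ICMPv6 code (0-255)` in the icmp/type and icmp/code hunks. The comment above `allowed:` also implies that negated values and protocol numbers are accepted, which the help line should mention if it is true.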
@@ -0,0 +1,8 @@
+type: txt
+help: Source IP address, subnet, or range
+val_help: ipv6; IP address to match
+val_help: ipv6net; Subnet to match
+val_help: ipv6range; IP range to match
+val_help: !ipv6; Match everything except the specified address
+val_help: !ipv6net; Match everything except the specified subnet
+val_help: !ipv6range; Match everything except the specified range
diff --git a/templates/policy/route6/node.tag/rule/node.tag/source/node.def b/templates/policy/route6/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 00000000..84cdc1f3
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Source parameters
diff --git a/templates/policy/route6/node.tag/rule/node.tag/source/port/node.def b/templates/policy/route6/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 00000000..e69685ab
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Source port
+val_help: <port name>; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple source ports can be specified as a comma-separated list.
+ 'telnet,http,123,1001-1005'
diff --git a/templates/policy/route6/node.tag/rule/node.tag/state/node.def b/templates/policy/route6/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 00000000..588e4763
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1,2 @@
+help: Enable state firewall rule
+
diff --git a/templates/policy/route6/node.tag/rule/node.tag/table/node.def b/templates/policy/route6/node.tag/rule/node.tag/table/node.def
new file mode 100644
index 00000000..18b9c103
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/table/node.def
@@ -0,0 +1,5 @@
+type: u32
+help: V6 Policy Based Routing Table id
+syntax:expression: $VAR(@) > 0 && $VAR(@) <201 ; "table id must be greater than 0 and less than or equeal to 200"
+val_help: u32:1-200;
+
diff --git a/templates/policy/route6/node.tag/rule/node.tag/tcp/flags/node.def b/templates/policy/route6/node.tag/rule/node.tag/tcp/flags/node.def
new file mode 100644
index 00000000..f6235173
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/tcp/flags/node.def
@@ -0,0 +1,13 @@
+type: txt
+help: TCP flags to match
+syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \
+"Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset"
+
+comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL
+When specifying more than one flag, flags should be comma-separated.
+For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with
+the SYN flag set, and the ACK, FIN and RST flags unset
+
diff --git a/templates/policy/route6/node.tag/rule/node.tag/tcp/node.def b/templates/policy/route6/node.tag/rule/node.tag/tcp/node.def
new file mode 100644
index 00000000..a57ef521
--- /dev/null
+++ b/templates/policy/route6/node.tag/rule/node.tag/tcp/node.def
@@ -0,0 +1,2 @@
+help: TCP flags to match
+
|
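Review bot: The error string on the `syntax:expression:` line of table/node.def misspells "equal" as "equeal", and the `val_help: u32:1-200;` line has an empty description, so completion shows the range with no explanation. I would write the bound the way the message states it, `syntax:expression: $VAR(@) > 0 && $VAR(@) <= 200 ; "table id must be between 1 and 200"`, and give the help entry a description, `val_help: u32:1-200; Policy routing table id`.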
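Review bot: The pattern in tcp/flags/node.def checks each list element on its own, so it accepts a flag that is repeated or both set and negated in one value, such as `SYN,!SYN`, and it accepts `!ALL`, which neither the error message nor `comp_help` documents. A contradictory value would pass set-time validation and then either fail in the backend or install a rule that can never match; which of the two happens is not visible in this diff. If the backend does not reject such values, a short `exec` check for duplicate flag names would close the gap, and the help text should say whether `!ALL` is meant to be valid.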