summaryrefslogtreecommitdiff
path: root/templates/policy/access-list
diff options
context:
space:
mode:
authorAn-Cheng Huang <ancheng@vyatta.com>2007-10-01 13:14:31 -0700
committerAn-Cheng Huang <ancheng@vyatta.com>2007-10-01 13:14:31 -0700
commitcfa368bbc1d4c55c42c60838e04fc523625932b7 (patch)
treee439217d7e3ebb726b9954d7f823db2b47f18c9d /templates/policy/access-list
downloadvyatta-cfg-quagga-upstream.tar.gz
vyatta-cfg-quagga-upstream.zip
initial import (from eureka /cli).upstream
Diffstat (limited to 'templates/policy/access-list')
-rw-r--r--templates/policy/access-list/node.def14
-rw-r--r--templates/policy/access-list/node.tag/description/node.def2
-rw-r--r--templates/policy/access-list/node.tag/rule/node.def4
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/action/node.def3
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/description/node.def2
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def9
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/destination/host/node.def9
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/destination/inverse-mask/node.def10
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/destination/network/node.def10
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/destination/node.def1
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/source/any/node.def4
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/source/host/node.def4
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/source/inverse-mask/node.def5
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/source/network/node.def5
-rw-r--r--templates/policy/access-list/node.tag/rule/node.tag/source/node.def1
15 files changed, 83 insertions, 0 deletions
diff --git a/templates/policy/access-list/node.def b/templates/policy/access-list/node.def
new file mode 100644
index 00000000..b97eb0a6
--- /dev/null
+++ b/templates/policy/access-list/node.def
@@ -0,0 +1,14 @@
+tag:
+type: u32
+help: "access-list number must be \n \
+ <1-99> IP standard access list \n \
+ <100-199> IP extended access list \n \
+ <1300-1999> IP standard access list (expanded range) \n \
+ <2000-2699> IP extended access list (expanded range) \n "
+syntax: ($(@) >= 1 && $(@) <= 199) || ($(@) >= 1300 && $(@) <= 2699); \
+"access-list number must be \n \
+ <1-99> IP standard access list \n \
+ <100-199> IP extended access list \n \
+ <1300-1999> IP standard access list (expanded range) \n \
+ <2000-2699> IP extended access list (expanded range) \n "
+end: "/opt/vyatta/sbin/vyatta_policy.pl --update-access-list $(@)"
diff --git a/templates/policy/access-list/node.tag/description/node.def b/templates/policy/access-list/node.tag/description/node.def
new file mode 100644
index 00000000..c5b70286
--- /dev/null
+++ b/templates/policy/access-list/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "access-list description"
diff --git a/templates/policy/access-list/node.tag/rule/node.def b/templates/policy/access-list/node.tag/rule/node.def
new file mode 100644
index 00000000..fb9ca24a
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.def
@@ -0,0 +1,4 @@
+tag:
+type: u32
+help: "Specify access-list rule number"
+syntax: $(@) >= 1 && $(@) <= 65535; "rule number must be between 1 and 65535"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/action/node.def b/templates/policy/access-list/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 00000000..bca61186
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: "action to take on packets matching this rule"
+syntax: $(@) in "permit", "deny"; "must be permit or deny"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/description/node.def b/templates/policy/access-list/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 00000000..3d61ac85
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: "description for this rule"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def
new file mode 100644
index 00000000..6dbee23b
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def
@@ -0,0 +1,9 @@
+help: "filter any IP address"
+# TODO: won't work until 2220 is fixed
+syntax: $(../host/@) == "" && $(../network/@) == ""; "You may only define one filter type. (host|network|any)"
+# TODO: pending 2284
+syntax: ($(../../@) >= 100 && $(../../@) <= 199) || ($(../../@) >= 2000) && $(../../@) <= 2699); " \
+To set destination filter parameters, the access-list rule number must be \n \
+ <100-199> IP extended access list \n \
+ <2000-2699> IP extended access list (expanded range) \n"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/host/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/host/node.def
new file mode 100644
index 00000000..993c64ea
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/host/node.def
@@ -0,0 +1,9 @@
+type: ipv4
+help: "filter a host IP address"
+syntax: $(../any/@) == "" && $(../network/@) == ""; "You may only define one filter type. (host|network|any)"
+# TODO: pending 2284
+syntax: ($(../../@) >= 100 && $(../../@) <= 199) || ($(../../@) >= 2000) && $(../../@) <= 2699); " \
+To set destination filter parameters, the access-list rule number must be \n \
+ <100-199> IP extended access list \n \
+ <2000-2699> IP extended access list (expanded range) \n"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/inverse-mask/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/inverse-mask/node.def
new file mode 100644
index 00000000..37bbc95a
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/inverse-mask/node.def
@@ -0,0 +1,10 @@
+type: ipv4
+help: "filter a network IP netmask"
+syntax: $(../any/@) == "" && $(../host/@) == ""; "You may only define one filter type. (host|network|any)"
+# TODO: pending 2284
+syntax: ($(../../@) >= 100 && $(../../@) <= 199) || ($(../../@) >= 2000) && $(../../@) <= 2699); " \
+To set destination filter parameters, the access-list rule number must be \n \
+ <100-199> IP extended access list \n \
+ <2000-2699> IP extended access list (expanded range) \n"
+commit: $(../network/@) != ""; "You must specify a network before committing"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/network/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/network/node.def
new file mode 100644
index 00000000..c016170f
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/network/node.def
@@ -0,0 +1,10 @@
+type: ipv4
+help: "filter a network IP address"
+syntax: $(../host/@) != "" || $(../any/@) != ""; "You may only define one filter type. (host|network|any)"
+# TODO: pending 2284
+syntax: ($(../../@) >= 100 && $(../../@) <= 199) || ($(../../@) >= 2000) && $(../../@) <= 2699); " \
+To set destination filter parameters, the access-list rule number must be \n \
+ <100-199> IP extended access list \n \
+ <2000-2699> IP extended access list (expanded range) \n"
+commit: $(../inverse-mask/@) != ""; "You must specify an inverse-mask before comitting"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/node.def
new file mode 100644
index 00000000..21f3005a
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: "define a destination address or network filter"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/source/any/node.def b/templates/policy/access-list/node.tag/rule/node.tag/source/any/node.def
new file mode 100644
index 00000000..34c30831
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/source/any/node.def
@@ -0,0 +1,4 @@
+help: "filter any IP address"
+# TODO: won't work until 2220 is fixed
+syntax: $(../host/@) == "" && $(../network/@) == ""; "You may only define one filter type. (host|network|any)"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/source/host/node.def b/templates/policy/access-list/node.tag/rule/node.tag/source/host/node.def
new file mode 100644
index 00000000..5b1b6257
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/source/host/node.def
@@ -0,0 +1,4 @@
+type: ipv4
+help: "filter a host IP address"
+syntax: $(../any/@) == "" && $(../network/@) == ""; "You may only define one filter type. (host|network|any)"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/source/inverse-mask/node.def b/templates/policy/access-list/node.tag/rule/node.tag/source/inverse-mask/node.def
new file mode 100644
index 00000000..8b77960d
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/source/inverse-mask/node.def
@@ -0,0 +1,5 @@
+type: ipv4
+help: "filter a network IP netmask"
+syntax: $(../any/@) == "" || $(../host/@) == ""; "You may only define one filter type. (host|network|any)"
+commit: $(../network/@) != ""; "You must specify a network before committing"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/source/network/node.def b/templates/policy/access-list/node.tag/rule/node.tag/source/network/node.def
new file mode 100644
index 00000000..f95182ac
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/source/network/node.def
@@ -0,0 +1,5 @@
+type: ipv4
+help: "filter a network IP address"
+syntax: $(../host/@) == "" && $(../any/@) == ""; "You may only define one filter type. (host|network|any)"
+commit: $(../inverse-mask/@) != ""; "You must specify an inverse-mask before comitting"
+commit: $(../../action/@) != ""; "You must specify an action before committing"
diff --git a/templates/policy/access-list/node.tag/rule/node.tag/source/node.def b/templates/policy/access-list/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 00000000..69a6c7b4
--- /dev/null
+++ b/templates/policy/access-list/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: "define a source address or network filter"