From 90fee79f793f26a39a05cd8feadb3d15ff3fd13e Mon Sep 17 00:00:00 2001
From: Stig Thormodsrud
Date: Mon, 18 Jan 2010 16:22:29 -0800
Subject: Add IPv6 policy access-list.
---
templates/policy/access-list6/node.def | 17 +++++++++++++++++
.../policy/access-list6/node.tag/description/node.def | 2 ++
templates/policy/access-list6/node.tag/rule/node.def | 11 +++++++++++
.../access-list6/node.tag/rule/node.tag/action/node.def | 9 +++++++++
.../node.tag/rule/node.tag/description/node.def | 2 ++
.../node.tag/rule/node.tag/source/any/node.def | 5 +++++
.../node.tag/rule/node.tag/source/exact-match/node.def | 3 +++
.../node.tag/rule/node.tag/source/network/node.def | 10 ++++++++++
.../access-list6/node.tag/rule/node.tag/source/node.def | 1 +
9 files changed, 60 insertions(+)
create mode 100644 templates/policy/access-list6/node.def
create mode 100644 templates/policy/access-list6/node.tag/description/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/action/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/description/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def
create mode 100644 templates/policy/access-list6/node.tag/rule/node.tag/source/node.def
(limited to 'templates/policy/access-list6')
diff --git a/templates/policy/access-list6/node.def b/templates/policy/access-list6/node.def
new file mode 100644
index 00000000..01a5f90f
--- /dev/null
+++ b/templates/policy/access-list6/node.def
@@ -0,0 +1,17 @@
+tag:
+
+type: txt
+
+help: Set IPv6 access-list filter
+
+syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,64}$" ; \
+ "access-list name must be 64 characters or less"
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "access-list name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
+ "access-list name cannot contain shell punctuation"
+
+end: /opt/vyatta/sbin/vyatta-policy.pl --update-access-list6 "$VAR(@)"
+
+comp_help: possible completions:
+ Set name of ipv6 access-list
diff --git a/templates/policy/access-list6/node.tag/description/node.def b/templates/policy/access-list6/node.tag/description/node.def
new file mode 100644
index 00000000..2ed57fe5
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set a description for this IPv6 access-list
diff --git a/templates/policy/access-list6/node.tag/rule/node.def b/templates/policy/access-list6/node.tag/rule/node.def
new file mode 100644
index 00000000..68666a4e
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.def
@@ -0,0 +1,11 @@
+tag:
+
+type: u32
+
+help: Set a rule for this access-list6
+
+syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; \
+ "rule number must be between 1 and 65535"
+
+comp_help: possible completions:
+ <1-65535> Set access-list6 rule number
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 00000000..00d8d511
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,9 @@
+type: txt
+
+help: Set action to take on networks matching this rule [REQUIRED]
+
+syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
+
+comp_help: possible completions
+ permit permit matching networks
+ deny deny matching networks
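Review bot: The name check in `templates/policy/access-list6/node.def` is a deny-list (`^[^|;&$<>]*$`) layered on `[[:graph:]]`, so a backquote, double quote, backslash or parenthesis still passes, and the `end:` line then places `$VAR(@)` inside a double-quoted shell argument. If the CLI substitutes the value into the command text before the shell parses it, some of those characters keep their meaning inside the quotes, and the script runs with whatever privileges the commit has. An allow-list closes the gap and folds in the leading `-` rule, for example `syntax:expression: pattern $VAR(@) "^[[:alnum:]_][[:alnum:]_.-]{0,63}$" ; "access-list name must be 1-64 letters, digits, _ . or - and must not start with -"`. Separately, the "64 characters or less" message is also what a user sees when the name fails `[[:graph:]]` for a reason other than length.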
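Review bot: Nothing in `rule/node.def` enforces the action that `action/node.def` labels `[REQUIRED]`; the only `!= ""` checks on action are in `source/any` and `source/network`, so a rule that holds just a description (or just `source exact-match`) appears to commit with no action. Putting the check on the rule node covers every case, e.g. `commit:expression: $VAR(./action/) != ""; "policy access-list6 $VAR(../@) rule $VAR(@): you must specify an action"`, assuming the template language accepts that relative path form at this level. What `vyatta-policy.pl --update-access-list6` does with an action-less rule is not visible in this patch, so the resulting filter behaviour should be confirmed.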
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 00000000..9fbe0f6c
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set a description for this IPv6 access-list rule
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def
new file mode 100644
index 00000000..94dac8f3
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def
@@ -0,0 +1,5 @@
+help: Set any IPv6 address to match
+
+commit:expression: ($VAR(../network/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you may only define one filter type. (network|any)"
+
+commit:expression: $VAR(../../action/) != ""; "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you must specify an action"
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def
new file mode 100644
index 00000000..170efc33
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def
@@ -0,0 +1,3 @@
+help: Exact match of the network prefixes
+
+commit:expression: ($VAR(../any/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: exact-match can only be used with a network filter "
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def
new file mode 100644
index 00000000..085a59ec
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def
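Review bot: The commit check in `source/exact-match/node.def` only rejects the combination with `any` (`$VAR(../any/) == ""`), while its message says exact-match needs a network filter, so a source that sets `exact-match` alone with no `network` passes validation. Testing the positive condition matches the message: `commit:expression: $VAR(../network/) != ""; "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: exact-match can only be used with a network filter"`. The message as committed also ends with a stray space before the closing quote.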
@@ -0,0 +1,10 @@
+type: ipv6net
+
+help: Set a network/netmask to match (requires inverse-mask be defined)
+
+comp_help: possible completions:
+ Set the IPv6 address and prefix length
+
+commit:expression: ($VAR(../any/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you may only define one filter type. (network|any)"
+
+commit:expression: $VAR(../../action/) != ""; "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you must specify an action"
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 00000000..37277c3d
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set source IPv6 network to match
-- cgit v1.2.3
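Review bot: The help string in `source/network/node.def` still reads `network/netmask` and `requires inverse-mask be defined`, but the node is `type: ipv6net` and this patch adds no inverse-mask node under `source`, so the hint sends an operator looking for an option that does not exist here. Wording in line with the node's own comp_help text would be `help: Set IPv6 network/prefix-length to match`. An operator who misreads what a filter rule matches can end up with a wider or narrower access-list than intended, so the text is worth getting right.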