diff options
Diffstat (limited to 'templates-cfg/system/conntrack')
24 files changed, 152 insertions, 0 deletions
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def new file mode 100644 index 0000000..4421b83 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/node.def @@ -0,0 +1,3 @@ +help: Define custom timeouts per connection +end:expression: "sudo /opt/vyatta/bin/sudo-users/vyatta-conntrack-timeouts.pl" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.def new file mode 100644 index 0000000..077603e --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.def @@ -0,0 +1,9 @@ +tag: + +type: u32 + +help: Rule number (1-9999) + +syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "Custom timeout rule number must be between 1 and 9999" + +val_help: u32:1-9999; Rule number diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def new file mode 100644 index 0000000..90bf88b --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Rule description diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def new file mode 100644 index 0000000..83d7514 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Destination IP address, subnet, or range + +val_help: ipv4; IP address to match +val_help: ipv4net; Subnet to match +val_help: ipv4range; IP range to match +val_help: !ipv4; Match everything except the specified address +val_help: !ipv4net; Match everything except the specified subnet +val_help: !ipv4range; Match everything except the specified range diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def new file mode 100644 index 0000000..dc227b7 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def @@ -0,0 +1 @@ +help: Destination parameters diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def new file mode 100644 index 0000000..2b2d8c7 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Destination port + +val_help: <port name>; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple destination ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def new file mode 100644 index 0000000..16c9224 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/icmp/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: ICMP timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; ICMP timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def new file mode 100644 index 0000000..7f26da6 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def @@ -0,0 +1,2 @@ +help: Customize protocol specific timers, one protocol configuration per rule + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def new file mode 100644 index 0000000..4d50136 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/other/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: Generic connection timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; Generic connection timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def new file mode 100644 index 0000000..7b9b089 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP CLOSE-WAIT timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP CLOSE-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def new file mode 100644 index 0000000..c37bb68 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/close/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP CLOSE timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP CLOSE timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def new file mode 100644 index 0000000..dfc575d --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/established/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP ESTABLISHED timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP ESTABLISHED timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def new file mode 100644 index 0000000..4514d6a --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/fin-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP FIN-WAIT timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP FIN-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def new file mode 100644 index 0000000..5c1cc25 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/last-ack/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP LAST-ACK timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP LAST-ACK timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def new file mode 100644 index 0000000..2d58f9c --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/node.def @@ -0,0 +1 @@ +help: TCP per connection timeout options diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def new file mode 100644 index 0000000..a9c5a57 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-recv/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP SYN-RECEIVED timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP SYN-RECEIVED timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def new file mode 100644 index 0000000..af71067 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/syn-sent/node.def @@ -0,0 +1,7 @@ +type: u32 + +help: TCP SYN-SENT timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP SYN-SENT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def new file mode 100644 index 0000000..1b85ba1 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/tcp/time-wait/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: TCP TIME-WAIT timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; TCP TIME-WAIT timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def new file mode 100644 index 0000000..321f684 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/node.def @@ -0,0 +1 @@ +help: UDP per connection timeout configuration options diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def new file mode 100644 index 0000000..abfdc7e --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/other/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: UDP generic timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; UDP generic timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def new file mode 100644 index 0000000..431c94a --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/udp/stream/node.def @@ -0,0 +1,8 @@ +type: u32 + +help: UDP stream timeout for matching connection(s) in seconds + +val_help: u32:1-21474836; UDP stream timeout in seconds + +syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 21474836) ; "Value must be between 1 and 21474836" + diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def new file mode 100644 index 0000000..72d6a17 --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def @@ -0,0 +1,8 @@ +type: txt +help: Source IP address, subnet, or range +val_help: ipv4; IP address to match +val_help: ipv4net; Subnet to match +val_help: ipv4range; IP range to match +val_help: !ipv4; Match everything except the specified address +val_help: !ipv4net; Match everything except the specified subnet +val_help: !ipv4range; Match everything except the specified range diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def new file mode 100644 index 0000000..84cdc1f --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def @@ -0,0 +1 @@ +help: Source parameters diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def new file mode 100644 index 0000000..adfae7a --- /dev/null +++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def @@ -0,0 +1,8 @@ +type: txt +help: Source port +val_help: <port name>; Named port (any name in /etc/services, e.g., http) +val_help: u32:1-65535; Numbered port +val_help: range; Numbered port range (e.g., 1001-1005) +comp_help: Multiple source ports can be specified as a comma-separated list. +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' |