From 30e0a9401a49c21318403cdc9e6c3689f757ebbf Mon Sep 17 00:00:00 2001 
From: Gaurav Sinha Date: Wed, 1 Feb 2012 16:21:28 -0800 Subject: Initial commit for per-flow timeout CLI (cherry picked from commit f7fc0b920516ecf03a7dcf3e73f39513d8fcfc1c) --- .../system/conntrack/timeout/custom/node.def | 1 + .../system/conntrack/timeout/custom/rule/node.def | 9 +++++++++ .../custom/rule/node.tag/description/node.def | 3 +++ .../rule/node.tag/destination/address/node.def | 10 ++++++++++ .../destination/group/address-group/node.def | 9 +++++++++ .../destination/group/network-group/node.def | 8 ++++++++ .../rule/node.tag/destination/group/node.def | 1 + .../node.tag/destination/group/port-group/node.def | 8 ++++++++ .../custom/rule/node.tag/destination/node.def | 1 + .../custom/rule/node.tag/destination/port/node.def | 10 ++++++++++ .../timeout/custom/rule/node.tag/protocol/node.def | 22 ++++++++++++++++++++++ .../custom/rule/node.tag/source/address/node.def | 8 ++++++++ .../node.tag/source/group/address-group/node.def | 8 ++++++++ .../node.tag/source/group/network-group/node.def | 8 ++++++++ .../custom/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 ++++++++ .../rule/node.tag/source/mac-address/node.def | 3 +++ .../timeout/custom/rule/node.tag/source/node.def | 1 + .../custom/rule/node.tag/source/port/node.def | 8 ++++++++ 19 files changed, 127 insertions(+) create mode 100644 templates-cfg/system/conntrack/timeout/custom/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def create mode 100644 
templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def create mode 100644 templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def (limited to 'templates-cfg/system/conntrack')
diff --git a/templates-cfg/system/conntrack/timeout/custom/node.def b/templates-cfg/system/conntrack/timeout/custom/node.def
new file mode 100644
index 0000000..c8e5841
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/node.def
@@ -0,0 +1 @@
+help: Define custom timeouts per flow
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
new file mode 100644
index 0000000..c31dfbd
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.def
@@ -0,0 +1,9 @@
+tag:
+
+type: u32
+
+help: Rule number (1-9999)
+
+syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "firewall rule number must be between 1 and 9999"
+
+val_help: u32:1-9999; Rule number
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def
new file mode 100644
index 0000000..90bf88b
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Rule description
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..83d7514
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/address/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination IP address, subnet, or range
+
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
new file mode 100644
index 0000000..07e791c
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/address-group/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+
+allowed: cli-shell-api listActiveNodes firewall group address-group
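Review bot: The failure message in `syntax:expression` of `rule/node.def` reads "firewall rule number must be between 1 and 9999", but this node lives under `system conntrack timeout custom`, so the wording is carried over from the firewall template and will mislead the operator who triggers it; `syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "rule number must be between 1 and 9999"` is correct for this tree. Nothing in the `custom` subtree added here defines the timeout values a rule applies or an `end:`/`commit:` action that consumes the rule, so as landed a rule is accepted by the parser but has no effect; presumably a follow-up adds both, but that is not stated anywhere in the templates.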
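Review bot: `destination/address/node.def` declares the leaf as `type: txt` and documents ipv4, ipv4net, ipv4range and their negated forms in `val_help`, but carries no `syntax:expression`, so any string is accepted at set time and is only checked, if at all, by whatever later turns the rule into conntrack configuration. The protocol and mac-address leaves in this same commit call `/opt/vyatta/sbin/vyatta-validate-type.pl` from `syntax:expression`; running the same validator here with the negatable ipv4 types (`ipv4_negate`, `ipv4net_negate`, `ipv4range_negate`, if this tree's validator provides them) would reject malformed values with a clear message before commit. The same gap exists in `source/address/node.def`, and `destination/port/node.def` and `source/port/node.def` are likewise unvalidated `txt` leaves even though their `comp_help` describes a restricted syntax.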
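Review bot: In the `commit:expression` of `destination/group/address-group/node.def` the group name is interpolated unquoted as `--set-name=$VAR(@)` into a command string that runs under `sudo`, so a name containing whitespace or shell metacharacters is split or interpreted by the shell instead of reaching vyatta-ipset.pl as a single argument; `allowed:` only drives tab completion and does not restrict what `set` accepts. Quote it the way the protocol and mac-address hunks quote their validator argument, `--set-name='$VAR(@)' \`. The same unquoted interpolation is repeated in the destination network-group and port-group hunks and in the source address-group, network-group and port-group hunks.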
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
new file mode 100644
index 0000000..bf018a0
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
new file mode 100644
index 0000000..bb11dae
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/node.def
@@ -0,0 +1 @@
+help: Destination group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
new file mode 100644
index 0000000..865d2c5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..dc227b7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Destination parameters
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..2b2d8c7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/destination/port/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination port
+
+val_help: ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple destination ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..1f235f7
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/protocol/node.def
@@ -0,0 +1,22 @@
+type: txt
+
+help: Protocol to match (protocol name in /etc/protocols or protocol number or "all")
+
+val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
+val_help: u32:0-255; IP protocol number
+val_help: tcp_udp; Both TCP and UDP
+val_help: all; All IP protocols
+val_help: !; All IP protocols except for the specified name or number
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
+ protos="all $protos tcp_udp"
+ echo -n $protos
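Review bot: The `syntax:expression` in `protocol/node.def` decides validity by testing whether `vyatta-validate-type.pl protocol_negate` printed anything (`[ -n \"`...`\" ]`) and then special-cases `tcp_udp` in a five-line shell fragment, whereas `source/mac-address/node.def` in the same commit relies on the validator's exit status with the failure message given after the `;`. The exit-status form would keep the two templates consistent and collapse this to one line, e.g. `syntax:expression: exec "[ \"$VAR(@)\" = tcp_udp ] || /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""`, assuming the validator's exit status mirrors its output, which the mac-address hunk suggests but this page does not show. The `help:` text lists name, number and "all" but omits `tcp_udp`, which `val_help` and the `allowed:` completion both advertise; `help: Protocol to match (protocol name in /etc/protocols, protocol number, "all", or "tcp_udp")` closes that gap.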
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..72d6a17
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/address/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source IP address, subnet, or range
+val_help: ipv4; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range; IP range to match
+val_help: !ipv4; Match everything except the specified address
+val_help: !ipv4net; Match everything except the specified subnet
+val_help: !ipv4range; Match everything except the specified range
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
new file mode 100644
index 0000000..97c748d
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/address-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+allowed: cli-shell-api listActiveNodes firewall group address-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
new file mode 100644
index 0000000..bf018a0
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listActiveNodes firewall group network-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
new file mode 100644
index 0000000..7b36071
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/node.def
@@ -0,0 +1 @@
+help: Source group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
new file mode 100644
index 0000000..865d2c5
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listActiveNodes firewall group port-group
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..ad07881
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def
new file mode 100644
index 0000000..84cdc1f
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Source parameters
diff --git a/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..adfae7a
--- /dev/null
+++ b/templates-cfg/system/conntrack/timeout/custom/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Source port
+val_help: ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535; Numbered port
+val_help: range; Numbered port range (e.g., 1001-1005)
+comp_help: Multiple source ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
-- cgit v1.2.3