summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-01-05 12:13:17 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2024-01-25 12:35:46 +0000
commit6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122 (patch)
treec1260ee9efeddcf038bfcf547372efba17d26ba6 /interface-definitions/include/firewall
parentada6b103f15b5871fa28c5e194afcd2f5019b2e4 (diff)
downloadvyos-1x-6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122.tar.gz
vyos-1x-6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122.zip
T4839: firewall: Add dynamic address group in firewall configuration, and appropiate commands to populate such groups using source and destination address of the packet.
Diffstat (limited to 'interface-definitions/include/firewall')
-rw-r--r--interface-definitions/include/firewall/add-dynamic-address-groups.xml.i34
-rw-r--r--interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i34
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv4.xml.i25
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv6.xml.i25
-rw-r--r--interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i17
-rw-r--r--interface-definitions/include/firewall/source-destination-dynamic-group.xml.i17
6 files changed, 152 insertions, 0 deletions
diff --git a/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
new file mode 100644
index 000000000..769761cb6
--- /dev/null
+++ b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/add-dynamic-address-groups.xml.i -->
+<leafNode name="address-group">
+ <properties>
+ <help>Dynamic address-group</help>
+ <completionHelp>
+ <path>firewall group dynamic-group address-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<leafNode name="timeout">
+ <properties>
+ <help>Set timeout</help>
+ <valueHelp>
+ <format>&lt;number&gt;s</format>
+ <description>Timeout value in seconds</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;m</format>
+ <description>Timeout value in minutes</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;h</format>
+ <description>Timeout value in hours</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;d</format>
+ <description>Timeout value in days</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+(s|m|h|d)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
new file mode 100644
index 000000000..7bd91c58a
--- /dev/null
+++ b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/add-dynamic-ipv6-address-groups.xml.i -->
+<leafNode name="address-group">
+ <properties>
+ <help>Dynamic ipv6-address-group</help>
+ <completionHelp>
+ <path>firewall group dynamic-group ipv6-address-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<leafNode name="timeout">
+ <properties>
+ <help>Set timeout</help>
+ <valueHelp>
+ <format>&lt;number&gt;s</format>
+ <description>Timeout value in seconds</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;m</format>
+ <description>Timeout value in minutes</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;h</format>
+ <description>Timeout value in hours</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;number&gt;d</format>
+ <description>Timeout value in days</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+(s|m|h|d)</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
index 4ed179ae7..158c7a662 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -1,6 +1,29 @@
<!-- include start from firewall/common-rule-ipv4.xml.i -->
#include <include/firewall/common-rule-inet.xml.i>
#include <include/firewall/ttl.xml.i>
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ip address to dynamic address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -13,6 +36,7 @@
#include <include/firewall/mac-address.xml.i>
#include <include/firewall/port.xml.i>
#include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/source-destination-dynamic-group.xml.i>
</children>
</node>
<node name="icmp">
@@ -67,6 +91,7 @@
#include <include/firewall/mac-address.xml.i>
#include <include/firewall/port.xml.i>
#include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/source-destination-dynamic-group.xml.i>
</children>
</node>
<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
index 6219557db..78eeb361e 100644
--- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -1,6 +1,29 @@
<!-- include start from firewall/common-rule-ipv6.xml.i -->
#include <include/firewall/common-rule-inet.xml.i>
#include <include/firewall/hop-limit.xml.i>
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ipv6 address to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -13,6 +36,7 @@
#include <include/firewall/mac-address.xml.i>
#include <include/firewall/port.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
</children>
</node>
<node name="icmpv6">
@@ -67,6 +91,7 @@
#include <include/firewall/mac-address.xml.i>
#include <include/firewall/port.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
</children>
</node>
<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
new file mode 100644
index 000000000..845f8fe7c
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from firewall/source-destination-dynamic-group-ipv6.xml.i -->
+<node name="group">
+ <properties>
+ <help>Group</help>
+ </properties>
+ <children>
+ <leafNode name="dynamic-address-group">
+ <properties>
+ <help>Group of dynamic ipv6 addresses</help>
+ <completionHelp>
+ <path>firewall group dynamic-group ipv6-address-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
new file mode 100644
index 000000000..29ab98c68
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from firewall/source-destination-dynamic-group.xml.i -->
+<node name="group">
+ <properties>
+ <help>Group</help>
+ </properties>
+ <children>
+ <leafNode name="dynamic-address-group">
+ <properties>
+ <help>Group of dynamic addresses</help>
+ <completionHelp>
+ <path>firewall group dynamic-group address-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-23 01:38:33 +0000