authorDaniil Baturin <daniil@vyos.io>2024-06-06 17:19:01 +0200
committerGitHub <noreply@github.com>2024-06-06 17:19:01 +0200
commit85da43aa26470e0657ba68437a297ed11045d132 (patch)
treee094a3c15cb0556bd8579745ae75fd093c1d7aa8 /interface-definitions/include/firewall
parent1c57ed83b7838f4153f5b655c6a2b47bc12547ba (diff)
parent770edf016838523c248e3c8a36c5f327a0b98415 (diff)
Merge pull request #3578 from nicolas-fort/raw-hook
T3900: Add support for raw tables in firewall
Diffstat (limited to 'interface-definitions/include/firewall')
-rw-r--r--interface-definitions/include/firewall/action-and-notrack.xml.i10
-rw-r--r--interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i25
-rw-r--r--interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i25
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i239
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i309
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv4.xml.i57
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i50
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv6.xml.i57
-rw-r--r--interface-definitions/include/firewall/connection-status.xml.i28
-rw-r--r--interface-definitions/include/firewall/fragment.xml.i21
-rw-r--r--interface-definitions/include/firewall/global-options.xml.i8
-rw-r--r--interface-definitions/include/firewall/icmp.xml.i34
-rw-r--r--interface-definitions/include/firewall/icmpv6.xml.i34
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-output.xml.i27
-rw-r--r--interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i34
-rw-r--r--interface-definitions/include/firewall/ipv6-hook-output.xml.i27
-rw-r--r--interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i51
-rw-r--r--interface-definitions/include/firewall/limit.xml.i33
-rw-r--r--interface-definitions/include/firewall/protocol.xml.i34
-rw-r--r--interface-definitions/include/firewall/recent.xml.i44
-rw-r--r--interface-definitions/include/firewall/time.xml.i70
-rw-r--r--interface-definitions/include/firewall/timeout-common-protocols.xml.i171
22 files changed, 722 insertions, 666 deletions
diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i
index 5f81a1451..de11f7dd5 100644
--- a/interface-definitions/include/firewall/action-and-notrack.xml.i
+++ b/interface-definitions/include/firewall/action-and-notrack.xml.i
@@ -3,13 +3,17 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept jump notrack reject return drop queue</list>
+ <list>accept continue jump notrack reject return drop queue</list>
</completionHelp>
<valueHelp>
<format>accept</format>
<description>Accept matching entries</description>
</valueHelp>
<valueHelp>
+ <format>continue</format>
+ <description>Continue parsing next rule</description>
+ </valueHelp>
+ <valueHelp>
<format>jump</format>
<description>Jump to another chain</description>
</valueHelp>
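Review bot: The new `continue` entry's description, `Continue parsing next rule`, does not tell an operator when to choose it over a terminating verdict, and this include is shared by the raw-table rules this PR introduces, where non-terminating side-effect rules are the main use case. Presumably `continue` applies the rule's other statements (log, counters, add-address-to-group) and then falls through to the next rule, so the help should say so: `<description>Continue evaluation at the next rule after applying this rule's other statements (non-terminating)</description>`. The completion list on the `<list>` line and the regex constraint in the next hunk must be kept in sync with the valueHelp entries; a short `<!-- keep list, valueHelp and regex in sync -->` comment would help the next person adding an action.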
@@ -31,10 +35,10 @@
</valueHelp>
<valueHelp>
<format>notrack</format>
- <description>Igone connection tracking</description>
+ <description>Ignore connection tracking</description>
</valueHelp>
<constraint>
- <regex>(accept|jump|notrack|reject|return|drop|queue)</regex>
+ <regex>(accept|continue|jump|notrack|reject|return|drop|queue)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
new file mode 100644
index 000000000..a47cadd55
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv4.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv4.xml.i -->
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ip address to dynamic address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ip addresses to dynamic address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
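Review bot: The file ends without a trailing newline (`\ No newline at end of file` after `<!-- include end -->`), as do the other new include files in this commit, while existing includes such as `common-rule-inet.xml.i` end with one and the ipv4-raw hunk even strips an existing one. Depending on how the `#include` preprocessor concatenates fragments, a missing final newline can glue `<!-- include end -->` to whatever follows it, so add the newline. Separately, `Add ip address to dynamic address-group` would read better as `Add IPv4 address to dynamic address-group`, matching the explicit wording of the ipv6 variant.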
diff --git a/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
new file mode 100644
index 000000000..2cb077450
--- /dev/null
+++ b/interface-definitions/include/firewall/add-addr-to-group-ipv6.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/add-addr-to-group-ipv6.xml.i -->
+<node name="add-address-to-group">
+ <properties>
+ <help>Add ipv6 address to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ <node name="source-address">
+ <properties>
+ <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ <node name="destination-address">
+ <properties>
+ <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
+ </properties>
+ <children>
+ #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index bef1c3da5..55ffa3a8b 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -1,235 +1,24 @@
<!-- include start from firewall/common-rule-inet.xml.i -->
#include <include/firewall/action.xml.i>
-#include <include/generic-description.xml.i>
-#include <include/firewall/dscp.xml.i>
-#include <include/firewall/packet-options.xml.i>
-#include <include/firewall/firewall-mark.xml.i>
-#include <include/firewall/connection-mark.xml.i>
#include <include/firewall/conntrack-helper.xml.i>
-#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/connection-mark.xml.i>
+#include <include/firewall/connection-status.xml.i>
+#include <include/generic-description.xml.i>
#include <include/generic-disable-node.xml.i>
-<node name="fragment">
- <properties>
- <help>IP fragment match</help>
- </properties>
- <children>
- <leafNode name="match-frag">
- <properties>
- <help>Second and further fragments of fragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-non-frag">
- <properties>
- <help>Head fragments or unfragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="limit">
- <properties>
- <help>Rate limit using a token bucket filter</help>
- </properties>
- <children>
- <leafNode name="burst">
- <properties>
- <help>Maximum number of packets to allow in excess of rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum number of packets to allow in excess of rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="rate">
- <properties>
- <help>Maximum average matching rate</help>
- <valueHelp>
- <format>txt</format>
- <description>integer/unit (Example: 5/minute)</description>
- </valueHelp>
- <constraint>
- <regex>\d+/(second|minute|hour|day)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/limit.xml.i>
#include <include/firewall/log.xml.i>
#include <include/firewall/log-options.xml.i>
-<node name="connection-status">
- <properties>
- <help>Connection status</help>
- </properties>
- <children>
- <leafNode name="nat">
- <properties>
- <help>NAT connection status</help>
- <completionHelp>
- <list>destination source</list>
- </completionHelp>
- <valueHelp>
- <format>destination</format>
- <description>Match connections that are subject to destination NAT</description>
- </valueHelp>
- <valueHelp>
- <format>source</format>
- <description>Match connections that are subject to source NAT</description>
- </valueHelp>
- <constraint>
- <regex>(destination|source)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="protocol">
- <properties>
- <help>Protocol to match (protocol name, number, or "all")</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_protocols.sh</script>
- <list>all tcp_udp</list>
- </completionHelp>
- <valueHelp>
- <format>all</format>
- <description>All IP protocols</description>
- </valueHelp>
- <valueHelp>
- <format>tcp_udp</format>
- <description>Both TCP and UDP</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-255</format>
- <description>IP protocol number</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;protocol&gt;</format>
- <description>IP protocol name</description>
- </valueHelp>
- <valueHelp>
- <format>!&lt;protocol&gt;</format>
- <description>IP protocol name</description>
- </valueHelp>
- <constraint>
- <validator name="ip-protocol"/>
- </constraint>
- </properties>
-</leafNode>
-<node name="recent">
- <properties>
- <help>Parameters for matching recently seen sources</help>
- </properties>
- <children>
- <leafNode name="count">
- <properties>
- <help>Source addresses seen more than N times</help>
- <valueHelp>
- <format>u32:1-255</format>
- <description>Source addresses seen more than N times</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="time">
- <properties>
- <help>Source addresses seen in the last second/minute/hour</help>
- <completionHelp>
- <list>second minute hour</list>
- </completionHelp>
- <valueHelp>
- <format>second</format>
- <description>Source addresses seen COUNT times in the last second</description>
- </valueHelp>
- <valueHelp>
- <format>minute</format>
- <description>Source addresses seen COUNT times in the last minute</description>
- </valueHelp>
- <valueHelp>
- <format>hour</format>
- <description>Source addresses seen COUNT times in the last hour</description>
- </valueHelp>
- <constraint>
- <regex>(second|minute|hour)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-#include <include/firewall/synproxy.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/firewall/packet-options.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
#include <include/firewall/state.xml.i>
+#include <include/firewall/synproxy.xml.i>
#include <include/firewall/tcp-flags.xml.i>
#include <include/firewall/tcp-mss.xml.i>
-<node name="time">
- <properties>
- <help>Time to match rule</help>
- </properties>
- <children>
- <leafNode name="startdate">
- <properties>
- <help>Date to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="starttime">
- <properties>
- <help>Time of day to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stopdate">
- <properties>
- <help>Date to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stoptime">
- <properties>
- <help>Time of day to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="weekdays">
- <properties>
- <help>Comma separated weekdays to match rule on</help>
- <valueHelp>
- <format>txt</format>
- <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-6</format>
- <description>Day number (0 = Sunday ... 6 = Saturday)</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/time.xml.i>
<!-- include end -->
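Review bot: `#include <include/firewall/match-ipsec.xml.i>` is new to the inet rule set — none of the inline nodes removed in this hunk is an `ipsec` node, so this line is a feature addition rather than part of the move-into-includes refactor the rest of the hunk performs. Confirm that the nftables rendering code for the inet filter chains actually emits the corresponding `meta ipsec`/secpath match; otherwise the CLI accepts a matcher that silently has no effect, which for a firewall rule is a fail-open condition. If the addition is intended, the commit description should mention it so the behaviour change is not hidden inside a refactor.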
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index e7468bfba..960c960db 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -1,9 +1,22 @@
<!-- include start from firewall/common-rule-ipv4-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
#include <include/firewall/action-and-notrack.xml.i>
#include <include/generic-description.xml.i>
#include <include/firewall/dscp.xml.i>
-#include <include/firewall/ttl.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmp.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/protocol.xml.i>
#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/ttl.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -18,228 +31,6 @@
#include <include/firewall/source-destination-group.xml.i>
</children>
</node>
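Review bot: `#include <include/firewall/add-addr-to-group-ipv4.xml.i>` pulls dynamic-group population into the raw rule set, which in this hunk has no `state` or `connection-status` matcher — expected, since the raw hook runs before connection tracking. The consequence is that such a rule can only match on header fields, so a single spoofed UDP, ICMP or TCP SYN packet is enough to insert an arbitrary source (or destination) address into the group; if that group feeds an accept rule elsewhere, this becomes an allow-list poisoning primitive. Suggest a caveat next to the include, e.g. `<!-- raw hook: no conntrack state available; addresses added here come from unverified packets -->`, and user-facing guidance to populate allow-list groups from a post-conntrack hook with `state established` instead. The earlier children of the `destination` and `source` nodes fall outside this hunk.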
-#include <include/generic-disable-node.xml.i>
-<node name="fragment">
- <properties>
- <help>IP fragment match</help>
- </properties>
- <children>
- <leafNode name="match-frag">
- <properties>
- <help>Second and further fragments of fragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-non-frag">
- <properties>
- <help>Head fragments or unfragmented packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
-</node>
-<node name="ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- </properties>
- <children>
- <leafNode name="match-ipsec">
- <properties>
- <help>Inbound IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="match-none">
- <properties>
- <help>Inbound non-IPsec packets</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
-</node>
-<node name="limit">
- <properties>
- <help>Rate limit using a token bucket filter</help>
- </properties>
- <children>
- <leafNode name="burst">
- <properties>
- <help>Maximum number of packets to allow in excess of rate</help>
- <valueHelp>
- <format>u32:0-4294967295</format>
- <description>Maximum number of packets to allow in excess of rate</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-4294967295"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="rate">
- <properties>
- <help>Maximum average matching rate</help>
- <valueHelp>
- <format>txt</format>
- <description>integer/unit (Example: 5/minute)</description>
- </valueHelp>
- <constraint>
- <regex>\d+/(second|minute|hour|day)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="log">
- <properties>
- <help>Option to log packets matching rule</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable log</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable log</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
-</leafNode>
-#include <include/firewall/log-options.xml.i>
-<node name="connection-status">
- <properties>
- <help>Connection status</help>
- </properties>
- <children>
- <leafNode name="nat">
- <properties>
- <help>NAT connection status</help>
- <completionHelp>
- <list>destination source</list>
- </completionHelp>
- <valueHelp>
- <format>destination</format>
- <description>Match connections that are subject to destination NAT</description>
- </valueHelp>
- <valueHelp>
- <format>source</format>
- <description>Match connections that are subject to source NAT</description>
- </valueHelp>
- <constraint>
- <regex>(destination|source)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
-<leafNode name="protocol">
- <properties>
- <help>Protocol to match (protocol name, number, or "all")</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_protocols.sh</script>
- <list>all tcp_udp</list>
- </completionHelp>
- <valueHelp>
- <format>all</format>
- <description>All IP protocols</description>
- </valueHelp>
- <valueHelp>
- <format>tcp_udp</format>
- <description>Both TCP and UDP</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-255</format>
- <description>IP protocol number</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;protocol&gt;</format>
- <description>IP protocol name</description>
- </valueHelp>
- <valueHelp>
- <format>!&lt;protocol&gt;</format>
- <description>IP protocol name</description>
- </valueHelp>
- <constraint>
- <validator name="ip-protocol"/>
- </constraint>
- </properties>
-</leafNode>
-<node name="recent">
- <properties>
- <help>Parameters for matching recently seen sources</help>
- </properties>
- <children>
- <leafNode name="count">
- <properties>
- <help>Source addresses seen more than N times</help>
- <valueHelp>
- <format>u32:1-255</format>
- <description>Source addresses seen more than N times</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="time">
- <properties>
- <help>Source addresses seen in the last second/minute/hour</help>
- <completionHelp>
- <list>second minute hour</list>
- </completionHelp>
- <valueHelp>
- <format>second</format>
- <description>Source addresses seen COUNT times in the last second</description>
- </valueHelp>
- <valueHelp>
- <format>minute</format>
- <description>Source addresses seen COUNT times in the last minute</description>
- </valueHelp>
- <valueHelp>
- <format>hour</format>
- <description>Source addresses seen COUNT times in the last hour</description>
- </valueHelp>
- <constraint>
- <regex>(second|minute|hour)</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
<node name="source">
<properties>
<help>Source parameters</help>
@@ -254,74 +45,4 @@
#include <include/firewall/source-destination-group.xml.i>
</children>
</node>
-#include <include/firewall/tcp-flags.xml.i>
-#include <include/firewall/tcp-mss.xml.i>
-<node name="time">
- <properties>
- <help>Time to match rule</help>
- </properties>
- <children>
- <leafNode name="startdate">
- <properties>
- <help>Date to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="starttime">
- <properties>
- <help>Time of day to start matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stopdate">
- <properties>
- <help>Date to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter date using following notation - YYYY-MM-DD</description>
- </valueHelp>
- <constraint>
- <regex>(\d{4}\-\d{2}\-\d{2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="stoptime">
- <properties>
- <help>Time of day to stop matching rule</help>
- <valueHelp>
- <format>txt</format>
- <description>Enter time using using 24 hour notation - hh:mm:ss</description>
- </valueHelp>
- <constraint>
- <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="weekdays">
- <properties>
- <help>Comma separated weekdays to match rule on</help>
- <valueHelp>
- <format>txt</format>
- <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:0-6</format>
- <description>Day number (0 = Sunday ... 6 = Saturday)</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
-</node>
-<!-- include end -->
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
index 158c7a662..803b94b06 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -1,29 +1,8 @@
<!-- include start from firewall/common-rule-ipv4.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv4.xml.i>
#include <include/firewall/common-rule-inet.xml.i>
+#include <include/firewall/icmp.xml.i>
#include <include/firewall/ttl.xml.i>
-<node name="add-address-to-group">
- <properties>
- <help>Add ip address to dynamic address-group</help>
- </properties>
- <children>
- <node name="source-address">
- <properties>
- <help>Add source ip addresses to dynamic address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-address-groups.xml.i>
- </children>
- </node>
- <node name="destination-address">
- <properties>
- <help>Add destination ip addresses to dynamic address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-address-groups.xml.i>
- </children>
- </node>
- </children>
-</node>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -39,38 +18,6 @@
#include <include/firewall/source-destination-dynamic-group.xml.i>
</children>
</node>
-<node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
-</node>
<leafNode name="jump-target">
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
new file mode 100644
index 000000000..958167b89
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-ipv6-raw.xml.i
@@ -0,0 +1,50 @@
+<!-- include start from firewall/common-rule-ipv6-raw.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
+#include <include/firewall/action-and-notrack.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/dscp.xml.i>
+#include <include/firewall/fragment.xml.i>
+#include <include/generic-disable-node.xml.i>
+#include <include/firewall/icmpv6.xml.i>
+#include <include/firewall/limit.xml.i>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/log-options.xml.i>
+#include <include/firewall/match-ipsec.xml.i>
+#include <include/firewall/protocol.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+#include <include/firewall/recent.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+#include <include/firewall/time.xml.i>
+#include <include/firewall/hop-limit.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+ </children>
+</node>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/address-mask-ipv6.xml.i>
+ #include <include/firewall/fqdn.xml.i>
+ #include <include/firewall/geoip.xml.i>
+ #include <include/firewall/mac-address.xml.i>
+ #include <include/firewall/port.xml.i>
+ #include <include/firewall/source-destination-group-ipv6.xml.i>
+ #include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
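Review bot: The `source` and `destination` nodes here include `source-destination-dynamic-group-ipv6.xml.i`, while the visible context of this commit's `common-rule-ipv4-raw.xml.i` shows only `source-destination-group.xml.i` as the last child of its `destination`/`source` nodes — the earlier children of those ipv4 nodes fall outside that hunk, so confirm the two address families expose the same group matchers in raw rules. As in the ipv4 raw file, `add-addr-to-group-ipv6.xml.i` populates dynamic groups from a pre-conntrack hook where source addresses are unverified, so the same spoofing caveat applies and deserves a comment here too. The file also lacks a trailing newline after `<!-- include end -->`.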
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
index 78eeb361e..bb176fe71 100644
--- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -1,29 +1,8 @@
<!-- include start from firewall/common-rule-ipv6.xml.i -->
+#include <include/firewall/add-addr-to-group-ipv6.xml.i>
#include <include/firewall/common-rule-inet.xml.i>
#include <include/firewall/hop-limit.xml.i>
-<node name="add-address-to-group">
- <properties>
- <help>Add ipv6 address to dynamic ipv6-address-group</help>
- </properties>
- <children>
- <node name="source-address">
- <properties>
- <help>Add source ipv6 addresses to dynamic ipv6-address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
- </children>
- </node>
- <node name="destination-address">
- <properties>
- <help>Add destination ipv6 addresses to dynamic ipv6-address-group</help>
- </properties>
- <children>
- #include <include/firewall/add-dynamic-ipv6-address-groups.xml.i>
- </children>
- </node>
- </children>
-</node>
+#include <include/firewall/icmpv6.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
@@ -39,38 +18,6 @@
#include <include/firewall/source-destination-dynamic-group-ipv6.xml.i>
</children>
</node>
-<node name="icmpv6">
- <properties>
- <help>ICMPv6 type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMPv6 code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMPv6 type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmpv6-type-name.xml.i>
- </children>
-</node>
<leafNode name="jump-target">
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/connection-status.xml.i b/interface-definitions/include/firewall/connection-status.xml.i
new file mode 100644
index 000000000..5236c2f4f
--- /dev/null
+++ b/interface-definitions/include/firewall/connection-status.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from firewall/connection-status.xml.i -->
+<node name="connection-status">
+ <properties>
+ <help>Connection status</help>
+ </properties>
+ <children>
+ <leafNode name="nat">
+ <properties>
+ <help>NAT connection status</help>
+ <completionHelp>
+ <list>destination source</list>
+ </completionHelp>
+ <valueHelp>
+ <format>destination</format>
+ <description>Match connections that are subject to destination NAT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source</format>
+ <description>Match connections that are subject to source NAT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(destination|source)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/fragment.xml.i b/interface-definitions/include/firewall/fragment.xml.i
new file mode 100644
index 000000000..1f4c11055
--- /dev/null
+++ b/interface-definitions/include/firewall/fragment.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/fragment.xml.i -->
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 9cd0b3239..9039b76fd 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -244,6 +244,14 @@
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
+ <node name="timeout">
+ <properties>
+ <help>Connection timeout options</help>
+ </properties>
+ <children>
+ #include <include/firewall/timeout-common-protocols.xml.i>
+ </children>
+ </node>
<leafNode name="twa-hazards-protection">
<properties>
<help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
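Review bot: The new `timeout` node's help, `Connection timeout options`, does not say what the values are (presumably conntrack timeouts in seconds, coming from `timeout-common-protocols.xml.i`, which this diff does not show) or that they apply to the conntrack table as a whole rather than per rule. Propose `<help>Connection tracking timeout options (seconds, applied to the conntrack table for all rules)</help>`, after confirming the units against the include. If the same timeouts are also configurable under another CLI tree, document which setting takes precedence. The enclosing `global-options` structure starts before this hunk. Unrelated to this change, the neighbouring context line misspells `assasination`.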
diff --git a/interface-definitions/include/firewall/icmp.xml.i b/interface-definitions/include/firewall/icmp.xml.i
new file mode 100644
index 000000000..deb50a410
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmp.xml.i -->
+<node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
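Review bot: `code` is only meaningful together with `type` (or the type name pulled in by the include just above `</children>`), yet nothing in this file expresses that, so a rule with only a code can be committed and the resulting match depends on what the renderer does with a missing type. If the verify script already rejects `code` without `type` or `type-name`, state it in the help, e.g. `<help>ICMP code (requires type or type-name)</help>`. The same applies to icmpv6.xml.i in the next hunk.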
diff --git a/interface-definitions/include/firewall/icmpv6.xml.i b/interface-definitions/include/firewall/icmpv6.xml.i
new file mode 100644
index 000000000..c0118626e
--- /dev/null
+++ b/interface-definitions/include/firewall/icmpv6.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/icmpv6.xml.i -->
+<node name="icmpv6">
+ <properties>
+ <help>ICMPv6 type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMPv6 code</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMPv6 type</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMPv6 type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmpv6-type-name.xml.i>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
index 2b537ce5e..ca47ae09b 100644
--- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -31,6 +31,33 @@
</tagNode>
</children>
</node>
+ <node name="raw">
+ <properties>
+ <help>IPv4 firewall output raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/firewall/default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv4 Firewall output raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv4-raw.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
</node>
<!-- include end -->
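Review bot: The new `raw` node under ipv4 output is not shaped like the other raw chains in this change: it pulls in `default-log.xml.i` but offers no `default-jump-target`, while the ipv6 prerouting raw chain in ipv6-hook-prerouting.xml.i has `default-jump-target` and a per-rule `jump-target` but no `default-log`. If `common-rule-ipv4-raw.xml.i` exposes `action jump`, a rule in this chain has no way to name its target and will presumably fail only at verify time; if it does not, the asymmetry should at least be stated in the help. The same applies to the ipv6 output raw hunk in ipv6-hook-output.xml.i. For the ipv6 prerouting case, `default-jump-target` completes from `firewall ipv6 name`, and a named chain may carry conntrack-state matches that are not yet populated in a raw prerouting hook; a one-line caveat in that help text would save operators a debugging session.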
diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
index c38918375..17ecfe824 100644
--- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i
@@ -4,40 +4,6 @@
<help>IPv4 prerouting firewall</help>
</properties>
<children>
- <node name="filter">
- <properties>
- <help>IPv4 firewall prerouting filter</help>
- </properties>
- <children>
- #include <include/firewall/default-action-base-chains.xml.i>
- #include <include/generic-description.xml.i>
- <tagNode name="rule">
- <properties>
- <help>IPv4 Firewall prerouting filter rule number</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/common-rule-ipv4.xml.i>
- #include <include/firewall/inbound-interface.xml.i>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall ipv4 name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
<node name="raw">
<properties>
<help>IPv4 firewall prerouting raw</help>
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
index ffe1c72b8..f877cfaaf 100644
--- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -31,6 +31,33 @@
</tagNode>
</children>
</node>
+ <node name="raw">
+ <properties>
+ <help>IPv6 firewall output raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/firewall/default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall output raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6-raw.xml.i>
+ #include <include/firewall/outbound-interface.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
new file mode 100644
index 000000000..3f384828d
--- /dev/null
+++ b/interface-definitions/include/firewall/ipv6-hook-prerouting.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from firewall/ipv6-hook-prerouting.xml.i -->
+<node name="prerouting">
+ <properties>
+ <help>IPv6 prerouting firewall</help>
+ </properties>
+ <children>
+ <node name="raw">
+ <properties>
+ <help>IPv6 firewall prerouting raw</help>
+ </properties>
+ <children>
+ #include <include/firewall/default-action-base-chains.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="default-jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="rule">
+ <properties>
+ <help>IPv6 Firewall prerouting raw rule number</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number for this firewall rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/firewall/common-rule-ipv6-raw.xml.i>
+ #include <include/firewall/inbound-interface.xml.i>
+ <leafNode name="jump-target">
+ <properties>
+ <help>Set jump target. Action jump must be defined to use this setting</help>
+ <completionHelp>
+ <path>firewall ipv6 name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/limit.xml.i b/interface-definitions/include/firewall/limit.xml.i
new file mode 100644
index 000000000..21068dec2
--- /dev/null
+++ b/interface-definitions/include/firewall/limit.xml.i
@@ -0,0 +1,33 @@
+<!-- include start from firewall/limit.xml.i -->
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Maximum number of packets to allow in excess of rate</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>integer/unit (Example: 5/minute)</description>
+ </valueHelp>
+ <constraint>
+ <regex>\d+/(second|minute|hour|day)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
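Review bot: The `rate` regex `\d+/(second|minute|hour|day)` accepts `0/second`, which nft presumably rejects only at commit time; tightening the first group catches it when the value is set: `<regex>[1-9]\d*/(second|minute|hour|day)</regex>`. A `burst` of 0 is likewise accepted by the numeric range, and whether nft accepts `burst 0` for a packet limit should be confirmed before the lower bound is kept at 0.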
diff --git a/interface-definitions/include/firewall/protocol.xml.i b/interface-definitions/include/firewall/protocol.xml.i
new file mode 100644
index 000000000..e391cae41
--- /dev/null
+++ b/interface-definitions/include/firewall/protocol.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ <list>all tcp_udp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;protocol&gt;</format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;protocol&gt;</format>
+ <description>IP protocol name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
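Review bot: The valueHelp for `!&lt;protocol&gt;` carries the same description as the positive form, `IP protocol name`, so completion shows two identical entries and the negation is never explained; change the second to `<description>Match all protocols except the named one</description>`. It would also help to say whether `all` and `tcp_udp` may be negated, since the `ip-protocol` validator is the only gate here and its rules are not visible in this hunk.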
diff --git a/interface-definitions/include/firewall/recent.xml.i b/interface-definitions/include/firewall/recent.xml.i
new file mode 100644
index 000000000..38f40b916
--- /dev/null
+++ b/interface-definitions/include/firewall/recent.xml.i
@@ -0,0 +1,44 @@
+<!-- include start from firewall/recent.xml.i -->
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last second/minute/hour</help>
+ <completionHelp>
+ <list>second minute hour</list>
+ </completionHelp>
+ <valueHelp>
+ <format>second</format>
+ <description>Source addresses seen COUNT times in the last second</description>
+ </valueHelp>
+ <valueHelp>
+ <format>minute</format>
+ <description>Source addresses seen COUNT times in the last minute</description>
+ </valueHelp>
+ <valueHelp>
+ <format>hour</format>
+ <description>Source addresses seen COUNT times in the last hour</description>
+ </valueHelp>
+ <constraint>
+ <regex>(second|minute|hour)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
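Review bot: The help on `count` says `Source addresses seen more than N times` while every `time` description says `seen COUNT times in the last …`; one of these is wrong about the boundary (strictly greater versus at least), and a threshold match is exactly where an off-by-one matters. Pick the wording that matches what the nft renderer emits and use it in both places, e.g. `<description>Source addresses seen at least COUNT times in the last second</description>`.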
diff --git a/interface-definitions/include/firewall/time.xml.i b/interface-definitions/include/firewall/time.xml.i
new file mode 100644
index 000000000..7bd737450
--- /dev/null
+++ b/interface-definitions/include/firewall/time.xml.i
@@ -0,0 +1,70 @@
+<!-- include start from firewall/time.xml.i -->
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter date using following notation - YYYY-MM-DD</description>
+ </valueHelp>
+ <constraint>
+ <regex>(\d{4}\-\d{2}\-\d{2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enter time using using 24 hour notation - hh:mm:ss</description>
+ </valueHelp>
+ <constraint>
+ <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Comma separated weekdays to match rule on</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:0-6</format>
+ <description>Day number (0 = Sunday ... 6 = Saturday)</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
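Review bot: The `weekdays` leaf has valueHelp but no `<constraint>`, so any text is accepted, and the `starttime`/`stoptime` regexes accept hours 24–29 via `[0-2][0-9]`, while the date regexes accept `2024-99-99`; all of these are caught, if at all, only when nft parses the rendered rule. A tighter hour pattern is `<regex>(([01][0-9]|2[0-3])(:[0-5][0-9]){1,2})</regex>`, and `weekdays` should get a regex over the seven day names and `0-6` separated by commas (with `!` negation only if the renderer supports it, which is not visible here). Minor text fixes: `using using` is duplicated in both time descriptions and `Thursdays` should be `Thursday`.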
diff --git a/interface-definitions/include/firewall/timeout-common-protocols.xml.i b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
new file mode 100644
index 000000000..037d7d2b1
--- /dev/null
+++ b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
@@ -0,0 +1,171 @@
+<!-- include start from firewall/timeout-common-protocols.xml.i -->
+<leafNode name="icmp">
+ <properties>
+ <help>ICMP timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>ICMP timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+</leafNode>
+<leafNode name="other">
+ <properties>
+ <help>Generic connection timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>600</defaultValue>
+</leafNode>
+<node name="tcp">
+ <properties>
+ <help>TCP connection timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="close-wait">
+ <properties>
+ <help>TCP CLOSE-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="close">
+ <properties>
+ <help>TCP CLOSE timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>10</defaultValue>
+ </leafNode>
+ <leafNode name="established">
+ <properties>
+ <help>TCP ESTABLISHED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP ESTABLISHED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>432000</defaultValue>
+ </leafNode>
+ <leafNode name="fin-wait">
+ <properties>
+ <help>TCP FIN-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP FIN-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="last-ack">
+ <properties>
+ <help>TCP LAST-ACK timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP LAST-ACK timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="syn-recv">
+ <properties>
+ <help>TCP SYN-RECEIVED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-RECEIVED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="syn-sent">
+ <properties>
+ <help>TCP SYN-SENT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-SENT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="time-wait">
+ <properties>
+ <help>TCP TIME-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP TIME-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ </children>
+</node>
+<node name="udp">
+ <properties>
+ <help>UDP timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="other">
+ <properties>
+ <help>UDP generic timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP generic timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="stream">
+ <properties>
+ <help>UDP stream timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP stream timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>180</defaultValue>
+ </leafNode>
+ </children>
+</node>
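Review bot: Unlike the other new include files in this change, this one ends at `</node>` without a closing `<!-- include end -->` marker (assuming the hunk is complete at the 171 lines its header states); add the marker so include boundaries stay consistent and greppable. `other` appears twice, as a top-level leaf (`Generic connection timeout`) and again under `udp`, which is legal but easy to confuse; a cross-reference on the top-level one, e.g. `<help>Generic connection timeout in seconds (protocols without a dedicated tracker)</help>`, would help if that is indeed what the renderer maps it to.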