authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-15 12:48:48 +0100
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2022-01-17 12:28:12 +0100
commit64668771d5f14fc4b68fff382d166238c164bdde (patch)
tree8138b4ae97d8edaf0ddf227b20cabb5c28af57f2 /interface-definitions/include
parentdf5a862beb84145dfc8434efde7d7fee783199cf (diff)
firewall: policy: T4178: Migrate and refactor tcp flags
* Add support for ECN and CWR flags
Diffstat (limited to 'interface-definitions/include')
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i51
-rw-r--r--interface-definitions/include/firewall/tcp-flags.xml.i119
-rw-r--r--interface-definitions/include/policy/route-common-rule-ipv6.xml.i51
-rw-r--r--interface-definitions/include/policy/route-common-rule.xml.i51
4 files changed, 122 insertions, 150 deletions
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 6e8203c88..5ffbd639c 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -264,56 +264,7 @@
</leafNode>
</children>
</node>
-<node name="tcp">
- <properties>
- <help>TCP flags to match</help>
- </properties>
- <children>
- <leafNode name="flags">
- <properties>
- <help>TCP flags to match</help>
- <valueHelp>
- <format>txt</format>
- <description>Multiple comma-separated flags</description>
- </valueHelp>
- <valueHelp>
- <format>syn</format>
- <description>Syncronise flag</description>
- </valueHelp>
- <valueHelp>
- <format>ack</format>
- <description>Acknowledge flag</description>
- </valueHelp>
- <valueHelp>
- <format>fin</format>
- <description>Finish flag</description>
- </valueHelp>
- <valueHelp>
- <format>rst</format>
- <description>Reset flag</description>
- </valueHelp>
- <valueHelp>
- <format>urg</format>
- <description>Urgent flag</description>
- </valueHelp>
- <valueHelp>
- <format>psh</format>
- <description>Push flag</description>
- </valueHelp>
- <valueHelp>
- <format> </format>
- <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
- </valueHelp>
- <completionHelp>
- <list>syn ack fin rst urg psh</list>
- </completionHelp>
- <constraint>
- <validator name="tcp-flag"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
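Review bot: Swapping the inline definition for `#include <include/firewall/tcp-flags.xml.i>` changes `tcp flags` from one comma-separated leaf value into a subtree of valueless leaves, so a saved rule in the old form (the removed help text gives `SYN,!ACK,!FIN,!RST`) no longer fits the schema. The same applies to the identical hunks in policy/route-common-rule-ipv6.xml.i and policy/route-common-rule.xml.i. This view is limited to interface-definitions/include, so the migration named in the commit title is not visible here; it needs to cover all three rule trees and map each `!flag` to `flags not <flag>`. A rule that loses its flag match on upgrade is broader than the one the operator wrote, so I would add a migration test with at least one negated flag per tree. A short comment above the include would also help the next reader, for example `<!-- tcp flags: comma-separated leaf before T4178, now a subtree; old values are migrated -->`.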
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
new file mode 100644
index 000000000..b99896687
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -0,0 +1,119 @@
+<!-- include start from firewall/tcp-flags.xml.i -->
+<node name="tcp">
+ <properties>
+ <help>TCP flags to match</help>
+ </properties>
+ <children>
+ <node name="flags">
+ <properties>
+ <help>TCP flags to match</help>
+ </properties>
+ <children>
+ <leafNode name="syn">
+ <properties>
+ <help>Synchronise flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ack">
+ <properties>
+ <help>Acknowledge flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="fin">
+ <properties>
+ <help>Finish flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="rst">
+ <properties>
+ <help>Reset flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="urg">
+ <properties>
+ <help>Urgent flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="psh">
+ <properties>
+ <help>Push flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ecn">
+ <properties>
+ <help>Explicit Congestion Notification flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="cwr">
+ <properties>
+ <help>Congestion Window Reduced flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <node name="not">
+ <properties>
+ <help>Match flags not set</help>
+ </properties>
+ <children>
+ <leafNode name="syn">
+ <properties>
+ <help>Synchronise flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ack">
+ <properties>
+ <help>Acknowledge flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="fin">
+ <properties>
+ <help>Finish flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="rst">
+ <properties>
+ <help>Reset flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="urg">
+ <properties>
+ <help>Urgent flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="psh">
+ <properties>
+ <help>Push flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ecn">
+ <properties>
+ <help>Explicit Congestion Notification flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="cwr">
+ <properties>
+ <help>Congestion Window Reduced flag</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
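Review bot: Nothing in this definition stops a rule from setting the same flag under both `flags` and `flags not` (for example `syn` in each), and the `tcp-flag` validator on the old leaf is removed without a replacement. The interface definition cannot express that exclusion, so it presumably has to be enforced in the config script's verify step, which is outside this path-limited diff; it should reject the commit instead of emitting a rule that can never match. The two eight-leaf lists are also duplicated by hand, so I would add a comment above the `not` node such as `<!-- keep in sync with the flag leaves above -->`. The `not` help would read more clearly as `<help>Match packets with these flags unset</help>`.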
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
index b8fee4b7b..735edbd48 100644
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -320,56 +320,7 @@
</leafNode>
</children>
</node>
-<node name="tcp">
- <properties>
- <help>TCP flags to match</help>
- </properties>
- <children>
- <leafNode name="flags">
- <properties>
- <help>TCP flags to match</help>
- <valueHelp>
- <format>txt</format>
- <description>Multiple comma-separated flags</description>
- </valueHelp>
- <valueHelp>
- <format>syn</format>
- <description>Syncronise flag</description>
- </valueHelp>
- <valueHelp>
- <format>ack</format>
- <description>Acknowledge flag</description>
- </valueHelp>
- <valueHelp>
- <format>fin</format>
- <description>Finish flag</description>
- </valueHelp>
- <valueHelp>
- <format>rst</format>
- <description>Reset flag</description>
- </valueHelp>
- <valueHelp>
- <format>urg</format>
- <description>Urgent flag</description>
- </valueHelp>
- <valueHelp>
- <format>psh</format>
- <description>Push flag</description>
- </valueHelp>
- <valueHelp>
- <format> </format>
- <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
- </valueHelp>
- <completionHelp>
- <list>syn ack fin rst urg psh</list>
- </completionHelp>
- <constraint>
- <validator name="tcp-flag"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
index 17b47474d..4452f78fc 100644
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -320,56 +320,7 @@
</leafNode>
</children>
</node>
-<node name="tcp">
- <properties>
- <help>TCP flags to match</help>
- </properties>
- <children>
- <leafNode name="flags">
- <properties>
- <help>TCP flags to match</help>
- <valueHelp>
- <format>txt</format>
- <description>Multiple comma-separated flags</description>
- </valueHelp>
- <valueHelp>
- <format>syn</format>
- <description>Syncronise flag</description>
- </valueHelp>
- <valueHelp>
- <format>ack</format>
- <description>Acknowledge flag</description>
- </valueHelp>
- <valueHelp>
- <format>fin</format>
- <description>Finish flag</description>
- </valueHelp>
- <valueHelp>
- <format>rst</format>
- <description>Reset flag</description>
- </valueHelp>
- <valueHelp>
- <format>urg</format>
- <description>Urgent flag</description>
- </valueHelp>
- <valueHelp>
- <format>psh</format>
- <description>Push flag</description>
- </valueHelp>
- <valueHelp>
- <format> </format>
- <description>\n When specifying more than one flag, flags should be comma-separated.\n For example: value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
- </valueHelp>
- <completionHelp>
- <list>syn ack fin rst urg psh</list>
- </completionHelp>
- <constraint>
- <validator name="tcp-flag"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+#include <include/firewall/tcp-flags.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>