author | Christian Breunig <christian@breunig.cc> | 2024-01-19 21:01:52 +0100 |
committer | Christian Breunig <christian@breunig.cc> | 2024-01-22 07:47:17 +0100 |
commit | 2ec023752bdd400835eb69a8f1f9d2873cef61fa (patch) | |
tree | 136e81b7fac983ff74601efdd90dfb4255fb35d6 /interface-definitions | |
parent | 5c6d4b17d90cdfdf1541d81fb081575c54b168a7 (diff) | |
firewall: T5729: T5681: T5217: backport subsystem from current branch
This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
Diffstat (limited to 'interface-definitions')
17 files changed, 113 insertions, 42 deletions
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
index 87da72c97..4e59f3c6f 100644
--- a/interface-definitions/include/firewall/action-forward.xml.i
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -3,7 +3,7 @@
 <properties>
 <help>Rule action</help>
 <completionHelp>
- <list>accept continue jump reject return drop queue offload</list>
+ <list>accept continue jump reject return drop queue offload synproxy</list>
 </completionHelp>
 <valueHelp>
 <format>accept</format>
@@ -37,9 +37,13 @@
 <format>offload</format>
 <description>Offload packet via flowtable</description>
 </valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
 <constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
 </constraint>
 </properties>
 </leafNode>
-<!-- include end -->
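Review bot: The new `synproxy` action is added to the completion list and regex here and in action.xml.i, but the value help introduced in the second hunk, `<description>Synproxy connections</description>`, tells the operator nothing about what the action does or when it applies. Suggest `<description>Proxy the TCP handshake (SYN proxy) for matching connections</description>` in both files. Whether a rule with this action is validated against the state/flags it needs is not visible in this diff (limited to interface-definitions); presumably the conf-mode verify() covers it. The enclosing `<leafNode name="action">` starts before the hunk.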
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
index 43fd211b4..84af576c8 100644
--- a/interface-definitions/include/firewall/action-l2.xml.i
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/action-l2.xml.i -->
+<!-- include start from firewall/action.xml.i -->
 <leafNode name="action">
 <properties>
 <help>Rule action</help>
@@ -34,4 +34,4 @@
 </constraint>
 </properties>
 </leafNode>
-<!-- include end -->
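Review bot: The include-start marker now names the wrong file: the first hunk replaces the correct `<!-- include start from firewall/action-l2.xml.i -->` with `<!-- include start from firewall/action.xml.i -->`, so the marker no longer matches the file it lives in and will mislead anyone tracing the generated template back to its source. Keep `<!-- include start from firewall/action-l2.xml.i -->`. The same mismatch is introduced in default-action-bridge.xml.i, whose marker becomes `default-action.xml.i`.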
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 5dd1bfaff..e1f0c6cb6 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
 <properties>
 <help>Rule action</help>
 <completionHelp>
- <list>accept continue jump reject return drop queue offload</list>
+ <list>accept continue jump reject return drop queue offload synproxy</list>
 </completionHelp>
 <valueHelp>
 <format>accept</format>
@@ -37,8 +37,12 @@
 <format>offload</format>
 <description>Offload packet via flowtable</description>
 </valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
 <constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
 </constraint>
 </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index dcdd970ac..6de770c79 100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -9,7 +9,12 @@
 #include <include/firewall/mac-address.xml.i>
 </children>
 </node>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
 <leafNode name="jump-target">
 <properties>
 <help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 3b5cb724d..6f56ecc85 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
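Review bot: Replacing `#include <include/generic-disable-node.xml.i>` with an inline copy of the `disable` leaf forks a shared definition, and the identical six lines are pasted again in common-rule-inet.xml.i, so the two copies can now drift apart. Presumably the motivation is the firewall-specific help text; if so, a single `include/firewall/disable.xml.i` included from both places, or at least a comment above the leaf such as `<!-- inlined instead of generic-disable-node.xml.i to keep firewall-specific help text -->`, would record that intent. The enclosing `<children>` of this include starts before the hunk.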
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -7,7 +7,12 @@
 #include <include/firewall/connection-mark.xml.i>
 #include <include/firewall/conntrack-helper.xml.i>
 #include <include/firewall/nft-queue.xml.i>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
 <node name="fragment">
 <properties>
 <help>IP fragment match</help>
@@ -179,8 +184,10 @@
 </leafNode>
 </children>
 </node>
+#include <include/firewall/synproxy.xml.i>
 #include <include/firewall/state.xml.i>
 #include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
 <node name="time">
 <properties>
 <help>Time to match rule</help>
@@ -249,4 +256,4 @@
 </leafNode>
 </children>
 </node>
-<!-- include end -->
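Review bot: In the second hunk `tcp-flags.xml.i` and the new `tcp-mss.xml.i` each open their own `<node name="tcp">` under the same `<children>`, so the result depends on the template builder merging two same-named sibling nodes rather than rejecting or shadowing one; the same pairing is added in common-rule-ipv4-raw.xml.i. If that merge is intended, a comment next to the include, `<!-- tcp-mss.xml.i is merged into the tcp node defined by tcp-flags.xml.i -->`, would stop the next reader from treating it as a duplicate definition. Separately, `synproxy.xml.i` is now offered on every inet rule although its values only mean something together with `action synproxy`; presumably the conf-mode verify() enforces that pairing, which this diff does not show.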
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index b253ee048..0d749aa27 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -260,6 +260,7 @@
 </children>
 </node>
 #include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
 <node name="time">
 <properties>
 <help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
index 577165976..858c7aeeb 100644
--- a/interface-definitions/include/firewall/default-action-bridge.xml.i
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -1,7 +1,7 @@
-<!-- include start from firewall/default-action-bridge.xml.i -->
+<!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
 <properties>
- <help>Default action for rule-set</help>
+ <help>Default-action for rule-set</help>
 <completionHelp>
 <list>drop jump return accept continue</list>
 </completionHelp>
@@ -31,4 +31,4 @@
 </properties>
 <defaultValue>drop</defaultValue>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 6a49d800e..53a161495 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
 <properties>
- <help>Default action for rule-set</help>
+ <help>Default-action for rule-set</help>
 <completionHelp>
 <list>drop jump reject return accept continue</list>
 </completionHelp>
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
index a4cee12d8..36a939ba3 100644
--- a/interface-definitions/include/firewall/firewall-mark.xml.i
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -23,4 +23,4 @@
 </constraint>
 </properties>
 </leafNode>
-<!-- include end -->
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
index 795ed77be..21548f3fb 100644
--- a/interface-definitions/include/firewall/log.xml.i
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -4,4 +4,5 @@
 <help>Log packets hitting this rule</help>
 <valueless/>
 </properties>
-</leafNode>
\ No newline at end of file
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 9f720ab37..5da6f51fb 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -40,4 +40,4 @@
 </valueHelp>
 </properties>
 </leafNode>
-<!-- include end -->
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
index d0820f7d8..44ad02c99 100644
--- a/interface-definitions/include/firewall/match-vlan.xml.i
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -6,14 +6,14 @@
 <children>
 <leafNode name="id">
 <properties>
- <help>VLAN id</help>
+ <help>Vlan id</help>
 <valueHelp>
 <format>u32:0-4096</format>
- <description>VLAN id</description>
+ <description>Vlan id</description>
 </valueHelp>
 <valueHelp>
 <format><start-end></format>
- <description>VLAN id range to match</description>
+ <description>Vlan id range to match</description>
 </valueHelp>
 <constraint>
 <validator name="numeric" argument="--allow-range --range 0-4095"/>
@@ -22,14 +22,14 @@
 </leafNode>
 <leafNode name="priority">
 <properties>
- <help>VLAN priority(pcp)</help>
+ <help>Vlan priority(pcp)</help>
 <valueHelp>
 <format>u32:0-7</format>
- <description>VLAN priority</description>
+ <description>Vlan priority</description>
 </valueHelp>
 <valueHelp>
 <format><start-end></format>
- <description>VLAN priority range to match</description>
+ <description>Vlan priority range to match</description>
 </valueHelp>
 <constraint>
 <validator name="numeric" argument="--allow-range --range 0-7"/>
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
index b1ae39100..940ed8091 100644
--- a/interface-definitions/include/firewall/offload-target.xml.i
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -7,4 +7,4 @@
 </completionHelp>
 </properties>
 </leafNode>
-<!-- include end -->
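Review bot: The `id` leaf in the first hunk advertises `<format>u32:0-4096</format>` while its validator is `--allow-range --range 0-4095`, so the help promises a value the constraint rejects; the format line is untouched by this commit but sits in the hunk and should read `<format>u32:0-4095</format>`. As a point of style, the help strings are downcased to `Vlan` while the same commit keeps `TCP` upper-case in tcp-flags.xml.i and tcp-mss.xml.i; if the backport does not have to track the current branch word-for-word, `VLAN` is the consistent spelling. The enclosing `<node name="vlan">` starts before the hunk.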
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/state.xml.i b/interface-definitions/include/firewall/state.xml.i
index 47ce3c91d..dee9722e5 100644
--- a/interface-definitions/include/firewall/state.xml.i
+++ b/interface-definitions/include/firewall/state.xml.i
@@ -27,4 +27,4 @@
 <multi/>
 </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/synproxy.xml.i b/interface-definitions/include/firewall/synproxy.xml.i
new file mode 100644
index 000000000..a65126ea9
--- /dev/null
+++ b/interface-definitions/include/firewall/synproxy.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/synproxy.xml.i -->
+<node name="synproxy">
+ <properties>
+ <help>Synproxy options</help>
+ </properties>
+ <children>
+ <node name="tcp">
+ <properties>
+ <help>TCP synproxy options</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>TCP Maximum segment size</help>
+ <valueHelp>
+ <format>u32:501-65535</format>
+ <description>Maximum segment size for synproxy connections</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 501-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="window-scale">
+ <properties>
+ <help>TCP window scale for synproxy connections</help>
+ <valueHelp>
+ <format>u32:1-14</format>
+ <description>TCP window scale</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-14"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
index e2ce7b9fd..36546c2e4 100644
--- a/interface-definitions/include/firewall/tcp-flags.xml.i
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from firewall/tcp-flags.xml.i -->
 <node name="tcp">
 <properties>
- <help>TCP flags to match</help>
+ <help>TCP options to match</help>
 </properties>
 <children>
 <node name="flags">
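Review bot: The new node's help strings never say when these values take effect: `<help>Synproxy options</help>` and `<help>TCP synproxy options</help>` could read `<help>SYN proxy parameters (used when the rule action is synproxy)</help>`, and `<help>TCP Maximum segment size</help>` could name the direction, e.g. `<help>TCP maximum segment size used on proxied connections</help>`. The `mss` lower bound of 501 is also unexplained and differs from the `1-16384` accepted by the tcp-mss.xml.i match in this same commit; if 501 is a requirement of the underlying synproxy implementation, a comment above the validator such as `<!-- TODO(review): document where the 501 minimum comes from -->` or a short description would save the next maintainer from "fixing" it. Whether a rule with `action synproxy` but no `mss`/`window-scale` is accepted is not visible here; presumably the conf-mode verify() decides.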
@@ -114,22 +114,6 @@
 </node>
 </children>
 </node>
- <leafNode name="mss">
- <properties>
- <help>Maximum segment size (MSS)</help>
- <valueHelp>
- <format>u32:1-16384</format>
- <description>Maximum segment size</description>
- </valueHelp>
- <valueHelp>
- <format><min>-<max></format>
- <description>TCP MSS range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 1-16384"/>
- </constraint>
- </properties>
- </leafNode>
 </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-mss.xml.i b/interface-definitions/include/firewall/tcp-mss.xml.i
new file mode 100644
index 000000000..dc49b4272
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-mss.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/tcp-mss.xml.i -->
+<node name="tcp">
+ <properties>
+ <help>TCP options to match</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>Maximum segment size (MSS)</help>
+ <valueHelp>
+ <format>u32:1-16384</format>
+ <description>Maximum segment size</description>
+ </valueHelp>
+ <valueHelp>
+ <format><min>-<max></format>
+ <description>TCP MSS range (use '-' as delimiter)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 1-16384"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
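Review bot: Removing the `mss` leaf from tcp-flags.xml.i takes the `tcp mss` match away from every consumer of that include that does not also pick up the new tcp-mss.xml.i; within this diff only common-rule-inet.xml.i and common-rule-ipv4-raw.xml.i add the new include, so any other definition that includes tcp-flags.xml.i (an IPv6 raw rule set, for instance, if one exists outside this diffstat) would silently lose the option with no config-migration error. Worth checking every `#include <include/firewall/tcp-flags.xml.i>` in the tree before merging and pairing each with `#include <include/firewall/tcp-mss.xml.i>` where the match was previously available. A one-line comment at the top of tcp-flags.xml.i, `<!-- tcp mss match lives in tcp-mss.xml.i; include both to keep the full tcp node -->`, would make the split visible to future readers.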