summaryrefslogtreecommitdiff
path: root/interface-definitions
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-19 21:01:52 +0100
committerChristian Breunig <christian@breunig.cc>2024-01-22 07:47:17 +0100
commit2ec023752bdd400835eb69a8f1f9d2873cef61fa (patch)
tree136e81b7fac983ff74601efdd90dfb4255fb35d6 /interface-definitions
parent5c6d4b17d90cdfdf1541d81fb081575c54b168a7 (diff)
downloadvyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.tar.gz
vyos-1x-2ec023752bdd400835eb69a8f1f9d2873cef61fa.zip
firewall: T5729: T5681: T5217: backport subsystem from current branch
This is a combined backport for all accumulated changes done to the firewall subsystem on the current branch.
Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/include/firewall/action-forward.xml.i10
-rw-r--r--interface-definitions/include/firewall/action-l2.xml.i4
-rw-r--r--interface-definitions/include/firewall/action.xml.i8
-rw-r--r--interface-definitions/include/firewall/common-rule-bridge.xml.i7
-rw-r--r--interface-definitions/include/firewall/common-rule-inet.xml.i11
-rw-r--r--interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i1
-rw-r--r--interface-definitions/include/firewall/default-action-bridge.xml.i6
-rw-r--r--interface-definitions/include/firewall/default-action.xml.i2
-rw-r--r--interface-definitions/include/firewall/firewall-mark.xml.i2
-rw-r--r--interface-definitions/include/firewall/log.xml.i3
-rw-r--r--interface-definitions/include/firewall/match-interface.xml.i2
-rw-r--r--interface-definitions/include/firewall/match-vlan.xml.i12
-rw-r--r--interface-definitions/include/firewall/offload-target.xml.i2
-rw-r--r--interface-definitions/include/firewall/state.xml.i2
-rw-r--r--interface-definitions/include/firewall/synproxy.xml.i40
-rw-r--r--interface-definitions/include/firewall/tcp-flags.xml.i18
-rw-r--r--interface-definitions/include/firewall/tcp-mss.xml.i25
17 files changed, 113 insertions, 42 deletions
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
index 87da72c97..4e59f3c6f 100644
--- a/interface-definitions/include/firewall/action-forward.xml.i
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept continue jump reject return drop queue offload</list>
+ <list>accept continue jump reject return drop queue offload synproxy</list>
</completionHelp>
<valueHelp>
<format>accept</format>
@@ -37,9 +37,13 @@
<format>offload</format>
<description>Offload packet via flowtable</description>
</valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
<constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
</constraint>
</properties>
</leafNode>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
index 43fd211b4..84af576c8 100644
--- a/interface-definitions/include/firewall/action-l2.xml.i
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/action-l2.xml.i -->
+<!-- include start from firewall/action.xml.i -->
<leafNode name="action">
<properties>
<help>Rule action</help>
@@ -34,4 +34,4 @@
</constraint>
</properties>
</leafNode>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 5dd1bfaff..e1f0c6cb6 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept continue jump reject return drop queue offload</list>
+ <list>accept continue jump reject return drop queue offload synproxy</list>
</completionHelp>
<valueHelp>
<format>accept</format>
@@ -37,8 +37,12 @@
<format>offload</format>
<description>Offload packet via flowtable</description>
</valueHelp>
+ <valueHelp>
+ <format>synproxy</format>
+ <description>Synproxy connections</description>
+ </valueHelp>
<constraint>
- <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+ <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index dcdd970ac..6de770c79 100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -9,7 +9,12 @@
#include <include/firewall/mac-address.xml.i>
</children>
</node>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
<leafNode name="jump-target">
<properties>
<help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 3b5cb724d..6f56ecc85 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -7,7 +7,12 @@
#include <include/firewall/connection-mark.xml.i>
#include <include/firewall/conntrack-helper.xml.i>
#include <include/firewall/nft-queue.xml.i>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
<node name="fragment">
<properties>
<help>IP fragment match</help>
@@ -179,8 +184,10 @@
</leafNode>
</children>
</node>
+#include <include/firewall/synproxy.xml.i>
#include <include/firewall/state.xml.i>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
@@ -249,4 +256,4 @@
</leafNode>
</children>
</node>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index b253ee048..0d749aa27 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -260,6 +260,7 @@
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
<node name="time">
<properties>
<help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
index 577165976..858c7aeeb 100644
--- a/interface-definitions/include/firewall/default-action-bridge.xml.i
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -1,7 +1,7 @@
-<!-- include start from firewall/default-action-bridge.xml.i -->
+<!-- include start from firewall/default-action.xml.i -->
<leafNode name="default-action">
<properties>
- <help>Default action for rule-set</help>
+ <help>Default-action for rule-set</help>
<completionHelp>
<list>drop jump return accept continue</list>
</completionHelp>
@@ -31,4 +31,4 @@
</properties>
<defaultValue>drop</defaultValue>
</leafNode>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 6a49d800e..53a161495 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -1,7 +1,7 @@
<!-- include start from firewall/default-action.xml.i -->
<leafNode name="default-action">
<properties>
- <help>Default action for rule-set</help>
+ <help>Default-action for rule-set</help>
<completionHelp>
<list>drop jump reject return accept continue</list>
</completionHelp>
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
index a4cee12d8..36a939ba3 100644
--- a/interface-definitions/include/firewall/firewall-mark.xml.i
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -23,4 +23,4 @@
</constraint>
</properties>
</leafNode>
-<!-- include end -->
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
index 795ed77be..21548f3fb 100644
--- a/interface-definitions/include/firewall/log.xml.i
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -4,4 +4,5 @@
<help>Log packets hitting this rule</help>
<valueless/>
</properties>
-</leafNode> \ No newline at end of file
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 9f720ab37..5da6f51fb 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -40,4 +40,4 @@
</valueHelp>
</properties>
</leafNode>
-<!-- include end -->
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
index d0820f7d8..44ad02c99 100644
--- a/interface-definitions/include/firewall/match-vlan.xml.i
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -6,14 +6,14 @@
<children>
<leafNode name="id">
<properties>
- <help>VLAN id</help>
+ <help>Vlan id</help>
<valueHelp>
<format>u32:0-4096</format>
- <description>VLAN id</description>
+ <description>Vlan id</description>
</valueHelp>
<valueHelp>
<format>&lt;start-end&gt;</format>
- <description>VLAN id range to match</description>
+ <description>Vlan id range to match</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--allow-range --range 0-4095"/>
@@ -22,14 +22,14 @@
</leafNode>
<leafNode name="priority">
<properties>
- <help>VLAN priority(pcp)</help>
+ <help>Vlan priority(pcp)</help>
<valueHelp>
<format>u32:0-7</format>
- <description>VLAN priority</description>
+ <description>Vlan priority</description>
</valueHelp>
<valueHelp>
<format>&lt;start-end&gt;</format>
- <description>VLAN priority range to match</description>
+ <description>Vlan priority range to match</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--allow-range --range 0-7"/>
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
index b1ae39100..940ed8091 100644
--- a/interface-definitions/include/firewall/offload-target.xml.i
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -7,4 +7,4 @@
</completionHelp>
</properties>
</leafNode>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/state.xml.i b/interface-definitions/include/firewall/state.xml.i
index 47ce3c91d..dee9722e5 100644
--- a/interface-definitions/include/firewall/state.xml.i
+++ b/interface-definitions/include/firewall/state.xml.i
@@ -27,4 +27,4 @@
<multi/>
</properties>
</leafNode>
-<!-- include end --> \ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/synproxy.xml.i b/interface-definitions/include/firewall/synproxy.xml.i
new file mode 100644
index 000000000..a65126ea9
--- /dev/null
+++ b/interface-definitions/include/firewall/synproxy.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/synproxy.xml.i -->
+<node name="synproxy">
+ <properties>
+ <help>Synproxy options</help>
+ </properties>
+ <children>
+ <node name="tcp">
+ <properties>
+ <help>TCP synproxy options</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>TCP Maximum segment size</help>
+ <valueHelp>
+ <format>u32:501-65535</format>
+ <description>Maximum segment size for synproxy connections</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 501-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="window-scale">
+ <properties>
+ <help>TCP window scale for synproxy connections</help>
+ <valueHelp>
+ <format>u32:1-14</format>
+ <description>TCP window scale</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-14"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
index e2ce7b9fd..36546c2e4 100644
--- a/interface-definitions/include/firewall/tcp-flags.xml.i
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -1,7 +1,7 @@
<!-- include start from firewall/tcp-flags.xml.i -->
<node name="tcp">
<properties>
- <help>TCP flags to match</help>
+ <help>TCP options to match</help>
</properties>
<children>
<node name="flags">
@@ -114,22 +114,6 @@
</node>
</children>
</node>
- <leafNode name="mss">
- <properties>
- <help>Maximum segment size (MSS)</help>
- <valueHelp>
- <format>u32:1-16384</format>
- <description>Maximum segment size</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;min&gt;-&lt;max&gt;</format>
- <description>TCP MSS range (use '-' as delimiter)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--allow-range --range 1-16384"/>
- </constraint>
- </properties>
- </leafNode>
</children>
</node>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-mss.xml.i b/interface-definitions/include/firewall/tcp-mss.xml.i
new file mode 100644
index 000000000..dc49b4272
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-mss.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/tcp-mss.xml.i -->
+<node name="tcp">
+ <properties>
+ <help>TCP options to match</help>
+ </properties>
+ <children>
+ <leafNode name="mss">
+ <properties>
+ <help>Maximum segment size (MSS)</help>
+ <valueHelp>
+ <format>u32:1-16384</format>
+ <description>Maximum segment size</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;min&gt;-&lt;max&gt;</format>
+ <description>TCP MSS range (use '-' as delimiter)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 1-16384"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->