summaryrefslogtreecommitdiff
path: root/interface-definitions/firewall.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/firewall.xml.in')
-rw-r--r--interface-definitions/firewall.xml.in704
1 files changed, 14 insertions, 690 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 1cdc7b819..127f4b7e7 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -6,66 +6,7 @@
<help>Firewall</help>
</properties>
<children>
- <leafNode name="all-ping">
- <properties>
- <help>Policy for handling of all IPv4 ICMP echo requests</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of all IPv4 ICMP echo requests</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of all IPv4 ICMP echo requests</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="broadcast-ping">
- <properties>
- <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="config-trap">
- <properties>
- <help>SNMP trap generation on firewall configuration changes</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable sending SNMP trap on firewall configuration change</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable sending SNMP trap on firewall configuration change</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
+ #include <include/firewall/global-options.xml.i>
<node name="group">
<properties>
<help>Firewall group</help>
@@ -343,645 +284,28 @@
</tagNode>
</children>
</node>
- <tagNode name="interface">
+ <node name="ipv4">
<properties>
- <help>Interface name to apply firewall configuration</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces</script>
- </completionHelp>
- <constraint>
- #include <include/constraint/interface-name-with-wildcard.xml.i>
- </constraint>
+ <help>IPv4 firewall</help>
</properties>
<children>
- <node name="in">
- <properties>
- <help>Forwarded packets on inbound interface</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- <node name="out">
- <properties>
- <help>Forwarded packets on outbound interface</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- <node name="local">
- <properties>
- <help>Packets destined for this router</help>
- </properties>
- <children>
- #include <include/firewall/name.xml.i>
- </children>
- </node>
- </children>
- </tagNode>
- <leafNode name="ip-src-route">
- <properties>
- <help>Policy for handling IPv4 packets with source route option</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of IPv4 packets with source route option</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of IPv4 packets with source route option</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <tagNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall rule-set name</help>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
- </properties>
- <children>
- #include <include/firewall/default-action.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- #include <include/generic-description.xml.i>
- <leafNode name="default-jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <tagNode name="rule">
- <properties>
- <help>Firewall rule number (IPv6)</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this Firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/action.xml.i>
- #include <include/generic-description.xml.i>
- <node name="destination">
- <properties>
- <help>Destination parameters</help>
- </properties>
- <children>
- #include <include/firewall/address-ipv6.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group-ipv6.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask-ipv6.xml.i>
- </children>
- </node>
- <node name="source">
- <properties>
- <help>Source parameters</help>
- </properties>
- <children>
- #include <include/firewall/address-ipv6.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group-ipv6.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask-ipv6.xml.i>
- </children>
- </node>
- #include <include/firewall/common-rule.xml.i>
- #include <include/firewall/dscp.xml.i>
- #include <include/firewall/packet-options.xml.i>
- #include <include/firewall/hop-limit.xml.i>
- #include <include/firewall/connection-mark.xml.i>
- <node name="icmpv6">
- <properties>
- <help>ICMPv6 type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMPv6 code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMPv6 type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMPv6 type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmpv6-type-name.xml.i>
- </children>
- </node>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- #include <include/firewall/nft-queue.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <leafNode name="ipv6-receive-redirects">
- <properties>
- <help>Policy for handling received ICMPv6 redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of received ICMPv6 redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of received ICMPv6 redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="ipv6-src-route">
- <properties>
- <help>Policy for handling IPv6 packets with routing extension header</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of IPv6 packets with routing header type 2</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of IPv6 packets with routing header</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="log-martians">
- <properties>
- <help>Policy for logging IPv4 packets with invalid addresses</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable logging of IPv4 packets with invalid addresses</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable logging of Ipv4 packets with invalid addresses</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <tagNode name="name">
- <properties>
- <help>IPv4 firewall rule-set name</help>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
- </properties>
- <children>
- #include <include/firewall/default-action.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- #include <include/generic-description.xml.i>
- <leafNode name="default-jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <tagNode name="rule">
- <properties>
- <help>Firewall rule number (IPv4)</help>
- <valueHelp>
- <format>u32:1-999999</format>
- <description>Number for this Firewall rule</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-999999"/>
- </constraint>
- <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
- </properties>
- <children>
- #include <include/firewall/action.xml.i>
- #include <include/generic-description.xml.i>
- <node name="destination">
- <properties>
- <help>Destination parameters</help>
- </properties>
- <children>
- #include <include/firewall/address.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask.xml.i>
- </children>
- </node>
- <node name="source">
- <properties>
- <help>Source parameters</help>
- </properties>
- <children>
- #include <include/firewall/address.xml.i>
- #include <include/firewall/fqdn.xml.i>
- #include <include/firewall/geoip.xml.i>
- #include <include/firewall/source-destination-group.xml.i>
- #include <include/firewall/port.xml.i>
- #include <include/firewall/address-mask.xml.i>
- </children>
- </node>
- #include <include/firewall/common-rule.xml.i>
- #include <include/firewall/dscp.xml.i>
- #include <include/firewall/packet-options.xml.i>
- #include <include/firewall/connection-mark.xml.i>
- <node name="icmp">
- <properties>
- <help>ICMP type and code information</help>
- </properties>
- <children>
- <leafNode name="code">
- <properties>
- <help>ICMP code</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP code (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="type">
- <properties>
- <help>ICMP type</help>
- <valueHelp>
- <format>u32:0-255</format>
- <description>ICMP type (0-255)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-255"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/firewall/icmp-type-name.xml.i>
- </children>
- </node>
- <leafNode name="jump-target">
- <properties>
- <help>Set jump target. Action jump must be defined to use this setting</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- #include <include/firewall/ttl.xml.i>
- #include <include/firewall/nft-queue.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <leafNode name="receive-redirects">
- <properties>
- <help>Policy for handling received IPv4 ICMP redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable processing of received IPv4 ICMP redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable processing of received IPv4 ICMP redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <leafNode name="resolver-cache">
- <properties>
- <help>Retains last successful value if domain resolution fails</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="resolver-interval">
- <properties>
- <help>Domain resolver update interval</help>
- <valueHelp>
- <format>u32:10-3600</format>
- <description>Interval (seconds)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 10-3600"/>
- </constraint>
- </properties>
- <defaultValue>300</defaultValue>
- </leafNode>
- <leafNode name="send-redirects">
- <properties>
- <help>Policy for sending IPv4 ICMP redirect messages</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable sending IPv4 ICMP redirect messages</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable sending IPv4 ICMP redirect messages</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="source-validation">
- <properties>
- <help>Policy for source validation by reversed path, as specified in RFC3704</help>
- <completionHelp>
- <list>strict loose disable</list>
- </completionHelp>
- <valueHelp>
- <format>strict</format>
- <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
- </valueHelp>
- <valueHelp>
- <format>loose</format>
- <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>No source validation</description>
- </valueHelp>
- <constraint>
- <regex>(strict|loose|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <node name="state-policy">
- <properties>
- <help>Global firewall state-policy</help>
- </properties>
- <children>
- <node name="established">
- <properties>
- <help>Global firewall policy for packets part of an established connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
- <node name="invalid">
- <properties>
- <help>Global firewall policy for packets part of an invalid connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
- <node name="related">
- <properties>
- <help>Global firewall policy for packets part of a related connection</help>
- </properties>
- <children>
- #include <include/firewall/action-accept-drop-reject.xml.i>
- #include <include/firewall/log.xml.i>
- #include <include/firewall/rule-log-level.xml.i>
- </children>
- </node>
+ #include <include/firewall/ipv4-hook-forward.xml.i>
+ #include <include/firewall/ipv4-hook-input.xml.i>
+ #include <include/firewall/ipv4-hook-output.xml.i>
+ #include <include/firewall/ipv4-custom-name.xml.i>
</children>
</node>
- <leafNode name="syn-cookies">
- <properties>
- <help>Policy for using TCP SYN cookies with IPv4</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable use of TCP SYN cookies with IPv4</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable use of TCP SYN cookies with IPv4</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>enable</defaultValue>
- </leafNode>
- <leafNode name="twa-hazards-protection">
+ <node name="ipv6">
<properties>
- <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable RFC1337 TIME-WAIT hazards protection</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable RFC1337 TIME-WAIT hazards protection</description>
- </valueHelp>
- <constraint>
- <regex>(enable|disable)</regex>
- </constraint>
- </properties>
- <defaultValue>disable</defaultValue>
- </leafNode>
- <tagNode name="zone">
- <properties>
- <help>Zone-policy</help>
- <valueHelp>
- <format>txt</format>
- <description>Zone name</description>
- </valueHelp>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
+ <help>IPv6 firewall</help>
</properties>
<children>
- #include <include/generic-description.xml.i>
- #include <include/firewall/enable-default-log.xml.i>
- <leafNode name="default-action">
- <properties>
- <help>Default-action for traffic coming into this zone</help>
- <completionHelp>
- <list>drop reject</list>
- </completionHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <valueHelp>
- <format>reject</format>
- <description>Drop and notify source</description>
- </valueHelp>
- <constraint>
- <regex>(drop|reject)</regex>
- </constraint>
- </properties>
- <defaultValue>drop</defaultValue>
- </leafNode>
- <tagNode name="from">
- <properties>
- <help>Zone from which to filter traffic</help>
- <completionHelp>
- <path>zone-policy zone</path>
- </completionHelp>
- </properties>
- <children>
- <node name="firewall">
- <properties>
- <help>Firewall options</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </tagNode>
- <leafNode name="interface">
- <properties>
- <help>Interface associated with zone</help>
- <valueHelp>
- <format>txt</format>
- <description>Interface associated with zone</description>
- </valueHelp>
- <valueHelp>
- <format>vrf</format>
- <description>VRF associated with zone</description>
- </valueHelp>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces</script>
- <path>vrf name</path>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- <node name="intra-zone-filtering">
- <properties>
- <help>Intra-zone filtering</help>
- </properties>
- <children>
- <leafNode name="action">
- <properties>
- <help>Action for intra-zone traffic</help>
- <completionHelp>
- <list>accept drop</list>
- </completionHelp>
- <valueHelp>
- <format>accept</format>
- <description>Accept traffic</description>
- </valueHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <constraint>
- <regex>(accept|drop)</regex>
- </constraint>
- </properties>
- </leafNode>
- <node name="firewall">
- <properties>
- <help>Use the specified firewall chain</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- <leafNode name="local-zone">
- <properties>
- <help>Zone to be local-zone</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/firewall/ipv6-hook-forward.xml.i>
+ #include <include/firewall/ipv6-hook-input.xml.i>
+ #include <include/firewall/ipv6-hook-output.xml.i>
+ #include <include/firewall/ipv6-custom-name.xml.i>
</children>
- </tagNode>
+ </node>
</children>
</node>
</interfaceDefinition>
generated by cgit v1.2.3 (git 2.39.1) at 2025-10-31 07:40:02 +0000