summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/include/firewall')
-rw-r--r--interface-definitions/include/firewall/action.xml.i8
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i10
-rw-r--r--interface-definitions/include/firewall/connection-mark.xml.i4
-rw-r--r--interface-definitions/include/firewall/fwmark.xml.i14
-rw-r--r--interface-definitions/include/firewall/match-interface.xml.i2
-rw-r--r--interface-definitions/include/firewall/nft-queue.xml.i34
-rw-r--r--interface-definitions/include/firewall/packet-options.xml.i (renamed from interface-definitions/include/firewall/packet-length.xml.i)29
-rw-r--r--interface-definitions/include/firewall/rule-log-level.xml.i2
-rw-r--r--interface-definitions/include/firewall/rule-log-options.xml.i89
9 files changed, 184 insertions, 8 deletions
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 468340cbb..7c6e33839 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Rule action</help>
<completionHelp>
- <list>accept jump reject return drop</list>
+ <list>accept jump reject return drop queue</list>
</completionHelp>
<valueHelp>
<format>accept</format>
@@ -25,8 +25,12 @@
<format>drop</format>
<description>Drop matching entries</description>
</valueHelp>
+ <valueHelp>
+ <format>queue</format>
+ <description>Enqueue packet to userspace</description>
+ </valueHelp>
<constraint>
- <regex>(accept|jump|reject|return|drop)</regex>
+ <regex>(accept|jump|reject|return|drop|queue)</regex>
</constraint>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 75acefd96..7417a3c58 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -1,6 +1,14 @@
<!-- include start from firewall/common-rule.xml.i -->
#include <include/firewall/action.xml.i>
#include <include/generic-description.xml.i>
+<node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/mac-address.xml.i>
+ </children>
+</node>
<leafNode name="disable">
<properties>
<help>Option to disable firewall rule</help>
@@ -111,7 +119,7 @@
</constraint>
</properties>
</leafNode>
-#include <include/firewall/rule-log-level.xml.i>
+#include <include/firewall/rule-log-options.xml.i>
<node name="connection-status">
<properties>
<help>Connection status</help>
diff --git a/interface-definitions/include/firewall/connection-mark.xml.i b/interface-definitions/include/firewall/connection-mark.xml.i
index 2cb826635..69f7fe62c 100644
--- a/interface-definitions/include/firewall/connection-mark.xml.i
+++ b/interface-definitions/include/firewall/connection-mark.xml.i
@@ -3,11 +3,11 @@
<properties>
<help>Connection mark</help>
<valueHelp>
- <format>u32:1-2147483647</format>
+ <format>u32:0-2147483647</format>
<description>Connection-mark to match</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 1-2147483647"/>
+ <validator name="numeric" argument="--range 0-2147483647"/>
</constraint>
<multi/>
</properties>
diff --git a/interface-definitions/include/firewall/fwmark.xml.i b/interface-definitions/include/firewall/fwmark.xml.i
new file mode 100644
index 000000000..4607ef58f
--- /dev/null
+++ b/interface-definitions/include/firewall/fwmark.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fwmark.xml.i -->
+<leafNode name="fwmark">
+ <properties>
+ <help>Match fwmark value</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Match firewall mark value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 675a87574..3e52422cf 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -3,7 +3,7 @@
<properties>
<help>Match interface</help>
<completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
+ <script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
diff --git a/interface-definitions/include/firewall/nft-queue.xml.i b/interface-definitions/include/firewall/nft-queue.xml.i
new file mode 100644
index 000000000..8799eac74
--- /dev/null
+++ b/interface-definitions/include/firewall/nft-queue.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/nft-queue.xml.i -->
+<leafNode name="queue">
+ <properties>
+ <help>Queue target to use. Action queue must be defined to use this setting</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Queue target</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 0-65535"/>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="queue-options">
+ <properties>
+ <help>Options used for queue target. Action queue must be defined to use this setting</help>
+ <completionHelp>
+ <list>bypass fanout</list>
+ </completionHelp>
+ <valueHelp>
+ <format>bypass</format>
+ <description>Let packets go through if userspace application cannot back off</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fanout</format>
+ <description>Distribute packets between several queues</description>
+ </valueHelp>
+ <constraint>
+ <regex>(bypass|fanout)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end --> \ No newline at end of file
diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-options.xml.i
index fd2eb67b0..cd94e69c2 100644
--- a/interface-definitions/include/firewall/packet-length.xml.i
+++ b/interface-definitions/include/firewall/packet-options.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/packet-length.xml.i -->
+<!-- include start from firewall/packet-options.xml.i -->
<leafNode name="packet-length">
<properties>
<help>Payload size in bytes, including header and data to match</help>
@@ -33,4 +33,31 @@
<multi/>
</properties>
</leafNode>
+<leafNode name="packet-type">
+ <properties>
+ <help>Packet type</help>
+ <completionHelp>
+ <list>broadcast host multicast other</list>
+ </completionHelp>
+ <valueHelp>
+ <format>broadcast</format>
+ <description>Match broadcast packet type</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host</format>
+ <description>Match host packet type, addressed to local host</description>
+ </valueHelp>
+ <valueHelp>
+ <format>multicast</format>
+ <description>Match multicast packet type</description>
+ </valueHelp>
+ <valueHelp>
+ <format>other</format>
+ <description>Match packet addressed to another host</description>
+ </valueHelp>
+ <constraint>
+ <regex>(broadcast|host|multicast|other)</regex>
+ </constraint>
+ </properties>
+</leafNode>
<!-- include end -->
diff --git a/interface-definitions/include/firewall/rule-log-level.xml.i b/interface-definitions/include/firewall/rule-log-level.xml.i
index 10c8de5e3..3ac473844 100644
--- a/interface-definitions/include/firewall/rule-log-level.xml.i
+++ b/interface-definitions/include/firewall/rule-log-level.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/common-rule.xml.i -->
+<!-- include start from firewall/rule-log-level.xml.i -->
<leafNode name="log-level">
<properties>
<help>Set log-level. Log must be enable.</help>
diff --git a/interface-definitions/include/firewall/rule-log-options.xml.i b/interface-definitions/include/firewall/rule-log-options.xml.i
new file mode 100644
index 000000000..e8b0cdec3
--- /dev/null
+++ b/interface-definitions/include/firewall/rule-log-options.xml.i
@@ -0,0 +1,89 @@
+<!-- include start from firewall/rule-log-options.xml.i -->
+<node name="log-options">
+ <properties>
+ <help>Log options</help>
+ </properties>
+ <children>
+ <leafNode name="group">
+ <properties>
+ <help>Set log group</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Log group to send messages to</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="snapshot-length">
+ <properties>
+ <help>Length of packet payload to include in netlink message</help>
+ <valueHelp>
+ <format>u32:0-9000</format>
+ <description>Length of packet payload to include in netlink message</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-9000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="queue-threshold">
+ <properties>
+ <help>Number of packets to queue inside the kernel before sending them to userspace</help>
+ <valueHelp>
+ <format>u32:0-65535</format>
+ <description>Number of packets to queue inside the kernel before sending them to userspace</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="level">
+ <properties>
+ <help>Set log-level</help>
+ <completionHelp>
+ <list>emerg alert crit err warn notice info debug</list>
+ </completionHelp>
+ <valueHelp>
+ <format>emerg</format>
+ <description>Emerg log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>alert</format>
+ <description>Alert log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>crit</format>
+ <description>Critical log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>err</format>
+ <description>Error log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>warn</format>
+ <description>Warning log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>notice</format>
+ <description>Notice log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>info</format>
+ <description>Info log level</description>
+ </valueHelp>
+ <valueHelp>
+ <format>debug</format>
+ <description>Debug log level</description>
+ </valueHelp>
+ <constraint>
+ <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
+ </constraint>
+ <constraintErrorMessage>level must be alert, crit, debug, emerg, err, info, notice or warn</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-17 10:29:09 +0000