Diffstat (limited to 'interface-definitions')
9 files changed, 263 insertions, 4 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 127f4b7e7..8e462f3eb 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -284,6 +284,15 @@
           </tagNode>
         </children>
       </node>
+      <node name="bridge">
+        <properties>
+          <help>Bridge firewall</help>
+        </properties>
+        <children>
+          #include <include/firewall/bridge-hook-forward.xml.i>
+          #include <include/firewall/bridge-custom-name.xml.i>
+        </children>
+      </node>
       <node name="ipv4">
         <properties>
           <help>IPv4 firewall</help>
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
new file mode 100644
index 000000000..84af576c8
--- /dev/null
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump return drop queue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|return|drop|queue)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 7c6e33839..9391a7bee 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
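Review bot: The include-start comment on the first added line names the wrong file, `<!-- include start from firewall/action.xml.i -->`; this is the new layer-2 snippet, so it should read `<!-- include start from firewall/action-l2.xml.i -->`, otherwise anyone tracing the generated schema back to its source is sent to the IPv4/IPv6 action list. The only functional difference from action.xml.i is that `reject` is absent from both the `<list>` and the `<regex>`, which looks deliberate for bridge (layer-2) rules but is nowhere stated; a one-line comment next to the `<list>`, such as `<!-- no reject: not offered for bridge rules -->`, would make the omission read as intentional rather than as a copy-paste gap. The hunk header announces 37 lines while 31 are visible on this page, so the rendering may have dropped content.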
@@ -3,13 +3,17 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept jump reject return drop queue</list>
+      <list>accept continue jump reject return drop queue</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
       <description>Accept matching entries</description>
     </valueHelp>
     <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
       <format>jump</format>
       <description>Jump to another chain</description>
     </valueHelp>
@@ -30,7 +34,7 @@
       <description>Enqueue packet to userspace</description>
     </valueHelp>
     <constraint>
-      <regex>(accept|jump|reject|return|drop|queue)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue)</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
new file mode 100644
index 000000000..a85fd5a19
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/bridge-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>Bridge custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall bridge name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>Bridge Firewall forward filter rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-bridge.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
new file mode 100644
index 000000000..23d757070
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/bridge-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>Bridge forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
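Review bot: In bridge-custom-name.xml.i the chain pulls in the generic `#include <include/firewall/default-action.xml.i>`, whose constraint (see the default-action.xml.i hunk in this same commit) still accepts `reject`, while the commit also adds a bridge-specific `default-action-bridge.xml.i` that omits `reject` to match `action-l2.xml.i` — and nothing in this diff includes that new file. The custom bridge chain therefore offers `reject` as a default-action even though per-rule actions deliberately do not; the include line should be `#include <include/firewall/default-action-bridge.xml.i>`. Separately, `default-jump-target` carries a `<completionHelp>` but no `<constraint>`, so the CLI layer accepts any string as the target chain name; unless the Python verify step checks it (not visible here), reuse the regex from the `name` tagNode, `<constraint><regex>[a-zA-Z0-9][\w\-\.]*</regex></constraint>`, so a value that can never name a chain is rejected at commit time rather than reaching the generated ruleset.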
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
new file mode 100644
index 000000000..381e04b1e
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,57 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/firewall/action-l2.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+<leafNode name="disable">
+  <properties>
+    <help>Option to disable firewall rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall bridge name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<leafNode name="log">
+  <properties>
+    <help>Option to log packets matching rule</help>
+    <completionHelp>
+      <list>enable disable</list>
+    </completionHelp>
+    <valueHelp>
+      <format>enable</format>
+      <description>Enable log</description>
+    </valueHelp>
+    <valueHelp>
+      <format>disable</format>
+      <description>Disable log</description>
+    </valueHelp>
+    <constraint>
+      <regex>(enable|disable)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/firewall/inbound-interface.xml.i>
+#include <include/firewall/outbound-interface.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
new file mode 100644
index 000000000..858c7aeeb
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/default-action.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default-action for rule-set</help>
+    <completionHelp>
+      <list>drop jump return accept continue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|jump|return|accept|continue)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>drop</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 80efaf335..53a161495 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
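Review bot: In common-rule-bridge.xml.i the `jump-target` leaf has a `<completionHelp>` pointing at `firewall bridge name` but no `<constraint>`, so the CLI accepts any string — including whitespace or nftables syntax characters — as the chain name that will be written into the generated ruleset. The `name` tagNode in bridge-custom-name.xml.i restricts chain names to `[a-zA-Z0-9][\w\-\.]*`, and the same regex belongs on this leaf, `<constraint><regex>[a-zA-Z0-9][\w\-\.]*</regex></constraint>`, unless the verify script already rejects unknown targets (that code is not in this diff). The file would also benefit from a header comment stating that `source`/`destination` deliberately carry only `mac-address` because these rules are evaluated in the bridge (layer-2) family, so a reader does not go looking for the missing address/port selectors.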
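Review bot: The include-start comment in default-action-bridge.xml.i says `<!-- include start from firewall/default-action.xml.i -->`, but this is the new bridge-specific file; it should be `<!-- include start from firewall/default-action-bridge.xml.i -->` so readers of the generated schema can find the right source. As far as this diff shows, nothing `#include`s this file — bridge-custom-name.xml.i includes the generic default-action.xml.i and bridge-hook-forward.xml.i includes default-action-base-chains.xml.i — so it is either dead code or the include in bridge-custom-name.xml.i was meant to point here; the list in this file (no `reject`) is the one consistent with action-l2.xml.i. The hunk header announces 34 lines while 29 are visible on this page, so the rendering may have dropped content.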
@@ -3,7 +3,7 @@
   <properties>
     <help>Default-action for rule-set</help>
     <completionHelp>
-      <list>drop jump reject return accept</list>
+      <list>drop jump reject return accept continue</list>
     </completionHelp>
     <valueHelp>
       <format>drop</format>
@@ -25,8 +25,12 @@
       <format>accept</format>
       <description>Accept if no prior rules are hit</description>
     </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
     <constraint>
-      <regex>(drop|jump|reject|return|accept)</regex>
+      <regex>(drop|jump|reject|return|accept|continue)</regex>
     </constraint>
   </properties>
   <defaultValue>drop</defaultValue>
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
new file mode 100644
index 000000000..44ad02c99
--- /dev/null
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
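Review bot: The new `continue` value's description, `Continue parsing next rule`, is copied from the per-rule action help and is misleading for a default-action: by definition no rule follows the default, so the text does not tell the operator what happens to the packet. If default-action is rendered as the last rule of the chain (the implementation is not in this diff), a `continue` verdict there leaves the chain with no decision taken, i.e. it behaves like `return` in a user chain and lets the base chain's policy decide; suggest `<description>Take no verdict; packet continues in the calling chain or falls through to the chain policy</description>`, or at least a help note that the meaning differs from the per-rule `continue`. The same wording is used in default-action-bridge.xml.i added by this commit.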
@@ -0,0 +1,41 @@
+<!-- include start from firewall/match-vlan.xml.i -->
+<node name="vlan">
+  <properties>
+    <help>VLAN parameters</help>
+  </properties>
+  <children>
+    <leafNode name="id">
+      <properties>
+        <help>Vlan id</help>
+        <valueHelp>
+          <format>u32:0-4096</format>
+          <description>Vlan id</description>
+        </valueHelp>
+        <valueHelp>
+          <format><start-end></format>
+          <description>Vlan id range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-4095"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="priority">
+      <properties>
+        <help>Vlan priority(pcp)</help>
+        <valueHelp>
+          <format>u32:0-7</format>
+          <description>Vlan priority</description>
+        </valueHelp>
+        <valueHelp>
+          <format><start-end></format>
+          <description>Vlan priority range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-7"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
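Review bot: In match-vlan.xml.i the `id` leaf's `<valueHelp>` advertises `u32:0-4096` while the validator enforces `--range 0-4095`, so the help promises a value the constraint rejects (4096 is not a valid 802.1Q VID in any case); change the format line to `<format>u32:0-4095</format>`. The range formats appear on this page as a bare `<start-end>` inside `<format>`; if the committed file really contains that literal rather than `&lt;start-end&gt;`, the include is not well-formed XML and the schema build will fail, so it is worth confirming the entities survived (the page may simply have decoded them). A short comment that VID 0 (priority-tagged) and 4095 are reserved values but still matchable would explain to a reader why the lower bound is 0 rather than 1.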
