diff options
Diffstat (limited to 'interface-definitions')
83 files changed, 3163 insertions, 950 deletions
diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 6651fc642..6b712a70f 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -3,7 +3,7 @@ <node name="container" owner="${vyos_conf_scripts_dir}/container.py"> <properties> <help>Container applications</help> - <priority>1280</priority> + <priority>450</priority> </properties> <children> <tagNode name="name"> @@ -110,7 +110,7 @@ <constraint> <regex>[ !#-%&(-~]+</regex> </constraint> - <constraintErrorMessage>Entrypoint must be ascii characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> + <constraintErrorMessage>Entrypoint must be ASCII characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> </properties> </leafNode> <leafNode name="host-name"> @@ -133,7 +133,7 @@ <constraint> <regex>[ !#-%&(-~]+</regex> </constraint> - <constraintErrorMessage>Command must be ascii characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> + <constraintErrorMessage>Command must be ASCII characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> </properties> </leafNode> <leafNode name="arguments"> @@ -142,9 +142,29 @@ <constraint> <regex>[ !#-%&(-~]+</regex> </constraint> - <constraintErrorMessage>The command's arguments must be ascii characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> + <constraintErrorMessage>The command's arguments must be ASCII characters, use &quot; and &apos for double and single quotes respectively</constraintErrorMessage> </properties> </leafNode> + <tagNode name="label"> + <properties> + <help>Add label variables</help> + <constraint> + <regex>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?</regex> + </constraint> + <constraintErrorMessage>Label variable name must be alphanumeric and can contain hyphen, dots and underscores</constraintErrorMessage> + </properties> + <children> + <leafNode name="value"> + <properties> + <help>Set label option value</help> + <valueHelp> + <format>txt</format> + <description>Set label option value</description> + </valueHelp> + </properties> + </leafNode> + </children> + </tagNode> <leafNode name="memory"> <properties> <help>Memory (RAM) available to this container</help> @@ -213,6 +233,7 @@ <help>Publish port to the container</help> </properties> <children> + #include <include/listen-address.xml.i> <leafNode name="source"> <properties> <help>Source host port</help> @@ -334,6 +355,42 @@ </properties> <defaultValue>rw</defaultValue> </leafNode> + <leafNode name="propagation"> + <properties> + <help>Volume bind propagation</help> + <completionHelp> + <list>shared slave private rshared rslave rprivate</list> + </completionHelp> + <valueHelp> + <format>shared</format> + <description>Sub-mounts of the original mount are exposed to replica mounts</description> + </valueHelp> + <valueHelp> + <format>slave</format> + <description>Allow replica mount to see sub-mount from the original mount but not vice versa</description> + </valueHelp> + <valueHelp> + <format>private</format> + <description>Sub-mounts within a mount are not visible to replica mounts or the original mount</description> + </valueHelp> + <valueHelp> + <format>rshared</format> + <description>Allows sharing of mount points and their nested mount points between both the original and replica mounts</description> + </valueHelp> + <valueHelp> + <format>rslave</format> + <description>Allows mount point and their nested mount points between original an replica mounts</description> + </valueHelp> + <valueHelp> + <format>rprivate</format> + <description>No mount points within original or replica mounts in any direction</description> + </valueHelp> + <constraint> + <regex>(shared|slave|private|rshared|rslave|rprivate)</regex> + </constraint> + </properties> + <defaultValue>rprivate</defaultValue> + </leafNode> </children> </tagNode> </children> diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index 2a2597dd5..42715c9bb 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -9,6 +9,7 @@ <priority>910</priority> </properties> <children> + #include <include/generic-disable-node.xml.i> #include <include/generic-interface-multi-broadcast.xml.i> <leafNode name="listen-interface"> <properties> diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index 1830cc1ad..583de7ba9 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in @@ -129,7 +129,7 @@ <properties> <help>Bootstrap file name</help> <constraint> - <regex>[-_a-zA-Z0-9./]+</regex> + <regex>[[:ascii:]]{1,253}</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/dhcpv6-relay.xml.in b/interface-definitions/dhcpv6-relay.xml.in index 947adef75..a80317609 100644 --- a/interface-definitions/dhcpv6-relay.xml.in +++ b/interface-definitions/dhcpv6-relay.xml.in @@ -9,6 +9,7 @@ <priority>900</priority> </properties> <children> + #include <include/generic-disable-node.xml.i> <tagNode name="listen-interface"> <properties> <help>Interface for DHCPv6 Relay Agent to listen for requests</help> diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in index 48c101d73..a0720f3aa 100644 --- a/interface-definitions/dns-dynamic.xml.in +++ b/interface-definitions/dns-dynamic.xml.in @@ -4,149 +4,102 @@ <children> <node name="dns"> <properties> - <help>Domain Name System related services</help> + <help>Domain Name System (DNS) related services</help> </properties> <children> - <node name="dynamic" owner="${vyos_conf_scripts_dir}/dynamic_dns.py"> + <node name="dynamic" owner="${vyos_conf_scripts_dir}/dns_dynamic.py"> <properties> <help>Dynamic DNS</help> </properties> <children> - <tagNode name="interface"> + <tagNode name="address"> <properties> - <help>Interface to send Dynamic DNS updates for</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - </completionHelp> + <help>Obtain IP address to send Dynamic DNS update for</help> <valueHelp> <format>txt</format> - <description>Interface name</description> + <description>Use interface to obtain the IP address</description> </valueHelp> + <valueHelp> + <format>web</format> + <description>Use HTTP(S) web request to obtain the IP address</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces</script> + <list>web</list> + </completionHelp> <constraint> #include <include/constraint/interface-name.xml.i> + <regex>web</regex> </constraint> </properties> <children> - <tagNode name="rfc2136"> + <node name="web-options"> <properties> - <help>RFC2136 Update name</help> + <help>Options when using HTTP(S) web request to obtain the IP address</help> </properties> <children> - <leafNode name="key"> + #include <include/url.xml.i> + <leafNode name="skip"> <properties> - <help>File containing the secret key shared with remote DNS server</help> + <help>Pattern to skip from the HTTP(S) respose</help> <valueHelp> - <format>filename</format> - <description>File in /config/auth directory</description> + <format>txt</format> + <description>Pattern to skip from the HTTP(S) respose to extract the external IP address</description> </valueHelp> </properties> </leafNode> - <leafNode name="record"> - <properties> - <help>Record to be updated</help> - <multi/> - </properties> - </leafNode> - <leafNode name="server"> - <properties> - <help>Server to be updated</help> - </properties> - </leafNode> - <leafNode name="ttl"> + </children> + </node> + <tagNode name="rfc2136"> + <properties> + <help>RFC2136 nsupdate configuration</help> + <valueHelp> + <format>txt</format> + <description>RFC2136 nsupdate service name</description> + </valueHelp> + </properties> + <children> + #include <include/generic-description.xml.i> + #include <include/dns/dynamic-service-host-name-server.xml.i> + <leafNode name="key"> <properties> - <help>Time To Live (default: 600)</help> + <help>File containing the TSIG secret key shared with remote DNS server</help> <valueHelp> - <format>u32:1-86400</format> - <description>DNS forwarding cache size</description> + <format>filename</format> + <description>File in /config/auth directory</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-86400"/> + <validator name="file-path" argument="--strict --parent-dir /config/auth"/> </constraint> </properties> - <defaultValue>600</defaultValue> </leafNode> + #include <include/dns/time-to-live.xml.i> <leafNode name="zone"> <properties> - <help>Zone to be updated</help> + <help>Forwarding zone to be updated</help> + <valueHelp> + <format>txt</format> + <description>RFC2136 Zone to be updated</description> + </valueHelp> + <constraint> + <validator name="fqdn"/> + </constraint> </properties> </leafNode> </children> </tagNode> <tagNode name="service"> <properties> - <help>Service being used for Dynamic DNS</help> - <completionHelp> - <list>afraid changeip cloudflare dnspark dslreports dyndns easydns namecheap noip sitelutions zoneedit</list> - </completionHelp> + <help>Dynamic DNS configuration</help> <valueHelp> <format>txt</format> - <description>Dynanmic DNS service with a custom name</description> - </valueHelp> - <valueHelp> - <format>afraid</format> - <description>afraid.org Services</description> - </valueHelp> - <valueHelp> - <format>changeip</format> - <description>changeip.com Services</description> - </valueHelp> - <valueHelp> - <format>cloudflare</format> - <description>cloudflare.com Services</description> - </valueHelp> - <valueHelp> - <format>dnspark</format> - <description>dnspark.com Services</description> - </valueHelp> - <valueHelp> - <format>dslreports</format> - <description>dslreports.com Services</description> - </valueHelp> - <valueHelp> - <format>dyndns</format> - <description>dyndns.com Services</description> - </valueHelp> - <valueHelp> - <format>easydns</format> - <description>easydns.com Services</description> - </valueHelp> - <valueHelp> - <format>namecheap</format> - <description>namecheap.com Services</description> - </valueHelp> - <valueHelp> - <format>noip</format> - <description>noip.com Services</description> - </valueHelp> - <valueHelp> - <format>sitelutions</format> - <description>sitelutions.com Services</description> - </valueHelp> - <valueHelp> - <format>zoneedit</format> - <description>zoneedit.com Services</description> + <description>Dynamic DNS service name</description> </valueHelp> - <constraint> - <regex>(custom|afraid|changeip|cloudflare|dnspark|dslreports|dyndns|easydns|namecheap|noip|sitelutions|zoneedit|\w+)</regex> - </constraint> - <constraintErrorMessage>You can use only predefined list of services or word characters (_, a-z, A-Z, 0-9) as service name</constraintErrorMessage> </properties> <children> - <leafNode name="host-name"> - <properties> - <help>Hostname to register with Dynamic DNS service</help> - <constraint> - #include <include/constraint/host-name.xml.i> - </constraint> - <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="login"> - <properties> - <help>Login/Username for Dynamic DNS service</help> - </properties> - </leafNode> + #include <include/generic-description.xml.i> + #include <include/dns/dynamic-service-host-name-server.xml.i> + #include <include/generic-username.xml.i> #include <include/generic-password.xml.i> <leafNode name="protocol"> <properties> @@ -159,7 +112,6 @@ </constraint> </properties> </leafNode> - #include <include/server-ipv4-fqdn.xml.i> <leafNode name="zone"> <properties> <help>DNS zone to update (not used by all protocols)</help> @@ -169,33 +121,49 @@ </valueHelp> </properties> </leafNode> - </children> - </tagNode> - <node name="use-web"> - <properties> - <help>Use HTTP(S) web request to obtain external IP address instead of the IP address associated with the interface</help> - </properties> - <children> - <leafNode name="skip"> + <leafNode name="ip-version"> <properties> - <help>Pattern to skip from the respose</help> + <help>IP address version to use</help> <valueHelp> - <format>txt</format> - <description>Pattern to skip from the respose of the given URL to extract the external IP address</description> + <format>_ipv4</format> + <description>Use only IPv4 address</description> + </valueHelp> + <valueHelp> + <format>_ipv6</format> + <description>Use only IPv6 address</description> </valueHelp> + <valueHelp> + <format>both</format> + <description>Use both IPv4 and IPv6 address</description> + </valueHelp> + <completionHelp> + <list>ipv4 ipv6 both</list> + </completionHelp> + <constraint> + <regex>(ipv[46]|both)</regex> + </constraint> + <constraintErrorMessage>IP Version must be literal 'ipv4', 'ipv6' or 'both'</constraintErrorMessage> </properties> + <defaultValue>ipv4</defaultValue> </leafNode> - #include <include/url.xml.i> </children> - </node> - <leafNode name="ipv6-enable"> - <properties> - <help>Explicitly use IPv6 address instead of IPv4 address to update the Dynamic DNS IP address</help> - <valueless/> - </properties> - </leafNode> + </tagNode> </children> </tagNode> + <leafNode name="timeout"> + <properties> + <help>Time in seconds to wait between DNS updates</help> + <valueHelp> + <format>u32:60-3600</format> + <description>Time in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 60-3600"/> + </constraint> + <constraintErrorMessage>Timeout must be between 60 and 3600 seconds</constraintErrorMessage> + </properties> + <defaultValue>300</defaultValue> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index ced1c9c31..86dc47a47 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -5,7 +5,7 @@ <children> <node name="dns"> <properties> - <help>Domain Name System related services</help> + <help>Domain Name System (DNS) related services</help> </properties> <children> <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py"> diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 69901e5d3..127f4b7e7 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -6,66 +6,7 @@ <help>Firewall</help> </properties> <children> - <leafNode name="all-ping"> - <properties> - <help>Policy for handling of all IPv4 ICMP echo requests</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of all IPv4 ICMP echo requests</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of all IPv4 ICMP echo requests</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="broadcast-ping"> - <properties> - <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="config-trap"> - <properties> - <help>SNMP trap generation on firewall configuration changes</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable sending SNMP trap on firewall configuration change</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable sending SNMP trap on firewall configuration change</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> + #include <include/firewall/global-options.xml.i> <node name="group"> <properties> <help>Firewall group</help> @@ -343,640 +284,28 @@ </tagNode> </children> </node> - <tagNode name="interface"> + <node name="ipv4"> <properties> - <help>Interface name to apply firewall configuration</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - </completionHelp> - <constraint> - #include <include/constraint/interface-name-with-wildcard.xml.i> - </constraint> + <help>IPv4 firewall</help> </properties> <children> - <node name="in"> - <properties> - <help>Forwarded packets on inbound interface</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - <node name="out"> - <properties> - <help>Forwarded packets on outbound interface</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - <node name="local"> - <properties> - <help>Packets destined for this router</help> - </properties> - <children> - #include <include/firewall/name.xml.i> - </children> - </node> - </children> - </tagNode> - <leafNode name="ip-src-route"> - <properties> - <help>Policy for handling IPv4 packets with source route option</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of IPv4 packets with source route option</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of IPv4 packets with source route option</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <tagNode name="ipv6-name"> - <properties> - <help>IPv6 firewall rule-set name</help> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> - </properties> - <children> - #include <include/firewall/default-action.xml.i> - #include <include/firewall/enable-default-log.xml.i> - #include <include/generic-description.xml.i> - <leafNode name="default-jump-target"> - <properties> - <help>Set jump target. Action jump must be defined in default-action to use this setting</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <tagNode name="rule"> - <properties> - <help>Firewall rule number (IPv6)</help> - <valueHelp> - <format>u32:1-999999</format> - <description>Number for this Firewall rule</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-999999"/> - </constraint> - <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> - </properties> - <children> - #include <include/firewall/action.xml.i> - #include <include/generic-description.xml.i> - <node name="destination"> - <properties> - <help>Destination parameters</help> - </properties> - <children> - #include <include/firewall/address-ipv6.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group-ipv6.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask-ipv6.xml.i> - </children> - </node> - <node name="source"> - <properties> - <help>Source parameters</help> - </properties> - <children> - #include <include/firewall/address-ipv6.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group-ipv6.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask-ipv6.xml.i> - </children> - </node> - #include <include/firewall/common-rule.xml.i> - #include <include/firewall/dscp.xml.i> - #include <include/firewall/packet-options.xml.i> - #include <include/firewall/hop-limit.xml.i> - #include <include/firewall/connection-mark.xml.i> - <node name="icmpv6"> - <properties> - <help>ICMPv6 type and code information</help> - </properties> - <children> - <leafNode name="code"> - <properties> - <help>ICMPv6 code</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMPv6 code (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="type"> - <properties> - <help>ICMPv6 type</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMPv6 type (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - #include <include/firewall/icmpv6-type-name.xml.i> - </children> - </node> - <leafNode name="jump-target"> - <properties> - <help>Set jump target. Action jump must be defined to use this setting</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - #include <include/firewall/nft-queue.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <leafNode name="ipv6-receive-redirects"> - <properties> - <help>Policy for handling received ICMPv6 redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of received ICMPv6 redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of received ICMPv6 redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="ipv6-src-route"> - <properties> - <help>Policy for handling IPv6 packets with routing extension header</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of IPv6 packets with routing header type 2</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of IPv6 packets with routing header</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="log-martians"> - <properties> - <help>Policy for logging IPv4 packets with invalid addresses</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable logging of IPv4 packets with invalid addresses</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable logging of Ipv4 packets with invalid addresses</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <tagNode name="name"> - <properties> - <help>IPv4 firewall rule-set name</help> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> - </properties> - <children> - #include <include/firewall/default-action.xml.i> - #include <include/firewall/enable-default-log.xml.i> - #include <include/generic-description.xml.i> - <leafNode name="default-jump-target"> - <properties> - <help>Set jump target. Action jump must be defined in default-action to use this setting</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <tagNode name="rule"> - <properties> - <help>Firewall rule number (IPv4)</help> - <valueHelp> - <format>u32:1-999999</format> - <description>Number for this Firewall rule</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-999999"/> - </constraint> - <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> - </properties> - <children> - #include <include/firewall/action.xml.i> - #include <include/generic-description.xml.i> - <node name="destination"> - <properties> - <help>Destination parameters</help> - </properties> - <children> - #include <include/firewall/address.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask.xml.i> - </children> - </node> - <node name="source"> - <properties> - <help>Source parameters</help> - </properties> - <children> - #include <include/firewall/address.xml.i> - #include <include/firewall/fqdn.xml.i> - #include <include/firewall/geoip.xml.i> - #include <include/firewall/source-destination-group.xml.i> - #include <include/firewall/port.xml.i> - #include <include/firewall/address-mask.xml.i> - </children> - </node> - #include <include/firewall/common-rule.xml.i> - #include <include/firewall/dscp.xml.i> - #include <include/firewall/packet-options.xml.i> - #include <include/firewall/connection-mark.xml.i> - <node name="icmp"> - <properties> - <help>ICMP type and code information</help> - </properties> - <children> - <leafNode name="code"> - <properties> - <help>ICMP code</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMP code (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="type"> - <properties> - <help>ICMP type</help> - <valueHelp> - <format>u32:0-255</format> - <description>ICMP type (0-255)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - #include <include/firewall/icmp-type-name.xml.i> - </children> - </node> - <leafNode name="jump-target"> - <properties> - <help>Set jump target. Action jump must be defined to use this setting</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - #include <include/firewall/ttl.xml.i> - #include <include/firewall/nft-queue.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <leafNode name="receive-redirects"> - <properties> - <help>Policy for handling received IPv4 ICMP redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable processing of received IPv4 ICMP redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable processing of received IPv4 ICMP redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <leafNode name="resolver-cache"> - <properties> - <help>Retains last successful value if domain resolution fails</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="resolver-interval"> - <properties> - <help>Domain resolver update interval</help> - <valueHelp> - <format>u32:10-3600</format> - <description>Interval (seconds)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 10-3600"/> - </constraint> - </properties> - <defaultValue>300</defaultValue> - </leafNode> - <leafNode name="send-redirects"> - <properties> - <help>Policy for sending IPv4 ICMP redirect messages</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable sending IPv4 ICMP redirect messages</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable sending IPv4 ICMP redirect messages</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="source-validation"> - <properties> - <help>Policy for source validation by reversed path, as specified in RFC3704</help> - <completionHelp> - <list>strict loose disable</list> - </completionHelp> - <valueHelp> - <format>strict</format> - <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> - </valueHelp> - <valueHelp> - <format>loose</format> - <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>No source validation</description> - </valueHelp> - <constraint> - <regex>(strict|loose|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <node name="state-policy"> - <properties> - <help>Global firewall state-policy</help> - </properties> - <children> - <node name="established"> - <properties> - <help>Global firewall policy for packets part of an established connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> - <node name="invalid"> - <properties> - <help>Global firewall policy for packets part of an invalid connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> - <node name="related"> - <properties> - <help>Global firewall policy for packets part of a related connection</help> - </properties> - <children> - #include <include/firewall/action-accept-drop-reject.xml.i> - #include <include/firewall/log.xml.i> - #include <include/firewall/rule-log-level.xml.i> - </children> - </node> + #include <include/firewall/ipv4-hook-forward.xml.i> + #include <include/firewall/ipv4-hook-input.xml.i> + #include <include/firewall/ipv4-hook-output.xml.i> + #include <include/firewall/ipv4-custom-name.xml.i> </children> </node> - <leafNode name="syn-cookies"> - <properties> - <help>Policy for using TCP SYN cookies with IPv4</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable use of TCP SYN cookies with IPv4</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable use of TCP SYN cookies with IPv4</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>enable</defaultValue> - </leafNode> - <leafNode name="twa-hazards-protection"> + <node name="ipv6"> <properties> - <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable RFC1337 TIME-WAIT hazards protection</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable RFC1337 TIME-WAIT hazards protection</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> - </properties> - <defaultValue>disable</defaultValue> - </leafNode> - <tagNode name="zone"> - <properties> - <help>Zone-policy</help> - <valueHelp> - <format>txt</format> - <description>Zone name</description> - </valueHelp> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> + <help>IPv6 firewall</help> </properties> <children> - #include <include/generic-description.xml.i> - #include <include/firewall/enable-default-log.xml.i> - <leafNode name="default-action"> - <properties> - <help>Default-action for traffic coming into this zone</help> - <completionHelp> - <list>drop reject</list> - </completionHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <valueHelp> - <format>reject</format> - <description>Drop and notify source</description> - </valueHelp> - <constraint> - <regex>(drop|reject)</regex> - </constraint> - </properties> - <defaultValue>drop</defaultValue> - </leafNode> - <tagNode name="from"> - <properties> - <help>Zone from which to filter traffic</help> - <completionHelp> - <path>zone-policy zone</path> - </completionHelp> - </properties> - <children> - <node name="firewall"> - <properties> - <help>Firewall options</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </tagNode> - <leafNode name="interface"> - <properties> - <help>Interface associated with zone</help> - <valueHelp> - <format>txt</format> - <description>Interface associated with zone</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - </completionHelp> - <multi/> - </properties> - </leafNode> - <node name="intra-zone-filtering"> - <properties> - <help>Intra-zone filtering</help> - </properties> - <children> - <leafNode name="action"> - <properties> - <help>Action for intra-zone traffic</help> - <completionHelp> - <list>accept drop</list> - </completionHelp> - <valueHelp> - <format>accept</format> - <description>Accept traffic</description> - </valueHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <constraint> - <regex>(accept|drop)</regex> - </constraint> - </properties> - </leafNode> - <node name="firewall"> - <properties> - <help>Use the specified firewall chain</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> - <leafNode name="local-zone"> - <properties> - <help>Zone to be local-zone</help> - <valueless/> - </properties> - </leafNode> + #include <include/firewall/ipv6-hook-forward.xml.i> + #include <include/firewall/ipv6-hook-input.xml.i> + #include <include/firewall/ipv6-hook-output.xml.i> + #include <include/firewall/ipv6-custom-name.xml.i> </children> - </tagNode> + </node> </children> </node> </interfaceDefinition> diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in index c5e46ed38..4f55916fa 100644 --- a/interface-definitions/high-availability.xml.in +++ b/interface-definitions/high-availability.xml.in @@ -30,6 +30,22 @@ </constraint> </properties> </leafNode> + <leafNode name="version"> + <properties> + <help>Default VRRP version to use, IPv6 always uses VRRP version 3</help> + <valueHelp> + <format>2</format> + <description>VRRP version 2</description> + </valueHelp> + <valueHelp> + <format>3</format> + <description>VRRP version 3</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 2-3"/> + </constraint> + </properties> + </leafNode> </children> </node> <tagNode name="group"> @@ -320,9 +336,10 @@ </node> <tagNode name="virtual-server"> <properties> - <help>Load-balancing virtual server address</help> + <help>Load-balancing virtual server alias</help> </properties> <children> + #include <include/address-ipv4-ipv6-single.xml.i> <leafNode name="algorithm"> <properties> <help>Schedule algorithm (default - least-connection)</help> diff --git a/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i b/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i index e5918b765..b93ba67d8 100644 --- a/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i +++ b/interface-definitions/include/accel-ppp/client-ip-pool-subnet-single.xml.i @@ -8,8 +8,9 @@ </valueHelp> <constraint> <validator name="ipv4-prefix"/> + <validator name="ipv4-host"/> </constraint> - <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage> + <constraintErrorMessage>Not a valid IP address or prefix</constraintErrorMessage> </properties> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/address-ipv4-ipv6-single.xml.i b/interface-definitions/include/address-ipv4-ipv6-single.xml.i new file mode 100644 index 000000000..dc3d6fc1b --- /dev/null +++ b/interface-definitions/include/address-ipv4-ipv6-single.xml.i @@ -0,0 +1,18 @@ +<!-- include start from interface/address-ipv4-ipv6.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address</description> + </valueHelp> + <constraint> + <validator name="ip-address"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/bgp/afi-export-import.xml.i b/interface-definitions/include/bgp/afi-export-import.xml.i index 86817cdb3..5223af0ae 100644 --- a/interface-definitions/include/bgp/afi-export-import.xml.i +++ b/interface-definitions/include/bgp/afi-export-import.xml.i @@ -32,6 +32,7 @@ </valueHelp> <completionHelp> <path>vrf name</path> + <list>default</list> </completionHelp> <multi/> </properties> diff --git a/interface-definitions/include/bgp/afi-label.xml.i b/interface-definitions/include/bgp/afi-label.xml.i index 9535d19e8..2c5eed18b 100644 --- a/interface-definitions/include/bgp/afi-label.xml.i +++ b/interface-definitions/include/bgp/afi-label.xml.i @@ -29,6 +29,19 @@ </constraint> </properties> </leafNode> + <node name="allocation-mode"> + <properties> + <help>Label allocation mode</help> + </properties> + <children> + <leafNode name="per-nexthop"> + <properties> + <help>Allocate a label per connected next-hop in the VRF</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/include/bgp/afi-vpn-label.xml.i b/interface-definitions/include/bgp/afi-vpn-label.xml.i new file mode 100644 index 000000000..6c7e73d9b --- /dev/null +++ b/interface-definitions/include/bgp/afi-vpn-label.xml.i @@ -0,0 +1,14 @@ +<!-- include start from bgp/afi-vpn-label.xml.i --> +<leafNode name="label"> + <properties> + <help>MPLS label value assigned to route</help> + <valueHelp> + <format>u32:0-1048575</format> + <description>MPLS label value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-1048575"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index d69fd7dab..504385b53 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -355,15 +355,7 @@ <help>Apply local policy routing to interface</help> </properties> <children> - <leafNode name="interface"> - <properties> - <help>Interface</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces</script> - </completionHelp> - <multi/> - </properties> - </leafNode> + #include <include/generic-interface-multi.xml.i> </children> </node> </children> @@ -386,18 +378,7 @@ </properties> <children> #include <include/bgp/route-distinguisher.xml.i> - <leafNode name="label"> - <properties> - <help>MPLS label value assigned to route</help> - <valueHelp> - <format>u32:0-1048575</format> - <description>MPLS label value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-1048575"/> - </constraint> - </properties> - </leafNode> + #include <include/bgp/afi-vpn-label.xml.i> </children> </tagNode> </children> @@ -766,18 +747,7 @@ </properties> <children> #include <include/bgp/route-distinguisher.xml.i> - <leafNode name="label"> - <properties> - <help>MPLS label value assigned to route</help> - <valueHelp> - <format>u32:0-1048575</format> - <description>MPLS label value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-1048575"/> - </constraint> - </properties> - </leafNode> + #include <include/bgp/afi-vpn-label.xml.i> </children> </tagNode> </children> @@ -840,12 +810,7 @@ <help>Specify handling for BUM packets</help> </properties> <children> - <leafNode name="disable"> - <properties> - <help>Do not flood any BUM packets</help> - <valueless/> - </properties> - </leafNode> + #include <include/generic-disable-node.xml.i> <leafNode name="head-end-replication"> <properties> <help>Flood BUM packets using head-end replication</help> @@ -873,6 +838,36 @@ </node> </children> </node> +<tagNode name="interface"> + <properties> + <help>Configure interface related parameters, e.g. MPLS</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces</script> + </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface name</description> + </valueHelp> + <constraint> + #include <include/constraint/interface-name.xml.i> + </constraint> + </properties> + <children> + <node name="mpls"> + <properties> + <help>MPLS options</help> + </properties> + <children> + <leafNode name="forwarding"> + <properties> + <help>Enable MPLS forwarding for eBGP directly connected peers</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> +</tagNode> <node name="listen"> <properties> <help>Listen for and accept BGP dynamic neighbors from range</help> @@ -1128,25 +1123,26 @@ <valueless/> </properties> </leafNode> - <node name="med"> + <leafNode name="med"> <properties> <help>MED attribute comparison parameters</help> + <completionHelp> + <list>confed missing-as-worst</list> + </completionHelp> + <valueHelp> + <format>confed</format> + <description>Compare MEDs among confederation paths</description> + </valueHelp> + <valueHelp> + <format>missing-as-worst</format> + <description>Treat missing route as a MED as the least preferred one</description> + </valueHelp> + <constraint> + <regex>(confed|missing-as-worst)</regex> + </constraint> + <multi/> </properties> - <children> - <leafNode name="confed"> - <properties> - <help>Compare MEDs among confederation paths</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="missing-as-worst"> - <properties> - <help>Treat missing route as a MED as the least preferred one</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> + </leafNode> <node name="peer-type"> <properties> <help>Peer type</help> @@ -1545,7 +1541,9 @@ </properties> <children> #include <include/bgp/neighbor-afi-ipv4-unicast.xml.i> + #include <include/bgp/neighbor-afi-ipv4-vpn.xml.i> #include <include/bgp/neighbor-afi-ipv6-unicast.xml.i> + #include <include/bgp/neighbor-afi-ipv6-vpn.xml.i> #include <include/bgp/neighbor-afi-l2vpn-evpn.xml.i> </children> </node> diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i b/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i new file mode 100644 index 000000000..6a39041a3 --- /dev/null +++ b/interface-definitions/include/constraint/interface-name-with-wildcard-and-inverted.xml.i @@ -0,0 +1,4 @@ +<!-- include start from constraint/interface-name-with-wildcard-and-inverted.xml.i --> +<regex>(\!?)(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|(\!?)lo</regex> +<validator name="file-path --lookup-path /sys/class/net --directory"/> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i b/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i new file mode 100644 index 000000000..ee1af2a36 --- /dev/null +++ b/interface-definitions/include/dns/dynamic-service-host-name-server.xml.i @@ -0,0 +1,34 @@ +<!-- include start from dns/dynamic-service-host-name-server.xml.i --> +<leafNode name="host-name"> + <properties> + <help>Hostname to register with Dynamic DNS service</help> + <constraint> + #include <include/constraint/host-name.xml.i> + </constraint> + <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> + <multi/> + </properties> +</leafNode> +<leafNode name="server"> + <properties> + <help>Remote Dynamic DNS server to send updates to</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address of the remote server</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address of the remote server</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Fully qualified domain name of the remote server</description> + </valueHelp> + <constraint> + <validator name="ip-address"/> + <validator name="fqdn"/> + </constraint> + <constraintErrorMessage>Remote server must be IP address or fully qualified domain name</constraintErrorMessage> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i new file mode 100644 index 000000000..5f81a1451 --- /dev/null +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/action-and-notrack.xml.i --> +<leafNode name="action"> + <properties> + <help>Rule action</help> + <completionHelp> + <list>accept jump notrack reject return drop queue</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Accept matching entries</description> + </valueHelp> + <valueHelp> + <format>jump</format> + <description>Jump to another chain</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Reject matching entries</description> + </valueHelp> + <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop matching entries</description> + </valueHelp> + <valueHelp> + <format>queue</format> + <description>Enqueue packet to userspace</description> + </valueHelp> + <valueHelp> + <format>notrack</format> + <description>Igone connection tracking</description> + </valueHelp> + <constraint> + <regex>(accept|jump|notrack|reject|return|drop|queue)</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i new file mode 100644 index 000000000..7a2eb86d4 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i @@ -0,0 +1,374 @@ +<!-- include start from firewall/common-rule-inet.xml.i --> +#include <include/firewall/action.xml.i> +#include <include/generic-description.xml.i> +#include <include/firewall/dscp.xml.i> +#include <include/firewall/packet-options.xml.i> +#include <include/firewall/connection-mark.xml.i> +#include <include/firewall/nft-queue.xml.i> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Maximum number of packets to allow in excess of rate</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>txt</format> + <description>integer/unit (Example: 5/minute)</description> + </valueHelp> + <constraint> + <regex>\d+/(second|minute|hour|day)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +#include <include/firewall/rule-log-options.xml.i> +<node name="connection-status"> + <properties> + <help>Connection status</help> + </properties> + <children> + <leafNode name="nat"> + <properties> + <help>NAT connection status</help> + <completionHelp> + <list>destination source</list> + </completionHelp> + <valueHelp> + <format>destination</format> + <description>Match connections that are subject to destination NAT</description> + </valueHelp> + <valueHelp> + <format>source</format> + <description>Match connections that are subject to source NAT</description> + </valueHelp> + <constraint> + <regex>(destination|source)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last second/minute/hour</help> + <completionHelp> + <list>second minute hour</list> + </completionHelp> + <valueHelp> + <format>second</format> + <description>Source addresses seen COUNT times in the last second</description> + </valueHelp> + <valueHelp> + <format>minute</format> + <description>Source addresses seen COUNT times in the last minute</description> + </valueHelp> + <valueHelp> + <format>hour</format> + <description>Source addresses seen COUNT times in the last hour</description> + </valueHelp> + <constraint> + <regex>(second|minute|hour)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="state"> + <properties> + <help>Session state</help> + </properties> + <children> + <leafNode name="established"> + <properties> + <help>Established state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="invalid"> + <properties> + <help>Invalid state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="new"> + <properties> + <help>New state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="related"> + <properties> + <help>Related state</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +#include <include/firewall/tcp-flags.xml.i> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="weekdays"> + <properties> + <help>Comma separated weekdays to match rule on</help> + <valueHelp> + <format>txt</format> + <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description> + </valueHelp> + <valueHelp> + <format>u32:0-6</format> + <description>Day number (0 = Sunday ... 6 = Saturday)</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i new file mode 100644 index 000000000..a1071a09a --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -0,0 +1,331 @@ +<!-- include start from firewall/common-rule-ipv4-raw.xml.i --> +#include <include/firewall/action-and-notrack.xml.i> +#include <include/generic-description.xml.i> +#include <include/firewall/dscp.xml.i> +#include <include/firewall/ttl.xml.i> +#include <include/firewall/nft-queue.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<leafNode name="disable"> + <properties> + <help>Option to disable firewall rule</help> + <valueless/> + </properties> +</leafNode> +<node name="fragment"> + <properties> + <help>IP fragment match</help> + </properties> + <children> + <leafNode name="match-frag"> + <properties> + <help>Second and further fragments of fragmented packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-non-frag"> + <properties> + <help>Head fragments or unfragmented packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="icmp"> + <properties> + <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> +</node> +<node name="ipsec"> + <properties> + <help>Inbound IPsec packets</help> + </properties> + <children> + <leafNode name="match-ipsec"> + <properties> + <help>Inbound IPsec packets</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none"> + <properties> + <help>Inbound non-IPsec packets</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> +<node name="limit"> + <properties> + <help>Rate limit using a token bucket filter</help> + </properties> + <children> + <leafNode name="burst"> + <properties> + <help>Maximum number of packets to allow in excess of rate</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Maximum number of packets to allow in excess of rate</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + </leafNode> + <leafNode name="rate"> + <properties> + <help>Maximum average matching rate</help> + <valueHelp> + <format>txt</format> + <description>integer/unit (Example: 5/minute)</description> + </valueHelp> + <constraint> + <regex>\d+/(second|minute|hour|day)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="log"> + <properties> + <help>Option to log packets matching rule</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable log</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable log</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> +</leafNode> +#include <include/firewall/rule-log-options.xml.i> +<node name="connection-status"> + <properties> + <help>Connection status</help> + </properties> + <children> + <leafNode name="nat"> + <properties> + <help>NAT connection status</help> + <completionHelp> + <list>destination source</list> + </completionHelp> + <valueHelp> + <format>destination</format> + <description>Match connections that are subject to destination NAT</description> + </valueHelp> + <valueHelp> + <format>source</format> + <description>Match connections that are subject to source NAT</description> + </valueHelp> + <constraint> + <regex>(destination|source)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<node name="recent"> + <properties> + <help>Parameters for matching recently seen sources</help> + </properties> + <children> + <leafNode name="count"> + <properties> + <help>Source addresses seen more than N times</help> + <valueHelp> + <format>u32:1-255</format> + <description>Source addresses seen more than N times</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Source addresses seen in the last second/minute/hour</help> + <completionHelp> + <list>second minute hour</list> + </completionHelp> + <valueHelp> + <format>second</format> + <description>Source addresses seen COUNT times in the last second</description> + </valueHelp> + <valueHelp> + <format>minute</format> + <description>Source addresses seen COUNT times in the last minute</description> + </valueHelp> + <valueHelp> + <format>hour</format> + <description>Source addresses seen COUNT times in the last hour</description> + </valueHelp> + <constraint> + <regex>(second|minute|hour)</regex> + </constraint> + </properties> + </leafNode> + </children> +</node> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +#include <include/firewall/tcp-flags.xml.i> +<node name="time"> + <properties> + <help>Time to match rule</help> + </properties> + <children> + <leafNode name="startdate"> + <properties> + <help>Date to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="starttime"> + <properties> + <help>Time of day to start matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stopdate"> + <properties> + <help>Date to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter date using following notation - YYYY-MM-DD</description> + </valueHelp> + <constraint> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="stoptime"> + <properties> + <help>Time of day to stop matching rule</help> + <valueHelp> + <format>txt</format> + <description>Enter time using using 24 hour notation - hh:mm:ss</description> + </valueHelp> + <constraint> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="weekdays"> + <properties> + <help>Comma separated weekdays to match rule on</help> + <valueHelp> + <format>txt</format> + <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description> + </valueHelp> + <valueHelp> + <format>u32:0-6</format> + <description>Day number (0 = Sunday ... 6 = Saturday)</description> + </valueHelp> + </properties> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i new file mode 100644 index 000000000..4ed179ae7 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -0,0 +1,72 @@ +<!-- include start from firewall/common-rule-ipv4.xml.i --> +#include <include/firewall/common-rule-inet.xml.i> +#include <include/firewall/ttl.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<node name="icmp"> + <properties> + <help>ICMP type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMP code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMP type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMP type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmp-type-name.xml.i> + </children> +</node> +<leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> +</leafNode> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address.xml.i> + #include <include/firewall/address-mask.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i new file mode 100644 index 000000000..6219557db --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -0,0 +1,72 @@ +<!-- include start from firewall/common-rule-ipv6.xml.i --> +#include <include/firewall/common-rule-inet.xml.i> +#include <include/firewall/hop-limit.xml.i> +<node name="destination"> + <properties> + <help>Destination parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/address-mask-ipv6.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-ipv6.xml.i> + </children> +</node> +<node name="icmpv6"> + <properties> + <help>ICMPv6 type and code information</help> + </properties> + <children> + <leafNode name="code"> + <properties> + <help>ICMPv6 code</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMPv6 code (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>ICMPv6 type</help> + <valueHelp> + <format>u32:0-255</format> + <description>ICMPv6 type (0-255)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> + </leafNode> + #include <include/firewall/icmpv6-type-name.xml.i> + </children> +</node> +<leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv6 name</path> + </completionHelp> + </properties> +</leafNode> +<node name="source"> + <properties> + <help>Source parameters</help> + </properties> + <children> + #include <include/firewall/address-ipv6.xml.i> + #include <include/firewall/address-mask-ipv6.xml.i> + #include <include/firewall/fqdn.xml.i> + #include <include/firewall/geoip.xml.i> + #include <include/firewall/mac-address.xml.i> + #include <include/firewall/port.xml.i> + #include <include/firewall/source-destination-group-ipv6.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i new file mode 100644 index 000000000..aa62abf3d --- /dev/null +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i @@ -0,0 +1,22 @@ +<!-- include start from firewall/default-action-base-chains.xml.i --> +<leafNode name="default-action"> + <properties> + <help>Default-action for rule-set</help> + <completionHelp> + <list>drop accept</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop if no prior rules are hit</description> + </valueHelp> + <valueHelp> + <format>accept</format> + <description>Accept if no prior rules are hit</description> + </valueHelp> + <constraint> + <regex>(drop|accept)</regex> + </constraint> + </properties> + <defaultValue>accept</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i new file mode 100644 index 000000000..7f34de3ba --- /dev/null +++ b/interface-definitions/include/firewall/firewall-hashing-parameters.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/firewall-hashing-parameters.xml.i --> +<leafNode name="hash"> + <properties> + <help>Define the parameters of the packet header to apply the hashing</help> + <completionHelp> + <list>source-address destination-address source-port destination-port random</list> + </completionHelp> + <valueHelp> + <format>source-address</format> + <description>Use source IP address for hashing</description> + </valueHelp> + <valueHelp> + <format>destination-address</format> + <description>Use destination IP address for hashing</description> + </valueHelp> + <valueHelp> + <format>source-port</format> + <description>Use source port for hashing</description> + </valueHelp> + <valueHelp> + <format>destination-port</format> + <description>Use destination port for hashing</description> + </valueHelp> + <valueHelp> + <format>random</format> + <description>Do not use information from ip header. Use random value.</description> + </valueHelp> + <constraint> + <regex>(source-address|destination-address|source-port|destination-port|random)</regex> + </constraint> + <multi/> + </properties> + <defaultValue>random</defaultValue> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i new file mode 100644 index 000000000..a63874cb0 --- /dev/null +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -0,0 +1,252 @@ +<!-- include start from firewall/global-options.xml.i --> +<node name="global-options"> + <properties> + <help>Global Options</help> + </properties> + <children> + <leafNode name="all-ping"> + <properties> + <help>Policy for handling of all IPv4 ICMP echo requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of all IPv4 ICMP echo requests</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="broadcast-ping"> + <properties> + <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ip-src-route"> + <properties> + <help>Policy for handling IPv4 packets with source route option</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv4 packets with source route option</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv4 packets with source route option</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="log-martians"> + <properties> + <help>Policy for logging IPv4 packets with invalid addresses</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable logging of IPv4 packets with invalid addresses</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable logging of Ipv4 packets with invalid addresses</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="receive-redirects"> + <properties> + <help>Policy for handling received IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="resolver-cache"> + <properties> + <help>Retains last successful value if domain resolution fails</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="resolver-interval"> + <properties> + <help>Domain resolver update interval</help> + <valueHelp> + <format>u32:10-3600</format> + <description>Interval (seconds)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 10-3600"/> + </constraint> + </properties> + <defaultValue>300</defaultValue> + </leafNode> + <leafNode name="send-redirects"> + <properties> + <help>Policy for sending IPv4 ICMP redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable sending IPv4 ICMP redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="source-validation"> + <properties> + <help>Policy for source validation by reversed path, as specified in RFC3704</help> + <completionHelp> + <list>strict loose disable</list> + </completionHelp> + <valueHelp> + <format>strict</format> + <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>loose</format> + <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>No source validation</description> + </valueHelp> + <constraint> + <regex>(strict|loose|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="syn-cookies"> + <properties> + <help>Policy for using TCP SYN cookies with IPv4</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable use of TCP SYN cookies with IPv4</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>enable</defaultValue> + </leafNode> + <leafNode name="twa-hazards-protection"> + <properties> + <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable RFC1337 TIME-WAIT hazards protection</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ipv6-receive-redirects"> + <properties> + <help>Policy for handling received ICMPv6 redirect messages</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of received ICMPv6 redirect messages</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + <leafNode name="ipv6-src-route"> + <properties> + <help>Policy for handling IPv6 packets with routing extension header</help> + <completionHelp> + <list>enable disable</list> + </completionHelp> + <valueHelp> + <format>enable</format> + <description>Enable processing of IPv6 packets with routing header type 2</description> + </valueHelp> + <valueHelp> + <format>disable</format> + <description>Disable processing of IPv6 packets with routing header</description> + </valueHelp> + <constraint> + <regex>(enable|disable)</regex> + </constraint> + </properties> + <defaultValue>disable</defaultValue> + </leafNode> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i new file mode 100644 index 000000000..13df71de3 --- /dev/null +++ b/interface-definitions/include/firewall/inbound-interface.xml.i @@ -0,0 +1,10 @@ +<!-- include start from firewall/inbound-interface.xml.i --> +<node name="inbound-interface"> + <properties> + <help>Match inbound-interface</help> + </properties> + <children> + #include <include/firewall/match-interface.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i new file mode 100644 index 000000000..9d6ecfaf2 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/ipv4-custom-name.xml.i --> +<tagNode name="name"> + <properties> + <help>IPv4 custom firewall</help> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall custom rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i new file mode 100644 index 000000000..08ee96419 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/ipv4-hook-forward.xml.i --> +<node name="forward"> + <properties> + <help>IPv4 forward firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall forward filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall forward filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i new file mode 100644 index 000000000..32b0ec94f --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv4-hook-input.xml.i --> +<node name="input"> + <properties> + <help>IPv4 input firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall input filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall input filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i new file mode 100644 index 000000000..d50d1e93b --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv4-hook-output.xml.i --> +<node name="output"> + <properties> + <help>IPv4 output firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall output filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall output filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i new file mode 100644 index 000000000..c38918375 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -0,0 +1,85 @@ +<!-- include start from firewall/ipv4-hook-prerouting.xml.i --> +<node name="prerouting"> + <properties> + <help>IPv4 prerouting firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv4 firewall prerouting filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall prerouting filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4.xml.i> + #include <include/firewall/inbound-interface.xml.i> + <leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + <node name="raw"> + <properties> + <help>IPv4 firewall prerouting raw</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv4 Firewall prerouting raw rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv4-raw.xml.i> + #include <include/firewall/inbound-interface.xml.i> + <leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv4 name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i new file mode 100644 index 000000000..81610babf --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -0,0 +1,41 @@ +<!-- include start from firewall/ipv6-custom-name.xml.i --> +<tagNode name="name"> + <properties> + <help>IPv6 custom firewall</help> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> + #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv6 name</path> + </completionHelp> + </properties> + </leafNode> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall custom rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i new file mode 100644 index 000000000..20ab8dbe8 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/ipv6-hook-forward.xml.i --> +<node name="forward"> + <properties> + <help>IPv6 forward firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall forward filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall forward filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i new file mode 100644 index 000000000..e34958f28 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv6-hook-input.xml.i --> +<node name="input"> + <properties> + <help>IPv6 input firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall input filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall input filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/inbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i new file mode 100644 index 000000000..eb4ea7ac3 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -0,0 +1,35 @@ +<!-- include start from firewall/ipv6-hook-output.xml.i --> +<node name="output"> + <properties> + <help>IPv6 output firewall</help> + </properties> + <children> + <node name="filter"> + <properties> + <help>IPv6 firewall output filter</help> + </properties> + <children> + #include <include/firewall/default-action-base-chains.xml.i> + #include <include/generic-description.xml.i> + <tagNode name="rule"> + <properties> + <help>IPv6 Firewall output filter rule number</help> + <valueHelp> + <format>u32:1-999999</format> + <description>Number for this firewall rule</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-999999"/> + </constraint> + <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage> + </properties> + <children> + #include <include/firewall/common-rule-ipv6.xml.i> + #include <include/firewall/outbound-interface.xml.i> + </children> + </tagNode> + </children> + </node> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i index 3e52422cf..7810f88ab 100644 --- a/interface-definitions/include/firewall/match-interface.xml.i +++ b/interface-definitions/include/firewall/match-interface.xml.i @@ -5,6 +5,21 @@ <completionHelp> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface name</description> + </valueHelp> + <valueHelp> + <format>txt*</format> + <description>Interface name with wildcard</description> + </valueHelp> + <valueHelp> + <format>!txt</format> + <description>Inverted interface name to match</description> + </valueHelp> + <constraint> + #include <include/constraint/interface-name-with-wildcard-and-inverted.xml.i> + </constraint> </properties> </leafNode> <leafNode name="interface-group"> @@ -13,6 +28,14 @@ <completionHelp> <path>firewall group interface-group</path> </completionHelp> + <valueHelp> + <format>txt</format> + <description>Interface-group name to match</description> + </valueHelp> + <valueHelp> + <format>!txt</format> + <description>Inverted interface-group name to match</description> + </valueHelp> </properties> </leafNode> <!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/nat-balance.xml.i b/interface-definitions/include/firewall/nat-balance.xml.i new file mode 100644 index 000000000..01793f06b --- /dev/null +++ b/interface-definitions/include/firewall/nat-balance.xml.i @@ -0,0 +1,28 @@ +<!-- include start from firewall/nat-balance.xml.i --> +<tagNode name="backend"> + <properties> + <help>Translated IP address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + <children> + <leafNode name="weight"> + <properties> + <help>Set probability for this output value</help> + <valueHelp> + <format>u32:1-100</format> + <description>Set probability for this output value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 1-100"/> + </constraint> + </properties> + </leafNode> + </children> +</tagNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i new file mode 100644 index 000000000..8654dfd80 --- /dev/null +++ b/interface-definitions/include/firewall/outbound-interface.xml.i @@ -0,0 +1,10 @@ +<!-- include start from firewall/outbound-interface.xml.i --> +<node name="outbound-interface"> + <properties> + <help>Match outbound-interface</help> + </properties> + <children> + #include <include/firewall/match-interface.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/interface/dhcpv6-options.xml.i b/interface-definitions/include/interface/dhcpv6-options.xml.i index 609af1a2b..5ca1d525f 100644 --- a/interface-definitions/include/interface/dhcpv6-options.xml.i +++ b/interface-definitions/include/interface/dhcpv6-options.xml.i @@ -95,6 +95,12 @@ <valueless/> </properties> </leafNode> + <leafNode name="no-release"> + <properties> + <help>Do not send a release message on client exit</help> + <valueless/> + </properties> + </leafNode> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/interface/eapol.xml.i b/interface-definitions/include/interface/eapol.xml.i index c4cdeae0c..a3206f2c7 100644 --- a/interface-definitions/include/interface/eapol.xml.i +++ b/interface-definitions/include/interface/eapol.xml.i @@ -4,7 +4,7 @@ <help>Extensible Authentication Protocol over Local Area Network</help> </properties> <children> - #include <include/pki/ca-certificate.xml.i> + #include <include/pki/ca-certificate-multi.xml.i> #include <include/pki/certificate-key.xml.i> </children> </node> diff --git a/interface-definitions/include/interface/ipv6-accept-dad.xml.i b/interface-definitions/include/interface/ipv6-accept-dad.xml.i new file mode 100644 index 000000000..7554b270a --- /dev/null +++ b/interface-definitions/include/interface/ipv6-accept-dad.xml.i @@ -0,0 +1,20 @@ +<!-- include start from interface/ipv6-accept-dad.xml.i --> +<leafNode name="accept-dad"> + <properties> + <help>Accept Duplicate Address Detection</help> + <valueHelp> + <format>0</format> + <description>Disable DAD</description> + </valueHelp> + <valueHelp> + <format>1</format> + <description>Enable DAD</description> + </valueHelp> + <valueHelp> + <format>2</format> + <description>Enable DAD - disable IPv6 if MAC-based duplicate link-local address found</description> + </valueHelp> + </properties> + <defaultValue>1</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i index babe6d20f..3b9294dd0 100644 --- a/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i +++ b/interface-definitions/include/interface/ipv6-dup-addr-detect-transmits.xml.i @@ -1,7 +1,7 @@ <!-- include start from interface/ipv6-dup-addr-detect-transmits.xml.i --> <leafNode name="dup-addr-detect-transmits"> <properties> - <help>Number of NS messages to send while performing DAD (default: 1)</help> + <help>Number of NS messages to send while performing DAD</help> <valueHelp> <format>u32:0</format> <description>Disable Duplicate Address Dectection (DAD)</description> @@ -14,5 +14,6 @@ <validator name="numeric" argument="--non-negative"/> </constraint> </properties> + <defaultValue>1</defaultValue> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/interface/ipv6-options.xml.i b/interface-definitions/include/interface/ipv6-options.xml.i index f740ce0c2..edb4a74f9 100644 --- a/interface-definitions/include/interface/ipv6-options.xml.i +++ b/interface-definitions/include/interface/ipv6-options.xml.i @@ -6,8 +6,10 @@ <children> #include <include/interface/adjust-mss.xml.i> #include <include/interface/disable-forwarding.xml.i> + #include <include/interface/ipv6-accept-dad.xml.i> #include <include/interface/ipv6-address.xml.i> #include <include/interface/ipv6-dup-addr-detect-transmits.xml.i> + #include <include/interface/source-validation.xml.i> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/interface/mac-multi.xml.i b/interface-definitions/include/interface/mac-multi.xml.i new file mode 100644 index 000000000..458372e67 --- /dev/null +++ b/interface-definitions/include/interface/mac-multi.xml.i @@ -0,0 +1,15 @@ +<!-- include start from interface/mac-multi.xml.i --> +<leafNode name="mac"> + <properties> + <help>Media Access Control (MAC) address</help> + <valueHelp> + <format>macaddr</format> + <description>Hardware (MAC) address</description> + </valueHelp> + <constraint> + <validator name="mac-address"/> + </constraint> + <multi/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/macsec-key.xml.i b/interface-definitions/include/interface/macsec-key.xml.i new file mode 100644 index 000000000..5a857a612 --- /dev/null +++ b/interface-definitions/include/interface/macsec-key.xml.i @@ -0,0 +1,15 @@ +<!-- include start from interface/macsec-key.xml.i --> +<leafNode name="key"> + <properties> + <help>MACsec static key</help> + <valueHelp> + <format>txt</format> + <description>16-byte (128-bit) hex-string (32 hex-digits) for gcm-aes-128 or 32-byte (256-bit) hex-string (64 hex-digits) for gcm-aes-256</description> + </valueHelp> + <constraint> + <regex>[A-Fa-f0-9]{32}</regex> + <regex>[A-Fa-f0-9]{64}</regex> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/netns.xml.i b/interface-definitions/include/interface/netns.xml.i index 39f9118fa..fd6da8f37 100644 --- a/interface-definitions/include/interface/netns.xml.i +++ b/interface-definitions/include/interface/netns.xml.i @@ -3,7 +3,7 @@ <properties> <help>Network namespace name</help> <valueHelp> - <format>text</format> + <format>txt</format> <description>Network namespace name</description> </valueHelp> <completionHelp> diff --git a/interface-definitions/include/interface/parameters-innerproto.xml.i b/interface-definitions/include/interface/parameters-innerproto.xml.i new file mode 100644 index 000000000..9cafebd11 --- /dev/null +++ b/interface-definitions/include/interface/parameters-innerproto.xml.i @@ -0,0 +1,8 @@ +<!-- include start from interface/parameters-innerproto.xml.i --> +<leafNode name="innerproto"> + <properties> + <help>Use IPv4 as inner protocol instead of Ethernet</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/per-client-thread.xml.i b/interface-definitions/include/interface/per-client-thread.xml.i new file mode 100644 index 000000000..2fd19b5ce --- /dev/null +++ b/interface-definitions/include/interface/per-client-thread.xml.i @@ -0,0 +1,8 @@ +<!-- include start from interface/per-client-thread.xml.i --> +<leafNode name="per-client-thread"> + <properties> + <help>Process traffic from each client in a dedicated thread</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/xdp.xml.i b/interface-definitions/include/interface/xdp.xml.i deleted file mode 100644 index 10223e766..000000000 --- a/interface-definitions/include/interface/xdp.xml.i +++ /dev/null @@ -1,8 +0,0 @@ -<!-- include start from interface/xdp.xml.i --> -<leafNode name="xdp"> - <properties> - <help>Enable eXpress Data Path</help> - <valueless/> - </properties> -</leafNode> -<!-- include end --> diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index 7b3b8804e..6234e6195 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i @@ -25,6 +25,15 @@ </node> #include <include/generic-disable-node.xml.i> #include <include/nat-exclude.xml.i> + <node name="load-balance"> + <properties> + <help>Apply NAT load balance</help> + </properties> + <children> + #include <include/firewall/firewall-hashing-parameters.xml.i> + #include <include/firewall/nat-balance.xml.i> + </children> + </node> <leafNode name="log"> <properties> <help>NAT rule logging</help> diff --git a/interface-definitions/include/ospf/graceful-restart.xml.i b/interface-definitions/include/ospf/graceful-restart.xml.i new file mode 100644 index 000000000..37d9a7f13 --- /dev/null +++ b/interface-definitions/include/ospf/graceful-restart.xml.i @@ -0,0 +1,67 @@ +<!-- include start from ospf/graceful-restart.xml.i --> +<node name="graceful-restart"> + <properties> + <help>Graceful Restart</help> + </properties> + <children> + <leafNode name="grace-period"> + <properties> + <help>Maximum length of the grace period</help> + <valueHelp> + <format>u32:1-1800</format> + <description>Maximum length of the grace period in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-1800"/> + </constraint> + </properties> + <defaultValue>120</defaultValue> + </leafNode> + <node name="helper"> + <properties> + <help>OSPF graceful-restart helpers</help> + </properties> + <children> + <node name="enable"> + <properties> + <help>Enable helper support</help> + </properties> + <children> + <leafNode name="router-id"> + <properties> + <help>Advertising Router-ID</help> + <valueHelp> + <format>ipv4</format> + <description>Router-ID in IP address format</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </node> + <leafNode name="planned-only"> + <properties> + <help>Supported only planned restart</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="supported-grace-time"> + <properties> + <help>Supported grace timer</help> + <valueHelp> + <format>u32:10-1800</format> + <description>Grace interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 10-1800"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> +</node> +<!-- include end --> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index b7f22cb88..c4778e126 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -1,4 +1,24 @@ <!-- include start from ospf/protocol-common-config.xml.i --> +<node name="aggregation"> + <properties> + <help>External route aggregation</help> + </properties> + <children> + <leafNode name="timer"> + <properties> + <help>Delay timer</help> + <valueHelp> + <format>u32:5-1800</format> + <description>Timer interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-1800"/> + </constraint> + </properties> + <defaultValue>5</defaultValue> + </leafNode> + </children> +</node> <tagNode name="access-list"> <properties> <help>Access list to filter networks in routing updates</help> @@ -306,6 +326,19 @@ </children> </tagNode> #include <include/ospf/auto-cost.xml.i> +<node name="capability"> + <properties> + <help>Enable specific OSPF features</help> + </properties> + <children> + <leafNode name="opaque"> + <properties> + <help>Opaque LSA</help> + <valueless/> + </properties> + </leafNode> + </children> +</node> #include <include/ospf/default-information.xml.i> <leafNode name="default-metric"> <properties> @@ -319,6 +352,21 @@ </constraint> </properties> </leafNode> +#include <include/ospf/graceful-restart.xml.i> +<node name="graceful-restart"> + <children> + <node name="helper"> + <children> + <leafNode name="no-strict-lsa-checking"> + <properties> + <help>Disable strict LSA check</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> +</node> <leafNode name="maximum-paths"> <properties> <help>Maximum multiple paths (ECMP)</help> @@ -816,6 +864,38 @@ </leafNode> </children> </node> +<tagNode name="summary-address"> + <properties> + <help>External summary address</help> + <valueHelp> + <format>ipv4net</format> + <description>OSPF area number in dotted decimal notation</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + </properties> + <children> + <leafNode name="no-advertise"> + <properties> + <help>Don not advertise summary route</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="tag"> + <properties> + <help>Router tag</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Router tag value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + </leafNode> + </children> +</tagNode> <node name="timers"> <properties> <help>Adjust routing timers</help> @@ -876,4 +956,4 @@ </node> </children> </node> -<!-- include end -->
\ No newline at end of file +<!-- include end --> diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index a7de50638..4c3ca68e1 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -107,6 +107,21 @@ </node> </children> </node> +#include <include/ospf/graceful-restart.xml.i> +<node name="graceful-restart"> + <children> + <node name="helper"> + <children> + <leafNode name="lsa-check-disable"> + <properties> + <help>Disable strict LSA check</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> +</node> <tagNode name="interface"> <properties> <help>Enable routing on an IPv6 interface</help> diff --git a/interface-definitions/include/policy/extended-community-value-list.xml.i b/interface-definitions/include/policy/extended-community-value-list.xml.i index c79f78c67..33a279be1 100644 --- a/interface-definitions/include/policy/extended-community-value-list.xml.i +++ b/interface-definitions/include/policy/extended-community-value-list.xml.i @@ -12,4 +12,4 @@ </constraint> <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> <multi/> - <!-- include end --> +<!-- include end --> diff --git a/interface-definitions/include/policy/tag.xml.i b/interface-definitions/include/policy/tag.xml.i new file mode 100644 index 000000000..ec25b9391 --- /dev/null +++ b/interface-definitions/include/policy/tag.xml.i @@ -0,0 +1,14 @@ +<!-- include start from policy/tag.xml.i --> +<leafNode name="tag"> + <properties> + <help>Route tag value</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Route tag</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/qos/bandwidth.xml.i b/interface-definitions/include/qos/bandwidth.xml.i index cc923f642..0e29b6499 100644 --- a/interface-definitions/include/qos/bandwidth.xml.i +++ b/interface-definitions/include/qos/bandwidth.xml.i @@ -27,7 +27,7 @@ <description>Terabits per second</description> </valueHelp> <valueHelp> - <format><number>%</format> + <format><number>%%</format> <description>Percentage of interface link speed</description> </valueHelp> <constraint> diff --git a/interface-definitions/include/radius-server-auth-port.xml.i b/interface-definitions/include/radius-server-auth-port.xml.i index 660fa540f..d9ea1d445 100644 --- a/interface-definitions/include/radius-server-auth-port.xml.i +++ b/interface-definitions/include/radius-server-auth-port.xml.i @@ -1,15 +1,6 @@ <!-- include start from radius-server-auth-port.xml.i --> +#include <include/port-number.xml.i> <leafNode name="port"> - <properties> - <help>Authentication port</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Numeric IP port</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> <defaultValue>1812</defaultValue> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/radius-server-key.xml.i b/interface-definitions/include/radius-server-key.xml.i index c6301646b..dd5cdb0c6 100644 --- a/interface-definitions/include/radius-server-key.xml.i +++ b/interface-definitions/include/radius-server-key.xml.i @@ -2,6 +2,14 @@ <leafNode name="key"> <properties> <help>Shared secret key</help> + <valueHelp> + <format>txt</format> + <description>Password string (key)</description> + </valueHelp> + <constraint> + <regex>[[:ascii:]]{1,128}</regex> + </constraint> + <constraintErrorMessage>Password must be less then 128 characters</constraintErrorMessage> </properties> </leafNode> <!-- include end --> diff --git a/interface-definitions/include/version/dns-dynamic-version.xml.i b/interface-definitions/include/version/dns-dynamic-version.xml.i new file mode 100644 index 000000000..b25fc6e76 --- /dev/null +++ b/interface-definitions/include/version/dns-dynamic-version.xml.i @@ -0,0 +1,3 @@ +<!-- include start from include/version/dns-dynamic-version.xml.i --> +<syntaxVersion component='dns-dynamic' version='1'></syntaxVersion> +<!-- include end --> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index c32484542..dd21bfaca 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='10'></syntaxVersion> +<syntaxVersion component='firewall' version='11'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i index e5e81d316..3d11ce888 100644 --- a/interface-definitions/include/version/interfaces-version.xml.i +++ b/interface-definitions/include/version/interfaces-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/interfaces-version.xml.i --> -<syntaxVersion component='interfaces' version='28'></syntaxVersion> +<syntaxVersion component='interfaces' version='30'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/ntp-version.xml.i b/interface-definitions/include/version/ntp-version.xml.i index 9eafbf7f0..155c824dc 100644 --- a/interface-definitions/include/version/ntp-version.xml.i +++ b/interface-definitions/include/version/ntp-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/ntp-version.xml.i --> -<syntaxVersion component='ntp' version='2'></syntaxVersion> +<syntaxVersion component='ntp' version='3'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/vrrp-version.xml.i b/interface-definitions/include/version/vrrp-version.xml.i index 626dd6cbc..1514b19ab 100644 --- a/interface-definitions/include/version/vrrp-version.xml.i +++ b/interface-definitions/include/version/vrrp-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/vrrp-version.xml.i --> -<syntaxVersion component='vrrp' version='3'></syntaxVersion> +<syntaxVersion component='vrrp' version='4'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 14b1036b4..427e04a54 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -225,7 +225,6 @@ #include <include/interface/redirect.xml.i> #include <include/interface/vif-s.xml.i> #include <include/interface/vif.xml.i> - #include <include/interface/xdp.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index e7c196c5c..3669336fd 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -204,7 +204,6 @@ #include <include/interface/vif-s.xml.i> #include <include/interface/vif.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/xdp.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index 330dadd95..29b563a09 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -36,6 +36,7 @@ #include <include/interface/parameters-df.xml.i> #include <include/interface/parameters-tos.xml.i> #include <include/interface/parameters-ttl.xml.i> + #include <include/interface/parameters-innerproto.xml.i> </children> </node> <node name="ipv6"> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 6bc28e44b..766b0bede 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -52,6 +52,28 @@ <valueless/> </properties> </leafNode> + <node name="static"> + <properties> + <help>Use static keys for MACsec [static Secure Authentication Key (SAK) mode]</help> + </properties> + <children> + #include <include/interface/macsec-key.xml.i> + <tagNode name="peer"> + <properties> + <help>MACsec peer name</help> + <constraint> + <regex>[^ ]{1,100}</regex> + </constraint> + <constraintErrorMessage>MACsec peer name exceeds limit of 100 characters</constraintErrorMessage> + </properties> + <children> + #include <include/generic-disable-node.xml.i> + #include <include/interface/mac.xml.i> + #include <include/interface/macsec-key.xml.i> + </children> + </tagNode> + </children> + </node> <node name="mka"> <properties> <help>MACsec Key Agreement protocol (MKA)</help> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 4e061c3e6..831659250 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -285,6 +285,19 @@ </constraint> </properties> </leafNode> + <node name="offload"> + <properties> + <help>Configurable offload options</help> + </properties> + <children> + <leafNode name="dco"> + <properties> + <help>Enable data channel offload on this interface</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> <leafNode name="openvpn-option"> <properties> <help>Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors.</help> @@ -739,6 +752,16 @@ </completionHelp> </properties> </leafNode> + <leafNode name="peer-fingerprint"> + <properties> + <multi/> + <help>Peer certificate SHA256 fingerprint</help> + <constraint> + <regex>[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}</regex> + </constraint> + <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage> + </properties> + </leafNode> <leafNode name="tls-version-min"> <properties> <help>Specify the minimum required TLS version</help> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 6342b21cf..3c79cef28 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -5,7 +5,7 @@ <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/interfaces-wireguard.py"> <properties> <help>WireGuard Interface</help> - <priority>459</priority> + <priority>379</priority> <constraint> <regex>wg[0-9]+</regex> </constraint> @@ -59,6 +59,7 @@ </properties> <children> #include <include/generic-disable-node.xml.i> + #include <include/generic-description.xml.i> <leafNode name="public-key"> <properties> <help>base64 encoded public key</help> @@ -119,6 +120,7 @@ </children> </tagNode> #include <include/interface/redirect.xml.i> + #include <include/interface/per-client-thread.xml.i> #include <include/interface/vrf.xml.i> </children> </tagNode> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index a9538d577..88b858c07 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -595,6 +595,49 @@ <help>Wireless security settings</help> </properties> <children> + <node name="station-address"> + <properties> + <help>Station MAC address based authentication</help> + </properties> + <children> + <leafNode name="mode"> + <properties> + <help>Select security operation mode</help> + <completionHelp> + <list>accept deny</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Accept all clients unless found in deny list</description> + </valueHelp> + <valueHelp> + <format>deny</format> + <description>Deny all clients unless found in accept list</description> + </valueHelp> + <constraint> + <regex>(accept|deny)</regex> + </constraint> + </properties> + <defaultValue>accept</defaultValue> + </leafNode> + <node name="accept"> + <properties> + <help>Accept station MAC address</help> + </properties> + <children> + #include <include/interface/mac-multi.xml.i> + </children> + </node> + <node name="deny"> + <properties> + <help>Deny station MAC address</help> + </properties> + <children> + #include <include/interface/mac-multi.xml.i> + </children> + </node> + </children> + </node> <node name="wep"> <properties> <help>Wired Equivalent Privacy (WEP) parameters</help> @@ -778,6 +821,7 @@ </properties> <defaultValue>monitor</defaultValue> </leafNode> + #include <include/interface/per-client-thread.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vif.xml.i> #include <include/interface/vif-s.xml.i> diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in index 501ff05d3..a06ceefb6 100644 --- a/interface-definitions/nat.xml.in +++ b/interface-definitions/nat.xml.in @@ -44,6 +44,14 @@ </leafNode> #include <include/nat-translation-port.xml.i> #include <include/nat-translation-options.xml.i> + <node name="redirect"> + <properties> + <help>Redirect to local host</help> + </properties> + <children> + #include <include/nat-translation-port.xml.i> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/netns.xml.in b/interface-definitions/netns.xml.in index 87880e96a..5d958968f 100644 --- a/interface-definitions/netns.xml.in +++ b/interface-definitions/netns.xml.in @@ -3,7 +3,7 @@ <node name="netns" owner="${vyos_conf_scripts_dir}/netns.py"> <properties> <help>Network namespace</help> - <priority>299</priority> + <priority>291</priority> </properties> <children> <tagNode name="name"> diff --git a/interface-definitions/ntp.xml.in b/interface-definitions/ntp.xml.in index 2275dd61c..4e874434b 100644 --- a/interface-definitions/ntp.xml.in +++ b/interface-definitions/ntp.xml.in @@ -57,7 +57,7 @@ </children> </tagNode> #include <include/allow-client.xml.i> - #include <include/generic-interface-multi.xml.i> + #include <include/generic-interface.xml.i> #include <include/listen-address.xml.i> #include <include/interface/vrf.xml.i> </children> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index aa39950c2..c470cfdb3 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1052,18 +1052,7 @@ </constraint> </properties> </leafNode> - <leafNode name="tag"> - <properties> - <help>Route tag to match</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Route tag</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> - </leafNode> + #include <include/policy/tag.xml.i> </children> </node> <node name="on-match"> @@ -1548,18 +1537,7 @@ </constraint> </properties> </leafNode> - <leafNode name="tag"> - <properties> - <help>Tag value for routing protocol</help> - <valueHelp> - <format>u32:1-65535</format> - <description>Tag value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-65535"/> - </constraint> - </properties> - </leafNode> + #include <include/policy/tag.xml.i> <leafNode name="weight"> <properties> <help>BGP weight attribute</help> diff --git a/interface-definitions/protocols-mpls.xml.in b/interface-definitions/protocols-mpls.xml.in index 43ca659e9..831601fc6 100644 --- a/interface-definitions/protocols-mpls.xml.in +++ b/interface-definitions/protocols-mpls.xml.in @@ -6,7 +6,7 @@ <node name="mpls" owner="${vyos_conf_scripts_dir}/protocols_mpls.py"> <properties> <help>Multiprotocol Label Switching (MPLS)</help> - <priority>400</priority> + <priority>490</priority> </properties> <children> <node name="ldp"> diff --git a/interface-definitions/service-config-sync.xml.in b/interface-definitions/service-config-sync.xml.in new file mode 100644 index 000000000..e804e17f7 --- /dev/null +++ b/interface-definitions/service-config-sync.xml.in @@ -0,0 +1,104 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="config-sync" owner="${vyos_conf_scripts_dir}/service_config_sync.py"> + <properties> + <help>Configuration synchronization</help> + </properties> + <children> + <node name="secondary"> + <properties> + <help>Secondary server parameters</help> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>IP address</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to match</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>FQDN address to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <validator name="fqdn"/> + </constraint> + </properties> + </leafNode> + <leafNode name="timeout"> + <properties> + <help>Connection API timeout</help> + <valueHelp> + <format>u32:1-300</format> + <description>Connection API timeout</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-300"/> + </constraint> + </properties> + <defaultValue>60</defaultValue> + </leafNode> + <leafNode name="key"> + <properties> + <help>HTTP API key</help> + </properties> + </leafNode> + </children> + </node> + <leafNode name="mode"> + <properties> + <help>Synchronization mode</help> + <completionHelp> + <list>load set</list> + </completionHelp> + <valueHelp> + <format>load</format> + <description>Load and replace configuration section</description> + </valueHelp> + <valueHelp> + <format>set</format> + <description>Set configuration section</description> + </valueHelp> + <constraint> + <regex>(load|set)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="section"> + <properties> + <help>Section for synchronization</help> + <completionHelp> + <list>nat nat66 firewall</list> + </completionHelp> + <valueHelp> + <format>nat</format> + <description>NAT</description> + </valueHelp> + <valueHelp> + <format>nat66</format> + <description>NAT66</description> + </valueHelp> + <valueHelp> + <format>firewall</format> + <description>firewall</description> + </valueHelp> + <constraint> + <regex>(nat|nat66|firewall)</regex> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in index bb06189bc..78463136b 100644 --- a/interface-definitions/service-ids-ddos-protection.xml.in +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -70,17 +70,34 @@ <multi/> </properties> </leafNode> - <node name="mode"> + <leafNode name="mode"> <properties> - <help>Traffic capture modes</help> + <help>Traffic capture mode</help> + <completionHelp> + <list>mirror sflow</list> + </completionHelp> + <valueHelp> + <format>mirror</format> + <description>Listen to mirrored traffic</description> + </valueHelp> + <valueHelp> + <format>sflow</format> + <description>Capture sFlow flows</description> + </valueHelp> + <constraint> + <regex>(mirror|sflow)</regex> + </constraint> + </properties> + </leafNode> + <node name="sflow"> + <properties> + <help>Sflow settings</help> </properties> <children> - <!-- Future modes "mirror" "netflow" "combine (both)" --> - <leafNode name="mirror"> - <properties> - <help>Listen mirrored traffic mode</help> - <valueless/> - </properties> + #include <include/listen-address-ipv4-single.xml.i> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>6343</defaultValue> </leafNode> </children> </node> diff --git a/interface-definitions/service-mdns-repeater.xml.in b/interface-definitions/service-mdns-repeater.xml.in index 4aab9a558..653dbbbe4 100644 --- a/interface-definitions/service-mdns-repeater.xml.in +++ b/interface-definitions/service-mdns-repeater.xml.in @@ -38,6 +38,7 @@ <constraint> <regex>[-_.a-zA-Z0-9]+</regex> </constraint> + <constraintErrorMessage>Service name must be alphanumeric and can contain hyphens and underscores</constraintErrorMessage> <multi/> </properties> </leafNode> diff --git a/interface-definitions/service-monitoring-zabbix-agent.xml.in b/interface-definitions/service-monitoring-zabbix-agent.xml.in new file mode 100644 index 000000000..40f2df642 --- /dev/null +++ b/interface-definitions/service-monitoring-zabbix-agent.xml.in @@ -0,0 +1,193 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="service"> + <children> + <node name="monitoring"> + <children> + <node name="zabbix-agent" owner="${vyos_conf_scripts_dir}/service_monitoring_zabbix-agent.py"> + <properties> + <help>Zabbix-agent settings</help> + </properties> + <children> + <leafNode name="directory"> + <properties> + <help>Folder containing individual Zabbix-agent configuration files</help> + <constraint> + <validator name="file-path" argument="--directory"/> + </constraint> + </properties> + </leafNode> + <leafNode name="host-name"> + <properties> + <help>Zabbix agent hostname</help> + <constraint> + #include <include/constraint/host-name.xml.i> + </constraint> + <constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage> + </properties> + </leafNode> + <node name="limits"> + <properties> + <help>Limit settings</help> + </properties> + <children> + <leafNode name="buffer-flush-interval"> + <properties> + <help>Do not keep data longer than N seconds in buffer</help> + <valueHelp> + <format>u32:1-3600</format> + <description>Seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-3600"/> + </constraint> + <constraintErrorMessage>buffer-flush-interval must be between 1 and 3600 seconds</constraintErrorMessage> + </properties> + <defaultValue>5</defaultValue> + </leafNode> + <leafNode name="buffer-size"> + <properties> + <help>Maximum number of values in a memory buffer</help> + <valueHelp> + <format>u32:2-65535</format> + <description>Maximum number of values in a memory buffer</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 2-65535"/> + </constraint> + <constraintErrorMessage>Buffer-size must be between 2 and 65535</constraintErrorMessage> + </properties> + <defaultValue>100</defaultValue> + </leafNode> + </children> + </node> + <node name="log"> + <properties> + <help>Log settings</help> + </properties> + <children> + <leafNode name="debug-level"> + <properties> + <help>Debug level</help> + <completionHelp> + <list>basic critical error warning debug extended-debug</list> + </completionHelp> + <valueHelp> + <format>basic</format> + <description>Basic information</description> + </valueHelp> + <valueHelp> + <format>critical</format> + <description>Critical information</description> + </valueHelp> + <valueHelp> + <format>error</format> + <description>Error information</description> + </valueHelp> + <valueHelp> + <format>warning</format> + <description>Warnings</description> + </valueHelp> + <valueHelp> + <format>debug</format> + <description>Debug information</description> + </valueHelp> + <valueHelp> + <format>extended-debug</format> + <description>Extended debug information</description> + </valueHelp> + <constraint> + <regex>(basic|critical|error|warning|debug|extended-debug)</regex> + </constraint> + </properties> + <defaultValue>warning</defaultValue> + </leafNode> + <leafNode name="remote-commands"> + <properties> + <help>Enable logging of executed shell commands as warnings</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="size"> + <properties> + <help>Log file size in megabytes</help> + <valueHelp> + <format>u32:0-1024</format> + <description>Megabytes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-1024"/> + </constraint> + <constraintErrorMessage>Size must be between 0 and 1024 Megabytes</constraintErrorMessage> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + </children> + </node> + #include <include/listen-address.xml.i> + <leafNode name="listen-address"> + <defaultValue>0.0.0.0</defaultValue> + </leafNode> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>10050</defaultValue> + </leafNode> + <leafNode name="server"> + <properties> + <help>Remote server to connect to</help> + <valueHelp> + <format>ipv4</format> + <description>Server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Server IPv6 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Server hostname/FQDN</description> + </valueHelp> + <multi/> + </properties> + </leafNode> + <tagNode name="server-active"> + <properties> + <help>Remote server address to get active checks from</help> + <valueHelp> + <format>ipv4</format> + <description>Server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Server IPv6 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Server hostname/FQDN</description> + </valueHelp> + </properties> + <children> + #include <include/port-number.xml.i> + </children> + </tagNode> + <leafNode name="timeout"> + <properties> + <help>Item processing timeout in seconds</help> + <valueHelp> + <format>u32:1-30</format> + <description>Item processing timeout</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-30"/> + </constraint> + <constraintErrorMessage>Timeout must be between 1 and 30 seconds</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in index abdede979..6db4dbfc7 100644 --- a/interface-definitions/system-ip.xml.in +++ b/interface-definitions/system-ip.xml.in @@ -48,6 +48,64 @@ </leafNode> </children> </node> + <node name="tcp"> + <properties> + <help>IPv4 TCP parameters</help> + </properties> + <children> + <node name="mss"> + <properties> + <help>IPv4 TCP MSS probing options</help> + </properties> + <children> + <leafNode name="probing"> + <properties> + <help>Attempt to lower the MSS if TCP connections fail to establish</help> + <completionHelp> + <list>on-icmp-black-hole force</list> + </completionHelp> + <valueHelp> + <format>on-icmp-black-hole</format> + <description>Attempt TCP MSS probing when an ICMP black hole is detected</description> + </valueHelp> + <valueHelp> + <format>force</format> + <description>Attempt TCP MSS probing by default</description> + </valueHelp> + <constraint> + <regex>(on-icmp-black-hole|force)</regex> + </constraint> + <constraintErrorMessage>Must be on-icmp-black-hole or force</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="base"> + <properties> + <help>Base MSS to start probing from (applicable to "probing force")</help> + <valueHelp> + <format>u32:48-1460</format> + <description>Base MSS value for probing (default: 1024)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 48-1460"/> + </constraint> + </properties> + </leafNode> + <leafNode name="floor"> + <properties> + <help>Minimum MSS to stop probing at (default: 48)</help> + <valueHelp> + <format>u32:48-1460</format> + <description>Minimum MSS value to probe</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 48-1460"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </node> #include <include/system-ip-protocol.xml.i> </children> </node> diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index be4f53c3b..71db8b1d6 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -184,6 +184,13 @@ <leafNode name="home-directory"> <properties> <help>Home directory</help> + <valueHelp> + <format>txt</format> + <description>Path to home directory</description> + </valueHelp> + <constraint> + <regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex> + </constraint> </properties> </leafNode> </children> @@ -193,20 +200,7 @@ <children> <tagNode name="server"> <children> - <leafNode name="timeout"> - <properties> - <help>Session timeout</help> - <valueHelp> - <format>u32:1-30</format> - <description>Session timeout in seconds</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-30"/> - </constraint> - <constraintErrorMessage>Timeout must be between 1 and 30 seconds</constraintErrorMessage> - </properties> - <defaultValue>2</defaultValue> - </leafNode> + #include <include/radius-timeout.xml.i> <leafNode name="priority"> <properties> <help>Server priority</help> @@ -225,6 +219,50 @@ #include <include/interface/vrf.xml.i> </children> </node> + <node name="tacacs"> + <properties> + <help>TACACS+ based user authentication</help> + </properties> + <children> + <tagNode name="server"> + <properties> + <help>TACACS+ server configuration</help> + <valueHelp> + <format>ipv4</format> + <description>TACACS+ server IPv4 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + <children> + #include <include/generic-disable-node.xml.i> + #include <include/radius-server-key.xml.i> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>49</defaultValue> + </leafNode> + </children> + </tagNode> + <leafNode name="source-address"> + <properties> + <help>Source IP used to communicate with TACACS+ server</help> + <completionHelp> + <script>${vyos_completion_dir}/list_local_ips.sh --ipv4</script> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>IPv4 source address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + #include <include/radius-timeout.xml.i> + #include <include/interface/vrf.xml.i> + </children> + </node> <leafNode name="max-login-session"> <properties> <help>Maximum number of all login sessions</help> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index 0fa349e0b..b1b5f7fae 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -36,7 +36,7 @@ <properties> <help>System keyboard layout, type ISO2</help> <completionHelp> - <list>us uk fr de es fi jp106 no dk dvorak</list> + <list>us uk fr de es fi jp106 no dk se-latin1 dvorak</list> </completionHelp> <valueHelp> <format>us</format> @@ -75,11 +75,15 @@ <description>Denmark</description> </valueHelp> <valueHelp> + <format>se-latin1</format> + <description>Sweden</description> + </valueHelp> + <valueHelp> <format>dvorak</format> <description>Dvorak</description> </valueHelp> <constraint> - <regex>(us|uk|fr|de|es|fi|jp106|no|dk|dvorak)</regex> + <regex>(us|uk|fr|de|es|fi|jp106|no|dk|se-latin1|dvorak)</regex> </constraint> <constraintErrorMessage>Invalid keyboard layout</constraintErrorMessage> </properties> @@ -140,6 +144,26 @@ <valueless/> </properties> </leafNode> + <leafNode name="time-format"> + <properties> + <help>System time-format</help> + <completionHelp> + <list>12-hour 24-hour</list> + </completionHelp> + <valueHelp> + <format>12-hour</format> + <description>12 hour time format</description> + </valueHelp> + <valueHelp> + <format>24-hour</format> + <description>24 hour time format</description> + </valueHelp> + <constraint> + <regex>(12-hour|24-hour)</regex> + </constraint> + </properties> + <defaultValue>12-hour</defaultValue> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/vpp.xml.in b/interface-definitions/vpp.xml.in new file mode 100644 index 000000000..3f0758c0a --- /dev/null +++ b/interface-definitions/vpp.xml.in @@ -0,0 +1,342 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="vpp" owner="${vyos_conf_scripts_dir}/vpp.py"> + <properties> + <help>Accelerated data-plane</help> + <priority>295</priority> + </properties> + <children> + <node name="cpu"> + <properties> + <help>CPU settings</help> + </properties> + <children> + <leafNode name="corelist-workers"> + <properties> + <help>List of cores worker threads</help> + <valueHelp> + <format><id></format> + <description>CPU core id</description> + </valueHelp> + <valueHelp> + <format><idN>-<idM></format> + <description>CPU core id range (use '-' as delimiter)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-512"/> + </constraint> + <constraintErrorMessage>not a valid CPU core value or range</constraintErrorMessage> + <multi/> + </properties> + </leafNode> + <leafNode name="main-core"> + <properties> + <help>Main core</help> + <valueHelp> + <format>u32:0-512</format> + <description>Assign main thread to specific core</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + <leafNode name="skip-cores"> + <properties> + <help>Skip cores</help> + <valueHelp> + <format>u32:0-512</format> + <description>Skip cores</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + <leafNode name="workers"> + <properties> + <help>Create worker threads</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Worker threads</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-512"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + <tagNode name="interface"> + <properties> + <help>Interface</help> + <valueHelp> + <format>ethN</format> + <description>Interface name</description> + </valueHelp> + <constraint> + <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex> + </constraint> + <constraintErrorMessage>Invalid interface name</constraintErrorMessage> + </properties> + <children> + <leafNode name="num-rx-desc"> + <properties> + <help>Number of receive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of receive ring descriptors</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-tx-desc"> + <properties> + <help>Number of tranceive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of tranceive ring descriptors</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-rx-queues"> + <properties> + <help>Number of receive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of receive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name="num-tx-queues"> + <properties> + <help>Number of tranceive ring descriptors</help> + <valueHelp> + <format>u32:256-8192</format> + <description>Number of tranceive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 256-8192"/> + </constraint> + </properties> + </leafNode> + <leafNode name='pci'> + <properties> + <help>PCI address allocation</help> + <valueHelp> + <format>auto</format> + <description>Auto detect PCI address</description> + </valueHelp> + <valueHelp> + <format><xxxx:xx:xx.x></format> + <description>Set Peripheral Component Interconnect (PCI) address</description> + </valueHelp> + <constraint> + <regex>(auto|[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-9a-fA-F])</regex> + </constraint> + </properties> + <defaultValue>auto</defaultValue> + </leafNode> + <leafNode name="rx-mode"> + <properties> + <help>Receive packet processing mode</help> + <completionHelp> + <list>polling interrupt adaptive</list> + </completionHelp> + <valueHelp> + <format>polling</format> + <description>Constantly check for new data</description> + </valueHelp> + <valueHelp> + <format>interrupt</format> + <description>Interrupt mode</description> + </valueHelp> + <valueHelp> + <format>adaptive</format> + <description>Adaptive mode</description> + </valueHelp> + <constraint> + <regex>(polling|interrupt|adaptive)</regex> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + <node name="ip"> + <properties> + <help>IP settings</help> + </properties> + <children> + <leafNode name="heap-size"> + <properties> + <help>IPv4 heap size</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>32</defaultValue> + </leafNode> + </children> + </node> + <node name="ip6"> + <properties> + <help>IPv6 settings</help> + </properties> + <children> + <leafNode name="heap-size"> + <properties> + <help>IPv6 heap size</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Amount of memory (in Mbytes) dedicated to the destination IP lookup table</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>32</defaultValue> + </leafNode> + <leafNode name="hash-buckets"> + <properties> + <help>IPv6 forwarding table hash buckets</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>IPv6 forwarding table hash buckets</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>65536</defaultValue> + </leafNode> + </children> + </node> + <node name="l2learn"> + <properties> + <help>Level 2 MAC address learning settings</help> + </properties> + <children> + <leafNode name="limit"> + <properties> + <help>Number of MAC addresses in the L2 FIB</help> + <valueHelp> + <format>u32:1-4294967295</format> + <description>Number of concurent entries</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-4294967295"/> + </constraint> + </properties> + <defaultValue>4194304</defaultValue> + </leafNode> + </children> + </node> + <node name="logging"> + <properties> + <help>Loggint settings</help> + </properties> + <children> + <leafNode name="default-log-level"> + <properties> + <help>default-log-level</help> + <completionHelp> + <list>alert crit debug disabled emerg err info notice warn</list> + </completionHelp> + <valueHelp> + <format>alert</format> + <description>Alert</description> + </valueHelp> + <valueHelp> + <format>crit</format> + <description>Critical</description> + </valueHelp> + <valueHelp> + <format>debug</format> + <description>Debug</description> + </valueHelp> + <valueHelp> + <format>disabled</format> + <description>Disabled</description> + </valueHelp> + <valueHelp> + <format>emerg</format> + <description>Emergency</description> + </valueHelp> + <valueHelp> + <format>err</format> + <description>Error</description> + </valueHelp> + <valueHelp> + <format>info</format> + <description>Informational</description> + </valueHelp> + <valueHelp> + <format>notice</format> + <description>Notice</description> + </valueHelp> + <valueHelp> + <format>warn</format> + <description>Warning</description> + </valueHelp> + <constraint> + <regex>(alert|crit|debug|disabled|emerg|err|info|notice|warn)</regex> + </constraint> + </properties> + </leafNode> + </children> + </node> + <node name="physmem"> + <properties> + <help>Memory settings</help> + </properties> + <children> + <leafNode name="max-size"> + <properties> + <help>Set memory size for protectable memory allocator (pmalloc) memory space</help> + <valueHelp> + <format><number>m</format> + <description>Megabyte</description> + </valueHelp> + <valueHelp> + <format><number>g</format> + <description>Gigabyte</description> + </valueHelp> + </properties> + </leafNode> + </children> + </node> + <node name="unix"> + <properties> + <help>Unix settings</help> + </properties> + <children> + <leafNode name="poll-sleep-usec"> + <properties> + <help>Add a fixed-sleep between main loop poll</help> + <valueHelp> + <format>u32:0-4294967295</format> + <description>Number of receive queues</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967295"/> + </constraint> + </properties> + <defaultValue>0</defaultValue> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in index e05f64643..8c9e816d1 100644 --- a/interface-definitions/xml-component-version.xml.in +++ b/interface-definitions/xml-component-version.xml.in @@ -10,6 +10,7 @@ #include <include/version/dhcp-relay-version.xml.i> #include <include/version/dhcp-server-version.xml.i> #include <include/version/dhcpv6-server-version.xml.i> + #include <include/version/dns-dynamic-version.xml.i> #include <include/version/dns-forwarding-version.xml.i> #include <include/version/firewall-version.xml.i> #include <include/version/flow-accounting-version.xml.i> |