Diffstat (limited to 'interface-definitions')
-rw-r--r--interface-definitions/containers.xml.in1
-rw-r--r--interface-definitions/cron.xml.in3
-rw-r--r--interface-definitions/dhcpv6-server.xml.in12
-rw-r--r--interface-definitions/firewall.xml.in782
-rw-r--r--interface-definitions/https.xml.in19
-rw-r--r--interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i14
-rw-r--r--interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i30
-rw-r--r--interface-definitions/include/accel-ppp/radius-additions.xml.i6
-rw-r--r--interface-definitions/include/auth-local-users.xml.i22
-rw-r--r--interface-definitions/include/bgp/afi-common.xml.i12
-rw-r--r--interface-definitions/include/bgp/afi-l2vpn-common.xml.i13
-rw-r--r--interface-definitions/include/bgp/protocol-common-config.xml.i56
-rw-r--r--interface-definitions/include/bgp/route-distinguisher.xml.i14
-rw-r--r--interface-definitions/include/conntrack-module-disable.xml.i8
-rw-r--r--interface-definitions/include/dhcp-interface.xml.i15
-rw-r--r--interface-definitions/include/firewall/action-accept-drop-reject.xml.i25
-rw-r--r--interface-definitions/include/firewall/action.xml.i21
-rw-r--r--interface-definitions/include/firewall/address-ipv6.xml.i37
-rw-r--r--interface-definitions/include/firewall/address.xml.i39
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i326
-rw-r--r--interface-definitions/include/firewall/icmp-type-name.xml.i173
-rw-r--r--interface-definitions/include/firewall/log.xml.i15
-rw-r--r--interface-definitions/include/firewall/name-default-action.xml.i25
-rw-r--r--interface-definitions/include/firewall/name-default-log.xml.i8
-rw-r--r--interface-definitions/include/firewall/port.xml.i23
-rw-r--r--interface-definitions/include/firewall/source-destination-group.xml.i24
-rw-r--r--interface-definitions/include/generic-description.xml.i (renamed from interface-definitions/include/policy/description.xml.i)2
-rw-r--r--interface-definitions/include/interface/authentication.xml.i27
-rw-r--r--interface-definitions/include/interface/interface-eapol.xml.i5
-rw-r--r--interface-definitions/include/interface/interface-parameters-key.xml.i2
-rw-r--r--interface-definitions/include/interface/vif.xml.i14
-rw-r--r--interface-definitions/include/ip-protocol.xml.i17
-rw-r--r--interface-definitions/include/ipsec/authentication-id.xml.i11
-rw-r--r--interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i11
-rw-r--r--interface-definitions/include/ipsec/authentication-rsa.xml.i30
-rw-r--r--interface-definitions/include/ipsec/authentication-x509.xml.i11
-rw-r--r--interface-definitions/include/ipsec/esp-group.xml.i10
-rw-r--r--interface-definitions/include/ipsec/ike-group.xml.i10
-rw-r--r--interface-definitions/include/ipsec/local-address.xml.i27
-rw-r--r--interface-definitions/include/ipsec/local-traffic-selector.xml.i28
-rw-r--r--interface-definitions/include/isis/default-information-level.xml.i32
-rw-r--r--interface-definitions/include/isis/metric.xml.i14
-rw-r--r--interface-definitions/include/isis/protocol-common-config.xml.i128
-rw-r--r--interface-definitions/include/isis/redistribute-ipv6.xml.i42
-rw-r--r--interface-definitions/include/nat-translation-options.xml.i51
-rw-r--r--interface-definitions/include/pki/ca-certificate.xml.i14
-rw-r--r--interface-definitions/include/pki/certificate-key.xml.i12
-rw-r--r--interface-definitions/include/pki/certificate.xml.i14
-rw-r--r--interface-definitions/include/pki/private-key.xml.i30
-rw-r--r--interface-definitions/include/pki/public-key.xml.i14
-rw-r--r--interface-definitions/include/radius-nas-identifier.xml.i7
-rw-r--r--interface-definitions/include/ssh-group.xml.i12
-rw-r--r--interface-definitions/include/ssh-user.xml.i12
-rw-r--r--interface-definitions/include/static/static-route.xml.i16
-rw-r--r--interface-definitions/include/vpn-ipsec-encryption.xml.i462
-rw-r--r--interface-definitions/include/vpn-ipsec-hash.xml.i128
-rw-r--r--interface-definitions/interfaces-bonding.xml.in14
-rw-r--r--interface-definitions/interfaces-ethernet.xml.in14
-rw-r--r--interface-definitions/interfaces-openvpn.xml.in79
-rw-r--r--interface-definitions/interfaces-pppoe.xml.in18
-rw-r--r--interface-definitions/interfaces-tunnel.xml.in36
-rw-r--r--interface-definitions/interfaces-vti.xml.in40
-rw-r--r--interface-definitions/interfaces-vxlan.xml.in1
-rw-r--r--interface-definitions/interfaces-wireguard.xml.in12
-rw-r--r--interface-definitions/interfaces-wirelessmodem.xml.in83
-rw-r--r--interface-definitions/interfaces-wwan.xml.in46
-rw-r--r--interface-definitions/ipsec-settings.xml.in24
-rw-r--r--interface-definitions/nat.xml.in2
-rw-r--r--interface-definitions/pki.xml.in209
-rw-r--r--interface-definitions/policy.xml.in136
-rw-r--r--interface-definitions/protocols-nhrp.xml.in134
-rw-r--r--interface-definitions/protocols-ospfv3.xml.in20
-rw-r--r--interface-definitions/service_conntrack-sync.xml.in8
-rw-r--r--interface-definitions/service_mdns-repeater.xml.in6
-rw-r--r--interface-definitions/service_pppoe-server.xml.in69
-rw-r--r--interface-definitions/service_router-advert.xml.in68
-rw-r--r--interface-definitions/snmp.xml.in20
-rw-r--r--interface-definitions/ssh.xml.in49
-rw-r--r--interface-definitions/system-conntrack.xml.in348
-rw-r--r--interface-definitions/system-sysctl.xml.in40
-rw-r--r--interface-definitions/vpn_ipsec.xml.in693
-rw-r--r--interface-definitions/vpn_l2tp.xml.in64
-rw-r--r--interface-definitions/vpn_openconnect.xml.in30
-rw-r--r--interface-definitions/vpn_pptp.xml.in1
-rw-r--r--interface-definitions/vpn_sstp.xml.in8
-rw-r--r--interface-definitions/vrf.xml.in8
86 files changed, 3955 insertions, 1241 deletions
diff --git a/interface-definitions/containers.xml.in b/interface-definitions/containers.xml.in
index 6fc53c105..124b1f65e 100644
--- a/interface-definitions/containers.xml.in
+++ b/interface-definitions/containers.xml.in
@@ -3,6 +3,7 @@
<node name="container" owner="${vyos_conf_scripts_dir}/containers.py">
<properties>
<help>Container applications</help>
+ <priority>1280</priority>
</properties>
<children>
<tagNode name="name">
diff --git a/interface-definitions/cron.xml.in b/interface-definitions/cron.xml.in
index ad2cb36ad..58dcf64ac 100644
--- a/interface-definitions/cron.xml.in
+++ b/interface-definitions/cron.xml.in
@@ -1,7 +1,4 @@
<?xml version="1.0"?>
-
-<!-- Cron configuration -->
-
<interfaceDefinition>
<node name="system">
<children>
diff --git a/interface-definitions/dhcpv6-server.xml.in b/interface-definitions/dhcpv6-server.xml.in
index a3cca06da..5d6c64685 100644
--- a/interface-definitions/dhcpv6-server.xml.in
+++ b/interface-definitions/dhcpv6-server.xml.in
@@ -360,6 +360,18 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="ipv6-prefix">
+ <properties>
+ <help>Client IPv6 prefix for this static mapping</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 prefix for this static mapping</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</tagNode>
</children>
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
new file mode 100644
index 000000000..f07c619a8
--- /dev/null
+++ b/interface-definitions/firewall.xml.in
@@ -0,0 +1,782 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="nfirewall" owner="${vyos_conf_scripts_dir}/firewall.py">
+ <properties>
+ <priority>199</priority>
+ <help>Firewall</help>
+ </properties>
+ <children>
+ <leafNode name="all-ping">
+ <properties>
+ <help>Policy for handling of all IPv4 ICMP echo requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of all IPv4 ICMP echo requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="broadcast-ping">
+ <properties>
+ <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="config-trap">
+ <properties>
+ <help>SNMP trap generation on firewall configuration changes</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable sending SNMP trap on firewall configuration change</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable sending SNMP trap on firewall configuration change</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="group">
+ <properties>
+ <help>Firewall group</help>
+ </properties>
+ <children>
+ <tagNode name="address-group">
+ <properties>
+ <help>Firewall address-group</help>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>Address-group member</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4range</format>
+ <description>IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-range"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/generic-description.xml.i>
+ </children>
+ </tagNode>
+ <tagNode name="ipv6-address-group">
+ <properties>
+ <help>Firewall ipv6-address-group</help>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>Address-group member</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-address"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/generic-description.xml.i>
+ </children>
+ </tagNode>
+ <tagNode name="ipv6-network-group">
+ <properties>
+ <help>Network-group member</help>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ <leafNode name="network">
+ <properties>
+ <help>Network-group member</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 address to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="network-group">
+ <properties>
+ <help>Firewall network-group</help>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ <leafNode name="network">
+ <properties>
+ <help>Network-group member</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 Subnet to match</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="port-group">
+ <properties>
+ <help>Firewall port-group</help>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ <leafNode name="port">
+ <properties>
+ <help>Port-group member</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Named port (any name in /etc/services, e.g., http)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numbered port</description>
+ </valueHelp>
+ <valueHelp>
+ <format>start-end</format>
+ <description>Numbered port range (e.g. 1001-1050)</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="ip-src-route">
+ <properties>
+ <help>Policy for handling IPv4 packets with source route option</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv4 packets with source route option</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="ipv6-name">
+ <properties>
+ <help>IPv6 firewall rule-set name</help>
+ </properties>
+ <children>
+ #include <include/firewall/name-default-action.xml.i>
+ #include <include/firewall/name-default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule number (1-9999)</help>
+ </properties>
+ <children>
+ #include <include/firewall/action.xml.i>
+ #include <include/generic-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address-ipv6.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ #include <include/firewall/common-rule.xml.i>
+ <node name="hop-limit">
+ <properties>
+ <help>Hop Limit</help>
+ </properties>
+ <children>
+ <leafNode name="eq">
+ <properties>
+ <help>Value to match a hop limit equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit equal to value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="gt">
+ <properties>
+ <help>Value to match a hop limit greater than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit greater than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lt">
+ <properties>
+ <help>Value to match a hop limit less than or equal to it</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>Hop limit less than value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="icmpv6">
+ <properties>
+ <help>ICMPv6 type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type-name</help>
+ <completionHelp>
+ <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list>
+ </completionHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Any ICMP type/code</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pong</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>destination-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>protocol-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>port-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fragmentation-needed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-route-failed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>communication-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-precedence-violation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>precedence-cutoff</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-quench</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ping</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-advertisement</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-solicitation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>time-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-transit</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-reassembly</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>parameter-problem</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-header-bad</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>required-option-missing</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="p2p">
+ <properties>
+ <help>P2P application packets</help>
+ </properties>
+ <children>
+ <leafNode name="all">
+ <properties>
+ <help>AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="applejuice">
+ <properties>
+ <help>AppleJuice application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="bittorrent">
+ <properties>
+ <help>BitTorrent application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="directconnect">
+ <properties>
+ <help>Direct Connect application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="edonkey">
+ <properties>
+ <help>eDonkey/eMule application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="gnutella">
+ <properties>
+ <help>Gnutella application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="kazaa">
+ <properties>
+ <help>KaZaA application packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <leafNode name="ipv6-receive-redirects">
+ <properties>
+ <help>Policy for handling received ICMPv6 redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received ICMPv6 redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="ipv6-src-route">
+ <properties>
+ <help>Policy for handling IPv6 packets with routing extension header</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of IPv6 packets with routing header type 2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of IPv6 packets with routing header</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="log-martians">
+ <properties>
+ <help>Policy for logging IPv4 packets with invalid addresses</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable logging of IPv4 packets with invalid addresses</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable logging of Ipv4 packets with invalid addresses</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <tagNode name="name">
+ <properties>
+ <help>IPv4 firewall rule-set name</help>
+ </properties>
+ <children>
+ #include <include/firewall/name-default-action.xml.i>
+ #include <include/firewall/name-default-log.xml.i>
+ #include <include/generic-description.xml.i>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule number (1-9999)</help>
+ </properties>
+ <children>
+ #include <include/firewall/action.xml.i>
+ #include <include/generic-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>Destination parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ <node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ #include <include/firewall/port.xml.i>
+ </children>
+ </node>
+ #include <include/firewall/common-rule.xml.i>
+ <node name="icmp">
+ <properties>
+ <help>ICMP type and code information</help>
+ </properties>
+ <children>
+ <leafNode name="code">
+ <properties>
+ <help>ICMP code (0-255)</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP code (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>ICMP type (0-255)</help>
+ <valueHelp>
+ <format>u32:0-255</format>
+ <description>ICMP type (0-255)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/firewall/icmp-type-name.xml.i>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <leafNode name="receive-redirects">
+ <properties>
+ <help>Policy for handling received IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable processing of received IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="send-redirects">
+ <properties>
+ <help>Policy for sending IPv4 ICMP redirect messages</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable sending IPv4 ICMP redirect messages</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="source-validation">
+ <properties>
+ <help>Policy for source validation by reversed path, as specified in RFC3704</help>
+ <completionHelp>
+ <list>strict loose disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>strict</format>
+ <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>loose</format>
+ <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>No source validation</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(strict|loose|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="state-policy">
+ <properties>
+ <help>Global firewall state-policy</help>
+ </properties>
+ <children>
+ <node name="established">
+ <properties>
+ <help>Global firewall policy for packets part of an established connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ <node name="invalid">
+ <properties>
+ <help>Global firewall policy for packets part of an invalid connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ <node name="related">
+ <properties>
+ <help>Global firewall policy for packets part of a related connection</help>
+ </properties>
+ <children>
+ #include <include/firewall/action-accept-drop-reject.xml.i>
+ #include <include/firewall/log.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="syn-cookies">
+ <properties>
+ <help>Policy for using TCP SYN cookies with IPv4</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable use of TCP SYN cookies with IPv4</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="twa-hazards-protection">
+ <properties>
+ <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable RFC1337 TIME-WAIT hazards protection</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+</interfaceDefinition>
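Review bot: Both `rule` tagNodes (the IPv6 one at the `<tagNode name="rule">` under `ipv6-name` and the IPv4 one under `name`) advertise "Rule number (1-9999)" in their help text but carry no `<constraint>`, so any tag value is accepted; the numeric validator used elsewhere in this file fits directly: `<constraint>` / `<validator name="numeric" argument="--range 1-9999"/>` / `</constraint>` inside each `<properties>`. The `port-group` member leaf `port` likewise lists txt, u32:1-65535 and start-end formats but has no constraint at all, unlike every other group member in this file. In the `icmpv6` `type` leaf the completion list and the regex both contain the token `TOS host-redirect` with a space (the adjacent entries use `TOS-host-redirect`), which cannot be entered as one CLI token and looks like a typo; the same list also reuses IPv4-only ICMP names (fragmentation-needed, source-quench, timestamp-request, address-mask-request) under a node whose help says "ICMPv6 type and code information", which is presumably a copy from the IPv4 rule set and worth confirming. Finally, `hop-limit gt`/`lt` say "greater than or equal to" / "less than or equal to" in `<help>` but "greater than value" / "less than value" in `<description>`; one of the two should be corrected so the operator semantics are unambiguous, and `assasination` (twa-hazards-protection) and `Ipv4` (log-martians) are spelling slips.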
diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index b613e30c1..b65a89b56 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -1,7 +1,7 @@
<?xml version="1.0"?>
<!-- HTTPS configuration -->
<interfaceDefinition>
- <syntaxVersion component='https' version='2'></syntaxVersion>
+ <syntaxVersion component='https' version='3'></syntaxVersion>
<node name="service">
<children>
<node name="https" owner="${vyos_conf_scripts_dir}/https.py">
@@ -123,22 +123,7 @@
<help>TLS certificates</help>
</properties>
<children>
- <node name="system-generated-certificate" owner="${vyos_conf_scripts_dir}/vyos_cert.py">
- <properties>
- <help>Use an automatically generated self-signed certificate</help>
- </properties>
- <children>
- <leafNode name="lifetime">
- <properties>
- <help>Lifetime in days; default is 365</help>
- <valueHelp>
- <format>1-65535</format>
- <description>Number of days</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
+ #include <include/pki/certificate.xml.i>
<node name="certbot" owner="${vyos_conf_scripts_dir}/le_cert.py">
<properties>
<help>Request or apply a letsencrypt certificate for domain-name</help>
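Review bot: The `#include <include/pki/certificate.xml.i>` replaces a `system-generated-certificate` node that had its own `owner` script (`vyos_cert.py`) and a `lifetime` leaf, and the `syntaxVersion` is bumped from 2 to 3 in the first hunk; nothing in this section shows how an existing `service https certificates system-generated-certificate` configuration is carried forward, so a migration script for version 3 is presumably part of this change and should be referenced, e.g. with a comment next to the syntaxVersion line: `<!-- version 3: system-generated-certificate replaced by pki certificate reference -->`. The included file is not visible here, so whether a certificate reference is required or optional cannot be judged from this hunk.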
diff --git a/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i b/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i
new file mode 100644
index 000000000..9f223d7ed
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/ppp-interface-cache.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from accel-ppp/ppp-interface-cache.xml.i -->
+<leafNode name="interface-cache">
+ <properties>
+ <help>PPP interface cache</help>
+ <valueHelp>
+ <format>1-256000</format>
+ <description>Count of interfaces to keep in cache</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-256000"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
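Review bot: The value format on the new `interface-cache` leaf is written as `<format>1-256000</format>`, whereas the rest of this commit uses the typed form (`u32:1-65535`, `u32:0-255`) for numeric ranges; for consistency with the other definitions it should read `<format>u32:1-256000</format>`. The numeric validator with `--range 1-256000` matches the help text, so the constraint itself is fine.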
diff --git a/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i
new file mode 100644
index 000000000..cd40a1f96
--- /dev/null
+++ b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from accel-ppp/ppp-options-ipv6.xml.i -->
+<leafNode name="ipv6">
+ <properties>
+ <help>IPv6 (IPCP6) negotiation algorithm</help>
+ <constraint>
+ <regex>^(deny|allow|prefer|require)$</regex>
+ </constraint>
+ <constraintErrorMessage>invalid value</constraintErrorMessage>
+ <valueHelp>
+ <format>deny</format>
+ <description>Do not negotiate IPv6</description>
+ </valueHelp>
+ <valueHelp>
+ <format>allow</format>
+ <description>Negotiate IPv6 only if client requests</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prefer</format>
+ <description>Ask client for IPv6 negotiation, do not fail if it rejects</description>
+ </valueHelp>
+ <valueHelp>
+ <format>require</format>
+ <description>Require IPv6 negotiation</description>
+ </valueHelp>
+ <completionHelp>
+ <list>deny allow prefer require</list>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
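Review bot: The `constraintErrorMessage` on L1000 reads just `invalid value`, which tells the operator nothing about the accepted set, even though the regex on L998 is a closed enumeration that the message could simply echo: `<constraintErrorMessage>Must be one of: deny, allow, prefer, require</constraintErrorMessage>`. The four `valueHelp` entries already explain each choice, so the message only needs to name them.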
diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i
index e65088c43..fdcff36bf 100644
--- a/interface-definitions/include/accel-ppp/radius-additions.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i
@@ -88,11 +88,7 @@
</properties>
<defaultValue>3</defaultValue>
</leafNode>
- <leafNode name="nas-identifier">
- <properties>
- <help>NAS-Identifier attribute sent to RADIUS</help>
- </properties>
- </leafNode>
+ #include <include/radius-nas-identifier.xml.i>
<leafNode name="nas-ip-address">
<properties>
<help>NAS-IP-Address attribute sent to RADIUS</help>
diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i
new file mode 100644
index 000000000..8ef09554e
--- /dev/null
+++ b/interface-definitions/include/auth-local-users.xml.i
@@ -0,0 +1,22 @@
+<!-- include start from auth-local-users.xml.i -->
+<node name="local-users">
+ <properties>
+ <help>Local user authentication</help>
+ </properties>
+ <children>
+ <tagNode name="username">
+ <properties>
+ <help>Username used for authentication</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="password">
+ <properties>
+ <help>Password used for authentication</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+</node>
+<!-- include end -->
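Review bot: Both the `username` tag node (L1052) and the `password` leaf (L1058) accept unconstrained free text with no `valueHelp`, which for a credential node leaves the accepted character set and the storage behaviour undocumented. The file the owner script renders these into is not visible here, but if it is a line-oriented secrets file a username containing whitespace or `#` would corrupt it, so a regex constraint on the tag node would be a cheap guard. On the password leaf a `valueHelp` such as `<format>txt</format>` / `<description>Password used for authentication (stored as entered)</description>` makes the contract explicit; confirm the storage wording against the owner script before adopting it.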
diff --git a/interface-definitions/include/bgp/afi-common.xml.i b/interface-definitions/include/bgp/afi-common.xml.i
index 20b0dda66..62beff40c 100644
--- a/interface-definitions/include/bgp/afi-common.xml.i
+++ b/interface-definitions/include/bgp/afi-common.xml.i
@@ -88,6 +88,18 @@
</constraint>
</properties>
</leafNode>
+<leafNode name="maximum-prefix-out">
+ <properties>
+ <help>Maximum number of prefixes to be sent to this peer</help>
+ <valueHelp>
+ <format>u32:1-4294967295</format>
+ <description>Prefix limit</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4294967295"/>
+ </constraint>
+ </properties>
+</leafNode>
#include <include/bgp/afi-nexthop-self.xml.i>
<leafNode name="remove-private-as">
<properties>
diff --git a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
index 1673f25a5..aaa69e6c8 100644
--- a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
+++ b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i
@@ -11,17 +11,6 @@
<valueless/>
</properties>
</leafNode>
-<leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description>
- </valueHelp>
- <constraint>
- <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex>
- </constraint>
- </properties>
-</leafNode>
+#include <include/bgp/route-distinguisher.xml.i>
#include <include/bgp/route-target.xml.i>
<!-- include end -->
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index e6b81ceb1..552e85aa4 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -372,18 +372,7 @@
</constraint>
</properties>
<children>
- <leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, asn:xxx</description>
- </valueHelp>
- <constraint>
- <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/bgp/route-distinguisher.xml.i>
<leafNode name="label">
<properties>
<help>MPLS label value assigned to route</help>
@@ -772,18 +761,7 @@
</constraint>
</properties>
<children>
- <leafNode name="rd">
- <properties>
- <help>Route Distinguisher</help>
- <valueHelp>
- <format>txt</format>
- <description>Route Distinguisher, asn:xxx</description>
- </valueHelp>
- <constraint>
- <regex>^[0-9]{1,10}:[0-9]{1,5}$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/bgp/route-distinguisher.xml.i>
<leafNode name="label">
<properties>
<help>MPLS label value assigned to route</help>
@@ -1038,6 +1016,12 @@
</leafNode>
#include <include/bgp/remote-as.xml.i>
#include <include/bgp/neighbor-shutdown.xml.i>
+ <leafNode name="solo">
+ <properties>
+ <help>Do not send back prefixes learned from the neighbor</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<leafNode name="strict-capability-match">
<properties>
<help>Enable strict capability negotiation</help>
@@ -1114,6 +1098,29 @@
</leafNode>
</children>
</node>
+ <leafNode name="bandwidth">
+ <properties>
+ <help>Link Bandwidth attribute</help>
+ <completionHelp>
+ <list>default-weight-for-missing ignore skip-missing</list>
+ </completionHelp>
+ <valueHelp>
+ <format>default-weight-for-missing</format>
+ <description>Assign low default weight (1) to paths not having link bandwidth</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ignore</format>
+ <description>Ignore link bandwidth (do regular ECMP, not weighted)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>skip-missing</format>
+ <description>Ignore paths without link bandwidth for ECMP (if other paths have it)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(default-weight-for-missing|ignore|skip-missing)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="compare-routerid">
<properties>
<help>Compare the router-id for identical EBGP paths</help>
@@ -1180,6 +1187,7 @@
<constraint>
<validator name="numeric" argument="--range 1-4294967294"/>
</constraint>
+ <multi/>
</properties>
</leafNode>
</children>
diff --git a/interface-definitions/include/bgp/route-distinguisher.xml.i b/interface-definitions/include/bgp/route-distinguisher.xml.i
new file mode 100644
index 000000000..fdfbe7076
--- /dev/null
+++ b/interface-definitions/include/bgp/route-distinguisher.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from bgp/route-distinguisher.xml.i -->
+<leafNode name="rd">
+ <properties>
+ <help>Route Distinguisher</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
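Review bot: The regex on L1224 is looser than the formats it documents: the last octet alternative is `[0-9]?`, so an empty octet is accepted and a value like `...:1` passes as an IPv4-form RD, and the numeric branches `[0-9]{1,10}` / `[0-9]{1,5}` admit values above 4294967295 and 65535. Changing the octet group to `(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])` closes the empty-octet hole: `<regex>^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}|[0-9]{1,10}):[0-9]{1,5}$</regex>`. The numeric upper bounds cannot be expressed cleanly in a regex, so unless the routing daemon rejects out-of-range values at commit time (not visible here) they would need a validator script. Note that this include also replaces the ASN-only regex previously used in protocol-common-config.xml.i, so the IPv4-form RD is newly accepted at those two sites.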
diff --git a/interface-definitions/include/conntrack-module-disable.xml.i b/interface-definitions/include/conntrack-module-disable.xml.i
new file mode 100644
index 000000000..f891225e0
--- /dev/null
+++ b/interface-definitions/include/conntrack-module-disable.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from conntrack-module-disable.xml.i -->
+<leafNode name="disable">
+ <properties>
+ <help>Disable connection tracking helper</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/dhcp-interface.xml.i b/interface-definitions/include/dhcp-interface.xml.i
new file mode 100644
index 000000000..939b45f15
--- /dev/null
+++ b/interface-definitions/include/dhcp-interface.xml.i
@@ -0,0 +1,15 @@
+ <leafNode name="dhcp-interface">
+ <properties>
+ <help>DHCP interface supplying next-hop IP address</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>DHCP interface name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="interface-name"/>
+ </constraint>
+ </properties>
+ </leafNode>
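Review bot: This include lacks the `<!-- include start from dhcp-interface.xml.i -->` / `<!-- include end -->` marker comments that every other new include in this change carries (compare L1235 and L1242), and its content is indented by one extra space relative to them, so the generated XML will be inconsistently indented wherever it is spliced in. Add the two marker lines and dedent the block to column 0 to match the convention.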
diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
new file mode 100644
index 000000000..9f8baa884
--- /dev/null
+++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/action-accept-drop-reject.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Action for packets</help>
+ <completionHelp>
+ <list>accept drop reject</list>
+ </completionHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Action to accept</description>
+ </valueHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Action to drop</description>
+ </valueHelp>
+ <valueHelp>
+ <format>reject</format>
+ <description>Action to reject</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(accept|drop|reject)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
new file mode 100644
index 000000000..230f590cb
--- /dev/null
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -0,0 +1,21 @@
+<!-- include start from firewall/action.xml.i -->
+<leafNode name="action">
+ <properties>
+ <help>Rule action [REQUIRED]</help>
+ <completionHelp>
+ <list>permit deny</list>
+ </completionHelp>
+ <valueHelp>
+ <format>permit</format>
+ <description>Permit matching entries</description>
+ </valueHelp>
+ <valueHelp>
+ <format>deny</format>
+ <description>Deny matching entries</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(permit|deny)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/address-ipv6.xml.i b/interface-definitions/include/firewall/address-ipv6.xml.i
new file mode 100644
index 000000000..fa60c0c8a
--- /dev/null
+++ b/interface-definitions/include/firewall/address-ipv6.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/address-ipv6.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IP address, subnet, or range</help>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IP address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Subnet to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6range</format>
+ <description>IP range to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6</format>
+ <description>Match everything except the specified address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6net</format>
+ <description>Match everything except the specified prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv6range</format>
+ <description>Match everything except the specified range</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6"/>
+ <validator name="ipv6-exclude"/>
+ <validator name="ipv6-range"/>
+ <validator name="ipv6-range-exclude"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
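Review bot: The `valueHelp` entries on L1337 and L1349 advertise `ipv6net` and `!ipv6net`, but the constraint list on L1357-L1360 has no prefix or prefix-exclude validator, unlike the IPv4 counterpart in address.xml.i, which lists `ipv4-prefix` and `ipv4-prefix-exclude` separately. Unless the `ipv6` / `ipv6-exclude` validators already accept prefix notation (not visible here), a value such as `!2001:db8::/32` would be rejected while the help text says it is valid; either add the matching prefix validators, if they exist, or drop the two misleading `valueHelp` entries.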
diff --git a/interface-definitions/include/firewall/address.xml.i b/interface-definitions/include/firewall/address.xml.i
new file mode 100644
index 000000000..2e1bde5a5
--- /dev/null
+++ b/interface-definitions/include/firewall/address.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/address.xml.i -->
+<leafNode name="address">
+ <properties>
+ <help>IP address, subnet, or range</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4range</format>
+ <description>IPv4 address range to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4</format>
+ <description>Match everything except the specified address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4net</format>
+ <description>Match everything except the specified prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!ipv4range</format>
+ <description>Match everything except the specified range</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv4-range"/>
+ <validator name="ipv4-address-exclude"/>
+ <validator name="ipv4-prefix-exclude"/>
+ <validator name="ipv4-range-exclude"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
new file mode 100644
index 000000000..1ee8da73d
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -0,0 +1,326 @@
+<!-- include start from firewall/common-rule.xml.i -->
+#include <include/firewall/action.xml.i>
+#include <include/generic-description.xml.i>
+<leafNode name="disable">
+ <properties>
+ <help>Option to disable firewall rule</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<node name="fragment">
+ <properties>
+ <help>IP fragment match</help>
+ </properties>
+ <children>
+ <leafNode name="match-frag">
+ <properties>
+ <help>Second and further fragments of fragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-non-frag">
+ <properties>
+ <help>Head fragments or unfragmented packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ </properties>
+ <children>
+ <leafNode name="match-ipsec">
+ <properties>
+ <help>Inbound IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-none">
+ <properties>
+ <help>Inbound non-IPsec packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="limit">
+ <properties>
+ <help>Rate limit using a token bucket filter</help>
+ </properties>
+ <children>
+ <leafNode name="burst">
+ <properties>
+ <help>Maximum number of packets to allow in excess of rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>burst__change_me</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rate">
+ <properties>
+ <help>Maximum average matching rate</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>rate__change_me</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<leafNode name="log">
+ <properties>
+ <help>Option to log packets matching rule</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable log</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable log</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol to match (protocol name, number, or "all")</help>
+ <completionHelp>
+ <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
+ </completionHelp>
+ <valueHelp>
+ <format>all</format>
+ <description>All IP protocols</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp_udp</format>
+ <description>Both TCP and UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>0-255</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;protocol&gt;</format>
+ <description>IP protocol number</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+ <defaultValue>all</defaultValue>
+</leafNode>
+<node name="recent">
+ <properties>
+ <help>Parameters for matching recently seen sources</help>
+ </properties>
+ <children>
+ <leafNode name="count">
+ <properties>
+ <help>Source addresses seen more than N times</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Source addresses seen more than N times</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="time">
+ <properties>
+ <help>Source addresses seen in the last N seconds</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Source addresses seen in the last N seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="source">
+ <properties>
+ <help>Source parameters</help>
+ </properties>
+ <children>
+ #include <include/firewall/address.xml.i>
+ #include <include/firewall/source-destination-group.xml.i>
+ <leafNode name="mac-address">
+ <properties>
+ <help>Source MAC address</help>
+ <valueHelp>
+ <format>&lt;MAC address&gt;</format>
+ <description>MAC address to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format>!&lt;MAC address&gt;</format>
+ <description>Match everything except the specified MAC address</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/firewall/port.xml.i>
+ </children>
+</node>
+<node name="state">
+ <properties>
+ <help>Session state</help>
+ </properties>
+ <children>
+ <leafNode name="established">
+ <properties>
+ <help>Established state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="invalid">
+ <properties>
+ <help>Invalid state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="new">
+ <properties>
+ <help>New state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="related">
+ <properties>
+ <help>Related state</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="tcp">
+ <properties>
+ <help>TCP flags to match</help>
+ </properties>
+ <children>
+ <leafNode name="flags">
+ <properties>
+ <help>TCP flags to match</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>TCP flags to match</description>
+ </valueHelp>
+ <valueHelp>
+ <format> </format>
+ <description>\n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<node name="time">
+ <properties>
+ <help>Time to match rule</help>
+ </properties>
+ <children>
+ <leafNode name="monthdays">
+ <properties>
+ <help>Monthdays to match rule on</help>
+ </properties>
+ </leafNode>
+ <leafNode name="startdate">
+ <properties>
+ <help>Date to start matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="starttime">
+ <properties>
+ <help>Time of day to start matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="stopdate">
+ <properties>
+ <help>Date to stop matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="stoptime">
+ <properties>
+ <help>Time of day to stop matching rule</help>
+ </properties>
+ </leafNode>
+ <leafNode name="utc">
+ <properties>
+ <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="weekdays">
+ <properties>
+ <help>Weekdays to match rule on</help>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
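Review bot: L1417 pulls in `firewall/action.xml.i`, whose vocabulary is `permit|deny` (L1306, L1317), while the rule-set `default-action` in name-default-action.xml.i and `action-accept-drop-reject.xml.i` use `accept|drop|reject`; unless firewall.xml.in (not visible here) overrides the leaf, a rule and its rule-set default would speak different action vocabularies, and the `[REQUIRED]` in the help is not enforced by anything in the schema. The `description` elements on L1473 and L1485 are leftover placeholders (`burst__change_me`, `rate__change_me`) that will surface verbatim in CLI help; `<description>Number of packets</description>` on both would do. Separately, `tcp flags` (L1683), `source mac-address` (L1579) and the `time` leaves (L1703-L1737) accept unconstrained free text that presumably ends up in generated rules, and the `!<protocol>` entry on L1532 repeats `IP protocol number` where it should read `Match everything except the specified protocol`.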
diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i
new file mode 100644
index 000000000..b45fb619b
--- /dev/null
+++ b/interface-definitions/include/firewall/icmp-type-name.xml.i
@@ -0,0 +1,173 @@
+<!-- include start from firewall/icmp-type-name.xml.i -->
+<leafNode name="type-name">
+ <properties>
+ <help>ICMP type-name</help>
+ <completionHelp>
+ <list>any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply</list>
+ </completionHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Any ICMP type/code</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pong</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>destination-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>protocol-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>port-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fragmentation-needed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-route-failed</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-unknown</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-host-unreachable</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>communication-prohibited</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-precedence-violation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>precedence-cutoff</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>source-quench</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS-network-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TOS host-redirect</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>echo-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ping</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-advertisement</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>router-solicitation</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>time-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-exceeded</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-transit</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ttl-zero-during-reassembly</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>parameter-problem</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ip-header-bad</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>required-option-missing</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>timestamp-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-request</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>address-mask-reply</format>
+ <description>ICMP type/code name</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
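Review bot: `TOS host-redirect` on L1753, L1852 and L1916 has a space where every other name uses a hyphen, which looks like a typo for `TOS-host-redirect` (the sibling `TOS-network-redirect` is hyphenated); in the space-separated completion list it splits into two bogus completions `TOS` and `host-redirect`, and the regex alternative can only be matched by a quoted value containing a space. Replace it with `TOS-host-redirect` in all three places.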
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
new file mode 100644
index 000000000..46d20c1df
--- /dev/null
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from firewall/log.xml.i -->
+<node name="log">
+ <properties>
+ <help>Option to log packets</help>
+ </properties>
+ <children>
+ <leafNode name="enable">
+ <properties>
+ <help>Enable logging</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i
new file mode 100644
index 000000000..1b61b076f
--- /dev/null
+++ b/interface-definitions/include/firewall/name-default-action.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/name-default-action.xml.i -->
+<leafNode name="default-action">
+ <properties>
+ <help>Default-action for rule-set</help>
+ <completionHelp>
+ <list>drop reject accept</list>
+ </completionHelp>
+ <valueHelp>
+ <format>drop</format>
+ <description>Drop if no prior rules are hit (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>reject</format>
+ <description>Drop and notify source if no prior rules are hit</description>
+ </valueHelp>
+ <valueHelp>
+ <format>accept</format>
+ <description>Accept if no prior rules are hit</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(drop|reject|accept)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
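Review bot: The help on L1957 declares `drop` as the default, but the leaf carries no `<defaultValue>` element, so nothing in the schema makes a rule-set without an explicit `default-action` fail closed; unless the owner script substitutes `drop` itself (not visible here), the default lives only in help text. Add `<defaultValue>drop</defaultValue>` after `</properties>` on L1970, the same way common-rule.xml.i declares `<defaultValue>all</defaultValue>` for `protocol`, so the fail-closed behaviour is declared where defaults are actually read from.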
diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i
new file mode 100644
index 000000000..979395146
--- /dev/null
+++ b/interface-definitions/include/firewall/name-default-log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/name-default-log.xml.i -->
+<leafNode name="enable-default-log">
+ <properties>
+ <help>Option to log packets hitting default-action</help>
+ <valueless/>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
new file mode 100644
index 000000000..59d92978b
--- /dev/null
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -0,0 +1,23 @@
+<!-- include start from firewall/port.xml.i -->
+<leafNode name="port">
+ <properties>
+ <help>Port</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Named port (any name in /etc/services, e.g., http)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numbered port</description>
+ </valueHelp>
+ <valueHelp>
+ <format>&lt;start-end&gt;</format>
+ <description>Numbered port range (e.g. 1001-1005)</description>
+ </valueHelp>
+ <valueHelp>
+ <format> </format>
+ <description>\n\n Multiple destination ports can be specified as a comma-separated list.\n The whole list can also be negated using '!'.\n For example: '!22,telnet,http,123,1001-1005'</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
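Review bot: The free-text `valueHelp` on L2011 says `Multiple destination ports`, but this include is also spliced under the `source` node in common-rule.xml.i, so for half its uses the wording is wrong; `Multiple ports can be specified as a comma-separated list.` fits both. The leaf also has no `<constraint>` at all, so anything typed here, not only /etc/services names, numbers and ranges, is accepted by the CLI and presumably has to be rejected later by the owner script or the rule generator; a validator covering the documented forms would catch typos at set time rather than at commit.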
diff --git a/interface-definitions/include/firewall/source-destination-group.xml.i b/interface-definitions/include/firewall/source-destination-group.xml.i
new file mode 100644
index 000000000..30226b0d8
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group.xml.i
@@ -0,0 +1,24 @@
+<!-- include start from firewall/source-destination-group.xml.i -->
+<node name="group">
+ <properties>
+ <help>Group</help>
+ </properties>
+ <children>
+ <leafNode name="address-group">
+ <properties>
+ <help>Group of addresses</help>
+ </properties>
+ </leafNode>
+ <leafNode name="network-group">
+ <properties>
+ <help>Group of networks</help>
+ </properties>
+ </leafNode>
+ <leafNode name="port-group">
+ <properties>
+ <help>Group of ports</help>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/description.xml.i b/interface-definitions/include/generic-description.xml.i
index e2ff35d02..03fc564e6 100644
--- a/interface-definitions/include/policy/description.xml.i
+++ b/interface-definitions/include/generic-description.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from policy/description.xml.i -->
+<!-- include start from generic-description.xml.i -->
<leafNode name="description">
<properties>
<help>Description</help>
diff --git a/interface-definitions/include/interface/authentication.xml.i b/interface-definitions/include/interface/authentication.xml.i
new file mode 100644
index 000000000..c097ca9dd
--- /dev/null
+++ b/interface-definitions/include/interface/authentication.xml.i
@@ -0,0 +1,27 @@
+<!-- include start from interface/authentication.xml.i -->
+<node name="authentication">
+ <properties>
+ <help>Authentication settings</help>
+ </properties>
+ <children>
+ <leafNode name="user">
+ <properties>
+ <help>User name</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Username used for connection</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="password">
+ <properties>
+ <help>Password</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Password used for connection</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
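Review bot: The `password` leaf is free-form `txt` with no constraint and no hint that the value is persisted in cleartext in the configuration, which is what the operator most needs to know before reusing a credential here; consider `<help>Password (stored in cleartext in the configuration)</help>`. If the value is later written into a whitespace-delimited secrets file (as PPP-style backends typically use), a password containing spaces or quotes would silently corrupt that file, so either a `<regex>[^\s]+</regex>` constraint or proper quoting in the template is needed — which of the two applies depends on the consumer, not visible here.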
diff --git a/interface-definitions/include/interface/interface-eapol.xml.i b/interface-definitions/include/interface/interface-eapol.xml.i
index 92b7a3f35..270ec5b13 100644
--- a/interface-definitions/include/interface/interface-eapol.xml.i
+++ b/interface-definitions/include/interface/interface-eapol.xml.i
@@ -4,9 +4,8 @@
<help>Extensible Authentication Protocol over Local Area Network</help>
</properties>
<children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate-key.xml.i>
</children>
</node>
<!-- include end -->
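Review bot: After this swap `ca-certificate` is an ordinary optional leaf, yet for EAPOL it is the only thing that makes the supplicant verify the authenticator's server certificate; an 802.1X profile with a client certificate but no CA will authenticate to any server that asks. The verify script should refuse an `eapol` node without `ca-certificate`, or the help text of the node should state that omitting it disables server validation — neither is visible in this hunk, so this is a request to confirm. The old `certificate`, `certificate-ca` and `certificate-key` names disappear here; unless a migrator elsewhere in this commit rewrites them, existing configurations will fail to load.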
diff --git a/interface-definitions/include/interface/interface-parameters-key.xml.i b/interface-definitions/include/interface/interface-parameters-key.xml.i
index 1b1d67174..6c59f7879 100644
--- a/interface-definitions/include/interface/interface-parameters-key.xml.i
+++ b/interface-definitions/include/interface/interface-parameters-key.xml.i
@@ -1,7 +1,7 @@
<!-- include start from interface/interface-parameters-key.xml.i -->
<leafNode name="key">
<properties>
- <help>Tunnel key</help>
+ <help>Tunnel key (only GRE tunnels)</help>
<valueHelp>
<format>u32</format>
<description>Tunnel key</description>
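Review bot: The help now scopes `key` to GRE, but both `<help>` and `<description>` still call it a "key", which operators routinely mistake for a shared secret; the GRE key is a 32-bit demultiplexing identifier carried in the clear and offers no authentication or confidentiality. Suggest `<description>GRE key field: 32-bit tunnel identifier sent in cleartext, not an authentication secret</description>` so nobody relies on it as one.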
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 0355054a4..9e89cbbf6 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -22,9 +22,10 @@
<leafNode name="egress-qos">
<properties>
<help>VLAN egress QoS</help>
- <completionHelp>
- <script>echo Format for qos mapping, e.g.: '0:1 1:6 7:6'</script>
- </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description>
+ </valueHelp>
<constraint>
<regex>[:0-7 ]+$</regex>
</constraint>
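Review bot: The constraint `[:0-7 ]+$` is kept unchanged but it does not enforce the `FROM:TO` pairs the new valueHelp describes — `::`, ` 7`, `0:1:2` and a value consisting only of spaces all pass, and it has a trailing `$` with no `^`, so whether the start is anchored depends on the validator (not visible here). A regex that matches the documented shape, `<regex>^[0-7]:[0-7]( [0-7]:[0-7])*$</regex>`, would reject malformed maps before they reach `ip link`; the `ingress-qos` leaf below this hunk carries the same regex and needs the same change.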
@@ -34,9 +35,10 @@
<leafNode name="ingress-qos">
<properties>
<help>VLAN ingress QoS</help>
- <completionHelp>
- <script>echo Format for qos mapping '0:1 1:6 7:6'</script>
- </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description>
+ </valueHelp>
<constraint>
<regex>[:0-7 ]+$</regex>
</constraint>
diff --git a/interface-definitions/include/ip-protocol.xml.i b/interface-definitions/include/ip-protocol.xml.i
new file mode 100644
index 000000000..ce9345024
--- /dev/null
+++ b/interface-definitions/include/ip-protocol.xml.i
@@ -0,0 +1,17 @@
+<!-- include start from ip-protocol.xml.i -->
+<leafNode name="protocol">
+ <properties>
+ <help>Protocol</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Protocol name</description>
+ </valueHelp>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_protocols.sh</script>
+ </completionHelp>
+ <constraint>
+ <validator name="ip-protocol"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end from ip-protocol.xml.i -->
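Review bot: The closing marker `<!-- include end from ip-protocol.xml.i -->` deviates from the `<!-- include end -->` form every other include in this commit uses; if any tooling or reviewer greps for the canonical marker this file will be the odd one out. Change it to `<!-- include end -->`.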
diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i
new file mode 100644
index 000000000..4967782ec
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-id.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-id.xml.i -->
+<leafNode name="id">
+ <properties>
+ <help>ID for peer authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
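Review bot: `id` is unconstrained free text that will presumably be rendered into the strongSwan configuration; a value containing `"`, `#` or a newline could break or alter the generated file, so either the template must quote and escape it or a constraint here should exclude those characters, and this hunk shows neither. The valueHelp could also name the identity forms the backend accepts (address, FQDN, e-mail, DN) so an operator knows what a peer will be matched against.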
diff --git a/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i
new file mode 100644
index 000000000..af2669335
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-pre-shared-secret.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-pre-shared-secret.xml.i -->
+<leafNode name="pre-shared-secret">
+ <properties>
+ <help>Pre-shared secret key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
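Review bot: The pre-shared secret is accepted as arbitrary `txt` with no constraint and no note that it is kept in cleartext in the configuration; since it is the whole authentication for PSK peers, the help should say so, e.g. `<help>Pre-shared secret key (stored in cleartext in the configuration)</help>`. If the value is emitted into a secrets file, quotes or whitespace in it need escaping in the template or exclusion here — which one applies is not visible in this hunk.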
diff --git a/interface-definitions/include/ipsec/authentication-rsa.xml.i b/interface-definitions/include/ipsec/authentication-rsa.xml.i
new file mode 100644
index 000000000..0a364e838
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-rsa.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from ipsec/authentication-rsa.xml.i -->
+<node name="rsa">
+ <properties>
+ <help>RSA keys</help>
+ </properties>
+ <children>
+ <leafNode name="local-key">
+ <properties>
+ <help>Name of PKI key-pair with local private key</help>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="passphrase">
+ <properties>
+ <help>Local private key passphrase</help>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-key">
+ <properties>
+ <help>Name of PKI key-pair with remote public key</help>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
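Review bot: The `passphrase` leaf here has only a `<help>` and no `<valueHelp>`, unlike the passphrase leaf in `pki/certificate-key.xml.i` (L2772-L2780) which documents `txt` / "Passphrase to decrypt the private key"; for consistent CLI help give it the same `<valueHelp><format>txt</format><description>Passphrase to decrypt the local private key</description></valueHelp>`. `remote-key` completes from `pki key-pair`, so a reader may expect a private key there; the help does say "remote public key", which is enough, but the verify script should reject a pair whose public part is absent.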
diff --git a/interface-definitions/include/ipsec/authentication-x509.xml.i b/interface-definitions/include/ipsec/authentication-x509.xml.i
new file mode 100644
index 000000000..db675c0bf
--- /dev/null
+++ b/interface-definitions/include/ipsec/authentication-x509.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from ipsec/authentication-x509.xml.i -->
+<node name="x509">
+ <properties>
+ <help>X.509 certificate</help>
+ </properties>
+ <children>
+ #include <include/pki/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ </children>
+</node>
+<!-- include end -->
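Review bot: Under `x509` the `ca-certificate` leaf is optional at the schema level, but it is what the peer's certificate is validated against; an x509 peer with a local certificate and no CA should not be committable unless the backend is known to fall back to some other trust source, which this hunk does not show. Please confirm the verify script requires it, or document on the node that it is mandatory.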
diff --git a/interface-definitions/include/ipsec/esp-group.xml.i b/interface-definitions/include/ipsec/esp-group.xml.i
new file mode 100644
index 000000000..5e5d8197b
--- /dev/null
+++ b/interface-definitions/include/ipsec/esp-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/esp-group.xml.i -->
+<leafNode name="esp-group">
+ <properties>
+ <help>Encapsulating Security Payloads (ESP) group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/ike-group.xml.i b/interface-definitions/include/ipsec/ike-group.xml.i
new file mode 100644
index 000000000..f7649ed30
--- /dev/null
+++ b/interface-definitions/include/ipsec/ike-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/ike-group.xml.i -->
+<leafNode name="ike-group">
+ <properties>
+ <help>Internet Key Exchange (IKE) group name</help>
+ <completionHelp>
+ <path>vpn ipsec ike-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/local-address.xml.i b/interface-definitions/include/ipsec/local-address.xml.i
new file mode 100644
index 000000000..2de6ecb1f
--- /dev/null
+++ b/interface-definitions/include/ipsec/local-address.xml.i
@@ -0,0 +1,27 @@
+<!-- include start from ipsec/local-address.xml.i -->
+<leafNode name="local-address">
+ <properties>
+ <help>IPv4 or IPv6 address of a local interface to use for VPN</help>
+ <completionHelp>
+ <list>any</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of a local interface for VPN</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address of a local interface for VPN</description>
+ </valueHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Allow any IPv4 address present on the system to be used for VPN</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ <validator name="ipv6-address"/>
+ <regex>^(any)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
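Review bot: The `any` description says "Allow any IPv4 address present on the system", yet the leaf accepts IPv6 addresses too (L2310-L2312, L2319), so either the description is wrong or `any` silently excludes IPv6 — an operator cannot tell which. If `any` really covers both families, change it to `<description>Allow any address present on the system to be used for VPN</description>`; if it is IPv4-only, say so explicitly in the `<help>` as well.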
diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
new file mode 100644
index 000000000..d30a6d11a
--- /dev/null
+++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
@@ -0,0 +1,28 @@
+<!-- include start from ipsec/local-traffic-selector.xml.i -->
+<node name="local">
+ <properties>
+ <help>Local parameters for interesting traffic</help>
+ </properties>
+ <children>
+ #include <include/port-number.xml.i>
+ <leafNode name="prefix">
+ <properties>
+ <help>Local IPv4 or IPv6 prefix</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
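Review bot: The `prefix` valueHelp formats are `ipv4` and `ipv6`, but the constraint validators are `ipv4-prefix` / `ipv6-prefix` and the help text says prefix; the CLI help will therefore suggest a bare address where a CIDR is required. Use `<format>ipv4net</format>` and `<format>ipv6net</format>` so the displayed format matches what the validator accepts.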
diff --git a/interface-definitions/include/isis/default-information-level.xml.i b/interface-definitions/include/isis/default-information-level.xml.i
new file mode 100644
index 000000000..5ade72a4b
--- /dev/null
+++ b/interface-definitions/include/isis/default-information-level.xml.i
@@ -0,0 +1,32 @@
+<!-- include start from isis/default-information-level.xml.i -->
+<node name="level-1">
+ <properties>
+ <help>Distribute default route into level-1</help>
+ </properties>
+ <children>
+ <leafNode name="always">
+ <properties>
+ <help>Always advertise default route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/isis/metric.xml.i>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<node name="level-2">
+ <properties>
+ <help>Distribute default route into level-2</help>
+ </properties>
+ <children>
+ <leafNode name="always">
+ <properties>
+ <help>Always advertise default route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/isis/metric.xml.i>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/isis/metric.xml.i b/interface-definitions/include/isis/metric.xml.i
new file mode 100644
index 000000000..30e2cdc10
--- /dev/null
+++ b/interface-definitions/include/isis/metric.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from isis/metric.xml.i -->
+<leafNode name="metric">
+ <properties>
+ <help>Set default metric for circuit</help>
+ <valueHelp>
+ <format>u32:0-16777215</format>
+ <description>Default metric value</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-16777215"/>
+ </constraint>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i
index c4a913385..af5a21f49 100644
--- a/interface-definitions/include/isis/protocol-common-config.xml.i
+++ b/interface-definitions/include/isis/protocol-common-config.xml.i
@@ -39,18 +39,7 @@
<help>Distribute default route for IPv4</help>
</properties>
<children>
- <leafNode name="level-1">
- <properties>
- <help>Distribute default route into level-1</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="level-2">
- <properties>
- <help>Distribute default route into level-2</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/isis/default-information-level.xml.i>
</children>
</node>
<node name="ipv6">
@@ -58,30 +47,7 @@
<help>Distribute default route for IPv6</help>
</properties>
<children>
- <leafNode name="level-1">
- <properties>
- <help>Distribute default route into level-1</help>
- <completionHelp>
- <list>always</list>
- </completionHelp>
- <valueHelp>
- <format>always</format>
- <description>Always advertise default route</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="level-2">
- <properties>
- <help>Distribute default route into level-2</help>
- <completionHelp>
- <list>always</list>
- </completionHelp>
- <valueHelp>
- <format>always</format>
- <description>Always advertise default route</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/isis/default-information-level.xml.i>
</children>
</node>
</children>
@@ -102,7 +68,6 @@
</valueHelp>
</properties>
</leafNode>
-<!--
<leafNode name="md5">
<properties>
<help>MD5 authentication type</help>
@@ -112,7 +77,6 @@
</valueHelp>
</properties>
</leafNode>
--->
</children>
</node>
<leafNode name="dynamic-hostname">
@@ -144,6 +108,12 @@
</constraint>
</properties>
</leafNode>
+<leafNode name="log-adjacency-changes">
+ <properties>
+ <help>Log adjacency state changes</help>
+ <valueless/>
+ </properties>
+</leafNode>
<leafNode name="lsp-gen-interval">
<properties>
<help>Minimum interval between regenerating same LSP</help>
@@ -522,6 +492,61 @@
</node>
</children>
</node>
+ <node name="ipv6">
+ <properties>
+ <help>Redistribute IPv6 routes</help>
+ </properties>
+ <children>
+ <node name="bgp">
+ <properties>
+ <help>Redistribute BGP routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ <node name="connected">
+ <properties>
+ <help>Redistribute connected routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ <node name="kernel">
+ <properties>
+ <help>Redistribute kernel routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ <node name="ospf6">
+ <properties>
+ <help>Redistribute OSPFv3 routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ <node name="ripng">
+ <properties>
+ <help>Redistribute RIPng routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ <node name="static">
+ <properties>
+ <help>Redistribute static routes into IS-IS</help>
+ </properties>
+ <children>
+ #include <include/isis/redistribute-ipv6.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
</children>
</node>
<leafNode name="set-attached-bit">
@@ -570,7 +595,7 @@
<help>Delay used while in LONG_WAIT</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Delay used while in LONG_WAIT state (in ms)</description>
+ <description>Delay used while in LONG_WAIT state in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -582,7 +607,7 @@
<help>Time with no received IGP events before considering IGP stable</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Time with no received IGP events before considering IGP stable (in ms)</description>
+ <description>Time with no received IGP events before considering IGP stable in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -594,7 +619,7 @@
<help>Maximum duration needed to learn all the events related to a single failure</help>
<valueHelp>
<format>u32:0-60000</format>
- <description>Maximum duration needed to learn all the events related to a single failure (in ms)</description>
+ <description>Maximum duration needed to learn all the events related to a single failure in ms</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60000"/>
@@ -608,7 +633,7 @@
<help>Minimum interval between SPF calculations</help>
<valueHelp>
<format>u32:1-120</format>
- <description>Minimum interval between consecutive SPFs in seconds</description>
+ <description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-120"/>
@@ -677,18 +702,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="metric">
- <properties>
- <help>Set default metric for circuit</help>
- <valueHelp>
- <format>u32:0-16777215</format>
- <description>Default metric value</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-16777215"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/isis/metric.xml.i>
<node name="network">
<properties>
<help>Set network type</help>
@@ -733,10 +747,10 @@
</leafNode>
<leafNode name="psnp-interval">
<properties>
- <help>Set PSNP interval in seconds</help>
+ <help>Set PSNP interval</help>
<valueHelp>
<format>u32:0-127</format>
- <description>Priority value</description>
+ <description>PSNP interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-127"/>
@@ -752,4 +766,4 @@
</children>
</tagNode>
#include <include/route-map.xml.i>
-<!-- include end -->
+<!-- include end --> \ No newline at end of file
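Review bot: This hunk drops the trailing newline after `<!-- include end -->` ("\ No newline at end of file"); since `.xml.i` fragments are spliced into other files by a preprocessor, a missing final newline can glue the closing comment to the first line that follows the `#include` in the consuming file. Restore the newline.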
diff --git a/interface-definitions/include/isis/redistribute-ipv6.xml.i b/interface-definitions/include/isis/redistribute-ipv6.xml.i
new file mode 100644
index 000000000..7e679e38a
--- /dev/null
+++ b/interface-definitions/include/isis/redistribute-ipv6.xml.i
@@ -0,0 +1,42 @@
+<!-- include start from isis/redistribute-ipv6.xml.i -->
+<node name="level-1">
+ <properties>
+ <help>Redistribute into level-1</help>
+ </properties>
+ <children>
+ <leafNode name="metric">
+ <properties>
+ <help>Metric for redistributed routes</help>
+ <valueHelp>
+ <format>u32:0-16777215</format>
+ <description>ISIS default metric</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-16777215"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<node name="level-2">
+ <properties>
+ <help>Redistribute into level-2</help>
+ </properties>
+ <children>
+ <leafNode name="metric">
+ <properties>
+ <help>Metric for redistributed routes</help>
+ <valueHelp>
+ <format>u32:0-16777215</format>
+ <description>ISIS default metric</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-16777215"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/route-map.xml.i>
+ </children>
+</node>
+<!-- include end --> \ No newline at end of file
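Review bot: Both `level-1` and `level-2` here re-declare a `metric` leaf whose range and validator are identical to the new `isis/metric.xml.i` (L2404-L2415), differing only in help text; a second copy of the constraint is one more place to drift. If the "Metric for redistributed routes" wording matters, keep it, otherwise `#include <include/isis/metric.xml.i>` in both nodes. The file also ends without a trailing newline, which can glue the `<!-- include end -->` comment to the next line of the consuming file.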
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
new file mode 100644
index 000000000..defc8c0d5
--- /dev/null
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from nat-translation-options.xml.i -->
+<node name="options">
+ <properties>
+ <help>Translation options</help>
+ </properties>
+ <children>
+ <leafNode name="address-mapping">
+ <properties>
+ <help>Address mapping options</help>
+ <completionHelp>
+ <list>persistent random</list>
+ </completionHelp>
+ <valueHelp>
+ <format>persistent</format>
+ <description>Gives a client the same source or destination-address for each connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Random source or destination address allocation for each connection (defaut)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(persistent|random)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="port-mapping">
+ <properties>
+ <help>Port mapping options</help>
+ <completionHelp>
+ <list>random fully-random none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Randomize source port mapping</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fully-random</format>
+ <description>Full port randomization</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Do not apply port randomization (default)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(random|fully-random|none)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
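Review bot: Typo in the `random` description at L2711: `(defaut)` should be `(default)`. Both "(default)" annotations are claims about what the NAT backend does when the option is unset; they should be checked against the actual rule generator, since the kernel's default selection for an address pool is not simply per-connection random, and an operator choosing `persistent` for a security reason (stable mappings for NAT traversal) deserves an accurate description of the alternative.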
diff --git a/interface-definitions/include/pki/ca-certificate.xml.i b/interface-definitions/include/pki/ca-certificate.xml.i
new file mode 100644
index 000000000..14295a281
--- /dev/null
+++ b/interface-definitions/include/pki/ca-certificate.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pki/ca-certificate.xml.i -->
+<leafNode name="ca-certificate">
+ <properties>
+ <help>Certificate Authority in PKI configuration</help>
+ <valueHelp>
+ <format>CA name</format>
+ <description>Name of CA in PKI configuration</description>
+ </valueHelp>
+ <completionHelp>
+ <path>pki ca</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/certificate-key.xml.i b/interface-definitions/include/pki/certificate-key.xml.i
new file mode 100644
index 000000000..7f26d25c1
--- /dev/null
+++ b/interface-definitions/include/pki/certificate-key.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from pki/certificate-key.xml.i -->
+#include <include/pki/certificate.xml.i>
+<leafNode name="passphrase">
+ <properties>
+ <help>Private key passphrase</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Passphrase to decrypt the private key</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/certificate.xml.i b/interface-definitions/include/pki/certificate.xml.i
new file mode 100644
index 000000000..436aa90ba
--- /dev/null
+++ b/interface-definitions/include/pki/certificate.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pki/certificate.xml.i -->
+<leafNode name="certificate">
+ <properties>
+ <help>Certificate in PKI configuration</help>
+ <valueHelp>
+ <format>cert name</format>
+ <description>Name of certificate in PKI configuration</description>
+ </valueHelp>
+ <completionHelp>
+ <path>pki certificate</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/private-key.xml.i b/interface-definitions/include/pki/private-key.xml.i
new file mode 100644
index 000000000..6099daa89
--- /dev/null
+++ b/interface-definitions/include/pki/private-key.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from pki/private-key.xml.i -->
+<node name="private">
+ <properties>
+ <help>Private key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Private key in PKI configuration</help>
+ <valueHelp>
+ <format>key name</format>
+ <description>Name of private key in PKI configuration</description>
+ </valueHelp>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="passphrase">
+ <properties>
+ <help>Private key passphrase</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Passphrase to decrypt the private key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/pki/public-key.xml.i b/interface-definitions/include/pki/public-key.xml.i
new file mode 100644
index 000000000..dfc6979fd
--- /dev/null
+++ b/interface-definitions/include/pki/public-key.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from pki/public-key.xml.i -->
+<leafNode name="public-key">
+ <properties>
+ <help>Public key in PKI configuration</help>
+ <valueHelp>
+ <format>key name</format>
+ <description>Name of public key in PKI configuration</description>
+ </valueHelp>
+ <completionHelp>
+ <path>pki key-pair</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/radius-nas-identifier.xml.i b/interface-definitions/include/radius-nas-identifier.xml.i
new file mode 100644
index 000000000..8e6933cc0
--- /dev/null
+++ b/interface-definitions/include/radius-nas-identifier.xml.i
@@ -0,0 +1,7 @@
+<!-- include start from radius-nas-identifier.xml.i -->
+<leafNode name="nas-identifier">
+ <properties>
+ <help>NAS-Identifier attribute sent to RADIUS</help>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ssh-group.xml.i b/interface-definitions/include/ssh-group.xml.i
new file mode 100644
index 000000000..9c8b8692f
--- /dev/null
+++ b/interface-definitions/include/ssh-group.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from ssh-group.xml.i -->
+<leafNode name="group">
+ <properties>
+ <help>Allow members of a group to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
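Review bot: The regex `[a-z_][a-z0-9_-]{1,31}[$]?` requires at least two characters, so a valid one-letter group such as `x` is rejected while the error message talks only about illegal characters or more than 32 characters; `{0,31}` matches the message (1-32 characters). The pattern also carries neither `^` nor `$`, so unless the validator anchors it, `foo bar` would pass on the `foo` fragment and land in an `AllowGroups` directive where the space splits it into two names — please confirm the anchoring or write `^[a-z_][a-z0-9_-]{0,31}[$]?$` explicitly.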
diff --git a/interface-definitions/include/ssh-user.xml.i b/interface-definitions/include/ssh-user.xml.i
new file mode 100644
index 000000000..677602dd8
--- /dev/null
+++ b/interface-definitions/include/ssh-user.xml.i
@@ -0,0 +1,12 @@
+<!-- include start from ssh-user.xml.i -->
+<leafNode name="user">
+ <properties>
+ <help>Allow specific users to login</help>
+ <constraint>
+ <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
+ </constraint>
+ <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
+ <multi/>
+ </properties>
+</leafNode>
+<!-- include end -->
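Review bot: Same issue as the group regex: `[a-z_][a-z0-9_-]{1,31}[$]?` needs two characters minimum, so single-character user names are refused while the message says "more than 32 characters", and the pattern is unanchored at both ends. Since these names end up in sshd's `AllowUsers`, which is whitespace-separated, an unanchored match on a value containing a space would admit a second, unintended login name; use `^[a-z_][a-z0-9_-]{0,31}[$]?$` unless the validator is known to anchor.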
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 254ea3163..21babc015 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -31,21 +31,7 @@
</leafNode>
</children>
</node>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface supplying next-hop IP address</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <valueHelp>
- <format>txt</format>
- <description>DHCP interface name</description>
- </valueHelp>
- <constraint>
- <validator name="interface-name"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
<tagNode name="interface">
<properties>
<help>Next-hop IPv4 router interface</help>
diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i
index 041ba9902..9ef2f7c90 100644
--- a/interface-definitions/include/vpn-ipsec-encryption.xml.i
+++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i
@@ -1,233 +1,233 @@
<!-- include start from vpn-ipsec-encryption.xml.i -->
- <leafNode name="encryption">
- <properties>
- <help>Encryption algorithm</help>
- <completionHelp>
- <list>null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305</list>
- </completionHelp>
- <valueHelp>
- <format>null</format>
- <description>Null encryption</description>
- </valueHelp>
- <valueHelp>
- <format>aes128</format>
- <description>128 bit AES-CBC (default)</description>
- </valueHelp>
- <valueHelp>
- <format>aes192</format>
- <description>192 bit AES-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>aes256</format>
- <description>256 bit AES-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>aes128ctr</format>
- <description>128 bit AES-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>aes192ctr</format>
- <description>192 bit AES-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>aes256ctr</format>
- <description>256 bit AES-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>aes128ccm64</format>
- <description>128 bit AES-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192ccm64</format>
- <description>192 bit AES-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes256ccm64</format>
- <description>256 bit AES-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128ccm96</format>
- <description>128 bit AES-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192ccm96</format>
- <description>192 bit AES-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes256ccm96</format>
- <description>256 bit AES-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128ccm128</format>
- <description>128 bit AES-CCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192ccm128</format>
- <description>192 bit AES-CCM with 128 bit IC</description>
- </valueHelp>
- <valueHelp>
- <format>aes256ccm128</format>
- <description>256 bit AES-CCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128gcm64</format>
- <description>128 bit AES-GCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192gcm64</format>
- <description>192 bit AES-GCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes256gcm64</format>
- <description>256 bit AES-GCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128gcm96</format>
- <description>128 bit AES-GCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192gcm96</format>
- <description>192 bit AES-GCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes256gcm96</format>
- <description>256 bit AES-GCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128gcm128</format>
- <description>128 bit AES-GCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes192gcm128</format>
- <description>192 bit AES-GCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes256gcm128</format>
- <description>256 bit AES-GCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>aes128gmac</format>
- <description>Null encryption with 128 bit AES-GMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aes192gmac</format>
- <description>Null encryption with 192 bit AES-GMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aes256gmac</format>
- <description>Null encryption with 256 bit AES-GMAC</description>
- </valueHelp>
- <valueHelp>
- <format>3des</format>
- <description>168 bit 3DES-EDE-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>blowfish128</format>
- <description>128 bit Blowfish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>blowfish192</format>
- <description>192 bit Blowfish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>blowfish256</format>
- <description>256 bit Blowfish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>camellia128</format>
- <description>128 bit Camellia-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>camellia192</format>
- <description>192 bit Camellia-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>camellia256</format>
- <description>256 bit Camellia-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>camellia128ctr</format>
- <description>128 bit Camellia-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>camellia192ctr</format>
- <description>192 bit Camellia-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>camellia256ctr</format>
- <description>256 bit Camellia-COUNTER</description>
- </valueHelp>
- <valueHelp>
- <format>camellia128ccm64</format>
- <description>128 bit Camellia-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia192ccm64</format>
- <description>192 bit Camellia-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia256ccm64</format>
- <description>256 bit Camellia-CCM with 64 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia128ccm96</format>
- <description>128 bit Camellia-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia192ccm96</format>
- <description>192 bit Camellia-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia256ccm96</format>
- <description>256 bit Camellia-CCM with 96 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia128ccm128</format>
- <description>128 bit Camellia-CCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia192ccm128</format>
- <description>192 bit Camellia-CCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>camellia256ccm128</format>
- <description>256 bit Camellia-CCM with 128 bit ICV</description>
- </valueHelp>
- <valueHelp>
- <format>serpent128</format>
- <description>128 bit Serpent-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>serpent192</format>
- <description>192 bit Serpent-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>serpent256</format>
- <description>256 bit Serpent-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>twofish128</format>
- <description>128 bit Twofish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>twofish192</format>
- <description>192 bit Twofish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>twofish256</format>
- <description>256 bit Twofish-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>cast128</format>
- <description>128 bit CAST-CBC</description>
- </valueHelp>
- <valueHelp>
- <format>chacha20poly1305</format>
- <description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description>
- </valueHelp>
- <constraint>
- <regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex>
- </constraint>
- </properties>
- </leafNode>
+<leafNode name="encryption">
+ <properties>
+ <help>Encryption algorithm</help>
+ <completionHelp>
+ <list>null aes128 aes192 aes256 aes128ctr aes192ctr aes256ctr aes128ccm64 aes192ccm64 aes256ccm64 aes128ccm96 aes192ccm96 aes256ccm96 aes128ccm128 aes192ccm128 aes256ccm128 aes128gcm64 aes192gcm64 aes256gcm64 aes128gcm96 aes192gcm96 aes256gcm96 aes128gcm128 aes192gcm128 aes256gcm128 aes128gmac aes192gmac aes256gmac 3des blowfish128 blowfish192 blowfish256 camellia128 camellia192 camellia256 camellia128ctr camellia192ctr camellia256ctr camellia128ccm64 camellia192ccm64 camellia256ccm64 camellia128ccm96 camellia192ccm96 camellia256ccm96 camellia128ccm128 camellia192ccm128 camellia256ccm128 serpent128 serpent192 serpent256 twofish128 twofish192 twofish256 cast128 chacha20poly1305</list>
+ </completionHelp>
+ <valueHelp>
+ <format>null</format>
+ <description>Null encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128</format>
+ <description>128 bit AES-CBC (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192</format>
+ <description>192 bit AES-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256</format>
+ <description>256 bit AES-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ctr</format>
+ <description>128 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ctr</format>
+ <description>192 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ctr</format>
+ <description>256 bit AES-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm64</format>
+ <description>128 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm64</format>
+ <description>192 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm64</format>
+ <description>256 bit AES-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm96</format>
+ <description>128 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm96</format>
+ <description>192 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm96</format>
+ <description>256 bit AES-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128ccm128</format>
+ <description>128 bit AES-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192ccm128</format>
+ <description>192 bit AES-CCM with 128 bit IC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256ccm128</format>
+ <description>256 bit AES-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm64</format>
+ <description>128 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm64</format>
+ <description>192 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm64</format>
+ <description>256 bit AES-GCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm96</format>
+ <description>128 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm96</format>
+ <description>192 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm96</format>
+ <description>256 bit AES-GCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm128</format>
+ <description>128 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm128</format>
+ <description>192 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm128</format>
+ <description>256 bit AES-GCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gmac</format>
+ <description>Null encryption with 128 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gmac</format>
+ <description>Null encryption with 192 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gmac</format>
+ <description>Null encryption with 256 bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>3des</format>
+ <description>168 bit 3DES-EDE-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish128</format>
+ <description>128 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish192</format>
+ <description>192 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>blowfish256</format>
+ <description>256 bit Blowfish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128</format>
+ <description>128 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192</format>
+ <description>192 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256</format>
+ <description>256 bit Camellia-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ctr</format>
+ <description>128 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ctr</format>
+ <description>192 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ctr</format>
+ <description>256 bit Camellia-COUNTER</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm64</format>
+ <description>128 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm64</format>
+ <description>192 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm64</format>
+ <description>256 bit Camellia-CCM with 64 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm96</format>
+ <description>128 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm96</format>
+ <description>192 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm96</format>
+ <description>256 bit Camellia-CCM with 96 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia128ccm128</format>
+ <description>128 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia192ccm128</format>
+ <description>192 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>camellia256ccm128</format>
+ <description>256 bit Camellia-CCM with 128 bit ICV</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent128</format>
+ <description>128 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent192</format>
+ <description>192 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>serpent256</format>
+ <description>256 bit Serpent-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish128</format>
+ <description>128 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish192</format>
+ <description>192 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>twofish256</format>
+ <description>256 bit Twofish-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>cast128</format>
+ <description>128 bit CAST-CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>chacha20poly1305</format>
+ <description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
<!-- include end -->
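Review bot: The description for `aes192ccm128` still reads `192 bit AES-CCM with 128 bit IC`, and this re-indent carries the truncated label over unchanged; it should be `192 bit AES-CCM with 128 bit ICV` like its neighbours. Since the hunk is otherwise whitespace only, fixing the label here avoids another touch of the regenerated file.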
diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i
index 93d57b622..5a06b290e 100644
--- a/interface-definitions/include/vpn-ipsec-hash.xml.i
+++ b/interface-definitions/include/vpn-ipsec-hash.xml.i
@@ -1,65 +1,65 @@
-<!-- include start from pn-ipsec-hash.xml.i -->
- <leafNode name="hash">
- <properties>
- <help>Hash algorithm</help>
- <completionHelp>
- <list>md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc aescmac aes128gmac aes192gmac aes256gmac</list>
- </completionHelp>
- <valueHelp>
- <format>md5</format>
- <description>MD5 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>md5_128</format>
- <description>MD5_128 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>sha1</format>
- <description>SHA1 HMAC (default)</description>
- </valueHelp>
- <valueHelp>
- <format>sha1_160</format>
- <description>SHA1_160 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>sha256</format>
- <description>SHA2_256_128 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>sha256_96</format>
- <description>SHA2_256_96 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>sha384</format>
- <description>SHA2_384_192 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>sha512</format>
- <description>SHA2_512_256 HMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aesxcbc</format>
- <description>AES XCBC</description>
- </valueHelp>
- <valueHelp>
- <format>aescmac</format>
- <description>AES CMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aes128gmac</format>
- <description>128-bit AES-GMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aes192gmac</format>
- <description>192-bit AES-GMAC</description>
- </valueHelp>
- <valueHelp>
- <format>aes256gmac</format>
- <description>256-bit AES-GMAC</description>
- </valueHelp>
- <constraint>
- <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex>
- </constraint>
- </properties>
- </leafNode>
+<!-- include start from vpn-ipsec-hash.xml.i -->
+<leafNode name="hash">
+ <properties>
+ <help>Hash algorithm</help>
+ <completionHelp>
+ <list>md5 md5_128 sha1 sha1_160 sha256 sha256_96 sha384 sha512 aesxcbc aescmac aes128gmac aes192gmac aes256gmac</list>
+ </completionHelp>
+ <valueHelp>
+ <format>md5</format>
+ <description>MD5 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>md5_128</format>
+ <description>MD5_128 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha1</format>
+ <description>SHA1 HMAC (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha1_160</format>
+ <description>SHA1_160 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha256</format>
+ <description>SHA2_256_128 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha256_96</format>
+ <description>SHA2_256_96 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha384</format>
+ <description>SHA2_384_192 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha512</format>
+ <description>SHA2_512_256 HMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aesxcbc</format>
+ <description>AES XCBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aescmac</format>
+ <description>AES CMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gmac</format>
+ <description>128-bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gmac</format>
+ <description>192-bit AES-GMAC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gmac</format>
+ <description>256-bit AES-GMAC</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex>
+ </constraint>
+ </properties>
+</leafNode>
<!-- include end -->
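Review bot: The new-side help marks `sha1` as the default but gives no hint that `md5` and `md5_128` are legacy integrity algorithms, so an operator reading the completion list sees them as peers of the SHA-2 entries. RFC 8221 lists HMAC-MD5-96 as MUST NOT for ESP/AH, so at minimum the help should say so, e.g. `<description>MD5 HMAC (legacy, not recommended)</description>` on both md5 entries. Whether the project wants to keep offering them at all is a separate decision; the help text change is cheap.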
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 2efdaea3d..4bfc6e730 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -60,7 +60,7 @@
<properties>
<help>Bonding transmit hash policy</help>
<completionHelp>
- <list>layer2 layer2+3 layer3+4</list>
+ <list>layer2 layer2+3 layer3+4 encap2+3 encap3+4</list>
</completionHelp>
<valueHelp>
<format>layer2</format>
@@ -74,10 +74,18 @@
<format>layer3+4</format>
<description>combine IP address and port to make hash</description>
</valueHelp>
+ <valueHelp>
+ <format>encap2+3</format>
+ <description>combine encapsulated MAC address and IP address to make hash</description>
+ </valueHelp>
+ <valueHelp>
+ <format>encap3+4</format>
+ <description>combine encapsulated IP address and port to make hash</description>
+ </valueHelp>
<constraint>
- <regex>^(layer2\+3|layer3\+4|layer2)$</regex>
+ <regex>^(layer2\+3|layer3\+4|layer2|encap2\+3|encap3\+4)$</regex>
</constraint>
- <constraintErrorMessage>hash-policy must be layer2 layer2+3 or layer3+4</constraintErrorMessage>
+ <constraintErrorMessage>hash-policy must be layer2 layer2+3 layer3+4 encap2+3 or encap3+4</constraintErrorMessage>
</properties>
<defaultValue>layer2</defaultValue>
</leafNode>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index fff8db2d1..cb451f5be 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -9,14 +9,14 @@
<properties>
<help>Ethernet Interface</help>
<priority>318</priority>
- <constraint>
- <regex>^((eth|lan)[0-9]+|(eno|ens|enp|enx).+)$</regex>
- </constraint>
- <constraintErrorMessage>Invalid Ethernet interface name</constraintErrorMessage>
<valueHelp>
<format>ethN</format>
<description>Ethernet interface name</description>
</valueHelp>
+ <constraint>
+ <regex>^((eth|lan)[0-9]+|(eno|ens|enp|enx).+)$</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid Ethernet interface name</constraintErrorMessage>
</properties>
<children>
#include <include/interface/address-ipv4-ipv6-dhcp.xml.i>
@@ -80,6 +80,12 @@
<valueless/>
</properties>
</leafNode>
+ <leafNode name="lro">
+ <properties>
+ <help>Enable Large Receive Offload</help>
+ <valueless/>
+ </properties>
+ </leafNode>
<leafNode name="rps">
<properties>
<help>Enable Receive Packet Steering</help>
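Review bot: The help for the new `lro` node says only `Enable Large Receive Offload`, with no indication that LRO is problematic on a forwarding device; as far as I know the Linux kernel disables LRO itself on interfaces that are bridged or have IPv4 forwarding enabled, so on a router this knob may silently have no effect. Suggest `<help>Enable Large Receive Offload (may be overridden by the kernel on forwarding or bridged interfaces)</help>`, or at least a short note to that effect. The enclosing node starts outside the hunk.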
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index effbdd674..7ff08ac86 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -163,12 +163,6 @@
<multi/>
</properties>
</leafNode>
- <leafNode name="disable-ncp">
- <properties>
- <help>Disable support for ncp-ciphers</help>
- <valueless/>
- </properties>
- </leafNode>
</children>
</node>
#include <include/interface/interface-ipv6-options.xml.i>
@@ -643,16 +637,12 @@
</leafNode>
</children>
</node>
- <leafNode name="shared-secret-key-file">
+ <leafNode name="shared-secret-key">
<properties>
- <help>File containing the secret key shared with remote end of tunnel</help>
- <valueHelp>
- <format>filename</format>
- <description>File in /config/auth directory</description>
- </valueHelp>
- <constraint>
- <validator name="file-exists" argument="--directory /config/auth"/>
- </constraint>
+ <help>Secret key shared with remote end of tunnel</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
</properties>
</leafNode>
<node name="tls">
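Review bot: `shared-secret-key` drops the `file-exists` validator but adds no `<constraint>` in its place, so the CLI accepts any string and the only guidance is the `pki openvpn shared-secret` completion path; the same applies to `auth-key`, `dh-params` and `crypt-key` in the following tls hunk. Unless the owning configuration script verifies at commit time that the referenced PKI object exists, a typo is discovered only when OpenVPN fails to start. Either add a constraint matching the PKI name syntax or make the reference explicit in the help, e.g. `<help>Secret key shared with remote end of tunnel (name of a pki openvpn shared-secret entry)</help>`.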
@@ -660,55 +650,30 @@
<help>Transport Layer Security (TLS) options</help>
</properties>
<children>
- <leafNode name="auth-file">
+ <leafNode name="auth-key">
<properties>
- <help>File containing tls static key for tls-auth</help>
- <valueHelp>
- <format>filename</format>
- <description>File in /config/auth directory</description>
- </valueHelp>
- <constraint>
- <validator name="file-exists" argument="--directory /config/auth"/>
- </constraint>
- </properties>
- </leafNode>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing certificate revocation list (CRL) for this host</help>
- <valueHelp>
- <format>filename</format>
- <description>File in /config/auth directory</description>
- </valueHelp>
- <constraint>
- <validator name="file-exists" argument="--directory /config/auth"/>
- </constraint>
+ <help>TLS shared secret key for tls-auth</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
</properties>
</leafNode>
- <leafNode name="dh-file">
+ #include <include/pki/certificate.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ <leafNode name="dh-params">
<properties>
- <help>File containing Diffie Hellman parameters (server only)</help>
- <valueHelp>
- <format>filename</format>
- <description>File in /config/auth directory</description>
- </valueHelp>
- <constraint>
- <validator name="file-exists" argument="--directory /config/auth"/>
- </constraint>
+ <help>Diffie Hellman parameters (server only)</help>
+ <completionHelp>
+ <path>pki dh</path>
+ </completionHelp>
</properties>
</leafNode>
- #include <include/certificate-key.xml.i>
- <leafNode name="crypt-file">
+ <leafNode name="crypt-key">
<properties>
- <help>File containing encryption key to authenticate control channel</help>
- <valueHelp>
- <format>filename</format>
- <description>File in /config/auth directory</description>
- </valueHelp>
- <constraint>
- <validator name="file-exists" argument="--directory /config/auth"/>
- </constraint>
+ <help>Static key to use to authenticate control channel</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
</properties>
</leafNode>
<leafNode name="tls-version-min">
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 8c2b50eba..96479e057 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -25,23 +25,7 @@
<constraintErrorMessage>Access concentrator name must be composed of uppper and lower case letters or numbers only</constraintErrorMessage>
</properties>
</leafNode>
- <node name="authentication">
- <properties>
- <help>Authentication settings</help>
- </properties>
- <children>
- <leafNode name="user">
- <properties>
- <help>User name</help>
- </properties>
- </leafNode>
- <leafNode name="password">
- <properties>
- <help>Password</help>
- </properties>
- </leafNode>
- </children>
- </node>
+ #include <include/interface/authentication.xml.i>
#include <include/interface/interface-dial-on-demand.xml.i>
<leafNode name="default-route">
<properties>
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index 536edcb99..b994bdafc 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -29,14 +29,7 @@
#include <include/interface/interface-ipv6-options.xml.i>
#include <include/source-address-ipv4-ipv6.xml.i>
#include <include/interface/tunnel-remote.xml.i>
- <leafNode name="source-interface">
- <properties>
- <help>Physical Interface used for underlaying traffic</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/source-interface.xml.i>
<leafNode name="6rd-prefix">
<properties>
<help>6rd network prefix</help>
@@ -61,21 +54,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>dhcp interface</help>
- <valueHelp>
- <format>interface</format>
- <description>DHCP interface that supplies the local IP address for this tunnel</description>
- </valueHelp>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <constraint>
- <regex>^(en|eth|br|bond|gnv|vxlan|wg|tun)[0-9]+$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
<leafNode name="encapsulation">
<properties>
<help>Encapsulation of this tunnel interface</help>
@@ -227,13 +206,22 @@
<children>
<leafNode name="no-pmtu-discovery">
<properties>
- <help>Disable path MTU discovery</help>
+ <help>Disable Path MTU Discovery on this tunnel</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ignore-df">
+ <properties>
+ <help>Enable IPv4 DF suppression on this tunnel</help>
<valueless/>
</properties>
</leafNode>
#include <include/interface/interface-parameters-key.xml.i>
#include <include/interface/interface-parameters-tos.xml.i>
#include <include/interface/interface-parameters-ttl.xml.i>
+ <leafNode name="ttl">
+ <defaultValue>64</defaultValue>
+ </leafNode>
</children>
</node>
<node name="ipv6">
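Review bot: The bare `<leafNode name="ttl">` carrying only `<defaultValue>64</defaultValue>` sits directly after `#include <include/interface/interface-parameters-ttl.xml.i>`, so the node is declared twice under the same parent and the result depends on the build merging both definitions and on the include not setting a default of its own. A one-line comment above it, such as `<!-- default set here: the shared ttl include carries none -->`, would tell the next reader this is deliberate; if the include already has a default, the two should be reconciled rather than left to merge order. The enclosing node starts outside the hunk.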
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
new file mode 100644
index 000000000..10e1feb6b
--- /dev/null
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="vti" owner="${vyos_conf_scripts_dir}/interfaces-vti.py">
+ <properties>
+ <help>Virtual Tunnel interface</help>
+ <priority>381</priority>
+ <constraint>
+ <regex>^vti[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>VTI interface must be named vtiN</constraintErrorMessage>
+ <valueHelp>
+ <format>vtiN</format>
+ <description>VTI interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="address">
+ <properties>
+ <help>IP address</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 address and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-host"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ #include <include/interface/interface-description.xml.i>
+ #include <include/interface/interface-disable.xml.i>
+ #include <include/interface/interface-mtu-68-16000.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
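Review bot: The `address` help reads `IP address` while the constraint is `ipv4-host` and the only valueHelp is `ipv4net`, so an IPv6 address is rejected by the validator without the help ever stating the limitation. Change the help to `<help>IPv4 address</help>`, or, if IPv6 on VTI is intended, use the shared address include the other interface definitions pull in instead of an inline ipv4-only node.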
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 7a286eaf2..56d01dfb6 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -92,6 +92,7 @@
#include <include/source-address-ipv4-ipv6.xml.i>
#include <include/source-interface.xml.i>
#include <include/interface/tunnel-remote.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
#include <include/vni.xml.i>
</children>
</tagNode>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 378251fed..773bde09c 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -42,12 +42,12 @@
</leafNode>
<leafNode name="private-key">
<properties>
- <help>Private key to use on that interface</help>
- <completionHelp>
- <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
- </completionHelp>
+ <help>Base64 encoded private key</help>
+ <constraint>
+ <regex>[0-9a-zA-Z\+/]{43}=$</regex>
+ </constraint>
+ <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage>
</properties>
- <defaultValue>default</defaultValue>
</leafNode>
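Review bot: The new `private-key` regex `[0-9a-zA-Z\+/]{43}=$` is anchored only at the end, unlike the `^(...)$` patterns used elsewhere in this series; unless the validator anchors implicitly, any string ending in 43 base64 characters plus `=` passes, so write `<regex>^[0-9a-zA-Z\+/]{43}=$</regex>`. Moving the key out of a key directory and into the configuration also means it now appears in `show configuration` output, config archives and backups; please confirm that whatever redaction applies to other secrets in the configuration covers this node as well.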
<tagNode name="peer">
<properties>
@@ -59,7 +59,7 @@
</properties>
<children>
#include <include/generic-disable-node.xml.i>
- <leafNode name="pubkey">
+ <leafNode name="public-key">
<properties>
<help>base64 encoded public key</help>
<constraint>
diff --git a/interface-definitions/interfaces-wirelessmodem.xml.in b/interface-definitions/interfaces-wirelessmodem.xml.in
deleted file mode 100644
index 25ac2d6e0..000000000
--- a/interface-definitions/interfaces-wirelessmodem.xml.in
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="interfaces">
- <children>
- <tagNode name="wirelessmodem" owner="${vyos_conf_scripts_dir}/interfaces-wirelessmodem.py">
- <properties>
- <help>Wireless Modem (WWAN) Interface</help>
- <priority>350</priority>
- <constraint>
- <regex>^wlm[0-9]+$</regex>
- </constraint>
- <constraintErrorMessage>Wireless Modem interface must be named wlmN</constraintErrorMessage>
- <valueHelp>
- <format>wlmN</format>
- <description>Wireless modem interface name</description>
- </valueHelp>
- </properties>
- <children>
- <leafNode name="apn">
- <properties>
- <help>Access Point Name (APN)</help>
- </properties>
- </leafNode>
- <node name="backup">
- <properties>
- <help>Insert backup default route</help>
- </properties>
- <children>
- <leafNode name="distance">
- <properties>
- <help>Distance backup default route</help>
- <valueHelp>
- <format>1-255</format>
- <description>Distance of the backup route (default: 10)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 1-255"/>
- </constraint>
- <constraintErrorMessage>Must be between (1-255)</constraintErrorMessage>
- </properties>
- <defaultValue>10</defaultValue>
- </leafNode>
- </children>
- </node>
- #include <include/interface/interface-description.xml.i>
- #include <include/interface/interface-disable.xml.i>
- #include <include/interface/interface-vrf.xml.i>
- <leafNode name="device">
- <properties>
- <help>Serial device </help>
- <completionHelp>
- <script>ls -1 /dev | grep ttyS</script>
- <script>if [ -d /dev/serial/by-bus ]; then ls -1 /dev/serial/by-bus; fi</script>
- </completionHelp>
- <valueHelp>
- <format>ttySXX</format>
- <description>TTY device name, regular serial port</description>
- </valueHelp>
- <valueHelp>
- <format>usbNbXpY</format>
- <description>TTY device name, USB based</description>
- </valueHelp>
- <constraint>
- <regex>^(ttyS[0-9]+|usb[0-9]+b.*)$</regex>
- </constraint>
- </properties>
- </leafNode>
- #include <include/interface/interface-disable-link-detect.xml.i>
- #include <include/interface/interface-mtu-68-16000.xml.i>
- #include <include/interface/interface-ipv4-options.xml.i>
- #include <include/interface/interface-ipv6-options.xml.i>
- <leafNode name="no-peer-dns">
- <properties>
- <help>Do not use peer supplied DNS server information</help>
- <valueless/>
- </properties>
- </leafNode>
- #include <include/interface/interface-dial-on-demand.xml.i>
- </children>
- </tagNode>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
new file mode 100644
index 000000000..ea3184a11
--- /dev/null
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -0,0 +1,46 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="wwan" owner="${vyos_conf_scripts_dir}/interfaces-wwan.py">
+ <properties>
+ <help>Wireless Modem (WWAN) Interface</help>
+ <priority>350</priority>
+ <completionHelp>
+ <script>cd /sys/class/net; ls -d wwan*</script>
+ </completionHelp>
+ <constraint>
+ <regex>^wwan[0-9]+$</regex>
+ </constraint>
+ <constraintErrorMessage>Wireless Modem interface must be named wwanN</constraintErrorMessage>
+ <valueHelp>
+ <format>wwanN</format>
+ <description>Wireless Wide Area Network interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/interface/address-ipv4-ipv6-dhcp.xml.i>
+ <leafNode name="apn">
+ <properties>
+ <help>Access Point Name (APN)</help>
+ </properties>
+ </leafNode>
+ #include <include/interface/dhcp-options.xml.i>
+ #include <include/interface/dhcpv6-options.xml.i>
+ #include <include/interface/authentication.xml.i>
+ #include <include/interface/interface-description.xml.i>
+ #include <include/interface/interface-disable.xml.i>
+ #include <include/interface/interface-vrf.xml.i>
+ #include <include/interface/interface-disable-link-detect.xml.i>
+ #include <include/interface/interface-mtu-68-1500.xml.i>
+ <leafNode name="mtu">
+ <defaultValue>1430</defaultValue>
+ </leafNode>
+ #include <include/interface/interface-ipv4-options.xml.i>
+ #include <include/interface/interface-ipv6-options.xml.i>
+ #include <include/interface/interface-dial-on-demand.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>
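Review bot: The `apn` leaf at `<leafNode name="apn">` accepts any string: it has neither a `constraint` nor a `valueHelp`, while the tag value and the MTU in this file are validated. The APN is presumably passed on to modem control tooling by interfaces-wwan.py, so an explicit character class such as `<regex>^[a-zA-Z0-9._-]+$</regex>` with a matching `constraintErrorMessage` would document the expected format and keep shell- or command-unsafe characters out of the configuration. The deleted `wirelessmodem` tree (`device`, `backup`, `no-peer-dns`) has no counterpart here, so existing configurations will need a migration script; none is visible in this diff.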
diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in
deleted file mode 100644
index bc54baa27..000000000
--- a/interface-definitions/ipsec-settings.xml.in
+++ /dev/null
@@ -1,24 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="vpn">
- <children>
- <node name="ipsec">
- <children>
- <node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
- <properties>
- <help>Global IPsec settings</help>
- </properties>
- <children>
- <leafNode name="disable-route-autoinstall">
- <properties>
- <valueless/>
- <help>Do not automatically install routes to remote networks</help>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 9862f49b2..3cf3ba6aa 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -50,6 +50,7 @@
</properties>
</leafNode>
#include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
</children>
</node>
</children>
@@ -101,6 +102,7 @@
</properties>
</leafNode>
#include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/pki.xml.in b/interface-definitions/pki.xml.in
new file mode 100644
index 000000000..6d137c2ce
--- /dev/null
+++ b/interface-definitions/pki.xml.in
@@ -0,0 +1,209 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="pki" owner="${vyos_conf_scripts_dir}/pki.py">
+ <properties>
+ <help>VyOS PKI configuration</help>
+ </properties>
+ <children>
+ <tagNode name="ca">
+ <properties>
+ <help>Certificate Authority</help>
+ </properties>
+ <children>
+ <leafNode name="certificate">
+ <properties>
+ <help>CA certificate in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="description">
+ <properties>
+ <help>Description</help>
+ </properties>
+ </leafNode>
+ <node name="private">
+ <properties>
+ <help>CA private key in PEM format</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>CA private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>CA private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="crl">
+ <properties>
+ <help>Certificate revocation list in PEM format</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="revoke">
+ <properties>
+ <help>If parent CA is present, this CA certificate will be included in generated CRLs</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="certificate">
+ <properties>
+ <help>Certificate</help>
+ </properties>
+ <children>
+ <leafNode name="certificate">
+ <properties>
+ <help>Certificate in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="description">
+ <properties>
+ <help>Description</help>
+ </properties>
+ </leafNode>
+ <node name="private">
+ <properties>
+ <help>Certificate private key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Certificate private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>Certificate private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="revoke">
+ <properties>
+ <help>If CA is present, this certificate will be included in generated CRLs</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="dh">
+ <properties>
+ <help>Diffie-Hellman parameters</help>
+ </properties>
+ <children>
+ <leafNode name="parameters">
+ <properties>
+ <help>DH parameters in PEM format</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <tagNode name="key-pair">
+ <properties>
+ <help>Public and private keys</help>
+ </properties>
+ <children>
+ <node name="public">
+ <properties>
+ <help>Public key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Public key in PEM format</help>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="private">
+ <properties>
+ <help>Private key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Private key in PEM format</help>
+ </properties>
+ </leafNode>
+ <leafNode name="password-protected">
+ <properties>
+ <help>Private key is password protected</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ <node name="openvpn">
+ <properties>
+ <help>OpenVPN keys</help>
+ </properties>
+ <children>
+ <tagNode name="shared-secret">
+ <properties>
+ <help>OpenVPN shared secret key</help>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>OpenVPN shared secret key data</help>
+ </properties>
+ </leafNode>
+ <leafNode name="version">
+ <properties>
+ <help>OpenVPN shared secret key version</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <node name="x509">
+ <properties>
+ <help>X509 Settings</help>
+ </properties>
+ <children>
+ <node name="default">
+ <properties>
+ <help>X509 Default Values</help>
+ </properties>
+ <children>
+ <leafNode name="country">
+ <properties>
+ <help>Default country</help>
+ </properties>
+ <defaultValue>GB</defaultValue>
+ </leafNode>
+ <leafNode name="state">
+ <properties>
+ <help>Default state</help>
+ </properties>
+ <defaultValue>Some-State</defaultValue>
+ </leafNode>
+ <leafNode name="locality">
+ <properties>
+ <help>Default locality</help>
+ </properties>
+ <defaultValue>Some-City</defaultValue>
+ </leafNode>
+ <leafNode name="organization">
+ <properties>
+ <help>Default organization</help>
+ </properties>
+ <defaultValue>VyOS</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
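Review bot: `x509 default country` at `<leafNode name="country">` takes any string even though an X.509 `C=` attribute must be a two-letter ISO 3166 code (the default `GB` is one); add `<constraint><regex>^[A-Z]{2}$</regex></constraint>` with a `constraintErrorMessage` so a bad default fails at commit rather than at certificate generation. The `certificate`, `crl` and private `key` leaves likewise carry no constraint, so malformed or truncated material is only discovered when a consumer (IPsec, OpenVPN, HTTPS) tries to load it; a base64/PEM validator would surface that at commit time. Since private keys now live in the configuration tree, the help for `private key` should state that the material is visible in `show configuration` and in saved config files, and that `password-protected` (a valueless flag) only signals that the key is encrypted — the passphrase itself is not stored here.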
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index 900fac27e..5a3c58fa8 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -27,7 +27,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this access-list</help>
@@ -41,7 +41,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination network or address</help>
@@ -87,7 +87,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this access-list6</help>
@@ -101,7 +101,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="source">
<properties>
<help>Source IPv6 network to match</help>
@@ -146,7 +146,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this as-path-list</help>
@@ -160,7 +160,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against an AS path</help>
@@ -183,7 +183,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP community list</help>
@@ -197,7 +197,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against a community-list</help>
@@ -243,7 +243,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP extended community list</help>
@@ -257,7 +257,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against an extended community list</help>
@@ -288,7 +288,7 @@
</valueHelp>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this BGP extended community list</help>
@@ -302,7 +302,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="regex">
<properties>
<help>Regular expression to match against a large community list</help>
@@ -329,7 +329,7 @@
<constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this prefix-list</help>
@@ -343,7 +343,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="ge">
<properties>
<help>Prefix length to match a netmask greater than or equal to it</help>
@@ -397,7 +397,7 @@
<constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this prefix-list6</help>
@@ -411,7 +411,7 @@
</properties>
<children>
#include <include/policy/action.xml.i>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<leafNode name="ge">
<properties>
<help>Prefix length to match a netmask greater than or equal to it</help>
@@ -465,7 +465,7 @@
<constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage>
</properties>
<children>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<tagNode name="rule">
<properties>
<help>Rule for this route-map</help>
@@ -500,7 +500,7 @@
</valueHelp>
</properties>
</leafNode>
- #include <include/policy/description.xml.i>
+ #include <include/generic-description.xml.i>
<node name="match">
<properties>
<help>Route parameters to match</help>
@@ -912,7 +912,7 @@
</leafNode>
<leafNode name="as-path-prepend">
<properties>
- <help>as-path-prepend_help</help>
+ <help>Prepend string for a Border Gateway Protocol (BGP) AS-path attribute</help>
<valueHelp>
<format>txt</format>
<description>BGP AS path prepend string (ex: "64501 64501")</description>
@@ -925,15 +925,6 @@
<valueless/>
</properties>
</leafNode>
- <leafNode name="bgp-extcommunity-rt">
- <properties>
- <help>Set route target value</help>
- <valueHelp>
- <format>&lt;aa:nn&gt;</format>
- <description>ExtCommunity in format: asn:value</description>
- </valueHelp>
- </properties>
- </leafNode>
<node name="comm-list">
<properties>
<help>Border Gateway Protocol (BGP) communities matching a community-list</help>
@@ -961,7 +952,7 @@
</node>
<leafNode name="community">
<properties>
- <help>community_help</help>
+ <help>Border Gateway Protocl (BGP) community attribute</help>
<completionHelp>
<list>local-AS no-advertise no-export internet additive none</list>
</completionHelp>
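Review bot: The new help text reads `Border Gateway Protocl (BGP) community attribute` — `Protocl` should be `Protocol`. The same misspelling appears in the new `origin` help text later in this file (`Border Gateway Protocl (BGP) origin code`).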
@@ -1007,24 +998,71 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="extcommunity-rt">
+ <node name="extcommunity">
<properties>
- <help>Set route target value</help>
- <valueHelp>
- <format>txt</format>
- <description>ASN:nn_or_IP_address:nn VPN extended community</description>
- </valueHelp>
+ <help>BGP extended community attribute</help>
</properties>
- </leafNode>
- <leafNode name="extcommunity-soo">
- <properties>
- <help>Set Site of Origin value</help>
- <valueHelp>
- <format>txt</format>
- <description>ASN:nn_or_IP_address:nn VPN extended community</description>
- </valueHelp>
- </properties>
- </leafNode>
+ <children>
+ <leafNode name="bandwidth">
+ <properties>
+ <help>Bandwidth value in Mbps</help>
+ <completionHelp>
+ <list>cumulative num-multipaths</list>
+ </completionHelp>
+ <valueHelp>
+ <format>u32:1-25600</format>
+ <description>Bandwidth value in Mbps</description>
+ </valueHelp>
+ <valueHelp>
+ <format>cumulative</format>
+ <description>Cumulative bandwidth of all multipaths (outbound-only)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>num-multipaths</format>
+ <description>Internally computed bandwidth based on number of multipaths (outbound-only)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-25600"/>
+ <regex>^(cumulative|num-multipaths)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="rt">
+ <properties>
+ <help>Set route target value</help>
+ <valueHelp>
+ <format>ASN:NN</format>
+ <description>based on autonomous system number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>IP:NN</format>
+ <description>Based on a router-id IP address</description>
+ </valueHelp>
+ <constraint>
+ <regex>^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$</regex>
+ </constraint>
+ <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="soo">
+ <properties>
+ <help>Set Site of Origin value</help>
+ <valueHelp>
+ <format>ASN:NN</format>
+ <description>based on autonomous system number</description>
+ </valueHelp>
+ <valueHelp>
+ <format>IP:NN</format>
+ <description>Based on a router-id IP address</description>
+ </valueHelp>
+ <constraint>
+ <regex>^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$</regex>
+ </constraint>
+ <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
<leafNode name="ip-next-hop">
<properties>
<help>Nexthop IP address</help>
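Review bot: The `rt` and `soo` regex `^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$` accepts octets above 255 (e.g. `999.1.1.1:1`) and unbounded ASN/NN digit strings, so values FRR will reject still pass commit validation; consider the existing `ipv4-address` style validation for the IP form and bounding the numeric parts, or at least a `constraintErrorMessage` that states the valid ranges. This hunk also removes the `extcommunity-rt` and `extcommunity-soo` leaves in favour of `extcommunity rt|soo`, a CLI-incompatible change that needs a configuration migrator; none is visible in this diff.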
@@ -1066,6 +1104,12 @@
</constraint>
</properties>
</leafNode>
+ <leafNode name="prefer-global">
+ <properties>
+ <help>Prefer global address as the nexthop</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
<leafNode name="large-community">
@@ -1129,7 +1173,7 @@
</leafNode>
<leafNode name="origin">
<properties>
- <help>origin_help</help>
+ <help>Border Gateway Protocl (BGP) origin code</help>
<completionHelp>
<list>igp egp incomplete</list>
</completionHelp>
diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in
new file mode 100644
index 000000000..9dd9d3389
--- /dev/null
+++ b/interface-definitions/protocols-nhrp.xml.in
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<interfaceDefinition>
+ <node name="protocols">
+ <children>
+ <node name="nhrp" owner="${vyos_conf_scripts_dir}/protocols_nhrp.py">
+ <properties>
+ <help>NHRP parameters</help>
+ <priority>680</priority>
+ </properties>
+ <children>
+ <tagNode name="tunnel">
+ <properties>
+ <help>Tunnel for NHRP [REQUIRED]</help>
+ <constraint>
+ <regex>^tun[0-9]+$</regex>
+ </constraint>
+ <valueHelp>
+ <format>tunN</format>
+ <description>NHRP tunnel name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="cisco-authentication">
+ <properties>
+ <help>Pass phrase for cisco authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pass phrase for cisco authentication</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <tagNode name="dynamic-map">
+ <properties>
+ <help>Set an HUB tunnel address</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Set the IP address and prefix length</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="nbma-domain-name">
+ <properties>
+ <help>Set HUB fqdn (nbma-address - fqdn) [REQUIRED]</help>
+ <valueHelp>
+ <format>&lt;fqdn&gt;</format>
+ <description>Set the external HUB fqdn</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="holding-time">
+ <properties>
+ <help>Holding time in seconds</help>
+ </properties>
+ </leafNode>
+ <tagNode name="map">
+ <properties>
+ <help>Set an HUB tunnel address</help>
+ </properties>
+ <children>
+ <leafNode name="cisco">
+ <properties>
+ <help>If the statically mapped peer is running Cisco IOS, specify this</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="nbma-address">
+ <properties>
+ <help>Set HUB address (nbma-address - external hub address or fqdn) [REQUIRED]</help>
+ </properties>
+ </leafNode>
+ <leafNode name="register">
+ <properties>
+ <help>Specifies that Registration Request should be sent to this peer on startup</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="multicast">
+ <properties>
+ <help>Set multicast for NHRP</help>
+ <completionHelp>
+ <list>dynamic nhs</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(dynamic|nhs)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="non-caching">
+ <properties>
+ <help>This can be used to reduce memory consumption on big NBMA subnets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="redirect">
+ <properties>
+ <help>Enable sending of Cisco style NHRP Traffic Indication packets</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="shortcut-destination">
+ <properties>
+ <help>This instructs opennhrp to reply with authorative answers on NHRP Resolution Requests destined to addresses in this interface</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <tagNode name="shortcut-target">
+ <properties>
+ <help>Defines an off-NBMA network prefix for which the GRE interface will act as a gateway</help>
+ </properties>
+ <children>
+ <leafNode name="holding-time">
+ <properties>
+ <help>Holding time in seconds</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="shortcut">
+ <properties>
+ <help>Enable creation of shortcut routes. A received NHRP Traffic Indication will trigger the resolution and establishment of a shortcut route</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
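Review bot: `cisco-authentication` at `<leafNode name="cisco-authentication">` has no length constraint; as far as I recall opennhrp's Cisco-style authentication extension carries at most 8 characters of secret, so longer pass phrases would be truncated or rejected at daemon start — a `<regex>^[^[:space:]]{1,8}$</regex>` constraint (confirm the limit against opennhrp.conf(5)) makes that explicit. The help should also say that this secret travels in cleartext inside NHRP packets and is a misconfiguration guard, not a cryptographic protection; confidentiality and integrity depend on IPsec protecting the GRE tunnel. `holding-time` (both occurrences), `nbma-address` and the `dynamic-map` tag value are likewise unconstrained despite their valueHelp promising seconds, an address/fqdn and an `ipv4net`; `numeric`, `ipv4-prefix` and fqdn validators would catch typos at commit.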
diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols-ospfv3.xml.in
index 99e671b32..7b42c448d 100644
--- a/interface-definitions/protocols-ospfv3.xml.in
+++ b/interface-definitions/protocols-ospfv3.xml.in
@@ -25,6 +25,26 @@
</constraint>
</properties>
<children>
+ <node name="area-type">
+ <properties>
+ <help>OSPFv3 Area type</help>
+ </properties>
+ <children>
+ <node name="stub">
+ <properties>
+ <help>Stub OSPFv3 area</help>
+ </properties>
+ <children>
+ <leafNode name="no-summary">
+ <properties>
+ <help>Do not inject inter-area routes into the stub</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
<leafNode name="export-list">
<properties>
<help>Name of export-list</help>
diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in
index 8d6b57183..584f687c7 100644
--- a/interface-definitions/service_conntrack-sync.xml.in
+++ b/interface-definitions/service_conntrack-sync.xml.in
@@ -133,8 +133,16 @@
<leafNode name="peer">
<properties>
<help>IP address of the peer to send the UDP conntrack info too. This disable multicast.</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IP address to listen for incoming connections</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
</properties>
</leafNode>
+ #include <include/port-number.xml.i>
</children>
</tagNode>
#include <include/listen-address-ipv4.xml.i>
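Review bot: The new `valueHelp` description `IP address to listen for incoming connections` contradicts the leaf's own help (`IP address of the peer to send the UDP conntrack info too`): this is the destination peer, not a listen address. Change it to `IPv4 address of the peer to send conntrack updates to`, and while here fix `too` → `to` and `This disable` → `This disables` in the help line. The added `ipv4-address` validator is a good addition; note it rules out IPv6 peers, which I assume is intended.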
diff --git a/interface-definitions/service_mdns-repeater.xml.in b/interface-definitions/service_mdns-repeater.xml.in
index 33ef9a434..d02dac8a6 100644
--- a/interface-definitions/service_mdns-repeater.xml.in
+++ b/interface-definitions/service_mdns-repeater.xml.in
@@ -23,6 +23,12 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="vrrp-disable">
+ <properties>
+ <help>Disables mDNS repeater on VRRP interfaces not in MASTER state</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
</children>
diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in
index dc8af67af..7b96b5692 100644
--- a/interface-definitions/service_pppoe-server.xml.in
+++ b/interface-definitions/service_pppoe-server.xml.in
@@ -164,6 +164,7 @@
#include <include/accel-ppp/ppp-mppe.xml.i>
#include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
#include <include/accel-ppp/lcp-echo-timeout.xml.i>
+ #include <include/accel-ppp/ppp-interface-cache.xml.i>
<leafNode name="ipv4">
<properties>
<help>IPv4 (IPCP) negotiation algorithm</help>
@@ -192,34 +193,7 @@
</completionHelp>
</properties>
</leafNode>
- <leafNode name="ipv6">
- <properties>
- <help>IPv6 (IPCP6) negotiation algorithm</help>
- <constraint>
- <regex>^(deny|allow|prefer|require)$</regex>
- </constraint>
- <constraintErrorMessage>invalid value</constraintErrorMessage>
- <valueHelp>
- <format>deny</format>
- <description>Do not negotiate IPv6</description>
- </valueHelp>
- <valueHelp>
- <format>allow</format>
- <description>Negotiate IPv6 only if client requests</description>
- </valueHelp>
- <valueHelp>
- <format>prefer</format>
- <description>Ask client for IPv6 negotiation, do not fail if it rejects</description>
- </valueHelp>
- <valueHelp>
- <format>require</format>
- <description>Require IPv6 negotiation</description>
- </valueHelp>
- <completionHelp>
- <list>deny allow prefer require</list>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/accel-ppp/ppp-options-ipv6.xml.i>
<leafNode name="ipv6-intf-id">
<properties>
<help>Fixed or random interface identifier for IPv6</help>
@@ -334,6 +308,45 @@
</leafNode>
</children>
</node>
+ <node name="extended-scripts">
+ <properties>
+ <help>Extended script execution</help>
+ </properties>
+ <children>
+ <leafNode name="on-pre-up">
+ <properties>
+ <help>Script to run before PPPoE session interface comes up</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-up">
+ <properties>
+ <help>Script to run when PPPoE session interface is completely configured and started</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-down">
+ <properties>
+ <help>Script to run when PPPoE session interface going to terminate</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-change">
+ <properties>
+ <help>Script to run when PPPoE session interface changed by RADIUS CoA handling</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
</children>
</node>
</children>
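Review bot: The four `extended-scripts` leaves are guarded only by `validator name="script"`, whose checks are not visible here; these hooks are executed by accel-ppp, presumably with the daemon's privileges, on every session event, so the help text should state the ownership and permission expectations, e.g. `Script to run before PPPoE session interface comes up (executed by accel-ppp; must be executable and not writable by other users)`. If the `script` validator only checks existence and the executable bit, a script writable by other users is a privilege-escalation path worth closing in the validator itself.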
diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in
index 47ac4e25d..750ae314c 100644
--- a/interface-definitions/service_router-advert.xml.in
+++ b/interface-definitions/service_router-advert.xml.in
@@ -10,7 +10,7 @@
<children>
<tagNode name="interface">
<properties>
- <help>Interface to send DDNS updates for [REQUIRED]</help>
+ <help>Interface to send RA on [REQUIRED]</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
@@ -154,6 +154,72 @@
<valueless/>
</properties>
</leafNode>
+ <tagNode name="route">
+ <properties>
+ <help>IPv6 route to be advertised in Router Advertisements (RAs)</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 route to be advertized</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="valid-lifetime">
+ <properties>
+ <help>Time in seconds that the route will remain valid (default: 1800 seconds)</help>
+ <completionHelp>
+ <list>infinity</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1-4294967295</format>
+ <description>Time in seconds that the route will remain valid</description>
+ </valueHelp>
+ <valueHelp>
+ <format>infinity</format>
+ <description>Route will remain preferred forever</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ <regex>^(infinity)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>1800</defaultValue>
+ </leafNode>
+ <leafNode name="route-preference">
+ <properties>
+ <help>Preference associated with the route,</help>
+ <completionHelp>
+ <list>low medium high</list>
+ </completionHelp>
+ <valueHelp>
+ <format>low</format>
+ <description>Route has low preference</description>
+ </valueHelp>
+ <valueHelp>
+ <format>medium</format>
+ <description>Route has medium preference (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>high</format>
+ <description>Route has high preference</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(low|medium|high)$</regex>
+ </constraint>
+ <constraintErrorMessage>Route preference must be low, medium or high</constraintErrorMessage>
+ </properties>
+ <defaultValue>medium</defaultValue>
+ </leafNode>
+ <leafNode name="no-remove-route">
+ <properties>
+ <help>Do not announce this route with a zero second lifetime upon shutdown</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
<tagNode name="prefix">
<properties>
<help>IPv6 prefix to be advertised in Router Advertisements (RAs)</help>
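Review bot: `valid-lifetime` advertises `1-4294967295` in its valueHelp but the numeric validator uses `--range 0-4294967295`, so the help and the accepted range disagree; pick one (a zero lifetime is how RFC 4191 withdraws a route, and `no-remove-route` already relies on that semantic, so `0-4294967295` in the valueHelp seems right). The `infinity` description says `Route will remain preferred forever` although this leaf is the valid lifetime, not a preferred one: `Route will remain valid forever`. The `route-preference` help ends in a dangling comma: `Preference associated with the route`.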
diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in
index f57103eac..2654449a1 100644
--- a/interface-definitions/snmp.xml.in
+++ b/interface-definitions/snmp.xml.in
@@ -129,6 +129,26 @@
<constraintErrorMessage>Location is limited to 255 characters or less</constraintErrorMessage>
</properties>
</leafNode>
+ <leafNode name="oid-enable">
+ <properties>
+ <help>Enable specific oids</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Enable specific oids</description>
+ </valueHelp>
+ <valueHelp>
+ <format>route-table</format>
+ <description>Enable route table oids (ipCidrRouteTable inetCidrRouteTable)</description>
+ </valueHelp>
+ <completionHelp>
+ <list>route-table</list>
+ </completionHelp>
+ <constraint>
+ <regex>^(route-table)$</regex>
+ </constraint>
+ <constraintErrorMessage>Oid must be 'route-table'</constraintErrorMessage>
+ </properties>
+ </leafNode>
<leafNode name="smux-peer">
<properties>
<help>Register a subtree for SMUX-based processing</help>
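Review bot: The `txt` valueHelp on `oid-enable` implies a free-form value, but the constraint admits only `route-table`; drop the `txt` entry so the help matches what commit accepts. A short reason for this being opt-in would help operators, e.g. `Enable route table OIDs (ipCidrRouteTable, inetCidrRouteTable); walking them on a full-table router is expensive` — the cost rationale is my inference, confirm before adding it.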
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index 6faef9bd5..54742f1d0 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -1,5 +1,4 @@
<?xml version="1.0"?>
-<!--SSH configuration -->
<interfaceDefinition>
<node name="service">
<properties>
@@ -14,9 +13,7 @@
<children>
<node name="access-control">
<properties>
- <help>SSH user/group access controls. Directives are processed
- in the following order: deny-users, allow-users, deny-groups and
- allow-groups.</help>
+ <help>SSH user/group access controls</help>
</properties>
<children>
<node name="allow">
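Review bot: The shortened `access-control` help drops the only statement of evaluation order (deny-users, allow-users, deny-groups, allow-groups), and that order is what decides the outcome for a user who matches both an allow and a deny entry. Unless the ordering is documented elsewhere on the CLI, keep it in the help, e.g. `<help>SSH user/group access controls (processed in order: deny-users, allow-users, deny-groups, allow-groups)</help>`.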
@@ -24,26 +21,8 @@
<help>Allow user/group SSH access</help>
</properties>
<children>
- <leafNode name="group">
- <properties>
- <help>Allow members of a group to login</help>
- <constraint>
- <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
- </constraint>
- <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
- <multi/>
- </properties>
- </leafNode>
- <leafNode name="user">
- <properties>
- <help>Allow specific users to login</help>
- <constraint>
- <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
- </constraint>
- <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
- <multi/>
- </properties>
- </leafNode>
+ #include <include/ssh-group.xml.i>
+ #include <include/ssh-user.xml.i>
</children>
</node>
<node name="deny">
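Review bot: The `group` and `user` regex that this hunk moves into `include/ssh-group.xml.i` and `include/ssh-user.xml.i` was unanchored, `[a-z_][a-z0-9_-]{1,31}[$]?`, whereas the other regex constraints in this diff are written `^(...)$`. The include files are outside this view, so if they carry the pattern over verbatim a value that merely contains a valid name would still pass and the `more than 32 characters` error message would not be enforced; worth checking that the new includes anchor it as `^[a-z_][a-z0-9_-]{1,31}[$]?$`. The same applies to the `deny` hunk below, which replaces the identical leaves.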
@@ -51,26 +30,8 @@
<help>Deny user/group SSH access</help>
</properties>
<children>
- <leafNode name="group">
- <properties>
- <help>Disallow members of a group to login</help>
- <constraint>
- <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
- </constraint>
- <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
- <multi/>
- </properties>
- </leafNode>
- <leafNode name="user">
- <properties>
- <help>Disallow specific users to login</help>
- <constraint>
- <regex>[a-z_][a-z0-9_-]{1,31}[$]?</regex>
- </constraint>
- <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage>
- <multi/>
- </properties>
- </leafNode>
+ #include <include/ssh-group.xml.i>
+ #include <include/ssh-user.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
new file mode 100644
index 000000000..fa73df3db
--- /dev/null
+++ b/interface-definitions/system-conntrack.xml.in
@@ -0,0 +1,348 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <children>
+ <node name="conntrack" owner="${vyos_conf_scripts_dir}/conntrack.py">
+ <properties>
+ <help>Connection Tracking Engine Options</help>
+ <!-- Before NAT and conntrack-sync are configured -->
+ <priority>218</priority>
+ </properties>
+ <children>
+ <leafNode name="expect-table-size">
+ <properties>
+ <help>Size of connection tracking expect table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Number of entries allowed in connection tracking expect table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>2048</defaultValue>
+ </leafNode>
+ <leafNode name="hash-size">
+ <properties>
+ <help>Hash size for connection tracking table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Size of hash to use for connection tracking table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>32768</defaultValue>
+ </leafNode>
+ <node name="modules">
+ <properties>
+ <help>Connection tracking modules settings</help>
+ </properties>
+ <children>
+ <node name="ftp">
+ <properties>
+ <help>FTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="h323">
+ <properties>
+ <help>H.323 connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="nfs">
+ <properties>
+ <help>NFS connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="pptp">
+ <properties>
+ <help>PPTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="sip">
+ <properties>
+ <help>SIP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="sqlnet">
+ <properties>
+ <help>SQLnet connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ <node name="tftp">
+ <properties>
+ <help>TFTP connection tracking settings</help>
+ </properties>
+ <children>
+ #include <include/conntrack-module-disable.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="table-size">
+ <properties>
+ <help>Size of connection tracking table</help>
+ <valueHelp>
+ <format>u32:1-50000000</format>
+ <description>Number of entries allowed in connection tracking table</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-50000000"/>
+ </constraint>
+ </properties>
+ <defaultValue>262144</defaultValue>
+ </leafNode>
+ <node name="tcp">
+ <properties>
+ <help>TCP options</help>
+ </properties>
+ <children>
+ <leafNode name="half-open-connections">
+ <properties>
+ <help>Maximum number of TCP half-open connections</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ <defaultValue>512</defaultValue>
+ </leafNode>
+ <leafNode name="loose">
+ <properties>
+ <help>Policy to track previously established connections</help>
+ <completionHelp>
+ <list>enable disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Allow tracking of previously established connections</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Do not allow tracking of previously established connections</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(enable|disable)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <leafNode name="max-retrans">
+ <properties>
+ <help>TCP maximum retransmit attempts</help>
+ <valueHelp>
+ <format>u32:1-2147483647</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-2147483647"/>
+ </constraint>
+ </properties>
+ <defaultValue>3</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <node name="timeout">
+ <properties>
+ <help>Connection timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="icmp">
+ <properties>
+ <help>ICMP timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>ICMP timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="other">
+ <properties>
+ <help>Generic connection timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>Generic connection timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>600</defaultValue>
+ </leafNode>
+ <node name="tcp">
+ <properties>
+ <help>TCP connection timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="close-wait">
+ <properties>
+ <help>TCP CLOSE-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="close">
+ <properties>
+ <help>TCP CLOSE timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP CLOSE timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>10</defaultValue>
+ </leafNode>
+ <leafNode name="established">
+ <properties>
+ <help>TCP ESTABLISHED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP ESTABLISHED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>432000</defaultValue>
+ </leafNode>
+ <leafNode name="fin-wait">
+ <properties>
+ <help>TCP FIN-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP FIN-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="last-ack">
+ <properties>
+ <help>TCP LAST-ACK timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP LAST-ACK timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="syn-recv">
+ <properties>
+ <help>TCP SYN-RECEIVED timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-RECEIVED timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="syn-sent">
+ <properties>
+ <help>TCP SYN-SENT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP SYN-SENT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ <leafNode name="time-wait">
+ <properties>
+ <help>TCP TIME-WAIT timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>TCP TIME-WAIT timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <node name="udp">
+ <properties>
+ <help>UDP timeout options</help>
+ </properties>
+ <children>
+ <leafNode name="other">
+ <properties>
+ <help>UDP generic timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP generic timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="stream">
+ <properties>
+ <help>UDP stream timeout in seconds</help>
+ <valueHelp>
+ <format>u32:1-21474836</format>
+ <description>UDP stream timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21474836"/>
+ </constraint>
+ </properties>
+ <defaultValue>180</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
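Review bot: The `<description>` under `tcp half-open-connections` and under `tcp max-retrans` both read `Generic connection timeout in seconds`, copied from the `timeout other` leaf, and describe neither value; use `<description>Maximum number of TCP half-open connections</description>` and `<description>Maximum number of TCP retransmit attempts</description>`. The `loose` leaf presumably maps to the kernel's `nf_conntrack_tcp_loose` toggle; if so, its `enable` description could say that connections first seen mid-stream (no SYN) are picked up rather than dropped, since that is the trade-off an operator is choosing. The comment `Before NAT and conntrack-sync are configured` on the priority is useful and should stay.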
diff --git a/interface-definitions/system-sysctl.xml.in b/interface-definitions/system-sysctl.xml.in
new file mode 100644
index 000000000..bf118c24b
--- /dev/null
+++ b/interface-definitions/system-sysctl.xml.in
@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <properties>
+ <help>System parameters</help>
+ </properties>
+ <children>
+ <node name="sysctl" owner="${vyos_conf_scripts_dir}/system_sysctl.py">
+ <properties>
+ <help>Configure kernel parameters at runtime</help>
+ <priority>318</priority>
+ </properties>
+ <children>
+ <tagNode name="parameter">
+ <properties>
+ <help>Sysctl key name</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_sysctl_parameters.sh</script>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Sysctl key name</description>
+ </valueHelp>
+ <constraint>
+ <validator name="sysctl"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="value">
+ <properties>
+ <help>Sysctl configuration value</help>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
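Review bot: The `value` leaf under `parameter` has no `<valueHelp>` and no constraint, unlike every other leaf in this diff, so the CLI gives no hint of what is expected; add at least `<valueHelp><format>txt</format><description>Sysctl parameter value</description></valueHelp>`. The `sysctl` validator on the tag node checks only the key, and the value is presumably written to the kernel as given, so a short comment on the `value` node saying where validation stops, e.g. `<!-- value is applied as entered; only the parameter name is validated -->`, would help the next maintainer.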
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 426d7e71c..b28c86ae6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,24 +1,16 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
+ <properties>
+ <help>Virtual Private Network (VPN)</help>
+ </properties>
<children>
- <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+ <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
<properties>
<help>VPN IP security (IPsec) parameters</help>
+ <priority>901</priority>
</properties>
<children>
- <leafNode name="auto-update">
- <properties>
- <help>Set auto-update interval for IPsec daemon</help>
- <valueHelp>
- <format>u32:30-65535</format>
- <description>Auto-update interval (s)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-65535"/>
- </constraint>
- </properties>
- </leafNode>
<leafNode name="disable-uniqreqids">
<properties>
<help>Option to disable requirement for unique IDs in the Security Database</help>
@@ -48,6 +40,7 @@
<regex>^(disable|enable)$</regex>
</constraint>
</properties>
+ <defaultValue>disable</defaultValue>
</leafNode>
<leafNode name="lifetime">
<properties>
@@ -60,6 +53,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
@@ -79,6 +73,7 @@
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
+ <defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
@@ -88,95 +83,95 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Enable PFS. Use ike-groups dh-group (default)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024) - default</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
- <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
+ <description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
- <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
- <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
+ <description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
- <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
+ <description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
- <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
+ <description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
- <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
+ <description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
- <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
+ <description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
- <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
+ <description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
- <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
+ <description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
- <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
+ <description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
- <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
+ <description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
- <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
+ <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
- <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
+ <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
- <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
+ <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
- <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
+ <description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
- <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
+ <description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
- <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
+ <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
- <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
+ <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
- <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
+ <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
- <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
+ <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
- <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
+ <description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
- <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
+ <description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
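Review bot: The `enable` description now states that PFS uses `Diffie-Hellman group 2 (modp1024)`, whereas the text it replaces said the ike-group's own dh-group was used; one of the two is wrong about the backend. If group 2 really is what `enable` selects, then together with `<defaultValue>enable</defaultValue>` in the next hunk the default picks a 1024-bit MODP group, which is below current guidance, and the help should say so or the default should point at a stronger group. If the backend still derives the group from the ike-group, the new description should be reverted to say that. The `pfs` leaf's `<help>` begins above this hunk.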
@@ -186,6 +181,7 @@
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
@@ -296,7 +292,7 @@
</completionHelp>
<valueHelp>
<format>yes</format>
- <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
+ <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
@@ -337,6 +333,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
@@ -483,6 +480,7 @@
<regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
</constraint>
</properties>
+ <defaultValue>2</defaultValue>
</leafNode>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
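Review bot: The added `<defaultValue>2</defaultValue>` selects, judging by the regex `^(1|2|5|14|...|32)$` above it, DH group 2 (1024-bit MODP) as the ike-group default; 1024-bit MODP is generally considered too weak for new deployments, and group 14 or larger, or an ECP group, is the usual baseline. Consider `<defaultValue>14</defaultValue>`, or at least state in the leaf's help that the default is a legacy group kept for compatibility. The leaf definition begins outside this hunk, so its help text is not visible here.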
@@ -500,116 +498,118 @@
<help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
</properties>
</leafNode>
- <node name="ipsec-interfaces">
+ <leafNode name="interface">
<properties>
- <help>Interface to use for VPN [REQUIRED]</help>
+ <help>Onterface used for IPsec communication</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <multi/>
</properties>
- <children>
- <leafNode name="interface">
- <properties>
- <help>IPsec interface [REQUIRED]</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="logging">
+ </leafNode>
+ <node name="log">
<properties>
<help>IPsec logging</help>
</properties>
<children>
- <leafNode name="log-level">
+ <leafNode name="level">
<properties>
<help>strongSwan Logger Level</help>
<valueHelp>
- <format>u32:0-2</format>
- <description>Logger Verbosity Level (default 0)</description>
+ <format>u32:0</format>
+ <description>Very basic auditing logs e.g. SA up/SA down (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1</format>
+ <description>Generic control flow with errors, a good default to see whats going on</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2</format>
+ <description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2"/>
</constraint>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
- <leafNode name="log-modes">
+ <leafNode name="subsystem">
<properties>
- <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help>
+ <help>Subsystem in the daemon the log comes from</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
<valueHelp>
<format>dmn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Main daemon setup/cleanup/signal handling</description>
</valueHelp>
<valueHelp>
<format>mgr</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
</valueHelp>
<valueHelp>
<format>ike</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA/ISAKMP SA</description>
</valueHelp>
<valueHelp>
<format>chd</format>
- <description>Debug log option for strongSwan</description>
+ <description>CHILD_SA/IPsec SA</description>
</valueHelp>
<valueHelp>
<format>job</format>
- <description>Debug log option for strongSwan</description>
+ <description>Jobs queuing/processing and thread pool management</description>
</valueHelp>
<valueHelp>
<format>cfg</format>
- <description>Debug log option for strongSwan</description>
+ <description>Configuration management and plugins</description>
</valueHelp>
<valueHelp>
<format>knl</format>
- <description>Debug log option for strongSwan</description>
+ <description>IPsec/Networking kernel interface</description>
</valueHelp>
<valueHelp>
<format>net</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE network communication</description>
</valueHelp>
<valueHelp>
<format>asn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
</valueHelp>
<valueHelp>
<format>enc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Packet encoding/decoding encryption/decryption operations</description>
</valueHelp>
<valueHelp>
<format>lib</format>
- <description>Debug log option for strongSwan</description>
+ <description>libstrongswan library messages</description>
</valueHelp>
<valueHelp>
<format>esp</format>
- <description>Debug log option for strongSwan</description>
+ <description>libipsec library messages</description>
</valueHelp>
<valueHelp>
<format>tls</format>
- <description>Debug log option for strongSwan</description>
+ <description> libtls library messages</description>
</valueHelp>
<valueHelp>
<format>tnc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Trusted Network Connect</description>
</valueHelp>
<valueHelp>
<format>imc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Collector</description>
</valueHelp>
<valueHelp>
<format>imv</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Verifier</description>
</valueHelp>
<valueHelp>
<format>pts</format>
- <description>Debug log option for strongSwan</description>
+ <description> Platform Trust Service</description>
</valueHelp>
<valueHelp>
<format>any</format>
- <description>Debug log option for strongSwan</description>
+ <description>Any subsystem</description>
</valueHelp>
<constraint>
<regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
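Review bot: The new `interface` help reads `Onterface used for IPsec communication`; it should be `Interface used for IPsec communication`. Two `subsystem` descriptions carry a leading space, `<description> libtls library messages</description>` and `<description> Platform Trust Service</description>`, which shows up in CLI help output; drop the space. `whats going on` in the level-1 description should be `what's going on`.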
@@ -619,59 +619,6 @@
</leafNode>
</children>
</node>
- <node name="nat-networks">
- <properties>
- <help>Network Address Translation (NAT) networks</help>
- </properties>
- <children>
- <tagNode name="allowed-network">
- <properties>
- <help>NAT networks to allow</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to allow</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- </properties>
- <children>
- <leafNode name="exclude">
- <properties>
- <help>NAT networks to exclude from allowed-networks</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to exclude from allowed-networks</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
- <leafNode name="nat-traversal">
- <properties>
- <help>Network Address Translation (NAT) traversal</help>
- <completionHelp>
- <list>disable enable</list>
- </completionHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT-T</description>
- </valueHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT-T</description>
- </valueHelp>
- <constraint>
- <regex>^(disable|enable)$</regex>
- </constraint>
- </properties>
- </leafNode>
<node name="options">
<properties>
<help>Global IPsec settings</help>
@@ -690,69 +637,261 @@
<help>VPN IPSec Profile</help>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Authentication [REQUIRED]</help>
</properties>
<children>
- <node name="mode">
+ <leafNode name="mode">
<properties>
<help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use pre shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ </children>
+ </node>
+ <node name="bind">
+ <properties>
+ <help>DMVPN crypto configuration</help>
+ </properties>
+ <children>
+ <leafNode name="tunnel">
+ <properties>
+ <help>Tunnel interface associated with this configuration profile</help>
+ <completionHelp>
+ <path>interfaces tunnel</path>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Associated interface to this configuration profile</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ </children>
+ </tagNode>
+ <node name="remote-access">
+ <properties>
+ <help>IKEv2 remote access VPN</help>
+ </properties>
+ <children>
+ <tagNode name="connection">
+ <properties>
+ <help>IKEv2 VPN connection name</help>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication for remote access</help>
</properties>
<children>
- <leafNode name="pre-shared-secret">
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="client-mode">
<properties>
- <help>Use pre-shared secret key</help>
- <valueless/>
+ <help>Client authentication mode</help>
+ <completionHelp>
+ <list>eap-tls eap-mschapv2 eap-radius</list>
+ </completionHelp>
+ <valueHelp>
+ <format>eap-tls</format>
+ <description>Client uses EAP-TLS authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-mschapv2</format>
+ <description>Client uses EAP-MSCHAPv2 authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-radius</format>
+ <description>Client uses EAP-RADIUS authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex>
+ </constraint>
</properties>
+ <defaultValue>eap-mschapv2</defaultValue>
</leafNode>
+ #include <include/auth-local-users.xml.i>
+ <leafNode name="server-mode">
+ <properties>
+ <help>Server authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>pre-shared-secret_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>x509_description</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(pre-shared-secret|x509)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>x509</defaultValue>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
- <leafNode name="pre-shared-secret">
+ #include <include/generic-description.xml.i>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ <leafNode name="timeout">
<properties>
- <help>Pre-shared secret key</help>
+ <help>Timeout to close connection if no data is transmitted</help>
+ <valueHelp>
+ <format>u32:10-86400</format>
+ <description>Timeout in seconds (default 28800)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 10-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>28800</defaultValue>
+ </leafNode>
+ <leafNode name="pool">
+ <properties>
+ <help>Pool name used for IP address assignments</help>
+ <completionHelp>
+ <path>vpn ipsec remote-access pool</path>
+ <list>dhcp</list>
+ </completionHelp>
<valueHelp>
<format>txt</format>
- <description>Pre-shared secret key</description>
+ <description>Pool name</description>
</valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="unique">
+ <properties>
+ <help>Connection uniqueness policy to enforce</help>
+ <completionHelp>
+ <list>never keep replace</list>
+ </completionHelp>
+ <valueHelp>
+ <format>never</format>
+ <description>Never enforce connection uniqueness policy</description>
+ </valueHelp>
+ <valueHelp>
+ <format>keep</format>
+ <description>Rejects new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(never|keep|replace)$</regex>
+ </constraint>
</properties>
</leafNode>
</children>
- </node>
- <node name="bind">
+ </tagNode>
+ <node name="dhcp">
<properties>
- <help>DMVPN crypto configuration</help>
+ <help>DHCP pool options for remote-access</help>
</properties>
<children>
- <leafNode name="bind_child">
+ <leafNode name="interface">
<properties>
- <help>bind_child_help</help>
- <valueless/>
+ <help>Interface with DHCP server to use</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="server">
+ <properties>
+ <help>DHCP server address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>DHCP server IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
</properties>
</leafNode>
</children>
</node>
- <leafNode name="esp-group">
+ <tagNode name="pool">
<properties>
- <help>Esp group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
+ <help>IP address pool for remote-access users</help>
</properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Ike group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ <children>
+ <leafNode name="exclude">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix exclusions</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 pool prefix exclusion</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 pool prefix exclusion</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 pool prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 pool prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <!-- Include Accel-PPP definition here, maybe time for a rename? -->
+ #include <include/accel-ppp/name-server.xml.i>
+ </children>
+ </tagNode>
+ #include <include/radius-server-ipv4.xml.i>
+ <node name="radius">
+ <children>
+ #include <include/radius-nas-identifier.xml.i>
+ <tagNode name="server">
+ <children>
+ #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
- </tagNode>
+ </node>
<node name="site-to-site">
<properties>
- <help>Site to site VPN</help>
+ <help>Site-to-site VPN</help>
</properties>
<children>
<tagNode name="peer">
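Review bot: The `server-mode` descriptions are placeholders, `pre-shared-secret_description` and `x509_description`; replace them with e.g. `<description>Use a pre-shared secret for server authentication</description>` and `<description>Use an X.509 certificate for server authentication</description>`. The profile `authentication mode` leaf (`<leafNode name="mode">` near the top of this hunk) offers `pre-shared-secret` in completion and valueHelp but has no `<constraint>`, unlike `client-mode` and `server-mode`, so any string is accepted there; add `<constraint><regex>^(pre-shared-secret)$</regex></constraint>`. The `dhcp interface` leaf under `remote-access` also lacks a `<valueHelp>` while its sibling `server` has one.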
@@ -776,20 +915,15 @@
</valueHelp>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Peer authentication [REQUIRED]</help>
</properties>
<children>
- <leafNode name="id">
- <properties>
- <help>ID for peer authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-rsa.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
@@ -813,15 +947,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
<leafNode name="remote-id">
<properties>
<help>ID for remote authentication</help>
@@ -831,60 +957,12 @@
</valueHelp>
</properties>
</leafNode>
- <leafNode name="rsa-key-name">
- <properties>
- <help>RSA key name</help>
- </properties>
- </leafNode>
<leafNode name="use-x509-id">
<properties>
<help>Use certificate common name as ID</help>
<valueless/>
</properties>
</leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing the X.509 Certificate Revocation List (CRL)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <node name="key">
- <properties>
- <help>Key file and password to open it</help>
- </properties>
- <children>
- <leafNode name="file">
- <properties>
- <help>File containing the private key for the X.509 certificate for this host</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="password">
- <properties>
- <help>Password that protects the private key</help>
- <valueHelp>
- <format>txt</format>
- <description>Password that protects the private key</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
</children>
</node>
<leafNode name="connection-type">
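Review bot: The removed `x509` node carried a `crl-file` leaf, and the replacement `#include <include/ipsec/authentication-x509.xml.i>` (added in the hunk above, under the `authentication` node) is not visible here, so this diff alone does not show whether a CRL / revocation setting survives the refactor. If the shared include has no equivalent, peers that today pin a CRL would lose revocation checking silently on upgrade; either the include should carry it or the commit description and migrator should state the removal explicitly. The same question applies to the `vpn_l2tp.xml.in` hunk that replaces its own `x509` node (`crl-file`, `server-cert-file`, `server-key-file`, `server-key-password`) with the same include. The enclosing `authentication` node starts outside this hunk.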
@@ -909,20 +987,13 @@
<leafNode name="default-esp-group">
<properties>
<help>Defult ESP group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
</properties>
</leafNode>
- <leafNode name="description">
- <properties>
- <help>VPN peer description</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/generic-description.xml.i>
+ #include <include/dhcp-interface.xml.i>
<leafNode name="force-encapsulation">
<properties>
<help>Force UDP Encapsulation for ESP Payloads</help>
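Review bot: The `default-esp-group` properties block is edited to add `completionHelp`, but the help text directly above the insertion, `Defult ESP group name`, keeps its typo; since the block is already being touched, change it to `<help>Default ESP group name</help>`. The enclosing `peer` tagNode starts and ends outside this hunk.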
@@ -942,14 +1013,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Internet Key Exchange (IKE) group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
@@ -973,31 +1037,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="local-address">
- <properties>
- <help>IPv4 or IPv6 address of a local interface to use for VPN</help>
- <completionHelp>
- <list>any</list>
- </completionHelp>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>any</format>
- <description>Allow any IPv4 address present on the system to be used for VPN</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-address"/>
- <validator name="ipv6-address"/>
- <regex>^(any)$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/ipsec/local-address.xml.i>
<tagNode name="tunnel">
<properties>
<help>Peer tunnel [REQUIRED]</help>
@@ -1007,114 +1047,16 @@
</valueHelp>
</properties>
<children>
- <leafNode name="allow-nat-networks">
- <properties>
- <help>Option to allow NAT networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="allow-public-networks">
- <properties>
- <help>Option to allow public networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable public networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable public networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
#include <include/generic-disable-node.xml.i>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <node name="local">
- <properties>
- <help>Local parameters for interesting traffic</help>
- </properties>
- <children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="prefix">
- <properties>
- <help>Local IPv4 or IPv6 prefix</help>
- <valueHelp>
- <format>ipv4</format>
- <description>Local IPv4 prefix</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>Local IPv6 prefix</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-prefix"/>
- <validator name="ipv6-prefix"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="protocol">
- <properties>
- <help>Protocol to encrypt</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ #include <include/ip-protocol.xml.i>
<node name="remote">
<properties>
<help>Remote parameters for interesting traffic</help>
</properties>
<children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/port-number.xml.i>
<leafNode name="prefix">
<properties>
<help>Remote IPv4 or IPv6 prefix</help>
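Review bot: `allow-nat-networks` and `allow-public-networks` are removed from the `tunnel` node with no replacement visible in this hunk, so an existing configuration that sets either would fail to load after upgrade unless a migration script accompanies this change (none is visible in this diff). If the options are intentionally dropped, a migrator should delete them; if they are folded into `#include <include/ipsec/local-traffic-selector.xml.i>` or elsewhere, the commit description should say where. Separately, the `local` side is now a shared include while `remote` stays inline with `#include <include/port-number.xml.i>` plus an inline `prefix` leaf; a matching remote include would keep the two selectors from drifting. The `tunnel` tagNode ends outside this hunk.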
@@ -1130,6 +1072,7 @@
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
+ <multi/>
</properties>
</leafNode>
</children>
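Review bot: Adding `<multi/>` to the remote `prefix` leaf makes it accept several values, but the leaf's help text (in the previous hunk) still reads `Remote IPv4 or IPv6 prefix`, singular; something like `<help>Remote IPv4 or IPv6 prefixes</help>` would tell the operator that multiple values are allowed. Whether the local selector, now pulled in via `include/ipsec/local-traffic-selector.xml.i`, is also `<multi/>` cannot be seen here; if it is not, local and remote selectors behave asymmetrically. The `prefix` leaf starts outside this hunk.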
@@ -1143,17 +1086,13 @@
<children>
<leafNode name="bind">
<properties>
- <help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
- </properties>
- </leafNode>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
+ <help>VTI tunnel interface associated with this configuration</help>
<completionHelp>
- <path>vpn ipsec esp-group</path>
+ <path>interfaces vti</path>
</completionHelp>
</properties>
</leafNode>
+ #include <include/ipsec/esp-group.xml.i>
</children>
</node>
</children>
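Review bot: `bind` gains `<path>interfaces vti</path>` completion but still has no `<constraint>`, so any string is accepted by the CLI schema and a typo is only caught if the owning script verifies it (not visible here). A constraint matching the interface naming the completion path implies, e.g. `<constraint><regex>^vti[0-9]+$</regex></constraint>` placed after `</completionHelp>`, would reject bad values at set time; the exact naming pattern should be checked against the `interfaces vti` definition. The enclosing `vti` node starts outside this hunk.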
diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in
index 5bdebcb05..cf31af70f 100644
--- a/interface-definitions/vpn_l2tp.xml.in
+++ b/interface-definitions/vpn_l2tp.xml.in
@@ -70,51 +70,8 @@
</completionHelp>
</properties>
</leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret for IPsec</help>
- </properties>
- </leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing the X.509 Certificate Revocation List (CRL)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-cert-file">
- <properties>
- <help>File containing the X.509 certificate for the remote access VPN server (this host)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-key-file">
- <properties>
- <help>File containing the private key for the X.509 certificate for the remote access VPN server (this host)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="server-key-password">
- <properties>
- <help>Password that protects the private key</help>
- </properties>
- </leafNode>
- </children>
- </node>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
</children>
</node>
<leafNode name="ike-lifetime">
@@ -128,6 +85,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="lifetime">
<properties>
@@ -140,7 +98,10 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
</children>
</node>
#include <include/accel-ppp/wins-server.xml.i>
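Review bot: `#include <include/ipsec/esp-group.xml.i>` and `#include <include/ipsec/ike-group.xml.i>` are added next to the existing `ike-lifetime` and `lifetime` leaves, which in this and the previous hunk also receive `<defaultValue>3600</defaultValue>`; if the referenced groups define their own lifetimes (not visible here), an operator can set conflicting values with no indication of which wins. The help text of the two leaves, or the commit description, should state the precedence, or the leaves should be marked as superseded by the group settings. The enclosing node starts outside this hunk.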
@@ -159,11 +120,7 @@
<help>Description for L2TP remote-access settings</help>
</properties>
</leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
<leafNode name="idle">
<properties>
<help>PPP idle timeout</help>
@@ -248,11 +205,7 @@
<help>Maximum number of tries to send Access-Request/Accounting-Request queries</help>
</properties>
</leafNode>
- <leafNode name="nas-identifier">
- <properties>
- <help>Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests.</help>
- </properties>
- </leafNode>
+ #include <include/radius-nas-identifier.xml.i>
<node name="dae-server">
<properties>
<help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
@@ -308,6 +261,7 @@
</properties>
<children>
#include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
+ #include <include/accel-ppp/ppp-options-ipv6.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in
index 1a9d39a12..a33ff67ea 100644
--- a/interface-definitions/vpn_openconnect.xml.in
+++ b/interface-definitions/vpn_openconnect.xml.in
@@ -32,26 +32,7 @@
</completionHelp>
</properties>
</leafNode>
- <node name="local-users">
- <properties>
- <help>Local user authentication for SSL VPN server</help>
- </properties>
- <children>
- <tagNode name="username">
- <properties>
- <help>User name for authentication</help>
- </properties>
- <children>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="password">
- <properties>
- <help>Password for authentication</help>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
+ #include <include/auth-local-users.xml.i>
#include <include/radius-server-ipv4.xml.i>
<node name="radius">
<children>
@@ -75,7 +56,7 @@
</node>
<node name="listen-ports">
<properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>Specify custom ports to use for client connections</help>
</properties>
<children>
<leafNode name="tcp">
@@ -108,12 +89,11 @@
</node>
<node name="ssl">
<properties>
- <help>SSL Certificate, SSL Key and CA (/config/auth)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
</properties>
<children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate-key.xml.i>
</children>
</node>
<node name="network-settings">
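Review bot: The `ssl` node here pulls in `#include <include/pki/ca-certificate.xml.i>` and `#include <include/pki/certificate-key.xml.i>`, while the `vpn_sstp.xml.in` hunk with the identical help text `SSL Certificate, SSL Key and CA` pulls in `pki/ca-certificate.xml.i` and `pki/certificate.xml.i`; both files previously used the same three includes, so the divergence is new in this commit. One of the two is likely unintended unless OpenConnect needs a different certificate include; if it is intended, a short comment above the include such as `<!-- OpenConnect needs the key alongside the certificate -->` (only if that is the actual reason) would stop the next refactor from "fixing" it.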
diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in
index 91c8cd76f..dab317f68 100644
--- a/interface-definitions/vpn_pptp.xml.in
+++ b/interface-definitions/vpn_pptp.xml.in
@@ -5,6 +5,7 @@
<node name="pptp" owner="${vyos_conf_scripts_dir}/vpn_pptp.py">
<properties>
<help>Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN)</help>
+ <priority>901</priority>
</properties>
<children>
<node name="remote-access">
diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in
index e4ade844d..3576bac90 100644
--- a/interface-definitions/vpn_sstp.xml.in
+++ b/interface-definitions/vpn_sstp.xml.in
@@ -43,18 +43,18 @@
</properties>
<children>
#include <include/accel-ppp/ppp-mppe.xml.i>
+ #include <include/accel-ppp/ppp-options-ipv6.xml.i>
#include <include/accel-ppp/lcp-echo-interval-failure.xml.i>
#include <include/accel-ppp/lcp-echo-timeout.xml.i>
</children>
</node>
<node name="ssl">
<properties>
- <help>SSL Certificate, SSL Key and CA (/config/user-data/sstp)</help>
+ <help>SSL Certificate, SSL Key and CA</help>
</properties>
<children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- #include <include/certificate-key.xml.i>
+ #include <include/pki/ca-certificate.xml.i>
+ #include <include/pki/certificate.xml.i>
</children>
</node>
</children>
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 426884a11..9d513945c 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -19,7 +19,7 @@
<constraint>
<validator name="vrf-name"/>
</constraint>
- <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\n</constraintErrorMessage>
+ <constraintErrorMessage>VRF instance name must be 15 characters or less and can not\nbe named as regular network interfaces.\nA name must starts from a letter.\n</constraintErrorMessage>
<valueHelp>
<format>txt</format>
<description>VRF instance name</description>
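Review bot: The sentence appended to `constraintErrorMessage`, `A name must starts from a letter.`, is ungrammatical and is shown to the operator on every failed commit; change it to `A name must start with a letter.`, keeping the surrounding `\n` separators as in the existing text.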
@@ -76,13 +76,13 @@
<properties>
<help>Routing table associated with this instance</help>
<valueHelp>
- <format>100-2147483647</format>
+ <format>100-65535</format>
<description>Routing table ID</description>
</valueHelp>
<constraint>
- <validator name="numeric" argument="--range 100-2147483647"/>
+ <validator name="numeric" argument="--range 100-65535"/>
</constraint>
- <constraintErrorMessage>VRF routing table must be in range from 100 to 2147483647</constraintErrorMessage>
+ <constraintErrorMessage>VRF routing table must be in range from 100 to 65535</constraintErrorMessage>
</properties>
</leafNode>
#include <include/vni.xml.i>
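Review bot: The new `valueHelp` format `100-65535` drops the type prefix this repository uses elsewhere on this page for numeric ranges (`u32:1-65535`); `<format>u32:100-65535</format>` keeps the completion output consistent. Narrowing the accepted range from 2147483647 to 65535 also means an existing VRF with a larger table ID fails validation on upgrade; this hunk does not show a migration script, so confirm one exists or that the commit description explains the change. The routing-table leaf's start is outside this hunk.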