diff options
Diffstat (limited to 'interface-definitions')
79 files changed, 1122 insertions, 797 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index c2d652278..673461036 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -314,6 +314,40 @@ </tagNode> </children> </node> + <tagNode name="interface"> + <properties> + <help>Interface name to apply firewall configuration</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + <children> + <node name="in"> + <properties> + <help>Forwarded packets on inbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="out"> + <properties> + <help>Forwarded packets on outbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="local"> + <properties> + <help>Packets destined for this router</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + </children> + </tagNode> <leafNode name="ip-src-route"> <properties> <help>Policy for handling IPv4 packets with source route option</help> @@ -345,6 +379,14 @@ #include <include/firewall/default-action.xml.i> #include <include/firewall/enable-default-log.xml.i> #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> <tagNode name="rule"> <properties> <help>Firewall rule number (IPv6)</help> @@ -383,17 +425,9 @@ </children> </node> #include <include/firewall/common-rule.xml.i> + #include <include/firewall/dscp.xml.i> #include <include/firewall/packet-length.xml.i> - <node name="hop-limit"> - <properties> - <help>Hop Limit</help> - </properties> - <children> - #include <include/firewall/eq.xml.i> - #include <include/firewall/gt.xml.i> - #include <include/firewall/lt.xml.i> - </children> - </node> + #include <include/firewall/hop-limit.xml.i> <node name="icmpv6"> <properties> <help>ICMPv6 type and code information</help> @@ -426,6 +460,14 @@ #include <include/firewall/icmpv6-type-name.xml.i> </children> </node> + <leafNode name="jump-target"> + <properties> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> </children> </tagNode> </children> @@ -501,6 +543,14 @@ #include <include/firewall/default-action.xml.i> #include <include/firewall/enable-default-log.xml.i> #include <include/generic-description.xml.i> + <leafNode name="default-jump-target"> + <properties> + <help>Set jump target. Action jump must be defined in default-action to use this setting</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> + </leafNode> <tagNode name="rule"> <properties> <help>Firewall rule number (IPv4)</help> @@ -539,6 +589,7 @@ </children> </node> #include <include/firewall/common-rule.xml.i> + #include <include/firewall/dscp.xml.i> #include <include/firewall/packet-length.xml.i> <node name="icmp"> <properties> @@ -572,16 +623,15 @@ #include <include/firewall/icmp-type-name.xml.i> </children> </node> - <node name="ttl"> + <leafNode name="jump-target"> <properties> - <help>Time to live limit</help> + <help>Set jump target. Action jump must be defined to use this setting</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> </properties> - <children> - #include <include/firewall/eq.xml.i> - #include <include/firewall/gt.xml.i> - #include <include/firewall/lt.xml.i> - </children> - </node> + </leafNode> + #include <include/firewall/ttl.xml.i> </children> </tagNode> </children> @@ -661,6 +711,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> @@ -670,6 +721,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> @@ -679,6 +731,7 @@ </properties> <children> #include <include/firewall/action-accept-drop-reject.xml.i> + #include <include/firewall/log.xml.i> #include <include/firewall/rule-log-level.xml.i> </children> </node> @@ -724,6 +777,143 @@ </properties> <defaultValue>disable</defaultValue> </leafNode> + <tagNode name="zone"> + <properties> + <help>Zone-policy</help> + <valueHelp> + <format>txt</format> + <description>Zone name</description> + </valueHelp> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/generic-description.xml.i> + #include <include/firewall/enable-default-log.xml.i> + <leafNode name="default-action"> + <properties> + <help>Default-action for traffic coming into this zone</help> + <completionHelp> + <list>drop reject</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop silently</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Drop and notify source</description> + </valueHelp> + <constraint> + <regex>(drop|reject)</regex> + </constraint> + </properties> + <defaultValue>drop</defaultValue> + </leafNode> + <tagNode name="from"> + <properties> + <help>Zone from which to filter traffic</help> + <completionHelp> + <path>zone-policy zone</path> + </completionHelp> + </properties> + <children> + <node name="firewall"> + <properties> + <help>Firewall options</help> + </properties> + <children> + <leafNode name="ipv6-name"> + <properties> + <help>IPv6 firewall ruleset</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="name"> + <properties> + <help>IPv4 firewall ruleset</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + <leafNode name="interface"> + <properties> + <help>Interface associated with zone</help> + <valueHelp> + <format>txt</format> + <description>Interface associated with zone</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <multi/> + </properties> + </leafNode> + <node name="intra-zone-filtering"> + <properties> + <help>Intra-zone filtering</help> + </properties> + <children> + <leafNode name="action"> + <properties> + <help>Action for intra-zone traffic</help> + <completionHelp> + <list>accept drop</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Accept traffic</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop silently</description> + </valueHelp> + <constraint> + <regex>(accept|drop)</regex> + </constraint> + </properties> + </leafNode> + <node name="firewall"> + <properties> + <help>Use the specified firewall chain</help> + </properties> + <children> + <leafNode name="ipv6-name"> + <properties> + <help>IPv6 firewall ruleset</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="name"> + <properties> + <help>IPv4 firewall ruleset</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + <leafNode name="local-zone"> + <properties> + <help>Zone to be local-zone</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> </children> </node> </interfaceDefinition> diff --git a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i index 01cf0e040..774741a5e 100644 --- a/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i +++ b/interface-definitions/include/accel-ppp/client-ipv6-pool.xml.i @@ -16,19 +16,19 @@ </constraint> </properties> <children> - <leafNode name="mask"> - <properties> - <help>Prefix length used for individual client</help> - <valueHelp> - <format>u32:48-128</format> - <description>Client prefix length</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 48-128"/> - </constraint> - </properties> - <defaultValue>64</defaultValue> - </leafNode> + <leafNode name="mask"> + <properties> + <help>Prefix length used for individual client</help> + <valueHelp> + <format>u32:48-128</format> + <description>Client prefix length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 48-128"/> + </constraint> + </properties> + <defaultValue>64</defaultValue> + </leafNode> </children> </tagNode> <tagNode name="delegate"> diff --git a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i index f44920c3f..b8dbe73b2 100644 --- a/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions-rate-limit.xml.i @@ -6,18 +6,24 @@ <children> <leafNode name="attribute"> <properties> - <help>Specifies which radius attribute contains rate information. (default is Filter-Id)</help> + <help>RADIUS attribute that contains rate information</help> </properties> <defaultValue>Filter-Id</defaultValue> </leafNode> <leafNode name="vendor"> <properties> - <help>Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius)</help> + <help>Vendor dictionary</help> + <completionHelp> + <list>alcatel cisco microsoft mikrotik</list> + </completionHelp> + <constraint> + <validator name="accel-radius-dictionary" /> + </constraint> </properties> </leafNode> <leafNode name="enable"> <properties> - <help>Enables Bandwidth shaping via RADIUS</help> + <help>Enable bandwidth shaping via RADIUS</help> <valueless /> </properties> </leafNode> diff --git a/interface-definitions/include/accel-ppp/vlan.xml.i b/interface-definitions/include/accel-ppp/vlan.xml.i new file mode 100644 index 000000000..5ef4de633 --- /dev/null +++ b/interface-definitions/include/accel-ppp/vlan.xml.i @@ -0,0 +1,20 @@ +<!-- include start from accel-ppp/vlan.xml.i --> +<leafNode name="vlan"> + <properties> + <help>VLAN monitor for automatic creation of VLAN interfaces</help> + <valueHelp> + <format>u32:1-4094</format> + <description>VLAN for automatic creation</description> + </valueHelp> + <valueHelp> + <format>start-end</format> + <description>VLAN range for automatic creation (e.g. 1-4094)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 1-4094"/> + </constraint> + <constraintErrorMessage>VLAN IDs need to be in range 1-4094</constraintErrorMessage> + <multi/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i index d586635c8..fef3daf3b 100644 --- a/interface-definitions/include/bgp/afi-l2vpn-common.xml.i +++ b/interface-definitions/include/bgp/afi-l2vpn-common.xml.i @@ -27,6 +27,7 @@ <constraint> <validator name="bgp-rd-rt" argument="--route-target"/> </constraint> + <multi/> </properties> </leafNode> <leafNode name="import"> @@ -39,6 +40,7 @@ <constraint> <validator name="bgp-rd-rt" argument="--route-target"/> </constraint> + <multi/> </properties> </leafNode> <leafNode name="export"> @@ -51,6 +53,7 @@ <constraint> <validator name="bgp-rd-rt" argument="--route-target"/> </constraint> + <multi/> </properties> </leafNode> </children> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index d2bcea62a..70176144d 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1135,6 +1135,19 @@ </leafNode> </children> </node> + <node name="peer-type"> + <properties> + <help>Peer type</help> + </properties> + <children> + <leafNode name="multipath-relax"> + <properties> + <help>Allow load sharing across routes learned from different peer types</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> </children> </node> <leafNode name="cluster-id"> diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i index 512cc23bd..468340cbb 100644 --- a/interface-definitions/include/firewall/action.xml.i +++ b/interface-definitions/include/firewall/action.xml.i @@ -3,22 +3,30 @@ <properties> <help>Rule action</help> <completionHelp> - <list>accept reject drop</list> + <list>accept jump reject return drop</list> </completionHelp> <valueHelp> <format>accept</format> <description>Accept matching entries</description> </valueHelp> <valueHelp> + <format>jump</format> + <description>Jump to another chain</description> + </valueHelp> + <valueHelp> <format>reject</format> <description>Reject matching entries</description> </valueHelp> <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> <format>drop</format> <description>Drop matching entries</description> </valueHelp> <constraint> - <regex>(accept|reject|drop)</regex> + <regex>(accept|jump|reject|return|drop)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 079864122..a4f66f5cb 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -26,6 +26,14 @@ </leafNode> </children> </node> +<leafNode name="inbound-interface"> + <properties> + <help>Match inbound-interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> +</leafNode> <node name="ipsec"> <properties> <help>Inbound IPsec packets</help> @@ -122,6 +130,14 @@ </leafNode> </children> </node> +<leafNode name="outbound-interface"> + <properties> + <help>Match outbound-interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> +</leafNode> <leafNode name="protocol"> <properties> <help>Protocol to match (protocol name, number, or "all")</help> diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i index 92a2fcaaf..80efaf335 100644 --- a/interface-definitions/include/firewall/default-action.xml.i +++ b/interface-definitions/include/firewall/default-action.xml.i @@ -3,22 +3,30 @@ <properties> <help>Default-action for rule-set</help> <completionHelp> - <list>drop reject accept</list> + <list>drop jump reject return accept</list> </completionHelp> <valueHelp> <format>drop</format> <description>Drop if no prior rules are hit</description> </valueHelp> <valueHelp> + <format>jump</format> + <description>Jump to another chain if no prior rules are hit</description> + </valueHelp> + <valueHelp> <format>reject</format> <description>Drop and notify source if no prior rules are hit</description> </valueHelp> <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> <format>accept</format> <description>Accept if no prior rules are hit</description> </valueHelp> <constraint> - <regex>(drop|reject|accept)</regex> + <regex>(drop|jump|reject|return|accept)</regex> </constraint> </properties> <defaultValue>drop</defaultValue> diff --git a/interface-definitions/include/firewall/dscp.xml.i b/interface-definitions/include/firewall/dscp.xml.i new file mode 100644 index 000000000..dd4da4894 --- /dev/null +++ b/interface-definitions/include/firewall/dscp.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/dscp.xml.i --> +<leafNode name="dscp"> + <properties> + <help>DSCP value</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP value to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>DSCP range to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-63"/> + </constraint> + <multi/> + </properties> +</leafNode> +<leafNode name="dscp-exclude"> + <properties> + <help>DSCP value not to match</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP value not to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>DSCP range not to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-63"/> + </constraint> + <multi/> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/hop-limit.xml.i b/interface-definitions/include/firewall/hop-limit.xml.i new file mode 100644 index 000000000..d375dc985 --- /dev/null +++ b/interface-definitions/include/firewall/hop-limit.xml.i @@ -0,0 +1,12 @@ +<!-- include start from firewall/hop-limit.xml.i --> +<node name="hop-limit"> + <properties> + <help>Hop limit</help> + </properties> + <children> + #include <include/firewall/eq.xml.i> + #include <include/firewall/gt.xml.i> + #include <include/firewall/lt.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/name.xml.i b/interface-definitions/include/firewall/name.xml.i new file mode 100644 index 000000000..231b9b144 --- /dev/null +++ b/interface-definitions/include/firewall/name.xml.i @@ -0,0 +1,18 @@ +<!-- include start from firewall/name.xml.i --> +<leafNode name="name"> + <properties> + <help>Local IPv4 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> +</leafNode> +<leafNode name="ipv6-name"> + <properties> + <help>Local IPv6 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end from firewall/name.xml.i -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-length.xml.i index 043f56d16..fd2eb67b0 100644 --- a/interface-definitions/include/firewall/packet-length.xml.i +++ b/interface-definitions/include/firewall/packet-length.xml.i @@ -11,8 +11,7 @@ <description>Packet length range to match</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-65535"/> - <validator name="range" argument="--min=1 --max=65535"/> + <validator name="numeric" argument="--allow-range --range 1-65535"/> </constraint> <multi/> </properties> @@ -29,8 +28,7 @@ <description>Packet length range not to match</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-65535"/> - <validator name="range" argument="--min=1 --max=65535"/> + <validator name="numeric" argument="--allow-range --range 1-65535"/> </constraint> <multi/> </properties> diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i index 5a7b5a8d3..e2ce7b9fd 100644 --- a/interface-definitions/include/firewall/tcp-flags.xml.i +++ b/interface-definitions/include/firewall/tcp-flags.xml.i @@ -126,8 +126,7 @@ <description>TCP MSS range (use '-' as delimiter)</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-16384"/> - <validator name="range" argument="--min=1 --max=16384"/> + <validator name="numeric" argument="--allow-range --range 1-16384"/> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/ttl.xml.i b/interface-definitions/include/firewall/ttl.xml.i new file mode 100644 index 000000000..9c782a9a5 --- /dev/null +++ b/interface-definitions/include/firewall/ttl.xml.i @@ -0,0 +1,12 @@ +<!-- include start from firewall/ttl.xml.i --> +<node name="ttl"> + <properties> + <help>Time to live limit</help> + </properties> + <children> + #include <include/firewall/eq.xml.i> + #include <include/firewall/gt.xml.i> + #include <include/firewall/lt.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/ids/threshold.xml.i b/interface-definitions/include/ids/threshold.xml.i new file mode 100644 index 000000000..e21e3a005 --- /dev/null +++ b/interface-definitions/include/ids/threshold.xml.i @@ -0,0 +1,38 @@ +<!-- include start from ids/threshold.xml.i --> +<leafNode name="fps"> + <properties> + <help>Flows per second</help> + <valueHelp> + <format>u32:0-4294967294</format> + <description>Flows per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> +</leafNode> +<leafNode name="mbps"> + <properties> + <help>Megabits per second</help> + <valueHelp> + <format>u32:0-4294967294</format> + <description>Megabits per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> +</leafNode> +<leafNode name="pps"> + <properties> + <help>Packets per second</help> + <valueHelp> + <format>u32:0-4294967294</format> + <description>Packets per second</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-4294967294"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/adjust-mss.xml.i b/interface-definitions/include/interface/adjust-mss.xml.i index 41140ffe1..2b184a05e 100644 --- a/interface-definitions/include/interface/adjust-mss.xml.i +++ b/interface-definitions/include/interface/adjust-mss.xml.i @@ -11,11 +11,11 @@ <description>Automatically sets the MSS to the proper value</description> </valueHelp> <valueHelp> - <format>u32:500-65535</format> + <format>u32:536-65535</format> <description>TCP Maximum segment size in bytes</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 500-65535"/> + <validator name="numeric" argument="--range 536-65535"/> <regex>(clamp-mss-to-pmtu)</regex> </constraint> </properties> diff --git a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i b/interface-definitions/include/interface/interface-firewall-vif-c.xml.i deleted file mode 100644 index 1bc235fcb..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif-c.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../../@).$VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall-vif.xml.i b/interface-definitions/include/interface/interface-firewall-vif.xml.i deleted file mode 100644 index a37ac5c4a..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall.xml.i b/interface-definitions/include/interface/interface-firewall.xml.i deleted file mode 100644 index b3f20c3bf..000000000 --- a/interface-definitions/include/interface/interface-firewall.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index c1af9f9e3..916349ade 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="protocol"> <properties> @@ -68,7 +67,6 @@ #include <include/interface/mtu-68-16000.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/interface-firewall-vif-c.xml.i> #include <include/interface/interface-policy-vif-c.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 57ef8d64c..73a8c98ff 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="egress-qos"> <properties> diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i index 4967782ec..4e0b848c3 100644 --- a/interface-definitions/include/ipsec/authentication-id.xml.i +++ b/interface-definitions/include/ipsec/authentication-id.xml.i @@ -1,10 +1,10 @@ <!-- include start from ipsec/authentication-id.xml.i --> -<leafNode name="id"> +<leafNode name="local-id"> <properties> - <help>ID for peer authentication</help> + <help>Local ID for peer authentication</help> <valueHelp> <format>txt</format> - <description>ID used for peer authentication</description> + <description>Local ID used for peer authentication</description> </valueHelp> </properties> </leafNode> diff --git a/interface-definitions/include/ipsec/remote-address.xml.i b/interface-definitions/include/ipsec/remote-address.xml.i new file mode 100644 index 000000000..ba96290d0 --- /dev/null +++ b/interface-definitions/include/ipsec/remote-address.xml.i @@ -0,0 +1,30 @@ +<!-- include start from ipsec/remote-address.xml.i --> +<leafNode name="remote-address"> + <properties> + <help>IPv4 or IPv6 address of the remote peer</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address of the remote peer</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address of the remote peer</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>Fully qualified domain name of the remote peer</description> + </valueHelp> + <valueHelp> + <format>any</format> + <description>Allow any IP address of the remote peer</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <validator name="fqdn"/> + <regex>(any)</regex> + </constraint> + <multi/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/isis/high-low-label-value.xml.i b/interface-definitions/include/isis/high-low-label-value.xml.i index adc28417d..f30b5af3a 100644 --- a/interface-definitions/include/isis/high-low-label-value.xml.i +++ b/interface-definitions/include/isis/high-low-label-value.xml.i @@ -4,7 +4,7 @@ <help>MPLS label lower bound</help> <valueHelp> <format>u32:16-1048575</format> - <description>Label value</description> + <description>Label value (recommended minimum value: 100)</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 16-1048575"/> diff --git a/interface-definitions/include/isis/protocol-common-config.xml.i b/interface-definitions/include/isis/protocol-common-config.xml.i index 75a0355d4..57ee19300 100644 --- a/interface-definitions/include/isis/protocol-common-config.xml.i +++ b/interface-definitions/include/isis/protocol-common-config.xml.i @@ -233,12 +233,6 @@ <help>Segment-Routing (SPRING) settings</help> </properties> <children> - <leafNode name="enable"> - <properties> - <help>Enable segment-routing functionality</help> - <valueless/> - </properties> - </leafNode> <node name="global-block"> <properties> <help>Segment Routing Global Block label range</help> diff --git a/interface-definitions/include/listen-address-single.xml.i b/interface-definitions/include/listen-address-single.xml.i new file mode 100644 index 000000000..b5841cabb --- /dev/null +++ b/interface-definitions/include/listen-address-single.xml.i @@ -0,0 +1,22 @@ +<leafNode name="listen-address"> + <properties> + <help>Local IP addresses to listen on</help> + <completionHelp> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to listen for incoming connections</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to listen for incoming connections</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <validator name="ipv6-link-local"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 791bbc0f8..28e3b473b 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -621,6 +621,86 @@ </constraint> </properties> </leafNode> +<node name="segment-routing"> + <properties> + <help>Segment-Routing (SPRING) settings</help> + </properties> + <children> + <node name="global-block"> + <properties> + <help>Segment Routing Global Block label range</help> + </properties> + <children> + #include <include/isis/high-low-label-value.xml.i> + </children> + </node> + <node name="local-block"> + <properties> + <help>Segment Routing Local Block label range</help> + </properties> + <children> + #include <include/isis/high-low-label-value.xml.i> + </children> + </node> + <leafNode name="maximum-label-depth"> + <properties> + <help>Maximum MPLS labels allowed for this router</help> + <valueHelp> + <format>u32:1-16</format> + <description>MPLS label depth</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-16"/> + </constraint> + </properties> + </leafNode> + <tagNode name="prefix"> + <properties> + <help>Static IPv4 prefix segment/label mapping</help> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix segment</description> + </valueHelp> + <constraint> + <validator name="ipv4-prefix"/> + </constraint> + </properties> + <children> + <node name="index"> + <properties> + <help>Specify the index value of prefix segment/label ID</help> + </properties> + <children> + <leafNode name="value"> + <properties> + <help>Specify the index value of prefix segment/label ID</help> + <valueHelp> + <format>u32:0-65535</format> + <description>The index segment/label ID value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="explicit-null"> + <properties> + <help>Request upstream neighbor to replace segment/label with explicit null label</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="no-php-flag"> + <properties> + <help>Do not request penultimate hop popping for segment/label</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> +</node> <node name="redistribute"> <properties> <help>Redistribute information from another routing protocol</help> diff --git a/interface-definitions/include/policy/community-clear.xml.i b/interface-definitions/include/policy/community-clear.xml.i new file mode 100644 index 000000000..0fd57cdf0 --- /dev/null +++ b/interface-definitions/include/policy/community-clear.xml.i @@ -0,0 +1,8 @@ +<!-- include start from policy/community-clear.xml.i --> +<leafNode name="none"> + <properties> + <help>Completely remove communities attribute from a prefix</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/policy/community-value-list.xml.i b/interface-definitions/include/policy/community-value-list.xml.i new file mode 100644 index 000000000..8c665c5f0 --- /dev/null +++ b/interface-definitions/include/policy/community-value-list.xml.i @@ -0,0 +1,90 @@ +<!-- include start from policy/community-value-list.xml.i --> +<completionHelp> + <list> + local-as + no-advertise + no-export + internet + graceful-shutdown + accept-own + route-filter-translated-v4 + route-filter-v4 + route-filter-translated-v6 + route-filter-v6 + llgr-stale + no-llgr + accept-own-nexthop + blackhole + no-peer + </list> +</completionHelp> +<valueHelp> + <format><AS:VAL></format> + <description>Community number in <0-65535:0-65535> format</description> +</valueHelp> +<valueHelp> + <format>local-as</format> + <description>Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03</description> +</valueHelp> +<valueHelp> + <format>no-advertise</format> + <description>Well-known communities value NO_ADVERTISE 0xFFFFFF02</description> +</valueHelp> +<valueHelp> + <format>no-export</format> + <description>Well-known communities value NO_EXPORT 0xFFFFFF01</description> +</valueHelp> +<valueHelp> + <format>internet</format> + <description>Well-known communities value 0</description> +</valueHelp> +<valueHelp> + <format>graceful-shutdown</format> + <description>Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000</description> +</valueHelp> +<valueHelp> + <format>accept-own</format> + <description>Well-known communities value ACCEPT_OWN 0xFFFF0001</description> +</valueHelp> +<valueHelp> + <format>route-filter-translated-v4</format> + <description>Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002</description> +</valueHelp> +<valueHelp> + <format>route-filter-v4</format> + <description>Well-known communities value ROUTE_FILTER_v4 0xFFFF0003</description> +</valueHelp> +<valueHelp> + <format>route-filter-translated-v6</format> + <description>Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004</description> +</valueHelp> +<valueHelp> + <format>route-filter-v6</format> + <description>Well-known communities value ROUTE_FILTER_v6 0xFFFF0005</description> +</valueHelp> +<valueHelp> + <format>llgr-stale</format> + <description>Well-known communities value LLGR_STALE 0xFFFF0006</description> +</valueHelp> +<valueHelp> + <format>no-llgr</format> + <description>Well-known communities value NO_LLGR 0xFFFF0007</description> +</valueHelp> +<valueHelp> + <format>accept-own-nexthop</format> + <description>Well-known communities value accept-own-nexthop 0xFFFF0008</description> +</valueHelp> +<valueHelp> + <format>blackhole</format> + <description>Well-known communities value BLACKHOLE 0xFFFF029A</description> +</valueHelp> +<valueHelp> + <format>no-peer</format> + <description>Well-known communities value NOPEER 0xFFFFFF04</description> +</valueHelp> +<multi/> +<constraint> + <regex>local-as|no-advertise|no-export|internet|graceful-shutdown|accept-own|route-filter-translated-v4|route-filter-v4|route-filter-translated-v6|route-filter-v6|llgr-stale|no-llgr|accept-own-nexthop|blackhole|no-peer</regex> + <validator name="bgp-regular-community"/> +</constraint> + <!-- include end --> diff --git a/interface-definitions/include/policy/extended-community-value-list.xml.i b/interface-definitions/include/policy/extended-community-value-list.xml.i new file mode 100644 index 000000000..c79f78c67 --- /dev/null +++ b/interface-definitions/include/policy/extended-community-value-list.xml.i @@ -0,0 +1,15 @@ +<!-- include start from policy/community-value-list.xml.i --> +<valueHelp> + <format>ASN:NN</format> + <description>based on autonomous system number in format <0-65535:0-4294967295></description> +</valueHelp> +<valueHelp> + <format>IP:NN</format> + <description>Based on a router-id IP address in format <IP:0-65535></description> +</valueHelp> +<constraint> + <validator name="bgp-extended-community"/> +</constraint> +<constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> +<multi/> + <!-- include end --> diff --git a/interface-definitions/include/policy/large-community-value-list.xml.i b/interface-definitions/include/policy/large-community-value-list.xml.i new file mode 100644 index 000000000..33b1f13a2 --- /dev/null +++ b/interface-definitions/include/policy/large-community-value-list.xml.i @@ -0,0 +1,10 @@ +<!-- include start from policy/community-value-list.xml.i --> +<valueHelp> + <description>Community in format <0-4294967295:0-4294967295:0-4294967295></description> + <format><GA:LDP1:LDP2></format> +</valueHelp> +<multi/> +<constraint> + <validator name="bgp-large-community"/> +</constraint> + <!-- include end --> diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i index cfeba1a6c..662206336 100644 --- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i +++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i @@ -198,6 +198,10 @@ <validator name="numeric" argument="--range 1-200"/> <regex>(main)</regex> </constraint> + <completionHelp> + <list>main</list> + <path>protocols static table</path> + </completionHelp> </properties> </leafNode> <leafNode name="tcp-mss"> diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i index 5a17dbc95..35fccca50 100644 --- a/interface-definitions/include/policy/route-common-rule.xml.i +++ b/interface-definitions/include/policy/route-common-rule.xml.i @@ -198,6 +198,10 @@ <validator name="numeric" argument="--range 1-200"/> <regex>(main)</regex> </constraint> + <completionHelp> + <list>main</list> + <path>protocols static table</path> + </completionHelp> </properties> </leafNode> <leafNode name="tcp-mss"> diff --git a/interface-definitions/include/qos/limiter-actions.xml.i b/interface-definitions/include/qos/limiter-actions.xml.i new file mode 100644 index 000000000..a993423aa --- /dev/null +++ b/interface-definitions/include/qos/limiter-actions.xml.i @@ -0,0 +1,66 @@ +<!-- include start from qos/limiter-actions.xml.i --> +<leafNode name="exceed-action"> + <properties> + <help>Default action for packets exceeding the limiter (default: drop)</help> + <completionHelp> + <list>continue drop ok reclassify pipe</list> + </completionHelp> + <valueHelp> + <format>continue</format> + <description>Don't do anything, just continue with the next action in line</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop the packet immediately</description> + </valueHelp> + <valueHelp> + <format>ok</format> + <description>Accept the packet</description> + </valueHelp> + <valueHelp> + <format>reclassify</format> + <description>Treat the packet as non-matching to the filter this action is attached to and continue with the next filter in line (if any)</description> + </valueHelp> + <valueHelp> + <format>pipe</format> + <description>Pass the packet to the next action in line</description> + </valueHelp> + <constraint> + <regex>(continue|drop|ok|reclassify|pipe)</regex> + </constraint> + </properties> + <defaultValue>drop</defaultValue> +</leafNode> +<leafNode name="notexceed-action"> + <properties> + <help>Default action for packets not exceeding the limiter (default: ok)</help> + <completionHelp> + <list>continue drop ok reclassify pipe</list> + </completionHelp> + <valueHelp> + <format>continue</format> + <description>Don't do anything, just continue with the next action in line</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop the packet immediately</description> + </valueHelp> + <valueHelp> + <format>ok</format> + <description>Accept the packet</description> + </valueHelp> + <valueHelp> + <format>reclassify</format> + <description>Treat the packet as non-matching to the filter this action is attached to and continue with the next filter in line (if any)</description> + </valueHelp> + <valueHelp> + <format>pipe</format> + <description>Pass the packet to the next action in line</description> + </valueHelp> + <constraint> + <regex>(continue|drop|ok|reclassify|pipe)</regex> + </constraint> + </properties> + <defaultValue>ok</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/url.xml.i b/interface-definitions/include/url.xml.i new file mode 100644 index 000000000..caa6f67bd --- /dev/null +++ b/interface-definitions/include/url.xml.i @@ -0,0 +1,15 @@ +<!-- include start from url.xml.i --> +<leafNode name="url"> + <properties> + <help>Remote URL</help> + <valueHelp> + <format>url</format> + <description>Remote URL</description> + </valueHelp> + <constraint> + <regex>^https?:\/\/?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*(\:[0-9]+)*(\/.*)?</regex> + </constraint> + <constraintErrorMessage>Incorrect URL format</constraintErrorMessage> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index 059a89f24..065925319 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='7'></syntaxVersion> +<syntaxVersion component='firewall' version='8'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/ids-version.xml.i b/interface-definitions/include/version/ids-version.xml.i new file mode 100644 index 000000000..9133be02b --- /dev/null +++ b/interface-definitions/include/version/ids-version.xml.i @@ -0,0 +1,3 @@ +<!-- include start from include/version/ids-version.xml.i --> +<syntaxVersion component='ids' version='1'></syntaxVersion> +<!-- include end --> diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i index 59295cc91..1c978e8e6 100644 --- a/interface-definitions/include/version/ipsec-version.xml.i +++ b/interface-definitions/include/version/ipsec-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/ipsec-version.xml.i --> -<syntaxVersion component='ipsec' version='9'></syntaxVersion> +<syntaxVersion component='ipsec' version='10'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/isis-version.xml.i b/interface-definitions/include/version/isis-version.xml.i index 4a8fef39c..7bf12e81a 100644 --- a/interface-definitions/include/version/isis-version.xml.i +++ b/interface-definitions/include/version/isis-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/isis-version.xml.i --> -<syntaxVersion component='isis' version='1'></syntaxVersion> +<syntaxVersion component='isis' version='2'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i index 426173a19..89bde20c7 100644 --- a/interface-definitions/include/version/policy-version.xml.i +++ b/interface-definitions/include/version/policy-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/policy-version.xml.i --> -<syntaxVersion component='policy' version='3'></syntaxVersion> +<syntaxVersion component='policy' version='4'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/pppoe-server-version.xml.i b/interface-definitions/include/version/pppoe-server-version.xml.i index ec81487f8..6bdd8d75c 100644 --- a/interface-definitions/include/version/pppoe-server-version.xml.i +++ b/interface-definitions/include/version/pppoe-server-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/pppoe-server-version.xml.i --> -<syntaxVersion component='pppoe-server' version='5'></syntaxVersion> +<syntaxVersion component='pppoe-server' version='6'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 8b6c6ef62..41e4a68a8 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -56,7 +56,6 @@ #include <include/interface/disable.xml.i> #include <include/interface/vrf.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="hash-policy"> <properties> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 48ee1efbc..1e11cd4c6 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -41,7 +41,6 @@ #include <include/interface/disable.xml.i> #include <include/interface/vrf.xml.i> #include <include/interface/mtu-68-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="forwarding-delay"> <properties> diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in index 01438de31..fb36741f7 100644 --- a/interface-definitions/interfaces-dummy.xml.in +++ b/interface-definitions/interfaces-dummy.xml.in @@ -19,7 +19,6 @@ #include <include/interface/address-ipv4-ipv6.xml.i> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="ip"> <properties> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index c821f04b2..77f130e1c 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -31,7 +31,6 @@ </leafNode> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="duplex"> <properties> @@ -94,6 +93,12 @@ <valueless/> </properties> </leafNode> + <leafNode name="rfs"> + <properties> + <help>Enable Receive Flow Steering</help> + <valueless/> + </properties> + </leafNode> <leafNode name="sg"> <properties> <help>Enable Scatter-Gather</help> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index 6e8a8fee2..b959c787d 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -23,7 +23,6 @@ #include <include/interface/ipv6-options.xml.i> #include <include/interface/mac.xml.i> #include <include/interface/mtu-1450-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="parameters"> <properties> diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in index 2164bfa4e..d01c760f8 100644 --- a/interface-definitions/interfaces-input.xml.in +++ b/interface-definitions/interfaces-input.xml.in @@ -19,7 +19,6 @@ <children> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/redirect.xml.i> </children> diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 6a85064cd..bde68dd5a 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -32,7 +32,6 @@ <defaultValue>5000</defaultValue> </leafNode> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="encapsulation"> <properties> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index adb48813f..5c9f4cd76 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -21,7 +21,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/ipv4-options.xml.i> #include <include/interface/ipv6-options.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/mirror.xml.i> <node name="security"> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 6cbd91ff4..3876e31da 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -34,7 +34,6 @@ </children> </node> #include <include/interface/description.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="device-type"> <properties> diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 9674cfc0e..84f76a7ee 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -19,7 +19,6 @@ #include <include/pppoe-access-concentrator.xml.i> #include <include/interface/authentication.xml.i> #include <include/interface/dial-on-demand.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/no-default-route.xml.i> #include <include/interface/default-route-distance.xml.i> diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index 53e6445fa..4eb9bf111 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -28,7 +28,6 @@ #include <include/source-interface-ethernet.xml.i> #include <include/interface/mac.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="mode"> <properties> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 98ff878ba..fe49d337a 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -29,7 +29,6 @@ #include <include/source-address-ipv4-ipv6.xml.i> #include <include/interface/tunnel-remote.xml.i> #include <include/source-interface.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="6rd-prefix"> <properties> diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in index aa83a04b2..eeaea0dc3 100644 --- a/interface-definitions/interfaces-vti.xml.in +++ b/interface-definitions/interfaces-vti.xml.in @@ -25,7 +25,6 @@ #include <include/interface/mirror.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> </children> </tagNode> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index faa3dd5e0..4902ff36d 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -54,7 +54,6 @@ #include <include/interface/mac.xml.i> #include <include/interface/mtu-1200-16000.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="mtu"> <defaultValue>1450</defaultValue> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 4a1b4ac68..23f50d146 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -21,7 +21,6 @@ #include <include/interface/disable.xml.i> #include <include/port-number.xml.i> #include <include/interface/mtu-68-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/mirror.xml.i> <leafNode name="mtu"> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index daee770a9..9e7fc29bc 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -20,7 +20,6 @@ </properties> <children> #include <include/interface/address-ipv4-ipv6-dhcp.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="capabilities"> <properties> diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in index 3071e6091..b0b8367dc 100644 --- a/interface-definitions/interfaces-wwan.xml.in +++ b/interface-definitions/interfaces-wwan.xml.in @@ -39,7 +39,6 @@ #include <include/interface/ipv4-options.xml.i> #include <include/interface/ipv6-options.xml.i> #include <include/interface/dial-on-demand.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in index d969613b1..8619e839e 100644 --- a/interface-definitions/policy-local-route.xml.in +++ b/interface-definitions/policy-local-route.xml.in @@ -6,6 +6,7 @@ <node name="local-route" owner="${vyos_conf_scripts_dir}/policy-local-route.py"> <properties> <help>IPv4 policy route of local traffic</help> + <priority>500</priority> </properties> <children> <tagNode name="rule"> @@ -96,6 +97,7 @@ <node name="local-route6" owner="${vyos_conf_scripts_dir}/policy-local-route.py"> <properties> <help>IPv6 policy route of local traffic</help> + <priority>500</priority> </properties> <children> <tagNode name="rule"> diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index c2a9a8d94..f480f3bd5 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -47,6 +47,9 @@ </children> </node> #include <include/policy/route-common-rule-ipv6.xml.i> + #include <include/firewall/dscp.xml.i> + #include <include/firewall/packet-length.xml.i> + #include <include/firewall/hop-limit.xml.i> </children> </tagNode> </children> @@ -96,6 +99,9 @@ </children> </node> #include <include/policy/route-common-rule.xml.i> + #include <include/firewall/dscp.xml.i> + #include <include/firewall/packet-length.xml.i> + #include <include/firewall/ttl.xml.i> </children> </tagNode> </children> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index e794c4b90..6c60276d5 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -1118,67 +1118,120 @@ <valueless/> </properties> </leafNode> - <node name="comm-list"> + <node name="community"> <properties> - <help>BGP communities matching a community-list</help> + <help>BGP community attribute</help> </properties> <children> - <leafNode name="comm-list"> + <leafNode name="add"> + <properties> + <help>Add communities to a prefix</help> + #include <include/policy/community-value-list.xml.i> + </properties> + </leafNode> + <leafNode name="replace"> + <properties> + <help>Set communities for a prefix</help> + #include <include/policy/community-value-list.xml.i> + </properties> + </leafNode> + #include <include/policy/community-clear.xml.i> + <leafNode name="delete"> <properties> - <help>BGP communities with a community-list</help> + <help>Remove communities defined in a list from a prefix</help> <completionHelp> <path>policy community-list</path> </completionHelp> <valueHelp> + <description>Community-list</description> <format>txt</format> - <description>BGP communities with a community-list</description> </valueHelp> </properties> </leafNode> + </children> + </node> + <node name="large-community"> + <properties> + <help>BGP large community attribute</help> + </properties> + <children> + <leafNode name="add"> + <properties> + <help>Add large communities to a prefix ;</help> + #include <include/policy/large-community-value-list.xml.i> + </properties> + </leafNode> + <leafNode name="replace"> + <properties> + <help>Set large communities for a prefix</help> + #include <include/policy/large-community-value-list.xml.i> + </properties> + </leafNode> + #include <include/policy/community-clear.xml.i> <leafNode name="delete"> <properties> - <help>Delete BGP communities matching the community-list</help> - <valueless/> + <help>Remove communities defined in a list from a prefix</help> + <completionHelp> + <path>policy large-community-list</path> + </completionHelp> + <valueHelp> + <description>Community-list</description> + <format>txt</format> + </valueHelp> </properties> </leafNode> </children> </node> - <leafNode name="community"> + <node name="extcommunity"> <properties> - <help>Border Gateway Protocl (BGP) community attribute</help> - <completionHelp> - <list>local-AS no-advertise no-export internet additive none</list> - </completionHelp> - <valueHelp> - <format><aa:nn></format> - <description>Community number in AA:NN format</description> - </valueHelp> - <valueHelp> - <format>local-AS</format> - <description>Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03</description> - </valueHelp> - <valueHelp> - <format>no-advertise</format> - <description>Well-known communities value NO_ADVERTISE 0xFFFFFF02</description> - </valueHelp> - <valueHelp> - <format>no-export</format> - <description>Well-known communities value NO_EXPORT 0xFFFFFF01</description> - </valueHelp> - <valueHelp> - <format>internet</format> - <description>Well-known communities value 0</description> - </valueHelp> - <valueHelp> - <format>additive</format> - <description>New value is appended to the existing value</description> - </valueHelp> - <valueHelp> - <format>none</format> - <description>No community attribute</description> - </valueHelp> + <help>BGP extended community attribute</help> </properties> - </leafNode> + <children> + <leafNode name="bandwidth"> + <properties> + <help>Bandwidth value in Mbps</help> + <completionHelp> + <list>cumulative num-multipaths</list> + </completionHelp> + <valueHelp> + <format>u32:1-25600</format> + <description>Bandwidth value in Mbps</description> + </valueHelp> + <valueHelp> + <format>cumulative</format> + <description>Cumulative bandwidth of all multipaths (outbound-only)</description> + </valueHelp> + <valueHelp> + <format>num-multipaths</format> + <description>Internally computed bandwidth based on number of multipaths (outbound-only)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-25600"/> + <regex>(cumulative|num-multipaths)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="bandwidth-non-transitive"> + <properties> + <help>The link bandwidth extended community is encoded as non-transitive</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="rt"> + <properties> + <help>Set route target value</help> + #include <include/policy/extended-community-value-list.xml.i> + </properties> + </leafNode> + <leafNode name="soo"> + <properties> + <help>Set Site of Origin value</help> + #include <include/policy/extended-community-value-list.xml.i> + </properties> + </leafNode> + #include <include/policy/community-clear.xml.i> + </children> + </node> <leafNode name="distance"> <properties> <help>Locally significant administrative distance</help> @@ -1229,71 +1282,6 @@ </node> </children> </node> - <node name="extcommunity"> - <properties> - <help>BGP extended community attribute</help> - </properties> - <children> - <leafNode name="bandwidth"> - <properties> - <help>Bandwidth value in Mbps</help> - <completionHelp> - <list>cumulative num-multipaths</list> - </completionHelp> - <valueHelp> - <format>u32:1-25600</format> - <description>Bandwidth value in Mbps</description> - </valueHelp> - <valueHelp> - <format>cumulative</format> - <description>Cumulative bandwidth of all multipaths (outbound-only)</description> - </valueHelp> - <valueHelp> - <format>num-multipaths</format> - <description>Internally computed bandwidth based on number of multipaths (outbound-only)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-25600"/> - <regex>(cumulative|num-multipaths)</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="rt"> - <properties> - <help>Set route target value</help> - <valueHelp> - <format>ASN:NN</format> - <description>based on autonomous system number</description> - </valueHelp> - <valueHelp> - <format>IP:NN</format> - <description>Based on a router-id IP address</description> - </valueHelp> - <constraint> - <regex>(((\b(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))\b)|(\d+)):(\d+) ?)+</regex> - </constraint> - <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> - </properties> - </leafNode> - <leafNode name="soo"> - <properties> - <help>Set Site of Origin value</help> - <valueHelp> - <format>ASN:NN</format> - <description>based on autonomous system number</description> - </valueHelp> - <valueHelp> - <format>IP:NN</format> - <description>Based on a router-id IP address</description> - </valueHelp> - <constraint> - <regex>((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+</regex> - </constraint> - <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> - </properties> - </leafNode> - </children> - </node> <leafNode name="ip-next-hop"> <properties> <help>Nexthop IP address</help> @@ -1368,30 +1356,6 @@ </leafNode> </children> </node> - <leafNode name="large-community"> - <properties> - <help>Set BGP large community value</help> - <valueHelp> - <format>txt</format> - <description>ASN:nn:mm BGP large community</description> - </valueHelp> - <completionHelp> - <path>policy large-community-list</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="large-comm-list-delete"> - <properties> - <help>Delete BGP communities matching the large community-list</help> - <completionHelp> - <path>policy large-community-list</path> - </completionHelp> - <valueHelp> - <format>txt</format> - <description>BGP large community-list</description> - </valueHelp> - </properties> - </leafNode> <leafNode name="local-preference"> <properties> <help>BGP local preference attribute</help> diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in index e8f575a1e..e2dbcbeef 100644 --- a/interface-definitions/qos.xml.in +++ b/interface-definitions/qos.xml.in @@ -188,6 +188,7 @@ #include <include/qos/burst.xml.i> #include <include/generic-description.xml.i> #include <include/qos/match.xml.i> + #include <include/qos/limiter-actions.xml.i> <leafNode name="priority"> <properties> <help>Priority for rule evaluation</help> @@ -211,6 +212,7 @@ <children> #include <include/qos/bandwidth.xml.i> #include <include/qos/burst.xml.i> + #include <include/qos/limiter-actions.xml.i> </children> </node> #include <include/generic-description.xml.i> diff --git a/interface-definitions/service-console-server.xml.in b/interface-definitions/service-console-server.xml.in index e9591ad87..fb71538dd 100644 --- a/interface-definitions/service-console-server.xml.in +++ b/interface-definitions/service-console-server.xml.in @@ -28,6 +28,14 @@ </properties> <children> #include <include/interface/description.xml.i> + <leafNode name="alias"> + <properties> + <help>Human-readable name for this console</help> + <constraint> + <regex>[-_a-zA-Z0-9.]{1,128}</regex> + </constraint> + </properties> + </leafNode> <leafNode name="speed"> <properties> <help>Serial port baud rate</help> diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in index 86fc4dffa..a661b845d 100644 --- a/interface-definitions/service-ids-ddos-protection.xml.in +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -107,42 +107,38 @@ <help>Attack limits thresholds</help> </properties> <children> - <leafNode name="fps"> + <node name="general"> <properties> - <help>Flows per second</help> - <valueHelp> - <format>u32:0-4294967294</format> - <description>Flows per second</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-4294967294"/> - </constraint> + <help>General threshold</help> </properties> - </leafNode> - <leafNode name="mbps"> + <children> + #include <include/ids/threshold.xml.i> + </children> + </node> + <node name="tcp"> <properties> - <help>Megabits per second</help> - <valueHelp> - <format>u32:0-4294967294</format> - <description>Megabits per second</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-4294967294"/> - </constraint> + <help>TCP threshold</help> </properties> - </leafNode> - <leafNode name="pps"> + <children> + #include <include/ids/threshold.xml.i> + </children> + </node> + <node name="udp"> <properties> - <help>Packets per second</help> - <valueHelp> - <format>u32:0-4294967294</format> - <description>Packets per second</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-4294967294"/> - </constraint> + <help>UDP threshold</help> </properties> - </leafNode> + <children> + #include <include/ids/threshold.xml.i> + </children> + </node> + <node name="icmp"> + <properties> + <help>ICMP threshold</help> + </properties> + <children> + #include <include/ids/threshold.xml.i> + </children> + </node> </children> </node> </children> diff --git a/interface-definitions/service-ipoe-server.xml.in b/interface-definitions/service-ipoe-server.xml.in index cd3aa3638..ef8569437 100644 --- a/interface-definitions/service-ipoe-server.xml.in +++ b/interface-definitions/service-ipoe-server.xml.in @@ -10,30 +10,31 @@ <children> <tagNode name="interface"> <properties> - <help>Network interface to server IPoE</help> + <help>Interface to listen dhcp or unclassified packets</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> </properties> <children> - <leafNode name="network-mode"> + <leafNode name="mode"> <properties> - <help>Network Layer IPoE serves on</help> + <help>Client connectivity mode</help> <completionHelp> - <list>L2 L3</list> + <list>l2 l3</list> </completionHelp> - <constraint> - <regex>(L2|L3)</regex> - </constraint> <valueHelp> - <format>L2</format> - <description>client share the same subnet</description> + <format>l2</format> + <description>Client located on same interface as server</description> </valueHelp> <valueHelp> - <format>L3</format> - <description>clients are behind this router</description> + <format>l3</format> + <description>Client located behind a router</description> </valueHelp> + <constraint> + <regex>(l2|l3)</regex> + </constraint> </properties> + <defaultValue>l2</defaultValue> </leafNode> <leafNode name="network"> <properties> @@ -53,6 +54,7 @@ <description>One VLAN per client</description> </valueHelp> </properties> + <defaultValue>shared</defaultValue> </leafNode> <leafNode name="client-subnet"> <properties> @@ -85,30 +87,19 @@ </leafNode> <leafNode name="giaddr"> <properties> - <help>address of the relay agent (Relay Agent IP Address)</help> + <help>Relay Agent IPv4 Address</help> + <valueHelp> + <format>ipv4</format> + <description>Gateway IP address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> </properties> </leafNode> </children> </node> - <leafNode name="vlan-id"> - <properties> - <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help> - <constraint> - <validator name="numeric" argument="--range 1-4096"/> - </constraint> - <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="vlan-range"> - <properties> - <help>VLAN monitor for the automatic creation of vlans (user per vlan)</help> - <constraint> - <regex>(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})</regex> - </constraint> - <multi/> - </properties> - </leafNode> + #include <include/accel-ppp/vlan.xml.i> </children> </tagNode> #include <include/name-server-ipv4-ipv6.xml.i> @@ -120,6 +111,13 @@ <tagNode name="name"> <properties> <help>Pool name</help> + <valueHelp> + <format>txt</format> + <description>Name of IP pool</description> + </valueHelp> + <constraint> + <regex>[-_a-zA-Z0-9.]+</regex> + </constraint> </properties> <children> #include <include/accel-ppp/gateway-address.xml.i> @@ -159,15 +157,15 @@ </leafNode> <tagNode name="interface"> <properties> - <help>Network interface the client mac will appear on</help> + <help>Network interface for client MAC addresses</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> </properties> <children> - <tagNode name="mac-address"> + <tagNode name="mac"> <properties> - <help>Client mac address allowed to receive an IP address</help> + <help>Media Access Control (MAC) address</help> <valueHelp> <format>macaddr</format> <description>Hardware (MAC) address</description> @@ -200,13 +198,17 @@ </leafNode> </children> </node> - <leafNode name="vlan-id"> + <leafNode name="vlan"> <properties> - <help>VLAN-ID of the client network</help> + <help>VLAN monitor for automatic creation of VLAN interfaces</help> + <valueHelp> + <format>u32:1-4094</format> + <description>Client VLAN id</description> + </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-4096"/> + <validator name="numeric" argument="--range 1-4094"/> </constraint> - <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage> + <constraintErrorMessage>VLAN IDs need to be in range 1-4094</constraintErrorMessage> </properties> </leafNode> </children> diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in index 68215dba4..47f943d83 100644 --- a/interface-definitions/service-monitoring-telegraf.xml.in +++ b/interface-definitions/service-monitoring-telegraf.xml.in @@ -228,7 +228,7 @@ </constraint> </properties> </leafNode> - #include <include/listen-address.xml.i> + #include <include/listen-address-single.xml.i> <leafNode name="metric-version"> <properties> <help>Metric version control mapping from Telegraf to Prometheus format</help> diff --git a/interface-definitions/service-pppoe-server.xml.in b/interface-definitions/service-pppoe-server.xml.in index 50f42849b..b31109296 100644 --- a/interface-definitions/service-pppoe-server.xml.in +++ b/interface-definitions/service-pppoe-server.xml.in @@ -68,33 +68,7 @@ </completionHelp> </properties> <children> - <leafNode name="vlan-id"> - <properties> - <help>VLAN monitor for the automatic creation of single vlan</help> - <valueHelp> - <format>u32:1-4094</format> - <description>VLAN monitor for the automatic creation of single vlan</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-4094"/> - </constraint> - <constraintErrorMessage>VLAN ID needs to be between 1 and 4094</constraintErrorMessage> - <multi/> - </properties> - </leafNode> - <leafNode name="vlan-range"> - <properties> - <help>VLAN monitor for the automatic creation of vlans range</help> - <valueHelp> - <format>start-end</format> - <description>VLAN monitor range for the automatic creation of vlans (e.g. 1-4094)</description> - </valueHelp> - <constraint> - <validator name="range" argument="--min=1 --max=4094"/> - </constraint> - <multi/> - </properties> - </leafNode> + #include <include/accel-ppp/vlan.xml.i> </children> </tagNode> #include <include/accel-ppp/gateway-address.xml.i> diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 126183162..f3c731fe5 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -206,6 +206,37 @@ </properties> <defaultValue>22</defaultValue> </leafNode> + <node name="rekey"> + <properties> + <help>SSH session rekey limit</help> + </properties> + <children> + <leafNode name="data"> + <properties> + <help>Threshold data in megabytes</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Megabytes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + <leafNode name="time"> + <properties> + <help>Threshold time in minutes</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Minutes</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + </properties> + </leafNode> + </children> + </node> <leafNode name="client-keepalive-interval"> <properties> <help>Enable transmission of keepalives from server to client</help> diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in index 14f12b569..5810a97c6 100644 --- a/interface-definitions/system-conntrack.xml.in +++ b/interface-definitions/system-conntrack.xml.in @@ -259,13 +259,13 @@ </leafNode> <leafNode name="max-retrans"> <properties> - <help>TCP maximum retransmit attempts</help> + <help>Maximum number of packets that can be retransmitted without received an ACK</help> <valueHelp> - <format>u32:1-2147483647</format> - <description>Generic connection timeout in seconds</description> + <format>u32:1-255</format> + <description>Number of packets to be retransmitted</description> </valueHelp> <constraint> - <validator name="numeric" argument="--range 1-2147483647"/> + <validator name="numeric" argument="--range 1-255"/> </constraint> </properties> <defaultValue>3</defaultValue> diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index 79c7c4791..7dd045e6c 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -227,6 +227,19 @@ #include <include/interface/vrf.xml.i> </children> </node> + <leafNode name="timeout"> + <properties> + <help>Session timeout</help> + <valueHelp> + <format>u32:5-604800</format> + <description>Session timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-604800"/> + </constraint> + <constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage> + </properties> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index 8cd25799b..a9fed81fe 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -36,7 +36,7 @@ <properties> <help>System keyboard layout, type ISO2</help> <completionHelp> - <list>us fr de fi no dk dvorak</list> + <list>us fr de es fi jp106 no dk dvorak</list> </completionHelp> <valueHelp> <format>us</format> @@ -51,10 +51,18 @@ <description>Germany</description> </valueHelp> <valueHelp> + <format>es</format> + <description>Spain</description> + </valueHelp> + <valueHelp> <format>fi</format> <description>Finland</description> </valueHelp> <valueHelp> + <format>jp106</format> + <description>Japan</description> + </valueHelp> + <valueHelp> <format>no</format> <description>Norway</description> </valueHelp> @@ -66,6 +74,10 @@ <format>dvorak</format> <description>Dvorak</description> </valueHelp> + <constraint> + <regex>(us|fr|de|es|fi|jp106|no|dk|dvorak)</regex> + </constraint> + <constraintErrorMessage>Invalid keyboard layout</constraintErrorMessage> </properties> <defaultValue>us</defaultValue> </leafNode> diff --git a/interface-definitions/system-update-check.xml.in b/interface-definitions/system-update-check.xml.in new file mode 100644 index 000000000..e4d7041ec --- /dev/null +++ b/interface-definitions/system-update-check.xml.in @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<interfaceDefinition> + <node name="system"> + <children> + <node name="update-check" owner="${vyos_conf_scripts_dir}/system_update_check.py"> + <properties> + <help>Check available update images</help> + <priority>9999</priority> + </properties> + <children> + <leafNode name="auto-check"> + <properties> + <help>Enable auto check for new images</help> + <valueless/> + </properties> + </leafNode> + #include <include/url.xml.i> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in index d36fbb024..4776c53dc 100644 --- a/interface-definitions/vpn-ipsec.xml.in +++ b/interface-definitions/vpn-ipsec.xml.in @@ -24,23 +24,9 @@ <children> <leafNode name="compression"> <properties> - <help>ESP compression</help> - <completionHelp> - <list>disable enable</list> - </completionHelp> - <valueHelp> - <format>disable</format> - <description>Disable ESP compression</description> - </valueHelp> - <valueHelp> - <format>enable</format> - <description>Enable ESP compression</description> - </valueHelp> - <constraint> - <regex>(disable|enable)</regex> - </constraint> + <help>Enable ESP compression</help> + <valueless/> </properties> - <defaultValue>disable</defaultValue> </leafNode> <leafNode name="lifetime"> <properties> @@ -309,20 +295,7 @@ <leafNode name="ikev2-reauth"> <properties> <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help> - <completionHelp> - <list>yes no</list> - </completionHelp> - <valueHelp> - <format>yes</format> - <description>Enable remote host re-authentication during an IKE rekey (currently broken due to a strongswan bug)</description> - </valueHelp> - <valueHelp> - <format>no</format> - <description>Disable remote host re-authenticaton during an IKE rekey</description> - </valueHelp> - <constraint> - <regex>(yes|no)</regex> - </constraint> + <valueless/> </properties> </leafNode> <leafNode name="key-exchange"> @@ -357,25 +330,11 @@ </properties> <defaultValue>28800</defaultValue> </leafNode> - <leafNode name="mobike"> + <leafNode name="disable-mobike"> <properties> - <help>Enable MOBIKE Support (IKEv2 only)</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable MOBIKE</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable MOBIKE</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> + <help>Disable MOBIKE Support (IKEv2 only)</help> + <valueless/> </properties> - <defaultValue>enable</defaultValue> </leafNode> <leafNode name="mode"> <properties> @@ -664,6 +623,14 @@ <tagNode name="profile"> <properties> <help>VPN IPsec profile</help> + <valueHelp> + <format>txt</format> + <description>Profile name</description> + </valueHelp> + <constraint> + <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex> + </constraint> + <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage> </properties> <children> #include <include/generic-disable-node.xml.i> @@ -719,6 +686,14 @@ <tagNode name="connection"> <properties> <help>IKEv2 VPN connection name</help> + <valueHelp> + <format>txt</format> + <description>Connection name</description> + </valueHelp> + <constraint> + <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex> + </constraint> + <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage> </properties> <children> <node name="authentication"> @@ -929,23 +904,15 @@ <children> <tagNode name="peer"> <properties> - <help>VPN peer</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of the peer</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>IPv6 address of the peer</description> - </valueHelp> + <help>Connection name of the peer</help> <valueHelp> <format>txt</format> - <description>Hostname of the peer</description> - </valueHelp> - <valueHelp> - <format><@text></format> - <description>ID of the peer</description> + <description>Connection name of the peer</description> </valueHelp> + <constraint> + <regex>[-_a-zA-Z0-9|@]+</regex> + </constraint> + <constraintErrorMessage>Peer connection name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage> </properties> <children> #include <include/generic-disable-node.xml.i> @@ -1031,23 +998,10 @@ </leafNode> #include <include/generic-description.xml.i> #include <include/dhcp-interface.xml.i> - <leafNode name="force-encapsulation"> + <leafNode name="force-udp-encapsulation"> <properties> - <help>Force UDP Encapsulation for ESP payloads</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Force UDP encapsulation</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Do not force UDP encapsulation</description> - </valueHelp> - <constraint> - <regex>(enable|disable)</regex> - </constraint> + <help>Force UDP encapsulation</help> + <valueless/> </properties> </leafNode> #include <include/ipsec/ike-group.xml.i> @@ -1075,6 +1029,7 @@ </properties> </leafNode> #include <include/ipsec/local-address.xml.i> + #include <include/ipsec/remote-address.xml.i> <tagNode name="tunnel"> <properties> <help>Peer tunnel</help> diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in index fd70a76dc..cb5900e0d 100644 --- a/interface-definitions/vpn-l2tp.xml.in +++ b/interface-definitions/vpn-l2tp.xml.in @@ -238,29 +238,7 @@ </leafNode> </children> </node> - <node name="rate-limit"> - <properties> - <help>Upload/Download speed limits</help> - </properties> - <children> - <leafNode name="attribute"> - <properties> - <help>Specifies which radius attribute contains rate information</help> - </properties> - </leafNode> - <leafNode name="vendor"> - <properties> - <help>Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius)</help> - </properties> - </leafNode> - <leafNode name="enable"> - <properties> - <help>Enables Bandwidth shaping via RADIUS</help> - <valueless /> - </properties> - </leafNode> - </children> - </node> + #include <include/accel-ppp/radius-additions-rate-limit.xml.i> </children> </node> </children> diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in index 6309863c5..3b3a83bd4 100644 --- a/interface-definitions/vpn-openconnect.xml.in +++ b/interface-definitions/vpn-openconnect.xml.in @@ -50,6 +50,16 @@ </leafNode> </children> </node> + <leafNode name="group"> + <properties> + <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help> + <valueHelp> + <format>txt</format> + <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description> + </valueHelp> + <multi/> + </properties> + </leafNode> #include <include/auth-local-users.xml.i> <node name="local-users"> <children> @@ -144,10 +154,19 @@ </properties> <defaultValue>2</defaultValue> </leafNode> + <leafNode name="groupconfig"> + <properties> + <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help> + </properties> + </leafNode> </children> </node> </children> </node> + #include <include/listen-address-ipv4.xml.i> + <leafNode name="listen-address"> + <defaultValue>0.0.0.0</defaultValue> + </leafNode> <node name="listen-ports"> <properties> <help>Specify custom ports to use for client connections</help> @@ -278,6 +297,26 @@ <multi/> </properties> </leafNode> + <leafNode name="tunnel-all-dns"> + <properties> + <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help> + <completionHelp> + <list>yes no</list> + </completionHelp> + <valueHelp> + <format>yes</format> + <description>Enable tunneling of all DNS traffic</description> + </valueHelp> + <valueHelp> + <format>no</format> + <description>Disable tunneling of all DNS traffic</description> + </valueHelp> + <constraint> + <regex>(yes|no)</regex> + </constraint> + </properties> + <defaultValue>no</defaultValue> + </leafNode> </children> </node> </children> diff --git a/interface-definitions/vpn-pptp.xml.in b/interface-definitions/vpn-pptp.xml.in index 28a53acb9..5e52965fd 100644 --- a/interface-definitions/vpn-pptp.xml.in +++ b/interface-definitions/vpn-pptp.xml.in @@ -110,6 +110,7 @@ </node> #include <include/radius-server-ipv4.xml.i> #include <include/accel-ppp/radius-additions.xml.i> + #include <include/accel-ppp/radius-additions-rate-limit.xml.i> </children> </node> </children> diff --git a/interface-definitions/xml-component-version.xml.in b/interface-definitions/xml-component-version.xml.in index cf86f83d6..914e3bc69 100644 --- a/interface-definitions/xml-component-version.xml.in +++ b/interface-definitions/xml-component-version.xml.in @@ -14,6 +14,7 @@ #include <include/version/flow-accounting-version.xml.i> #include <include/version/https-version.xml.i> #include <include/version/interfaces-version.xml.i> + #include <include/version/ids-version.xml.i> #include <include/version/ipoe-server-version.xml.i> #include <include/version/ipsec-version.xml.i> #include <include/version/isis-version.xml.i> diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in deleted file mode 100644 index dc3408c3d..000000000 --- a/interface-definitions/zone-policy.xml.in +++ /dev/null @@ -1,148 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="zone-policy" owner="${vyos_conf_scripts_dir}/zone_policy.py"> - <properties> - <help>Configure zone-policy</help> - <priority>250</priority> - </properties> - <children> - <tagNode name="zone"> - <properties> - <help>Zone name</help> - <valueHelp> - <format>txt</format> - <description>Zone name</description> - </valueHelp> - <constraint> - <regex>[a-zA-Z0-9][\w\-\.]*</regex> - </constraint> - </properties> - <children> - #include <include/generic-description.xml.i> - #include <include/firewall/enable-default-log.xml.i> - <leafNode name="default-action"> - <properties> - <help>Default-action for traffic coming into this zone</help> - <completionHelp> - <list>drop reject</list> - </completionHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <valueHelp> - <format>reject</format> - <description>Drop and notify source</description> - </valueHelp> - <constraint> - <regex>(drop|reject)</regex> - </constraint> - </properties> - <defaultValue>drop</defaultValue> - </leafNode> - <tagNode name="from"> - <properties> - <help>Zone from which to filter traffic</help> - <completionHelp> - <path>zone-policy zone</path> - </completionHelp> - </properties> - <children> - <node name="firewall"> - <properties> - <help>Firewall options</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </tagNode> - <leafNode name="interface"> - <properties> - <help>Interface associated with zone</help> - <valueHelp> - <format>txt</format> - <description>Interface associated with zone</description> - </valueHelp> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <multi/> - </properties> - </leafNode> - <node name="intra-zone-filtering"> - <properties> - <help>Intra-zone filtering</help> - </properties> - <children> - <leafNode name="action"> - <properties> - <help>Action for intra-zone traffic</help> - <completionHelp> - <list>accept drop</list> - </completionHelp> - <valueHelp> - <format>accept</format> - <description>Accept traffic</description> - </valueHelp> - <valueHelp> - <format>drop</format> - <description>Drop silently</description> - </valueHelp> - <constraint> - <regex>(accept|drop)</regex> - </constraint> - </properties> - </leafNode> - <node name="firewall"> - <properties> - <help>Use the specified firewall chain</help> - </properties> - <children> - <leafNode name="ipv6-name"> - <properties> - <help>IPv6 firewall ruleset</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="name"> - <properties> - <help>IPv4 firewall ruleset</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> - <leafNode name="local-zone"> - <properties> - <help>Zone to be local-zone</help> - <valueless/> - </properties> - </leafNode> - </children> - </tagNode> - </children> - </node> -</interfaceDefinition> |