Diffstat (limited to 'interface-definitions')
57 files changed, 620 insertions, 585 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 2e9452dfd..d39dddc77 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -314,6 +314,40 @@ </tagNode> </children> </node> + <tagNode name="interface"> + <properties> + <help>Interface name</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + <children> + <node name="in"> + <properties> + <help>Forwarded packets on inbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="out"> + <properties> + <help>Forwarded packets on outbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="local"> + <properties> + <help>Packets destined for this router</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + </children> + </tagNode> <leafNode name="ip-src-route"> <properties> <help>Policy for handling IPv4 packets with source route option</help> @@ -342,8 +376,8 @@ </constraint> </properties> <children> - #include <include/firewall/name-default-action.xml.i> - #include <include/firewall/name-default-log.xml.i> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> 
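Review bot: The new `interface` tagNode in the firewall.xml.in hunk (@@ -314) has a completionHelp script but no `<constraint>`, so any string is accepted as the tag value and a mistyped interface name silently creates a rule-set binding that never attaches to a real interface, with no error at commit time; the per-interface include nodes this commit deletes could not be mistyped that way because they hung off the real interface node. Add a constraint on the tag value, for instance `<validator name="interface-name"/>` if that validator exists in this tree. The `in`, `out` and `local` children all pull the same name.xml.i, whose help strings read `Local IPv4 firewall ruleset name for interface`, so the inbound and outbound branches will now show "Local" help where the deleted vif includes said "Inbound"/"Outbound"; a direction-neutral wording in name.xml.i such as `<help>IPv4 firewall ruleset name</help>` fixes all three at once. The enclosing children/node scope of this tagNode starts outside the hunk.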
@@ -383,49 +417,9 @@ </children> </node> #include <include/firewall/common-rule.xml.i> - <node name="hop-limit"> - <properties> - <help>Hop Limit</help> - </properties> - <children> - <leafNode name="eq"> - <properties> - <help>Value to match a hop limit equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>Hop limit equal to value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="gt"> - <properties> - <help>Value to match a hop limit greater than or equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>Hop limit greater than value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="lt"> - <properties> - <help>Value to match a hop limit less than or equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>Hop limit less than value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - </children> - </node> + #include <include/firewall/dscp.xml.i> + #include <include/firewall/packet-length.xml.i> + #include <include/firewall/hop-limit.xml.i> <node name="icmpv6"> <properties> <help>ICMPv6 type and code information</help> @@ -433,7 +427,7 @@ <children> <leafNode name="code"> <properties> - <help>ICMPv6 code (0-255)</help> + <help>ICMPv6 code</help> <valueHelp> <format>u32:0-255</format> <description>ICMPv6 code (0-255)</description> @@ -445,7 +439,7 @@ </leafNode> <leafNode name="type"> <properties> - <help>ICMPv6 type (0-255)</help> + <help>ICMPv6 type</help> <valueHelp> <format>u32:0-255</format> <description>ICMPv6 type (0-255)</description> 
@@ -530,8 +524,8 @@ </constraint> </properties> <children> - #include <include/firewall/name-default-action.xml.i> - #include <include/firewall/name-default-log.xml.i> + #include <include/firewall/default-action.xml.i> + #include <include/firewall/enable-default-log.xml.i> #include <include/generic-description.xml.i> <tagNode name="rule"> <properties> @@ -571,6 +565,8 @@ </children> </node> #include <include/firewall/common-rule.xml.i> + #include <include/firewall/dscp.xml.i> + #include <include/firewall/packet-length.xml.i> <node name="icmp"> <properties> <help>ICMP type and code information</help> @@ -578,7 +574,7 @@ <children> <leafNode name="code"> <properties> - <help>ICMP code (0-255)</help> + <help>ICMP code</help> <valueHelp> <format>u32:0-255</format> <description>ICMP code (0-255)</description> @@ -590,7 +586,7 @@ </leafNode> <leafNode name="type"> <properties> - <help>ICMP type (0-255)</help> + <help>ICMP type</help> <valueHelp> <format>u32:0-255</format> <description>ICMP type (0-255)</description> 
@@ -603,49 +599,7 @@ #include <include/firewall/icmp-type-name.xml.i> </children> </node> - <node name="ttl"> - <properties> - <help>Time to live limit</help> - </properties> - <children> - <leafNode name="eq"> - <properties> - <help>Value to match a ttl equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>ttl equal to value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="gt"> - <properties> - <help>Value to match a ttl greater than or equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>ttl greater than value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - <leafNode name="lt"> - <properties> - <help>Value to match a ttl less than or equal to it</help> - <valueHelp> - <format>u32:0-255</format> - <description>ttl less than value</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-255"/> - </constraint> - </properties> - </leafNode> - </children> - </node> + #include <include/firewall/ttl.xml.i> </children> </tagNode> </children> 
@@ -788,6 +742,143 @@ </properties> <defaultValue>disable</defaultValue> </leafNode> + <tagNode name="zone"> + <properties> + <help>Zone-policy</help> + <valueHelp> + <format>txt</format> + <description>Zone name</description> + </valueHelp> + <constraint> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> + </constraint> + </properties> + <children> + #include <include/generic-description.xml.i> + #include <include/firewall/enable-default-log.xml.i> + <leafNode name="default-action"> + <properties> + <help>Default-action for traffic coming into this zone</help> + <completionHelp> + <list>drop reject</list> + </completionHelp> + <valueHelp> + <format>drop</format> + <description>Drop silently</description> + </valueHelp> + <valueHelp> + <format>reject</format> + <description>Drop and notify source</description> + </valueHelp> + <constraint> + <regex>(drop|reject)</regex> + </constraint> + </properties> + <defaultValue>drop</defaultValue> + </leafNode> + <tagNode name="from"> + <properties> + <help>Zone from which to filter traffic</help> + <completionHelp> + <path>zone-policy zone</path> + </completionHelp> + </properties> + <children> + <node name="firewall"> + <properties> + <help>Firewall options</help> + </properties> + <children> + <leafNode name="ipv6-name"> + <properties> + <help>IPv6 firewall ruleset</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="name"> + <properties> + <help>IPv4 firewall ruleset</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </tagNode> + <leafNode name="interface"> + <properties> + <help>Interface associated with zone</help> + <valueHelp> + <format>txt</format> + <description>Interface associated with zone</description> + </valueHelp> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + <multi/> + </properties> + </leafNode> + 
<node name="intra-zone-filtering"> + <properties> + <help>Intra-zone filtering</help> + </properties> + <children> + <leafNode name="action"> + <properties> + <help>Action for intra-zone traffic</help> + <completionHelp> + <list>accept drop</list> + </completionHelp> + <valueHelp> + <format>accept</format> + <description>Accept traffic</description> + </valueHelp> + <valueHelp> + <format>drop</format> + <description>Drop silently</description> + </valueHelp> + <constraint> + <regex>(accept|drop)</regex> + </constraint> + </properties> + </leafNode> + <node name="firewall"> + <properties> + <help>Use the specified firewall chain</help> + </properties> + <children> + <leafNode name="ipv6-name"> + <properties> + <help>IPv6 firewall ruleset</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> + </leafNode> + <leafNode name="name"> + <properties> + <help>IPv4 firewall ruleset</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> + </leafNode> + </children> + </node> + </children> + </node> + <leafNode name="local-zone"> + <properties> + <help>Zone to be local-zone</help> + <valueless/> + </properties> + </leafNode> + </children> + </tagNode> </children> </node> </interfaceDefinition> diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i index 441c9dda5..15ff5165f 100644 --- a/interface-definitions/include/accel-ppp/radius-additions.xml.i +++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i 
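Review bot: In the new `zone` tagNode the `from` tagNode's completionHelp points at `<path>zone-policy zone</path>`, but this commit defines zones under `firewall zone`, so tab completion will offer nothing (or stale zone-policy entries) for the new location; change it to `<path>firewall zone</path>`. `from` also carries no `<constraint>`, so any string is accepted as a peer zone name and a typo creates a from-entry that never matches; reusing the zone tagNode's own regex `[a-zA-Z0-9][\w\-\.]*` keeps both names in the same syntax, and whether an undefined zone is rejected presumably happens in a verify step outside this file. The `interface` leaf likewise has completion but no constraint. The hunk's enclosing children/node scope starts outside the hunk.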
@@ -89,18 +89,7 @@ <defaultValue>3</defaultValue> </leafNode> #include <include/radius-nas-identifier.xml.i> - <leafNode name="nas-ip-address"> - <properties> - <help>NAS-IP-Address attribute sent to RADIUS</help> - <constraint> - <validator name="ipv4-address"/> - </constraint> - <valueHelp> - <format>ipv4</format> - <description>NAS-IP-Address attribute</description> - </valueHelp> - </properties> - </leafNode> + #include <include/radius-nas-ip-address.xml.i> <leafNode name="preallocate-vif"> <properties> <help>Enable attribute NAS-Port-Id in Access-Request</help> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index d2bcea62a..70176144d 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1135,6 +1135,19 @@ </leafNode> </children> </node> + <node name="peer-type"> + <properties> + <help>Peer type</help> + </properties> + <children> + <leafNode name="multipath-relax"> + <properties> + <help>Allow load sharing across routes learned from different peer types</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> </children> </node> <leafNode name="cluster-id"> diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i index 512b0296f..92a2fcaaf 100644 --- a/interface-definitions/include/firewall/name-default-action.xml.i +++ b/interface-definitions/include/firewall/default-action.xml.i @@ -1,4 +1,4 @@ -<!-- include start from firewall/name-default-action.xml.i --> +<!-- include start from firewall/default-action.xml.i --> <leafNode name="default-action"> <properties> <help>Default-action for rule-set</help> @@ -21,5 +21,6 @@ <regex>(drop|reject|accept)</regex> </constraint> </properties> + <defaultValue>drop</defaultValue> </leafNode> <!-- include end --> 
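Review bot: Adding `<defaultValue>drop</defaultValue>` to default-action.xml.i (hunk @@ -21) changes what an existing rule-set without an explicit default-action does: before this commit the node had no default, so whatever the backend applied to an unset value (presumably accept) now becomes drop on every rule-set that omitted it. Failing closed is the right default for new rule-sets, but the syntaxVersion bump to 8 in this commit suggests a migrator exists, and it should be confirmed that it writes an explicit `default-action accept` into existing rule-sets, otherwise the first commit after upgrade can cut management access. The help text should also state the new default, e.g. `<help>Default-action for rule-set (drop if unset)</help>`.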
diff --git a/interface-definitions/include/firewall/dscp.xml.i b/interface-definitions/include/firewall/dscp.xml.i new file mode 100644 index 000000000..796bab548 --- /dev/null +++ b/interface-definitions/include/firewall/dscp.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/dscp.xml.i --> +<leafNode name="dscp"> + <properties> + <help>DSCP value</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP value to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>DSCP range to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-63"/> + </constraint> + <multi/> + </properties> +</leafNode> +<leafNode name="dscp-exclude"> + <properties> + <help>DSCP value not to match</help> + <valueHelp> + <format>u32:0-63</format> + <description>DSCP value not to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>DSCP range not to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-63"/> + </constraint> + <multi/> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/enable-default-log.xml.i b/interface-definitions/include/firewall/enable-default-log.xml.i new file mode 100644 index 000000000..0efd8341b --- /dev/null +++ b/interface-definitions/include/firewall/enable-default-log.xml.i @@ -0,0 +1,8 @@ +<!-- include start from firewall/enable-default-log.xml.i --> +<leafNode name="enable-default-log"> + <properties> + <help>Log packets hitting default-action</help> + <valueless/> + </properties> +</leafNode> +<!-- include end -->
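Review bot: Both leafNodes in dscp.xml.i advertise a `<start-end>` valueHelp format but constrain the value with `<validator name="numeric" argument="--range 0-63"/>`, which validates a single number; unless the numeric validator accepts range syntax by default, a user entering `10-20` as the help suggests is rejected at commit, and the same help/constraint mismatch is in packet-length.xml.i and the new `mss` leaf in tcp-flags.xml.i. If the validator has a range-accepting option in this tree (I believe it is `--allow-range`), use it, e.g. `<validator name="numeric" argument="--allow-range --range 0-63"/>`; otherwise drop the range valueHelp so the help and the constraint agree.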
\ No newline at end of file diff --git a/interface-definitions/include/firewall/eq.xml.i b/interface-definitions/include/firewall/eq.xml.i new file mode 100644 index 000000000..e1b4f37a2 --- /dev/null +++ b/interface-definitions/include/firewall/eq.xml.i @@ -0,0 +1,14 @@ +<!-- include start from firewall/eq.xml.i --> +<leafNode name="eq"> + <properties> + <help>Match on equal value</help> + <valueHelp> + <format>u32:0-255</format> + <description>Equal to value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> +</leafNode> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/gt.xml.i b/interface-definitions/include/firewall/gt.xml.i new file mode 100644 index 000000000..c879171ee --- /dev/null +++ b/interface-definitions/include/firewall/gt.xml.i @@ -0,0 +1,14 @@ +<!-- include start from firewall/gt.xml.i --> +<leafNode name="gt"> + <properties> + <help>Match on greater then value</help> + <valueHelp> + <format>u32:0-255</format> + <description>Greater then value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/hop-limit.xml.i b/interface-definitions/include/firewall/hop-limit.xml.i new file mode 100644 index 000000000..d375dc985 --- /dev/null +++ b/interface-definitions/include/firewall/hop-limit.xml.i @@ -0,0 +1,12 @@ +<!-- include start from firewall/hop-limit.xml.i --> +<node name="hop-limit"> + <properties> + <help>Hop limit</help> + </properties> + <children> + #include <include/firewall/eq.xml.i> + #include <include/firewall/gt.xml.i> + #include <include/firewall/lt.xml.i> + </children> +</node> +<!-- include end -->
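Review bot: The help text in gt.xml.i reads `Match on greater then value` and lt.xml.i reads `Match on less then value`; "then" should be "than" in both the help and the description of each file. More importantly, the inline hop-limit and ttl nodes these includes replace documented the match as "greater than or equal to" / "less than or equal to" in their help while their descriptions said strictly greater/less, and the shared includes now commit to the strict wording; confirm which comparison the backend actually applies and state it once, e.g. `<help>Match on value greater than or equal to</help>` if it is inclusive. Because hop-limit.xml.i and ttl.xml.i both pull these includes, fixing the two small files covers every user of them.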
\ No newline at end of file diff --git a/interface-definitions/include/firewall/lt.xml.i b/interface-definitions/include/firewall/lt.xml.i new file mode 100644 index 000000000..77894d3ce --- /dev/null +++ b/interface-definitions/include/firewall/lt.xml.i @@ -0,0 +1,14 @@ +<!-- include start from firewall/lt.xml.i --> +<leafNode name="lt"> + <properties> + <help>Match on less then value</help> + <valueHelp> + <format>u32:0-255</format> + <description>Less then value</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 0-255"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i deleted file mode 100644 index 1d0ff9497..000000000 --- a/interface-definitions/include/firewall/name-default-log.xml.i +++ /dev/null @@ -1,8 +0,0 @@ -<!-- include start from firewall/name-default-log.xml.i --> -<leafNode name="enable-default-log"> - <properties> - <help>Option to log packets hitting default-action</help> - <valueless/> - </properties> -</leafNode> -<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/name.xml.i b/interface-definitions/include/firewall/name.xml.i new file mode 100644 index 000000000..231b9b144 --- /dev/null +++ b/interface-definitions/include/firewall/name.xml.i @@ -0,0 +1,18 @@ +<!-- include start from firewall/name.xml.i --> +<leafNode name="name"> + <properties> + <help>Local IPv4 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> +</leafNode> +<leafNode name="ipv6-name"> + <properties> + <help>Local IPv6 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end from firewall/name.xml.i -->
\ No newline at end of file diff --git a/interface-definitions/include/firewall/packet-length.xml.i b/interface-definitions/include/firewall/packet-length.xml.i new file mode 100644 index 000000000..91f08314a --- /dev/null +++ b/interface-definitions/include/firewall/packet-length.xml.i @@ -0,0 +1,36 @@ +<!-- include start from firewall/packet-length.xml.i --> +<leafNode name="packet-length"> + <properties> + <help>Payload size in bytes, including header and data to match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Packet length to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>Packet length range to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + <multi/> + </properties> +</leafNode> +<leafNode name="packet-length-exclude"> + <properties> + <help>Payload size in bytes, including header and data not to match</help> + <valueHelp> + <format>u32:1-65535</format> + <description>Packet length not to match</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>Packet length range not to match</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65535"/> + </constraint> + <multi/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i index b99896687..fc0da3135 100644 --- a/interface-definitions/include/firewall/tcp-flags.xml.i +++ b/interface-definitions/include/firewall/tcp-flags.xml.i 
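Review bot: name.xml.i closes with `<!-- include end from firewall/name.xml.i -->`, while every other include added or touched in this commit ends with the bare `<!-- include end -->` marker; keep the convention with `<!-- include end -->` so tooling that looks for the marker treats this file like the rest.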
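Review bot: The help in packet-length.xml.i, `Payload size in bytes, including header and data to match`, contradicts itself: a length that includes the header is the packet length, not the payload size, and the same wording is repeated on the exclude leaf. Suggest `<help>Packet length in bytes (header and data) to match</help>` and `<help>Packet length in bytes (header and data) not to match</help>` so the help matches the node name and the valueHelp descriptions.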
@@ -114,6 +114,22 @@ </node> </children> </node> + <leafNode name="mss"> + <properties> + <help>Maximum segment size (MSS)</help> + <valueHelp> + <format>u32:1-16384</format> + <description>Maximum segment size</description> + </valueHelp> + <valueHelp> + <format><min>-<max></format> + <description>TCP MSS range (use '-' as delimiter)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-16384"/> + </constraint> + </properties> + </leafNode> </children> </node> <!-- include end --> diff --git a/interface-definitions/include/firewall/ttl.xml.i b/interface-definitions/include/firewall/ttl.xml.i new file mode 100644 index 000000000..9c782a9a5 --- /dev/null +++ b/interface-definitions/include/firewall/ttl.xml.i @@ -0,0 +1,12 @@ +<!-- include start from firewall/ttl.xml.i --> +<node name="ttl"> + <properties> + <help>Time to live limit</help> + </properties> + <children> + #include <include/firewall/eq.xml.i> + #include <include/firewall/gt.xml.i> + #include <include/firewall/lt.xml.i> + </children> +</node> +<!-- include end -->
\ No newline at end of file diff --git a/interface-definitions/include/inbound-interface.xml.i b/interface-definitions/include/inbound-interface.xml.i new file mode 100644 index 000000000..3289bbf8f --- /dev/null +++ b/interface-definitions/include/inbound-interface.xml.i @@ -0,0 +1,11 @@ +<!-- include start from inbound-interface.xml.i --> +<leafNode name="inbound-interface"> + <properties> + <help>Inbound interface of NAT traffic</help> + <completionHelp> + <list>any</list> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i b/interface-definitions/include/interface/interface-firewall-vif-c.xml.i deleted file mode 100644 index 1bc235fcb..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i +++ /dev/null 
@@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif-c.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../../@).$VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> 
-<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall-vif.xml.i b/interface-definitions/include/interface/interface-firewall-vif.xml.i deleted file mode 100644 index a37ac5c4a..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif.xml.i +++ /dev/null 
@@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> 
diff --git a/interface-definitions/include/interface/interface-firewall.xml.i b/interface-definitions/include/interface/interface-firewall.xml.i deleted file mode 100644 index b3f20c3bf..000000000 --- a/interface-definitions/include/interface/interface-firewall.xml.i +++ /dev/null 
@@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> 
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index c1af9f9e3..916349ade 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="protocol"> <properties> @@ -68,7 +67,6 @@ #include <include/interface/mtu-68-16000.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/interface-firewall-vif-c.xml.i> #include <include/interface/interface-policy-vif-c.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 57ef8d64c..73a8c98ff 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="egress-qos"> <properties> diff --git a/interface-definitions/include/ipv4-address-prefix.xml.i b/interface-definitions/include/ipv4-address-prefix.xml.i new file mode 100644 index 000000000..f5be6f1fe --- /dev/null +++ b/interface-definitions/include/ipv4-address-prefix.xml.i 
@@ -0,0 +1,19 @@ +<!-- include start from ipv4-address-prefix.xml.i --> +<leafNode name="address"> + <properties> + <help>IP address, prefix</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to match</description> + </valueHelp> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 prefix to match</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv4-prefix"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/nat/protocol.xml.i b/interface-definitions/include/nat/protocol.xml.i new file mode 100644 index 000000000..54e7ff00d --- /dev/null +++ b/interface-definitions/include/nat/protocol.xml.i @@ -0,0 +1,34 @@ +<!-- include start from nat/protocol.xml.i --> +<leafNode name="protocol"> + <properties> + <help>Protocol to match (protocol name, number, or "all")</help> + <completionHelp> + <script>${vyos_completion_dir}/list_protocols.sh</script> + <list>all tcp_udp</list> + </completionHelp> + <valueHelp> + <format>all</format> + <description>All IP protocols</description> + </valueHelp> + <valueHelp> + <format>tcp_udp</format> + <description>Both TCP and UDP</description> + </valueHelp> + <valueHelp> + <format>u32:0-255</format> + <description>IP protocol number</description> + </valueHelp> + <valueHelp> + <format><protocol></format> + <description>IP protocol name</description> + </valueHelp> + <valueHelp> + <format>!<protocol></format> + <description>IP protocol name</description> + </valueHelp> + <constraint> + <validator name="ip-protocol"/> + </constraint> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/radius-nas-ip-address.xml.i b/interface-definitions/include/radius-nas-ip-address.xml.i new file mode 100644 index 000000000..8d0a3fd6a --- /dev/null +++ b/interface-definitions/include/radius-nas-ip-address.xml.i 
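Review bot: In nat/protocol.xml.i the `!<protocol>` valueHelp carries the same description as `<protocol>` (`IP protocol name`), so the help never tells the user what the leading `!` does; presumably it negates the match, in which case `<description>All IP protocols except the named one</description>` would be accurate. The top-level help `Protocol to match (protocol name, number, or "all")` also omits the `tcp_udp` and negated forms that the valueHelp entries list, so the two should be brought in line.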
@@ -0,0 +1,14 @@ +<!-- include start from radius-nas-ip-address.xml.i --> +<leafNode name="nas-ip-address"> + <properties> + <help>NAS-IP-Address attribute sent to RADIUS</help> + <constraint> + <validator name="ipv4-address"/> + </constraint> + <valueHelp> + <format>ipv4</format> + <description>NAS-IP-Address attribute</description> + </valueHelp> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index 059a89f24..065925319 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='7'></syntaxVersion> +<syntaxVersion component='firewall' version='8'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 8b6c6ef62..41e4a68a8 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -56,7 +56,6 @@ #include <include/interface/disable.xml.i> #include <include/interface/vrf.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="hash-policy"> <properties> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 48ee1efbc..1e11cd4c6 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in 
@@ -41,7 +41,6 @@
 #include <include/interface/disable.xml.i>
 #include <include/interface/vrf.xml.i>
 #include <include/interface/mtu-68-16000.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="forwarding-delay">
 <properties>
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index 01438de31..fb36741f7 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -19,7 +19,6 @@
 #include <include/interface/address-ipv4-ipv6.xml.i>
 #include <include/interface/description.xml.i>
 #include <include/interface/disable.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <node name="ip">
 <properties>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index c821f04b2..77f130e1c 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -31,7 +31,6 @@
 </leafNode>
 #include <include/interface/disable-link-detect.xml.i>
 #include <include/interface/disable.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="duplex">
 <properties>
@@ -94,6 +93,12 @@
 <valueless/>
 </properties>
 </leafNode>
+ <leafNode name="rfs">
+ <properties>
+ <help>Enable Receive Flow Steering</help>
+ <valueless/>
+ </properties>
+ </leafNode>
 <leafNode name="sg">
 <properties>
 <help>Enable Scatter-Gather</help>
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index 6e8a8fee2..b959c787d 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
@@ -23,7 +23,6 @@
 #include <include/interface/ipv6-options.xml.i>
 #include <include/interface/mac.xml.i>
 #include <include/interface/mtu-1450-16000.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <node name="parameters">
 <properties>
diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in
index 2164bfa4e..d01c760f8 100644
--- a/interface-definitions/interfaces-input.xml.in
+++ b/interface-definitions/interfaces-input.xml.in
@@ -19,7 +19,6 @@
 <children>
 #include <include/interface/description.xml.i>
 #include <include/interface/disable.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 #include <include/interface/redirect.xml.i>
 </children>
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index 6a85064cd..bde68dd5a 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -32,7 +32,6 @@
 <defaultValue>5000</defaultValue>
 </leafNode>
 #include <include/interface/disable.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="encapsulation">
 <properties>
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index adb48813f..5c9f4cd76 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -21,7 +21,6 @@
 #include <include/interface/dhcpv6-options.xml.i>
 #include <include/interface/ipv4-options.xml.i>
 #include <include/interface/ipv6-options.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 #include <include/interface/mirror.xml.i>
 <node name="security">
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 6cbd91ff4..3876e31da 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -34,7 +34,6 @@
 </children>
 </node>
 #include <include/interface/description.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="device-type">
 <properties>
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 9674cfc0e..84f76a7ee 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -19,7 +19,6 @@
 #include <include/pppoe-access-concentrator.xml.i>
 #include <include/interface/authentication.xml.i>
 #include <include/interface/dial-on-demand.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 #include <include/interface/no-default-route.xml.i>
 #include <include/interface/default-route-distance.xml.i>
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index 53e6445fa..4eb9bf111 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -28,7 +28,6 @@
 #include <include/source-interface-ethernet.xml.i>
 #include <include/interface/mac.xml.i>
 #include <include/interface/mirror.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="mode">
 <properties>
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index 98ff878ba..fe49d337a 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -29,7 +29,6 @@
 #include <include/source-address-ipv4-ipv6.xml.i>
 #include <include/interface/tunnel-remote.xml.i>
 #include <include/source-interface.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="6rd-prefix">
 <properties>
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
index aa83a04b2..eeaea0dc3 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -25,7 +25,6 @@
 #include <include/interface/mirror.xml.i>
 #include <include/interface/redirect.xml.i>
 #include <include/interface/vrf.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 </children>
 </tagNode>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index faa3dd5e0..4902ff36d 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -54,7 +54,6 @@
 #include <include/interface/mac.xml.i>
 #include <include/interface/mtu-1200-16000.xml.i>
 #include <include/interface/mirror.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <leafNode name="mtu">
 <defaultValue>1450</defaultValue>
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 4a1b4ac68..23f50d146 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -21,7 +21,6 @@
 #include <include/interface/disable.xml.i>
 #include <include/port-number.xml.i>
 #include <include/interface/mtu-68-16000.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 #include <include/interface/mirror.xml.i>
 <leafNode name="mtu">
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index daee770a9..9e7fc29bc 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -20,7 +20,6 @@
 </properties>
 <children>
 #include <include/interface/address-ipv4-ipv6-dhcp.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 <node name="capabilities">
 <properties>
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
index 3071e6091..b0b8367dc 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -39,7 +39,6 @@
 #include <include/interface/ipv4-options.xml.i>
 #include <include/interface/ipv6-options.xml.i>
 #include <include/interface/dial-on-demand.xml.i>
- #include <include/interface/interface-firewall.xml.i>
 #include <include/interface/interface-policy.xml.i>
 #include <include/interface/redirect.xml.i>
 #include <include/interface/vrf.xml.i>
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 9295b631f..501ff05d3 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -14,15 +14,7 @@
 #include <include/nat-rule.xml.i>
 <tagNode name="rule">
 <children>
- <leafNode name="inbound-interface">
- <properties>
- <help>Inbound interface of NAT traffic</help>
- <completionHelp>
- <list>any</list>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/inbound-interface.xml.i>
 <node name="translation">
 <properties>
 <help>Inside NAT IP (destination NAT only)</help>
@@ -65,6 +57,17 @@
 <children>
 #include <include/nat-rule.xml.i>
 <tagNode name="rule">
+ <properties>
+ <help>Rule number for NAT</help>
+ <valueHelp>
+ <format>u32:1-999999</format>
+ <description>Number of NAT rule</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-999999"/>
+ </constraint>
+ <constraintErrorMessage>NAT rule number must be between 1 and 999999</constraintErrorMessage>
+ </properties>
 <children>
 #include <include/nat-interface.xml.i>
 <node name="translation">
@@ -110,6 +113,38 @@
 </tagNode>
 </children>
 </node>
+ <node name="static">
+ <properties>
+ <help>Static NAT (one-to-one)</help>
+ </properties>
+ <children>
+ <tagNode name="rule">
+ <properties>
+ <help>Rule number for NAT</help>
+ </properties>
+ <children>
+ #include <include/generic-description.xml.i>
+ <node name="destination">
+ <properties>
+ <help>NAT destination parameters</help>
+ </properties>
+ <children>
+ #include <include/ipv4-address-prefix.xml.i>
+ </children>
+ </node>
+ #include <include/inbound-interface.xml.i>
+ <node name="translation">
+ <properties>
+ <help>Translation address or prefix</help>
+ </properties>
+ <children>
+ #include <include/ipv4-address-prefix.xml.i>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </node>
 </children>
 </node>
 </interfaceDefinition>
diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in
index bde1a6f8d..dab4543e0 100644
--- a/interface-definitions/nat66.xml.in
+++ b/interface-definitions/nat66.xml.in
@@ -50,6 +50,7 @@
 </completionHelp>
 </properties>
 </leafNode>
+ #include <include/nat/protocol.xml.i>
 <node name="destination">
 <properties>
 <help>IPv6 destination prefix options</help>
@@ -72,6 +73,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-port.xml.i>
 </children>
 </node>
 <node name="source">
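Review bot: The new `static` NAT `rule` tagNode carries only a `<help>`, while the destination `rule` tagNode in the preceding hunk of this file gains a `u32:1-999999` valueHelp, a `numeric --range 1-999999` validator and a constraintErrorMessage; without the same block the static rule key accepts any string, and whatever orders or numbers rules in the NAT renderer presumably expects an integer. Copy the same properties block onto the static rule node so both rule trees validate identically.
```xml
<tagNode name="rule">
  <properties>
    <help>Rule number for NAT</help>
    <valueHelp>
      <format>u32:1-999999</format>
      <description>Number of NAT rule</description>
    </valueHelp>
    <constraint>
      <validator name="numeric" argument="--range 1-999999"/>
    </constraint>
    <constraintErrorMessage>NAT rule number must be between 1 and 999999</constraintErrorMessage>
  </properties>
  <!-- … unchanged: children (description, destination, inbound-interface, translation) … -->
</tagNode>
```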
@@ -96,6 +98,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-port.xml.i>
 </children>
 </node>
 <node name="translation">
@@ -128,6 +131,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-translation-port.xml.i>
 </children>
 </node>
 </children>
@@ -179,6 +183,7 @@
 </completionHelp>
 </properties>
 </leafNode>
+ #include <include/nat/protocol.xml.i>
 <node name="destination">
 <properties>
 <help>IPv6 destination prefix options</help>
@@ -211,6 +216,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-port.xml.i>
 </children>
 </node>
 <node name="source">
@@ -245,6 +251,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-port.xml.i>
 </children>
 </node>
 <node name="translation">
@@ -269,6 +276,7 @@
 </constraint>
 </properties>
 </leafNode>
+ #include <include/nat-translation-port.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/policy-local-route.xml.in b/interface-definitions/policy-local-route.xml.in
index d969613b1..8619e839e 100644
--- a/interface-definitions/policy-local-route.xml.in
+++ b/interface-definitions/policy-local-route.xml.in
@@ -6,6 +6,7 @@
 <node name="local-route" owner="${vyos_conf_scripts_dir}/policy-local-route.py">
 <properties>
 <help>IPv4 policy route of local traffic</help>
+ <priority>500</priority>
 </properties>
 <children>
 <tagNode name="rule">
@@ -96,6 +97,7 @@
 <node name="local-route6" owner="${vyos_conf_scripts_dir}/policy-local-route.py">
 <properties>
 <help>IPv6 policy route of local traffic</help>
+ <priority>500</priority>
 </properties>
 <children>
 <tagNode name="rule">
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index a10c9b08f..f480f3bd5 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -12,7 +12,7 @@
 </properties>
 <children>
 #include <include/generic-description.xml.i>
- #include <include/firewall/name-default-log.xml.i>
+ #include <include/firewall/enable-default-log.xml.i>
 <tagNode name="rule">
 <properties>
 <help>Policy rule number</help>
@@ -47,6 +47,9 @@
 </children>
 </node>
 #include <include/policy/route-common-rule-ipv6.xml.i>
+ #include <include/firewall/dscp.xml.i>
+ #include <include/firewall/packet-length.xml.i>
+ #include <include/firewall/hop-limit.xml.i>
 </children>
 </tagNode>
 </children>
@@ -61,7 +64,7 @@
 </properties>
 <children>
 #include <include/generic-description.xml.i>
- #include <include/firewall/name-default-log.xml.i>
+ #include <include/firewall/enable-default-log.xml.i>
 <tagNode name="rule">
 <properties>
 <help>Policy rule number</help>
@@ -96,6 +99,9 @@
 </children>
 </node>
 #include <include/policy/route-common-rule.xml.i>
+ #include <include/firewall/dscp.xml.i>
+ #include <include/firewall/packet-length.xml.i>
+ #include <include/firewall/ttl.xml.i>
 </children>
 </tagNode>
 </children>
diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in
index cc1de609d..e794c4b90 100644
--- a/interface-definitions/policy.xml.in
+++ b/interface-definitions/policy.xml.in
@@ -392,7 +392,7 @@
 <description>Prefix to match against</description>
 </valueHelp>
 <constraint>
- <validator name="ip-prefix"/>
+ <validator name="ipv4-prefix"/>
 </constraint>
 </properties>
 </leafNode>
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in
index 68762ff9a..4535d3990 100644
--- a/interface-definitions/protocols-rpki.xml.in
+++ b/interface-definitions/protocols-rpki.xml.in
@@ -12,15 +12,15 @@
 <help>RPKI cache server address</help>
 <valueHelp>
 <format>ipv4</format>
- <description>IP address of NTP server</description>
+ <description>IP address of RPKI server</description>
 </valueHelp>
 <valueHelp>
 <format>ipv6</format>
- <description>IPv6 address of NTP server</description>
+ <description>IPv6 address of RPKI server</description>
 </valueHelp>
 <valueHelp>
 <format>hostname</format>
- <description>Fully qualified domain name of NTP server</description>
+ <description>Fully qualified domain name of RPKI server</description>
 </valueHelp>
 <constraint>
 <validator name="ipv4-address"/>
diff --git a/interface-definitions/service-monitoring-telegraf.xml.in b/interface-definitions/service-monitoring-telegraf.xml.in
index 36f40a539..68215dba4 100644
--- a/interface-definitions/service-monitoring-telegraf.xml.in
+++ b/interface-definitions/service-monitoring-telegraf.xml.in
@@ -10,7 +10,7 @@
 <children>
 <node name="telegraf" owner="${vyos_conf_scripts_dir}/service_monitoring_telegraf.py">
 <properties>
- <help>Telegraf monitoring</help>
+ <help>Telegraf metric collector</help>
 </properties>
 <children>
 <node name="influxdb">
@@ -228,27 +228,7 @@
 </constraint>
 </properties>
 </leafNode>
- <leafNode name="listen-address">
- <properties>
- <help>Local IP addresses to listen on</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
- </completionHelp>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address to listen for incoming connections</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address to listen for incoming connections</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-address"/>
- <validator name="ipv6-address"/>
- <validator name="ipv6-link-local"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/listen-address.xml.i>
 <leafNode name="metric-version">
 <properties>
 <help>Metric version control mapping from Telegraf to Prometheus format</help>
@@ -291,21 +271,10 @@
 </leafNode>
 </children>
 </node>
- <leafNode name="url">
- <properties>
- <help>Remote URL</help>
- <valueHelp>
- <format>url</format>
- <description>Remote URL to Splunk collector</description>
- </valueHelp>
- <constraint>
- <regex>^(http(s?):\/\/.*):(\d*)\/?(.*)</regex>
- </constraint>
- <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
- </properties>
- </leafNode>
+ #include <include/monitoring/url.xml.i>
 </children>
 </node>
+ #include <include/interface/vrf.xml.i>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/service-pppoe-server.xml.in b/interface-definitions/service-pppoe-server.xml.in
index 50f42849b..c88f9e950 100644
--- a/interface-definitions/service-pppoe-server.xml.in
+++ b/interface-definitions/service-pppoe-server.xml.in
@@ -90,7 +90,7 @@
 <description>VLAN monitor range for the automatic creation of vlans (e.g. 1-4094)</description>
 </valueHelp>
 <constraint>
- <validator name="range" argument="--min=1 --max=4094"/>
+ <validator name="numeric" argument="--range 1-4094"/>
 </constraint>
 <multi/>
 </properties>
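Review bot: The removed inline `url` leaf constrained the Splunk collector URL with `^(http(s?):\/\/.*):(\d*)\/?(.*)` and an `Incorrect URL format` message, and the removed `listen-address` leaf accepted only `ipv4-address`, `ipv6-address` and `ipv6-link-local`; both are replaced by includes whose contents are not in this chunk. Confirm that `include/monitoring/url.xml.i` and `include/listen-address.xml.i` carry equivalent or stricter constraints, because these values are rendered into the Telegraf output configuration and a more permissive shared include would silently loosen validation for this service. The enclosing node structure opens before the first hunk and continues after the second.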
diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service-upnp.xml.in
index a129b7260..ec23d87df 100644
--- a/interface-definitions/service-upnp.xml.in
+++ b/interface-definitions/service-upnp.xml.in
@@ -103,19 +103,19 @@
 </valueHelp>
 <valueHelp>
 <format>ipv4</format>
- <description>IP address to listen for incoming connections</description>
+ <description>IPv4 address to listen for incoming connections</description>
 </valueHelp>
 <valueHelp>
- <format>ipv4-prefix</format>
- <description>IP prefix to listen for incoming connections</description>
+ <format>ipv4net</format>
+ <description>IPv4 prefix to listen for incoming connections</description>
 </valueHelp>
 <valueHelp>
 <format>ipv6</format>
- <description>IP address to listen for incoming connections</description>
+ <description>IPv6 address to listen for incoming connections</description>
 </valueHelp>
 <valueHelp>
- <format>ipv6-prefix</format>
- <description>IP prefix to listen for incoming connections</description>
+ <format>ipv6net</format>
+ <description>IPv6 prefix to listen for incoming connections</description>
 </valueHelp>
 <multi/>
 <constraint>
@@ -197,10 +197,15 @@
 <help>The IP to which this rule applies (REQUIRE)</help>
 <valueHelp>
 <format>ipv4</format>
+ <description>The IPv4 address to which this rule applies</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv4net</format>
 <description>The IPv4 to which this rule applies</description>
 </valueHelp>
 <constraint>
- <validator name="ipv4-address" />
+ <validator name="ipv4-address"/>
+ <validator name="ipv4-host"/>
 </constraint>
 </properties>
 </leafNode>
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 14f12b569..5810a97c6 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
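Review bot: In the second UPnP hunk the new `ipv4net` valueHelp keeps the old wording `The IPv4 to which this rule applies`, which no longer distinguishes it from the `ipv4` entry added directly above; change it to `<description>The IPv4 prefix to which this rule applies</description>`. The validator added next to it is `ipv4-host`, whereas elsewhere in this change `ipv4net` is paired with `ipv4-prefix` (see `include/ipv4-address-prefix.xml.i`); if a host-address-with-mask form is what the rule is meant to accept, the valueHelp should say so, otherwise `ipv4-prefix` is the consistent choice. The leafNode itself opens before the hunk.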
@@ -259,13 +259,13 @@
 </leafNode>
 <leafNode name="max-retrans">
 <properties>
- <help>TCP maximum retransmit attempts</help>
+ <help>Maximum number of packets that can be retransmitted without received an ACK</help>
 <valueHelp>
- <format>u32:1-2147483647</format>
- <description>Generic connection timeout in seconds</description>
+ <format>u32:1-255</format>
+ <description>Number of packets to be retransmitted</description>
 </valueHelp>
 <constraint>
- <validator name="numeric" argument="--range 1-2147483647"/>
+ <validator name="numeric" argument="--range 1-255"/>
 </constraint>
 </properties>
 <defaultValue>3</defaultValue>
diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in
index 8cd25799b..a9fed81fe 100644
--- a/interface-definitions/system-option.xml.in
+++ b/interface-definitions/system-option.xml.in
@@ -36,7 +36,7 @@
 <properties>
 <help>System keyboard layout, type ISO2</help>
 <completionHelp>
- <list>us fr de fi no dk dvorak</list>
+ <list>us fr de es fi jp106 no dk dvorak</list>
 </completionHelp>
 <valueHelp>
 <format>us</format>
@@ -51,10 +51,18 @@
 <description>Germany</description>
 </valueHelp>
 <valueHelp>
+ <format>es</format>
+ <description>Spain</description>
+ </valueHelp>
+ <valueHelp>
 <format>fi</format>
 <description>Finland</description>
 </valueHelp>
 <valueHelp>
+ <format>jp106</format>
+ <description>Japan</description>
+ </valueHelp>
+ <valueHelp>
 <format>no</format>
 <description>Norway</description>
 </valueHelp>
@@ -66,6 +74,10 @@
 <format>dvorak</format>
 <description>Dvorak</description>
 </valueHelp>
+ <constraint>
+ <regex>(us|fr|de|es|fi|jp106|no|dk|dvorak)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid keyboard layout</constraintErrorMessage>
 </properties>
 <defaultValue>us</defaultValue>
 </leafNode>
diff --git a/interface-definitions/system-proxy.xml.in b/interface-definitions/system-proxy.xml.in
index 1c06b347f..8fb6bfae5 100644
--- a/interface-definitions/system-proxy.xml.in
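Review bot: The new `max-retrans` help string reads `without received an ACK`; it should be `<help>Maximum number of packets that can be retransmitted without receiving an ACK</help>`. The tightened `u32:1-255` format, the matching `--range 1-255` validator and the existing default of 3 are consistent with each other, so only the wording needs attention.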
+++ b/interface-definitions/system-proxy.xml.in
@@ -11,7 +11,7 @@
 <properties>
 <help>Proxy URL</help>
 <constraint>
- <regex>http:\/\/[a-z0-9\.]+</regex>
+ <regex>http(s)?:\/\/[a-z0-9-\.]+</regex>
 </constraint>
 </properties>
 </leafNode>
diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in
index f734283e7..fd70a76dc 100644
--- a/interface-definitions/vpn-l2tp.xml.in
+++ b/interface-definitions/vpn-l2tp.xml.in
@@ -215,6 +215,7 @@
 </properties>
 </leafNode>
 #include <include/radius-nas-identifier.xml.i>
+ #include <include/radius-nas-ip-address.xml.i>
 <node name="dae-server">
 <properties>
 <help>IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA)</help>
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 21b47125d..bc7f78e79 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,6 +50,16 @@
 </leafNode>
 </children>
 </node>
+ <leafNode name="group">
+ <properties>
+ <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Group string. The group may be followed by a user-friendly name in brackets: group1[First Group]</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
 #include <include/auth-local-users.xml.i>
 <node name="local-users">
 <children>
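Review bot: In the new Proxy URL regex the hyphen sits in the middle of the character class, `[a-z0-9-\.]`, immediately after the `0-9` range; most engines treat it as a literal there, but writing the class as `[a-z0-9.-]+` removes the ambiguity and matches the same strings. The class is also lowercase-only, so a hostname typed with capitals is rejected even though hostnames are case-insensitive; if that is not intentional, `[a-zA-Z0-9.-]+` is the small widening. The leafNode this constraint belongs to opens before the hunk.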
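Review bot: The new OpenConnect `group` leaf has no `<constraint>`, so any text is accepted and passed through to the generated ocserv configuration; given the documented shape `group1[First Group]`, a regex constraint restricting values to a group name optionally followed by a bracketed label would reject malformed entries at commit time rather than at service start. How the template quotes this value is not visible here, so confirm that characters such as `"`, `#` or a newline cannot alter the rendered config. The enclosing children block opens before the hunk.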
@@ -144,10 +154,19 @@
 </properties>
 <defaultValue>2</defaultValue>
 </leafNode>
+ <leafNode name="groupconfig">
+ <properties>
+ <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius.</help>
+ </properties>
+ </leafNode>
 </children>
 </node>
 </children>
 </node>
+ #include <include/listen-address-ipv4.xml.i>
+ <leafNode name="listen-address">
+ <defaultValue>0.0.0.0</defaultValue>
+ </leafNode>
 <node name="listen-ports">
 <properties>
 <help>Specify custom ports to use for client connections</help>
@@ -265,6 +284,39 @@
 </children>
 </node>
 #include <include/name-server-ipv4-ipv6.xml.i>
+ <leafNode name="split-dns">
+ <properties>
+ <help>Domains over which the provided DNS should be used</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Client prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="fqdn"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="tunnel-all-dns">
+ <properties>
+ <help>If the tunnel-all-dns option is set to yes, tunnel all DNS queries via the VPN. This is the default when a default route is set.</help>
+ <completionHelp>
+ <list>yes no</list>
+ </completionHelp>
+ <valueHelp>
+ <format>yes</format>
+ <description>Enable tunneling of all DNS traffic</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no</format>
+ <description>Disable tunneling of all DNS traffic</description>
+ </valueHelp>
+ <constraint>
+ <regex>(yes|no)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>no</defaultValue>
+ </leafNode>
 </children>
 </node>
 </children>
diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in
deleted file mode 100644
index dca4c59d1..000000000
--- a/interface-definitions/zone-policy.xml.in
+++ /dev/null
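Review bot: The new `groupconfig` leaf has neither `<valueless/>` nor a `valueHelp`/`constraint`, so the CLI will expect an arbitrary value although the help describes an on/off switch; add `<valueless/>` after the help (as the `rfs` leaf does elsewhere in this change), or document and constrain the values it accepts. The help text also misspells `overridden` and could be tightened to `<help>If set, config-per-user is overridden and all configuration is read from RADIUS</help>`. The enclosing node opens before the hunk and closes within it.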
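Review bot: The `split-dns` valueHelp description `Client prefix length` is a copy-paste leftover; the leaf is validated by `fqdn` and its help speaks of domains, so it should read `<description>Domain name</description>`. In the same hunk `tunnel-all-dns` is modelled as a `yes`/`no` string while the other boolean switches in this change (`rfs`, `local-zone`) use `<valueless/>` leaves; that is a style inconsistency rather than a defect, but worth aligning before the option is released.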
@@ -1,148 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="zone-policy" owner="${vyos_conf_scripts_dir}/zone_policy.py">
- <properties>
- <help>Configure zone-policy</help>
- <priority>250</priority>
- </properties>
- <children>
- <tagNode name="zone">
- <properties>
- <help>Zone name</help>
- <valueHelp>
- <format>txt</format>
- <description>Zone name</description>
- </valueHelp>
- <constraint>
- <regex>[a-zA-Z0-9][\w\-\.]*</regex>
- </constraint>
- </properties>
- <children>
- #include <include/generic-description.xml.i>
- #include <include/firewall/name-default-log.xml.i>
- <leafNode name="default-action">
- <properties>
- <help>Default-action for traffic coming into this zone</help>
- <completionHelp>
- <list>drop reject</list>
- </completionHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <valueHelp>
- <format>reject</format>
- <description>Drop and notify source</description>
- </valueHelp>
- <constraint>
- <regex>(drop|reject)</regex>
- </constraint>
- </properties>
- <defaultValue>drop</defaultValue>
- </leafNode>
- <tagNode name="from">
- <properties>
- <help>Zone from which to filter traffic</help>
- <completionHelp>
- <path>zone-policy zone</path>
- </completionHelp>
- </properties>
- <children>
- <node name="firewall">
- <properties>
- <help>Firewall options</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </tagNode>
- <leafNode name="interface">
- <properties>
- <help>Interface associated with zone</help>
- <valueHelp>
- <format>txt</format>
- <description>Interface associated with zone</description>
- </valueHelp>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- <node name="intra-zone-filtering">
- <properties>
- <help>Intra-zone filtering</help>
- </properties>
- <children>
- <leafNode name="action">
- <properties>
- <help>Action for intra-zone traffic</help>
- <completionHelp>
- <list>accept drop</list>
- </completionHelp>
- <valueHelp>
- <format>accept</format>
- <description>Accept traffic</description>
- </valueHelp>
- <valueHelp>
- <format>drop</format>
- <description>Drop silently</description>
- </valueHelp>
- <constraint>
- <regex>(accept|drop)</regex>
- </constraint>
- </properties>
- </leafNode>
- <node name="firewall">
- <properties>
- <help>Use the specified firewall chain</help>
- </properties>
- <children>
- <leafNode name="ipv6-name">
- <properties>
- <help>IPv6 firewall ruleset</help>
- <completionHelp>
- <path>firewall ipv6-name</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="name">
- <properties>
- <help>IPv4 firewall ruleset</help>
- <completionHelp>
- <path>firewall name</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- <leafNode name="local-zone">
- <properties>
- <help>Zone to be local-zone</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
-</interfaceDefinition>
|