From 1c2209c1dc84993d0f766f3d14df1fb3adf9dda2 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 23 May 2023 14:48:15 -0300 Subject: T5160: firewall refactor: new cli structure. Update only all xml --- .../include/firewall/action-and-notrack.xml.i | 41 ++ .../include/firewall/common-rule-ipv4-raw.xml.i | 331 ++++++++++++++++ .../include/firewall/common-rule-ipv4.xml.i | 416 +++++++++++++++++++++ .../include/firewall/common-rule-ipv6.xml.i | 416 +++++++++++++++++++++ .../firewall/default-action-base-chains.xml.i | 22 ++ .../include/firewall/global-options.xml.i | 272 ++++++++++++++ .../include/firewall/inbound-interface.xml.i | 10 + .../include/firewall/ipv4-custom-name.xml.i | 49 +++ .../include/firewall/ipv4-hook-forward.xml.i | 44 +++ .../include/firewall/ipv4-hook-input.xml.i | 43 +++ .../include/firewall/ipv4-hook-output.xml.i | 43 +++ .../include/firewall/ipv4-hook-prerouting.xml.i | 85 +++++ .../include/firewall/ipv6-custom-name.xml.i | 49 +++ .../include/firewall/ipv6-hook-forward.xml.i | 44 +++ .../include/firewall/ipv6-hook-input.xml.i | 43 +++ .../include/firewall/ipv6-hook-output.xml.i | 43 +++ .../include/firewall/match-interface.xml.i | 7 + .../include/firewall/outbound-interface.xml.i | 10 + 18 files changed, 1968 insertions(+) create mode 100644 interface-definitions/include/firewall/action-and-notrack.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/default-action-base-chains.xml.i create mode 100644 interface-definitions/include/firewall/global-options.xml.i create mode 100644 interface-definitions/include/firewall/inbound-interface.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-custom-name.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-custom-name.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/outbound-interface.xml.i (limited to 'interface-definitions/include/firewall') diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i new file mode 100644 index 000000000..5f81a1451 --- /dev/null +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -0,0 +1,41 @@ + + + + Rule action + + accept jump notrack reject return drop queue + + + accept + Accept matching entries + + + jump + Jump to another chain + + + reject + Reject matching entries + + + return + Return from the current chain and continue at the next rule of the last chain + + + drop + Drop matching entries + + + queue + Enqueue packet to userspace + + + notrack + Igone connection tracking + + + (accept|jump|notrack|reject|return|drop|queue) + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i new file mode 100644 index 000000000..86af2fb0e --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -0,0 +1,331 @@ + +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i new file mode 100644 index 000000000..b873d99a3 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i new file mode 100644 index 000000000..758281335 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMPv6 type and code information + + + + + ICMPv6 code + + u32:0-255 + ICMPv6 code (0-255) + + + + + + + + + ICMPv6 type + + u32:0-255 + ICMPv6 type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i new file mode 100644 index 000000000..ba7c63cd6 --- /dev/null +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i @@ -0,0 +1,22 @@ + + + + Default-action for rule-set + + drop accept + + + drop + Drop if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + (drop|accept) + + + drop + + diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i new file mode 100644 index 000000000..3204a239d --- /dev/null +++ b/interface-definitions/include/firewall/global-options.xml.i @@ -0,0 +1,272 @@ + + + + Global Options + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + (enable|disable) + + + enable + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + (enable|disable) + + + disable + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + (enable|disable) + + + disable + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + (enable|disable) + + + disable + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + (enable|disable) + + + enable + + + + Policy for handling received IPv4 ICMP redirect messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + (enable|disable) + + + disable + + + + Retains last successful value if domain resolution fails + + + + + + Domain resolver update interval + + u32:10-3600 + Interval (seconds) + + + + + + 300 + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect messages + + + (enable|disable) + + + enable + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + (strict|loose|disable) + + + disable + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + (enable|disable) + + + enable + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + (enable|disable) + + + disable + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + (enable|disable) + + + disable + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + (enable|disable) + + + disable + + + + diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i new file mode 100644 index 000000000..13df71de3 --- /dev/null +++ b/interface-definitions/include/firewall/inbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match inbound-interface + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i new file mode 100644 index 000000000..b2f8271f7 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv4 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i new file mode 100644 index 000000000..6179afe31 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv4 forward firewall + + + + + IPv4 firewall forward filter + + + #include + #include + + + IP Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i new file mode 100644 index 000000000..f9746378b --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -0,0 +1,43 @@ + + + + IPv4 input firewall + + + + + IPv4 firewall input filter + + + #include + #include + + + IP Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i new file mode 100644 index 000000000..a1820f314 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv4 output firewall + + + + + IPv4 firewall output filter + + + #include + #include + + + IP Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i new file mode 100644 index 000000000..229a25ef4 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -0,0 +1,85 @@ + + + + IPv4 prerouting firewall + + + + + IPv4 firewall prerouting filter + + + #include + #include + + + IP Firewall prerouting filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + IPv4 firewall prerouting raw + + + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall prerouting raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i new file mode 100644 index 000000000..6275036c1 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv6 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ipv6 ipv6-name + + + + + + IPv6 Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i new file mode 100644 index 000000000..042bd9931 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv6 forward firewall + + + + + IPv6 firewall forward filter + + + #include + #include + + + IPv6 Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i new file mode 100644 index 000000000..8c41e0aca --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 input firewall + + + + + IPv6 firewall input filter + + + #include + #include + + + IPv6 Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i new file mode 100644 index 000000000..9b756d870 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 output firewall + + + + + IPv6 firewall output filter + + + #include + #include + + + IPv6 Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i index 3e52422cf..a62bf8d89 100644 --- a/interface-definitions/include/firewall/match-interface.xml.i +++ b/interface-definitions/include/firewall/match-interface.xml.i @@ -5,6 +5,13 @@ + + txt + Interface name, wildcard (*) supported + + + #include + diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i new file mode 100644 index 000000000..8654dfd80 --- /dev/null +++ b/interface-definitions/include/firewall/outbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match outbound-interface + + + #include + + + \ No newline at end of file -- cgit v1.2.3