From f57ad85b346a08bd3aa31d95c9a7438f783c2b6e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 4 Jul 2023 09:58:26 -0300 Subject: T5160: firewall refactor: fix regexep for connection-status. Create new file with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers --- .../include/firewall/common-rule-inet.xml.i | 374 +++++++++++++++++++++ .../include/firewall/common-rule-ipv4-raw.xml.i | 2 +- .../include/firewall/common-rule-ipv4.xml.i | 354 +------------------ .../include/firewall/common-rule-ipv6.xml.i | 354 +------------------ .../include/firewall/ipv4-custom-name.xml.i | 8 - .../include/firewall/ipv4-hook-forward.xml.i | 8 - .../include/firewall/ipv4-hook-input.xml.i | 8 - .../include/firewall/ipv4-hook-output.xml.i | 8 - .../include/firewall/ipv6-custom-name.xml.i | 8 - .../include/firewall/ipv6-hook-forward.xml.i | 8 - .../include/firewall/ipv6-hook-input.xml.i | 8 - .../include/firewall/ipv6-hook-output.xml.i | 8 - 12 files changed, 385 insertions(+), 763 deletions(-) create mode 100644 interface-definitions/include/firewall/common-rule-inet.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i new file mode 100644 index 000000000..7a2eb86d4 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i 
@@ -0,0 +1,374 @@ + +#include +#include +#include +#include +#include +#include + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + (destination|source) + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + 
+ + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i index 86af2fb0e..a1071a09a 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -165,7 +165,7 @@ Match connections that are subject to source NAT - ^(destination|source)$ + (destination|source) diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i index b873d99a3..4ed179ae7 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i 
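Review bot: The two time-of-day validators in the new common-rule-inet.xml.i (the start and stop "Time of day" leaves near the end of this hunk) use `([0-2][0-9](\:[0-5][0-9]){1,2})`, which accepts hours 24 through 29, so a value such as 27:00 passes CLI validation and is only caught, if at all, downstream; `(([01][0-9]|2[0-3])(:[0-5][0-9]){1,2})` keeps the same shape and rejects those hours. The same loose pattern was in the ipv4 and ipv6 files this commit deletes, so consolidating them here is the natural place to tighten it. Earlier in the hunk, the "Option to log packets matching rule" leaf appears twice in succession before the connection-status include; the element names are not legible in this view, but if both carry the same node name that is a duplicate definition and should be reconciled. The new file also ends without a trailing newline.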
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -1,11 +1,6 @@ -#include -#include -#include -#include -#include +#include #include -#include Destination parameters @@ -20,31 +15,6 @@ #include - - - Option to disable firewall rule - - - - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - ICMP type and code information 
@@ -77,176 +47,14 @@ #include - - - Inbound IPsec packets - - - - - Inbound IPsec packets - - - - - - Inbound non-IPsec packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - - - - Option to log packets matching rule - - enable disable - - - enable - Enable log - - - disable - Disable log - - - (enable|disable) - - - -#include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - ^(destination|source)$ - - - - - - + - Protocol to match (protocol name, number, or "all") + Set jump target. Action jump must be defined to use this setting - - all tcp_udp + firewall ipv4 name - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - Source parameters 
@@ -261,156 +69,4 @@ #include - - - Session state - - - - - Established state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Invalid state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - New state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Related state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - -#include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - - + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i index 758281335..6219557db 100644 --- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -1,11 +1,6 @@ -#include -#include -#include -#include -#include +#include #include -#include Destination parameters 
@@ -20,31 +15,6 @@ #include - - - Option to disable firewall rule - - - - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - ICMPv6 type and code information @@ -77,176 +47,14 @@ #include - - - Inbound IPsec packets - - - - - Inbound IPsec packets - - - - - - Inbound non-IPsec packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - - - - Option to log packets matching rule - - enable disable - - - enable - Enable log - - - disable - Disable log - - - (enable|disable) - - - -#include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - ^(destination|source)$ - - - - - - + - Protocol to match (protocol name, number, or "all") + Set jump target. Action jump must be defined to use this setting - - all tcp_udp + firewall ipv6 name - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - Source parameters 
@@ -261,156 +69,4 @@ #include - - - Session state - - - - - Established state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Invalid state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - New state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Related state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - -#include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - - + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index 7fd802f3b..9d6ecfaf2 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -34,14 +34,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index beb9df64e..08ee96419 100644 
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -27,14 +27,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i index 1a2e1399f..32b0ec94f 100644 --- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index e870e2b79..d50d1e93b 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i index 4b6777293..81610babf 100644 --- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -34,14 +34,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i index 25e1bd288..20ab8dbe8 100644 --- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i 
@@ -27,14 +27,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i index f9a4d71b4..e34958f28 100644 --- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index 9bf73a778..eb4ea7ac3 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - -- cgit v1.2.3