From f86041de88c3b0e0ce9ecc6d2cbc309bc8cb28e2 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 1 Aug 2021 00:13:47 +0200
Subject: policy: T2199: Migrate policy route to XML/Python
---
.../include/interface/interface-policy-vif-c.xml.i | 26 +
.../include/interface/interface-policy-vif.xml.i | 26 +
.../include/interface/interface-policy.xml.i | 26 +
.../include/interface/vif-s.xml.i | 2 +
interface-definitions/include/interface/vif.xml.i | 1 +
.../include/policy/route-common-rule-ipv6.xml.i | 569 +++++++++++++++++++++
.../include/policy/route-common-rule.xml.i | 418 +++++++++++++++
.../include/policy/route-rule-action.xml.i | 17 +
8 files changed, 1085 insertions(+)
create mode 100644 interface-definitions/include/interface/interface-policy-vif-c.xml.i
create mode 100644 interface-definitions/include/interface/interface-policy-vif.xml.i
create mode 100644 interface-definitions/include/interface/interface-policy.xml.i
create mode 100644 interface-definitions/include/policy/route-common-rule-ipv6.xml.i
create mode 100644 interface-definitions/include/policy/route-common-rule.xml.i
create mode 100644 interface-definitions/include/policy/route-rule-action.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/interface/interface-policy-vif-c.xml.i b/interface-definitions/include/interface/interface-policy-vif-c.xml.i
new file mode 100644
index 000000000..5dad6422b
--- /dev/null
+++ b/interface-definitions/include/interface/interface-policy-vif-c.xml.i
@@ -0,0 +1,26 @@
+
+
+
+ 620
+ Policy route options
+
+
+
+
+ IPv4 policy route ruleset for interface
+
+ policy route
+
+
+
+
+
+ IPv6 policy route ruleset for interface
+
+ policy ipv6-route
+
+
+
+
+
+
diff --git a/interface-definitions/include/interface/interface-policy-vif.xml.i b/interface-definitions/include/interface/interface-policy-vif.xml.i
new file mode 100644
index 000000000..5ee80ae13
--- /dev/null
+++ b/interface-definitions/include/interface/interface-policy-vif.xml.i
@@ -0,0 +1,26 @@
+
+
+
+ 620
+ Policy route options
+
+
+
+
+ IPv4 policy route ruleset for interface
+
+ policy route
+
+
+
+
+
+ IPv6 policy route ruleset for interface
+
+ policy ipv6-route
+
+
+
+
+
+
diff --git a/interface-definitions/include/interface/interface-policy.xml.i b/interface-definitions/include/interface/interface-policy.xml.i
new file mode 100644
index 000000000..06f025af1
--- /dev/null
+++ b/interface-definitions/include/interface/interface-policy.xml.i
@@ -0,0 +1,26 @@
+
+
+
+ 620
+ Policy route options
+
+
+
+
+ IPv4 policy route ruleset for interface
+
+ policy route
+
+
+
+
+
+ IPv6 policy route ruleset for interface
+
+ policy ipv6-route
+
+
+
+
+
+
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index caa5248ab..f1a61ff64 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -19,6 +19,7 @@
#include
#include
#include
+ #include
Protocol used for service VLAN (default: 802.1ad)
@@ -65,6 +66,7 @@
#include
#include
#include
+ #include
#include
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index a2382cc1b..11ba7e2f8 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -20,6 +20,7 @@
#include
#include
#include
+ #include
VLAN egress QoS
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
new file mode 100644
index 000000000..2d6adcd1d
--- /dev/null
+++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
@@ -0,0 +1,569 @@
+
+#include
+#include
+
+
+ Option to disable firewall rule
+
+
+
+
+
+ IP fragment match
+
+
+
+
+ Second and further fragments of fragmented packets
+
+
+
+
+
+ Head fragments or unfragmented packets
+
+
+
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+
+ Inbound non-IPsec packets
+
+
+
+
+
+
+
+ Rate limit using a token bucket filter
+
+
+
+
+ Maximum number of packets to allow in excess of rate
+
+ u32:0-4294967295
+ Maximum number of packets to allow in excess of rate
+
+
+
+
+
+
+
+
+ Maximum average matching rate
+
+ u32:0-4294967295
+ Maximum average matching rate
+
+
+
+
+
+
+
+
+
+
+ Option to log packets matching rule
+
+ enable disable
+
+
+ enable
+ Enable log
+
+
+ disable
+ Disable log
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Protocol to match (protocol name, number, or "all")
+
+
+
+
+ all
+ All IP protocols
+
+
+ tcp_udp
+ Both TCP and UDP
+
+
+ 0-255
+ IP protocol number
+
+
+ !<protocol>
+ IP protocol number
+
+
+
+
+
+ all
+
+
+
+ Parameters for matching recently seen sources
+
+
+
+
+ Source addresses seen more than N times
+
+ u32:1-255
+ Source addresses seen more than N times
+
+
+
+
+
+
+
+
+ Source addresses seen in the last N seconds
+
+ u32:0-4294967295
+ Source addresses seen in the last N seconds
+
+
+
+
+
+
+
+
+
+
+ Packet modifications
+
+
+
+
+ Packet Differentiated Services Codepoint (DSCP)
+
+ u32:0-63
+ DSCP number
+
+
+
+
+
+
+
+
+ Packet marking
+
+ u32:1-2147483647
+ Packet marking
+
+
+
+
+
+
+
+
+ Routing table to forward packet with
+
+ u32:1-200
+ Table number
+
+
+ main
+ Main table
+
+
+
+ ^(main)$
+
+
+
+
+
+ TCP Maximum Segment Size
+
+ u32:500-1460
+ Explicitly set TCP MSS value
+
+
+
+
+
+
+
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+
+
+ Source MAC address
+
+ <MAC address>
+ MAC address to match
+
+
+ !<MAC address>
+ Match everything except the specified MAC address
+
+
+
+ #include
+
+
+
+
+ Session state
+
+
+
+
+ Established state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Invalid state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ New state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Related state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+
+
+ TCP flags to match
+
+
+
+
+ TCP flags to match
+
+ txt
+ TCP flags to match
+
+
+
+ \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+
+
+
+
+
+
+
+ Time to match rule
+
+
+
+
+ Monthdays to match rule on
+
+
+
+
+ Date to start matching rule
+
+
+
+
+ Time of day to start matching rule
+
+
+
+
+ Date to stop matching rule
+
+
+
+
+ Time of day to stop matching rule
+
+
+
+
+ Interpret times for startdate, stopdate, starttime and stoptime to be UTC
+
+
+
+
+
+ Weekdays to match rule on
+
+
+
+
+
+
+ ICMPv6 type and code information
+
+
+
+
+ ICMP type-name
+
+ any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big
+
+
+ any
+ Any ICMP type/code
+
+
+ echo-reply
+ ICMP type/code name
+
+
+ pong
+ ICMP type/code name
+
+
+ destination-unreachable
+ ICMP type/code name
+
+
+ network-unreachable
+ ICMP type/code name
+
+
+ host-unreachable
+ ICMP type/code name
+
+
+ protocol-unreachable
+ ICMP type/code name
+
+
+ port-unreachable
+ ICMP type/code name
+
+
+ fragmentation-needed
+ ICMP type/code name
+
+
+ source-route-failed
+ ICMP type/code name
+
+
+ network-unknown
+ ICMP type/code name
+
+
+ host-unknown
+ ICMP type/code name
+
+
+ network-prohibited
+ ICMP type/code name
+
+
+ host-prohibited
+ ICMP type/code name
+
+
+ TOS-network-unreachable
+ ICMP type/code name
+
+
+ TOS-host-unreachable
+ ICMP type/code name
+
+
+ communication-prohibited
+ ICMP type/code name
+
+
+ host-precedence-violation
+ ICMP type/code name
+
+
+ precedence-cutoff
+ ICMP type/code name
+
+
+ source-quench
+ ICMP type/code name
+
+
+ redirect
+ ICMP type/code name
+
+
+ network-redirect
+ ICMP type/code name
+
+
+ host-redirect
+ ICMP type/code name
+
+
+ TOS-network-redirect
+ ICMP type/code name
+
+
+ TOS host-redirect
+ ICMP type/code name
+
+
+ echo-request
+ ICMP type/code name
+
+
+ ping
+ ICMP type/code name
+
+
+ router-advertisement
+ ICMP type/code name
+
+
+ router-solicitation
+ ICMP type/code name
+
+
+ time-exceeded
+ ICMP type/code name
+
+
+ ttl-exceeded
+ ICMP type/code name
+
+
+ ttl-zero-during-transit
+ ICMP type/code name
+
+
+ ttl-zero-during-reassembly
+ ICMP type/code name
+
+
+ parameter-problem
+ ICMP type/code name
+
+
+ ip-header-bad
+ ICMP type/code name
+
+
+ required-option-missing
+ ICMP type/code name
+
+
+ timestamp-request
+ ICMP type/code name
+
+
+ timestamp-reply
+ ICMP type/code name
+
+
+ address-mask-request
+ ICMP type/code name
+
+
+ address-mask-reply
+ ICMP type/code name
+
+
+ packet-too-big
+ ICMP type/code name
+
+
+ ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)$
+
+
+
+
+
+
+
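Review bot: The type-name node under "ICMPv6 type and code information" accepts a name list that looks copied from the IPv4 ICMP table: `source-quench`, `timestamp-request`, `address-mask-request` and the `TOS-*` entries have no ICMPv6 counterpart, while neighbour solicitation and advertisement are absent. The script that consumes this value is not in this diff, so the effect is inferred: either the backend rejects the name and the commit fails late, or the rule ends up matching something other than what the operator intended. Separately, `TOS host-redirect` is written with a space in the completion list, in its help entry and in the regex alternative, where its sibling is `TOS-network-redirect`; it should presumably be `TOS-host-redirect`, since a space-separated completion list would split it into two words. The description `ICMP type-name` under this node would read better as `ICMPv6 type-name`.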
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
new file mode 100644
index 000000000..c4deefd2a
--- /dev/null
+++ b/interface-definitions/include/policy/route-common-rule.xml.i
@@ -0,0 +1,418 @@
+
+#include
+#include
+
+
+ Option to disable firewall rule
+
+
+
+
+
+ IP fragment match
+
+
+
+
+ Second and further fragments of fragmented packets
+
+
+
+
+
+ Head fragments or unfragmented packets
+
+
+
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+
+ Inbound non-IPsec packets
+
+
+
+
+
+
+
+ Rate limit using a token bucket filter
+
+
+
+
+ Maximum number of packets to allow in excess of rate
+
+ u32:0-4294967295
+ Maximum number of packets to allow in excess of rate
+
+
+
+
+
+
+
+
+ Maximum average matching rate
+
+ u32:0-4294967295
+ Maximum average matching rate
+
+
+
+
+
+
+
+
+
+
+ Option to log packets matching rule
+
+ enable disable
+
+
+ enable
+ Enable log
+
+
+ disable
+ Disable log
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Protocol to match (protocol name, number, or "all")
+
+
+
+
+ all
+ All IP protocols
+
+
+ tcp_udp
+ Both TCP and UDP
+
+
+ 0-255
+ IP protocol number
+
+
+ !<protocol>
+ IP protocol number
+
+
+
+
+
+ all
+
+
+
+ Parameters for matching recently seen sources
+
+
+
+
+ Source addresses seen more than N times
+
+ u32:1-255
+ Source addresses seen more than N times
+
+
+
+
+
+
+
+
+ Source addresses seen in the last N seconds
+
+ u32:0-4294967295
+ Source addresses seen in the last N seconds
+
+
+
+
+
+
+
+
+
+
+ Packet modifications
+
+
+
+
+ Packet Differentiated Services Codepoint (DSCP)
+
+ u32:0-63
+ DSCP number
+
+
+
+
+
+
+
+
+ Packet marking
+
+ u32:1-2147483647
+ Packet marking
+
+
+
+
+
+
+
+
+ Routing table to forward packet with
+
+ u32:1-200
+ Table number
+
+
+ main
+ Main table
+
+
+
+ ^(main)$
+
+
+
+
+
+ TCP Maximum Segment Size
+
+ u32:500-1460
+ Explicitly set TCP MSS value
+
+
+
+
+
+
+
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+
+
+ Source MAC address
+
+ <MAC address>
+ MAC address to match
+
+
+ !<MAC address>
+ Match everything except the specified MAC address
+
+
+
+ #include
+
+
+
+
+ Session state
+
+
+
+
+ Established state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Invalid state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ New state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+ Related state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ ^(enable|disable)$
+
+
+
+
+
+
+
+ TCP flags to match
+
+
+
+
+ TCP flags to match
+
+ txt
+ TCP flags to match
+
+
+
+ \n\n Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL\n When specifying more than one flag, flags should be comma-separated.\n For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with\n the SYN flag set, and the ACK, FIN and RST flags unset
+
+
+
+
+
+
+
+ Time to match rule
+
+
+
+
+ Monthdays to match rule on
+
+
+
+
+ Date to start matching rule
+
+
+
+
+ Time of day to start matching rule
+
+
+
+
+ Date to stop matching rule
+
+
+
+
+ Time of day to stop matching rule
+
+
+
+
+ Interpret times for startdate, stopdate, starttime and stoptime to be UTC
+
+
+
+
+
+ Weekdays to match rule on
+
+
+
+
+
+
+ ICMP type and code information
+
+
+
+
+ ICMP code (0-255)
+
+ u32:0-255
+ ICMP code (0-255)
+
+
+
+
+
+
+
+
+ ICMP type (0-255)
+
+ u32:0-255
+ ICMP type (0-255)
+
+
+
+
+
+
+ #include
+
+
+
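Review bot: The help entry for the negated protocol form `!&lt;protocol&gt;` carries the same text as the numeric `0-255` entry above it, `IP protocol number`, so the completion output never tells the operator that this form inverts the match. A text such as `All IP protocols except for the specified one` would describe it; the identical pair also appears in route-common-rule-ipv6.xml.i. An inverted match changes which traffic a policy rule steers or drops, so the help should state the negation explicitly. The element tags are not visible in this rendering, so the constraint that validates the value cannot be checked from here.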
diff --git a/interface-definitions/include/policy/route-rule-action.xml.i b/interface-definitions/include/policy/route-rule-action.xml.i
new file mode 100644
index 000000000..9c880579d
--- /dev/null
+++ b/interface-definitions/include/policy/route-rule-action.xml.i
@@ -0,0 +1,17 @@
+
+
+
+ Rule action [REQUIRED]
+
+ drop
+
+
+ drop
+ Drop matching entries
+
+
+ ^(drop)$
+
+
+
+
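Review bot: The help string `Rule action [REQUIRED]` marks the node as mandatory, yet the only accepted value is `drop` (`^(drop)$`), and the common rule includes in this commit also offer packet modifications such as a routing table, mark and DSCP. If a rule that only sets those is meant to be valid without an action, the marker is misleading and could lead an operator to add `drop` to a rule intended to steer traffic; `Rule action` alone would be safer. If the action really is required, that has to be enforced in the verify step of the consuming script, which is outside this diff.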
--
cgit v1.2.3