From 1c2209c1dc84993d0f766f3d14df1fb3adf9dda2 Mon Sep 17 00:00:00 2001 
From: Nicolas Fort Date: Tue, 23 May 2023 14:48:15 -0300 Subject: T5160: firewall refactor: new cli structure. Update only all xml --- interface-definitions/firewall.xml.in | 704 +-------------------- .../include/firewall/action-and-notrack.xml.i | 41 ++ .../include/firewall/common-rule-ipv4-raw.xml.i | 331 ++++++++++ .../include/firewall/common-rule-ipv4.xml.i | 416 ++++++++++++ .../include/firewall/common-rule-ipv6.xml.i | 416 ++++++++++++ .../firewall/default-action-base-chains.xml.i | 22 + .../include/firewall/global-options.xml.i | 272 ++++++++ .../include/firewall/inbound-interface.xml.i | 10 + .../include/firewall/ipv4-custom-name.xml.i | 49 ++ .../include/firewall/ipv4-hook-forward.xml.i | 44 ++ .../include/firewall/ipv4-hook-input.xml.i | 43 ++ .../include/firewall/ipv4-hook-output.xml.i | 43 ++ .../include/firewall/ipv4-hook-prerouting.xml.i | 85 +++ .../include/firewall/ipv6-custom-name.xml.i | 49 ++ .../include/firewall/ipv6-hook-forward.xml.i | 44 ++ .../include/firewall/ipv6-hook-input.xml.i | 43 ++ .../include/firewall/ipv6-hook-output.xml.i | 43 ++ .../include/firewall/match-interface.xml.i | 7 + .../include/firewall/outbound-interface.xml.i | 10 + .../include/version/firewall-version.xml.i | 2 +- 20 files changed, 1983 insertions(+), 691 deletions(-) create mode 100644 interface-definitions/include/firewall/action-and-notrack.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/default-action-base-chains.xml.i create mode 100644 interface-definitions/include/firewall/global-options.xml.i create mode 100644 interface-definitions/include/firewall/inbound-interface.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-custom-name.xml.i create mode 100644 
interface-definitions/include/firewall/ipv4-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-custom-name.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/outbound-interface.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 1cdc7b819..9b36f92e8 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -6,66 +6,7 @@ Firewall - - - Policy for handling of all IPv4 ICMP echo requests - - enable disable - - - enable - Enable processing of all IPv4 ICMP echo requests - - - disable - Disable processing of all IPv4 ICMP echo requests - - - (enable|disable) - - - enable - - - - Policy for handling broadcast IPv4 ICMP echo and timestamp requests - - enable disable - - - enable - Enable processing of broadcast IPv4 ICMP echo/timestamp requests - - - disable - Disable processing of broadcast IPv4 ICMP echo/timestamp requests - - - (enable|disable) - - - disable - - - - SNMP trap generation on firewall configuration changes - - enable disable - - - enable - Enable sending SNMP trap on firewall configuration change - - - disable - Disable sending SNMP trap on firewall configuration change - - - (enable|disable) - - - disable - + #include Firewall group 
@@ -343,645 +284,28 @@ - + - Interface name to apply firewall configuration - - - - - #include - + IPv4 firewall - - - Forwarded packets on inbound interface - - - #include - - - - - Forwarded packets on outbound interface - - - #include - - - - - Packets destined for this router - - - #include - - - - - - - Policy for handling IPv4 packets with source route option - - enable disable - - - enable - Enable processing of IPv4 packets with source route option - - - disable - Disable processing of IPv4 packets with source route option - - - (enable|disable) - - - disable - - - - IPv6 firewall rule-set name - - [a-zA-Z0-9][\w\-\.]* - - - - #include - #include - #include - - - Set jump target. Action jump must be defined in default-action to use this setting - - firewall ipv6-name - - - - - - Firewall rule number (IPv6) - - u32:1-999999 - Number for this Firewall rule - - - - - Firewall rule number must be between 1 and 999999 - - - #include - #include - - - Destination parameters - - - #include - #include - #include - #include - #include - #include - - - - - Source parameters - - - #include - #include - #include - #include - #include - #include - - - #include - #include - #include - #include - #include - - - ICMPv6 type and code information - - - - - ICMPv6 code - - u32:0-255 - ICMPv6 code (0-255) - - - - - - - - - ICMPv6 type - - u32:0-255 - ICMPv6 type (0-255) - - - - - - - #include - - - - - Set jump target. 
Action jump must be defined to use this setting - - firewall ipv6-name - - - - #include - - - - - - - Policy for handling received ICMPv6 redirect messages - - enable disable - - - enable - Enable processing of received ICMPv6 redirect messages - - - disable - Disable processing of received ICMPv6 redirect messages - - - (enable|disable) - - - disable - - - - Policy for handling IPv6 packets with routing extension header - - enable disable - - - enable - Enable processing of IPv6 packets with routing header type 2 - - - disable - Disable processing of IPv6 packets with routing header - - - (enable|disable) - - - disable - - - - Policy for logging IPv4 packets with invalid addresses - - enable disable - - - enable - Enable logging of IPv4 packets with invalid addresses - - - disable - Disable logging of Ipv4 packets with invalid addresses - - - (enable|disable) - - - enable - - - - IPv4 firewall rule-set name - - [a-zA-Z0-9][\w\-\.]* - - - - #include - #include - #include - - - Set jump target. Action jump must be defined in default-action to use this setting - - firewall name - - - - - - Firewall rule number (IPv4) - - u32:1-999999 - Number for this Firewall rule - - - - - Firewall rule number must be between 1 and 999999 - - - #include - #include - - - Destination parameters - - - #include - #include - #include - #include - #include - #include - - - - - Source parameters - - - #include - #include - #include - #include - #include - #include - - - #include - #include - #include - #include - - - ICMP type and code information - - - - - ICMP code - - u32:0-255 - ICMP code (0-255) - - - - - - - - - ICMP type - - u32:0-255 - ICMP type (0-255) - - - - - - - #include - - - - - Set jump target. 
Action jump must be defined to use this setting - - firewall name - - - - #include - #include - - - - - - - Policy for handling received IPv4 ICMP redirect messages - - enable disable - - - enable - Enable processing of received IPv4 ICMP redirect messages - - - disable - Disable processing of received IPv4 ICMP redirect messages - - - (enable|disable) - - - disable - - - - Retains last successful value if domain resolution fails - - - - - - Domain resolver update interval - - u32:10-3600 - Interval (seconds) - - - - - - 300 - - - - Policy for sending IPv4 ICMP redirect messages - - enable disable - - - enable - Enable sending IPv4 ICMP redirect messages - - - disable - Disable sending IPv4 ICMP redirect messages - - - (enable|disable) - - - enable - - - - Policy for source validation by reversed path, as specified in RFC3704 - - strict loose disable - - - strict - Enable Strict Reverse Path Forwarding as defined in RFC3704 - - - loose - Enable Loose Reverse Path Forwarding as defined in RFC3704 - - - disable - No source validation - - - (strict|loose|disable) - - - disable - - - - Global firewall state-policy - - - - - Global firewall policy for packets part of an established connection - - - #include - #include - #include - - - - - Global firewall policy for packets part of an invalid connection - - - #include - #include - #include - - - - - Global firewall policy for packets part of a related connection - - - #include - #include - #include - - + #include + #include + #include + #include - - - Policy for using TCP SYN cookies with IPv4 - - enable disable - - - enable - Enable use of TCP SYN cookies with IPv4 - - - disable - Disable use of TCP SYN cookies with IPv4 - - - (enable|disable) - - - enable - - + - RFC1337 TCP TIME-WAIT assasination hazards protection - - enable disable - - - enable - Enable RFC1337 TIME-WAIT hazards protection - - - disable - Disable RFC1337 TIME-WAIT hazards protection - - - (enable|disable) - - - disable - - - - Zone-policy - - txt - 
Zone name - - - [a-zA-Z0-9][\w\-\.]* - + IPv6 firewall - #include - #include - - - Default-action for traffic coming into this zone - - drop reject - - - drop - Drop silently - - - reject - Drop and notify source - - - (drop|reject) - - - drop - - - - Zone from which to filter traffic - - zone-policy zone - - - - - - Firewall options - - - - - IPv6 firewall ruleset - - firewall ipv6-name - - - - - - IPv4 firewall ruleset - - firewall name - - - - - - - - - - Interface associated with zone - - txt - Interface associated with zone - - - vrf - VRF associated with zone - - - - vrf name - - - - - - - Intra-zone filtering - - - - - Action for intra-zone traffic - - accept drop - - - accept - Accept traffic - - - drop - Drop silently - - - (accept|drop) - - - - - - Use the specified firewall chain - - - - - IPv6 firewall ruleset - - firewall ipv6-name - - - - - - IPv4 firewall ruleset - - firewall name - - - - - - - - - - Zone to be local-zone - - - + #include + #include + #include + #include - + diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i new file mode 100644 index 000000000..5f81a1451 --- /dev/null +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -0,0 +1,41 @@ + + + + Rule action + + accept jump notrack reject return drop queue + + + accept + Accept matching entries + + + jump + Jump to another chain + + + reject + Reject matching entries + + + return + Return from the current chain and continue at the next rule of the last chain + + + drop + Drop matching entries + + + queue + Enqueue packet to userspace + + + notrack + Igone connection tracking + + + (accept|jump|notrack|reject|return|drop|queue) + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i new file mode 100644 index 000000000..86af2fb0e --- /dev/null 
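Review bot: The help text for the `notrack` value in the new action list reads `Igone connection tracking`; it should read `Ignore connection tracking` (or, closer to what the nftables notrack statement does, `Do not track this connection`). The completion list and the `(accept|jump|notrack|reject|return|drop|queue)` validator agree on the seven values, so only the help string needs the change.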
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i 
@@ -0,0 +1,331 @@ + +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source 
addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i new file mode 100644 index 000000000..b873d99a3 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i 
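Review bot: The raw-rule variant keeps the `connection-status` match (`NAT connection status`, destination/source) while it drops the `state` node that common-rule-ipv4 carries; on a chain hooked in the raw table I believe conntrack has not yet classified the packet, so a ct status match there would never fire — confirm that the generator rejects or rewrites it, or drop the node from this include as was done for `state`. Two smaller points are shared with the common-rule-ipv4 and common-rule-ipv6 hunks: the start-time and stop-time help strings read `Enter time using using 24 hour notation`, and the weekdays help lists `Thursdays`; those should be `using` once and `Thursday`. The NAT status regex is also the only anchored one in the file (`^(destination|source)$`) where every other constraint is written `(enable|disable)` style, so one convention should be picked.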
@@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + 
minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i new file mode 100644 index 000000000..758281335 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i 
@@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMPv6 type and code information + + + + + ICMPv6 code + + u32:0-255 + ICMPv6 code (0-255) + + + + + + + + + ICMPv6 type + + u32:0-255 + ICMPv6 type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last 
second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i new file mode 100644 index 000000000..ba7c63cd6 --- /dev/null +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i 
@@ -0,0 +1,22 @@ + + + + Default-action for rule-set + + drop accept + + + drop + Drop if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + (drop|accept) + + + drop + + diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i new file mode 100644 index 000000000..3204a239d --- /dev/null +++ b/interface-definitions/include/firewall/global-options.xml.i 
@@ -0,0 +1,272 @@ + + + + Global Options + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + (enable|disable) + + + enable + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + (enable|disable) + + + disable + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + (enable|disable) + + + disable + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + (enable|disable) + + + disable + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + (enable|disable) + + + enable + + + + Policy for handling received IPv4 ICMP redirect messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + (enable|disable) + + + disable + + + + Retains last successful value if domain resolution fails + + + + + + Domain resolver update interval + + u32:10-3600 + Interval (seconds) + + + + + + 300 + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect 
messages + + + (enable|disable) + + + enable + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + (strict|loose|disable) + + + disable + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + (enable|disable) + + + enable + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + (enable|disable) + + + disable + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + (enable|disable) + + + disable + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + (enable|disable) + + + disable + + + + diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i new file mode 100644 index 000000000..13df71de3 --- /dev/null +++ b/interface-definitions/include/firewall/inbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match inbound-interface + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i new file mode 100644 index 000000000..b2f8271f7 --- /dev/null 
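Review bot: Two help strings relocated into this file carry typos worth fixing while the text is being moved: `RFC1337 TCP TIME-WAIT assasination hazards protection` (`assassination`) and `Disable logging of Ipv4 packets with invalid addresses` (`IPv4`). The enable/disable help for the IPv6 routing-header option is also inconsistent with itself — `routing header type 2` on enable versus `routing header` on disable — so one of the two should be corrected to whatever the underlying setting actually controls.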
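Review bot: The new file ends with `\ No newline at end of file`, as do ipv4-custom-name, the four ipv4-hook-* includes, ipv6-custom-name, the three ipv6-hook-* includes and outbound-interface. Depending on how the `#include` preprocessing step concatenates these fragments into firewall.xml.in, a missing final newline can glue a fragment's last line onto whatever follows the include; adding a trailing newline to each keeps the generated XML layout predictable.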
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv4 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i new file mode 100644 index 000000000..6179afe31 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv4 forward firewall + + + + + IPv4 firewall forward filter + + + #include + #include + + + IP Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i new file mode 100644 index 000000000..f9746378b --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i 
@@ -0,0 +1,43 @@ + + + + IPv4 input firewall + + + + + IPv4 firewall input filter + + + #include + #include + + + IP Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i new file mode 100644 index 000000000..a1820f314 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv4 output firewall + + + + + IPv4 firewall output filter + + + #include + #include + + + IP Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i new file mode 100644 index 000000000..229a25ef4 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i 
@@ -0,0 +1,85 @@ + + + + IPv4 prerouting firewall + + + + + IPv4 firewall prerouting filter + + + #include + #include + + + IP Firewall prerouting filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + IPv4 firewall prerouting raw + + + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall prerouting raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i new file mode 100644 index 000000000..6275036c1 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv6 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ipv6 ipv6-name + + + + + + IPv6 Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i new file mode 100644 index 000000000..042bd9931 --- /dev/null 
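Review bot: Both jump-target nodes under `prerouting raw` complete from `firewall ip name`, the same list the filter hooks use, but nftables only allows a jump to a chain in the same table; if the raw ruleset is rendered into a table separate from the custom `name` chains (the separate common-rule-ipv4-raw include suggests it may be), `nft` would refuse the generated rule at commit time instead of the CLI rejecting it at validation. Either restrict the completion for the raw rules to chains that will live in that table, or have the config script verify the target before rendering; a short comment next to the raw `jump-target` node stating which table the target must be in would help either way.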
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv6 forward firewall + + + + + IPv6 firewall forward filter + + + #include + #include + + + IPv6 Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i new file mode 100644 index 000000000..8c41e0aca --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 input firewall + + + + + IPv6 firewall input filter + + + #include + #include + + + IPv6 Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i new file mode 100644 index 000000000..9b756d870 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 output firewall + + + + + IPv6 firewall output filter + + + #include + #include + + + IPv6 Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file 
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i index 3e52422cf..a62bf8d89 100644 --- a/interface-definitions/include/firewall/match-interface.xml.i +++ b/interface-definitions/include/firewall/match-interface.xml.i @@ -5,6 +5,13 @@ + + txt + Interface name, wildcard (*) supported + + + #include + diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i new file mode 100644 index 000000000..8654dfd80 --- /dev/null +++ b/interface-definitions/include/firewall/outbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match outbound-interface + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index c32484542..dd21bfaca 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ - + -- cgit v1.2.3
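Review bot: The new `txt` alternative advertises `Interface name, wildcard (*) supported`, but no constraint on that value is visible in this hunk (the element names were lost in the rendering, and the enclosing node starts before the hunk), so it is not clear what limits a free-form string here. Since the interface name is later interpolated into generated nftables rule text, the config script should validate it (interface-name character set, `*` only as a suffix) before rendering, or a regex constraint — for example `[a-zA-Z0-9_.-]+\*?` — should sit next to the existing validator. If the added `#include` line already provides that, a one-line comment saying so would save the next reader the lookup.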