summaryrefslogtreecommitdiff
path: root/interface-definitions/service_conntrack-sync.xml.in
blob: 8ce82d867c0dff0e4a6f601665871b987b744c3e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
<?xml version="1.0"?>
<interfaceDefinition>
  <node name="service">
    <children>
      <node name="conntrack-sync" owner="${vyos_conf_scripts_dir}/conntrack_sync.py">
        <properties>
          <help>Connection tracking synchronization</help>
          <priority>995</priority>
        </properties>
        <children>
          <leafNode name="accept-protocol">
            <properties>
              <help>Protocols for which local conntrack entries will be synced</help>
              <completionHelp>
                <list>tcp udp icmp icmp6 sctp dccp</list>
              </completionHelp>
              <valueHelp>
                <format>tcp</format>
                <description>Sync Transmission Control Protocol entries</description>
              </valueHelp>
              <valueHelp>
                <format>udp</format>
                <description>Sync User Datagram Protocol entries</description>
              </valueHelp>
              <valueHelp>
                <format>icmp</format>
                <description>Sync Internet Control Message Protocol entries</description>
              </valueHelp>
              <valueHelp>
                <format>icmp6</format>
                <description>Sync IPv6 Internet Control Message Protocol entries</description>
              </valueHelp>
              <valueHelp>
                <format>sctp</format>
                <description>Sync Stream Control Transmission Protocol entries</description>
              </valueHelp>
              <valueHelp>
                <format>dccp</format>
                <description>Sync Datagram Congestion Control Protocol entries</description>
              </valueHelp>
              <constraint>
                <regex>^(tcp|udp|icmp|icmp6|sctp|dccp)$</regex>
              </constraint>
              <constraintErrorMessage>Allowed protocols: tcp udp icmp or sctp</constraintErrorMessage>
              <multi/>
            </properties>
          </leafNode>
          <leafNode name="disable-external-cache">
            <properties>
              <help>Directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall.</help>
              <valueless/>
            </properties>
          </leafNode>
          <leafNode name="event-listen-queue-size">
            <properties>
              <help>Queue size for local conntrack events</help>
              <valueHelp>
                <format>u32</format>
                <description>Queue size in MB</description>
              </valueHelp>
            </properties>
            <defaultValue>8</defaultValue>
          </leafNode>
          <leafNode name="expect-sync">
            <properties>
              <help>Protocol for which expect entries need to be synchronized</help>
              <completionHelp>
                <list>all ftp sip h323 nfs sqlnet</list>
              </completionHelp>
              <constraint>
                <regex>^(all|ftp|sip|h323|nfs|sqlnet)$</regex>
              </constraint>
              <constraintErrorMessage>Invalid protocol</constraintErrorMessage>
              <multi/>
            </properties>
          </leafNode>
          <node name="failover-mechanism">
            <properties>
              <help>Failover mechanism to use for conntrack-sync</help>
            </properties>
            <children>
              <node name="vrrp">
                <properties>
                  <help>VRRP as failover-mechanism to use for conntrack-sync</help>
                </properties>
                <children>
                  <leafNode name="sync-group">
                    <properties>
                      <help>VRRP sync group</help>
                      <completionHelp>
                        <path>high-availability vrrp sync-group</path>
                      </completionHelp>
                    </properties>
                  </leafNode>
                </children>
              </node>
            </children>
          </node>
          <leafNode name="ignore-address">
            <properties>
              <help>IP addresses for which local conntrack entries will not be synced</help>
              <valueHelp>
                <format>ipv4</format>
                <description>IPv4 address to ignore</description>
              </valueHelp>
              <valueHelp>
                <format>ipv4net</format>
                <description>IPv4 prefix to ignore</description>
              </valueHelp>
              <valueHelp>
                <format>ipv6</format>
                <description>IPv6 address to ignore</description>
              </valueHelp>
              <valueHelp>
                <format>ipv6net</format>
                <description>IPv6 prefix to ignore</description>
              </valueHelp>
              <constraint>
                <validator name="ipv4"/>
                <validator name="ipv6"/>
              </constraint>
              <multi/>
            </properties>
          </leafNode>
          <tagNode name="interface">
            <properties>
              <help>Interface to use for syncing conntrack entries</help>
              <completionHelp>
                <script>${vyos_completion_dir}/list_interfaces.py --bridgeable</script>
              </completionHelp>
            </properties>
            <children>
              <leafNode name="peer">
                <properties>
                  <help>IP address of the peer to send the UDP conntrack info too. This disable multicast.</help>
                  <valueHelp>
                    <format>ipv4</format>
                    <description>IP address to listen for incoming connections</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ipv4-address"/>
                  </constraint>
                </properties>
              </leafNode>
            </children>
          </tagNode>
          #include <include/listen-address-ipv4.xml.i>
          <leafNode name="mcast-group">
            <properties>
              <help>Multicast group to use for syncing conntrack entries</help>
              <constraint>
                <validator name="ipv4-multicast"/>
              </constraint>
            </properties>
            <defaultValue>225.0.0.50</defaultValue>
          </leafNode>
          <leafNode name="sync-queue-size">
            <properties>
              <help>Queue size for syncing conntrack entries</help>
              <valueHelp>
                <format>u32</format>
                <description>Queue size in MB</description>
              </valueHelp>
            </properties>
            <defaultValue>1</defaultValue>
          </leafNode>
        </children>
      </node>
    </children>
  </node>
</interfaceDefinition>