mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-05 12:35:20 +00:00
3a3b3691d1
Make use of the ebtables functionality to be able to filter certain parameters of icmpv6 packets. Extend the XML parser for icmpv6 types, type ranges, codes, and code ranges. Extend the nwfilter documentation, schema, and test cases. Being able to filter icmpv6 types and codes helps extending the DHCP snooper for IPv6 and filtering at least some parameters of IPv6's NDP (Neighbor Discovery Protocol) packets. However, the filtering will not be as good as the filtering of ARP packets since we cannot check on IP addresses in the payload of the NDP packets. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
1107 lines
30 KiB
XML
1107 lines
30 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<grammar ns="" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
|
|
<include href='basictypes.rng'/>
|
|
<start>
|
|
<ref name="filter"/>
|
|
</start>
|
|
<define name="filter">
|
|
<element name="filter">
|
|
<ref name="filter-node-attributes"/>
|
|
<optional>
|
|
<element name="uuid">
|
|
<ref name="UUID"/>
|
|
</element>
|
|
</optional>
|
|
<zeroOrMore>
|
|
<choice>
|
|
<element name="filterref">
|
|
<ref name="filterref-node-attributes"/>
|
|
</element>
|
|
<element name="rule">
|
|
<ref name="rule-node-attributes"/>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="mac">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="mac-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="vlan">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="vlan-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="stp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmacandmask-attributes"/>
|
|
<ref name="stp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="arp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="arp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="rarp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="arp-attributes"/> <!-- same as arp -->
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="ip">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="ip-attributes"/>
|
|
<ref name="dscp-attribute"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="common-l2-attributes"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="ip-attributes"/>
|
|
<ref name="icmp-attribute-ranges"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="tcp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="tcp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="udp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="sctp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="icmp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="icmp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="igmp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="all">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="esp">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="ah">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="udplite">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ip-attributes-p1"/>
|
|
<ref name="common-ip-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="tcp-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="tcp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="udp-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="sctp-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-port-attributes"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="icmpv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="icmp-attributes"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="all-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="esp-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="ah-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
<optional>
|
|
<zeroOrMore>
|
|
<element name="udplite-ipv6">
|
|
<ref name="match-attribute"/>
|
|
<ref name="srcmac-attribute"/>
|
|
<ref name="common-ipv6-attributes-p1"/>
|
|
<ref name="common-ipv6-attributes-p2"/>
|
|
<ref name="comment-attribute"/>
|
|
</element>
|
|
</zeroOrMore>
|
|
</optional>
|
|
</element>
|
|
</choice>
|
|
</zeroOrMore>
|
|
</element>
|
|
</define>
|
|
|
|
<!-- ########### attributes of XML nodes ############ -->
|
|
|
|
<define name="filter-node-attributes">
|
|
<attribute name="name">
|
|
<data type="NCName"/>
|
|
</attribute>
|
|
<optional>
|
|
<attribute name="chain">
|
|
<choice>
|
|
<value>root</value>
|
|
<data type="string">
|
|
<param name="pattern">mac[a-zA-Z0-9_\.:\-]{0,9}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">stp[a-zA-Z0-9_\.:\-]{0,9}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">vlan[a-zA-Z0-9_\.:\-]{0,8}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">arp[a-zA-Z0-9_\.:\-]{0,9}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">rarp[a-zA-Z0-9_\.:\-]{0,8}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">ipv4[a-zA-Z0-9_\.:\-]{0,8}</param>
|
|
</data>
|
|
<data type="string">
|
|
<param name="pattern">ipv6[a-zA-Z0-9_\.:\-]{0,8}</param>
|
|
</data>
|
|
</choice>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="priority">
|
|
<ref name='priority-type'/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="filterref-node-attributes">
|
|
<attribute name="filter">
|
|
<data type="NCName"/>
|
|
</attribute>
|
|
<zeroOrMore>
|
|
<element name="parameter">
|
|
<attribute name="name">
|
|
<ref name="filter-param-name"/>
|
|
</attribute>
|
|
<attribute name="value">
|
|
<ref name="filter-param-value"/>
|
|
</attribute>
|
|
</element>
|
|
</zeroOrMore>
|
|
</define>
|
|
|
|
<define name="rule-node-attributes">
|
|
<attribute name="action">
|
|
<ref name='action-type'/>
|
|
</attribute>
|
|
<attribute name="direction">
|
|
<ref name='direction-type'/>
|
|
</attribute>
|
|
<optional>
|
|
<attribute name="priority">
|
|
<ref name='priority-type'/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="statematch">
|
|
<ref name='statematch-type'/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="match-attribute">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="match">
|
|
<ref name="virYesNo"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="srcmac-attribute">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcmacaddr">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="srcmacandmask-attributes">
|
|
<interleave>
|
|
<ref name="srcmac-attribute"/>
|
|
<optional>
|
|
<attribute name="srcmacmask">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-l2-attributes">
|
|
<interleave>
|
|
<ref name="srcmacandmask-attributes"/>
|
|
<optional>
|
|
<attribute name="dstmacaddr">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstmacmask">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-ip-attributes-p1">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcipaddr">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="srcipmask">
|
|
<ref name="addrMask"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipaddr">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipmask">
|
|
<ref name="addrMask"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-ip-attributes-p2">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcipfrom">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="srcipto">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipfrom">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipto">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dscp">
|
|
<ref name="sixbitrange"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="connlimit-above">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="state">
|
|
<ref name="stateflags-type"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="ipset">
|
|
<ref name="ipset-name-type"/>
|
|
</attribute>
|
|
<attribute name="ipsetflags">
|
|
<ref name="ipset-flags-type"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-ipv6-attributes-p1">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcipaddr">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="srcipmask">
|
|
<ref name="addrMaskv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipaddr">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipmask">
|
|
<ref name="addrMaskv6"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-ipv6-attributes-p2">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcipfrom">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="srcipto">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipfrom">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstipto">
|
|
<ref name="addrIPv6"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dscp">
|
|
<ref name="sixbitrange"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="common-port-attributes">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="srcportstart">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="srcportend">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstportstart">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="dstportend">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="icmp-attributes">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="type">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="code">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="icmp-attribute-ranges">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="type">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="typeend">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="code">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="codeend">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="mac-attributes">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="protocolid">
|
|
<ref name="mac-protocolid"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="vlan-attributes">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="vlanid">
|
|
<ref name="vlan-vlanid"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="encap-protocol">
|
|
<ref name="mac-protocolid"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="stp-attributes">
|
|
<optional>
|
|
<attribute name="type">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="flags">
|
|
<ref name="uint8range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-priority">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-priority-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-address">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-address-mask">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-cost">
|
|
<ref name="uint32range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="root-cost-hi">
|
|
<ref name="uint32range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="sender-priority">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="sender-priority-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="sender-address">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="sender-address-mask">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="port">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="port-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="age">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="age-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="max-age">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="max-age-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="hello-time">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="hello-time-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="forward-delay">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="forward-delay-hi">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="arp-attributes">
|
|
<interleave>
|
|
<optional>
|
|
<attribute name="arpsrcmacaddr">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="arpsrcipaddr">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="arpdstmacaddr">
|
|
<ref name="addrMAC"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="arpdstipaddr">
|
|
<ref name="addrIP"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="hwtype">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="opcode">
|
|
<ref name="arpOpcodeType"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="protocoltype">
|
|
<ref name="uint16range"/>
|
|
</attribute>
|
|
</optional>
|
|
<optional>
|
|
<attribute name="gratuitous">
|
|
<ref name="boolean"/>
|
|
</attribute>
|
|
</optional>
|
|
</interleave>
|
|
</define>
|
|
|
|
<define name="ip-attributes">
|
|
<optional>
|
|
<attribute name="protocol">
|
|
<ref name="ipProtocolType"/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="dscp-attribute">
|
|
<optional>
|
|
<attribute name="dscp">
|
|
<ref name="sixbitrange"/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="comment-attribute">
|
|
<optional>
|
|
<attribute name="comment">
|
|
<ref name="comment-type"/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<define name="tcp-attributes">
|
|
<optional>
|
|
<attribute name="flags">
|
|
<ref name="tcpflags-type"/>
|
|
</attribute>
|
|
</optional>
|
|
</define>
|
|
|
|
<!-- ################ type library ################ -->
|
|
|
|
<define name="variable-name-type">
|
|
<data type="string">
|
|
<param name="pattern">$[a-zA-Z0-9_]+(\[[ ]*[@]?[0-9]+[ ]*\])?</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name="addrMAC">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([a-fA-F0-9]{1,2}:){5}[a-fA-F0-9]{1,2}</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="addrIP">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="addrIPv6">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)(([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9])?</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="addrMask">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">32</param>
|
|
</data>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([0-2]?[0-9]?[0-9]\.){3}[0-2]?[0-9]?[0-9]</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="addrMaskv6">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">128</param>
|
|
</data>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([a-fA-F0-9]{0,4}:){2,7}([a-fA-F0-9]*)</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="sixbitrange">
|
|
<choice>
|
|
<data type="string">
|
|
<param name="pattern">0x([0-3][0-9a-fA-F]|[0-9a-fA-F])</param>
|
|
</data>
|
|
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">63</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="mac-protocolid">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">0x([6-9a-fA-F][0-9a-fA-F]{2}|[0-9a-fA-F]{4})</param>
|
|
</data>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">1536</param>
|
|
<param name="maxInclusive">65535</param>
|
|
</data>
|
|
|
|
<choice>
|
|
<value>arp</value>
|
|
<value>rarp</value>
|
|
<value>ipv4</value>
|
|
<value>ipv6</value>
|
|
<value>vlan</value>
|
|
</choice>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="vlan-vlanid">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">0x([0-9a-fA-F]{1,3})</param>
|
|
</data>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">4095</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="uint16range">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">0x[0-9a-fA-F]{1,4}</param>
|
|
</data>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">65535</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="uint32range">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">0x[0-9a-fA-F]{1,8}</param>
|
|
</data>
|
|
|
|
<data type="unsignedInt"/>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="boolean">
|
|
<choice>
|
|
<value>yes</value>
|
|
<value>no</value>
|
|
<value>true</value>
|
|
<value>false</value>
|
|
<value>1</value>
|
|
<value>0</value>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="arpOpcodeType">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">65535</param>
|
|
</data>
|
|
|
|
<data type="string">
|
|
<param name="pattern">([Rr]eply|[Rr]equest|[Rr]equest_[Rr]everse|[Rr]eply_[Rr]everse|DRARP_[Rr]equest|DRARP_[Rr]eply|DRARP_[Ee]rror|InARP_[Rr]equest|ARP_NAK)</param>
|
|
</data>
|
|
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="ipProtocolType">
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
|
|
<data type="string">
|
|
<param name="pattern">0x[0-9a-fA-F]{1,2}</param>
|
|
</data>
|
|
|
|
<data type="int">
|
|
<param name="minInclusive">0</param>
|
|
<param name="maxInclusive">255</param>
|
|
</data>
|
|
|
|
<choice>
|
|
<value>tcp</value>
|
|
<value>udp</value>
|
|
<value>udplite</value>
|
|
<value>esp</value>
|
|
<value>ah</value>
|
|
<value>icmp</value>
|
|
<value>igmp</value>
|
|
<value>sctp</value>
|
|
<value>icmpv6</value>
|
|
</choice>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name="filter-param-name">
|
|
<data type="string">
|
|
<param name="pattern">[a-zA-Z0-9_]+</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name="filter-param-value">
|
|
<data type="string">
|
|
<param name="pattern">[a-zA-Z0-9_\.:]+</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name='action-type'>
|
|
<choice>
|
|
<value>drop</value>
|
|
<value>accept</value>
|
|
<value>reject</value>
|
|
<value>continue</value>
|
|
<value>return</value>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name='direction-type'>
|
|
<choice>
|
|
<value>in</value>
|
|
<value>out</value>
|
|
<value>inout</value>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name='priority-type'>
|
|
<data type="int">
|
|
<param name="minInclusive">-1000</param>
|
|
<param name="maxInclusive">1000</param>
|
|
</data>
|
|
</define>
|
|
<define name='statematch-type'>
|
|
<data type="string">
|
|
<param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name='comment-type'>
|
|
<data type="string"/>
|
|
</define>
|
|
|
|
<define name='stateflags-type'>
|
|
<data type="string">
|
|
<param name="pattern">((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*|NONE)</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name='tcpflags-type'>
|
|
<data type="string">
|
|
<param name="pattern">((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)/((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)</param>
|
|
</data>
|
|
</define>
|
|
|
|
<define name='ipset-name-type'>
|
|
<choice>
|
|
<ref name="variable-name-type"/>
|
|
<data type="string">
|
|
<param name="pattern">[a-zA-Z0-9_\.:\-\+ ]{1,31}</param>
|
|
</data>
|
|
</choice>
|
|
</define>
|
|
|
|
<define name='ipset-flags-type'>
|
|
<data type="string">
|
|
<param name="pattern">(src|dst)(,(src|dst)){0,5}</param>
|
|
</data>
|
|
</define>
|
|
</grammar>
|