Page Menu
Home
VyOS Platform
Search
Configure Global Search
Log In
Files
F38930190
system_conntrack.xml.in
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Flag For Later
Award Token
Size
22 KB
Referenced Files
None
Subscribers
None
system_conntrack.xml.in
View Options
<?xml version="1.0"?>
<interfaceDefinition>
<node name="system">
<children>
<node name="conntrack" owner="${vyos_conf_scripts_dir}/system_conntrack.py">
<properties>
<help>Connection Tracking Engine Options</help>
<!-- Before NAT and conntrack-sync are configured -->
<priority>218</priority>
</properties>
<children>
<leafNode name="flow-accounting">
<properties>
<help>Enable connection tracking flow accounting</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="expect-table-size">
<properties>
<help>Size of connection tracking expect table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking expect table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>2048</defaultValue>
</leafNode>
<leafNode name="hash-size">
<properties>
<help>Hash size for connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Size of hash to use for connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>32768</defaultValue>
</leafNode>
<node name="ignore">
<properties>
<help>Customized rules to ignore selective connection tracking</help>
</properties>
<children>
<node name="ipv4">
<properties>
<help>IPv4 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack ignore rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/source-destination-group-ipv4.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
<completionHelp>
<script>${vyos_completion_dir}/list_protocols.sh</script>
<list>all tcp_udp</list>
</completionHelp>
<valueHelp>
<format>all</format>
<description>All IP protocols</description>
</valueHelp>
<valueHelp>
<format>tcp_udp</format>
<description>Both TCP and UDP</description>
</valueHelp>
<valueHelp>
<format>u32:0-255</format>
<description>IP protocol number</description>
</valueHelp>
<valueHelp>
<format><protocol></format>
<description>IP protocol name</description>
</valueHelp>
<valueHelp>
<format>!<protocol></format>
<description>IP protocol name</description>
</valueHelp>
<constraint>
<validator name="ip-protocol"/>
</constraint>
</properties>
</leafNode>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/source-destination-group-ipv4.xml.i>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
</node>
<node name="ipv6">
<properties>
<help>IPv6 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack ignore rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to ignore connections tracking on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
#include <include/ip-protocol.xml.i>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
<completionHelp>
<script>${vyos_completion_dir}/list_protocols.sh</script>
<list>all tcp_udp</list>
</completionHelp>
<valueHelp>
<format>all</format>
<description>All IP protocols</description>
</valueHelp>
<valueHelp>
<format>tcp_udp</format>
<description>Both TCP and UDP</description>
</valueHelp>
<valueHelp>
<format>u32:0-255</format>
<description>IP protocol number</description>
</valueHelp>
<valueHelp>
<format><protocol></format>
<description>IP protocol name</description>
</valueHelp>
<valueHelp>
<format>!<protocol></format>
<description>IP protocol name</description>
</valueHelp>
<constraint>
<validator name="ip-protocol"/>
</constraint>
</properties>
</leafNode>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/firewall/source-destination-group-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
#include <include/firewall/tcp-flags.xml.i>
</children>
</tagNode>
</children>
</node>
</children>
</node>
<node name="log">
<properties>
<help>Log connection tracking events per protocol</help>
</properties>
<children>
<node name="icmp">
<properties>
<help>Log connection tracking events for ICMP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="other">
<properties>
<help>Log connection tracking events for all protocols other than TCP, UDP and ICMP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="tcp">
<properties>
<help>Log connection tracking events for TCP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
<node name="udp">
<properties>
<help>Log connection tracking events for UDP</help>
</properties>
<children>
#include <include/conntrack/log-common.xml.i>
</children>
</node>
</children>
</node>
<node name="modules">
<properties>
<help>Connection tracking modules</help>
</properties>
<children>
<leafNode name="ftp">
<properties>
<help>FTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="h323">
<properties>
<help>H.323 connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="nfs">
<properties>
<help>NFS connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="pptp">
<properties>
<help>PPTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="rtsp">
<properties>
<help>RTSP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sip">
<properties>
<help>SIP connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="sqlnet">
<properties>
<help>SQLnet connection tracking</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="tftp">
<properties>
<help>TFTP connection tracking</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="table-size">
<properties>
<help>Size of connection tracking table</help>
<valueHelp>
<format>u32:1-50000000</format>
<description>Number of entries allowed in connection tracking table</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-50000000"/>
</constraint>
</properties>
<defaultValue>262144</defaultValue>
</leafNode>
<node name="tcp">
<properties>
<help>TCP options</help>
</properties>
<children>
<leafNode name="half-open-connections">
<properties>
<help>Maximum number of TCP half-open connections</help>
<valueHelp>
<format>u32:1-2147483647</format>
<description>Generic connection timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-2147483647"/>
</constraint>
</properties>
<defaultValue>512</defaultValue>
</leafNode>
<leafNode name="loose">
<properties>
<help>Policy to track previously established connections</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Allow tracking of previously established connections</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Do not allow tracking of previously established connections</description>
</valueHelp>
<constraint>
<regex>(enable|disable)</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<leafNode name="max-retrans">
<properties>
<help>Maximum number of packets that can be retransmitted without received an ACK</help>
<valueHelp>
<format>u32:1-255</format>
<description>Number of packets to be retransmitted</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
</children>
</node>
<node name="timeout">
<properties>
<help>Connection timeout options</help>
</properties>
<children>
<node name="custom">
<properties>
<help>Define custom timeouts per connection</help>
</properties>
<children>
<node name="ipv4">
<properties>
<help>IPv4 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to apply custom connection timers on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/nat-address.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
<node name="ipv6">
<properties>
<help>IPv6 rules</help>
</properties>
<children>
<tagNode name="rule">
<properties>
<help>Rule number</help>
<valueHelp>
<format>u32:1-999999</format>
<description>Number of conntrack rule</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-999999"/>
</constraint>
<constraintErrorMessage>Timeout rule number must be between 1 and 999999</constraintErrorMessage>
</properties>
<children>
#include <include/generic-description.xml.i>
<node name="destination">
<properties>
<help>Destination parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
<leafNode name="inbound-interface">
<properties>
<help>Interface to apply custom connection timers on</help>
<completionHelp>
<list>any</list>
<script>${vyos_completion_dir}/list_interfaces</script>
</completionHelp>
</properties>
</leafNode>
<node name="protocol">
<properties>
<help>Customize protocol specific timers, one protocol configuration per rule</help>
</properties>
<children>
#include <include/conntrack/timeout-custom-protocols.xml.i>
</children>
</node>
<node name="source">
<properties>
<help>Source parameters</help>
</properties>
<children>
#include <include/firewall/address-ipv6.xml.i>
#include <include/nat-port.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
File Metadata
Details
Attached
Mime Type
text/xml
Expires
Tue, Dec 16, 3:59 AM (22 h, 58 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3071901
Default Alt Text
system_conntrack.xml.in (22 KB)
Attached To
Mode
rVYOSONEX vyos-1x
Attached
Detach File
Event Timeline
Log In to Comment