3db7181104
Make it configurable how many packets get handled at a max per signal to prevent DoS attacks by clients. Issue #2953
150 lines
5.5 KiB
XML
150 lines
5.5 KiB
XML
<?xml version="1.0"?>
|
|
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
|
|
|
|
<xs:include schemaLocation="base_types.xsd"/>
|
|
<xs:include schemaLocation="net_types.xsd"/>
|
|
<xs:include schemaLocation="timeout_types.xsd"/>
|
|
|
|
<xs:simpleType name="Domain_name">
|
|
<xs:restriction base="xs:string">
|
|
<xs:minLength value="1"/>
|
|
<xs:maxLength value="160"/>
|
|
</xs:restriction>
|
|
</xs:simpleType><!-- Domain_name -->
|
|
|
|
<xs:simpleType name="Nr_of_ports">
|
|
<xs:restriction base="xs:integer">
|
|
<xs:minInclusive value="1"/>
|
|
<xs:maxInclusive value="65536"/>
|
|
</xs:restriction>
|
|
</xs:simpleType><!-- Nr_of_ports -->
|
|
|
|
<xs:complexType name="L2_rule">
|
|
<xs:attribute name="dst" type="Ipv4_address_prefix" />
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType><!-- L2_rule -->
|
|
|
|
<xs:complexType name="L3_rule">
|
|
<xs:choice minOccurs="0" maxOccurs="unbounded">
|
|
|
|
<xs:element name="permit">
|
|
<xs:complexType>
|
|
<xs:attribute name="port" type="Port" />
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- permit -->
|
|
|
|
<xs:element name="permit-any">
|
|
<xs:complexType>
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- permit-any -->
|
|
|
|
</xs:choice>
|
|
<xs:attribute name="dst" type="Ipv4_address_prefix" />
|
|
</xs:complexType><!-- L3_rule -->
|
|
|
|
<xs:complexType name="L3_forward_rule">
|
|
<xs:attribute name="port" type="Port" />
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
<xs:attribute name="to" type="Ipv4_address" />
|
|
</xs:complexType><!-- L3_forward_rule -->
|
|
|
|
<xs:element name="config">
|
|
<xs:complexType>
|
|
<xs:choice minOccurs="0" maxOccurs="unbounded">
|
|
|
|
<xs:element name="report">
|
|
<xs:complexType>
|
|
<xs:attribute name="config" type="Boolean" />
|
|
<xs:attribute name="config_triggers" type="Boolean" />
|
|
<xs:attribute name="bytes" type="Boolean" />
|
|
<xs:attribute name="interval_sec" type="Seconds" />
|
|
</xs:complexType>
|
|
</xs:element><!-- report -->
|
|
|
|
<xs:element name="default-policy">
|
|
<xs:complexType>
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- default-policy -->
|
|
|
|
<xs:element name="policy">
|
|
<xs:complexType>
|
|
<xs:complexContent>
|
|
<xs:extension base="Session_policy">
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:extension>
|
|
</xs:complexContent>
|
|
</xs:complexType>
|
|
</xs:element><!-- policy -->
|
|
|
|
<xs:element name="uplink">
|
|
<xs:complexType>
|
|
<xs:attribute name="label" type="Session_label" />
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- uplink -->
|
|
|
|
<xs:element name="domain">
|
|
<xs:complexType>
|
|
<xs:choice minOccurs="0" maxOccurs="unbounded">
|
|
|
|
<xs:element name="ip" type="L2_rule" />
|
|
<xs:element name="icmp" type="L2_rule" />
|
|
|
|
<xs:element name="nat">
|
|
<xs:complexType>
|
|
<xs:attribute name="icmp-ids" type="Nr_of_ports" />
|
|
<xs:attribute name="tcp-ports" type="Nr_of_ports" />
|
|
<xs:attribute name="udp-ports" type="Nr_of_ports" />
|
|
<xs:attribute name="domain" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- nat -->
|
|
|
|
<xs:element name="dhcp-server">
|
|
<xs:complexType>
|
|
<xs:attribute name="ip_first" type="Ipv4_address" />
|
|
<xs:attribute name="ip_last" type="Ipv4_address" />
|
|
<xs:attribute name="ip_lease_time_sec" type="Seconds" />
|
|
<xs:attribute name="dns_server" type="Ipv4_address" />
|
|
<xs:attribute name="dns_server_from" type="Domain_name" />
|
|
</xs:complexType>
|
|
</xs:element><!-- dhcp-server -->
|
|
|
|
<xs:element name="tcp" type="L3_rule" />
|
|
<xs:element name="udp" type="L3_rule" />
|
|
<xs:element name="tcp-forward" type="L3_forward_rule" />
|
|
<xs:element name="udp-forward" type="L3_forward_rule" />
|
|
|
|
</xs:choice>
|
|
<xs:attribute name="name" type="Domain_name" />
|
|
<xs:attribute name="interface" type="Ipv4_address_prefix" />
|
|
<xs:attribute name="gateway" type="Ipv4_address" />
|
|
<xs:attribute name="verbose_packets" type="Boolean" />
|
|
<xs:attribute name="verbose_packet_drop" type="Boolean" />
|
|
<xs:attribute name="label" type="Session_label" />
|
|
<xs:attribute name="icmp_echo_server" type="Boolean" />
|
|
</xs:complexType>
|
|
</xs:element><!-- domain -->
|
|
|
|
</xs:choice>
|
|
<xs:attribute name="max_packets_per_signal" type="xs:nonNegativeInteger" />
|
|
<xs:attribute name="verbose" type="Boolean" />
|
|
<xs:attribute name="verbose_packets" type="Boolean" />
|
|
<xs:attribute name="verbose_packet_drop" type="Boolean" />
|
|
<xs:attribute name="verbose_domain_state" type="Boolean" />
|
|
<xs:attribute name="dhcp_discover_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="dhcp_request_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="dhcp_offer_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="udp_idle_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="tcp_idle_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="icmp_idle_timeout_sec" type="Seconds" />
|
|
<xs:attribute name="tcp_max_segm_lifetime_sec" type="Seconds" />
|
|
<xs:attribute name="icmp_echo_server" type="Boolean" />
|
|
<xs:attribute name="ld_verbose" type="Boolean" />
|
|
</xs:complexType>
|
|
</xs:element><!-- config -->
|
|
|
|
</xs:schema>
|