Name

ip-array_templates — Configure ip-array templates

Synopsis

/etc/ip-array/{stable|test}/conf.d/templates.d/file

Description

A ruleblock is a group (stack) of rules, containing only the values of each option, to be read in order of occurrence. The structure of the ruleblock is defined in a template. Each rule entry in a ruleblock is interpreted column-wise. How the values in each column are interpreted is defined in the template called with the ruleblock.

Syntax

A template definition file must contain the following:

  1. First a root tag including the describing name attribute and the syntax version:

    <ip_array_root name="iptables_templates" syntax_version="1.0">

    The name attribute tells us it is an iptables template.

    The syntax_version attribute defines the syntax version (only 1.0 exists so far).

  2. The actual template tag including the name attribute defining the name of the template:

    <template name="T_EXAMPLE">

    The template name must begin with one of the following prefixes: T_, BT_, GT_, TEMPLATE_, BASE_TEMPLATE_, GLOBAL_TEMPLATE_.

Tags

The following list describes the tags which are valid inside the templates.

table

The name of the iptables table (defaults to `filter' if unset).

target

A comma separated list of iptables targets. Usually the target will be 'jumped' (--jump) to. To use a goto (--goto) instead, prefix the target name with `goto:'.

chain

A comma separated list of iptables chains. A maximum of 2 chain names can be specified if reverse_mode is `reverse' or `mirror'; otherwise only one is valid.

reverse_mode

Reverse mode can be set to either `reverse' or `mirror'. In both cases a second option list is processed (most likely for the return traffic); see option_list_1 below. If `mirror' is specified, the first option list is copied to the second one; with `reverse', option_list_1 is used.

reverse_condition

If this condition evaluates to true, then reverse mode will be used (only meaningful if reverse_mode is specified; otherwise this setting has no effect).

The condition must be defined like this:

foo:bar

where foo is the condition and bar is the value it has to match.

template_msg

A message that will be displayed when the template is called, if VERBOSE is greater than or equal to 3.

mandatory_vars

A comma separated list of variable names that must be defined in the ruleblock called with the template.

load_template

Other templates to load into the current one.

Important

Loaded templates are always read before any option_list or always_use list, so from the ruleblock's perspective their columns appear further to the left.

option_list_0

These are the actual iptables arguments which will be filled with values from the ruleblock called with the template.

The list of valid iptables arguments and their usage can be displayed with: ip-array show -sc ipt_args[,...].

You can define default values to be used by using this syntax:

name=default_value

e.g. idev=eth0

These default values will be used if the corresponding ruleblock entry is not defined (filled with the rule placeholder value, or undefined).

option_list_1

This second list of iptables options is used for the reverse_mode if set to `reverse'. For example, what was idev (input interface) becomes odev (output interface) in the reverse rule.

always_use_0

You can define default values for option_list_0 by using this syntax:

name=default_value

e.g. idev=eth0

always_use_1

You can define default values for option_list_1 by using this syntax:

name=default_value

e.g. odev=eth0

state_match_arg

A maximum of two comma separated lists of state names for the state/conntrack match, e.g. NEW,ESTABLISHED ESTABLISHED.

The second one is only used if the reverse_mode is set to `reverse'.
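To make the rules above concrete, here is an added validator (example code, not part of ip-array) that checks a constructed template file against the constraints this page states: the root tag and syntax version, the template name prefixes, the chain count permitted by reverse_mode, the foo:bar form of reverse_condition, and the two-list limit of state_match_arg. It assumes each tag is an XML element whose text holds its value; that element layout is an assumption, not something the page specifies.

```python
# Assumption (not from the man page): each tag is an XML element whose text
# holds its value, e.g. <chain>INPUT,OUTPUT</chain>.
import xml.etree.ElementTree as ET

PREFIXES = ("T_", "BT_", "GT_", "TEMPLATE_", "BASE_TEMPLATE_", "GLOBAL_TEMPLATE_")

# Constructed sample templates file (not from the ip-array project).
SAMPLE = """<ip_array_root name="iptables_templates" syntax_version="1.0">
  <template name="T_EXAMPLE">
    <target>ACCEPT</target>
    <chain>INPUT,OUTPUT</chain>
    <reverse_mode>reverse</reverse_mode>
    <reverse_condition>proto:tcp</reverse_condition>
    <option_list_0>idev=eth0,saddr,dport</option_list_0>
    <option_list_1>odev=eth0,daddr,sport</option_list_1>
    <state_match_arg>NEW,ESTABLISHED ESTABLISHED</state_match_arg>
  </template>
  <template name="BAD_NAME">
    <chain>INPUT,OUTPUT</chain>
    <reverse_condition>proto</reverse_condition>
  </template>
</ip_array_root>"""

def _text(tmpl, tag):
    el = tmpl.find(tag)
    return el.text.strip() if el is not None and el.text else None

def validate_template(tmpl):
    """Return the problems found in one <template> element (empty if valid)."""
    name, problems = tmpl.get("name", ""), []
    if not name.startswith(PREFIXES):
        problems.append(f"{name}: template name lacks a valid prefix")
    mode = _text(tmpl, "reverse_mode")
    if mode not in (None, "reverse", "mirror"):
        problems.append(f"{name}: reverse_mode must be `reverse' or `mirror'")
    # Two chains are allowed only when a reverse rule is generated.
    chains = [c for c in (_text(tmpl, "chain") or "").split(",") if c]
    limit = 2 if mode in ("reverse", "mirror") else 1
    if len(chains) > limit:
        problems.append(f"{name}: {len(chains)} chains but only {limit} allowed")
    cond = _text(tmpl, "reverse_condition")
    if cond is not None and (mode is None or ":" not in cond):
        problems.append(f"{name}: reverse_condition needs reverse_mode and the form foo:bar")
    if len((_text(tmpl, "state_match_arg") or "").split()) > 2:
        problems.append(f"{name}: state_match_arg allows at most two lists")
    return problems

def validate_file(xml_text):
    """Check the root tag, then every template; return a list of problems."""
    root = ET.fromstring(xml_text)
    if root.tag != "ip_array_root" or root.get("syntax_version") != "1.0":
        return ["root tag must be <ip_array_root ... syntax_version=\"1.0\">"]
    return [p for t in root.findall("template") for p in validate_template(t)]
```

Running validate_file(SAMPLE) reports nothing for T_EXAMPLE and three problems for BAD_NAME (bad prefix, two chains without reverse_mode, malformed reverse_condition).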

Usage guidelines

It is recommended to build small building-block templates (called base templates) and to combine them modularly into your final templates (using the load_template tag).

See also

ip-array(8), ip-array.conf(8), ip-array_defaults.conf(8), ip-array_ruleblocks(5), ip-array_rulefiles(5), ip-array_sysctl_rules(5)