Name

ip-array ruleblocks — Configure ip-array ruleblocks

Synopsis

/etc/ip-array/{stable|test}/conf.d/ruleblocks.d/file

Description

A ruleblock is a group (stack) of rules, containing only the values of each option, to be read in order of occurrence. The structure of a ruleblock is defined in a template. Each rule entry in a ruleblock is interpreted column-wise; how the values in each column are interpreted is defined in the template called with the ruleblock.

Syntax

A ruleblock definition file must contain the following:

  1. First a root tag including the describing name attribute and the syntax version:

    <ip_array_root name="ruleblocks" syntax_version="1.0">

    The name attribute tells us it is a ruleblocks definition.

    The syntax_version attribute defines the syntax version (only 1.0 is available at present).

  2. The actual ruleblock tag including the name attribute defining the name of the ruleblock:

    <ruleblock name="RULEBLOCK_EXAMPLE">

    The ruleblock name must begin with one of the following prefixes: RB_, RULEBLOCK_.

Usage guidelines

It's a good idea to write down the structure of the template you want to call the ruleblock with as a comment below the ruleblock opening tag. This way you will easily remember what each column has to contain.

A newline separates rules inside a ruleblock. So if your template defines, for example, a ruleblock structure like this:

table chain target proto src

then an entry in the ruleblock may look like this:

filter INPUT ACCEPT tcp 1.1.1.1

You can use your shell variables inside ruleblock rules.

XML style comments (<!-- comment -->) are valid inside ruleblocks.

If you want to leave a value in a column undefined use the character defined with RULE_PLACEHOLDER (default = `_') as a placeholder.

To use spaces inside a column value, use either escaped double quotes (\"value with space\") or single quotes ('value with space').

If the structure of a ruleblock does not fit your needs, it is possible to use the inline functions inside it to add a rule with a different structure.
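The column-wise interpretation described above, as an added example in Python that is not part of ip-array itself: it reads a constructed ruleblock file against a template structure, drops XML-style comments, honours both quoting forms and the `_` placeholder, and substitutes shell-style `$VAR` references from a supplied dictionary (a simplification of the shell's own expansion; the closing tags in the sample are assumed).

```python
import re
import shlex

RULE_PLACEHOLDER = "_"   # default placeholder named in the man page

# Constructed sample file in the documented syntax; closing tags are an assumption.
SAMPLE = r"""<ip_array_root name="ruleblocks" syntax_version="1.0">
<ruleblock name="RB_WEB">
<!-- table chain target proto src -->
filter INPUT ACCEPT tcp 1.1.1.1
filter INPUT ACCEPT tcp $ADMIN_NET
<!-- anything else from this host is dropped -->
filter INPUT DROP _ 10.0.0.5
filter INPUT LOG _ 'value with space'
filter INPUT LOG _ \"other value\"
</ruleblock>
</ip_array_root>
"""

def parse_ruleblocks(text, columns, env=None, placeholder=RULE_PLACEHOLDER):
    """Map ruleblock name -> list of rules; each rule maps column name -> value (None = placeholder)."""
    root = re.search(r'<ip_array_root\s+name="ruleblocks"\s+syntax_version="([^"]+)"', text)
    if not root or root.group(1) != "1.0":
        raise ValueError("not a ruleblocks definition with syntax_version 1.0")
    text = re.sub(r"<!--.*?-->", "", text, flags=re.S)   # XML-style comments are allowed; strip them
    env = env or {}
    blocks = {}
    for m in re.finditer(r'<ruleblock\s+name="([^"]+)">(.*?)</ruleblock>', text, flags=re.S):
        name, body = m.group(1), m.group(2)
        if not name.startswith(("RB_", "RULEBLOCK_")):
            raise ValueError(f"ruleblock name {name!r} must begin with RB_ or RULEBLOCK_")
        rules = []
        for line in body.splitlines():                    # newline separates rules
            if not line.strip():
                continue
            # \"..\" and '..' both keep spaces inside one column; map \" to a plain quote for shlex
            fields = shlex.split(line.replace('\\"', '"'))
            if len(fields) != len(columns):
                raise ValueError(f"{name}: expected {len(columns)} columns, got {len(fields)} in {line!r}")
            rule = {}
            for col, val in zip(columns, fields):
                if val == placeholder:
                    rule[col] = None                      # column left undefined
                else:                                     # simplified $VAR expansion (assumption)
                    rule[col] = re.sub(r"\$(\w+)", lambda v: env.get(v.group(1), v.group(0)), val)
            rules.append(rule)
        blocks[name] = rules
    return blocks
```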

Inline functions

Inline functions are used inside ruleblocks. Sometimes the structure of a ruleblock does not fit the current need; inline functions are a way around this, and they also allow the behaviour of rule processing to be modified.

The following functions are available inline: add_rule, insert_ipt_rule and create_chain.

For a description on how to use them run: ip-array show -sc public_functions[:name[,...]].

See also

ip-array(8), ip-array.conf(8), ip-array_defaults.conf(8), ip-array_rulefiles(5), ip-array_sysctl_rules(5), ip-array_templates(5)