Difference between revisions of "Configuration file"
Revision as of 20:55, 6 November 2013
This page mainly describes the syntax of the configuration. The functionality of the system is fully defined by its configuration file, together with system modifications such as skeleton files if root access is enabled. Since root access is disabled by default, administrators can normally get a complete picture of the system by studying the configuration file. In the web administration interface it can be viewed on the Configuration > Plain-text editor page. Using the CLI (for example over SSH) it is viewed by entering configuration mode with `configure` and typing `show`:

```
user@host> configure
[]
user@host# show
bgp {
...
```
How the file is used by the system
The configuration is stored in a revision-managed database. Every time a new configuration is saved, it is committed to the database. The current (running) configuration is obtained by checking out the latest revision, called HEAD. Each revision has a revision number, which is a simple, increasing integer counter. When a user commits a configuration, it is first applied (made effective on the system); only if the application succeeds is it saved.
Whenever a new configuration is applied, it is transformed into event keys, each of which may have an ID and several values. The new keys are compared to the keys of the old (running) configuration, and the differences form the event list. If a user commits a configuration that results in no events (no differences in keys), an exception (error) is raised. One example would be a user adding the line `media autoselect` to an interface: since autoselect is the default media type, no event is generated by this change (which is correct, since it does not represent a change in the system state). If a list of events is generated, it is delivered to the backend routines responsible for updating the system state, and the minimal change needed to bring the system into the newly requested state is performed.
Upon boot (system startup) the backend checks out the latest revision (HEAD) and compares it to the old list of keys, which is of course empty. Thus every change necessary to bring a freshly reset system into the state requested by the configuration is performed.
File format and syntax
The configuration has a hierarchical format, with one statement per line and child/parent relationships indicated by curly brackets and tabs. For example, the address 2a01:2b0:3030:3337::da7a/64 (prefix length 64) with the matching default gateway 2a01:2b0:3030:1337::1, configured on a VLAN with tag 1 on the physical interface with device name em0, is represented as

```
interface em0 {
	interface vlan1 {
		address 2a01:2b0:3030:1337::da7a/64
		route default 2a01:2b0:3030:1337::1
	}
}
```
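As an added example (not code from the original page or from the appliance itself), the following Python script parses the brace-delimited format just described and then performs the event-key comparison from the "How the file is used by the system" section: it flattens two revisions into key sets, drops statements that equal a default from the grammar table (the `media autoselect` case), and refuses a commit that yields no events. The `Node` class, the `DEFAULTS` subset and the sample revisions are constructed for this example, and the parser assumes nesting is determined by the braces alone, with tabs being cosmetic.

```python
"""Added example, not code from the original page: a small parser for the
hierarchical configuration format described above, plus the event-key
comparison that the "How the file is used by the system" section describes.
All configuration text here is constructed for the example."""

import shlex
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Key = Tuple[str, ...]  # path of statements from the root, e.g. ("interface em0", "mtu 1500")


@dataclass
class Node:
    """One statement: its keyword, its arguments and any child statements."""
    keyword: str
    args: List[str]
    children: List["Node"] = field(default_factory=list)


def parse(text: str) -> List[Node]:
    """One statement per line; a trailing '{' opens a scope, a lone '}' closes it.
    Nesting is taken from the braces alone, so the tabs are cosmetic to this
    parser (an assumption; the page says braces and tabs indicate nesting)."""
    root: List[Node] = []
    stack: List[List[Node]] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(raw)  # quoted strings become one token, quotes dropped
        except ValueError as exc:
            raise SyntaxError(f"line {lineno}: {exc}") from None
        if not tokens:
            continue
        if tokens == ["}"]:
            if len(stack) == 1:
                raise SyntaxError(f"line {lineno}: '}}' without an open scope")
            stack.pop()
            continue
        opens = tokens[-1] == "{"
        if opens:
            tokens = tokens[:-1]
        if not tokens:
            raise SyntaxError(f"line {lineno}: '{{' needs a statement before it")
        node = Node(tokens[0], tokens[1:])
        stack[-1].append(node)
        if opens:
            stack.append(node.children)
    if len(stack) != 1:
        raise SyntaxError("end of file inside an open scope (missing '}')")
    return root


# Defaults taken from the grammar table: a statement equal to its default is
# no change in system state, so it yields no key (the page's 'media autoselect' case).
DEFAULTS = {
    "media": ["autoselect"],
    "mode": ["autoselect"],
    "rdomain": ["0"],
    "metric": ["0"],
}


def event_keys(nodes: List[Node], prefix: Key = ()) -> Set[Key]:
    """Flatten a tree into the set of keys that the backend compares."""
    keys: Set[Key] = set()
    for node in nodes:
        if DEFAULTS.get(node.keyword) == node.args:
            continue
        key = prefix + (" ".join([node.keyword, *node.args]),)
        keys.add(key)
        keys |= event_keys(node.children, key)
    return keys


def events(running: str, candidate: str) -> List[Tuple[str, str]]:
    """Diff two revisions into ('remove'|'add', key) events; refuse a no-op commit.
    At boot the running text is empty, so every key becomes an 'add' event."""
    old, new = event_keys(parse(running)), event_keys(parse(candidate))
    evs = [("remove", "/".join(k)) for k in sorted(old - new)]
    evs += [("add", "/".join(k)) for k in sorted(new - old)]
    if not evs:
        raise ValueError("commit refused: the configuration results in no events")
    return evs


# Constructed sample revisions (the page's VLAN example, lightly varied).
RUNNING = """\
interface em0 {
\tinterface vlan1 {
\t\taddress 2a01:2b0:3030:1337::da7a/64
\t\troute default 2a01:2b0:3030:1337::1
\t}
}
"""
# Adds only 'media autoselect', the default: committing this must be refused.
NO_OP = RUNNING.replace("interface em0 {\n", "interface em0 {\n\tmedia autoselect\n", 1)
# A real change: a description is added and the default route moves to another gateway.
CHANGED = RUNNING.replace(
    "interface em0 {\n", 'interface em0 {\n\tdescription "uplink"\n', 1
).replace("::1\n", "::2\n")

if __name__ == "__main__":
    for kind, key in events("", RUNNING):  # boot: the old key list is empty
        print(kind, key)
```

Running the script prints the four `add` events a boot produces for the sample revision. Keys are whole statement paths rather than keyword names, so changing a route's gateway shows up as one `remove` and one `add`, which is exactly the pair the backend needs in order to replace the route rather than re-apply the whole interface.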
Configuration grammar
The table below specifies the entire configuration grammar and what each statement does. Multiple means the statement may appear more than once in its scope; Default is the value in effect when the statement is omitted.

Grammar | Category | Multiple | Default | Comment
---|---|---|---|---
`interface name {` | Generic | Yes | | The options in this scope are shared and apply to most interface types
`group "string"` | | Yes | | Add the interface to a group (a good way to name interfaces)
`description "string"` | | | | Free-text description of the interface, for display only
`address cidr` | | Yes | | Add an address with netmask using CIDR notation (both IPv4 and IPv6)
`mtu integer` | | | | Set the interface's MTU
`ll-address lladdr` | | | | Set the interface's link layer (MAC) address
`proxy-arp cidr` | | Yes | | Add proxy ARP for a host or CIDR (inclusive)
`ll-client` | | | | Configure a link-local IPv4 address
`router-advertisement {` | Routing | | | Enable IPv6 router advertisement on this interface
`name-server addr` | | Yes | System's DNS | Use the specified name server instead of the system's name servers
`search-domain fqdn` | | | System's domain | Use the specified search domain instead of the system's search domain
`}` | | | |
`router-solicitation` | | | | Configures an IPv6 route, and possibly an address, automatically
`route cidr addr {` | | Yes | | Add a static route to cidr via the gateway addr (both IPv4 and IPv6)
`label "string"` | | | | Set a label on the route
`}` | | | |
`rdomain integer` | | | 0 | Place the interface in one of the routing domains
`mpls` | | | | Enable MPLS label processing on the interface
`metric integer` | | | 0 | Set the metric to integer hops, used by some routing protocols
`interface vlanid {` | 802.1q | Yes | | Create a VLAN interface on the parent interface with tag id
`shared options` | | Yes | | Most shared options, such as address and group
`tag integer` | | | vlan's id | Set the interface's VLAN tag
`}` | | | |
`interface svlanid {` | 802.1ad | Yes | | Create a QinQ/provider bridge VLAN interface on the parent interface with tag id
`shared options` | | Yes | | Most shared options, as for interface vlanX
`tag integer` | | | svlan's id | Set the interface's VLAN tag
`}` | | | |
`interface carpid {` | Failover | Yes | | Create a failover (redundant address) on the parent interface
`shared options` | | Yes | | Most shared options, such as address and group
`vhid integer` | | | 1 | Set the virtual (redundant) IP's ID
`advbase integer` | | | 1 | Set the announce interval in seconds
`advskew integer` | | | 0 | Skew the announce interval
`password "string"` | | | Empty | Set the authentication key
`}` | | | |
`interface pfsyncid {` | | Yes | | Create a firewall state synchronization interface on the parent interface
`shared options` | | Yes | | Many shared options, such as description and group
`sync-peer ipv4addr` | | | | If specified, synchronize with this peer instead of multicasting
`}` | | | |
`interface pppoeid {` | | Yes | | Create a PPPoE interface on the parent interface
`shared options` | | Yes | | Many shared options, such as description and group
`user username` | | | | Set the PPPoE username
`password password` | | | | Set the PPPoE password
`}` | | | |
`dhcp-client {` | DHCP | | | Configure the parent interface's address automatically using DHCP
`timeout integer` | | | 60 | DHCP client timeout in seconds
`retry integer` | | | 300 | DHCP client total retry timeout in seconds
`request "string"` | | Yes | Everything | Objects to request, such as "router" or "name-server"
`}` | | | |
`dhcp-server {` | | | | Announce the parent interface's network configuration using DHCP
`router addr` | | | Parent's address | Use the specified address instead of the interface's first address
`range addr addr` | | | Calculated | Use the specified address range instead of the automatically calculated one
`name-server addr` | | Yes | System's DNS | Use the specified name server instead of the system's name servers
`search-domain fqdn` | | | System's domain | Use the specified search domain instead of the system's search domain
`lease-time integer` | | | 43200 | Set the lease time, in seconds
`max-lease-time integer` | | | 86400 | Set the maximum lease time, in seconds
`option integer hex` | | Yes | | Set options (e.g. option 43 0x..)
`host "string" {` | | Yes | | Create a reserved DHCP lease (BOOTP host)
`ll-address lladdr` | | | | The reserved host's link layer (MAC) address
`address ipv4addr` | | | | The reserved host's IPv4 address
`}` | | | |
`}` | | | |
`dhcp-relay {` | | | | Relay DHCP on the parent interface
`server addr` | | Yes | | Add a server to the list of servers to forward requests to
`option integer` | | Yes | | Set options (e.g. option 82)
`}` | | | |
`dhcp6-client` | DHCPv6 | | | Configure the parent interface's IPv6 address automatically using DHCPv6
`dhcp6-delegate {` | | | | Configure the parent interface's IPv6 address using DHCPv6 PD (prefix delegation)
`address addr` | | | ::1:0:0:0:1/64 | The address to append after the delegated prefix (SLA ID)
`interface interface` | | | any | Select a specific dhcp6-client by its parent interface
`}` | | | |
`dhcp6-server {` | | | | Announce using DHCPv6; affects router-advertisement flags
`range addr addr` | | | | Use stateful (managed) DHCPv6; affects router-advertisement flags
`name-server addr` | | Yes | System's DNS | Use the specified name server instead of the system's name servers
`search-domain fqdn` | | | System's domain | Use the specified search domain instead of the system's search domain
`lease-time integer` | | | 3600 | Set the lease time, in seconds
`}` | | | |
`firewall {` | Generic | Yes | | Add firewall rules (pf) directly to the interface as a conditional anchor
`firewall rules` | | Yes | | Firewall rules such as pass and block
`}` | | | |
`ftp-proxy` | | | | Add an ftp-proxy for local clients (active FTP)
`pptp-proxy` | | | | Add a pptp-proxy for local clients (multiple clients behind NAT)
`}` | | | |
`interface device {` | Physical | Yes | | Interface options for physical interfaces
`shared options` | | Yes | | Most shared options, such as address and group
`media media` | | | autoselect | Set the device's media type, such as "10baseT"
`mediaopt mediaopt` | | | | Set the device's media options, such as "full-duplex", or "hostap" for 802.11
`mode mode` | | | autoselect | Set the device's mode, such as "11g" for 802.11 wireless interfaces
`ssid "string"` | | | | Set the device's IEEE 802.11 ESSID
`wpa-psk "string"` | | | | Set the device's IEEE 802.11 WPA2 key
`channel "integer"` | | | | Set the device's IEEE 802.11 channel
`}` | | | |
`interface bridgeid {` | Bridge | Yes | | Create a bridge interface
`shared options` | | Yes | | Most shared options, such as address and group
`member interface {` | | Yes | | Add an interface as a member of the bridge by specifying its name
`stp` | | | no | Enable STP on the member interface
`edge yes or no` | | | auto | Manually set the edge status
`ptp yes or no` | | | auto | Manually set the PTP status
`}` | | | |
`link2` | | | | Enable Link2
`protocol rstp or stp` | | | rstp | STP protocol
`max-addresses integer` | | | 100 | Set the bridge's address cache size
`}` | | | |
`interface trunkid {` | Trunk | Yes | | Create a trunk (link aggregation) interface
`shared options` | | Yes | | Most shared options, such as address and group
`member interface` | | Yes | | Add an interface to the link aggregate
`protocol trunkproto` | | | roundrobin | Select a trunk method such as lacp, failover, loadbalance or broadcast
`}` | | | |
`interface mpeid {` | Routing | Yes | | Create an MPLS provider edge interface
`shared options` | | Yes | | Many shared options, such as firewall and group
`label integer` | | | 0 | Set the MPLS shim label
`}` | | | |
`interface pflogid {` | Generic | Yes | | Create an additional firewall log interface
`shared options` | | Yes | | Many shared options, such as group
`}` | | | |
`interface pflowid {` | | Yes | | Create a NetFlow v5 sender
`shared options` | | Yes | | Many shared options, such as mtu and group
`sender addr` | | | | Which address to use when sending NetFlow data
`server addr` | | | | Which server to send NetFlow data to
`port integer` | | | 2055 | NetFlow port
`}` | | | |
`interface gifid {` | VPN | Yes | | Create a generic tunnel interface
`shared options` | | Yes | | Many shared options, such as firewall and group
`address cidr addr` | | | | Specifies the local and remote interface addresses
`tunnel addr addr` | | | | Specifies the local and remote tunnel endpoint addresses
`tdomain integer` | | | 0 | Place the tunnel addresses in one of the routing domains
`}` | | | |
`interface greid {` | | Yes | | Create a GRE tunnel interface
`shared options` | | Yes | | Many shared options, such as firewall and group
`address cidr addr` | | | | Specifies the local and remote interface addresses
`tunnel addr addr` | | | | Specifies the local and remote tunnel endpoint addresses
`tdomain integer` | | | 0 | Place the tunnel addresses in one of the routing domains
`}` | | | |
`interface encid {` | | Yes | | Create an additional encapsulation interface (enc0 always exists)
`shared options` | | Yes | | Many shared options, such as firewall and group
`}` | | | |
`interface loid {` | | Yes | | Create an additional loopback interface (lo0 always exists)
`shared options` | | Yes | | Many shared options, such as firewall and group
`}` | | | |
`ipsec {` | | | | IPsec and IKE configuration, including macros
`flow ...` | | Yes | | Manual ipsecctl flow policy, requesting encryption based on its conditions
`esp ...` | | Yes | | Manual ipsecctl SA of the specified type
`ike ...` | | Yes | | Automatic ipsecctl IKE policy for isakmpd
`ikev2 ...` | | Yes | | An IKEv2 policy for iked
`}` | | | |
`vpn-server {` | | | | L2TP and PPTP server for roaming clients
`l2tp {` | | | | Enable the L2TP server
`secret "string"` | | | | The IKE shared secret
`}` | | | |
`pptp` | | | | Enable the PPTP server
`pool cidr` | | | 192.0.2.0/24 | Override the default address pool
`listen addr` | | | any | Explicitly bind an IP address
`interface interface` | | | wan | Allow clients to connect from somewhere other than the WAN
`name-server "string"` | | Yes | System's name-server | Override the default name servers to be distributed
`search-domain fqdn` | | | System's domain | Use the specified search domain instead of the system's search domain
`route "cidr"` | | Yes | | Send classless static routes to the client
`option integer hex` | | Yes | | Send a DHCP option to the client
`authentication "string" {` | | Yes | | An authentication group (for firewall filtering) with users in it
`radius default` | | | | Enable RADIUS support for this group; default is optional
`name-server "string"` | | Yes | Server's name-server | Override the default name servers to be distributed
`search-domain fqdn` | | | Server's domain | Use the specified search domain instead of the server's search domain
`route "cidr"` | | Yes | | Send classless static routes to the client
`option integer hex` | | Yes | | Send a DHCP option to the client
`user "string" {` | | Yes | | Remote access users
`password "string"` | | | | The password's Blowfish crypt
`full-name "string"` | | | | The user's full name
`}` | | | |
`}` | | | |
`radius {` | | | | Enable external RADIUS authentication
`server addr` | | Yes | | Address of a RADIUS server
`secret "string"` | | | | Shared secret
`accounting` | | | | Enable accounting
`}` | | | |
`}` | | | |
`firewall {` | Generic | | | Add firewall rules (pf)
`pass ...` | | Yes | | Allow packets matching the conditions
`block ...` | | Yes | | Block packets matching the conditions
`match ...` | | Yes | | Modify packets matching the conditions without changing their pass/block state
`}` | | | |
`bgp {` | Routing | | | BGPv4 configuration for bgpd
`AS integer` | | | | Set the local autonomous system number
`network cidr` | | Yes | | Announce the specified network as belonging to our AS
`rdomain integer {` | | Yes | | Setup and distribution of Virtual Private Networks
`}` | | | |
`neighbor addr {` | | Yes | | Establishes TCP connections to other BGP speakers
`}` | | | |
`}` | | | |
`ospf { config }` | | | | OSPFv2 configuration for ospfd
`ospf6 { config }` | | | | OSPFv3 configuration for ospf6d
`ldp { config }` | | | | MPLS LDP configuration for ldpd
`load-balancer { config }` | | | | Load balancing and availability configuration for relayd
`cluster {` | | | | Cluster configuration
`peer address {` | | | | Cluster peer
`}` | | | |
`}` | | | |
`system {` | | | | Collection of settings having to do with the appliance's system
`host-name fqdn` | | | | The system's host name
`keyboard-layout layout` | | | us | The system's keyboard layout (video console)
`time-zone timezone` | | | | The system's time zone
`dns {` | | | |
`name-server addr` | | Yes | | DNS server to be used by the system, and distributed to clients
`search-domain fqdn` | | | | The system's search domain
`}` | | | |
`authentication {` | | | | Collection of system users
`root-password "string"` | | | | The root access password's Blowfish crypt
`user "string" {` | | Yes | | System users
`password "string"` | | | | The password's Blowfish crypt
`full-name "string"` | | | | The user's full name
`class "string"` | | | | The user's login class
`}` | | | |
`}` | | | |
`ntp {` | | | | Network time
`server addr or fqdn` | | Yes | | NTP server to sync with
`}` | | | |
`syslog {` | | | | Remote logging
`server addr or fqdn` | | Yes | | Syslog server to send logs to
`}` | | | |
`snmp-server {` | | | | SNMP server
`read-only community string` | | | public |
`system location string` | | | |
`...` | | | | Other options for snmpd
`}` | | | |
`ssh-server {` | | | | Secure shell server
`rdomain integer` | | | 0 |
`listen addr` | | | any |
`port integer` | | | 22 |
`ecdsa-key { data }` | | | | The private elliptic-curve key
`dsa-key { data }` | | | | The private DSA key
`rsa-key { data }` | | | | The private RSA key
`}` | | | |
`http-server {` | | | | Web (HTTPS) server
`rdomain integer` | | | 0 |
`listen addr` | | | any |
`port integer` | | | 443 |
`rsa-key { data }` | | | | The private RSA key
`x509-certificate { data }` | | | | The X.509 certificate
`}` | | | |
`}` | | | |
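The Multiple column and the block structure of the table can be checked mechanically before a commit. The following Python script is an added example (not code from the original page or from the appliance) that validates an already-parsed configuration tree against a small subset of the grammar table: it reports statements the grammar does not know, statements repeated in a scope where Multiple is not Yes, and leaf statements that wrongly open a scope. The tree shape `(keyword, arguments, children)`, the `GRAMMAR` subset and the two sample trees are constructed for this example.

```python
"""Added example, not code from the original page: checking a parsed
configuration tree against a subset of the grammar table above.  The tree
shape, the grammar subset and the sample trees are constructed here."""

from typing import Dict, List, Optional, Tuple

# A statement is (keyword, arguments, children); children is empty for a leaf.
Stmt = Tuple[str, List[str], List["Stmt"]]

# Grammar subset copied from the table: keyword -> (Multiple is "Yes"?, child
# grammar for statements that open a scope, or None for a leaf statement).
GRAMMAR: Dict[str, Tuple[bool, Optional[Dict]]] = {
    "interface": (True, {
        "group": (True, None),
        "description": (False, None),
        "address": (True, None),
        "mtu": (False, None),
        "ll-address": (False, None),
        "rdomain": (False, None),
        "metric": (False, None),
    }),
    "system": (False, {
        "host-name": (False, None),
        "dns": (False, {"name-server": (True, None), "search-domain": (False, None)}),
        "ntp": (False, {"server": (True, None)}),
        "ssh-server": (False, {
            "rdomain": (False, None),
            "listen": (False, None),
            "port": (False, None),
        }),
    }),
}


def validate(tree: List[Stmt], grammar: Dict = GRAMMAR, scope: str = "") -> List[str]:
    """Walk the tree and return one message per grammar violation, in document order."""
    errors: List[str] = []
    seen: Dict[str, int] = {}
    for keyword, args, children in tree:
        where = f"{scope}/{keyword}" if scope else keyword
        spec = grammar.get(keyword)
        if spec is None:
            errors.append(f"{where}: unknown statement")
            continue
        multiple, child_grammar = spec
        seen[keyword] = seen.get(keyword, 0) + 1
        if not multiple and seen[keyword] == 2:  # report a duplicate once
            errors.append(f"{where}: may only appear once in this scope")
        if child_grammar is None:
            if children:
                errors.append(f"{where}: does not open a scope")
            continue
        # The arguments name the scope, e.g. "interface em0", for nested messages.
        errors.extend(validate(children, child_grammar, " ".join([where, *args])))
    return errors


# Constructed sample trees (documentation addresses).
GOOD: List[Stmt] = [
    ("interface", ["em0"], [
        ("description", ['"uplink"'], []),
        ("address", ["192.0.2.1/24"], []),
        ("address", ["2001:db8::1/64"], []),
        ("mtu", ["1500"], []),
    ]),
    ("system", [], [
        ("host-name", ["fw.example.net"], []),
        ("ssh-server", [], [("listen", ["192.0.2.1"], []), ("port", ["22"], [])]),
    ]),
]
BAD: List[Stmt] = [
    ("interface", ["em0"], [
        ("mtu", ["1500"], []),
        ("mtu", ["9000"], []),  # Multiple is not "Yes" for mtu
    ]),
    ("system", [], [
        ("ssh-sever", [], [("port", ["22"], [])]),  # misspelled block
        ("ssh-server", [], [("port", ["22"], [("x", [], [])])]),  # port is a leaf
    ]),
]

if __name__ == "__main__":
    for message in validate(BAD):
        print(message)
```

The unknown-statement check is the one worth keeping in a pre-commit hook: a misspelled `ssh-server` block does not restrict the SSH listener at all, and a `listen` or `port` line placed under the wrong block is silently the default `any` and `22` again.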