Version: current

firewall

ip/firewall/connection/tracking

Type: Settings Directory

Argument	Type	Description
`enabled`	enum (auto \| yes \| no)
`tcp-syn-sent-timeout`	time
`tcp-syn-received-timeout`	time
`tcp-established-timeout`	time
`tcp-fin-wait-timeout`	time
`tcp-close-wait-timeout`	time
`tcp-last-ack-timeout`	time
`tcp-time-wait-timeout`	time
`tcp-close-timeout`	time
`tcp-max-retrans-timeout`	time
`tcp-unacked-timeout`	time
`loose-tcp-tracking`	bool
`liberal-tcp-tracking`	bool
`udp-timeout`	time
`udp-stream-timeout`	time
`icmp-timeout`	time
`generic-timeout`	time

Read-only Argument	Type	Description
`active-ipv4`	bool
`active-ipv6`	bool
`max-entries`	num
`total-entries`	num
`total-ip4-entries`	num
`total-ip6-entries`	num

ip/firewall/address-list

Type: Directory

Flag	Name	Description
`X`	disabled	disabled
`D`	dynamic	dynamic

Argument	Type	Description
`list` ( mandatory )	enum
`address`	alt { ip_range_arg , string }
`timeout`	time
`dynamic`	bool

Read-only Argument	Type	Description
`creation-time`	date_arg

ip/firewall/filter

Type: Directory

Argument	Type	Description
`all`	switch
`static`	switch
`dynamic`	switch
`chain` ( mandatory )	enum
`action`	enum (accept \| jump \| return \| log \| passthrough \| add-src-to-address-list \| add-dst-to-address-list \| drop \| reject \| tarpit \| fasttrack-connection)
`jump-target`	enum ()
`reject-with`	enum (icmp-network-unreachable \| icmp-host-unreachable \| icmp-protocol-unreachable \| icmp-port-unreachable \| icmp-net-prohibited \| icmp-host-prohibited \| tcp-reset \| icmp-admin-prohibited)
`hw-offload` (syscap=crs_prestera)	bool { }
`tcp-flags`	super { !, , multi_arg { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } }
`p2p`	super { ! , enum (fasttrack \| gnutella \| direct-connect \| edonkey \| bit-torrent \| blubster \| soulseek \| winmx \| warez \| all-p2p) { fasttrack:0x01, gnutella:0x02, direct-connect:0x03, edonkey:0x04, bit-torrent:0x05, blubster:0x06, soulseek:0x07, winmx:0x08, warez:0x09, all-p2p:0xFF } }
`connection-state`	super { ! , ubit (invalid, established, related, new, untracked) { invalid, established, related, new, untracked } }
`connection-nat-state`	super { ! , ubit (srcnat, dstnat, ein-snat, ein-dnat) { srcnat, dstnat, ein-snat, ein-dnat } }
`tls-host`	super { ! , string }
`connection-limit`	super { ! , num , ,num }
`layer7-protocol`	super { ! , enum }
`realm`	super { ! , num }
`protocol`	super { ! , enum () { } }
`src-address`	super { ! , ip_range_arg }
`dst-address`	super { ! , ip_range_arg }
`fragment`	super { bool }
`psd`	super { num , ,time , ,num , ,num }
`ipv4-options`	super { enum (strict-source-routing \| loose-source-routing \| no-source-routing \| record-route \| no-record-route \| timestamp \| no-timestamp \| router-alert \| no-router-alert \| any \| none) { strict-source-routing:0x1, loose-source-routing:0x2, no-source-routing:0x4, record-route:0x8, no-record-route:0x10, timestamp:0x20, no-timestamp:0x40, router-alert:0x80, no-router-alert:0x100, any:0x200, none:0x400 } }
`src-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`dst-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`src-address-list`	super { ! , enum }
`dst-address-list`	super { ! , enum }
`hotspot`	multi_arg { array-id, array-id, super { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } }
`address-list`	enum ()
`address-list-timeout`	alt { enum (none-dynamic \| none-static) { none-dynamic:0, none-static:0xffffffff } , time [ .. 21474836] , }
`ttl`	super { enum (equal \| not-equal \| less-than \| greater-than) { equal:0, not-equal:1, less-than:2, greater-than:3 } , :num [0 .. 255] }
`connection-mark`	super { ! , enum }
`connection-type`	super { ! , enum (ftp \| pptp \| h323 \| sip \| irc \| quake3 \| tftp) { ftp:0, pptp:1, h323:2, sip:3, irc:4, quake3:5, tftp:6 } }
`connection-bytes`	super { num , -num }
`connection-rate`	super { ! , num , -num }
`routing-mark`	super { ! , enum () { } }
`in-interface`	super { ! , interface_enum { } { } }
`out-interface`	super { ! , interface_enum { } { } }
`in-interface-list`	super { ! , enum }
`out-interface-list`	super { ! , enum }
`in-bridge-port`	super { ! , interface_enum { } { } }
`out-bridge-port`	super { ! , interface_enum { } { } }
`in-bridge-port-list`	super { ! , enum }
`out-bridge-port-list`	super { ! , enum }
`packet-mark`	super { ! , enum }
`src-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`dst-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`icmp-options`	super { ! , num [0 .. 255] , [ :range_arg [ .. 255]] }
`src-mac-address`	super { ! , macAddr }
`content`	super { ! , string }
`ingress-priority`	super { ! , num [0 .. 63] }
`priority`	super { ! , num [0 .. 63] }
`dscp`	super { ! , num [0 .. 63] }
`tos`	super { ! , num [0 .. 255] , [ /num [0 .. 255]] }
`limit`	super { ! , num [1 .. 32000000000] , [ /time [1 .. ]] , ,num [ .. 2000000000] , [ :enum (packet \| bit) { packet:0, bit:1 }] }
`dst-limit`	super { num , [ /time] , ,num , ,enum (dst-address \| dst-address-and-port \| src-address \| src-and-dst-addresses \| addresses-and-dst-port) { dst-address:1, dst-address-and-port:3, src-address:4, src-and-dst-addresses:5, addresses-and-dst-port:7 } , [ /time] }
`time`	super { ! , time [0 .. 86400] , -time [0 .. 86400] , ,ubit (sun, mon, tue, wed, thu, fri, sat) { sun, mon, tue, wed, thu, fri, sat } }
`random`	super { num [1 .. 99] }
`nth`	super { ! , num [1 .. ] , [ ,num [1 .. ]] }
`tcp-mss`	super { ! , num [0 .. 65535] , -num [0 .. 65535] }
`per-connection-classifier`	super { ! , enum (src-address \| dst-address \| both-addresses \| src-port \| src-address-and-port \| dst-port \| dst-address-and-port \| both-ports \| both-addresses-and-ports) { src-address:1, dst-address:2, both-addresses:3, src-port:4, src-address-and-port:5, dst-port:8, dst-address-and-port:10, both-ports:12, both-addresses-and-ports:15 } , :num [1 .. ] , /num [0 .. ] }
`packet-size`	super { ! , num [ .. 65535] , -num [ .. 65535] }
`log`	bool
`log-prefix`	string
`ipsec-policy`	super { enum (in \| out) { in:0, out:1 } , ,enum (none \| ipsec) { none:0, ipsec:1 } }

ip/firewall/service-port

Type: Directory

Flag	Name	Description
`X`	disabled	disabled
`I`	invalid	invalid

Argument	Type	Description
`ports`	multi_arg { , num [0 .. 65535] }
`sip-direct-media`	bool
`sip-timeout`	time

Read-only Argument	Type	Description
`name`	string

ip/firewall/nat

Type: Directory

Argument	Type	Description
`all`	switch
`static`	switch
`dynamic`	switch
`chain` ( mandatory )	enum
`action`	enum (accept \| jump \| return \| log \| passthrough \| add-src-to-address-list \| add-dst-to-address-list \| src-nat \| masquerade \| dst-nat \| redirect \| same \| netmap \| endpoint-independent-nat \| socksify)
`jump-target`	enum ()
`to-addresses`	super { , ip_range_arg }
`to-ports`	super { , num [0 .. 65535] , -num [0 .. 65535] }
`same-not-by-dst`	bool { }
`randomise-ports`	bool { }
`socksify-service`	enum
`socks5-server`	ipAddr
`socks5-port`	num
`connection-limit`	super { ! , num , ,num }
`layer7-protocol`	super { ! , enum }
`realm`	super { ! , num }
`protocol`	super { ! , enum () { } }
`src-address`	super { ! , ip_range_arg }
`dst-address`	super { ! , ip_range_arg }
`fragment`	super { bool }
`psd`	super { num , ,time , ,num , ,num }
`ipv4-options`	super { enum (strict-source-routing \| loose-source-routing \| no-source-routing \| record-route \| no-record-route \| timestamp \| no-timestamp \| router-alert \| no-router-alert \| any \| none) { strict-source-routing:0x1, loose-source-routing:0x2, no-source-routing:0x4, record-route:0x8, no-record-route:0x10, timestamp:0x20, no-timestamp:0x40, router-alert:0x80, no-router-alert:0x100, any:0x200, none:0x400 } }
`src-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`dst-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`src-address-list`	super { ! , enum }
`dst-address-list`	super { ! , enum }
`hotspot`	multi_arg { array-id, array-id, super { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } }
`address-list`	enum ()
`address-list-timeout`	alt { enum (none-dynamic \| none-static) { none-dynamic:0, none-static:0xffffffff } , time [ .. 21474836] , }
`ttl`	super { enum (equal \| not-equal \| less-than \| greater-than) { equal:0, not-equal:1, less-than:2, greater-than:3 } , :num [0 .. 255] }
`connection-mark`	super { ! , enum }
`connection-type`	super { ! , enum (ftp \| pptp \| h323 \| sip \| irc \| quake3 \| tftp) { ftp:0, pptp:1, h323:2, sip:3, irc:4, quake3:5, tftp:6 } }
`connection-bytes`	super { num , -num }
`connection-rate`	super { ! , num , -num }
`routing-mark`	super { ! , enum () { } }
`in-interface`	super { ! , interface_enum { } { } }
`out-interface`	super { ! , interface_enum { } { } }
`in-interface-list`	super { ! , enum }
`out-interface-list`	super { ! , enum }
`in-bridge-port`	super { ! , interface_enum { } { } }
`out-bridge-port`	super { ! , interface_enum { } { } }
`in-bridge-port-list`	super { ! , enum }
`out-bridge-port-list`	super { ! , enum }
`packet-mark`	super { ! , enum }
`src-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`dst-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`icmp-options`	super { ! , num [0 .. 255] , [ :range_arg [ .. 255]] }
`src-mac-address`	super { ! , macAddr }
`content`	super { ! , string }
`ingress-priority`	super { ! , num [0 .. 63] }
`priority`	super { ! , num [0 .. 63] }
`dscp`	super { ! , num [0 .. 63] }
`tos`	super { ! , num [0 .. 255] , [ /num [0 .. 255]] }
`limit`	super { ! , num [1 .. 32000000000] , [ /time [1 .. ]] , ,num [ .. 2000000000] , [ :enum (packet \| bit) { packet:0, bit:1 }] }
`dst-limit`	super { num , [ /time] , ,num , ,enum (dst-address \| dst-address-and-port \| src-address \| src-and-dst-addresses \| addresses-and-dst-port) { dst-address:1, dst-address-and-port:3, src-address:4, src-and-dst-addresses:5, addresses-and-dst-port:7 } , [ /time] }
`time`	super { ! , time [0 .. 86400] , -time [0 .. 86400] , ,ubit (sun, mon, tue, wed, thu, fri, sat) { sun, mon, tue, wed, thu, fri, sat } }
`random`	super { num [1 .. 99] }
`nth`	super { ! , num [1 .. ] , [ ,num [1 .. ]] }
`tcp-mss`	super { ! , num [0 .. 65535] , -num [0 .. 65535] }
`per-connection-classifier`	super { ! , enum (src-address \| dst-address \| both-addresses \| src-port \| src-address-and-port \| dst-port \| dst-address-and-port \| both-ports \| both-addresses-and-ports) { src-address:1, dst-address:2, both-addresses:3, src-port:4, src-address-and-port:5, dst-port:8, dst-address-and-port:10, both-ports:12, both-addresses-and-ports:15 } , :num [1 .. ] , /num [0 .. ] }
`packet-size`	super { ! , num [ .. 65535] , -num [ .. 65535] }
`log`	bool
`log-prefix`	string
`ipsec-policy`	super { enum (in \| out) { in:0, out:1 } , ,enum (none \| ipsec) { none:0, ipsec:1 } }

ip/firewall/connection

Type: Directory

Flag	Name	Description
`E`	expected	expected
`S`	seen-reply	seen-reply
`A`	assured	assured
`C`	confirmed	confirmed
`D`	dying	dying
`F`	fasttrack	fasttrack
`H`	hw-offload	hw-offload
`s`	srcnat	srcnat
`d`	dstnat	dstnat
`h`	uses-helper	uses-helper

Read-only Argument	Type	Description
`protocol`	enum ()
`src-address`	ipAddr
`src-port`	num
`dst-address`	ipAddr
`dst-port`	num
`reply-src-address`	ipAddr
`reply-src-port`	num
`reply-dst-address`	ipAddr
`reply-dst-port`	num
`tcp-state`	enum (none \| syn-sent \| syn-recv \| established \| fin-wait \| close-wait \| last-ack \| time-wait \| close \| listen)
`icmp-type`	num
`icmp-code`	num
`icmp-id`	num
`gre-protocol`	num
`gre-version`	num
`gre-key`	num
`connection-type`	string
`timeout`	time
`connection-mark`	string
`orig-packets`	num
`orig-bytes`	num
`orig-fasttrack-packets`	num
`orig-fasttrack-bytes`	num
`repl-packets`	num
`repl-bytes`	num
`repl-fasttrack-packets`	num
`repl-fasttrack-bytes`	num
`orig-rate`	num
`repl-rate`	num

ip/firewall/mangle

Type: Directory

Argument	Type	Description
`all`	switch
`static`	switch
`dynamic`	switch
`chain` ( mandatory )	enum
`action`	enum (accept \| jump \| return \| log \| passthrough \| add-src-to-address-list \| add-dst-to-address-list \| sniff-tzsp \| sniff-pc \| drop \| mark-packet \| mark-connection \| change-mss \| change-dscp \| strip-ipv4-options \| change-ttl \| mark-routing \| set-priority \| clear-df \| fasttrack-connection \| route)
`jump-target`	enum ()
`new-packet-mark`	enum ()
`new-connection-mark`	enum ()
`new-routing-mark`	enum ()
`new-mss`	alt { , enum (clamp-to-pmtu) { clamp-to-pmtu:65535 } , num [40 .. 65534] }
`new-dscp`	enum (from-priority-to-high-3-bits \| from-priority)
`new-priority`	alt { , enum (from-dscp \| from-ingress \| from-dscp-high-3-bits) { from-dscp:65536, from-ingress:65537, from-dscp-high-3-bits:65538 } , num [0 .. 63] }
`new-ttl`	super { , enum (set \| increment \| decrement) { set:0, increment:1, decrement:2 } , :num [0 .. 255] }
`passthrough`	bool { }
`tcp-flags`	super { !, , multi_arg { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } }
`p2p`	super { ! , enum (fasttrack \| gnutella \| direct-connect \| edonkey \| bit-torrent \| blubster \| soulseek \| winmx \| warez \| all-p2p) { fasttrack:0x01, gnutella:0x02, direct-connect:0x03, edonkey:0x04, bit-torrent:0x05, blubster:0x06, soulseek:0x07, winmx:0x08, warez:0x09, all-p2p:0xFF } }
`connection-state`	super { ! , ubit (invalid, established, related, new, untracked) { invalid, established, related, new, untracked } }
`connection-nat-state`	super { ! , ubit (srcnat, dstnat) { srcnat, dstnat } }
`sniff-target`	ipAddr { }
`sniff-target-port`	num { }
`sniff-id`	num { }
`route-dst`	ipAddr { }
`tls-host`	super { ! , string }
`connection-limit`	super { ! , num , ,num }
`layer7-protocol`	super { ! , enum }
`realm`	super { ! , num }
`protocol`	super { ! , enum () { } }
`src-address`	super { ! , ip_range_arg }
`dst-address`	super { ! , ip_range_arg }
`fragment`	super { bool }
`psd`	super { num , ,time , ,num , ,num }
`ipv4-options`	super { enum (strict-source-routing \| loose-source-routing \| no-source-routing \| record-route \| no-record-route \| timestamp \| no-timestamp \| router-alert \| no-router-alert \| any \| none) { strict-source-routing:0x1, loose-source-routing:0x2, no-source-routing:0x4, record-route:0x8, no-record-route:0x10, timestamp:0x20, no-timestamp:0x40, router-alert:0x80, no-router-alert:0x100, any:0x200, none:0x400 } }
`src-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`dst-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`src-address-list`	super { ! , enum }
`dst-address-list`	super { ! , enum }
`hotspot`	multi_arg { array-id, array-id, super { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } }
`address-list`	enum ()
`address-list-timeout`	alt { enum (none-dynamic \| none-static) { none-dynamic:0, none-static:0xffffffff } , time [ .. 21474836] , }
`ttl`	super { enum (equal \| not-equal \| less-than \| greater-than) { equal:0, not-equal:1, less-than:2, greater-than:3 } , :num [0 .. 255] }
`connection-mark`	super { ! , enum }
`connection-type`	super { ! , enum (ftp \| pptp \| h323 \| sip \| irc \| quake3 \| tftp) { ftp:0, pptp:1, h323:2, sip:3, irc:4, quake3:5, tftp:6 } }
`connection-bytes`	super { num , -num }
`connection-rate`	super { ! , num , -num }
`routing-mark`	super { ! , enum () { } }
`in-interface`	super { ! , interface_enum { } { } }
`out-interface`	super { ! , interface_enum { } { } }
`in-interface-list`	super { ! , enum }
`out-interface-list`	super { ! , enum }
`in-bridge-port`	super { ! , interface_enum { } { } }
`out-bridge-port`	super { ! , interface_enum { } { } }
`in-bridge-port-list`	super { ! , enum }
`out-bridge-port-list`	super { ! , enum }
`packet-mark`	super { ! , enum }
`src-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`dst-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`icmp-options`	super { ! , num [0 .. 255] , [ :range_arg [ .. 255]] }
`src-mac-address`	super { ! , macAddr }
`content`	super { ! , string }
`ingress-priority`	super { ! , num [0 .. 63] }
`priority`	super { ! , num [0 .. 63] }
`dscp`	super { ! , num [0 .. 63] }
`tos`	super { ! , num [0 .. 255] , [ /num [0 .. 255]] }
`limit`	super { ! , num [1 .. 32000000000] , [ /time [1 .. ]] , ,num [ .. 2000000000] , [ :enum (packet \| bit) { packet:0, bit:1 }] }
`dst-limit`	super { num , [ /time] , ,num , ,enum (dst-address \| dst-address-and-port \| src-address \| src-and-dst-addresses \| addresses-and-dst-port) { dst-address:1, dst-address-and-port:3, src-address:4, src-and-dst-addresses:5, addresses-and-dst-port:7 } , [ /time] }
`time`	super { ! , time [0 .. 86400] , -time [0 .. 86400] , ,ubit (sun, mon, tue, wed, thu, fri, sat) { sun, mon, tue, wed, thu, fri, sat } }
`random`	super { num [1 .. 99] }
`nth`	super { ! , num [1 .. ] , [ ,num [1 .. ]] }
`tcp-mss`	super { ! , num [0 .. 65535] , -num [0 .. 65535] }
`per-connection-classifier`	super { ! , enum (src-address \| dst-address \| both-addresses \| src-port \| src-address-and-port \| dst-port \| dst-address-and-port \| both-ports \| both-addresses-and-ports) { src-address:1, dst-address:2, both-addresses:3, src-port:4, src-address-and-port:5, dst-port:8, dst-address-and-port:10, both-ports:12, both-addresses-and-ports:15 } , :num [1 .. ] , /num [0 .. ] }
`packet-size`	super { ! , num [ .. 65535] , -num [ .. 65535] }
`log`	bool
`log-prefix`	string
`ipsec-policy`	super { enum (in \| out) { in:0, out:1 } , ,enum (none \| ipsec) { none:0, ipsec:1 } }

ip/firewall/calea

Type: Directory

Argument	Type	Description
`filter`	alt { enum (all) { all:0 } , bool , enum (prerouting \| input \| forward \| output \| postrouting) { prerouting:1, input:2, forward:3, output:4, postrouting:5 } }
`chain` ( mandatory )	enum (prerouting \| input \| forward \| output \| postrouting)
`action`	enum (sniff \| sniff-pc)
`sniff-target`	ipAddr { }
`sniff-target-port`	num { }
`sniff-id`	num { }
`tls-host`	super { ! , string }
`connection-limit`	super { ! , num , ,num }
`layer7-protocol`	super { ! , enum }
`realm`	super { ! , num }
`protocol`	super { ! , enum () { } }
`src-address`	super { ! , ip_range_arg }
`dst-address`	super { ! , ip_range_arg }
`fragment`	super { bool }
`psd`	super { num , ,time , ,num , ,num }
`ipv4-options`	super { enum (strict-source-routing \| loose-source-routing \| no-source-routing \| record-route \| no-record-route \| timestamp \| no-timestamp \| router-alert \| no-router-alert \| any \| none) { strict-source-routing:0x1, loose-source-routing:0x2, no-source-routing:0x4, record-route:0x8, no-record-route:0x10, timestamp:0x20, no-timestamp:0x40, router-alert:0x80, no-router-alert:0x100, any:0x200, none:0x400 } }
`src-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`dst-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`src-address-list`	super { ! , enum }
`dst-address-list`	super { ! , enum }
`hotspot`	multi_arg { array-id, array-id, super { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } }
`address-list`	enum ()
`address-list-timeout`	alt { enum (none-dynamic \| none-static) { none-dynamic:0, none-static:0xffffffff } , time [ .. 21474836] , }
`ttl`	super { enum (equal \| not-equal \| less-than \| greater-than) { equal:0, not-equal:1, less-than:2, greater-than:3 } , :num [0 .. 255] }
`connection-mark`	super { ! , enum }
`connection-type`	super { ! , enum (ftp \| pptp \| h323 \| sip \| irc \| quake3 \| tftp) { ftp:0, pptp:1, h323:2, sip:3, irc:4, quake3:5, tftp:6 } }
`connection-bytes`	super { num , -num }
`connection-rate`	super { ! , num , -num }
`routing-mark`	super { ! , enum () { } }
`in-interface`	super { ! , interface_enum { } { } }
`out-interface`	super { ! , interface_enum { } { } }
`in-interface-list`	super { ! , enum }
`out-interface-list`	super { ! , enum }
`in-bridge-port`	super { ! , interface_enum { } { } }
`out-bridge-port`	super { ! , interface_enum { } { } }
`in-bridge-port-list`	super { ! , enum }
`out-bridge-port-list`	super { ! , enum }
`packet-mark`	super { ! , enum }
`src-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`dst-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`icmp-options`	super { ! , num [0 .. 255] , [ :range_arg [ .. 255]] }
`src-mac-address`	super { ! , macAddr }
`content`	super { ! , string }
`ingress-priority`	super { ! , num [0 .. 63] }
`priority`	super { ! , num [0 .. 63] }
`dscp`	super { ! , num [0 .. 63] }
`tos`	super { ! , num [0 .. 255] , [ /num [0 .. 255]] }
`limit`	super { ! , num [1 .. 32000000000] , [ /time [1 .. ]] , ,num [ .. 2000000000] , [ :enum (packet \| bit) { packet:0, bit:1 }] }
`dst-limit`	super { num , [ /time] , ,num , ,enum (dst-address \| dst-address-and-port \| src-address \| src-and-dst-addresses \| addresses-and-dst-port) { dst-address:1, dst-address-and-port:3, src-address:4, src-and-dst-addresses:5, addresses-and-dst-port:7 } , [ /time] }
`time`	super { ! , time [0 .. 86400] , -time [0 .. 86400] , ,ubit (sun, mon, tue, wed, thu, fri, sat) { sun, mon, tue, wed, thu, fri, sat } }
`random`	super { num [1 .. 99] }
`nth`	super { ! , num [1 .. ] , [ ,num [1 .. ]] }
`tcp-mss`	super { ! , num [0 .. 65535] , -num [0 .. 65535] }
`per-connection-classifier`	super { ! , enum (src-address \| dst-address \| both-addresses \| src-port \| src-address-and-port \| dst-port \| dst-address-and-port \| both-ports \| both-addresses-and-ports) { src-address:1, dst-address:2, both-addresses:3, src-port:4, src-address-and-port:5, dst-port:8, dst-address-and-port:10, both-ports:12, both-addresses-and-ports:15 } , :num [1 .. ] , /num [0 .. ] }
`packet-size`	super { ! , num [ .. 65535] , -num [ .. 65535] }
`log`	bool
`log-prefix`	string
`ipsec-policy`	super { enum (in \| out) { in:0, out:1 } , ,enum (none \| ipsec) { none:0, ipsec:1 } }

ip/firewall/layer7-protocol

Type: Directory

Argument	Type	Description
`name`	string
`regexp`	string

ip/firewall/raw

Type: Directory

Flag	Name	Description
`X`	disabled	disabled
`I`	invalid	invalid
`D`	dynamic	dynamic

Argument	Type	Description
`all`	switch
`static`	switch
`dynamic`	switch
`chain` ( mandatory )	enum
`action`	enum (accept \| jump \| return \| log \| passthrough \| add-src-to-address-list \| add-dst-to-address-list \| drop \| notrack)
`jump-target`	enum ()
`tcp-flags`	super { !, , multi_arg { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } { array-id, array-id, super { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } { ! , enum (fin \| syn \| rst \| psh \| ack \| urg \| ece \| cwr) { fin:0, syn:1, rst:2, psh:3, ack:4, urg:5, ece:6, cwr:7 } } } }
`tls-host`	super { ! , string }
`in-interface`	super { ! , interface_enum { } { } }
`out-interface`	super { ! , interface_enum { } { } }
`in-interface-list`	super { ! , enum }
`out-interface-list`	super { ! , enum }
`in-bridge-port`	super { ! , interface_enum { } { } }
`out-bridge-port`	super { ! , interface_enum { } { } }
`in-bridge-port-list`	super { ! , enum }
`out-bridge-port-list`	super { ! , enum }
`packet-mark`	super { ! , enum }
`src-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`dst-port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`port`	super { ! , multi_arg { , , range_arg [ .. 65535] } { , , range_arg [ .. 65535] } }
`icmp-options`	super { ! , num [0 .. 255] , [ :range_arg [ .. 255]] }
`src-mac-address`	super { ! , macAddr }
`content`	super { ! , string }
`ingress-priority`	super { ! , num [0 .. 63] }
`priority`	super { ! , num [0 .. 63] }
`dscp`	super { ! , num [0 .. 63] }
`tos`	super { ! , num [0 .. 255] , [ /num [0 .. 255]] }
`limit`	super { ! , num [1 .. 32000000000] , [ /time [1 .. ]] , ,num [ .. 2000000000] , [ :enum (packet \| bit) { packet:0, bit:1 }] }
`dst-limit`	super { num , [ /time] , ,num , ,enum (dst-address \| dst-address-and-port \| src-address \| src-and-dst-addresses \| addresses-and-dst-port) { dst-address:1, dst-address-and-port:3, src-address:4, src-and-dst-addresses:5, addresses-and-dst-port:7 } , [ /time] }
`time`	super { ! , time [0 .. 86400] , -time [0 .. 86400] , ,ubit (sun, mon, tue, wed, thu, fri, sat) { sun, mon, tue, wed, thu, fri, sat } }
`random`	super { num [1 .. 99] }
`nth`	super { ! , num [1 .. ] , [ ,num [1 .. ]] }
`tcp-mss`	super { ! , num [0 .. 65535] , -num [0 .. 65535] }
`per-connection-classifier`	super { ! , enum (src-address \| dst-address \| both-addresses \| src-port \| src-address-and-port \| dst-port \| dst-address-and-port \| both-ports \| both-addresses-and-ports) { src-address:1, dst-address:2, both-addresses:3, src-port:4, src-address-and-port:5, dst-port:8, dst-address-and-port:10, both-ports:12, both-addresses-and-ports:15 } , :num [1 .. ] , /num [0 .. ] }
`packet-size`	super { ! , num [ .. 65535] , -num [ .. 65535] }
`log`	bool
`log-prefix`	string
`ipsec-policy`	super { enum (in \| out) { in:0, out:1 } , ,enum (none \| ipsec) { none:0, ipsec:1 } }
`protocol`	super { ! , enum () { } }
`src-address`	super { ! , ip_range_arg }
`dst-address`	super { ! , ip_range_arg }
`fragment`	super { bool }
`psd`	super { num , ,time , ,num , ,num }
`ipv4-options`	super { enum (strict-source-routing \| loose-source-routing \| no-source-routing \| record-route \| no-record-route \| timestamp \| no-timestamp \| router-alert \| no-router-alert \| any \| none) { strict-source-routing:0x1, loose-source-routing:0x2, no-source-routing:0x4, record-route:0x8, no-record-route:0x10, timestamp:0x20, no-timestamp:0x40, router-alert:0x80, no-router-alert:0x100, any:0x200, none:0x400 } }
`src-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`dst-address-type`	super { ! , ubit (unicast, local, broadcast, multicast, blackhole) { unicast, local, broadcast, multicast, blackhole } }
`src-address-list`	super { ! , enum }
`dst-address-list`	super { ! , enum }
`hotspot`	multi_arg { array-id, array-id, super { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } { ! , enum (from-client \| auth \| local-dst \| to-client \| http) { from-client:0, auth:1, local-dst:2, to-client:3, http:4 } } }
`address-list`	enum ()
`address-list-timeout`	alt { enum (none-dynamic \| none-static) { none-dynamic:0, none-static:0xffffffff } , time [ .. 21474836] , }
`ttl`	super { enum (equal \| not-equal \| less-than \| greater-than) { equal:0, not-equal:1, less-than:2, greater-than:3 } , :num [0 .. 255] }

Read-only Argument	Type	Description
`bytes`	num
`packets`	num

ip/firewall/raw/reset-counters

Type: Command

ip/firewall/raw/reset-counters-all

Type: Command

ip/firewall/connection/tracking​

ip/firewall/address-list​

ip/firewall/filter​

ip/firewall/service-port​

ip/firewall/nat​

ip/firewall/connection​

ip/firewall/mangle​

ip/firewall/calea​

ip/firewall/layer7-protocol​

ip/firewall/raw​

ip/firewall/raw/reset-counters​

ip/firewall/raw/reset-counters-all​

ip/firewall/connection/tracking

ip/firewall/address-list

ip/firewall/filter

ip/firewall/service-port

ip/firewall/nat

ip/firewall/connection

ip/firewall/mangle

ip/firewall/calea

ip/firewall/layer7-protocol

ip/firewall/raw

ip/firewall/raw/reset-counters

ip/firewall/raw/reset-counters-all