diff --git a/README.md b/README.md index a453eae6..ab84a8ef 100644 --- a/README.md +++ b/README.md @@ -421,6 +421,7 @@ generators: * [`packetfilter`](./doc/generators/packetfilter.md): PacketFilter * [`paloaltofw`](./doc/generators/paloaltofw.md): Palo Alto PANOS * [`pcap`](./doc/generators/pcap.md): PcapFilter +* [`sonic`](./doc/generators/sonic.md): SONiC ACLs in config_db.json format * [`speedway`](./doc/generators/speedway.md): Speedway * [`srxlo`](./doc/generators/srxlo.md): Stateless Juniper ACL * [`windows_advfirewall`](./doc/generators/windows_advfirewall.md): Windows diff --git a/doc/generators/sonic.md b/doc/generators/sonic.md new file mode 100644 index 00000000..0d8c182f --- /dev/null +++ b/doc/generators/sonic.md @@ -0,0 +1,45 @@ +# SONiC + +The SONiC header designation has the following format: + +``` +target:: sonic filter-name {inet|inet6|mixed} +``` + +* _filter-name_: defines the name of the filter. This is a required field. + Note that the filter name will be present as a key of every ACE (i.e. rule) in + generated policy. For example if the filter-name is 'MyPolicy', each ACE will + come out like: + + ``` + { + 'MyPolicy|RULE_10': {...}, + 'MyPolicy|RULE_20': {...}, + ... + } + ``` + +## Term Format + +* _action::_ The action to take when matched. See Actions section for valid + options. +* _destination-address::_ One or more destination address tokens. +* _destination-port::_ One or more service definition tokens. +* _expiration::_ Stop rendering this term after specified date. Date format: + [YYYY](YYYY.md)-[MM](MM.md)-[DD](DD.md). +* _protocol::_ The network protocols this term will match, such as tcp, udp, or + sctp. +* _source-address::_ One or more source address tokens. +* _source-port::_ One or more service definition tokens. + +## Sub Tokens + +### Actions + +* _accept_ +* _deny_ + +### Option + +* _tcp-established::_ Only match "established" connections. It is not stateful - + any TCP packet with ACK and/or RST TCP flag set will match.