Cesnet Liberouter
NIFIC Namespace
Configuration Data Model v0.5

Content

  • Example of whole XML configuration file
  • XML schema definition

Example of whole XML configuration file

<?xml version="1.0" encoding="utf-8"?>
<nific xmlns="http://www.liberouter.org/ns/netopeer/nific/0.5">

  <!-- Monitor center definition - where to send filtered packets -->
  <monitorCenters>                      
    <monitorCenter>
      <description>My monitoring center</description>
      <host content-type="name">monitor.center.org</host>
      <port>6666</port>
    </monitorCenter>
  </monitorCenters>

  <!-- Filtering rules definition -->
  <rules>                              
    <rule>
      <id>100</id>                      
      <!-- Rule in modified BPF -->
      <value>pass crop 400 from 10.0.0.1 to any</value>       
    </rule>
    <rule>
      <id>200</id>
      <!-- Rule in modified BPF -->
      <value>pass from 147.15.2.3 to any port &lt;1024</value>       
    </rule>
    <!-- Default rule action - lowest priority -->
    <rule>
      <id>4000000000</id>              
      <value>block</value>
    </rule>
  </rules>

  <!-- NIFIC statistics --> 
  <statistics>                          
    <upTime>123456</upTime>
    <!-- statistics about matched rule --> 
    <matchRules>
      <matchRule>                       
        <ruleId>100</ruleId>
        <bytes>212042</bytes>
        <packets>356</packets>
      </matchRule>
      <matchRule>
        <ruleId>200</ruleId>
        <bytes>212042</bytes>
        <packets>356</packets>
      </matchRule>
    </matchRules>

    <!-- statistics of incoming packets to NIFIC -->
    <interfaces>                      
      <interface>
        <ifInPackets>1234</ifInPackets>
      </interface>
    </interfaces> 
  </statistics>
</nific> 

XML schema definition

There is a namespace for device configuration named:

http://www.liberouter.org/ns/netopeer/nific/0.5

The schema also contains special attributes called hints, intended primarily for frontends as additional information about the data model and its semantics. These hints are distinguished by a special namespace with the h prefix. The set of hints is a work in progress and is defined in a separate document at

http://www.liberouter.org/ns/netopeer/hints/1.0
<grammar
    ns="http://www.liberouter.org/ns/netopeer/nific/0.5"
    datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
    xmlns:h="http://www.liberouter.org/ns/netopeer/hints/1.0"
    xmlns="http://relaxng.org/ns/structure/1.0">

  • The root element is nific. It contains an optional description of the accessories and other information that is described below.
<start>
  <element name="nific" h:hide="true">
      <ref name="nific-content"/>
  </element>
</start>

  • nific-content - At the uppermost level, the data is divided into several parts that are all optional:
    • Communication with the monitoring center is configured under the monitorCenters element.
    • The rules element describes the filtering rules in use.
    • The statistics element describes statistics from NIFIC.
<define name="nific-content">
  <interleave>
    <optional>
      <element name="monitorCenters" h:role="wrapper">
        <element name="monitorCenter">
          <ref name="monitorCenter-content"/>
        </element>
      </element>
    </optional>
						      
    <optional>
      <element name="rules" h:role="wrapper">
        <zeroOrMore>
          <element name="rule">
            <ref name="rule-content"/>
          </element>
        </zeroOrMore>
      </element>
    </optional>
															  
    <optional>
      <element name="statistics">
        <ref name="statistics-content"/>
      </element>
    </optional>
  </interleave>
</define>

  • monitorCenter-content
    • A monitoring center must be identified by its IP address or hostname and the UDP port for receiving data. The other subelements are optional.
    • Note that the group element enclosing the host and port element patterns has two hint attributes:
      • h:role="key" indicates that the values of both host and port are to be used as a unique key identifying the monitorCenter.
      • h:join=":" specifies that the values of host and port should be rendered together, separated by a colon.
    • Finally, a short description of the monitorCenter can be included in the description element.
<define name="monitorCenter-content">
  <interleave>
    <group h:role="key" h:join=":">
      <element name="host">
        <ref name="ip-or-name-content"/>
      </element>
      <element name="port" h:display="port">
        <data type="positiveInteger">
          <param name="maxInclusive">65535</param>
        </data>
      </element>
    </group>

    <optional>
      <ref name="description-element"/>
    </optional>
  </interleave>
</define>

  • ip-or-name-content - This data type allows either a DNS host name or IP address (v4 or v6).
<define name="ip-or-name-content">
  <choice>
    <group>
      <attribute name="content-type">
        <value>ipv4</value>
      </attribute>
      <ref name="ipv4-address-content"/>
    </group>
    <group>
      <attribute name="content-type">
        <value>ipv6</value>
      </attribute>
      <ref name="ipv6-address-content"/>
    </group>
    <group>
      <attribute name="content-type">
        <value>name</value>
      </attribute>
      <ref name="domain-name-content"/>
    </group>
  </choice>
</define>

  • ipv4-address-content - This data type defines the IPv4 address in the usual dotted quad notation using a regular expression pattern.
<define name="ipv4-address-content">
  <data type="token">
    <param name="pattern">((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])</param>
  </data>
</define>

  • ipv6-address-content - This data type represents the IPv6 address in one of the three textual formats defined in RFC 4291 (full, shortened and mixed).
<define name="ipv6-address-content">
  <choice>
    <data type="token">
      <param name="pattern">([0-9a-fA-F]{0,4}:){0,7}[0-9a-fA-F]{0,4}</param>
      <param name="pattern">(([0-9a-fA-F]+:){7}[0-9a-fA-F]+)|(([0-9a-fA-F]+:)*[0-9a-fA-F]+)?::(([0-9a-fA-F]+:)*[0-9a-fA-F]+)?</param>
    </data>
    <data type="token">
      <param name="pattern">([0-9a-fA-F]{0,4}:){0,6}((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])</param>
      <param name="pattern">(([0-9a-fA-F]+:){6}|(([0-9a-fA-F]+:)*[0-9a-fA-F]+)?::([0-9a-fA-F]+:)*)((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])</param>
    </data>
  </choice>
</define>

  • domain-name-content - This data type represents a DNS domain name as per RFC 1034 and 1123.
<define name="domain-name-content">
  <data type="token">
    <param name="maxLength">255</param>
    <param name="pattern">([A-Za-z0-9]([-A-Za-z0-9]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([-A-Za-z0-9]{0,61}[A-Za-z0-9])?\.?</param>
  </data>
</define>
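
The address types above, transcribed into Python as an added example (not part of the original page or of the Netopeer code). It shows the content-type dispatch, the AND of repeated pattern params, and why the dot in the IPv4 tail of the mixed IPv6 form has to be escaped as it is in ipv4-address-content; `valid_host` and its `dot` parameter are names invented here.

```python
import re

# Patterns transcribed from the schema. The IPv4 tail of the mixed IPv6 form
# takes the dot as a parameter so escaped and unescaped variants can be compared.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])"
H = r"[0-9a-fA-F]"
LABEL = r"[A-Za-z0-9]([-A-Za-z0-9]{0,61}[A-Za-z0-9])?"
IPV4 = [rf"({OCTET}\.){{3}}{OCTET}"]
IPV6_HEX = [
    rf"({H}{{0,4}}:){{0,7}}{H}{{0,4}}",
    rf"(({H}+:){{7}}{H}+)|(({H}+:)*{H}+)?::(({H}+:)*{H}+)?",
]
NAME = [rf"({LABEL}\.)*{LABEL}\.?"]


def ipv6_mixed(dot):
    tail = rf"({OCTET}{dot}){{3}}{OCTET}"
    return [
        rf"({H}{{0,4}}:){{0,6}}{tail}",
        rf"(({H}+:){{6}}|(({H}+:)*{H}+)?::({H}+:)*){tail}",
    ]


def all_match(patterns, value):
    # XSD patterns are implicitly anchored, and repeated pattern params are ANDed.
    return all(re.fullmatch(p, value) for p in patterns)


def valid_host(content_type, value, dot=r"\."):
    """Validate a <host> value the way ip-or-name-content dispatches on content-type."""
    value = " ".join(value.split())  # xsd:token whitespace normalization
    if content_type == "ipv4":
        return all_match(IPV4, value)
    if content_type == "ipv6":
        return all_match(IPV6_HEX, value) or all_match(ipv6_mixed(dot), value)
    if content_type == "name":
        return len(value) <= 255 and all_match(NAME, value)
    return False  # no <choice> branch for any other content-type
```

With `dot="."` the constructed value `::ffff:10x0x0x1` passes as an IPv6 address, because an unescaped dot matches any character. The name pattern also accepts `10.0.0.1`, so a consumer should not infer the address family from a `name` value.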

  • description-element - This element contains a free-text description of its parent object.
<define name="description-element">
  <optional>
    <element name="description">
      <text/>
    </element>
  </optional>
</define>

  • rule-content - The rule-content element describes the filtering rules in use. Every rule must have a UNIQUE identifier, which is also the rule's priority: a lower number means a higher priority. It is highly recommended to assign identifiers in steps of 100, so that a new rule can later be added with a priority between existing rules. The rules themselves are given in the value element in our special format, which is very similar to the commonly used BPF format; the format is described in detail in another document.
<define name="rule-content">
  <element name="id" h:role="key"> 
    <data type="positiveInteger"> 
      <param name="maxInclusive">4000000000</param> 
    </data> 
  </element> 
  <element name="value">
    <text/>
  </element>
</define>

  • statistics-content - The statistics-content element describes the statistics of NIFIC:
    • uptime - the time NIFIC has been "up" and running, in seconds.
    • Statistics about matched rules.
    • Statistics about incoming packets on the network interface of NIFIC (packets incoming to NIFIC).
<define name="statistics-content">
  <interleave>
    <optional>
      <element name="upTime">
        <data type="unsignedInt"/>
      </element>
    </optional>
    <optional>
      <element name="matchRules">
        <ref name="matchRules-content"/>
      </element>
    </optional>
    <optional>
      <element name="interfaces" h:role="wrapper">
        <element name="interface">
          <ref name="interface-content"/>
        </element>
      </element>
    </optional>
  </interleave>
</define>

  • matchRules-content - The matchRules-content element describes statistical information about matched rules.
<define name="matchRules-content">
  <interleave>
    <optional>
      <zeroOrMore>
        <element name="matchRule">
          <ref name="matchRule-content"/>
        </element>
      </zeroOrMore>     
    </optional>
  </interleave>
</define>

  • matchRule-content - The matchRule-content element describes statistical information about each matched rule. The ruleId element is the unique identifier of the rule (it is a reference to the id element in the rule element). The rule statistics are the number of packets matched by the rule and the sum of those packets' sizes in bytes.
<define name="matchRule-content">
  <interleave>
    <element name="ruleId">
      <data type="positiveInteger">
        <param name="maxInclusive">4294967295</param>
      </data>
    </element>
    <element name="bytes">
      <data type="unsignedLong"/>
    </element>
    <element name="packets">
      <data type="unsignedLong"/>
    </element>
  </interleave>
</define>
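
The schema cannot express that rule ids are unique (rule-content) or that each ruleId refers to an existing rule (matchRule-content), so a consumer has to check both after validation. The following added example (not part of the original page or of the Netopeer code) does that and returns the rules in priority order; `check_rules`, `parse_id` and the default-block policy check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"n": "http://www.liberouter.org/ns/netopeer/nific/0.5"}
MAX_RULE_ID = 4000000000  # maxInclusive of rule/id in the schema

# Constructed sample: duplicate id 100, and a matchRule naming a missing rule.
SAMPLE = """<nific xmlns="http://www.liberouter.org/ns/netopeer/nific/0.5">
  <rules>
    <rule><id>200</id><value>pass from 147.15.2.3 to any port &lt;1024</value></rule>
    <rule><id>100</id><value>pass crop 400 from 10.0.0.1 to any</value></rule>
    <rule><id>100</id><value>block</value></rule>
  </rules>
  <statistics><matchRules>
    <matchRule><ruleId>300</ruleId><bytes>0</bytes><packets>0</packets></matchRule>
  </matchRules></statistics>
</nific>"""


def parse_id(text):
    """Return the id as int if it is a positiveInteger within range, else None."""
    text = text.strip()
    if text.isascii() and text.isdigit() and 1 <= int(text) <= MAX_RULE_ID:
        return int(text)
    return None


def check_rules(xml_text):
    """Return (rules as (id, value) sorted by priority, list of problems)."""
    # ElementTree is used on an embedded sample; it is not hardened for untrusted XML.
    root = ET.fromstring(xml_text)
    rules, problems = {}, []
    for rule in root.findall("n:rules/n:rule", NS):
        raw = rule.findtext("n:id", "", NS)
        rid = parse_id(raw)
        if rid is None:
            problems.append(f"rule id {raw.strip()!r} is not in 1..{MAX_RULE_ID}")
        elif rid in rules:
            problems.append(f"duplicate rule id {rid}")  # the first one is kept
        else:
            rules[rid] = rule.findtext("n:value", "", NS).strip()
    for ref in root.findall("n:statistics/n:matchRules/n:matchRule/n:ruleId", NS):
        if parse_id(ref.text or "") not in rules:
            problems.append(f"matchRule references unknown rule {(ref.text or '').strip()!r}")
    ordered = sorted(rules.items())  # lower id = higher priority
    # Assumed policy (not a schema requirement): the last rule is a default "block".
    if not ordered or ordered[-1][1] != "block":
        problems.append("lowest-priority rule is not a default 'block'")
    return ordered, problems
```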

  • interface-content - The interface-content element describes statistics about incoming packets on the network interface of NIFIC (packets incoming to NIFIC).
<define name="interface-content">
  <element name="ifInPackets">
    <data type="unsignedLong"/>
  </element>
</define>
</grammar>