nsxt.md

NSXT

The nsxt header designation has the following format:

target:: nsxt {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId
section_name: specifies the name of the section all terms in this header apply to.
inet: specifies that the resulting filter should only render IPv4 addresses.
inet6: specifies that the resulting filter should only render IPv6 addresses.
mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
sectionId: specifies the Id for the section [optional]
securitygroup: specifies that the appliedTo should be security group [optional]
securitygroupId: specifies the Id of the security group [mandatory if securitygroup is given]
(Required keywords option and verbatim are not supported in NSX)

Nsxt

The nsxt header designation has the following format:

target:: nsxt {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId
  • section_name: specifies the name of the DFW rule all terms in this header apply to. [mandatory field]
  • inet: specifies that the output should be for IPv4-only filters. This is the default format.
  • inet6: specifies that the output should be for IPv6-only filters.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
  • sectionId: specifies the Id for the section [optional]
  • securitygroup: specifies that the appliedTo should be security group [optional]
  • securitygroupId: specifies the Id of the security group [mandatory if securitygroup is given]

(Required keywords option and verbatim are not supported in NSX)
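
A lint check for the header rules listed above, as an added example (not code from this project). It assumes the options are positional in the order shown, that the address family may be omitted and then defaults to inet, and that section and security group Ids are opaque tokens; `parse_nsxt_target`, `lint_headers`, `HeaderError` and the sample lines are hypothetical names and constructed data.

```python
ADDRESS_FAMILIES = ("inet", "inet6", "mixed")


class HeaderError(ValueError):
    """Raised when a target line breaks one of the documented header rules."""


def parse_nsxt_target(line):
    """Parse a 'target:: nsxt ...' line into a dict of header options."""
    tokens = line.split()
    if tokens[:2] != ["target::", "nsxt"]:
        raise HeaderError("not an nsxt target line")
    rest = tokens[2:]
    # section_name is mandatory and must not be mistaken for a keyword.
    if not rest or rest[0] in ADDRESS_FAMILIES + ("securitygroup",):
        raise HeaderError("section_name is mandatory")
    parsed = {"section_name": rest.pop(0), "address_family": "inet",
              "section_id": None, "securitygroup_id": None}
    if rest and rest[0] in ADDRESS_FAMILIES:
        parsed["address_family"] = rest.pop(0)
    if rest and rest[0] != "securitygroup":
        parsed["section_id"] = rest.pop(0)  # optional, kept as an opaque token
    if rest and rest[0] == "securitygroup":
        if len(rest) < 2:
            raise HeaderError("securitygroup given without securitygroupId")
        parsed["securitygroup_id"] = rest[1]
        rest = rest[2:]
    if rest:
        raise HeaderError("unexpected options: " + " ".join(rest))
    return parsed


def lint_headers(lines):
    """Return {line: error} for every header line that fails to parse."""
    errors = {}
    for line in lines:
        try:
            parse_nsxt_target(line)
        except HeaderError as exc:
            errors[line] = str(exc)
    return errors


# Constructed sample headers (names and Ids are made up for illustration).
SAMPLES = [
    "target:: nsxt web_section mixed 1009 securitygroup sg-web",
    "target:: nsxt web_section",
    "target:: nsxt web_section inet6 securitygroup",
    "target:: nsxt inet6",
]
```

Running `lint_headers` over the header lines of a policy repository before merge catches a `securitygroup` keyword left without its Id, so the intended appliedTo scope is never silently dropped.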

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-port:: One or more service definition tokens
  • expiration:: Stop rendering this term after the specified date, given as YYYY-MM-DD.
  • icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See the platform's supported Options section.
  • platform:: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-port:: one or more service definition tokens.
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • reject
  • reject-with-tcp-rst