...
- Export Restful API interface to support configuration of MWAN3, Firewall & NAT, IpSec.
- Site-to-Site tunnels across edges & edges & central orchestrators and application managers
SDEWAN Service
SDEWAN service restful API provides the capability to list available SDEWAN services, get service status and execute service operation.
Common Error code:
...
Error Response:
...
GET /cgi-bin/luci/sdewan/v1/services
Lists all available sdewan services supported by SDEWAN CNF
Request: N/A
Response
...
Response Parameters
...
Architecture
SDEWAN CNF enhances OpenWRT Luci web interface with SDEWAN controllers to provide Restful API for network functions' configuration and control.
CNF includes below modules:
- MWAN3: mwan3 configuration for multiple WAN links’ management
- Firewall: fw3 configuration for firewall rule, NAT rule.
- IpSec: strongswan configuration to setup security tunnel between CNFs
- DNS/DHCP: dnsmasq configuration for DNS and DHCP (ip4) or odhcpd configuration for DHCP (ip6)
- BGP/OSPF: bird configuration for BGP/OSPF auto routing
- Service: manage (e.g. start, stop, restart etc.) lifecycle of network function applications (e.g. mwan3, fw3, strongswan etc.)
- Runtime States: exports system log for debugging
APIs
Common Error code:
Code | Description |
---|---|
400 | Bad request |
401 | unauthorized - the security token is not provided or has expired. |
404 | resource not found |
Error Response:
Name | In | Type | Description |
---|---|---|---|
message | body | string | error message |
SDEWAN Service
SDEWAN service restful API provides the capability to list available SDEWAN services, get service status and execute service operation.
PUT /cgi-bin/luci/sdewan/v1/services/{service-name}/
Execute an operation for a service
...
Request Parameters
Name | In | Type | Description |
---|---|---|---|
service-name | path | string | service name, valid values are "mwan3", "firewall", "ipsec" |
action | body | string | action to be executed. Valid values are "start", "stop", "restart", "reload" |
- Request Example
{
"action": "start"
}
...
- Normal response code: 200
- Error response code: 400 (e.g. invalid action)
Response Parameters
Name | In | Type | Description |
---|---|---|---|
result | body | string | operation execution result |
- Response Example
{
"result": "success"
}
GET /cgi-bin/luci/sdewan/v1/services
Lists all available SDEWAN services supported by SDEWAN CNF
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
services | body | array | a list of supported services |
- Response Example
{
"services": ["mwan3", "firewall", "ipsec"]
}
SDEWAN Interface
SDEWAN interface API provides network interface information and control to bring a network interface up or down
PUT /cgi-bin/luci/sdewan/v1/interfaces/{interface}/
Execute an operation for a network interface
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
interface | path | string | interface name, e.g. "eth0" |
action | body | string | action to be executed. Valid values are "up", "down" |
- Request Example
{
  "action": "up"
}
Response
- Normal response code: 200
- Error response code: 400 (e.g. invalid action), 404 (e.g. interface not found)
Response Parameters
Name | In | Type | Description |
---|---|---|---|
result | body | string | operation execution result |
- Response Example
{
"result": "success"
}
GET /cgi-bin/luci/sdewan/v1/interfaces
Lists all available network interfaces of the SDEWAN CNF
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
interfaces | body | array | a list of available network interfaces |
ip_address | body | array | ip address of the interface |
ip6_address | body | array | ipv6 address of the interface |
mac_address | body | string | mac address of the interface |
status | body | string | interface status, valid values are "UP", "DOWN" |
received_packets | body | string | number of received packets |
send_packets | body | string | number of sent packets |
- Response Example
{ "interfaces": [
  { "ip_address": ["10.0.0.1"],
    "name":"eth0",
    "status":"UP",
    "send_packets":"19148",
    "mac_address":"22:22:22:22:22:22",
    "receive_packets":"20923" }
]}
GET /cgi-bin/luci/sdewan/v1/interfaces/{interface-name}
Get information about a network interface of the SDEWAN CNF
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
interface-name | path | string | interface name |
ip_address | body | array | ip address of the interface |
ip6_address | body | array | ipv6 address of the interface |
mac_address | body | string | mac address of the interface |
status | body | string | interface status, valid values are "UP", "DOWN" |
received_packets | body | string | number of received packets |
send_packets | body | string | number of sent packets |
- Response Example
{ "ip_address": ["10.0.0.1"],
  "name":"eth0",
  "status":"UP",
  "send_packets":"19148",
  "mac_address":"22:22:22:22:22:22",
  "receive_packets":"20923" }
MWAN3
OpenWRT MWAN3 configuration includes below sections:
- Global: common configuration, specifically used to configure the routable loopback address (for OpenWRT 18.06)
- Interface: define how each WAN interface is tested for up/down status
- Member: represents an interface with a metric and a weight value
- Policy: defines how traffic is routed through the different WAN interface(s)
- Rule: describes what traffic to match and what policy to assign for that traffic.
SDEWAN CNF will be created with Global and Interface sections initialized based on CNF allocated interfaces.
SD-EWAN MWAN3 CNF API provides support to get/create/update/delete MWAN3 Rule, Policy (with Member).
MWAN3 Policy
POST /cgi-bin/luci/sdewan/mwan3/v1/policies
create a new policy
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
update a policy
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
members | body | array | policy members |
interface | body | string | member interface name |
metric | body | int | (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members |
weight | body | int | (optional) default: 1, members with same metric will distribute load based on this weight value |
- Request Example
PUT /cgi-bin/luci/sdewan/mwan3/v1/policies/balanced
{
  "members": [
    {
      "interface": "net1",
      "metric": 1,
      "weight": 2
    },
    {
      "interface": "net2",
      "metric": 1,
      "weight": 1
    }
  ]
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
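The metric and weight semantics in the parameter table above can be checked before a policy is pushed. The following Python is an added example, not part of the SDEWAN CNF code: `validate_policy` and `traffic_split` are hypothetical helper names, and the "positive integer" constraint on metric and weight is an assumption, since the page only states the default of 1.

```python
from fractions import Fraction

# Request body from the page's PUT .../policies/balanced example.
BALANCED = {"members": [
    {"interface": "net1", "metric": 1, "weight": 2},
    {"interface": "net2", "metric": 1, "weight": 1},
]}
# Constructed sample: net2 is a standby link because its metric is higher.
FAILOVER = {"members": [
    {"interface": "net1", "metric": 1},
    {"interface": "net2", "metric": 2},
]}


def validate_policy(body):
    """Return a list of problems in a policy request body (empty list = OK)."""
    problems = []
    members = body.get("members") if isinstance(body, dict) else None
    if not isinstance(members, list) or not members:
        return ["members: must be a non-empty array"]
    for i, member in enumerate(members):
        if not isinstance(member, dict):
            problems.append(f"members[{i}]: must be an object")
            continue
        iface = member.get("interface")
        if not isinstance(iface, str) or not iface:
            problems.append(f"members[{i}].interface: must be a non-empty string")
        for key in ("metric", "weight"):
            value = member.get(key, 1)  # both default to 1 per the table
            # bool is a subclass of int in Python, so reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or value < 1:
                problems.append(f"members[{i}].{key}: must be a positive integer")
    return problems


def traffic_split(body, up_interfaces):
    """Share of traffic per interface, given the set of interfaces that are up.

    Only the members with the lowest metric among the usable links carry
    traffic; within that tier the load is divided in proportion to weight.
    """
    usable = [m for m in body["members"] if m["interface"] in up_interfaces]
    if not usable:
        return {}
    best = min(m.get("metric", 1) for m in usable)
    tier = [m for m in usable if m.get("metric", 1) == best]
    total = sum(m.get("weight", 1) for m in tier)
    return {m["interface"]: Fraction(m.get("weight", 1), total) for m in tier}


if __name__ == "__main__":
    print(validate_policy(BALANCED))
    print(traffic_split(BALANCED, {"net1", "net2"}))
    print(traffic_split(FAILOVER, {"net2"}))
```

Running the split with one link removed from `up_interfaces` shows where traffic lands after a WAN failure, which is worth reviewing before relying on a policy for failover.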
GET /cgi-bin/luci/sdewan/mwan3/v1/policies
Lists all defined policies
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
policies | body | array | a list of defined policies |
- Response Example
{
  "policies": [{
    "name":"balanced",
    "members": [
      {
        "interface": "net1",
        "metric": 1,
        "weight": 2
      },
      {
        "interface": "net2",
        "metric": 1,
        "weight": 1
      }
    ]
  }
  ]
}
GET /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
Get a policy
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | policy name |
members | body | array | policy members |
interface | body | string | member interface name |
metric | body | int | (optional) default: 1, members within one policy with a lower metric have precedence over higher metric members |
weight | body | int | (optional) default: 1, members with same metric will distribute load based on this weight value |
- Response Example
{
  "name": "balanced",
  "members": [
    {
      "interface": "net1",
      "metric": 1,
      "weight": 2
    },
    {
      "interface": "net2",
      "metric": 1,
      "weight": 1
    }
  ]
}
DELETE /cgi-bin/luci/sdewan/mwan3/v1/policies/{policy-name}
delete a policy
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
policy-name | path | string | policy name |
Response
- Normal response codes: 200
- Error response codes: 400, 401, 404
MWAN3 Rule
POST /cgi-bin/luci/sdewan/mwan3/v1/rules
create a new rule
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401, 404
PUT /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
update a rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
policy | body | string | policy used for the rule |
src_ip | body | string | (optional) source ip address |
src_port | body | string | (optional) source port or port range |
dest_ip | body | string | (optional) destination ip address |
dest_port | body | string | (optional) destination port or port range |
proto | body | string | (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" |
family | body | string | (optional) address family. Valid values: "ipv4", "ipv6", "all" |
sticky | body | string | (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use same wan interface as prior session |
timeout | body | int | (optional) default: 600, Stickiness timeout value in seconds |
- Request Example
PUT /cgi-bin/luci/sdewan/mwan3/v1/rules/default_rule
{
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/mwan3/v1/rules
Lists all defined rules
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
rules | body | array | a list of defined rules |
- Response Example
{
"rules": [{
"name":"default_rule",
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
]
}
GET /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
Get a rule
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | rule name |
policy | body | string | policy used for the rule |
src_ip | body | string | (optional) source ip address |
src_port | body | string | (optional) source port or port range |
dest_ip | body | string | (optional) destination ip address |
dest_port | body | string | (optional) destination port or port range |
proto | body | string | (optional) protocol for the rule. Valid values: "tcp", "udp", "icmp", "all" |
family | body | string | (optional) address family. Valid values: "ipv4", "ipv6", "all" |
sticky | body | string | (optional) default: 0, allow traffic from the same source ip address within the timeout limit to use same wan interface as prior session |
timeout | body | int | (optional) default: 600, Stickiness timeout value in seconds |
- Response Example
#ipv4 example
{
"name":"default_rule",
"dest_ip": "0.0.0.0/0",
"policy": "balanced"
}
#ipv6 example
{
"name":"default_ipv6_rule",
"dest_ip": "fdca:f00:ba3::/64",
"policy": "balanced"
}
DELETE /cgi-bin/luci/sdewan/mwan3/v1/rules/{rule-name}
delete a rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
- Normal response codes: 200
- Error response codes: 401, 404
Firewall
OpenWRT Firewall configuration includes below sections:
- Default: declares global firewall settings which do not belong to specific zones
- Include: used to enable customized firewall scripts
- Zone: groups one or more interfaces and serves as a source or destination for forwardings, rules and redirects.
- Forwarding: control the traffic between zones
- Redirect: defines port forwarding (NAT) rules
- Rule: defines basic accept, drop, or reject rules to allow or restrict access to specific ports or hosts.
SDEWAN CNF will be created with Default sections initialized. Include section will not be implemented in this release.
SD-EWAN Firewall API provides support to get/create/update/delete Firewall Zone, Redirect, Rule and Forwardings
Zone
POST /cgi-bin/luci/sdewan/firewall/v1/zones
create a new zone
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
update a zone
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
network | body | array | List of interfaces attached to this zone |
masq | body | boolean | Specifies whether outgoing zone traffic should be masqueraded. "0" or "1" |
masq_src | body | string | Limit masquerading to the given source subnets. |
masq_dest | body | string | Limit masquerading to the given destination subnets |
masq_allow_invalid | body | boolean | whether to add DROP INVALID rules |
mtu_fix | body | boolean | Enable MSS clamping for outgoing zone traffic |
input | body | string | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
forward | body | string | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
output | body | string | Default policy (ACCEPT, REJECT, DROP) for output zone traffic. |
family | body | string | The protocol family (ipv4, ipv6 or any) these iptables rules are for. |
subnet | body | string | List of IP subnets attached to this zone |
extra_src | body | string | Extra arguments passed directly to iptables for source classification rules. |
extra_dest | body | string | Extra arguments passed directly to iptables for destination classification rules. |
- Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/zones/wan
{
"network":"wan",
"input": "REJECT",
"output": "ACCEPT",
"forward": "REJECT",
"masq": "1",
"mtu_fix": "1"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/firewall/v1/zones
Lists all defined zones
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
zones | body | array | a list of defined zones |
- Response Example
{
"zones": [{
"name":"wan",
"network":"wan",
"input": "REJECT",
"output": "ACCEPT",
"forward": "REJECT",
"masq": "1",
"mtu_fix": "1"
}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
Get a zone
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) zone name |
network | body | array | List of interfaces attached to this zone |
masq | body | boolean | Specifies whether outgoing zone traffic should be masqueraded. "0" or "1" |
masq_src | body | string | Limit masquerading to the given source subnets. |
masq_dest | body | string | Limit masquerading to the given destination subnets |
masq_allow_invalid | body | boolean | whether to add DROP INVALID rules |
mtu_fix | body | boolean | Enable MSS clamping for outgoing zone traffic |
input | body | string | Default policy (ACCEPT, REJECT, DROP) for incoming zone traffic. |
forward | body | string | Default policy (ACCEPT, REJECT, DROP) for forwarded zone traffic. |
output | body | string | Default policy (ACCEPT, REJECT, DROP) for output zone traffic. |
family | body | string | The protocol family (ipv4, ipv6 or any) these iptables rules are for. |
subnet | body | string | List of IP subnets attached to this zone |
extra_src | body | string | Extra arguments passed directly to iptables for source classification rules. |
extra_dest | body | string | Extra arguments passed directly to iptables for destination classification rules. |
- Response Example
{
  "name":"wan",
  "network":"wan",
  "input": "REJECT",
  "output": "ACCEPT",
  "forward": "REJECT",
  "masq": "1",
  "mtu_fix": "1"
}
DELETE /cgi-bin/luci/sdewan/firewall/v1/zones/{zone-name}
delete a zone
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
zone-name | path | string | zone name |
Response
- Normal response codes: 200
- Error response codes: 401, 404
Redirect
POST /cgi-bin/luci/sdewan/firewall/v1/redirects
create a new redirect
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
update a redirect
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
src | body | string | (Required for DNAT) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address. |
src_dip | body | string | (Required for SNAT) For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address. |
src_mac | body | string | Match incoming traffic from the specified mac address. |
src_port | body | port or range | Match incoming traffic originating from the given source port or port range on the client host. |
src_dport | body | port or range | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value. |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
dest | body | string | Specifies the traffic destination zone. Must refer to one of the defined zone names. |
dest_ip | body | string | For DNAT, redirect matches incoming traffic to the specified internal host. For SNAT, it matches traffic directed at the given address. |
dest_port | body | port or range | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. |
mark | body | string | match traffic against the given firewall mark |
target | body | string | (Required) NAT target: SNAT, DNAT |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
- Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/redirects/dnat_lan
{
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
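The redirect parameter table carries several conditional requirements (src for DNAT, src_dip for SNAT, a fixed proto list, zone names that must exist). The Python below is an added example, not SDEWAN CNF code, that checks a redirect body against that table before it is sent and adds one review warning. `check_redirect`, `parse_ports` and the `SENSITIVE_PORTS` list are hypothetical names and local-policy assumptions.

```python
import ipaddress

# Allowed values copied from the redirect parameter table above.
PROTOS = {"tcp", "udp", "tcpudp", "udplite", "icmp", "esp", "ah", "sctp", "all"}
FAMILIES = {"ipv4", "ipv6", "any"}
# Assumption: ports this site treats as management services (local policy).
SENSITIVE_PORTS = {22, 23, 3389}

# Request body from the page's PUT .../redirects/dnat_lan example.
DNAT_LAN = {"src": "wan", "src_dport": "19900", "dest": "lan",
            "dest_ip": "192.168.1.1", "dest_port": "22",
            "proto": "tcp", "target": "DNAT"}


def parse_ports(value):
    """Parse "22" or "8000-8100" into (low, high); raise ValueError if invalid."""
    low, sep, high = str(value).partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return lo, hi


def check_redirect(body, zones):
    """Return (errors, warnings) for a redirect body; zones = defined zone names."""
    errors, warnings = [], []
    target = body.get("target")
    if target not in ("SNAT", "DNAT"):
        errors.append("target is required and must be SNAT or DNAT")
    if target == "DNAT" and not body.get("src"):
        errors.append("src is required for DNAT")
    if target == "SNAT" and not body.get("src_dip"):
        errors.append("src_dip is required for SNAT")
    for key in ("src", "dest"):
        if key in body and body[key] not in zones:
            errors.append(f"{key}: {body[key]!r} is not a defined zone")
    if "proto" in body and body["proto"] not in PROTOS:
        errors.append(f"proto: {body['proto']!r} is not a documented value")
    if "family" in body and body["family"] not in FAMILIES:
        errors.append(f"family: {body['family']!r} is not a documented value")
    for key in ("src_ip", "src_dip", "dest_ip"):
        if key in body:
            try:
                ipaddress.ip_network(body[key], strict=False)
            except ValueError:
                errors.append(f"{key}: {body[key]!r} is not an IP address or subnet")
    ranges = {}
    for key in ("src_port", "src_dport", "dest_port"):
        if key in body:
            try:
                ranges[key] = parse_ports(body[key])
            except ValueError:
                errors.append(f"{key}: {body[key]!r} is not a port or port range")
    # Review aid: a DNAT without a src_ip match accepts traffic from every
    # host in the source zone, so call out forwards to management ports.
    if target == "DNAT" and "dest_port" in ranges and "src_ip" not in body:
        lo, hi = ranges["dest_port"]
        exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            warnings.append(f"DNAT to {body.get('dest_ip')} forwards port(s) "
                            f"{exposed} with no src_ip restriction")
    return errors, warnings


if __name__ == "__main__":
    print(check_redirect(DNAT_LAN, {"wan", "lan"}))
```

The page's own `dnat_lan` body passes validation but triggers the warning, because it forwards to port 22 from the wan zone without a `src_ip` match.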
GET /cgi-bin/luci/sdewan/firewall/v1/redirects
Lists all defined redirects
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
redirects | body | array | a list of defined redirects |
- Response Example
{
"redirects": [{
"name":"dnat_lan",
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
]
}
GET /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
Get a redirect
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) forwarding name |
src | body | string | (Required for DNAT) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address. |
src_dip | body | string | (Required for SNAT) For DNAT, match incoming traffic directed at the given destination ip address. For SNAT rewrite the source address to the given address. |
src_mac | body | string | Match incoming traffic from the specified mac address. |
src_port | body | port or range | Match incoming traffic originating from the given source port or port range on the client host. |
src_dport | body | port or range | For DNAT, match incoming traffic directed at the given destination port or port range on this host. For SNAT rewrite the source ports to the given value. |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
dest | body | string | Specifies the traffic destination zone. Must refer to one of the defined zone names. |
dest_ip | body | string | For DNAT, redirect matches incoming traffic to the specified internal host. For SNAT, it matches traffic directed at the given address. |
dest_port | body | port or range | For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. |
mark | body | string | match traffic against the given firewall mark |
target | body | string | (Required) NAT target: SNAT, DNAT |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
- Response Example
{
"name":"dnat_lan",
"src":"wan",
"src_dport":"19900",
"dest":"lan",
"dest_ip":"192.168.1.1",
"dest_port":"22",
"proto":"tcp",
"target":"DNAT"}
DELETE /cgi-bin/luci/sdewan/firewall/v1/redirects/{redirect-name}
delete a redirect rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
redirect-name | path | string | redirect name |
Response
- Normal response codes: 200
- Error response codes: 401, 404
Rule
POST /cgi-bin/luci/sdewan/firewall/v1/rules
create a new rule
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401
PUT /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
update a rule
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
src | body | string | (Required) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address |
src_mac | body | string | Match incoming traffic from the specified mac address |
src_port | body | port or range | Match incoming traffic from the specified source port or port range |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
icmp_type | body | string | For protocol icmp select specific icmp types to match. |
dest | body | string | traffic destination zone. Must refer to one of the defined zone names, or * for any zone |
dest_ip | body | string | Match incoming traffic directed to the specified destination ip address |
dest_port | body | port or range | Match incoming traffic directed at the given destination port or port range |
mark | body | string | If specified, match traffic against the given firewall mark |
target | body | string | (Required) Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
set_mark | body | string | Zeroes out the bits given by mask and ORs value into the packet mark. |
set_xmark | body | string | Zeroes out the bits given by mask and XORs value into the packet mark |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
extra | body | string | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
- Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/rules/reject_lan_80
{
  "src":"lan",
  "src_ip": "192.168.1.2",
  "src_port": "80",
  "proto":"tcp",
  "target":"REJECT"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
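Because `extra` is handed to iptables as additional arguments, a caller that builds rule bodies from untrusted or templated input should constrain it before the PUT. The Python below is an added example, not SDEWAN CNF code: `check_rule`, `check_extra` and the `ALLOWED_EXTRA` allowlist are hypothetical, and the allowlist is an assumed local policy that permits only the IPsec policy match the table mentions.

```python
import shlex

# Firewall actions listed for "target" in the rule parameter table.
TARGETS = {"ACCEPT", "REJECT", "DROP", "MARK", "NOTRACK"}
# Assumption (local policy): the only iptables options accepted in "extra"
# are those of the IPsec policy match, each with a fixed set of values.
ALLOWED_EXTRA = {
    "-m": {"policy"},
    "--dir": {"in", "out"},
    "--pol": {"ipsec", "none"},
}

# Request body from the page's PUT .../rules/reject_lan_80 example.
REJECT_LAN_80 = {"src": "lan", "src_ip": "192.168.1.2", "src_port": "80",
                 "proto": "tcp", "target": "REJECT"}


def check_extra(extra):
    """Return problems found in an "extra" string (empty list = allowlisted)."""
    if not isinstance(extra, str):
        return ["extra: must be a string"]
    try:
        tokens = shlex.split(extra)
    except ValueError as exc:  # e.g. an unbalanced quote
        return [f"extra: cannot tokenize ({exc})"]
    errors = []
    i = 0
    while i < len(tokens):
        option = tokens[i]
        allowed = ALLOWED_EXTRA.get(option)
        if allowed is None:
            errors.append(f"extra: {option!r} is not an allowlisted option")
            i += 1
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if value not in allowed:
            errors.append(f"extra: {option} {value!r} is not allowlisted")
        i += 2
    return errors


def check_rule(body):
    """Return problems found in a firewall rule body (empty list = OK)."""
    errors = []
    if not body.get("src"):
        errors.append("src is required")
    if body.get("target") not in TARGETS:
        errors.append("target is required and must be one of "
                      + ", ".join(sorted(TARGETS)))
    if body.get("icmp_type") and body.get("proto") != "icmp":
        errors.append("icmp_type applies only when proto is icmp")
    if "extra" in body:
        errors.extend(check_extra(body["extra"]))
    return errors


if __name__ == "__main__":
    print(check_rule(REJECT_LAN_80))
    print(check_rule(dict(REJECT_LAN_80, extra="-m policy --dir in")))
    print(check_rule(dict(REJECT_LAN_80, extra="-m policy --dir in -j ACCEPT")))
```

The same allowlist approach can be applied to the zone fields `extra_src` and `extra_dest`, which the zone table also describes as passed directly to iptables.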
GET /cgi-bin/luci/sdewan/firewall/v1/rules
Lists all defined rules
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
rules | body | array | a list of defined rules |
- Response Example
{
  "rules": [{
    "name":"reject_lan_80",
    "src":"lan",
    "src_ip": "192.168.1.2",
    "src_port": "80",
    "proto":"tcp",
    "target":"REJECT"
  }
  ]
}
GET /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
Get a rule
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) rule name |
src | body | string | (Required) traffic source zone |
src_ip | body | string | Match incoming traffic from the specified source ip address |
src_mac | body | string | Match incoming traffic from the specified mac address |
src_port | body | port or range | Match incoming traffic from the specified source port or port range |
proto | body | string | Match incoming traffic using the given protocol. Can be one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp, or all |
icmp_type | body | string | For protocol icmp select specific icmp types to match. |
dest | body | string | traffic destination zone. Must refer to one of the defined zone names, or * for any zone |
dest_ip | body | string | Match incoming traffic directed to the specified destination ip address |
dest_port | body | port or range | Match incoming traffic directed at the given destination port or port range |
mark | body | string | If specified, match traffic against the given firewall mark |
target | body | string | (Required) Firewall action (ACCEPT, REJECT, DROP, MARK, NOTRACK) for matched traffic |
set_mark | body | string | Zeroes out the bits given by mask and ORs value into the packet mark. |
set_xmark | body | string | Zeroes out the bits given by mask and XORs value into the packet mark |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for |
extra | body | string | Extra arguments to pass to iptables. Useful mainly to specify additional match options, such as -m policy --dir in for IPsec. |
- Response Example
{
  "name":"reject_lan_80",
  "src":"lan",
  "src_ip": "192.168.1.2",
  "src_port": "80",
  "proto":"tcp",
  "target":"REJECT"
}
DELETE /cgi-bin/luci/sdewan/firewall/v1/rules/{rule-name}
delete a firewall rule
Request:
Request Parameters
Name | In | Type | Description |
---|---|---|---|
rule-name | path | string | rule name |
Response
- Normal response codes: 200
- Error response codes: 401, 404
Forwarding
POST /cgi-bin/luci/sdewan/firewall/v1/forwardings
create a new forwarding
Request:
Request Parameters: same with PUT's request
- Request Example: same with PUT's example
Response
- Normal response codes: 201
- Error response codes: 400, 401, 404
PUT /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
update a forwarding
Request:
Request Parameters:
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
src | body | string | (Required) traffic source zone |
dest | body | string | (Required) traffic destination zone |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
- Request Example
PUT /cgi-bin/luci/sdewan/firewall/v1/forwardings/lan_wan
{
  "src":"lan",
  "dest": "wan"
}
Response
- Normal response codes: 204
- Error response codes: 400, 401, 404
GET /cgi-bin/luci/sdewan/firewall/v1/forwardings
Lists all defined forwardings
Request: N/A
Response
- Normal response codes: 200
Response Parameters
Name | In | Type | Description |
---|---|---|---|
forwardings | body | array | a list of defined forwardings |
- Response Example
{
  "forwardings": [{
    "name":"lan_wan",
    "src":"lan",
    "dest": "wan"
  }
  ]
}
GET /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
Get a forwarding
Request: N/A
Request Parameters
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
Response
- Normal response codes: 200
- Error response code: 404
Response Parameters
Name | In | Type | Description |
---|---|---|---|
name | body | string | (Required) forwarding name |
src | body | string | (Required) traffic source zone |
dest | body | string | (Required) traffic destination zone |
family | body | string | Protocol family (ipv4, ipv6 or any) to generate iptables rules for. |
- Response Example
{
  "name":"lan_wan",
  "src":"lan",
  "dest": "wan"
}
DELETE /cgi-bin/luci/sdewan/firewall/v1/forwardings/{forwarding-name}
delete a forwarding rule
...
Request Parameters
Name | In | Type | Description |
---|---|---|---|
forwarding-name | path | string | forwarding name |
...