| author | talmakion <andrewt@telekinetica.net> | 2024-07-28 21:47:07 +1000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-28 14:47:07 +0300 |
| commit | e2bf8812f73a75356f56274968be8859a2186d73 (patch) | |
| tree | 2f71b4042bb602ca58f03792af0143903e8e3f24 /op-mode-definitions | |
| parent | ba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff) | |
| download | vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip | |
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
  * I needed to check for ipsec-in matches no matter how deeply nested
  under an output-hook chain (via jump-target) - this always generates
  an error.
  * Ended up retrofitting the jump-targets validator from root chains
  and for named custom chains. It checks for recursive loops and improper
  IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
Diffstat (limited to 'op-mode-definitions')
0 files changed, 0 insertions, 0 deletions