From e2bf8812f73a75356f56274968be8859a2186d73 Mon Sep 17 00:00:00 2001 From: talmakion Date: Sun, 28 Jul 2024 21:47:07 +1000 Subject: firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests --- interface-definitions/include/firewall/ipv6-hook-output.xml.i | 2 ++ 1 file changed, 2 insertions(+) (limited to 'interface-definitions/include/firewall/ipv6-hook-output.xml.i') diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index f877cfaaf..d3c4c1ead 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -26,6 +26,7 @@ #include + #include #include @@ -53,6 +54,7 @@ #include + #include #include -- cgit v1.2.3