From 2dc2df575bc4de60759a272f5e6880326501a7ef Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Thu, 16 Nov 2023 15:37:56 +0000
Subject: T4072: firewall: backport bridge firewall to sagitta

---
 .../include/firewall/action-l2.xml.i               | 37 +++++++++++++++++++
 .../include/firewall/action.xml.i                  |  8 +++--
 .../include/firewall/bridge-custom-name.xml.i      | 39 ++++++++++++++++++++
 .../include/firewall/bridge-hook-forward.xml.i     | 34 ++++++++++++++++++
 .../include/firewall/common-rule-bridge.xml.i      | 34 ++++++++++++++++++
 .../include/firewall/common-rule-inet.xml.i        |  7 +---
 .../include/firewall/default-action-bridge.xml.i   | 34 ++++++++++++++++++
 .../include/firewall/default-action.xml.i          | 10 ++++--
 .../include/firewall/match-vlan.xml.i              | 41 ++++++++++++++++++++++
 9 files changed, 233 insertions(+), 11 deletions(-)
 create mode 100644 interface-definitions/include/firewall/action-l2.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-custom-name.xml.i
 create mode 100644 interface-definitions/include/firewall/bridge-hook-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/common-rule-bridge.xml.i
 create mode 100644 interface-definitions/include/firewall/default-action-bridge.xml.i
 create mode 100644 interface-definitions/include/firewall/match-vlan.xml.i

(limited to 'interface-definitions/include')

diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
new file mode 100644
index 000000000..43fd211b4
--- /dev/null
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+<!-- include start from firewall/action-l2.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump return drop queue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|return|drop|queue)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 7c6e33839..9391a7bee 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,12 +3,16 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept jump reject return drop queue</list>
+      <list>accept continue jump reject return drop queue</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
       <description>Accept matching entries</description>
     </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
     <valueHelp>
       <format>jump</format>
       <description>Jump to another chain</description>
@@ -30,7 +34,7 @@
       <description>Enqueue packet to userspace</description>
     </valueHelp>
     <constraint>
-      <regex>(accept|jump|reject|return|drop|queue)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue)</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
new file mode 100644
index 000000000..a85fd5a19
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,39 @@
+<!-- include start from firewall/bridge-custom-name.xml.i -->
+<tagNode name="name">
+  <properties>
+    <help>Bridge custom firewall</help>
+    <constraint>
+      <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+    </constraint>
+  </properties>
+  <children>
+    #include <include/firewall/default-action.xml.i>
+    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/generic-description.xml.i>
+    <leafNode name="default-jump-target">
+      <properties>
+        <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
+        <completionHelp>
+          <path>firewall bridge name</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <tagNode name="rule">
+      <properties>
+        <help>Bridge Firewall forward filter rule number</help>
+        <valueHelp>
+          <format>u32:1-999999</format>
+          <description>Number for this firewall rule</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-999999"/>
+        </constraint>
+        <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+      </properties>
+      <children>
+        #include <include/firewall/common-rule-bridge.xml.i>
+      </children>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
new file mode 100644
index 000000000..23d757070
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/bridge-hook-forward.xml.i -->
+<node name="forward">
+  <properties>
+    <help>Bridge forward firewall</help>
+  </properties>
+  <children>
+    <node name="filter">
+      <properties>
+        <help>Bridge firewall forward filter</help>
+      </properties>
+      <children>
+        #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/generic-description.xml.i>
+        <tagNode name="rule">
+          <properties>
+            <help>Bridge Firewall forward filter rule number</help>
+            <valueHelp>
+              <format>u32:1-999999</format>
+              <description>Number for this firewall rule</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-999999"/>
+            </constraint>
+            <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
+          </properties>
+          <children>
+            #include <include/firewall/common-rule-bridge.xml.i>
+          </children>
+        </tagNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
new file mode 100644
index 000000000..ebf95a111
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/common-rule-bridge.xml.i -->
+#include <include/firewall/action-l2.xml.i>
+#include <include/firewall/nft-queue.xml.i>
+<node name="destination">
+  <properties>
+    <help>Destination parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/generic-disable-node.xml.i>
+<leafNode name="jump-target">
+  <properties>
+    <help>Set jump target. Action jump must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall bridge name</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+#include <include/firewall/log.xml.i>
+#include <include/firewall/rule-log-options.xml.i>
+<node name="source">
+  <properties>
+    <help>Source parameters</help>
+  </properties>
+  <children>
+    #include <include/firewall/mac-address.xml.i>
+  </children>
+</node>
+#include <include/firewall/inbound-interface.xml.i>
+#include <include/firewall/outbound-interface.xml.i>
+#include <include/firewall/match-vlan.xml.i>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 52721ecc4..030adfe7c 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -7,12 +7,7 @@
 #include <include/firewall/connection-mark.xml.i>
 #include <include/firewall/conntrack-helper.xml.i>
 #include <include/firewall/nft-queue.xml.i>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
+#include <include/generic-disable-node.xml.i>
 <node name="fragment">
   <properties>
     <help>IP fragment match</help>
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
new file mode 100644
index 000000000..577165976
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -0,0 +1,34 @@
+<!-- include start from firewall/default-action-bridge.xml.i -->
+<leafNode name="default-action">
+  <properties>
+    <help>Default action for rule-set</help>
+    <completionHelp>
+      <list>drop jump return accept continue</list>
+    </completionHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept if no prior rules are hit</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <constraint>
+      <regex>(drop|jump|return|accept|continue)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>drop</defaultValue>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 80efaf335..6a49d800e 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -1,9 +1,9 @@
 <!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
   <properties>
-    <help>Default-action for rule-set</help>
+    <help>Default action for rule-set</help>
     <completionHelp>
-      <list>drop jump reject return accept</list>
+      <list>drop jump reject return accept continue</list>
     </completionHelp>
     <valueHelp>
       <format>drop</format>
@@ -25,8 +25,12 @@
       <format>accept</format>
       <description>Accept if no prior rules are hit</description>
     </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
     <constraint>
-      <regex>(drop|jump|reject|return|accept)</regex>
+      <regex>(drop|jump|reject|return|accept|continue)</regex>
     </constraint>
   </properties>
   <defaultValue>drop</defaultValue>
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
new file mode 100644
index 000000000..d0820f7d8
--- /dev/null
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/match-vlan.xml.i -->
+<node name="vlan">
+  <properties>
+    <help>VLAN parameters</help>
+  </properties>
+  <children>
+    <leafNode name="id">
+      <properties>
+        <help>VLAN id</help>
+        <valueHelp>
+          <format>u32:0-4096</format>
+          <description>VLAN id</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>VLAN id range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-4095"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="priority">
+      <properties>
+        <help>VLAN priority(pcp)</help>
+        <valueHelp>
+          <format>u32:0-7</format>
+          <description>VLAN priority</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;start-end&gt;</format>
+          <description>VLAN priority range to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 0-7"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
-- 
cgit v1.2.3