From 1c2209c1dc84993d0f766f3d14df1fb3adf9dda2 Mon Sep 17 00:00:00 2001 
From: Nicolas Fort Date: Tue, 23 May 2023 14:48:15 -0300 Subject: T5160: firewall refactor: new cli structure. Update only all xml --- .../include/firewall/action-and-notrack.xml.i | 41 ++ .../include/firewall/common-rule-ipv4-raw.xml.i | 331 ++++++++++++++++ .../include/firewall/common-rule-ipv4.xml.i | 416 +++++++++++++++++++++ .../include/firewall/common-rule-ipv6.xml.i | 416 +++++++++++++++++++++ .../firewall/default-action-base-chains.xml.i | 22 ++ .../include/firewall/global-options.xml.i | 272 ++++++++++++++ .../include/firewall/inbound-interface.xml.i | 10 + .../include/firewall/ipv4-custom-name.xml.i | 49 +++ .../include/firewall/ipv4-hook-forward.xml.i | 44 +++ .../include/firewall/ipv4-hook-input.xml.i | 43 +++ .../include/firewall/ipv4-hook-output.xml.i | 43 +++ .../include/firewall/ipv4-hook-prerouting.xml.i | 85 +++++ .../include/firewall/ipv6-custom-name.xml.i | 49 +++ .../include/firewall/ipv6-hook-forward.xml.i | 44 +++ .../include/firewall/ipv6-hook-input.xml.i | 43 +++ .../include/firewall/ipv6-hook-output.xml.i | 43 +++ .../include/firewall/match-interface.xml.i | 7 + .../include/firewall/outbound-interface.xml.i | 10 + .../include/version/firewall-version.xml.i | 2 +- 19 files changed, 1969 insertions(+), 1 deletion(-) create mode 100644 interface-definitions/include/firewall/action-and-notrack.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv4.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/default-action-base-chains.xml.i create mode 100644 interface-definitions/include/firewall/global-options.xml.i create mode 100644 interface-definitions/include/firewall/inbound-interface.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-custom-name.xml.i create mode 100644 
interface-definitions/include/firewall/ipv4-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-custom-name.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-input.xml.i create mode 100644 interface-definitions/include/firewall/ipv6-hook-output.xml.i create mode 100644 interface-definitions/include/firewall/outbound-interface.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i new file mode 100644 index 000000000..5f81a1451 --- /dev/null +++ b/interface-definitions/include/firewall/action-and-notrack.xml.i @@ -0,0 +1,41 @@ + + + + Rule action + + accept jump notrack reject return drop queue + + + accept + Accept matching entries + + + jump + Jump to another chain + + + reject + Reject matching entries + + + return + Return from the current chain and continue at the next rule of the last chain + + + drop + Drop matching entries + + + queue + Enqueue packet to userspace + + + notrack + Igone connection tracking + + + (accept|jump|notrack|reject|return|drop|queue) + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i new file mode 100644 index 000000000..86af2fb0e --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i 
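Review bot: The help string added for the `notrack` action in action-and-notrack.xml.i reads `Igone connection tracking`; it should be `Ignore connection tracking`. This is the text an operator sees at the CLI when picking an action, so I would also state the consequence, for example `Skip connection tracking for matching packets (later state-based rules will not match them)`. The element tags are not visible in this rendering, so the node carrying the string is inferred from the surrounding value list.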
@@ -0,0 +1,331 @@ + +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source 
addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i new file mode 100644 index 000000000..b873d99a3 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i 
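Review bot: The time and date constraints in the `Time to match rule` block of common-rule-ipv4-raw.xml.i accept values that are not valid times or dates: `([0-2][0-9](\:[0-5][0-9]){1,2})` admits hours 24 to 29 and `(\d{4}\-\d{2}\-\d{2})` admits month 99, so a mistyped rule window passes CLI validation and is caught, if at all, only when the ruleset is loaded. I would tighten them to `(([01][0-9]|2[0-3])(:[0-5][0-9]){1,2})` and `(\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01]))`; the same patterns are repeated in common-rule-ipv4.xml.i and common-rule-ipv6.xml.i further down. The help text promises `hh:mm:ss` while the pattern also accepts `hh:mm`, and it contains `using using` and `Thursdays`. Separately, this raw variant drops the session-state block but keeps the `Connection status` NAT match, which presumably also depends on conntrack data that a raw-priority chain does not yet have; worth confirming.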
@@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMP type and code information + + + + + ICMP code + + u32:0-255 + ICMP code (0-255) + + + + + + + + + ICMP type + + u32:0-255 + ICMP type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + 
minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i new file mode 100644 index 000000000..758281335 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i 
@@ -0,0 +1,416 @@ + +#include +#include +#include +#include +#include +#include +#include + + + Destination parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + ICMPv6 type and code information + + + + + ICMPv6 code + + u32:0-255 + ICMPv6 code (0-255) + + + + + + + + + ICMPv6 type + + u32:0-255 + ICMPv6 type (0-255) + + + + + + + #include + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + ^(destination|source)$ + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last 
second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + + + + Source parameters + + + #include + #include + #include + #include + #include + #include + #include + + + + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i new file mode 100644 index 000000000..ba7c63cd6 --- /dev/null +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i 
@@ -0,0 +1,22 @@ + + + + Default-action for rule-set + + drop accept + + + drop + Drop if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + (drop|accept) + + + drop + + diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i new file mode 100644 index 000000000..3204a239d --- /dev/null +++ b/interface-definitions/include/firewall/global-options.xml.i 
@@ -0,0 +1,272 @@ + + + + Global Options + + + + + Policy for handling of all IPv4 ICMP echo requests + + enable disable + + + enable + Enable processing of all IPv4 ICMP echo requests + + + disable + Disable processing of all IPv4 ICMP echo requests + + + (enable|disable) + + + enable + + + + Policy for handling broadcast IPv4 ICMP echo and timestamp requests + + enable disable + + + enable + Enable processing of broadcast IPv4 ICMP echo/timestamp requests + + + disable + Disable processing of broadcast IPv4 ICMP echo/timestamp requests + + + (enable|disable) + + + disable + + + + SNMP trap generation on firewall configuration changes + + enable disable + + + enable + Enable sending SNMP trap on firewall configuration change + + + disable + Disable sending SNMP trap on firewall configuration change + + + (enable|disable) + + + disable + + + + Policy for handling IPv4 packets with source route option + + enable disable + + + enable + Enable processing of IPv4 packets with source route option + + + disable + Disable processing of IPv4 packets with source route option + + + (enable|disable) + + + disable + + + + Policy for logging IPv4 packets with invalid addresses + + enable disable + + + enable + Enable logging of IPv4 packets with invalid addresses + + + disable + Disable logging of Ipv4 packets with invalid addresses + + + (enable|disable) + + + enable + + + + Policy for handling received IPv4 ICMP redirect messages + + enable disable + + + enable + Enable processing of received IPv4 ICMP redirect messages + + + disable + Disable processing of received IPv4 ICMP redirect messages + + + (enable|disable) + + + disable + + + + Retains last successful value if domain resolution fails + + + + + + Domain resolver update interval + + u32:10-3600 + Interval (seconds) + + + + + + 300 + + + + Policy for sending IPv4 ICMP redirect messages + + enable disable + + + enable + Enable sending IPv4 ICMP redirect messages + + + disable + Disable sending IPv4 ICMP redirect 
messages + + + (enable|disable) + + + enable + + + + Policy for source validation by reversed path, as specified in RFC3704 + + strict loose disable + + + strict + Enable Strict Reverse Path Forwarding as defined in RFC3704 + + + loose + Enable Loose Reverse Path Forwarding as defined in RFC3704 + + + disable + No source validation + + + (strict|loose|disable) + + + disable + + + + Policy for using TCP SYN cookies with IPv4 + + enable disable + + + enable + Enable use of TCP SYN cookies with IPv4 + + + disable + Disable use of TCP SYN cookies with IPv4 + + + (enable|disable) + + + enable + + + + RFC1337 TCP TIME-WAIT assasination hazards protection + + enable disable + + + enable + Enable RFC1337 TIME-WAIT hazards protection + + + disable + Disable RFC1337 TIME-WAIT hazards protection + + + (enable|disable) + + + disable + + + + Policy for handling received ICMPv6 redirect messages + + enable disable + + + enable + Enable processing of received ICMPv6 redirect messages + + + disable + Disable processing of received ICMPv6 redirect messages + + + (enable|disable) + + + disable + + + + Policy for handling IPv6 packets with routing extension header + + enable disable + + + enable + Enable processing of IPv6 packets with routing header type 2 + + + disable + Disable processing of IPv6 packets with routing header + + + (enable|disable) + + + disable + + + + diff --git a/interface-definitions/include/firewall/inbound-interface.xml.i b/interface-definitions/include/firewall/inbound-interface.xml.i new file mode 100644 index 000000000..13df71de3 --- /dev/null +++ b/interface-definitions/include/firewall/inbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match inbound-interface + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i new file mode 100644 index 000000000..b2f8271f7 --- /dev/null 
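Review bot: Several help strings in global-options.xml.i are inconsistent or misspelled, and they are the only description an operator gets for these kernel hardening knobs. The IPv6 routing-header option says `Enable processing of IPv6 packets with routing header type 2` for one value and `Disable processing of IPv6 packets with routing header` for the other, so it is unclear whether the setting covers type 2 only; both lines should name the same scope. `assasination` should be `assassination` and `Ipv4` should be `IPv4`. The values that appear to be the defaults (source validation `disable`, RFC1337 protection `disable`, sending redirects `enable`) are not mentioned in any help text; the tags are stripped in this view, so that reading is inferred.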
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv4 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i new file mode 100644 index 000000000..6179afe31 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv4 forward firewall + + + + + IPv4 firewall forward filter + + + #include + #include + + + IP Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i new file mode 100644 index 000000000..f9746378b --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i 
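Review bot: The chain-name constraint in ipv4-custom-name.xml.i, `[a-zA-Z0-9][\w\-\.]*`, puts no upper bound on the name length, and the name is later rendered into the ruleset as `chain NAME_{{ name_text }}` (see the nftables.j2 template further down this page). nftables limits object name length, so an over-long name would pass CLI validation and fail only when the ruleset is loaded. A bounded quantifier in place of `*`, sized to the nftables limit minus the `NAME_` prefix, together with an error message like the one the rule number already has (`Firewall rule number must be between 1 and 999999`), would reject it at the CLI. ipv6-custom-name.xml.i uses the same pattern.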
@@ -0,0 +1,43 @@ + + + + IPv4 input firewall + + + + + IPv4 firewall input filter + + + #include + #include + + + IP Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i new file mode 100644 index 000000000..a1820f314 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv4 output firewall + + + + + IPv4 firewall output filter + + + #include + #include + + + IP Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i new file mode 100644 index 000000000..229a25ef4 --- /dev/null +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i 
@@ -0,0 +1,85 @@ + + + + IPv4 prerouting firewall + + + + + IPv4 firewall prerouting filter + + + #include + #include + + + IP Firewall prerouting filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + IPv4 firewall prerouting raw + + + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ip name + + + + + + IP Firewall prerouting raw rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ip name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i new file mode 100644 index 000000000..6275036c1 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -0,0 +1,49 @@ + + + + IPv6 custom firewall + + [a-zA-Z0-9][\w\-\.]* + + + + #include + #include + #include + + + Set jump target. Action jump must be defined in default-action to use this setting + + firewall ipv6 ipv6-name + + + + + + IPv6 Firewall custom rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i new file mode 100644 index 000000000..042bd9931 --- /dev/null 
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -0,0 +1,44 @@ + + + + IPv6 forward firewall + + + + + IPv6 firewall forward filter + + + #include + #include + + + IPv6 Firewall forward filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i new file mode 100644 index 000000000..8c41e0aca --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 input firewall + + + + + IPv6 firewall input filter + + + #include + #include + + + IPv6 Firewall input filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i new file mode 100644 index 000000000..9b756d870 --- /dev/null +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -0,0 +1,43 @@ + + + + IPv6 output firewall + + + + + IPv6 firewall output filter + + + #include + #include + + + IPv6 Firewall output filter rule number + + u32:1-999999 + Number for this firewall rule + + + + + Firewall rule number must be between 1 and 999999 + + + #include + #include + + + Set jump target. Action jump must be defined to use this setting + + firewall ipv6 ipv6-name + + + + + + + + + + \ No newline at end of file 
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i index 3e52422cf..a62bf8d89 100644 --- a/interface-definitions/include/firewall/match-interface.xml.i +++ b/interface-definitions/include/firewall/match-interface.xml.i @@ -5,6 +5,13 @@ + + txt + Interface name, wildcard (*) supported + + + #include + diff --git a/interface-definitions/include/firewall/outbound-interface.xml.i b/interface-definitions/include/firewall/outbound-interface.xml.i new file mode 100644 index 000000000..8654dfd80 --- /dev/null +++ b/interface-definitions/include/firewall/outbound-interface.xml.i @@ -0,0 +1,10 @@ + + + + Match outbound-interface + + + #include + + + \ No newline at end of file diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index c32484542..dd21bfaca 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ - + -- cgit v1.2.3 From 68d14fe80145542ffd08a5f7d5cde6c090a0de07 Mon Sep 17 00:00:00 2001 
From: Nicolas Fort Date: Wed, 31 May 2023 15:07:42 +0000 Subject: T5160: firewall refactor: change firewall ip to firewall ipv4 --- data/templates/firewall/nftables.j2 | 30 +-- interface-definitions/firewall.xml.in | 2 +- .../include/firewall/ipv4-custom-name.xml.i | 6 +- .../include/firewall/ipv4-hook-forward.xml.i | 4 +- .../include/firewall/ipv4-hook-input.xml.i | 4 +- .../include/firewall/ipv4-hook-output.xml.i | 4 +- .../include/firewall/ipv4-hook-prerouting.xml.i | 10 +- op-mode-definitions/firewall.xml.in | 12 +- python/vyos/firewall.py | 4 +- smoketest/scripts/cli/test_firewall.py | 254 ++++++++++----------- src/conf_mode/firewall.py | 53 ++++- src/migration-scripts/firewall/10-to-11 | 110 ++++----- src/op_mode/firewall.py | 20 +- 13 files changed, 273 insertions(+), 240 deletions(-) (limited to 'interface-definitions/include') diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index dcfe71a58..98ceebaa5 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,16 +1,15 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% import 'firewall/nftables-zone.j2' as zone_tmpl %} {% if first_install is not vyos_defined %} delete table ip vyos_filter {% endif %} table ip vyos_filter { -{% if ip is vyos_defined %} -{% if ip.forward is vyos_defined %} +{% if ipv4 is vyos_defined %} +{% if ipv4.forward is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.forward.items() %} +{% for prior, conf in ipv4.forward.items() %} {% set def_action = conf.default_action %} chain VYOS_FORWARD_{{ prior }} { type filter hook forward priority {{ prior }}; policy {{ def_action }}; 
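Review bot: Besides the `ip` to `ipv4` rename, this change to nftables.j2 removes `{% import 'firewall/nftables-zone.j2' as zone_tmpl %}` and, in the later hunks at `-152,10` and `-283,7`, both `zone_tmpl.zone_chains(...)` calls, so zone chains are no longer rendered into either `vyos_filter` table. If a configuration can still carry `zone` nodes (not visible here), its zone policy would silently stop being enforced after commit. I would either keep the rendering until the zone CLI is migrated, or have the config script refuse to commit while `zone` is set, and say so in the commit message, which currently mentions only the rename.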
@@ -33,9 +32,9 @@ table ip vyos_filter { {% endfor %} {% endif %} -{% if ip.input is vyos_defined %} +{% if ipv4.input is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.input.items() %} +{% for prior, conf in ipv4.input.items() %} {% set def_action = conf.default_action %} chain VYOS_INPUT_{{ prior }} { type filter hook input priority {{ prior }}; policy {{ def_action }}; @@ -58,9 +57,9 @@ table ip vyos_filter { {% endfor %} {% endif %} -{% if ip.output is vyos_defined %} +{% if ipv4.output is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.output.items() %} +{% for prior, conf in ipv4.output.items() %} {% set def_action = conf.default_action %} chain VYOS_OUTPUT_{{ prior }} { type filter hook output priority {{ prior }}; policy {{ def_action }}; @@ -87,9 +86,9 @@ table ip vyos_filter { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } -{% if ip.prerouting is vyos_defined %} +{% if ipv4.prerouting is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for prior, conf in ip.prerouting.items() %} +{% for prior, conf in ipv4.prerouting.items() %} chain VYOS_PREROUTING_{{ prior }} { type filter hook prerouting priority {{ prior }}; policy accept; {% if conf.rule is vyos_defined %} @@ -112,9 +111,9 @@ table ip vyos_filter { } {% endfor %} {% endif %} -{% if ip.name is vyos_defined %} +{% if ipv4.name is vyos_defined %} {% set ns = namespace(sets=[]) %} -{% for name_text, conf in ip.name.items() %} +{% for name_text, conf in ipv4.name.items() %} chain NAME_{{ name_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} @@ -152,10 +151,6 @@ table ip vyos_filter { {% endif %} {{ group_tmpl.groups(group, False) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} -{% endif %} } {% if first_install is not vyos_defined %} 
@@ -283,7 +278,4 @@ table ip6 vyos_filter { {{ group_tmpl.groups(group, True) }} -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} -{% endif %} } \ No newline at end of file diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 9b36f92e8..127f4b7e7 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -284,7 +284,7 @@ - + IPv4 firewall diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index b2f8271f7..7fd802f3b 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -14,13 +14,13 @@ Set jump target. Action jump must be defined in default-action to use this setting - firewall ip name + firewall ipv4 name - IP Firewall custom rule number + IPv4 Firewall custom rule number u32:1-999999 Number for this firewall rule @@ -38,7 +38,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index 6179afe31..beb9df64e 100644 --- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -13,7 +13,7 @@ #include - IP Firewall forward filter rule number + IPv4 Firewall forward filter rule number u32:1-999999 Number for this firewall rule @@ -31,7 +31,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i index f9746378b..1a2e1399f 100644 --- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i 
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -13,7 +13,7 @@ #include - IP Firewall input filter rule number + IPv4 Firewall input filter rule number u32:1-999999 Number for this firewall rule @@ -30,7 +30,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index a1820f314..e870e2b79 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -13,7 +13,7 @@ #include - IP Firewall output filter rule number + IPv4 Firewall output filter rule number u32:1-999999 Number for this firewall rule @@ -30,7 +30,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name diff --git a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i index 229a25ef4..c38918375 100644 --- a/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-prerouting.xml.i @@ -13,7 +13,7 @@ #include - IP Firewall prerouting filter rule number + IPv4 Firewall prerouting filter rule number u32:1-999999 Number for this firewall rule @@ -30,7 +30,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name @@ -49,13 +49,13 @@ Set jump target. Action jump must be defined in default-action to use this setting - firewall ip name + firewall ipv4 name - IP Firewall prerouting raw rule number + IPv4 Firewall prerouting raw rule number u32:1-999999 Number for this firewall rule @@ -72,7 +72,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ip name + firewall ipv4 name 
diff --git a/op-mode-definitions/firewall.xml.in b/op-mode-definitions/firewall.xml.in index b29e93f5e..164ce6b60 100644 --- a/op-mode-definitions/firewall.xml.in +++ b/op-mode-definitions/firewall.xml.in @@ -231,7 +231,7 @@ sudo ${vyos_op_scripts_dir}/firewall.py --action show_family --family $3 - + Show IPv4 firewall @@ -250,7 +250,7 @@ Show summary of IPv4 forward filter firewall rules - firewall ip forward filter rule + firewall ipv4 forward filter rule sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 @@ -274,7 +274,7 @@ Show summary of IPv4 input filter firewall rules - firewall ip input filter rule + firewall ipv4 input filter rule sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 @@ -298,7 +298,7 @@ Show summary of IPv4 output filter firewall rules - firewall ip output filter rule + firewall ipv4 output filter rule sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 @@ -312,7 +312,7 @@ Show IPv4 custom firewall chains - firewall ip name + firewall ipv4 name @@ -320,7 +320,7 @@ Show summary of IPv4 custom firewall ruleset - firewall ip name ${COMP_WORDS[6]} rule + firewall ipv4 name ${COMP_WORDS[6]} rule sudo ${vyos_op_scripts_dir}/firewall.py --action show --hook $4 --priority $5 --rule $7 diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index 86a324062..bb32556af 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py 
@@ -49,7 +49,7 @@ def fqdn_config_parse(firewall):
 suffix = path[5][0]
 set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
- if (path[0] == 'ip') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+ if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
 firewall['ip_fqdn'][set_name] = domain
 elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name'):
 if path[1] == 'ipv6_name':
@@ -521,7 +521,7 @@ def geoip_update(firewall, force=False):
 set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}'
 if path[1] == 'ipv6_name':
 set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}'
- if ( path[0] == 'ip' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
+ if ( path[0] == 'ipv4' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ):
 for code in codes:
 ipv4_codes.setdefault(code, []).append(set_name)
 elif ( path[0] == 'ipv6' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ):
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 640b7971c..7a7628873 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
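Review bot: The family/hook test in `fqdn_config_parse` is a four-way `or` chain that this commit has to edit in three places (here, in `geoip_update` in the next hunk, and in `geoip_updated` in src/conf_mode/firewall.py), and none of the three lists `prerouting` although the nftables template in this commit renders `ipv4.prerouting` chains. I would write it as `if path[0] == 'ipv4' and path[1] in ('forward', 'input', 'output', 'name'):` and confirm whether `'prerouting'` belongs in that tuple; if prerouting rules can carry FQDN or GeoIP matches, their sets would presumably never be registered. Both function bodies start and end outside the hunks.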
@@ -90,13 +90,13 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): return False def test_geoip(self): - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match']) self.cli_commit() 
@@ -127,17 +127,17 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'eth0']) self.cli_set(['firewall', 'group', 'interface-group', 'smoketest_interface', 'interface', 'vtun0']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'protocol', 'tcp_udp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'protocol', 
'tcp_udp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '2', 'source', 'group', 'mac-group', 'smoketest_mac']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'source', 'group', 'domain-group', 'smoketest_domain']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'outbound-interface', 'interface-group', 'smoketest_interface']) self.cli_commit() @@ -167,10 +167,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port', 'port', '53']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'port', '123']) self.cli_set(['firewall', 'group', 'port-group', 'smoketest_port1', 'include', 'smoketest_port']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) - self.cli_set(['firewall', 'ip', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'destination', 'group', 'port-group', 'smoketest_port1']) + self.cli_set(['firewall', 'ipv4', 'name', 'smoketest', 'rule', '1', 'protocol', 'tcp_udp']) self.cli_commit() 
@@ -196,53 +196,53 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): mss_range = '501-1460' conn_mark = '555' - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'destination', 'port', '8888']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) - - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 
'rule', '3', 'log', 'disable']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute']) - self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '4', 'packet-type', 'host']) - - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'protocol', 'tcp']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range]) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface]) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'action', 'return']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'protocol', 'gre']) - self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark]) - - self.cli_set(['firewall', 'ip', 'output', 'filter', 'default-action', 'accept']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'protocol', 'gre']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc]) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'action', 'return']) - self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'protocol', 'icmp']) - 
self.cli_set(['firewall', 'ip', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark]) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'source', 'address', '172.16.20.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '172.16.10.10']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'log-options', 'level', 'debug']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'ttl', 'eq', '15']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'destination', 'port', '8888']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'log-options', 'level', 'err']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'tcp', 'flags', 'not', 'ack']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'ttl', 'gt', '102']) + + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '3', 'limit', 'rate', '5/minute']) + self.cli_set(['firewall', 
'ipv4', 'forward', 'filter', 'rule', '3', 'log', 'disable']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'destination', 'port', '22']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'count', '10']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'recent', 'time', 'minute']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '4', 'packet-type', 'host']) + + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'protocol', 'tcp']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'flags', 'syn']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'tcp', 'mss', mss_range]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'packet-type', 'broadcast']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '5', 'inbound-interface', 'interface-name', interface]) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '6', 'connection-mark', conn_mark]) + + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'protocol', 'gre']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '5', 'outbound-interface', 'interface-name', interface_wc]) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'ipv4', 
'output', 'filter', 'rule', '6', 'protocol', 'icmp']) + self.cli_set(['firewall', 'ipv4', 'output', 'filter', 'rule', '6', 'connection-mark', conn_mark]) self.cli_commit() 
@@ -274,39 +274,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 name2 = 'smoketest-adv2'
 interface = 'eth0'
- self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop'])
- self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log'])
-
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '64'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '512'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'packet-length', '1024'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '17'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'dscp', '52'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log', 'enable'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
-
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'action', 'accept'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp', '3-11'])
- self.cli_set(['firewall', 'ip', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
-
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'default-action', 'accept'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
- self.cli_set(['firewall', 'ip', 'forward', 'filter', 'rule', '1', 'jump-target', name])
-
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'action', 'queue'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '2', 'queue', '3'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'action', 'queue'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
- self.cli_set(['firewall', 'ip', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
+ self.cli_set(['firewall', 'ip4', 'name', name, 'default-action', 'drop'])
+ self.cli_set(['firewall', 'ip4', 'name', name, 'enable-default-log'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '64'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '512'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'packet-length', '1024'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '17'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'dscp', '52'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log', 'enable'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'group', '66'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'snapshot-length', '6666'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '6', 'log-options', 'queue-threshold','32000'])
+
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length', '1-30000'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'packet-length-exclude', '60000-65535'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11'])
+ self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25'])
+
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'accept'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump'])
+ self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name])
+
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'protocol', 'tcp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '2', 'queue', '3'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'protocol', 'udp'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'action', 'queue'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'fanout'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue-options', 'bypass'])
+ self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '3', 'queue', '0-15'])
 self.cli_commit()
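Review bot: The first two added `cli_set` calls in this hunk use the path element `'ip4'` where every other added line uses `'ipv4'`, so `default-action drop` and `enable-default-log` are set under a node the renamed CLI does not appear to define. Depending on how the CLI treats the unknown path, either the commit fails or the chain is built without the drop default and default logging, and the test no longer exercises the policy it was written for. They should read `self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])` and `self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log'])`. The test method starts and ends outside the hunk.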
@@ -332,20 +332,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'address-group', 'mask_group', 'address', '1.1.1.1']) - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address', '0.0.1.2']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'destination', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address', '!0.0.3.4']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'source', 'address-mask', '0.0.255.255']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'drop']) + 
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'source', 'address-mask', '0.0.255.255']) self.cli_commit() 
@@ -483,20 +483,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'smoketest-state' interface = 'eth0' - self.cli_set(['firewall', 'ip', 'name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '1', 'state', 'related', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'action', 'reject']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'state', 'new', 'enable']) - - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'action', 'accept']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'new', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'state', 'established', 'enable']) - self.cli_set(['firewall', 'ip', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'related', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'action', 'reject']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '2', 'state', 'invalid', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'state', 'new', 'enable']) + + 
self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '3', 'connection-status', 'nat', 'destination']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'new', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'state', 'established', 'enable']) + self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '4', 'connection-status', 'nat', 'source']) self.cli_commit() diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 4c5341e22..a50ae2ec6 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -101,7 +101,7 @@ def geoip_updated(conf, firewall): if path[1] == 'ipv6_name': set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}' - if (path[0] == 'ip') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): + if (path[0] == 'ipv4') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): out['name'].append(set_name) elif (path[0] == 'ipv6') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ): out['ipv6_name'].append(set_name) 
@@ -133,6 +133,47 @@ def get_config(config=None): get_first_key=True, with_recursive_defaults=True) + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary retrived. + # XXX: T2665: we currently have no nice way for defaults under tag + # nodes, thus we load the defaults "by hand" + default_values = defaults(base) + + for family in ['ipv4', 'ipv6']: + for tmp in ['name', 'ipv6_name', 'forward', 'input', 'output', 'prerouting']: + if tmp in default_values[family]: + del default_values[family][tmp] + + + firewall = dict_merge(default_values, firewall) + + # Merge in defaults for IPv4 ruleset + if 'name' in firewall['ipv4']: + default_values = defaults(base + ['ipv4'] + ['name']) + for name in firewall['ipv4']['name']: + firewall['ipv4']['name'][name] = dict_merge(default_values, + firewall['ipv4']['name'][name]) + for hook in ['forward', 'input', 'output', 'prerouting']: + if hook in firewall['ipv4']: + for priority in ['filter', 'mangle', 'raw']: + if priority in firewall['ipv4'][hook]: + default_values = defaults(base + ['ipv4'] + [hook] + [priority]) + firewall['ipv4'][hook][priority] = dict_merge(default_values, + firewall['ipv4'][hook][priority]) + + # Merge in defaults for IPv6 ruleset + if 'ipv6_name' in firewall['ipv6']: + default_values = defaults(base + ['ipv6'] + ['ipv6-name']) + for ipv6_name in firewall['ipv6']['ipv6_name']: + firewall['ipv6']['ipv6_name'][ipv6_name] = dict_merge(default_values, + firewall['ipv6']['ipv6_name'][ipv6_name]) + for hook in ['forward', 'input', 'output', 'prerouting']: + if hook in firewall['ipv6']: + for priority in ['filter', 'mangle', 'raw']: + if priority in firewall['ipv6'][hook]: + default_values = defaults(base + ['ipv6'] + [hook] + [priority]) + firewall['ipv6'][hook][priority] = dict_merge(default_values, + firewall['ipv6'][hook][priority]) firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) if 
firewall['group_resync']: @@ -165,7 +206,7 @@ def verify_rule(firewall, rule_conf, ipv6): raise ConfigError('jump-target defined, but action jump needed and it is not defined') target = rule_conf['jump_target'] if not ipv6: - if target not in dict_search_args(firewall, 'ip', 'name'): + if target not in dict_search_args(firewall, 'ipv4', 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') else: if target not in dict_search_args(firewall, 'ipv6', 'ipv6_name'): @@ -297,10 +338,10 @@ def verify(firewall): for group_name, group in groups.items(): verify_nested_group(group_name, group, groups, []) - if 'ip' in firewall: + if 'ipv4' in firewall: for name in ['name','forward','input','output']: - if name in firewall['ip']: - for name_id, name_conf in firewall['ip'][name].items(): + if name in firewall['ipv4']: + for name_id, name_conf in firewall['ipv4'][name].items(): if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: raise ConfigError('default-action set to jump, but no default-jump-target specified') if 'default_jump_target' in name_conf: @@ -310,7 +351,7 @@ def verify(firewall): if name_conf['default_jump_target'] == name_id: raise ConfigError(f'Loop detected on default-jump-target.') ## Now need to check that default-jump-target exists (other firewall chain/name) - if target not in dict_search_args(firewall['ip'], 'name'): + if target not in dict_search_args(firewall['ipv4'], 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') if 'rule' in name_conf: diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index b2880afac..9dad86b62 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 
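Review bot: The IPv4 and IPv6 default-merge blocks added to get_config are two copies of the same loop, and both index `firewall['ipv4']` / `firewall['ipv6']` (and `default_values[family]` in the pruning loop) without checking that the key exists. If `defaults(base)` can come back without one of the families, the commit path ends in a bare KeyError; the body of `defaults()` is not visible here, so this needs confirming. Folding the two blocks into one loop over the families removes the duplication and lets a missing family be skipped. The comment above the block has a typo (`retrived` should be `retrieved`). get_config starts and ends outside this hunk.

```python
# … unchanged: default_values pruning and dict_merge(default_values, firewall) …
for family, chain_key, chain_node in [('ipv4', 'name', 'name'),
                                      ('ipv6', 'ipv6_name', 'ipv6-name')]:
    family_conf = firewall.get(family, {})
    # custom chains are tag nodes, so their defaults are merged per chain
    if chain_key in family_conf:
        default_values = defaults(base + [family, chain_node])
        for chain in family_conf[chain_key]:
            family_conf[chain_key][chain] = dict_merge(default_values,
                                                       family_conf[chain_key][chain])
    for hook in ['forward', 'input', 'output', 'prerouting']:
        for priority in ['filter', 'mangle', 'raw']:
            if priority in family_conf.get(hook, {}):
                default_values = defaults(base + [family, hook, priority])
                family_conf[hook][priority] = dict_merge(default_values,
                                                         family_conf[hook][priority])
# … unchanged: firewall['group_resync'] handling …
```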
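Review bot: In verify_rule, `target not in dict_search_args(firewall, 'ipv4', 'name')` will raise a TypeError instead of the intended ConfigError if dict_search_args returns None when no `ipv4 name` chain is configured; its implementation is not shown on this page, so confirm the return value for a missing path. The same pattern appears in the `@@ -310,7 +351,7 @@` hunk of verify() for `default_jump_target`, and in the untouched `ipv6` branch next to it. A jump to a chain that does not exist should be rejected with the existing message, e.g. `if target not in (dict_search_args(firewall, 'ipv4', 'name') or {}):`. verify_rule's body continues outside the hunk.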
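Review bot: The loop in verify(), `for name in ['name','forward','input','output']:`, leaves out `prerouting`, although get_config in this same commit merges defaults for `firewall['ipv4']['prerouting']`. Unless prerouting chains are validated somewhere outside this hunk, their `default_jump_target` and rules reach the ruleset without the jump-target and loop checks applied to the other hooks. Either add `'prerouting'` to the list or leave a comment explaining why it is exempt, e.g. `# prerouting is verified in <other function>`. Separately, `raise ConfigError(f'Loop detected on default-jump-target.')` is an f-string with no placeholder and can be a plain string.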
@@ -20,22 +20,22 @@ # set firewall name ... # set firewall ipv6-name ... # To -# set firewall ip name +# set firewall ipv4 name # set firewall ipv6 ipv6-name ## Also from 'firewall interface' removed. ## in and out: # set firewall interface [in|out] [name | ipv6-name] # To - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] forward filter rule <5,10,15,...> jump-target + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> [inbound-interface | outboubd-interface] interface-name + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] forward filter rule <5,10,15,...> jump-target ## local: # set firewall interface local [name | ipv6-name] # To - # set firewall [ip | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name - # set firewall [ip | ipv6] input filter rule <5,10,15,...> action jump - # set firewall [ip | ipv6] input filter rule <5,10,15,...> jump-target + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> inbound-interface interface-name + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> action jump + # set firewall [ipv4 | ipv6] input filter rule <5,10,15,...> jump-target import re @@ -63,7 +63,7 @@ if not config.exists(base): ### Migration of state policies if config.exists(base + ['state-policy']): - for family in ['ip', 'ipv6']: + for family in ['ipv4', 'ipv6']: for hook in ['forward', 'input', 'output']: for priority in ['filter']: # Add default-action== accept for compatibility reasons: 
@@ -89,11 +89,11 @@ for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv ### Migration of firewall name and ipv6-name if config.exists(base + ['name']): - config.set(['firewall', 'ip', 'name']) - config.set_tag(['firewall', 'ip', 'name']) + config.set(['firewall', 'ipv4', 'name']) + config.set_tag(['firewall', 'ipv4', 'name']) for ipv4name in config.list_nodes(base + ['name']): - config.copy(base + ['name', ipv4name], base + ['ip', 'name', ipv4name]) + config.copy(base + ['name', ipv4name], base + ['ipv4', 'name', ipv4name]) config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): @@ -117,8 +117,8 @@ if config.exists(base + ['interface']): target = config.return_value(base + ['interface', iface, direction, 'name']) if direction == 'in': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) @@ -127,8 +127,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 elif direction == 'out': # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'forward', 'filter', 'rule'] + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'forward', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [fwd_ipv4_rule, 'outbound-interface', 'interface-name'], value=iface) 
@@ -137,8 +137,8 @@ if config.exists(base + ['interface']): fwd_ipv4_rule = fwd_ipv4_rule + 5 else: # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') - new_base = base + ['ip', 'input', 'filter', 'rule'] + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') + new_base = base + ['ipv4', 'input', 'filter', 'rule'] config.set(new_base) config.set_tag(new_base) config.set(new_base + [inp_ipv4_rule, 'inbound-interface', 'interface-name'], value=iface) 
@@ -197,20 +197,20 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'local-zone']): local_zone = 'True' # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'input', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'input', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'input', 'filter', 'default-action'], value='accept') - config.set(base + ['ip', 'output', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'output', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'output', 'filter', 'default-action'], value='accept') for from_zone in config.list_nodes(base + ['zone', zone, 'from']): group_name = 'IG_' + from_zone if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']): # ipv4 input ruleset target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'jump-target'], value=target_ipv4_chain) inp_ipv4_rule = inp_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 
'ipv6-name']): # ipv6 input ruleset @@ -228,21 +228,21 @@ if config.exists(base + ['zone']): local_def_action = config.return_value(base + ['zone', zone, 'default-action']) else: local_def_action = 'drop' - config.set(base + ['ip', 'input', 'filter', 'rule']) - config.set_tag(base + ['ip', 'input', 'filter', 'rule']) - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'input', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'input', 'filter', 'rule']) + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'input', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'input', 'filter', 'rule']) config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'action'], value=local_def_action) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'input', 'filter', 'rule', inp_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'input', 'filter', 'rule', inp_ipv6_rule, 'log'], value='enable') else: # It's not a local zone group_name = 'IG_' + zone # Add default-action== accept for compatibility reasons: - config.set(base + ['ip', 'forward', 'filter', 'default-action'], value='accept') + config.set(base + ['ipv4', 'forward', 'filter', 'default-action'], value='accept') config.set(base + ['ipv6', 'forward', 'filter', 'default-action'], value='accept') # intra-filtering migration. By default accept intra_zone_ipv4_action = 'accept' 
@@ -258,11 +258,11 @@ if config.exists(base + ['zone']): if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) intra_zone_ipv6_action = 'jump' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=intra_zone_ipv4_action) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'inbound-interface', 'interface-group'], value=group_name) 
@@ -270,7 +270,7 @@ if config.exists(base + ['zone']): if intra_zone_ipv4_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']): intra_zone_ipv4_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'name']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=intra_zone_ipv4_target) if intra_zone_ipv6_action == 'jump': if config.exists(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']): intra_zone_ipv6_target = config.return_value(base + ['zone', zone, 'intra-zone-filtering', 'firewall', 'ipv6-name']) 
@@ -293,20 +293,20 @@ if config.exists(base + ['zone']): target_ipv4_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'name']) if config.exists(base + ['zone', from_zone, 'local-zone']): # It's from LOCAL zone -> Output filtering - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'jump-target'], value=target_ipv4_chain) out_ipv4_rule = out_ipv4_rule + 5 else: # It's not LOCAL zone -> forward filtering - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 
'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'inbound-interface', 'interface-group'], value=from_group) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value='jump') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'jump-target'], value=target_ipv4_chain) fwd_ipv4_rule = fwd_ipv4_rule + 5 if config.exists(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']): target_ipv6_chain = config.return_value(base + ['zone', zone, 'from', from_zone, 'firewall', 'ipv6-name']) 
@@ -333,12 +333,12 @@ if config.exists(base + ['zone']): def_action = config.return_value(base + ['zone', zone, 'default-action']) else: def_action = 'drop' - config.set(base + ['ip', 'forward', 'filter', 'rule']) - config.set_tag(base + ['ip', 'forward', 'filter', 'rule']) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) + config.set(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'forward', 'filter', 'rule']) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'outbound-interface', 'interface-group'], value=group_name) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'action'], value=def_action) description = 'zone_' + zone + ' default-action' - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'description'], value=description) config.set(base + ['ipv6', 'forward', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'forward', 'filter', 'rule']) config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'outbound-interface', 'interface-group'], value=group_name) @@ -346,7 +346,7 @@ if config.exists(base + ['zone']): config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'description'], value=description) if config.exists(base + ['zone', zone, 'enable-default-log']): - config.set(base + ['ip', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') + config.set(base + ['ipv4', 'forward', 'filter', 'rule', fwd_ipv4_rule, 'log'], value='enable') config.set(base + ['ipv6', 'forward', 'filter', 'rule', fwd_ipv6_rule, 'log'], value='enable') fwd_ipv4_rule = fwd_ipv4_rule + 5 fwd_ipv6_rule = fwd_ipv6_rule + 5 
@@ -354,9 +354,9 @@ if config.exists(base + ['zone']): # Migrate default-action (force to be drop in output chain) if local zone is defined if local_zone == 'True': # General drop in output change if needed - config.set(base + ['ip', 'output', 'filter', 'rule']) - config.set_tag(base + ['ip', 'output', 'filter', 'rule']) - config.set(base + ['ip', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) + config.set(base + ['ipv4', 'output', 'filter', 'rule']) + config.set_tag(base + ['ipv4', 'output', 'filter', 'rule']) + config.set(base + ['ipv4', 'output', 'filter', 'rule', out_ipv4_rule, 'action'], value=local_def_action) config.set(base + ['ipv6', 'output', 'filter', 'rule']) config.set_tag(base + ['ipv6', 'output', 'filter', 'rule']) config.set(base + ['ipv6', 'output', 'filter', 'rule', out_ipv6_rule, 'action'], value=local_def_action) diff --git a/src/op_mode/firewall.py b/src/op_mode/firewall.py index 8eb883f81..ff7e2f398 100755 --- a/src/op_mode/firewall.py +++ b/src/op_mode/firewall.py @@ -27,7 +27,7 @@ from vyos.utils.dict import dict_search_args def get_config_firewall(conf, hook=None, priority=None, ipv6=False, interfaces=True): config_path = ['firewall'] if hook: - config_path += ['ipv6' if ipv6 else 'ip', hook] + config_path += ['ipv6' if ipv6 else 'ipv4', hook] if priority: config_path += [priority] @@ -160,9 +160,9 @@ def show_firewall(): if not firewall: return - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): output_firewall_name(hook, prior, prior_conf, ipv6=False) if 'ipv6' in firewall: 
@@ -265,9 +265,9 @@ def show_summary(): v4_out = [] v6_out = [] - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): description = prior_conf.get('description', '') v4_out.append([hook, prior, description]) @@ -296,9 +296,9 @@ def show_statistics(): if not firewall: return - if 'ip' in firewall: - for hook, hook_conf in firewall['ip'].items(): - for prior, prior_conf in firewall['ip'][hook].items(): + if 'ipv4' in firewall: + for hook, hook_conf in firewall['ipv4'].items(): + for prior, prior_conf in firewall['ipv4'][hook].items(): output_firewall_name_statistics(hook,prior, prior_conf, ipv6=False) if 'ipv6' in firewall: -- cgit v1.2.3 From 0300bf433d9aaff81fdecf9eeaabba8d06c1999f Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Mon, 3 Jul 2023 16:32:37 -0300 Subject: T5160: firewall refactor: move to . Also fix some unexpected behaviour with geoip. --- data/templates/firewall/nftables.j2 | 4 +- .../include/firewall/ipv6-custom-name.xml.i | 6 +-- .../include/firewall/ipv6-hook-forward.xml.i | 2 +- .../include/firewall/ipv6-hook-input.xml.i | 2 +- .../include/firewall/ipv6-hook-output.xml.i | 2 +- python/vyos/firewall.py | 15 +++---- smoketest/scripts/cli/test_firewall.py | 52 +++++++++++----------- src/conf_mode/firewall.py | 36 +++++++-------- src/migration-scripts/firewall/10-to-11 | 8 ++-- 9 files changed, 63 insertions(+), 64 deletions(-) (limited to 'interface-definitions/include') diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 1c70a6b77..10cbc68cb 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 
@@ -183,8 +183,8 @@ table ip6 vyos_filter { exthdr frag exists meta mark set 0xffff1 return } -{% if ipv6.ipv6_name is vyos_defined %} -{% for name_text, conf in ipv6.ipv6_name.items() %} +{% if ipv6.name is vyos_defined %} +{% for name_text, conf in ipv6.name.items() %} chain NAME6_{{ name_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i index 6275036c1..4b6777293 100644 --- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -1,5 +1,5 @@ - + IPv6 custom firewall @@ -14,7 +14,7 @@ Set jump target. Action jump must be defined in default-action to use this setting - firewall ipv6 ipv6-name + firewall ipv6 name @@ -38,7 +38,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ipv6 ipv6-name + firewall ipv6 name diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i index 042bd9931..25e1bd288 100644 --- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i @@ -31,7 +31,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ipv6 ipv6-name + firewall ipv6 name diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i index 8c41e0aca..f9a4d71b4 100644 --- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -30,7 +30,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ipv6 ipv6-name + firewall ipv6 name 
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index 9b756d870..9bf73a778 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -30,7 +30,7 @@ Set jump target. Action jump must be defined to use this setting - firewall ipv6 ipv6-name + firewall ipv6 name diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py index b028f0af0..4aa509fe2 100644 --- a/python/vyos/firewall.py +++ b/python/vyos/firewall.py @@ -51,8 +51,8 @@ def fqdn_config_parse(firewall): if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): firewall['ip_fqdn'][set_name] = domain - elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name'): - if path[1] == 'ipv6_name': + elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'): + if path[1] == 'name': set_name = f'name6_{priority}_{rule}_{suffix}' firewall['ip6_fqdn'][set_name] = domain @@ -160,8 +160,8 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name): if hook == 'OUT': hook_name = 'output' if hook == 'NAM': - hook_name = f'name{def_suffix}' - output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC_{hook_name}_{fw_name}_{rule_id}') + hook_name = f'name' + output.append(f'{ip_name} {prefix}addr {operator} @GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}') if 'mac_address' in side_conf: suffix = side_conf["mac_address"] 
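Review bot: `hook_name = f'name'` in the `NAM` branch of parse_rule is an f-string with no placeholder; write `hook_name = 'name'`. The set reference built on the following line, `@GEOIP_CC{def_suffix}_{hook_name}_{fw_name}_{rule_id}`, has to stay identical to the names generated in geoip_update() (`GEOIP_CC_…` for IPv4, `GEOIP_CC6_…` for IPv6), otherwise the rule points at a set that is never populated. A short comment such as `# must match the set names built in geoip_update()` would make that coupling visible. `def_suffix` is assigned outside the hunk, so confirm it expands to `6` for IPv6 and to an empty string for IPv4.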
@@ -519,12 +519,11 @@ def geoip_update(firewall, force=False): # Map country codes to set names for codes, path in dict_search_recursive(firewall, 'country_code'): set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' - if path[1] == 'ipv6_name': - set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}' - if ( path[0] == 'ipv4' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): + if ( path[0] == 'ipv4'): for code in codes: ipv4_codes.setdefault(code, []).append(set_name) - elif ( path[0] == 'ipv6' ) and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ): + elif ( path[0] == 'ipv6' ): + set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}' for code in codes: ipv6_codes.setdefault(code, []).append(set_name) diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index bd7666313..9412ce984 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py 
@@ -362,14 +362,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name = 'v6-smoketest' interface = 'eth0' - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'source', 'address', '2002::1']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'log', 'enable']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'log-options', 'level', 'crit']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'source', 'address', '2002::1']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '2002::1:1']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log', 'enable']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'log-options', 'level', 'crit']) self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'default-action', 'accept']) self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '2', 'action', 'reject']) 
@@ -411,15 +411,15 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): name2 = 'v6-smoketest-adv2' interface = 'eth0' - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'packet-length', '65']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'packet-length', '513']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'packet-length', '1025']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'dscp', '18']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'dscp', '53']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '65']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '513']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'packet-length', '1025']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '18']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'dscp', '53']) self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'action', 'accept']) self.cli_set(['firewall', 'ipv6', 'forward', 'filter', 'rule', '4', 'packet-length', '1-1999']) 
@@ -454,20 +454,20 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'group', 'ipv6-address-group', 'mask_group', 'address', '::beef']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'default-action', 'drop']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'enable-default-log']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'action', 'drop']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address', '::1111:2222:3333:4444']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '1', 'destination', 'address-mask', '::ffff:ffff:ffff:ffff']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '2', 'action', 'accept']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'action', 'accept']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address', '!::aaaa:bbbb:cccc:dddd']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '2', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'action', 'drop']) - self.cli_set(['firewall', 'ipv6', 'ipv6-name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) - self.cli_set(['firewall', 'ipv6', 
'ipv6-name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'action', 'drop']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'group', 'address-group', 'mask_group']) + self.cli_set(['firewall', 'ipv6', 'name', name, 'rule', '3', 'source', 'address-mask', '::ffff:ffff:ffff:ffff']) self.cli_commit() diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index a50ae2ec6..c8b1e27db 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -98,21 +98,21 @@ def geoip_updated(conf, firewall): for key, path in dict_search_recursive(firewall, 'geoip'): set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' - if path[1] == 'ipv6_name': - set_name = f'GEOIP_CC_name6_{path[2]}_{path[4]}' - - if (path[0] == 'ipv4') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name' ): + if (path[0] == 'ipv4'): out['name'].append(set_name) - elif (path[0] == 'ipv6') and ( path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'ipv6_name' ): + elif (path[0] == 'ipv6'): + set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}' out['ipv6_name'].append(set_name) + updated = True if 'delete' in node_diff: for key, path in dict_search_recursive(node_diff['delete'], 'geoip'): - set_name = f'GEOIP_CC_{path[2]}_{path[4]}' - if path[1] == 'name': + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' + if (path[0] == 'ipv4'): out['deleted_name'].append(set_name) - elif path[1] == 'ipv6-name': + elif (path[0] == 'ipv6'): + set_name = f'GEOIP_CC_{path[1]}_{path[2]}_{path[4]}' out['deleted_ipv6_name'].append(set_name) updated = True 
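Review bot: In the `delete` loop of `geoip_updated()` the IPv6 branch rebuilds `set_name` with the `GEOIP_CC_` prefix, while the add loop just above names IPv6 sets `GEOIP_CC6_...`. The names collected in `out['deleted_ipv6_name']` therefore cannot match the names under which the sets were created, so removed IPv6 GeoIP sets are likely to be left behind; the consumer of that list is not visible here. The reassignment in that branch should read `set_name = f'GEOIP_CC6_{path[1]}_{path[2]}_{path[4]}'`. The function starts and ends outside the hunk.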
@@ -140,7 +140,7 @@ def get_config(config=None): default_values = defaults(base) for family in ['ipv4', 'ipv6']: - for tmp in ['name', 'ipv6_name', 'forward', 'input', 'output', 'prerouting']: + for tmp in ['name', 'forward', 'input', 'output', 'prerouting']: if tmp in default_values[family]: del default_values[family][tmp] @@ -162,11 +162,11 @@ def get_config(config=None): firewall['ipv4'][hook][priority]) # Merge in defaults for IPv6 ruleset - if 'ipv6_name' in firewall['ipv6']: - default_values = defaults(base + ['ipv6'] + ['ipv6-name']) - for ipv6_name in firewall['ipv6']['ipv6_name']: - firewall['ipv6']['ipv6_name'][ipv6_name] = dict_merge(default_values, - firewall['ipv6']['ipv6_name'][ipv6_name]) + if 'name' in firewall['ipv6']: + default_values = defaults(base + ['ipv6'] + ['name']) + for ipv6_name in firewall['ipv6']['name']: + firewall['ipv6']['name'][ipv6_name] = dict_merge(default_values, + firewall['ipv6']['name'][ipv6_name]) for hook in ['forward', 'input', 'output', 'prerouting']: if hook in firewall['ipv6']: for priority in ['filter', 'mangle', 'raw']: @@ -209,8 +209,8 @@ def verify_rule(firewall, rule_conf, ipv6): if target not in dict_search_args(firewall, 'ipv4', 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') else: - if target not in dict_search_args(firewall, 'ipv6', 'ipv6_name'): - raise ConfigError(f'Invalid jump-target. Firewall ipv6-name {target} does not exist on the system') + if target not in dict_search_args(firewall, 'ipv6', 'name'): + raise ConfigError(f'Invalid jump-target. Firewall ipv6 name {target} does not exist on the system') if 'queue_options' in rule_conf: if 'queue' not in rule_conf['action']: 
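Review bot: In `verify_rule()` the renamed lookup `target not in dict_search_args(firewall, 'ipv6', 'name')` is still used directly as the right-hand side of `in`. If `dict_search_args` returns `None` when no IPv6 `name` node exists (the helper is not shown, so confirm), a rule with a jump-target fails with a `TypeError` traceback instead of the intended `ConfigError`. Binding the result first avoids that: `names = dict_search_args(firewall, 'ipv6', 'name') or {}` followed by `if target not in names:`. The IPv4 branch in the same hunk and the `default_jump_target` check in the `verify()` hunk (`@@ -371,7 +371,7 @@`) have the same shape.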
@@ -359,7 +359,7 @@ def verify(firewall): verify_rule(firewall, rule_conf, False) if 'ipv6' in firewall: - for name in ['ipv6_name','forward','input','output']: + for name in ['name','forward','input','output']: if name in firewall['ipv6']: for name_id, name_conf in firewall['ipv6'][name].items(): if 'jump' in name_conf['default_action'] and 'default_jump_target' not in name_conf: @@ -371,7 +371,7 @@ def verify(firewall): if name_conf['default_jump_target'] == name_id: raise ConfigError(f'Loop detected on default-jump-target.') ## Now need to check that default-jump-target exists (other firewall chain/name) - if target not in dict_search_args(firewall['ipv6'], 'ipv6_name'): + if target not in dict_search_args(firewall['ipv6'], 'name'): raise ConfigError(f'Invalid jump-target. Firewall name {target} does not exist on the system') if 'rule' in name_conf: diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index 8cd2a4df8..8afcb64fd 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -21,7 +21,7 @@ # set firewall ipv6-name ... # To # set firewall ipv4 name -# set firewall ipv6 ipv6-name +# set firewall ipv6 name ## Also from 'firewall interface' removed. ## in and out: @@ -97,11 +97,11 @@ if config.exists(base + ['name']): config.delete(base + ['name']) if config.exists(base + ['ipv6-name']): - config.set(['firewall', 'ipv6', 'ipv6-name']) - config.set_tag(['firewall', 'ipv6', 'ipv6-name']) + config.set(['firewall', 'ipv6', 'name']) + config.set_tag(['firewall', 'ipv6', 'name']) for ipv6name in config.list_nodes(base + ['ipv6-name']): - config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'ipv6-name', ipv6name]) + config.copy(base + ['ipv6-name', ipv6name], base + ['ipv6', 'name', ipv6name]) config.delete(base + ['ipv6-name']) ### Migration of firewall interface -- cgit v1.2.3 From a07a46d5d4ace155bc540aee6c745b600d6498b0 Mon Sep 17 00:00:00 2001 
From: Nicolas Fort Date: Tue, 4 Jul 2023 10:44:45 +0000 Subject: T5160: firewall refactor: change default value for from to if default-action is not specified in base chains --- .../include/firewall/default-action-base-chains.xml.i | 2 +- smoketest/scripts/cli/test_firewall.py | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/default-action-base-chains.xml.i b/interface-definitions/include/firewall/default-action-base-chains.xml.i index ba7c63cd6..aa62abf3d 100644 --- a/interface-definitions/include/firewall/default-action-base-chains.xml.i +++ b/interface-definitions/include/firewall/default-action-base-chains.xml.i @@ -17,6 +17,6 @@ (drop|accept) - drop + accept diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index 9412ce984..7a13f396f 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -254,7 +254,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['tcp dport 22', 'limit rate 5/minute', 'accept'], ['tcp dport 22', 'add @RECENT_FWD_filter_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'meta pkttype host', 'drop'], ['chain VYOS_INPUT_filter'], - ['type filter hook input priority filter; policy drop;'], + ['type filter hook input priority filter; policy accept;'], ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"', 'meta pkttype broadcast', 'accept'], ['meta l4proto gre', f'ct mark {mark_hex}', 'return'], ['chain VYOS_OUTPUT_filter'], 
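Review bot: With the default in `default-action-base-chains.xml.i` flipped from `drop` to `accept`, a base chain that has no explicit `default-action` now passes every packet its rules do not match, and nothing in the node says so. The updated smoketest expectations in this commit (`policy accept` for `VYOS_INPUT_filter`) confirm the fail-open result. I would state the default where the operator sees it, in the help text or as a comment beside the default element, for example `<!-- base chains default to accept; set default-action drop for a default-deny policy -->`. The enclosing node starts outside the hunk and its markup is not visible in this rendering.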
@@ -294,7 +294,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp', '3-11']) self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '7', 'dscp-exclude', '21-25']) - self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'accept']) + self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'default-action', 'drop']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'source', 'address', '198.51.100.1']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'action', 'jump']) self.cli_set(['firewall', 'ipv4', 'forward', 'filter', 'rule', '1', 'jump-target', name]) @@ -312,10 +312,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ ['chain VYOS_FORWARD_filter'], - ['type filter hook forward priority filter; policy accept;'], + ['type filter hook forward priority filter; policy drop;'], ['ip saddr 198.51.100.1', f'jump NAME_{name}'], ['chain VYOS_INPUT_filter'], - ['type filter hook input priority filter; policy drop;'], + ['type filter hook input priority filter; policy accept;'], [f'meta l4proto tcp','queue to 3'], [f'meta l4proto udp','queue flags bypass,fanout to 0-15'], [f'chain NAME_{name}'], @@ -394,7 +394,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['type filter hook forward priority filter; policy accept;'], ['meta l4proto { tcp, udp }', 'th dport 8888', f'iifname "{interface}"', 'reject'], ['chain VYOS_IPV6_INPUT_filter'], - ['type filter hook input priority filter; policy drop;'], + ['type filter hook input priority filter; policy accept;'], ['meta l4proto udp', 'ip6 saddr 2002::1:2', f'iifname "{interface}"', 'accept'], ['chain VYOS_IPV6_OUTPUT_filter'], ['type filter hook output priority filter; policy drop;'], 
@@ -436,7 +436,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): nftables_search = [ ['chain VYOS_IPV6_FORWARD_filter'], - ['type filter hook forward priority filter; policy drop;'], + ['type filter hook forward priority filter; policy accept;'], ['ip6 length 1-1999', 'ip6 length != 60000-65535', 'ip6 dscp 0x04-0x0e', 'ip6 dscp != 0x1f-0x23', 'accept'], ['chain VYOS_IPV6_INPUT_filter'], ['type filter hook input priority filter; policy accept;'], -- cgit v1.2.3 From f57ad85b346a08bd3aa31d95c9a7438f783c2b6e Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 4 Jul 2023 09:58:26 -0300 Subject: T5160: firewall refactor: fix regexep for connection-status. Create new file with common matcher for ipv4 and ipv6, and use include on all chains for all this comman matchers --- .../include/firewall/common-rule-inet.xml.i | 374 +++++++++++++++++++++ .../include/firewall/common-rule-ipv4-raw.xml.i | 2 +- .../include/firewall/common-rule-ipv4.xml.i | 354 +------------------ .../include/firewall/common-rule-ipv6.xml.i | 354 +------------------ .../include/firewall/ipv4-custom-name.xml.i | 8 - .../include/firewall/ipv4-hook-forward.xml.i | 8 - .../include/firewall/ipv4-hook-input.xml.i | 8 - .../include/firewall/ipv4-hook-output.xml.i | 8 - .../include/firewall/ipv6-custom-name.xml.i | 8 - .../include/firewall/ipv6-hook-forward.xml.i | 8 - .../include/firewall/ipv6-hook-input.xml.i | 8 - .../include/firewall/ipv6-hook-output.xml.i | 8 - 12 files changed, 385 insertions(+), 763 deletions(-) create mode 100644 interface-definitions/include/firewall/common-rule-inet.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i new file mode 100644 index 000000000..7a2eb86d4 --- /dev/null +++ b/interface-definitions/include/firewall/common-rule-inet.xml.i 
@@ -0,0 +1,374 @@ + +#include +#include +#include +#include +#include +#include + + + Option to disable firewall rule + + + + + + IP fragment match + + + + + Second and further fragments of fragmented packets + + + + + + Head fragments or unfragmented packets + + + + + + + + Inbound IPsec packets + + + + + Inbound IPsec packets + + + + + + Inbound non-IPsec packets + + + + + + + + Rate limit using a token bucket filter + + + + + Maximum number of packets to allow in excess of rate + + u32:0-4294967295 + Maximum number of packets to allow in excess of rate + + + + + + + + + Maximum average matching rate + + txt + integer/unit (Example: 5/minute) + + + \d+/(second|minute|hour|day) + + + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + + + + Option to log packets matching rule + + enable disable + + + enable + Enable log + + + disable + Disable log + + + (enable|disable) + + + +#include + + + Connection status + + + + + NAT connection status + + destination source + + + destination + Match connections that are subject to destination NAT + + + source + Match connections that are subject to source NAT + + + (destination|source) + + + + + + + + Protocol to match (protocol name, number, or "all") + + + all tcp_udp + + + all + All IP protocols + + + tcp_udp + Both TCP and UDP + + + u32:0-255 + IP protocol number + + + <protocol> + IP protocol name + + + !<protocol> + IP protocol name + + + + + + + + + Parameters for matching recently seen sources + + + + + Source addresses seen more than N times + + u32:1-255 + Source addresses seen more than N times + + + + + + + + + Source addresses seen in the last second/minute/hour + + second minute hour + + + second + Source addresses seen COUNT times in the last second + + + minute + Source addresses seen COUNT times in the last minute + + + hour + Source addresses seen COUNT times in the last hour + + + (second|minute|hour) + + + + + 
+ + + Session state + + + + + Established state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Invalid state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + New state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + + Related state + + enable disable + + + enable + Enable + + + disable + Disable + + + (enable|disable) + + + + + +#include + + + Time to match rule + + + + + Date to start matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to start matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Date to stop matching rule + + txt + Enter date using following notation - YYYY-MM-DD + + + (\d{4}\-\d{2}\-\d{2}) + + + + + + Time of day to stop matching rule + + txt + Enter time using using 24 hour notation - hh:mm:ss + + + ([0-2][0-9](\:[0-5][0-9]){1,2}) + + + + + + Comma separated weekdays to match rule on + + txt + Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) + + + u32:0-6 + Day number (0 = Sunday ... 6 = Saturday) + + + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i index 86af2fb0e..a1071a09a 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i @@ -165,7 +165,7 @@ Match connections that are subject to source NAT - ^(destination|source)$ + (destination|source) diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i index b873d99a3..4ed179ae7 100644 --- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i 
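Review bot: The start-time and stop-time constraint `([0-2][0-9](\:[0-5][0-9]){1,2})` in the new `common-rule-inet.xml.i` accepts hours 24 to 29, so a constructed value such as `29:59` passes CLI validation. Bounding the hour closes that: `(([01][0-9]|2[0-3])(\:[0-5][0-9]){1,2})`. The expression is carried over unchanged from the per-family files this commit empties, so moving it into the shared include is the natural point to fix it once. Separately, the option with help text "Option to log packets matching rule" appears twice in this file with identical value lists; the node names are stripped in this view, so confirm the second one is not a duplicate of the first.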
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i @@ -1,11 +1,6 @@ -#include -#include -#include -#include -#include +#include #include -#include Destination parameters @@ -20,31 +15,6 @@ #include - - - Option to disable firewall rule - - - - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - ICMP type and code information 
@@ -77,176 +47,14 @@ #include - - - Inbound IPsec packets - - - - - Inbound IPsec packets - - - - - - Inbound non-IPsec packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - - - - Option to log packets matching rule - - enable disable - - - enable - Enable log - - - disable - Disable log - - - (enable|disable) - - - -#include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - ^(destination|source)$ - - - - - - + - Protocol to match (protocol name, number, or "all") + Set jump target. Action jump must be defined to use this setting - - all tcp_udp + firewall ipv4 name - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - Source parameters 
@@ -261,156 +69,4 @@ #include - - - Session state - - - - - Established state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Invalid state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - New state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Related state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - -#include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - - + \ No newline at end of file diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i index 758281335..6219557db 100644 --- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i +++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i @@ -1,11 +1,6 @@ -#include -#include -#include -#include -#include +#include #include -#include Destination parameters 
@@ -20,31 +15,6 @@ #include - - - Option to disable firewall rule - - - - - - IP fragment match - - - - - Second and further fragments of fragmented packets - - - - - - Head fragments or unfragmented packets - - - - - ICMPv6 type and code information @@ -77,176 +47,14 @@ #include - - - Inbound IPsec packets - - - - - Inbound IPsec packets - - - - - - Inbound non-IPsec packets - - - - - - - - Rate limit using a token bucket filter - - - - - Maximum number of packets to allow in excess of rate - - u32:0-4294967295 - Maximum number of packets to allow in excess of rate - - - - - - - - - Maximum average matching rate - - txt - integer/unit (Example: 5/minute) - - - \d+/(second|minute|hour|day) - - - - - - - - Option to log packets matching rule - - enable disable - - - enable - Enable log - - - disable - Disable log - - - (enable|disable) - - - -#include - - - Connection status - - - - - NAT connection status - - destination source - - - destination - Match connections that are subject to destination NAT - - - source - Match connections that are subject to source NAT - - - ^(destination|source)$ - - - - - - + - Protocol to match (protocol name, number, or "all") + Set jump target. Action jump must be defined to use this setting - - all tcp_udp + firewall ipv6 name - - all - All IP protocols - - - tcp_udp - Both TCP and UDP - - - u32:0-255 - IP protocol number - - - <protocol> - IP protocol name - - - !<protocol> - IP protocol name - - - - - - - Parameters for matching recently seen sources - - - - - Source addresses seen more than N times - - u32:1-255 - Source addresses seen more than N times - - - - - - - - - Source addresses seen in the last second/minute/hour - - second minute hour - - - second - Source addresses seen COUNT times in the last second - - - minute - Source addresses seen COUNT times in the last minute - - - hour - Source addresses seen COUNT times in the last hour - - - (second|minute|hour) - - - - - Source parameters 
@@ -261,156 +69,4 @@ #include - - - Session state - - - - - Established state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Invalid state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - New state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - - Related state - - enable disable - - - enable - Enable - - - disable - Disable - - - (enable|disable) - - - - - -#include - - - Time to match rule - - - - - Date to start matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to start matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Date to stop matching rule - - txt - Enter date using following notation - YYYY-MM-DD - - - (\d{4}\-\d{2}\-\d{2}) - - - - - - Time of day to stop matching rule - - txt - Enter time using using 24 hour notation - hh:mm:ss - - - ([0-2][0-9](\:[0-5][0-9]){1,2}) - - - - - - Comma separated weekdays to match rule on - - txt - Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday) - - - u32:0-6 - Day number (0 = Sunday ... 6 = Saturday) - - - - - - + \ No newline at end of file diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i index 7fd802f3b..9d6ecfaf2 100644 --- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i @@ -34,14 +34,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i index beb9df64e..08ee96419 100644 
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i @@ -27,14 +27,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i index 1a2e1399f..32b0ec94f 100644 --- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i index e870e2b79..d50d1e93b 100644 --- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv4 name - - - diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i index 4b6777293..81610babf 100644 --- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i +++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i @@ -34,14 +34,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i index 25e1bd288..20ab8dbe8 100644 --- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i 
@@ -27,14 +27,6 @@ #include #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i index f9a4d71b4..e34958f28 100644 --- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i index 9bf73a778..eb4ea7ac3 100644 --- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i @@ -26,14 +26,6 @@ #include #include - - - Set jump target. Action jump must be defined to use this setting - - firewall ipv6 name - - - -- cgit v1.2.3 From 4e07fa25f551325fd90b92426e4693107090d346 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 11 Aug 2023 18:26:53 +0000 Subject: T5460: remove config-trap from firewall --- .../include/firewall/global-options.xml.i | 20 -------------------- src/conf_mode/firewall.py | 15 --------------- src/migration-scripts/firewall/10-to-11 | 12 ++++++------ 3 files changed, 6 insertions(+), 41 deletions(-) (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i index 3204a239d..a63874cb0 100644 --- a/interface-definitions/include/firewall/global-options.xml.i +++ b/interface-definitions/include/firewall/global-options.xml.i 
@@ -44,26 +44,6 @@ disable - - - SNMP trap generation on firewall configuration changes - - enable disable - - - enable - Enable sending SNMP trap on firewall configuration change - - - disable - Disable sending SNMP trap on firewall configuration change - - - (enable|disable) - - - disable - Policy for handling IPv4 packets with source route option diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index c8b1e27db..7c09dfe9b 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -180,14 +180,6 @@ def get_config(config=None): # Update nat and policy-route as firewall groups were updated set_dependents('group_resync', conf) - #if 'config_trap' in firewall and firewall['config_trap'] == 'enable': - if 'config_trap' in firewall and firewall['global_options']['config_trap'] == 'enable': - diff = get_config_diff(conf) - firewall['trap_diff'] = diff.get_child_nodes_diff_str(base) - firewall['trap_targets'] = conf.get_config_dict(['service', 'snmp', 'trap-target'], - key_mangling=('-', '_'), get_first_key=True, - no_tag_node_value_mangle=True) - firewall['geoip_updated'] = geoip_updated(conf, firewall) fqdn_config_parse(firewall) @@ -327,10 +319,6 @@ def verify_nested_group(group_name, group, groups, seen): verify_nested_group(g, groups[g], groups, seen) def verify(firewall): - if 'config_trap' in firewall and firewall['config_trap'] == 'enable': - if not firewall['trap_targets']: - raise ConfigError(f'Firewall config-trap enabled but "service snmp trap-target" is not defined') - if 'group' in firewall: for group_type in nested_group_types: if group_type in firewall['group']: @@ -410,9 +398,6 @@ def post_apply_trap(firewall): if 'first_install' in firewall: return None - if 'config_trap' not in firewall['global_options'] or firewall['global_options']['config_trap'] != 'enable': - return None - if not process_named_running('snmpd'): return None 
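Review bot: `post_apply_trap()` survives this commit with only its `config_trap` guard removed, while `get_config()` no longer fills `firewall['trap_diff']` and `firewall['trap_targets']`. The rest of the function is outside the hunk; if it still reads those keys, it will raise `KeyError` on every commit made while `snmpd` is running, because `first_install` and the `snmpd` check are the only early returns left. The 15 deletions the diffstat reports for this file are all accounted for by the three visible hunks, so the function and its call site are presumably still present. Either remove both, or return early with `if 'trap_targets' not in firewall: return None`.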
diff --git a/src/migration-scripts/firewall/10-to-11 b/src/migration-scripts/firewall/10-to-11 index 8afcb64fd..716c5a240 100755 --- a/src/migration-scripts/firewall/10-to-11 +++ b/src/migration-scripts/firewall/10-to-11 @@ -45,7 +45,7 @@ from sys import exit from vyos.configtree import ConfigTree from vyos.ifconfig import Section -if (len(argv) < 1): +if len(argv) < 2: print("Must specify file name!") exit(1) @@ -77,14 +77,14 @@ if config.exists(base + ['state-policy']): config.set(base + [family, hook, priority, 'rule', position, 'action'], value=action) position = position + 1 config.delete(base + ['state-policy']) -############ ## migration of global options: for option in ['all-ping', 'broadcast-ping', 'config-trap', 'ip-src-route', 'ipv6-receive-redirects', 'ipv6-src-route', 'log-martians', 'receive-redirects', 'resolver-cache', 'resolver-internal', 'send-redirects', 'source-validation', 'syn-cookies', 'twa-hazards-protection']: if config.exists(base + [option]): - val = config.return_value(base + [option]) - config.set(base + ['global-options', option], value=val) + if option != 'config-trap': + val = config.return_value(base + [option]) + config.set(base + ['global-options', option], value=val) config.delete(base + [option]) ### Migration of firewall name and ipv6-name @@ -182,7 +182,7 @@ if config.exists(base + ['interface']): config.delete(base + ['interface']) -### Migration of zones config v2: +### Migration of zones: ### User interface groups if config.exists(base + ['zone']): inp_ipv4_rule = 101 @@ -364,7 +364,7 @@ if config.exists(base + ['zone']): config.delete(base + ['zone']) -###### END migration zones v2 +###### END migration zones try: with open(file_name, 'w') as f: -- cgit v1.2.3
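Review bot: The new `if option != 'config-trap':` guard in the global-options loop makes the migration delete `config-trap` without carrying it over, and neither the loop nor the script's header comment records that this is deliberate. After the upgrade, a system that relied on SNMP traps for firewall configuration changes loses that notification with no trace in the migrated config. A comment above the guard would keep the intent visible: `# config-trap was removed in T5460: drop the node instead of moving it under global-options`. Adding the same line to the list of transformations in the header comment would help whoever audits an upgraded config.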