From 1772c0a7232789e6eeb0caa78fe630fab899522d Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 7 Sep 2023 20:30:50 +0000 Subject: T4072: add firewall bridge filtering. First implementation only applies for forward chain and few matchers. Should be extended in the future. --- interface-definitions/firewall.xml.in | 9 ++++ .../include/firewall/action-l2.xml.i | 37 ++++++++++++++ .../include/firewall/action.xml.i | 8 ++- .../include/firewall/bridge-custom-name.xml.i | 39 +++++++++++++++ .../include/firewall/bridge-hook-forward.xml.i | 34 +++++++++++++ .../include/firewall/common-rule-bridge.xml.i | 57 ++++++++++++++++++++++ .../include/firewall/default-action-bridge.xml.i | 34 +++++++++++++ .../include/firewall/default-action.xml.i | 8 ++- .../include/firewall/match-vlan.xml.i | 41 ++++++++++++++++ 9 files changed, 263 insertions(+), 4 deletions(-) create mode 100644 interface-definitions/include/firewall/action-l2.xml.i create mode 100644 interface-definitions/include/firewall/bridge-custom-name.xml.i create mode 100644 interface-definitions/include/firewall/bridge-hook-forward.xml.i create mode 100644 interface-definitions/include/firewall/common-rule-bridge.xml.i create mode 100644 interface-definitions/include/firewall/default-action-bridge.xml.i create mode 100644 interface-definitions/include/firewall/match-vlan.xml.i (limited to 'interface-definitions')
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 127f4b7e7..8e462f3eb 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -284,6 +284,15 @@
+ + + Bridge firewall + + + #include + #include + + IPv4 firewall
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
new file mode 100644
index 000000000..84af576c8
--- /dev/null
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -0,0 +1,37 @@
+
+
+
+ Rule action
+
+ accept continue jump return drop queue
+
+
+ accept
+ Accept matching entries
+
+
+ continue
+ Continue parsing next rule
+
+
+ jump
+ Jump to another chain
+
+
+ return
+ Return from the current chain and continue at the next rule of the last chain
+
+
+ drop
+ Drop matching entries
+
+
+ queue
+ Enqueue packet to userspace
+
+
+ (accept|continue|jump|return|drop|queue)
+
+
+
+
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 7c6e33839..9391a7bee 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,12 +3,16 @@
Rule action - accept jump reject return drop queue + accept continue jump reject return drop queue accept Accept matching entries + + continue + Continue parsing next rule + jump Jump to another chain
@@ -30,7 +34,7 @@
Enqueue packet to userspace - (accept|jump|reject|return|drop|queue) + (accept|continue|jump|reject|return|drop|queue)
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
new file mode 100644
index 000000000..a85fd5a19
--- /dev/null
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -0,0 +1,39 @@
+
+
+
+ Bridge custom firewall
+
+ [a-zA-Z0-9][\w\-\.]*
+
+
+
+ #include
+ #include
+ #include
+
+
+ Set jump target. Action jump must be defined in default-action to use this setting
+
+ firewall bridge name
+
+
+
+
+
+ Bridge Firewall forward filter rule number
+
+ u32:1-999999
+ Number for this firewall rule
+
+
+
+
+ Firewall rule number must be between 1 and 999999
+
+
+ #include
+
+
+
+
+
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
new file mode 100644
index 000000000..23d757070
--- /dev/null
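Review bot: In bridge-custom-name.xml.i the rule tag node's help reads `Bridge Firewall forward filter rule number`, copied from bridge-hook-forward.xml.i, but this node numbers the rules of a user-named custom chain; suggest `Bridge Firewall custom chain rule number`. The jump-target help says `Action jump must be defined in default-action to use this setting`, yet an interface definition cannot enforce that dependency, that the named chain actually exists, or that custom chains do not jump to each other in a cycle; the name is only constrained by the regex `[a-zA-Z0-9][\w\-\.]*`. Those checks presumably belong to the verify step of the firewall config script, which this commit does not touch, so it is worth confirming that a default-jump-target without a jump default-action, and a target chain that is not configured, are rejected at commit time rather than at ruleset load time.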
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -0,0 +1,34 @@
+
+
+
+ Bridge forward firewall
+
+
+
+
+ Bridge firewall forward filter
+
+
+ #include
+ #include
+
+
+ Bridge Firewall forward filter rule number
+
+ u32:1-999999
+ Number for this firewall rule
+
+
+
+
+ Firewall rule number must be between 1 and 999999
+
+
+ #include
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
new file mode 100644
index 000000000..381e04b1e
--- /dev/null
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -0,0 +1,57 @@
+
+#include
+#include
+
+
+ Destination parameters
+
+
+ #include
+
+
+
+
+ Option to disable firewall rule
+
+
+
+
+
+ Set jump target. Action jump must be defined to use this setting
+
+ firewall bridge name
+
+
+
+
+
+ Option to log packets matching rule
+
+ enable disable
+
+
+ enable
+ Enable log
+
+
+ disable
+ Disable log
+
+
+ (enable|disable)
+
+
+
+#include
+
+
+ Source parameters
+
+
+ #include
+
+
+#include
+#include
+#include
+
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
new file mode 100644
index 000000000..858c7aeeb
--- /dev/null
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -0,0 +1,34 @@
+
+
+
+ Default-action for rule-set
+
+ drop jump return accept continue
+
+
+ drop
+ Drop if no prior rules are hit
+
+
+ jump
+ Jump to another chain if no prior rules are hit
+
+
+ return
+ Return from the current chain and continue at the next rule of the last chain
+
+
+ accept
+ Accept if no prior rules are hit
+
+
+ continue
+ Continue parsing next rule
+
+
+ (drop|jump|return|accept|continue)
+
+
+ drop
+
+
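Review bot: `continue` is added to the bridge default-action in default-action-bridge.xml.i with the per-rule help `Continue parsing next rule`, but a default-action applies after every rule has failed to match, so there is no next rule to continue to and the operator cannot tell from this text whether the packet is then accepted, dropped or handed back to a calling chain. The same value and text are added to default-action.xml.i in the next file. What actually happens depends on how the config script renders the default action into the nftables ruleset, which is outside this commit; the description should name that outcome explicitly (for instance `Fall through to the chain policy when no rule matched`, if that is the rendered behaviour) so a reader does not mistake it for a restrictive default, and the same wording should go into default-action.xml.i.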
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 80efaf335..53a161495 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -3,7 +3,7 @@
Default-action for rule-set - drop jump reject return accept + drop jump reject return accept continue drop
@@ -25,8 +25,12 @@
accept Accept if no prior rules are hit + + continue + Continue parsing next rule + - (drop|jump|reject|return|accept) + (drop|jump|reject|return|accept|continue) drop
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
new file mode 100644
index 000000000..44ad02c99
--- /dev/null
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -0,0 +1,41 @@
+
+
+
+ VLAN parameters
+
+
+
+
+ Vlan id
+
+ u32:0-4096
+ Vlan id
+
+
+ <start-end>
+ Vlan id range to match
+
+
+
+
+
+
+
+
+ Vlan priority(pcp)
+
+ u32:0-7
+ Vlan priority
+
+
+ <start-end>
+ Vlan priority range to match
+
+
+
+
+
+
+
+
\ No newline at end of file
-- cgit v1.2.3
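Review bot: The VLAN id value help in match-vlan.xml.i reads `u32:0-4096`, but an 802.1Q VLAN id is a 12-bit field, so 4095 is the highest representable value (and is itself reserved) and 4096 can never appear on the wire or be matched by the `vlan id` selector. The help should read `u32:0-4095`, the range validator behind it (its tags are stripped in this rendering, so I cannot see its bound) should use the same upper limit, and the `<start-end>` form needs the same cap on its end value so that a rule does not pass configuration validation only to be rejected when the ruleset is loaded. The priority field's `u32:0-7` is correct for the 3-bit PCP.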