From 4e8839b6d78c7629cd2c1daee0438472c96365a4 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Tue, 21 Nov 2023 17:36:20 +0000
Subject: T5419: firewall: backport firewall flowtable to Sagitta.

---
 interface-definitions/firewall.xml.in              | 40 +++++++++++++++++++
 .../include/firewall/action-forward.xml.i          | 45 ++++++++++++++++++++++
 .../include/firewall/ipv4-hook-forward.xml.i       |  2 +
 .../include/firewall/ipv6-hook-forward.xml.i       |  2 +
 .../include/firewall/offload-target.xml.i          | 10 +++++
 interface-definitions/interfaces-ethernet.xml.in   |  6 +++
 6 files changed, 105 insertions(+)
 create mode 100644 interface-definitions/include/firewall/action-forward.xml.i
 create mode 100644 interface-definitions/include/firewall/offload-target.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 4704b200e..0bb14a1b3 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -7,6 +7,46 @@
     </properties>
     <children>
       #include <include/firewall/global-options.xml.i>
+      <tagNode name="flowtable">
+        <properties>
+          <help>Flowtable</help>
+          <constraint>
+            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
+          </constraint>
+        </properties>
+        <children>
+          #include <include/generic-description.xml.i>
+          <leafNode name="interface">
+            <properties>
+              <help>Interfaces to use this flowtable</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces</script>
+              </completionHelp>
+              <multi/>
+            </properties>
+          </leafNode>
+          <leafNode name="offload">
+            <properties>
+              <help>Offloading method</help>
+              <completionHelp>
+                <list>hardware software</list>
+              </completionHelp>
+              <valueHelp>
+                <format>hardware</format>
+                <description>Hardware offload</description>
+              </valueHelp>
+              <valueHelp>
+                <format>software</format>
+                <description>Software offload</description>
+              </valueHelp>
+              <constraint>
+                <regex>(hardware|software)</regex>
+              </constraint>
+            </properties>
+            <defaultValue>software</defaultValue>
+          </leafNode>
+        </children>
+      </tagNode>
       <node name="group">
         <properties>
           <help>Firewall group</help>
diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
new file mode 100644
index 000000000..87da72c97
--- /dev/null
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -0,0 +1,45 @@
+<!-- include start from firewall/action-forward.xml.i -->
+<leafNode name="action">
+  <properties>
+    <help>Rule action</help>
+    <completionHelp>
+      <list>accept continue jump reject return drop queue offload</list>
+    </completionHelp>
+    <valueHelp>
+      <format>accept</format>
+      <description>Accept matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>continue</format>
+      <description>Continue parsing next rule</description>
+    </valueHelp>
+    <valueHelp>
+      <format>jump</format>
+      <description>Jump to another chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>reject</format>
+      <description>Reject matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>return</format>
+      <description>Return from the current chain and continue at the next rule of the last chain</description>
+    </valueHelp>
+    <valueHelp>
+      <format>drop</format>
+      <description>Drop matching entries</description>
+    </valueHelp>
+    <valueHelp>
+      <format>queue</format>
+      <description>Enqueue packet to userspace</description>
+    </valueHelp>
+    <valueHelp>
+      <format>offload</format>
+      <description>Offload packet via flowtable</description>
+    </valueHelp>
+    <constraint>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
index 9831498c9..100f1c3d9 100644
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -25,8 +25,10 @@
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
+            #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv4.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
index 5c86871e5..fb38267eb 100644
--- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -25,8 +25,10 @@
             <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
           </properties>
           <children>
+            #include <include/firewall/action-forward.xml.i>
             #include <include/firewall/common-rule-ipv6.xml.i>
             #include <include/firewall/inbound-interface.xml.i>
+            #include <include/firewall/offload-target.xml.i>
             #include <include/firewall/outbound-interface.xml.i>
           </children>
         </tagNode>
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
new file mode 100644
index 000000000..b1ae39100
--- /dev/null
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from firewall/offload-target.xml.i -->
+<leafNode name="offload-target">
+  <properties>
+    <help>Set flowtable offload target. Action offload must be defined to use this setting</help>
+    <completionHelp>
+      <path>firewall flowtable</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 3669336fd..5aaa7095c 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -80,6 +80,12 @@
                   <valueless/>
                 </properties>
               </leafNode>
+              <leafNode name="hw-tc-offload">
+                <properties>
+                  <help>Enable Hardware Flow Offload</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
               <leafNode name="lro">
                 <properties>
                   <help>Enable Large Receive Offload</help>
-- 
cgit v1.2.3