VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=pr-template 2024-07-29T15:05:21+00:00 2024-07-29T15:05:21+00:00 Andrew Topp andrewt@telekinetica.net 2024-07-29T15:05:21+00:00 urn:sha1:3d42009c0e3cf5ea7ea0ed167b4d8f655667edd8 This patch on #3616 will only attempt to fix ipsec matches in rules if the firewall config tree passed to migrate_chain() has rules attached. 2024-07-28T11:47:07+00:00 talmakion andrewt@telekinetica.net 2024-07-28T11:47:07+00:00 urn:sha1:e2bf8812f73a75356f56274968be8859a2186d73 * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests