authorNicolas Fort <nicolasfort1988@gmail.com>2022-04-11 17:52:30 +0000
committerNicolas Fort <nicolasfort1988@gmail.com>2022-04-11 17:52:30 +0000
commit19d38aa98cd656a2d4c558f6c99635b3d662b9cb (patch)
tree6403a576626ba2f8c7c8cba0457fe86d19d301e0
parent3a5cf74b06cef960e9a701172618c2c366591255 (diff)
downloadvyos-1x-19d38aa98cd656a2d4c558f6c99635b3d662b9cb.tar.gz
vyos-1x-19d38aa98cd656a2d4c558f6c99635b3d662b9cb.zip
Firewall: T990: Add snat and dst connection status on firewall
-rw-r--r--interface-definitions/include/firewall/common-rule.xml.i60
-rw-r--r--python/vyos/firewall.py8
-rwxr-xr-xsmoketest/scripts/cli/test_firewall.py7
3 files changed, 23 insertions, 52 deletions
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index 6e61de848..e74ce4ee4 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -95,51 +95,25 @@
</constraint>
</properties>
</leafNode>
-<node name="ct-status">
+<leafNode name="connection-status">
<properties>
- <help>Connection status in conntrack</help>
+ <help>Connection status</help>
+ <completionHelp>
+ <list>dnat snat</list>
+ </completionHelp>
+ <valueHelp>
+ <format>dnat</format>
+ <description>Match connections that are subject to destination NAT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>snat</format>
+ <description>Match connections that are subject to source NAT</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(dnat|snat)$</regex>
+ </constraint>
</properties>
- <children>
- <leafNode name="dnat">
- <properties>
- <help>Set when connection needs DNAT in original direction</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="snat">
- <properties>
- <help>Set when connection needs SNAT in original direction</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- </children>
-</node>
+</leafNode>
<leafNode name="protocol">
<properties>
<help>Protocol to match (protocol name, number, or "all")</help>
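Review bot: The new `connection-status` leafNode is single-valued, so a rule can no longer match connections that carry both conntrack flags, which the removed `ct-status` node tree allowed and the smoketest previously exercised as `ct status { snat, dnat }`. If dropping that combination is intended, the `<help>` text should say the node takes exactly one of the two values; otherwise the node needs `<multi/>` and the renderer in python/vyos/firewall.py has to join the resulting list. The `^(dnat|snat)$` regex is the only check between the configured string and the nftables rule text, so it carries the whole validation burden for this node. This hunk has no enclosing definition; it is a fragment of an include file.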
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 5e11e4332..06731dd64 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -49,11 +49,9 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if states:
output.append(f'ct state {{{states}}}')
- if 'ct_status' in rule_conf and rule_conf['ct_status']:
- status = ",".join([s for s, v in rule_conf['ct_status'].items() if v == 'enable'])
-
- if status:
- output.append(f'ct status {{{status}}}')
+ if 'connection_status' in rule_conf and rule_conf['connection_status']:
+ status = rule_conf['connection_status']
+ output.append(f'ct status {{{status}}}')
if 'protocol' in rule_conf and rule_conf['protocol'] != 'all':
proto = rule_conf['protocol']
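Review bot: The new `connection_status` branch interpolates the configured string straight into the nft expression, relying only on the XML `^(dnat|snat)$` constraint for validation; an explicit check where the rule text is built makes that contract visible and covers any path that reaches parse_rule without the CLI constraint having run. Because silently skipping the match would widen what the rule accepts, an unexpected value should raise rather than be dropped, e.g. `status = rule_conf.get('connection_status')` followed by `if status and status not in ('dnat', 'snat'): raise ValueError(f'invalid connection-status {status}')` before the existing `output.append(...)`. The double lookup `'connection_status' in rule_conf and rule_conf['connection_status']` collapses to the same `.get()` call. parse_rule begins and ends outside this hunk.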
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index b914d930a..13bf02cd1 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -171,12 +171,11 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'state', 'invalid', 'enable'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'state', 'new', 'enable'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'ct-status', 'dnat', 'enable'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '3', 'connection-status', 'dnat'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'action', 'accept'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'state', 'new', 'enable'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'state', 'established', 'enable'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'ct-status', 'snat', 'enable'])
- self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'ct-status', 'dnat', 'enable'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '4', 'connection-status', 'snat'])
self.cli_set(['interfaces', 'ethernet', 'eth0', 'firewall', 'in', 'name', 'smoketest'])
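Review bot: The smoketest now has one positive case per value but adds no negative case for the new `^(dnat|snat)$` constraint, so the validation that the renderer depends on is not pinned anywhere; a `cli_set` of `connection-status` with a value outside that list, asserted to be rejected at commit in the same way the file's other constraint checks do, would cover it. The combined `snat, dnat` case was removed rather than replaced, and the expectation hunk below at line 186 shrinks the expected rule accordingly, so the lost combination goes untested. The enclosing test method starts outside this hunk.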
@@ -187,7 +186,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
['ct state { established, related }', 'return'],
['ct state { invalid }', 'reject'],
['ct state { new }', 'ct status { dnat }', 'return'],
- ['ct state { established, new }', 'ct status { snat, dnat }', 'return'],
+ ['ct state { established, new }', 'ct status { snat }', 'return'],
['smoketest default-action', 'drop']
]