Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into current

* 'firewall' of https://github.com/sarthurdev/vyos-1x:
  zone_policy: T3873: Implement intra-zone-filtering
  policy: T2199: Migrate policy route op-mode to XML/Python
  policy: T2199: Migrate policy route to XML/Python
  zone-policy: T2199: Migrate zone-policy op-mode to XML/Python
  zone-policy: T2199: Migrate zone-policy to XML/Python
  firewall: T2199: Migrate firewall op-mode to XML/Python
  firewall: T2199: Migrate firewall to XML/Python

4 files changed, 444 insertions, 2 deletions

diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 40ed1b916..9ea880697 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -157,8 +157,8 @@ delete chain ip raw NAT_CONNTRACK
 add chain ip raw NAT_CONNTRACK
 add rule ip raw NAT_CONNTRACK counter accept
 {%   set base_command = 'add rule ip raw' %}
-{{ base_command }} PREROUTING position {{ pre_ct_ignore }}    counter jump VYATTA_CT_HELPER
-{{ base_command }} OUTPUT     position {{ out_ct_ignore }}    counter jump VYATTA_CT_HELPER
+{{ base_command }} PREROUTING position {{ pre_ct_ignore }}    counter jump VYOS_CT_HELPER
+{{ base_command }} OUTPUT     position {{ out_ct_ignore }}    counter jump VYOS_CT_HELPER
 {{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
 {{ base_command }} OUTPUT     position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
 {% endif %}
diff --git a/data/templates/firewall/nftables-policy.tmpl b/data/templates/firewall/nftables-policy.tmpl
new file mode 100644
index 000000000..aa6bb6fc1
--- /dev/null
+++ b/data/templates/firewall/nftables-policy.tmpl
@@ -0,0 +1,53 @@
+#!/usr/sbin/nft -f
+
+table ip mangle {
+{% if first_install is defined %}
+    chain VYOS_PBR_PREROUTING {
+        type filter hook prerouting priority -150; policy accept;
+    }
+    chain VYOS_PBR_POSTROUTING {
+        type filter hook postrouting priority -150; policy accept;
+    }
+{% endif %}
+{% if route is defined -%}
+{%   for route_text, conf in route.items() %}
+    chain VYOS_PBR_{{ route_text }} {
+{%     if conf.rule is defined %}
+{%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
+        {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
+{%       endfor %}
+{%     endif %}
+{%     if conf.default_action is defined %}
+        counter {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}"
+{%     else %}
+        counter return
+{%     endif %}
+    }
+{%   endfor %}
+{%- endif %}
+}
+
+table ip6 mangle {
+{% if first_install is defined %}
+    chain VYOS_PBR6_PREROUTING {
+        type filter hook prerouting priority -150; policy accept;
+    }
+    chain VYOS_PBR6_POSTROUTING {
+        type filter hook postrouting priority -150; policy accept;
+    }
+{% endif %}
+{% if ipv6_route is defined %}
+{%   for route_text, conf in ipv6_route.items() %}
+    chain VYOS_PBR6_{{ route_text }} {
+{%     if conf.rule is defined %}
+{%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
+        {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }}
+{%       endfor %}
+{%     endif %}
+{%     if conf.default_action is defined %}
+        counter {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}"
+{%     endif %}
+    }
+{%   endfor %}
+{% endif %}
+}
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
new file mode 100644
index 000000000..34bd9b71e
--- /dev/null
+++ b/data/templates/firewall/nftables.tmpl
@@ -0,0 +1,292 @@
+#!/usr/sbin/nft -f
+
+{% if cleanup_commands is defined %}
+{%   for command in cleanup_commands %}
+{{ command }}
+{%   endfor %}
+{% endif %}
+
+{% if group is defined %}
+{%   if group.address_group is defined %}
+{%     for group_name, group_conf in group.address_group.items() %}
+define A_{{ group_name }} = {
+    {{ group_conf.address | join(",") }}
+}
+{%     endfor %}
+{%   endif %}
+{%   if group.ipv6_address_group is defined %}
+{%     for group_name, group_conf in group.ipv6_address_group.items() %}
+define A6_{{ group_name }} = {
+    {{ group_conf.address | join(",") }}
+}
+{%     endfor %}
+{%   endif %}
+{%   if group.network_group is defined %}
+{%     for group_name, group_conf in group.network_group.items() %}
+define N_{{ group_name }} = {
+    {{ group_conf.network | join(",") }}
+}
+{%     endfor %}
+{%   endif %}
+{%   if group.ipv6_network_group is defined %}
+{%     for group_name, group_conf in group.ipv6_network_group.items() %}
+define N6_{{ group_name }} = {
+    {{ group_conf.network | join(",") }}
+}
+{%     endfor %}
+{%   endif %}
+{%   if group.port_group is defined %}
+{%     for group_name, group_conf in group.port_group.items() %}
+define P_{{ group_name }} = {
+    {{ group_conf.port | join(",") }}
+}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+
+table ip filter {
+{% if first_install is defined %}
+    chain VYOS_FW_IN {
+        type filter hook forward priority 0; policy accept;
+    }
+    chain VYOS_FW_OUT {
+        type filter hook forward priority 1; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_FW_LOCAL {
+        type filter hook input priority 0; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_FW_OUTPUT {
+        type filter hook output priority 0; policy accept;
+        jump VYOS_POST_FW
+    }
+    chain VYOS_POST_FW {
+        return
+    }
+    chain VYOS_FRAG_MARK {
+        type filter hook prerouting priority -450; policy accept;
+        ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
+    }
+{% endif %}
+{% if name is defined %}
+{%   for name_text, conf in name.items() %}
+{%     set default_log = 'log' if 'enable_default_log' in conf else '' %}
+    chain {{ name_text }} {
+{%     if conf.rule is defined %}
+{%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
+        {{ rule_conf | nft_rule(name_text, rule_id) }}
+{%       endfor %}
+{%     endif %}
+{%     if conf.default_action is defined %}
+        counter {{ default_log }} {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}"
+{%     else %}
+        return
+{%     endif %}
+    }
+{%   endfor %}
+{% endif %}
+{% if state_policy is defined %}
+    chain VYOS_STATE_POLICY {
+{%   if state_policy.established is defined %}
+        {{ state_policy.established | nft_state_policy('established') }}
+{%   endif %}
+{%   if state_policy.invalid is defined %}
+        {{ state_policy.invalid | nft_state_policy('invalid') }}
+{%   endif %}
+{%   if state_policy.related is defined %}
+        {{ state_policy.related | nft_state_policy('related') }}
+{%   endif %}
+        return
+    }
+{% endif %}
+}
+
+table ip6 filter {
+{% if first_install is defined %}
+    chain VYOS_FW6_IN {
+        type filter hook forward priority 0; policy accept;
+    }
+    chain VYOS_FW6_OUT {
+        type filter hook forward priority 1; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_FW6_LOCAL {
+        type filter hook input priority 0; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_FW6_OUTPUT {
+        type filter hook output priority 0; policy accept;
+        jump VYOS_POST_FW6
+    }
+    chain VYOS_POST_FW6 {
+        return
+    }
+    chain VYOS_FRAG6_MARK {
+        type filter hook prerouting priority -450; policy accept;
+        exthdr frag exists meta mark set 0xffff1 return
+    }
+{% endif %}
+{% if ipv6_name is defined %}
+{%   for name_text, conf in ipv6_name.items() %}
+{%     set default_log = 'log' if 'enable_default_log' in conf else '' %}
+    chain {{ name_text }} {
+{%     if conf.rule is defined %}
+{%       for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
+        {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{%       endfor %}
+{%     endif %}
+{%     if conf.default_action is defined %}
+        counter {{ default_log }} {{ conf.default_action | nft_action }} comment "{{ name_text }} default-action {{ conf.default_action }}"
+{%     else %}
+        return
+{%     endif %}
+    }
+{%   endfor %}
+{% endif %}
+{% if state_policy is defined %}
+    chain VYOS_STATE_POLICY6 {
+{%   if state_policy.established is defined %}
+        {{ state_policy.established | nft_state_policy('established') }}
+{%   endif %}
+{%   if state_policy.invalid is defined %}
+        {{ state_policy.invalid | nft_state_policy('invalid') }}
+{%   endif %}
+{%   if state_policy.related is defined %}
+        {{ state_policy.related | nft_state_policy('related') }}
+{%   endif %}
+        return
+    }
+{% endif %}
+}
+
+{% if first_install is defined %}
+table ip nat {
+    chain PREROUTING {
+        type nat hook prerouting priority -100; policy accept;
+        counter jump VYOS_PRE_DNAT_HOOK
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority 100; policy accept;
+        counter jump VYOS_PRE_SNAT_HOOK
+    }
+
+    chain VYOS_PRE_DNAT_HOOK {
+        return
+    }
+
+    chain VYOS_PRE_SNAT_HOOK {
+        return
+    }
+}
+
+table ip6 nat {
+    chain PREROUTING {
+        type nat hook prerouting priority -100; policy accept;
+        counter jump VYOS_DNPT_HOOK
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority 100; policy accept;
+        counter jump VYOS_SNPT_HOOK
+    }
+
+    chain VYOS_DNPT_HOOK {
+        return
+    }
+
+    chain VYOS_SNPT_HOOK {
+        return
+    }
+}
+
+table inet mangle {
+    chain FORWARD {
+        type filter hook forward priority -150; policy accept;
+    }
+}
+
+table raw {
+    chain VYOS_TCP_MSS {
+        type filter hook forward priority -300; policy accept;
+    }
+
+    chain PREROUTING {
+        type filter hook prerouting priority -200; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
+        counter jump VYOS_CT_PREROUTING_HOOK
+        notrack
+    }
+
+    chain OUTPUT {
+        type filter hook output priority -200; policy accept;
+        counter jump VYOS_CT_IGNORE
+        counter jump VYOS_CT_TIMEOUT
+        counter jump VYOS_CT_OUTPUT_HOOK
+        notrack
+    }
+
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+
+    chain VYOS_CT_HELPER {
+        ct helper set "rpc_tcp" tcp dport {111} return
+        ct helper set "rpc_udp" udp dport {111} return
+        ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+        return
+    }
+
+    chain VYOS_CT_IGNORE {
+        return
+    }
+
+    chain VYOS_CT_TIMEOUT {
+        return
+    }
+
+    chain VYOS_CT_PREROUTING_HOOK {
+        return
+    }
+
+    chain VYOS_CT_OUTPUT_HOOK {
+        return
+    }
+}
+
+table ip6 raw {
+    chain VYOS_TCP_MSS {
+        type filter hook forward priority -300; policy accept;
+    }
+
+    chain PREROUTING {
+        type filter hook prerouting priority -300; policy accept;
+        counter jump VYOS_CT_PREROUTING_HOOK
+        notrack
+    }
+
+    chain OUTPUT {
+        type filter hook output priority -300; policy accept;
+        counter jump VYOS_CT_OUTPUT_HOOK
+        notrack
+    }
+
+    chain VYOS_CT_PREROUTING_HOOK {
+        return
+    }
+
+    chain VYOS_CT_OUTPUT_HOOK {
+        return
+    }
+}
+{% endif %}
diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl
new file mode 100644
index 000000000..21230c688
--- /dev/null
+++ b/data/templates/zone_policy/nftables.tmpl
@@ -0,0 +1,97 @@
+#!/usr/sbin/nft -f
+
+{% if cleanup_commands is defined %}
+{%   for command in cleanup_commands %}
+{{ command }}
+{%   endfor %}
+{% endif %}
+
+{% if zone is defined %}
+table ip filter {
+{%   for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %}
+{%     if zone_conf.local_zone is defined %}
+    chain VZONE_{{ zone_name }}_IN {
+        iifname lo counter return
+{%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%       endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+    chain VZONE_{{ zone_name }}_OUT {
+        oifname lo counter return
+{%         for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%         endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+{%     else %}
+    chain VZONE_{{ zone_name }} {
+        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }}
+{%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
+{%         if zone[from_zone].local_zone is not defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%         endif %}
+{%       endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+{%     endif %}
+{%   endfor %}
+}
+
+table ip6 filter {
+{%   for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %}
+{%     if zone_conf.local_zone is defined %}
+    chain VZONE6_{{ zone_name }}_IN {
+        iifname lo counter return
+{%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%       endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+    chain VZONE6_{{ zone_name }}_OUT {
+        oifname lo counter return
+{%         for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%         endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+{%     else %}
+    chain VZONE6_{{ zone_name }} {
+        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }}
+{%       for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
+{%         if zone[from_zone].local_zone is not defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%         endif %}
+{%       endfor %}
+        counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+    }
+{%     endif %}
+{%   endfor %}
+}
+
+{%   for zone_name, zone_conf in zone.items() %}
+{%     if zone_conf.ipv4 %}
+{%       if 'local_zone' in zone_conf %}
+insert rule ip filter VYOS_FW_LOCAL counter jump VZONE_{{ zone_name }}_IN
+insert rule ip filter VYOS_FW_OUTPUT counter jump VZONE_{{ zone_name }}_OUT
+{%       else %}
+insert rule ip filter VYOS_FW_OUT oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
+{%       endif %}
+{%     endif %}
+{%     if zone_conf.ipv6 %}
+{%       if 'local_zone' in zone_conf %}
+insert rule ip6 filter VYOS_FW6_LOCAL counter jump VZONE6_{{ zone_name }}_IN
+insert rule ip6 filter VYOS_FW6_OUTPUT counter jump VZONE6_{{ zone_name }}_OUT
+{%       else %}
+insert rule ip6 filter VYOS_FW6_OUT oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE6_{{ zone_name }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+
+{% endif %}