firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)

* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
   fw rules
 * Add ipsec match-ipsec-out and match-none-out
 * Change all the points where the match-ipsec.xml.i include was used
   before, making sure the new includes (match-ipsec-in/out.xml.i) are
   used appropriately. There were a handful of spots where match-ipsec.xml.i
   had snuck back in for output hooked chains already
   (the common-rule-* includes)
 * Add the -out generators to rendered templates
 * Heavy modification to firewall config validators:
   * I needed to check for ipsec-in matches no matter how deeply nested
     under an output-hook chain(via jump-target) - this always generates
     an error.
   * Ended up retrofitting the jump-targets validator from root chains
     and for named custom chains. It checks for recursive loops and improper
     IPsec matches.
 * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
   smoketests

1 files changed, 0 insertions, 1 deletions

diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index 960c960db..e8da1a0e1 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -9,7 +9,6 @@
 #include <include/firewall/limit.xml.i>
 #include <include/firewall/log.xml.i>
 #include <include/firewall/log-options.xml.i>
-#include <include/firewall/match-ipsec.xml.i>
 #include <include/firewall/protocol.xml.i>
 #include <include/firewall/nft-queue.xml.i>
 #include <include/firewall/recent.xml.i>