summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall/ipv6-hook-input.xml.i
diff options
context:
space:
mode:
authortalmakion <andrewt@telekinetica.net>2024-07-28 21:47:07 +1000
committerGitHub <noreply@github.com>2024-07-28 14:47:07 +0300
commite2bf8812f73a75356f56274968be8859a2186d73 (patch)
tree2f71b4042bb602ca58f03792af0143903e8e3f24 /interface-definitions/include/firewall/ipv6-hook-input.xml.i
parentba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff)
downloadvyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz
vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
Diffstat (limited to 'interface-definitions/include/firewall/ipv6-hook-input.xml.i')
-rw-r--r--interface-definitions/include/firewall/ipv6-hook-input.xml.i2
1 files changed, 1 insertions, 1 deletions
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
index e1f41e64c..154b10259 100644
--- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -27,7 +27,7 @@
<children>
#include <include/firewall/common-rule-ipv6.xml.i>
#include <include/firewall/inbound-interface.xml.i>
- #include <include/firewall/match-ipsec.xml.i>
+ #include <include/firewall/match-ipsec-in.xml.i>
</children>
</tagNode>
</children>