diff options
author | talmakion <andrewt@telekinetica.net> | 2024-07-28 21:47:07 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-28 14:47:07 +0300 |
commit | e2bf8812f73a75356f56274968be8859a2186d73 (patch) | |
tree | 2f71b4042bb602ca58f03792af0143903e8e3f24 /interface-definitions/include/firewall/ipv6-hook-input.xml.i | |
parent | ba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff) | |
download | vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip |
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
Diffstat (limited to 'interface-definitions/include/firewall/ipv6-hook-input.xml.i')
-rw-r--r-- | interface-definitions/include/firewall/ipv6-hook-input.xml.i | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i index e1f41e64c..154b10259 100644 --- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i +++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i @@ -27,7 +27,7 @@ <children> #include <include/firewall/common-rule-ipv6.xml.i> #include <include/firewall/inbound-interface.xml.i> - #include <include/firewall/match-ipsec.xml.i> + #include <include/firewall/match-ipsec-in.xml.i> </children> </tagNode> </children> |