diff options
author | talmakion <andrewt@telekinetica.net> | 2024-07-28 21:47:07 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-28 14:47:07 +0300 |
commit | e2bf8812f73a75356f56274968be8859a2186d73 (patch) | |
tree | 2f71b4042bb602ca58f03792af0143903e8e3f24 /interface-definitions/include/firewall/match-ipsec.xml.i | |
parent | ba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff) | |
download | vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip |
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
fw rules
* Add ipsec match-ipsec-out and match-none-out
* Change all the points where the match-ipsec.xml.i include was used
before, making sure the new includes (match-ipsec-in/out.xml.i) are
used appropriately. There were a handful of spots where match-ipsec.xml.i
had snuck back in for output hooked chains already
(the common-rule-* includes)
* Add the -out generators to rendered templates
* Heavy modification to firewall config validators:
* I needed to check for ipsec-in matches no matter how deeply nested
under an output-hook chain(via jump-target) - this always generates
an error.
* Ended up retrofitting the jump-targets validator from root chains
and for named custom chains. It checks for recursive loops and improper
IPsec matches.
* Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
smoketests
Diffstat (limited to 'interface-definitions/include/firewall/match-ipsec.xml.i')
-rw-r--r-- | interface-definitions/include/firewall/match-ipsec.xml.i | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/interface-definitions/include/firewall/match-ipsec.xml.i b/interface-definitions/include/firewall/match-ipsec.xml.i index 82c2b324d..d8d31ef1a 100644 --- a/interface-definitions/include/firewall/match-ipsec.xml.i +++ b/interface-definitions/include/firewall/match-ipsec.xml.i @@ -1,21 +1,33 @@ <!-- include start from firewall/match-ipsec.xml.i --> <node name="ipsec"> <properties> - <help>Inbound IPsec packets</help> + <help>IPsec encapsulated packets</help> </properties> <children> - <leafNode name="match-ipsec"> + <leafNode name="match-ipsec-in"> <properties> - <help>Inbound IPsec packets</help> + <help>Inbound traffic that was IPsec encapsulated</help> <valueless/> </properties> </leafNode> - <leafNode name="match-none"> + <leafNode name="match-none-in"> <properties> - <help>Inbound non-IPsec packets</help> + <help>Inbound traffic that was not IPsec encapsulated</help> <valueless/> </properties> </leafNode> + <leafNode name="match-ipsec-out"> + <properties> + <help>Outbound traffic to be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> + <leafNode name="match-none-out"> + <properties> + <help>Outbound traffic that will not be IPsec encapsulated</help> + <valueless/> + </properties> + </leafNode> </children> </node> <!-- include end -->
\ No newline at end of file |