summaryrefslogtreecommitdiff
path: root/interface-definitions/include/firewall/match-ipsec.xml.i
diff options
context:
space:
mode:
authortalmakion <andrewt@telekinetica.net>2024-07-28 21:47:07 +1000
committerGitHub <noreply@github.com>2024-07-28 14:47:07 +0300
commite2bf8812f73a75356f56274968be8859a2186d73 (patch)
tree2f71b4042bb602ca58f03792af0143903e8e3f24 /interface-definitions/include/firewall/match-ipsec.xml.i
parentba4198fc3cb80628ad38118f4dcc3bfe43181de1 (diff)
downloadvyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.tar.gz
vyos-1x-e2bf8812f73a75356f56274968be8859a2186d73.zip
firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)
* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests
Diffstat (limited to 'interface-definitions/include/firewall/match-ipsec.xml.i')
-rw-r--r--interface-definitions/include/firewall/match-ipsec.xml.i22
1 files changed, 17 insertions, 5 deletions
diff --git a/interface-definitions/include/firewall/match-ipsec.xml.i b/interface-definitions/include/firewall/match-ipsec.xml.i
index 82c2b324d..d8d31ef1a 100644
--- a/interface-definitions/include/firewall/match-ipsec.xml.i
+++ b/interface-definitions/include/firewall/match-ipsec.xml.i
@@ -1,21 +1,33 @@
<!-- include start from firewall/match-ipsec.xml.i -->
<node name="ipsec">
<properties>
- <help>Inbound IPsec packets</help>
+ <help>IPsec encapsulated packets</help>
</properties>
<children>
- <leafNode name="match-ipsec">
+ <leafNode name="match-ipsec-in">
<properties>
- <help>Inbound IPsec packets</help>
+ <help>Inbound traffic that was IPsec encapsulated</help>
<valueless/>
</properties>
</leafNode>
- <leafNode name="match-none">
+ <leafNode name="match-none-in">
<properties>
- <help>Inbound non-IPsec packets</help>
+ <help>Inbound traffic that was not IPsec encapsulated</help>
<valueless/>
</properties>
</leafNode>
+ <leafNode name="match-ipsec-out">
+ <properties>
+ <help>Outbound traffic to be IPsec encapsulated</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="match-none-out">
+ <properties>
+ <help>Outbound traffic that will not be IPsec encapsulated</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
<!-- include end --> \ No newline at end of file