firewall: T970: Refactor domain resolver, add firewall source/destination `fqdn` node

author: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-10-31 14:26:51 +0100
committer: sarthurdev <965089+sarthurdev@users.noreply.github.com> 2022-11-03 21:09:28 +0100
commit: 051e063fdf2e459a0716a35778b33ea6bb2fdcb6 (patch)
tree: dd7c4fc17366774ac7026520cff03da09d85a185 /interface-definitions
parent: 3f91033927d80748b70e1ef58b2941643d1aca33 (diff)
download: vyos-1x-051e063fdf2e459a0716a35778b33ea6bb2fdcb6.tar.gz
vyos-1x-051e063fdf2e459a0716a35778b33ea6bb2fdcb6.zip
3 files changed, 46 insertions, 1 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 673461036..2d8f17351 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -126,7 +126,7 @@
                     <description>Domain address to match</description>
                   </valueHelp>
                   <constraint>
-                    <regex>[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?</regex>
+                    <validator name="fqdn"/>
                   </constraint>
                   <multi/>
                 </properties>
@@ -408,6 +408,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -419,6 +420,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address-ipv6.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group-ipv6.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -572,6 +574,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -583,6 +586,7 @@
                 </properties>
                 <children>
                   #include <include/firewall/address.xml.i>
+                  #include <include/firewall/fqdn.xml.i>
                   #include <include/firewall/geoip.xml.i>
                   #include <include/firewall/source-destination-group.xml.i>
                   #include <include/firewall/port.xml.i>
@@ -656,6 +660,25 @@
         </properties>
         <defaultValue>disable</defaultValue>
       </leafNode>
+      <leafNode name="resolver-cache">
+        <properties>
+          <help>Retains last successful value if domain resolution fails</help>
+          <valueless/>
+        </properties>
+      </leafNode>
+      <leafNode name="resolver-interval">
+        <properties>
+          <help>Domain resolver update interval</help>
+          <valueHelp>
+            <format>u32:10-3600</format>
+            <description>Interval (seconds)</description>
+          </valueHelp>
+          <constraint>
+            <validator name="numeric" argument="--range 10-3600"/>
+          </constraint>
+        </properties>
+        <defaultValue>300</defaultValue>
+      </leafNode>
       <leafNode name="send-redirects">
         <properties>
           <help>Policy for sending IPv4 ICMP redirect messages</help>
diff --git a/interface-definitions/include/firewall/fqdn.xml.i b/interface-definitions/include/firewall/fqdn.xml.i
new file mode 100644
index 000000000..9eb3925b5
--- /dev/null
+++ b/interface-definitions/include/firewall/fqdn.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from firewall/fqdn.xml.i -->
+<leafNode name="fqdn">
+  <properties>
+    <help>Fully qualified domain name</help>
+    <valueHelp>
+      <format>&lt;fqdn&gt;</format>
+      <description>Fully qualified domain name</description>
+    </valueHelp>
+    <constraint>
+      <validator name="fqdn"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
index c2cc7edb3..2a42d236c 100644
--- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -12,6 +12,14 @@
         </completionHelp>
       </properties>
     </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
     #include <include/firewall/mac-group.xml.i>
     <leafNode name="network-group">
       <properties>
author	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-10-31 14:26:51 +0100
committer	sarthurdev <965089+sarthurdev@users.noreply.github.com>	2022-11-03 21:09:28 +0100
commit	051e063fdf2e459a0716a35778b33ea6bb2fdcb6 (patch)
tree	dd7c4fc17366774ac7026520cff03da09d85a185 /interface-definitions
parent	3f91033927d80748b70e1ef58b2941643d1aca33 (diff)
download	vyos-1x-051e063fdf2e459a0716a35778b33ea6bb2fdcb6.tar.gz vyos-1x-051e063fdf2e459a0716a35778b33ea6bb2fdcb6.zip