diff options
author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-08-30 11:46:16 +0200 |
---|---|---|
committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-13 11:59:11 +0200 |
commit | 450ca9a9b46d69036af432ddad316d4ddb126085 (patch) | |
tree | 5f39017252450472e7c012ae30b506995158600f /interface-definitions | |
parent | 627cfc6d6733998a721ac97f9f5bc44c4c2c6797 (diff) | |
download | vyos-1x-450ca9a9b46d69036af432ddad316d4ddb126085.tar.gz vyos-1x-450ca9a9b46d69036af432ddad316d4ddb126085.zip |
firewall: T2199: Refactor firewall + zone-policy, move interfaces under firewall node
* Refactor firewall and zone-policy rule creation and cleanup
* Migrate interface firewall values to `firewall interfaces <name> <direction> name/ipv6-name <name>`
* Remove `firewall-interface.py` conf script
Diffstat (limited to 'interface-definitions')
26 files changed, 54 insertions, 259 deletions
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index d1497d572..fb24cd558 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -314,6 +314,40 @@ </tagNode> </children> </node> + <tagNode name="interface"> + <properties> + <help>Interface name</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + <children> + <node name="in"> + <properties> + <help>Forwarded packets on inbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="out"> + <properties> + <help>Forwarded packets on outbound interface</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + <node name="local"> + <properties> + <help>Packets destined for this router</help> + </properties> + <children> + #include <include/firewall/name.xml.i> + </children> + </node> + </children> + </tagNode> <leafNode name="ip-src-route"> <properties> <help>Policy for handling IPv4 packets with source route option</help> diff --git a/interface-definitions/include/firewall/name.xml.i b/interface-definitions/include/firewall/name.xml.i new file mode 100644 index 000000000..231b9b144 --- /dev/null +++ b/interface-definitions/include/firewall/name.xml.i @@ -0,0 +1,18 @@ +<!-- include start from firewall/name.xml.i --> +<leafNode name="name"> + <properties> + <help>Local IPv4 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall name</path> + </completionHelp> + </properties> +</leafNode> +<leafNode name="ipv6-name"> + <properties> + <help>Local IPv6 firewall ruleset name for interface</help> + <completionHelp> + <path>firewall ipv6-name</path> + </completionHelp> + </properties> +</leafNode> +<!-- include end from firewall/name.xml.i -->
\ No newline at end of file diff --git a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i b/interface-definitions/include/interface/interface-firewall-vif-c.xml.i deleted file mode 100644 index 1bc235fcb..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif-c.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif-c.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../../@).$VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall-vif.xml.i b/interface-definitions/include/interface/interface-firewall-vif.xml.i deleted file mode 100644 index a37ac5c4a..000000000 --- a/interface-definitions/include/interface/interface-firewall-vif.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall-vif.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../../@).$VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/interface-firewall.xml.i b/interface-definitions/include/interface/interface-firewall.xml.i deleted file mode 100644 index b3f20c3bf..000000000 --- a/interface-definitions/include/interface/interface-firewall.xml.i +++ /dev/null @@ -1,79 +0,0 @@ -<!-- include start from interface/interface-firewall.xml.i --> -<node name="firewall" owner="${vyos_conf_scripts_dir}/firewall-interface.py $VAR(../@)"> - <properties> - <priority>615</priority> - <help>Firewall options</help> - </properties> - <children> - <node name="in"> - <properties> - <help>forwarded packets on inbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Inbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Inbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="out"> - <properties> - <help>forwarded packets on outbound interface</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Outbound IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Outbound IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - <node name="local"> - <properties> - <help>packets destined for this router</help> - </properties> - <children> - <leafNode name="name"> - <properties> - <help>Local IPv4 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall name</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ipv6-name"> - <properties> - <help>Local IPv6 firewall ruleset name for interface</help> - <completionHelp> - <path>firewall ipv6-name</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> -</node> -<!-- include end --> diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index c1af9f9e3..916349ade 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="protocol"> <properties> @@ -68,7 +67,6 @@ #include <include/interface/mtu-68-16000.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/interface-firewall-vif-c.xml.i> #include <include/interface/interface-policy-vif-c.xml.i> </children> </tagNode> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 57ef8d64c..73a8c98ff 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -18,7 +18,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall-vif.xml.i> #include <include/interface/interface-policy-vif.xml.i> <leafNode name="egress-qos"> <properties> diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i index 059a89f24..065925319 100644 --- a/interface-definitions/include/version/firewall-version.xml.i +++ b/interface-definitions/include/version/firewall-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/firewall-version.xml.i --> -<syntaxVersion component='firewall' version='7'></syntaxVersion> +<syntaxVersion component='firewall' version='8'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 8b6c6ef62..41e4a68a8 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -56,7 +56,6 @@ #include <include/interface/disable.xml.i> #include <include/interface/vrf.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="hash-policy"> <properties> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index 48ee1efbc..1e11cd4c6 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -41,7 +41,6 @@ #include <include/interface/disable.xml.i> #include <include/interface/vrf.xml.i> #include <include/interface/mtu-68-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="forwarding-delay"> <properties> diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in index 01438de31..fb36741f7 100644 --- a/interface-definitions/interfaces-dummy.xml.in +++ b/interface-definitions/interfaces-dummy.xml.in @@ -19,7 +19,6 @@ #include <include/interface/address-ipv4-ipv6.xml.i> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="ip"> <properties> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index c821f04b2..ab65a93f3 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -31,7 +31,6 @@ </leafNode> #include <include/interface/disable-link-detect.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="duplex"> <properties> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index 6e8a8fee2..b959c787d 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -23,7 +23,6 @@ #include <include/interface/ipv6-options.xml.i> #include <include/interface/mac.xml.i> #include <include/interface/mtu-1450-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="parameters"> <properties> diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in index 2164bfa4e..d01c760f8 100644 --- a/interface-definitions/interfaces-input.xml.in +++ b/interface-definitions/interfaces-input.xml.in @@ -19,7 +19,6 @@ <children> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/redirect.xml.i> </children> diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 6a85064cd..bde68dd5a 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -32,7 +32,6 @@ <defaultValue>5000</defaultValue> </leafNode> #include <include/interface/disable.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="encapsulation"> <properties> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index adb48813f..5c9f4cd76 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -21,7 +21,6 @@ #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/ipv4-options.xml.i> #include <include/interface/ipv6-options.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/mirror.xml.i> <node name="security"> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index 6cbd91ff4..3876e31da 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -34,7 +34,6 @@ </children> </node> #include <include/interface/description.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="device-type"> <properties> diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 9674cfc0e..84f76a7ee 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -19,7 +19,6 @@ #include <include/pppoe-access-concentrator.xml.i> #include <include/interface/authentication.xml.i> #include <include/interface/dial-on-demand.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/no-default-route.xml.i> #include <include/interface/default-route-distance.xml.i> diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index 53e6445fa..4eb9bf111 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -28,7 +28,6 @@ #include <include/source-interface-ethernet.xml.i> #include <include/interface/mac.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="mode"> <properties> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 98ff878ba..fe49d337a 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -29,7 +29,6 @@ #include <include/source-address-ipv4-ipv6.xml.i> #include <include/interface/tunnel-remote.xml.i> #include <include/source-interface.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="6rd-prefix"> <properties> diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in index aa83a04b2..eeaea0dc3 100644 --- a/interface-definitions/interfaces-vti.xml.in +++ b/interface-definitions/interfaces-vti.xml.in @@ -25,7 +25,6 @@ #include <include/interface/mirror.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> </children> </tagNode> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index faa3dd5e0..4902ff36d 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -54,7 +54,6 @@ #include <include/interface/mac.xml.i> #include <include/interface/mtu-1200-16000.xml.i> #include <include/interface/mirror.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <leafNode name="mtu"> <defaultValue>1450</defaultValue> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index 4a1b4ac68..23f50d146 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -21,7 +21,6 @@ #include <include/interface/disable.xml.i> #include <include/port-number.xml.i> #include <include/interface/mtu-68-16000.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/mirror.xml.i> <leafNode name="mtu"> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index daee770a9..9e7fc29bc 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -20,7 +20,6 @@ </properties> <children> #include <include/interface/address-ipv4-ipv6-dhcp.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> <node name="capabilities"> <properties> diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in index 3071e6091..b0b8367dc 100644 --- a/interface-definitions/interfaces-wwan.xml.in +++ b/interface-definitions/interfaces-wwan.xml.in @@ -39,7 +39,6 @@ #include <include/interface/ipv4-options.xml.i> #include <include/interface/ipv6-options.xml.i> #include <include/interface/dial-on-demand.xml.i> - #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index dc3408c3d..cf53e2bc8 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -3,7 +3,7 @@ <node name="zone-policy" owner="${vyos_conf_scripts_dir}/zone_policy.py"> <properties> <help>Configure zone-policy</help> - <priority>250</priority> + <priority>198</priority> </properties> <children> <tagNode name="zone"> |