firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616)

* Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for
   fw rules
 * Add ipsec match-ipsec-out and match-none-out
 * Change all the points where the match-ipsec.xml.i include was used
   before, making sure the new includes (match-ipsec-in/out.xml.i) are
   used appropriately. There were a handful of spots where match-ipsec.xml.i
   had snuck back in for output hooked chains already
   (the common-rule-* includes)
 * Add the -out generators to rendered templates
 * Heavy modification to firewall config validators:
   * I needed to check for ipsec-in matches no matter how deeply nested
     under an output-hook chain(via jump-target) - this always generates
     an error.
   * Ended up retrofitting the jump-targets validator from root chains
     and for named custom chains. It checks for recursive loops and improper
     IPsec matches.
 * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation"
   smoketests

1 files changed, 6 insertions, 2 deletions

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 664df28cc..40399f481 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -366,10 +366,14 @@ def parse_rule(rule_conf, hook, fw_name, rule_id, ip_name):
         output.append(f'ip{def_suffix} dscp != {{{negated_dscp_str}}}')
 
     if 'ipsec' in rule_conf:
-        if 'match_ipsec' in rule_conf['ipsec']:
+        if 'match_ipsec_in' in rule_conf['ipsec']:
             output.append('meta ipsec == 1')
-        if 'match_none' in rule_conf['ipsec']:
+        if 'match_none_in' in rule_conf['ipsec']:
             output.append('meta ipsec == 0')
+        if 'match_ipsec_out' in rule_conf['ipsec']:
+            output.append('rt ipsec exists')
+        if 'match_none_out' in rule_conf['ipsec']:
+            output.append('rt ipsec missing')
 
     if 'fragment' in rule_conf:
         # Checking for fragmentation after priority -400 is not possible,