Merge branch 'firewall' into current

* firewall:
  firewall: T4651: re-implement packet-length CLI option to use <multi/>
  firewall: T3568: improve default-action help string
  firewall: T3568: add XML include block for eq,gt,lt options
  smoketest: firewall: add re-usable variables when running testcases
  Firewall: T4651: Change proposed cli from ip-length to packet-length
  Firewall: T4651: Add options to match packet size on firewall rules.

1 files changed, 11 insertions, 1 deletions

diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 663c4394a..0bc5378db 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -150,7 +150,7 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 if suffix[0] == '!':
                     suffix = f'!= {suffix[1:]}'
                 output.append(f'{ip_name} {prefix}addr {suffix}')
-            
+
             if dict_search_args(side_conf, 'geoip', 'country_code'):
                 operator = ''
                 if dict_search_args(side_conf, 'geoip', 'inverse_match') != None:
@@ -265,6 +265,16 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
                 if 'type' in rule_conf[icmp]:
                     output.append(icmp + ' type ' + rule_conf[icmp]['type'])
 
+
+    if 'packet_length' in rule_conf:
+        lengths_str = ','.join(rule_conf['packet_length'])
+        output.append(f'ip{def_suffix} length {{{lengths_str}}}')
+
+    if 'packet_length_exclude' in rule_conf:
+        negated_lengths_str = ','.join(rule_conf['packet_length_exclude'])
+        output.append(f'ip{def_suffix} length != {{{negated_lengths_str}}}')
+
+
     if 'ipsec' in rule_conf:
         if 'match_ipsec' in rule_conf['ipsec']:
             output.append('meta ipsec == 1')