From 2e436854d91e3adb7ac1bb24c64ec7189eb21bee Mon Sep 17 00:00:00 2001
From: sever-sever <v.gletenko@vyos.io>
Date: Sat, 17 Oct 2020 09:58:53 +0000
Subject: sysctl-forwarding: T752: Add disable forwarding for ipv4

---
 .../include/interface-disable-forwarding.xml.i            |  8 ++++++++
 interface-definitions/include/interface-ipv4.xml.i        |  1 +
 interface-definitions/include/vif.xml.i                   |  1 +
 interface-definitions/interfaces-bonding.xml.in           |  1 +
 interface-definitions/interfaces-bridge.xml.in            |  1 +
 interface-definitions/interfaces-ethernet.xml.in          |  1 +
 interface-definitions/interfaces-pseudo-ethernet.xml.in   |  1 +
 interface-definitions/interfaces-vxlan.xml.in             |  1 +
 interface-definitions/interfaces-wireless.xml.in          |  1 +
 python/vyos/ifconfig/interface.py                         | 15 +++++++++++++++
 smoketest/scripts/cli/base_interfaces_test.py             |  4 ++++
 11 files changed, 35 insertions(+)
 create mode 100644 interface-definitions/include/interface-disable-forwarding.xml.i

diff --git a/interface-definitions/include/interface-disable-forwarding.xml.i b/interface-definitions/include/interface-disable-forwarding.xml.i
new file mode 100644
index 000000000..7cbb726ec
--- /dev/null
+++ b/interface-definitions/include/interface-disable-forwarding.xml.i
@@ -0,0 +1,8 @@
+<!-- included start from interface-disable-forwarding.xml.i -->
+<leafNode name="disable-forwarding">
+  <properties>
+    <help>Disable IPv4 forwarding on this interface</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- included end -->
diff --git a/interface-definitions/include/interface-ipv4.xml.i b/interface-definitions/include/interface-ipv4.xml.i
index 551059247..66842ab9b 100644
--- a/interface-definitions/include/interface-ipv4.xml.i
+++ b/interface-definitions/include/interface-ipv4.xml.i
@@ -5,6 +5,7 @@
   </properties>
   <children>
     #include <include/interface-disable-arp-filter.xml.i>
+    #include <include/interface-disable-forwarding.xml.i>
     #include <include/interface-enable-arp-accept.xml.i>
     #include <include/interface-enable-arp-announce.xml.i>
     #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/include/vif.xml.i b/interface-definitions/include/vif.xml.i
index 15c453fcc..a0f7c0bc8 100644
--- a/interface-definitions/include/vif.xml.i
+++ b/interface-definitions/include/vif.xml.i
@@ -47,6 +47,7 @@
       <children>
         #include <include/interface-arp-cache-timeout.xml.i>
         #include <include/interface-disable-arp-filter.xml.i>
+        #include <include/interface-disable-forwarding.xml.i>
         #include <include/interface-enable-arp-accept.xml.i>
         #include <include/interface-enable-arp-announce.xml.i>
         #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index b28be387b..4e2c61d07 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -84,6 +84,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index 92356d696..787e856d7 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -85,6 +85,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 0aef0d332..a19a766d3 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -63,6 +63,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index 4382db598..3fceb70b6 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -27,6 +27,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 67001174f..7fdead16a 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -39,6 +39,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index 90d0675da..423ec7ba2 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -465,6 +465,7 @@
             <children>
               #include <include/interface-arp-cache-timeout.xml.i>
               #include <include/interface-disable-arp-filter.xml.i>
+              #include <include/interface-disable-forwarding.xml.i>
               #include <include/interface-enable-arp-accept.xml.i>
               #include <include/interface-enable-arp-announce.xml.i>
               #include <include/interface-enable-arp-ignore.xml.i>
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index d200fc7a8..47ec94bd3 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -147,6 +147,10 @@ class Interface(Control):
             'validate': assert_boolean,
             'location': '/proc/sys/net/ipv4/conf/{ifname}/arp_ignore',
         },
+        'ipv4_forwarding': {
+            'validate': assert_boolean,
+            'location': '/proc/sys/net/ipv4/conf/{ifname}/forwarding',
+        },
         'ipv6_accept_ra': {
             'validate': lambda ara: assert_range(ara,0,3),
             'location': '/proc/sys/net/ipv6/conf/{ifname}/accept_ra',
@@ -461,6 +465,12 @@ class Interface(Control):
         """
         return self.set_interface('arp_ignore', arp_ignore)
 
+    def set_ipv4_forwarding(self, forwarding):
+        """
+        Configure IPv4 forwarding.
+        """
+        return self.set_interface('ipv4_forwarding', forwarding)
+
     def set_ipv6_accept_ra(self, accept_ra):
         """
         Accept Router Advertisements; autoconfigure using them.
@@ -974,6 +984,11 @@ class Interface(Control):
         value = '1' if (tmp != None) else '0'
         self.set_proxy_arp_pvlan(value)
 
+        # IPv4 forwarding
+        tmp = vyos_dict_search('ip.disable_forwarding', config)
+        value = '0' if (tmp != None) else '1'
+        self.set_ipv4_forwarding(value)
+
         # IPv6 forwarding
         tmp = vyos_dict_search('ipv6.disable_forwarding', config)
         value = '0' if (tmp != None) else '1'
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 047c19dd0..d94a5d962 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -241,6 +241,7 @@ class BasicInterfaceTest:
                 # Options
                 self.session.set(path + ['ip', 'arp-cache-timeout', arp_tmo])
                 self.session.set(path + ['ip', 'disable-arp-filter'])
+                self.session.set(path + ['ip', 'disable-forwarding'])
                 self.session.set(path + ['ip', 'enable-arp-accept'])
                 self.session.set(path + ['ip', 'enable-arp-announce'])
                 self.session.set(path + ['ip', 'enable-arp-ignore'])
@@ -266,6 +267,9 @@ class BasicInterfaceTest:
                 tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/arp_ignore')
                 self.assertEqual('1', tmp)
 
+                tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/forwarding')
+                self.assertEqual('0', tmp)
+
                 tmp = read_file(f'/proc/sys/net/ipv4/conf/{interface}/proxy_arp')
                 self.assertEqual('1', tmp)
 
-- 
cgit v1.2.3