From 1c2209c1dc84993d0f766f3d14df1fb3adf9dda2 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Tue, 23 May 2023 14:48:15 -0300
Subject: T5160: firewall refactor: new cli structure. Update only all xml

---
 interface-definitions/firewall.xml.in | 704 +---------------------------------
 1 file changed, 14 insertions(+), 690 deletions(-)

(limited to 'interface-definitions/firewall.xml.in')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 1cdc7b819..9b36f92e8 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -6,66 +6,7 @@
       <help>Firewall</help>
     </properties>
     <children>
-      <leafNode name="all-ping">
-        <properties>
-          <help>Policy for handling of all IPv4 ICMP echo requests</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of all IPv4 ICMP echo requests</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of all IPv4 ICMP echo requests</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>enable</defaultValue>
-      </leafNode>
-      <leafNode name="broadcast-ping">
-        <properties>
-          <help>Policy for handling broadcast IPv4 ICMP echo and timestamp requests</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <leafNode name="config-trap">
-        <properties>
-          <help>SNMP trap generation on firewall configuration changes</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable sending SNMP trap on firewall configuration change</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable sending SNMP trap on firewall configuration change</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
+      #include <include/firewall/global-options.xml.i>
       <node name="group">
         <properties>
           <help>Firewall group</help>
@@ -343,645 +284,28 @@
           </tagNode>
         </children>
       </node>
-      <tagNode name="interface">
+      <node name="ip">
         <properties>
-          <help>Interface name to apply firewall configuration</help>
-          <completionHelp>
-            <script>${vyos_completion_dir}/list_interfaces</script>
-          </completionHelp>
-          <constraint>
-            #include <include/constraint/interface-name-with-wildcard.xml.i>
-          </constraint>
+          <help>IPv4 firewall</help>
         </properties>
         <children>
-          <node name="in">
-            <properties>
-              <help>Forwarded packets on inbound interface</help>
-            </properties>
-            <children>
-              #include <include/firewall/name.xml.i>
-            </children>
-          </node>
-          <node name="out">
-            <properties>
-              <help>Forwarded packets on outbound interface</help>
-            </properties>
-            <children>
-              #include <include/firewall/name.xml.i>
-            </children>
-          </node>
-          <node name="local">
-            <properties>
-              <help>Packets destined for this router</help>
-            </properties>
-            <children>
-              #include <include/firewall/name.xml.i>
-            </children>
-          </node>
-        </children>
-      </tagNode>
-      <leafNode name="ip-src-route">
-        <properties>
-          <help>Policy for handling IPv4 packets with source route option</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of IPv4 packets with source route option</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of IPv4 packets with source route option</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <tagNode name="ipv6-name">
-        <properties>
-          <help>IPv6 firewall rule-set name</help>
-          <constraint>
-            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
-          </constraint>
-        </properties>
-        <children>
-          #include <include/firewall/default-action.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
-          #include <include/generic-description.xml.i>
-          <leafNode name="default-jump-target">
-            <properties>
-              <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
-              <completionHelp>
-                <path>firewall ipv6-name</path>
-              </completionHelp>
-            </properties>
-          </leafNode>
-          <tagNode name="rule">
-            <properties>
-              <help>Firewall rule number (IPv6)</help>
-              <valueHelp>
-                <format>u32:1-999999</format>
-                <description>Number for this Firewall rule</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-999999"/>
-              </constraint>
-              <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
-            </properties>
-            <children>
-              #include <include/firewall/action.xml.i>
-              #include <include/generic-description.xml.i>
-              <node name="destination">
-                <properties>
-                  <help>Destination parameters</help>
-                </properties>
-                <children>
-                  #include <include/firewall/address-ipv6.xml.i>
-                  #include <include/firewall/fqdn.xml.i>
-                  #include <include/firewall/geoip.xml.i>
-                  #include <include/firewall/source-destination-group-ipv6.xml.i>
-                  #include <include/firewall/port.xml.i>
-                  #include <include/firewall/address-mask-ipv6.xml.i>
-                </children>
-              </node>
-              <node name="source">
-                <properties>
-                  <help>Source parameters</help>
-                </properties>
-                <children>
-                  #include <include/firewall/address-ipv6.xml.i>
-                  #include <include/firewall/fqdn.xml.i>
-                  #include <include/firewall/geoip.xml.i>
-                  #include <include/firewall/source-destination-group-ipv6.xml.i>
-                  #include <include/firewall/port.xml.i>
-                  #include <include/firewall/address-mask-ipv6.xml.i>
-                </children>
-              </node>
-              #include <include/firewall/common-rule.xml.i>
-              #include <include/firewall/dscp.xml.i>
-              #include <include/firewall/packet-options.xml.i>
-              #include <include/firewall/hop-limit.xml.i>
-              #include <include/firewall/connection-mark.xml.i>
-              <node name="icmpv6">
-                <properties>
-                  <help>ICMPv6 type and code information</help>
-                </properties>
-                <children>
-                  <leafNode name="code">
-                    <properties>
-                      <help>ICMPv6 code</help>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>ICMPv6 code (0-255)</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 0-255"/>
-                      </constraint>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="type">
-                    <properties>
-                      <help>ICMPv6 type</help>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>ICMPv6 type (0-255)</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 0-255"/>
-                      </constraint>
-                    </properties>
-                  </leafNode>
-                  #include <include/firewall/icmpv6-type-name.xml.i>
-                </children>
-              </node>
-              <leafNode name="jump-target">
-                <properties>
-                  <help>Set jump target. Action jump must be defined to use this setting</help>
-                  <completionHelp>
-                    <path>firewall ipv6-name</path>
-                  </completionHelp>
-                </properties>
-              </leafNode>
-              #include <include/firewall/nft-queue.xml.i>
-            </children>
-          </tagNode>
-        </children>
-      </tagNode>
-      <leafNode name="ipv6-receive-redirects">
-        <properties>
-          <help>Policy for handling received ICMPv6 redirect messages</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of received ICMPv6 redirect messages</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of received ICMPv6 redirect messages</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <leafNode name="ipv6-src-route">
-        <properties>
-          <help>Policy for handling IPv6 packets with routing extension header</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of IPv6 packets with routing header type 2</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of IPv6 packets with routing header</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <leafNode name="log-martians">
-        <properties>
-          <help>Policy for logging IPv4 packets with invalid addresses</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable logging of IPv4 packets with invalid addresses</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable logging of Ipv4 packets with invalid addresses</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>enable</defaultValue>
-      </leafNode>
-      <tagNode name="name">
-        <properties>
-          <help>IPv4 firewall rule-set name</help>
-          <constraint>
-            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
-          </constraint>
-        </properties>
-        <children>
-          #include <include/firewall/default-action.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
-          #include <include/generic-description.xml.i>
-          <leafNode name="default-jump-target">
-            <properties>
-              <help>Set jump target. Action jump must be defined in default-action to use this setting</help>
-              <completionHelp>
-                <path>firewall name</path>
-              </completionHelp>
-            </properties>
-          </leafNode>
-          <tagNode name="rule">
-            <properties>
-              <help>Firewall rule number (IPv4)</help>
-              <valueHelp>
-                <format>u32:1-999999</format>
-                <description>Number for this Firewall rule</description>
-              </valueHelp>
-              <constraint>
-                <validator name="numeric" argument="--range 1-999999"/>
-              </constraint>
-              <constraintErrorMessage>Firewall rule number must be between 1 and 999999</constraintErrorMessage>
-            </properties>
-            <children>
-              #include <include/firewall/action.xml.i>
-              #include <include/generic-description.xml.i>
-              <node name="destination">
-                <properties>
-                  <help>Destination parameters</help>
-                </properties>
-                <children>
-                  #include <include/firewall/address.xml.i>
-                  #include <include/firewall/fqdn.xml.i>
-                  #include <include/firewall/geoip.xml.i>
-                  #include <include/firewall/source-destination-group.xml.i>
-                  #include <include/firewall/port.xml.i>
-                  #include <include/firewall/address-mask.xml.i>
-                </children>
-              </node>
-              <node name="source">
-                <properties>
-                  <help>Source parameters</help>
-                </properties>
-                <children>
-                  #include <include/firewall/address.xml.i>
-                  #include <include/firewall/fqdn.xml.i>
-                  #include <include/firewall/geoip.xml.i>
-                  #include <include/firewall/source-destination-group.xml.i>
-                  #include <include/firewall/port.xml.i>
-                  #include <include/firewall/address-mask.xml.i>
-                </children>
-              </node>
-              #include <include/firewall/common-rule.xml.i>
-              #include <include/firewall/dscp.xml.i>
-              #include <include/firewall/packet-options.xml.i>
-              #include <include/firewall/connection-mark.xml.i>
-              <node name="icmp">
-                <properties>
-                  <help>ICMP type and code information</help>
-                </properties>
-                <children>
-                  <leafNode name="code">
-                    <properties>
-                      <help>ICMP code</help>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>ICMP code (0-255)</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 0-255"/>
-                      </constraint>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="type">
-                    <properties>
-                      <help>ICMP type</help>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>ICMP type (0-255)</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 0-255"/>
-                      </constraint>
-                    </properties>
-                  </leafNode>
-                  #include <include/firewall/icmp-type-name.xml.i>
-                </children>
-              </node>
-              <leafNode name="jump-target">
-                <properties>
-                  <help>Set jump target. Action jump must be defined to use this setting</help>
-                  <completionHelp>
-                    <path>firewall name</path>
-                  </completionHelp>
-                </properties>
-              </leafNode>
-              #include <include/firewall/ttl.xml.i>
-              #include <include/firewall/nft-queue.xml.i>
-            </children>
-          </tagNode>
-        </children>
-      </tagNode>
-      <leafNode name="receive-redirects">
-        <properties>
-          <help>Policy for handling received IPv4 ICMP redirect messages</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable processing of received IPv4 ICMP redirect messages</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable processing of received IPv4 ICMP redirect messages</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <leafNode name="resolver-cache">
-        <properties>
-          <help>Retains last successful value if domain resolution fails</help>
-          <valueless/>
-        </properties>
-      </leafNode>
-      <leafNode name="resolver-interval">
-        <properties>
-          <help>Domain resolver update interval</help>
-          <valueHelp>
-            <format>u32:10-3600</format>
-            <description>Interval (seconds)</description>
-          </valueHelp>
-          <constraint>
-            <validator name="numeric" argument="--range 10-3600"/>
-          </constraint>
-        </properties>
-        <defaultValue>300</defaultValue>
-      </leafNode>
-      <leafNode name="send-redirects">
-        <properties>
-          <help>Policy for sending IPv4 ICMP redirect messages</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable sending IPv4 ICMP redirect messages</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable sending IPv4 ICMP redirect messages</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>enable</defaultValue>
-      </leafNode>
-      <leafNode name="source-validation">
-        <properties>
-          <help>Policy for source validation by reversed path, as specified in RFC3704</help>
-          <completionHelp>
-            <list>strict loose disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>strict</format>
-            <description>Enable Strict Reverse Path Forwarding as defined in RFC3704</description>
-          </valueHelp>
-          <valueHelp>
-            <format>loose</format>
-            <description>Enable Loose Reverse Path Forwarding as defined in RFC3704</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>No source validation</description>
-          </valueHelp>
-          <constraint>
-            <regex>(strict|loose|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <node name="state-policy">
-        <properties>
-          <help>Global firewall state-policy</help>
-        </properties>
-        <children>
-          <node name="established">
-            <properties>
-              <help>Global firewall policy for packets part of an established connection</help>
-            </properties>
-            <children>
-              #include <include/firewall/action-accept-drop-reject.xml.i>
-              #include <include/firewall/log.xml.i>
-              #include <include/firewall/rule-log-level.xml.i>
-            </children>
-          </node>
-          <node name="invalid">
-            <properties>
-              <help>Global firewall policy for packets part of an invalid connection</help>
-            </properties>
-            <children>
-              #include <include/firewall/action-accept-drop-reject.xml.i>
-              #include <include/firewall/log.xml.i>
-              #include <include/firewall/rule-log-level.xml.i>
-            </children>
-          </node>
-          <node name="related">
-            <properties>
-              <help>Global firewall policy for packets part of a related connection</help>
-            </properties>
-            <children>
-              #include <include/firewall/action-accept-drop-reject.xml.i>
-              #include <include/firewall/log.xml.i>
-              #include <include/firewall/rule-log-level.xml.i>
-            </children>
-          </node>
+          #include <include/firewall/ipv4-hook-forward.xml.i>
+          #include <include/firewall/ipv4-hook-input.xml.i>
+          #include <include/firewall/ipv4-hook-output.xml.i>
+          #include <include/firewall/ipv4-custom-name.xml.i>
         </children>
       </node>
-      <leafNode name="syn-cookies">
-        <properties>
-          <help>Policy for using TCP SYN cookies with IPv4</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable use of TCP SYN cookies with IPv4</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable use of TCP SYN cookies with IPv4</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>enable</defaultValue>
-      </leafNode>
-      <leafNode name="twa-hazards-protection">
+      <node name="ipv6">
         <properties>
-          <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
-          <completionHelp>
-            <list>enable disable</list>
-          </completionHelp>
-          <valueHelp>
-            <format>enable</format>
-            <description>Enable RFC1337 TIME-WAIT hazards protection</description>
-          </valueHelp>
-          <valueHelp>
-            <format>disable</format>
-            <description>Disable RFC1337 TIME-WAIT hazards protection</description>
-          </valueHelp>
-          <constraint>
-            <regex>(enable|disable)</regex>
-          </constraint>
-        </properties>
-        <defaultValue>disable</defaultValue>
-      </leafNode>
-      <tagNode name="zone">
-        <properties>
-          <help>Zone-policy</help>
-          <valueHelp>
-            <format>txt</format>
-            <description>Zone name</description>
-          </valueHelp>
-          <constraint>
-            <regex>[a-zA-Z0-9][\w\-\.]*</regex>
-          </constraint>
+          <help>IPv6 firewall</help>
         </properties>
         <children>
-          #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
-          <leafNode name="default-action">
-            <properties>
-              <help>Default-action for traffic coming into this zone</help>
-              <completionHelp>
-                <list>drop reject</list>
-              </completionHelp>
-              <valueHelp>
-                <format>drop</format>
-                <description>Drop silently</description>
-              </valueHelp>
-              <valueHelp>
-                <format>reject</format>
-                <description>Drop and notify source</description>
-              </valueHelp>
-              <constraint>
-                <regex>(drop|reject)</regex>
-              </constraint>
-            </properties>
-            <defaultValue>drop</defaultValue>
-          </leafNode>
-          <tagNode name="from">
-            <properties>
-              <help>Zone from which to filter traffic</help>
-              <completionHelp>
-                <path>zone-policy zone</path>
-              </completionHelp>
-            </properties>
-            <children>
-              <node name="firewall">
-                <properties>
-                  <help>Firewall options</help>
-                </properties>
-                <children>
-                  <leafNode name="ipv6-name">
-                    <properties>
-                      <help>IPv6 firewall ruleset</help>
-                      <completionHelp>
-                        <path>firewall ipv6-name</path>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="name">
-                    <properties>
-                      <help>IPv4 firewall ruleset</help>
-                      <completionHelp>
-                        <path>firewall name</path>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                </children>
-              </node>
-            </children>
-          </tagNode>
-          <leafNode name="interface">
-            <properties>
-              <help>Interface associated with zone</help>
-              <valueHelp>
-                <format>txt</format>
-                <description>Interface associated with zone</description>
-              </valueHelp>
-              <valueHelp>
-                <format>vrf</format>
-                <description>VRF associated with zone</description>
-              </valueHelp>
-              <completionHelp>
-                <script>${vyos_completion_dir}/list_interfaces</script>
-                <path>vrf name</path>
-              </completionHelp>
-              <multi/>
-            </properties>
-          </leafNode>
-          <node name="intra-zone-filtering">
-            <properties>
-              <help>Intra-zone filtering</help>
-            </properties>
-            <children>
-              <leafNode name="action">
-                <properties>
-                  <help>Action for intra-zone traffic</help>
-                  <completionHelp>
-                    <list>accept drop</list>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>accept</format>
-                    <description>Accept traffic</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>drop</format>
-                    <description>Drop silently</description>
-                  </valueHelp>
-                  <constraint>
-                    <regex>(accept|drop)</regex>
-                  </constraint>
-                </properties>
-              </leafNode>
-              <node name="firewall">
-                <properties>
-                  <help>Use the specified firewall chain</help>
-                </properties>
-                <children>
-                  <leafNode name="ipv6-name">
-                    <properties>
-                      <help>IPv6 firewall ruleset</help>
-                      <completionHelp>
-                        <path>firewall ipv6-name</path>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                  <leafNode name="name">
-                    <properties>
-                      <help>IPv4 firewall ruleset</help>
-                      <completionHelp>
-                        <path>firewall name</path>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                </children>
-              </node>
-            </children>
-          </node>
-          <leafNode name="local-zone">
-            <properties>
-              <help>Zone to be local-zone</help>
-              <valueless/>
-            </properties>
-          </leafNode>
+          #include <include/firewall/ipv6-hook-forward.xml.i>
+          #include <include/firewall/ipv6-hook-input.xml.i>
+          #include <include/firewall/ipv6-hook-output.xml.i>
+          #include <include/firewall/ipv6-custom-name.xml.i>
         </children>
-      </tagNode>
+      </node>
     </children>
   </node>
 </interfaceDefinition>
-- 
cgit v1.2.3