From e2bf8812f73a75356f56274968be8859a2186d73 Mon Sep 17 00:00:00 2001 From: talmakion Date: Sun, 28 Jul 2024 21:47:07 +1000 Subject: firewall: T4694: Adding rt ipsec exists/missing match to firewall configs (#3616) * Change ipsec match-ipsec/none to match-ipsec-in and match-none-in for fw rules * Add ipsec match-ipsec-out and match-none-out * Change all the points where the match-ipsec.xml.i include was used before, making sure the new includes (match-ipsec-in/out.xml.i) are used appropriately. There were a handful of spots where match-ipsec.xml.i had snuck back in for output hooked chains already (the common-rule-* includes) * Add the -out generators to rendered templates * Heavy modification to firewall config validators: * I needed to check for ipsec-in matches no matter how deeply nested under an output-hook chain(via jump-target) - this always generates an error. * Ended up retrofitting the jump-targets validator from root chains and for named custom chains. It checks for recursive loops and improper IPsec matches. * Added "test_ipsec_metadata_match" and "test_cyclic_jump_validation" smoketests --- .../include/firewall/match-ipsec-in.xml.i | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 interface-definitions/include/firewall/match-ipsec-in.xml.i (limited to 'interface-definitions/include/firewall/match-ipsec-in.xml.i') diff --git a/interface-definitions/include/firewall/match-ipsec-in.xml.i b/interface-definitions/include/firewall/match-ipsec-in.xml.i new file mode 100644 index 000000000..62ed6466b --- /dev/null +++ b/interface-definitions/include/firewall/match-ipsec-in.xml.i @@ -0,0 +1,21 @@ + + + + Inbound IPsec packets + + + + + Inbound traffic that was IPsec encapsulated + + + + + + Inbound traffic that was not IPsec encapsulated + + + + + + \ No newline at end of file -- cgit v1.2.3