From fd15f9d2ab6a7e5bbc07ff2e8b10c064984492ce Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 18 Aug 2022 17:09:17 +0000 Subject: firewall: T4622: Add TCP MSS option Ability to drop|accept packets based on TCP MSS size set firewall name rule tcp mss '501-1460' --- interface-definitions/include/firewall/tcp-flags.xml.i | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'interface-definitions/include/firewall') diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i index b99896687..5a7b5a8d3 100644 --- a/interface-definitions/include/firewall/tcp-flags.xml.i +++ b/interface-definitions/include/firewall/tcp-flags.xml.i @@ -114,6 +114,23 @@ + + + Maximum segment size (MSS) + + u32:1-16384 + Maximum segment size + + + <min>-<max> + TCP MSS range (use '-' as delimiter) + + + + + + + -- cgit v1.2.3 From 74994f9b10588fce2cbd1acc9ec09fdbaf5ae8ad Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 30 Aug 2022 17:18:17 +0200 Subject: firewall: T3568: rename XML building blocks to match CLI node name --- interface-definitions/firewall.xml.in | 8 +++---- .../include/firewall/default-action.xml.i | 25 ++++++++++++++++++++++ .../include/firewall/enable-default-log.xml.i | 8 +++++++ .../include/firewall/name-default-action.xml.i | 25 ---------------------- .../include/firewall/name-default-log.xml.i | 8 ------- interface-definitions/policy-route.xml.in | 4 ++-- interface-definitions/zone-policy.xml.in | 2 +- 7 files changed, 40 insertions(+), 40 deletions(-) create mode 100644 interface-definitions/include/firewall/default-action.xml.i create mode 100644 interface-definitions/include/firewall/enable-default-log.xml.i delete mode 100644 interface-definitions/include/firewall/name-default-action.xml.i delete mode 100644 interface-definitions/include/firewall/name-default-log.xml.i (limited to 'interface-definitions/include/firewall') 
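Review bot: The constraint that enforces the two documented value forms of the new `mss` leaf is not visible in this extract (the XML element tags were stripped), so it is worth confirming that the validator accepts both a single value and a `<min>-<max>` range, bounds both ends to 1-16384, and rejects a range whose minimum exceeds its maximum — otherwise a bad value only surfaces when the generated nft rule is loaded at commit time. The upper bound of 16384 is narrower than the 16-bit TCP MSS option field allows; a short comment in the include stating why that cap was chosen would help the next reader. The nftables rendering of this option is outside this view, since the series is limited to interface-definitions/include/firewall.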
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index 2e9452dfd..d28abccd6 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -342,8 +342,8 @@ - #include - #include + #include + #include #include @@ -530,8 +530,8 @@ - #include - #include + #include + #include #include diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i new file mode 100644 index 000000000..b11dfd2e8 --- /dev/null +++ b/interface-definitions/include/firewall/default-action.xml.i @@ -0,0 +1,25 @@ + + + + Default-action for rule-set + + drop reject accept + + + drop + Drop if no prior rules are hit + + + reject + Drop and notify source if no prior rules are hit + + + accept + Accept if no prior rules are hit + + + (drop|reject|accept) + + + + diff --git a/interface-definitions/include/firewall/enable-default-log.xml.i b/interface-definitions/include/firewall/enable-default-log.xml.i new file mode 100644 index 000000000..1e64edc6e --- /dev/null +++ b/interface-definitions/include/firewall/enable-default-log.xml.i @@ -0,0 +1,8 @@ + + + + Option to log packets hitting default-action + + + + \ No newline at end of file diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i deleted file mode 100644 index 512b0296f..000000000 --- a/interface-definitions/include/firewall/name-default-action.xml.i +++ /dev/null @@ -1,25 +0,0 @@ - - - - Default-action for rule-set - - drop reject accept - - - drop - Drop if no prior rules are hit - - - reject - Drop and notify source if no prior rules are hit - - - accept - Accept if no prior rules are hit - - - (drop|reject|accept) - - - - 
diff --git a/interface-definitions/include/firewall/name-default-log.xml.i b/interface-definitions/include/firewall/name-default-log.xml.i deleted file mode 100644 index 1d0ff9497..000000000 --- a/interface-definitions/include/firewall/name-default-log.xml.i +++ /dev/null @@ -1,8 +0,0 @@ - - - - Option to log packets hitting default-action - - - - \ No newline at end of file diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index a10c9b08f..c2a9a8d94 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -12,7 +12,7 @@ #include - #include + #include Policy rule number @@ -61,7 +61,7 @@ #include - #include + #include Policy rule number diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index dca4c59d1..dc3408c3d 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -19,7 +19,7 @@ #include - #include + #include Default-action for traffic coming into this zone -- cgit v1.2.3 From 69f79beee2070906b68f2b910296c362e7216278 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 30 Aug 2022 17:36:19 +0200 Subject: firewall: T4655: implement XML defaultValue for name and ipv6-name This extends the implementation of commit 0cc7e0a49094 ("firewall: T4655: Fix default action 'drop' for the firewall") in a way that we can now also use the XML node under "firewall name" and "firewall ipv6-name". This is a much cleaner approach which also adds the default value automatically to the CLIs completion helper ("?"). --- .../include/firewall/default-action.xml.i | 1 + python/vyos/template.py | 2 +- src/conf_mode/firewall.py | 30 +++++++++++++++++++--- 3 files changed, 28 insertions(+), 5 deletions(-) (limited to 'interface-definitions/include/firewall') 
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i index b11dfd2e8..92a2fcaaf 100644 --- a/interface-definitions/include/firewall/default-action.xml.i +++ b/interface-definitions/include/firewall/default-action.xml.i @@ -21,5 +21,6 @@ (drop|reject|accept) + drop diff --git a/python/vyos/template.py b/python/vyos/template.py index 62303bd55..9804308c1 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -550,7 +550,7 @@ def nft_rule(rule_conf, fw_name, rule_id, ip_name='ip'): @register_filter('nft_default_rule') def nft_default_rule(fw_conf, fw_name): output = ['counter'] - default_action = fw_conf.get('default_action', 'drop') + default_action = fw_conf['default_action'] if 'enable_default_log' in fw_conf: action_suffix = default_action[:1].upper() diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index 07eca722f..f0ea1a1e5 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py 
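Review bot: The added `defaultValue` of drop lands in an include that, per the preceding commit's hunks, is also pulled in by policy-route.xml.in and zone-policy.xml.in, so those CLIs now advertise drop as their default-action too. The defaults merge that consumes this value is added in this commit only to src/conf_mode/firewall.py for the `name` and `ipv6_name` rulesets; whether the policy-route and zone-policy scripts load tag-node defaults the same way, or treat an absent default-action differently, is not visible in this series and should be confirmed, since a mismatch would leave the completion helper and the generated rules disagreeing on the default.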
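Review bot: `default_action = fw_conf['default_action']` now raises KeyError from inside a Jinja filter when the key is absent, where the replaced line fell back to drop. The defaults that make the key present are merged in this commit's firewall.py hunk only for the `name` and `ipv6_name` rulesets; if any other caller of nft_default_rule passes a dict that did not go through that merge, rendering fails with a template error instead of producing a fail-closed rule. If the filter must tolerate such callers, keep the fallback explicit alongside the XML default, `default_action = fw_conf.get('default_action', 'drop')`; if a missing key is meant to be impossible, a descriptive error naming the ruleset would be clearer than a bare KeyError. The rest of nft_default_rule lies outside the hunk.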
@@ -206,9 +206,31 @@ def get_config(config=None): firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) + # We have gathered the dict representation of the CLI, but there are + # default options which we need to update into the dictionary retrived. + # XXX: T2665: we currently have no nice way for defaults under tag + # nodes, thus we load the defaults "by hand" default_values = defaults(base) + for tmp in ['name', 'ipv6_name']: + if tmp in default_values: + del default_values[tmp] + firewall = dict_merge(default_values, firewall) + # Merge in defaults for IPv4 ruleset + if 'name' in firewall: + default_values = defaults(base + ['name']) + for name in firewall['name']: + firewall['name'][name] = dict_merge(default_values, + firewall['name'][name]) + + # Merge in defaults for IPv6 ruleset + if 'ipv6_name' in firewall: + default_values = defaults(base + ['ipv6-name']) + for ipv6_name in firewall['ipv6_name']: + firewall['ipv6_name'][ipv6_name] = dict_merge(default_values, + firewall['ipv6_name'][ipv6_name]) + firewall['policy_resync'] = bool('group' in firewall or node_changed(conf, base + ['group'])) firewall['interfaces'] = get_firewall_interfaces(conf) firewall['zone_policy'] = get_firewall_zones(conf) @@ -315,7 +337,7 @@ def verify_nested_group(group_name, group, groups, seen): if g in seen: raise ConfigError(f'Group "{group_name}" has a circular reference') - + seen.append(g) if 'include' in groups[g]: @@ -378,7 +400,7 @@ def cleanup_commands(firewall): if firewall['geoip_updated']: geoip_key = 'deleted_ipv6_name' if table == 'ip6 filter' else 'deleted_name' geoip_list = dict_search_args(firewall, 'geoip_updated', geoip_key) or [] - + json_str = cmd(f'nft -t -j list table {table}') obj = loads(json_str) 
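Review bot: The IPv4 and IPv6 default-merge blocks added after `firewall = dict_merge(default_values, firewall)` are the same six lines with only the dict key and CLI node name swapped; folding them into one loop over `(('name', 'name'), ('ipv6_name', 'ipv6-name'))` keeps the two paths from drifting, which matters here because the hyphenated `ipv6-name` CLI path and the mangled `ipv6_name` dict key are easy to mix up when edited separately. The preceding `del default_values[tmp]` also deserves a why-comment; presumably it keeps the tag-node defaults from being merged into the top-level dict as a pseudo-ruleset, e.g. `# drop tag-node defaults here; they are merged per ruleset below`. The rest of get_config lies outside the hunk.
```python
    default_values = defaults(base)
    for tmp in ['name', 'ipv6_name']:
        if tmp in default_values:
            # drop tag-node defaults here; they are merged per ruleset below
            del default_values[tmp]

    firewall = dict_merge(default_values, firewall)

    # Merge in per-ruleset defaults for the IPv4 and IPv6 tag nodes
    for dict_key, cli_node in (('name', 'name'), ('ipv6_name', 'ipv6-name')):
        if dict_key in firewall:
            default_values = defaults(base + [cli_node])
            for ruleset in firewall[dict_key]:
                firewall[dict_key][ruleset] = dict_merge(default_values,
                                                         firewall[dict_key][ruleset])

    # … unchanged: policy_resync / interfaces / zone_policy …
```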
@@ -420,7 +442,7 @@ def cleanup_commands(firewall): if set_name.startswith('GEOIP_CC_') and set_name in geoip_list: commands_sets.append(f'delete set {table} {set_name}') continue - + if set_name.startswith("RECENT_"): commands_sets.append(f'delete set {table} {set_name}') continue @@ -520,7 +542,7 @@ def apply(firewall): if install_result == 1: raise ConfigError('Failed to apply firewall') - # set fireall group domain-group xxx + # set firewall group domain-group xxx if 'group' in firewall: if 'domain_group' in firewall['group']: # T970 Enable a resolver (systemd daemon) that checks -- cgit v1.2.3