From 2ec023752bdd400835eb69a8f1f9d2873cef61fa Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 19 Jan 2024 21:01:52 +0100
Subject: firewall: T5729: T5681: T5217: backport subsystem from current branch

This is a combined backport for all accumulated changes done to the firewall
subsystem on the current branch.
---
 .../include/firewall/action-forward.xml.i          | 10 ++++--
 .../include/firewall/action-l2.xml.i               |  4 +--
 .../include/firewall/action.xml.i                  |  8 +++--
 .../include/firewall/common-rule-bridge.xml.i      |  7 +++-
 .../include/firewall/common-rule-inet.xml.i        | 11 ++++--
 .../include/firewall/common-rule-ipv4-raw.xml.i    |  1 +
 .../include/firewall/default-action-bridge.xml.i   |  6 ++--
 .../include/firewall/default-action.xml.i          |  2 +-
 .../include/firewall/firewall-mark.xml.i           |  2 +-
 interface-definitions/include/firewall/log.xml.i   |  3 +-
 .../include/firewall/match-interface.xml.i         |  2 +-
 .../include/firewall/match-vlan.xml.i              | 12 +++----
 .../include/firewall/offload-target.xml.i          |  2 +-
 interface-definitions/include/firewall/state.xml.i |  2 +-
 .../include/firewall/synproxy.xml.i                | 40 ++++++++++++++++++++++
 .../include/firewall/tcp-flags.xml.i               | 18 +---------
 .../include/firewall/tcp-mss.xml.i                 | 25 ++++++++++++++
 17 files changed, 113 insertions(+), 42 deletions(-)
 create mode 100644 interface-definitions/include/firewall/synproxy.xml.i
 create mode 100644 interface-definitions/include/firewall/tcp-mss.xml.i

(limited to 'interface-definitions/include/firewall')

diff --git a/interface-definitions/include/firewall/action-forward.xml.i b/interface-definitions/include/firewall/action-forward.xml.i
index 87da72c97..4e59f3c6f 100644
--- a/interface-definitions/include/firewall/action-forward.xml.i
+++ b/interface-definitions/include/firewall/action-forward.xml.i
@@ -3,7 +3,7 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept continue jump reject return drop queue offload</list>
+      <list>accept continue jump reject return drop queue offload synproxy</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
@@ -37,9 +37,13 @@
       <format>offload</format>
       <description>Offload packet via flowtable</description>
     </valueHelp>
+    <valueHelp>
+      <format>synproxy</format>
+      <description>Synproxy connections</description>
+    </valueHelp>
     <constraint>
-      <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
     </constraint>
   </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-l2.xml.i b/interface-definitions/include/firewall/action-l2.xml.i
index 43fd211b4..84af576c8 100644
--- a/interface-definitions/include/firewall/action-l2.xml.i
+++ b/interface-definitions/include/firewall/action-l2.xml.i
@@ -1,4 +1,4 @@
-<!-- include start from firewall/action-l2.xml.i -->
+<!-- include start from firewall/action.xml.i -->
 <leafNode name="action">
   <properties>
     <help>Rule action</help>
@@ -34,4 +34,4 @@
     </constraint>
   </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i
index 5dd1bfaff..e1f0c6cb6 100644
--- a/interface-definitions/include/firewall/action.xml.i
+++ b/interface-definitions/include/firewall/action.xml.i
@@ -3,7 +3,7 @@
   <properties>
     <help>Rule action</help>
     <completionHelp>
-      <list>accept continue jump reject return drop queue offload</list>
+      <list>accept continue jump reject return drop queue offload synproxy</list>
     </completionHelp>
     <valueHelp>
       <format>accept</format>
@@ -37,8 +37,12 @@
       <format>offload</format>
       <description>Offload packet via flowtable</description>
     </valueHelp>
+    <valueHelp>
+      <format>synproxy</format>
+      <description>Synproxy connections</description>
+    </valueHelp>
     <constraint>
-      <regex>(accept|continue|jump|reject|return|drop|queue|offload)</regex>
+      <regex>(accept|continue|jump|reject|return|drop|queue|offload|synproxy)</regex>
     </constraint>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index dcdd970ac..6de770c79 100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -9,7 +9,12 @@
     #include <include/firewall/mac-address.xml.i>
   </children>
 </node>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+  <properties>
+    <help>Option to disable firewall rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
 <leafNode name="jump-target">
   <properties>
     <help>Set jump target. Action jump must be defined to use this setting</help>
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 3b5cb724d..6f56ecc85 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -7,7 +7,12 @@
 #include <include/firewall/connection-mark.xml.i>
 #include <include/firewall/conntrack-helper.xml.i>
 #include <include/firewall/nft-queue.xml.i>
-#include <include/generic-disable-node.xml.i>
+<leafNode name="disable">
+  <properties>
+    <help>Option to disable firewall rule</help>
+    <valueless/>
+  </properties>
+</leafNode>
 <node name="fragment">
   <properties>
     <help>IP fragment match</help>
@@ -179,8 +184,10 @@
     </leafNode>
   </children>
 </node>
+#include <include/firewall/synproxy.xml.i>
 #include <include/firewall/state.xml.i>
 #include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
@@ -249,4 +256,4 @@
     </leafNode>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index b253ee048..0d749aa27 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -260,6 +260,7 @@
   </children>
 </node>
 #include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
 <node name="time">
   <properties>
     <help>Time to match rule</help>
diff --git a/interface-definitions/include/firewall/default-action-bridge.xml.i b/interface-definitions/include/firewall/default-action-bridge.xml.i
index 577165976..858c7aeeb 100644
--- a/interface-definitions/include/firewall/default-action-bridge.xml.i
+++ b/interface-definitions/include/firewall/default-action-bridge.xml.i
@@ -1,7 +1,7 @@
-<!-- include start from firewall/default-action-bridge.xml.i -->
+<!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
   <properties>
-    <help>Default action for rule-set</help>
+    <help>Default-action for rule-set</help>
     <completionHelp>
       <list>drop jump return accept continue</list>
     </completionHelp>
@@ -31,4 +31,4 @@
   </properties>
   <defaultValue>drop</defaultValue>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i
index 6a49d800e..53a161495 100644
--- a/interface-definitions/include/firewall/default-action.xml.i
+++ b/interface-definitions/include/firewall/default-action.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from firewall/default-action.xml.i -->
 <leafNode name="default-action">
   <properties>
-    <help>Default action for rule-set</help>
+    <help>Default-action for rule-set</help>
     <completionHelp>
       <list>drop jump reject return accept continue</list>
     </completionHelp>
diff --git a/interface-definitions/include/firewall/firewall-mark.xml.i b/interface-definitions/include/firewall/firewall-mark.xml.i
index a4cee12d8..36a939ba3 100644
--- a/interface-definitions/include/firewall/firewall-mark.xml.i
+++ b/interface-definitions/include/firewall/firewall-mark.xml.i
@@ -23,4 +23,4 @@
     </constraint>
   </properties>
 </leafNode>
-<!-- include end -->
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
index 795ed77be..21548f3fb 100644
--- a/interface-definitions/include/firewall/log.xml.i
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -4,4 +4,5 @@
     <help>Log packets hitting this rule</help>
     <valueless/>
   </properties>
-</leafNode>
\ No newline at end of file
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/match-interface.xml.i b/interface-definitions/include/firewall/match-interface.xml.i
index 9f720ab37..5da6f51fb 100644
--- a/interface-definitions/include/firewall/match-interface.xml.i
+++ b/interface-definitions/include/firewall/match-interface.xml.i
@@ -40,4 +40,4 @@
     </valueHelp>
   </properties>
 </leafNode>
-<!-- include end -->
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/match-vlan.xml.i b/interface-definitions/include/firewall/match-vlan.xml.i
index d0820f7d8..44ad02c99 100644
--- a/interface-definitions/include/firewall/match-vlan.xml.i
+++ b/interface-definitions/include/firewall/match-vlan.xml.i
@@ -6,14 +6,14 @@
   <children>
     <leafNode name="id">
       <properties>
-        <help>VLAN id</help>
+        <help>Vlan id</help>
         <valueHelp>
           <format>u32:0-4096</format>
-          <description>VLAN id</description>
+          <description>Vlan id</description>
         </valueHelp>
         <valueHelp>
           <format>&lt;start-end&gt;</format>
-          <description>VLAN id range to match</description>
+          <description>Vlan id range to match</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--allow-range --range 0-4095"/>
@@ -22,14 +22,14 @@
     </leafNode>
     <leafNode name="priority">
       <properties>
-        <help>VLAN priority(pcp)</help>
+        <help>Vlan priority(pcp)</help>
         <valueHelp>
           <format>u32:0-7</format>
-          <description>VLAN priority</description>
+          <description>Vlan priority</description>
         </valueHelp>
         <valueHelp>
           <format>&lt;start-end&gt;</format>
-          <description>VLAN priority range to match</description>
+          <description>Vlan priority range to match</description>
         </valueHelp>
         <constraint>
           <validator name="numeric" argument="--allow-range --range 0-7"/>
diff --git a/interface-definitions/include/firewall/offload-target.xml.i b/interface-definitions/include/firewall/offload-target.xml.i
index b1ae39100..940ed8091 100644
--- a/interface-definitions/include/firewall/offload-target.xml.i
+++ b/interface-definitions/include/firewall/offload-target.xml.i
@@ -7,4 +7,4 @@
     </completionHelp>
   </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/state.xml.i b/interface-definitions/include/firewall/state.xml.i
index 47ce3c91d..dee9722e5 100644
--- a/interface-definitions/include/firewall/state.xml.i
+++ b/interface-definitions/include/firewall/state.xml.i
@@ -27,4 +27,4 @@
     <multi/>
   </properties>
 </leafNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/synproxy.xml.i b/interface-definitions/include/firewall/synproxy.xml.i
new file mode 100644
index 000000000..a65126ea9
--- /dev/null
+++ b/interface-definitions/include/firewall/synproxy.xml.i
@@ -0,0 +1,40 @@
+<!-- include start from firewall/synproxy.xml.i -->
+<node name="synproxy">
+  <properties>
+    <help>Synproxy options</help>
+  </properties>
+  <children>
+    <node name="tcp">
+      <properties>
+        <help>TCP synproxy options</help>
+      </properties>
+      <children>
+        <leafNode name="mss">
+          <properties>
+            <help>TCP Maximum segment size</help>
+            <valueHelp>
+              <format>u32:501-65535</format>
+              <description>Maximum segment size for synproxy connections</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 501-65535"/>
+            </constraint>
+          </properties>
+        </leafNode>
+        <leafNode name="window-scale">
+          <properties>
+            <help>TCP window scale for synproxy connections</help>
+            <valueHelp>
+              <format>u32:1-14</format>
+              <description>TCP window scale</description>
+            </valueHelp>
+            <constraint>
+              <validator name="numeric" argument="--range 1-14"/>
+            </constraint>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-flags.xml.i b/interface-definitions/include/firewall/tcp-flags.xml.i
index e2ce7b9fd..36546c2e4 100644
--- a/interface-definitions/include/firewall/tcp-flags.xml.i
+++ b/interface-definitions/include/firewall/tcp-flags.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from firewall/tcp-flags.xml.i -->
 <node name="tcp">
   <properties>
-    <help>TCP flags to match</help>
+    <help>TCP options to match</help>
   </properties>
   <children>
     <node name="flags">
@@ -114,22 +114,6 @@
         </node>
       </children>
     </node>
-    <leafNode name="mss">
-      <properties>
-        <help>Maximum segment size (MSS)</help>
-        <valueHelp>
-          <format>u32:1-16384</format>
-          <description>Maximum segment size</description>
-        </valueHelp>
-        <valueHelp>
-          <format>&lt;min&gt;-&lt;max&gt;</format>
-          <description>TCP MSS range (use '-' as delimiter)</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--allow-range --range 1-16384"/>
-        </constraint>
-      </properties>
-    </leafNode>
   </children>
 </node>
 <!-- include end -->
diff --git a/interface-definitions/include/firewall/tcp-mss.xml.i b/interface-definitions/include/firewall/tcp-mss.xml.i
new file mode 100644
index 000000000..dc49b4272
--- /dev/null
+++ b/interface-definitions/include/firewall/tcp-mss.xml.i
@@ -0,0 +1,25 @@
+<!-- include start from firewall/tcp-mss.xml.i -->
+<node name="tcp">
+  <properties>
+    <help>TCP options to match</help>
+  </properties>
+  <children>
+    <leafNode name="mss">
+      <properties>
+        <help>Maximum segment size (MSS)</help>
+        <valueHelp>
+          <format>u32:1-16384</format>
+          <description>Maximum segment size</description>
+        </valueHelp>
+        <valueHelp>
+          <format>&lt;min&gt;-&lt;max&gt;</format>
+          <description>TCP MSS range (use '-' as delimiter)</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--allow-range --range 1-16384"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
-- 
cgit v1.2.3