From ca6b7340714c6161337f508978b9834722be58dc Mon Sep 17 00:00:00 2001
From: Rain <6818611+Rain@users.noreply.github.com>
Date: Sat, 8 Oct 2022 18:04:01 -0400
Subject: firewall: T4612: Support arbitrary netmasks
Add support for arbitrary netmasks on source/destination addresses in
firewall rules. This is particularly useful with DHCPv6-PD when the
delegated prefix changes periodically.
---
.../include/firewall/address-mask-ipv6.xml.i | 14 ++++++++++++++
interface-definitions/include/firewall/address-mask.xml.i | 14 ++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 interface-definitions/include/firewall/address-mask-ipv6.xml.i
create mode 100644 interface-definitions/include/firewall/address-mask.xml.i
diff --git a/interface-definitions/include/firewall/address-mask-ipv6.xml.i b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
new file mode 100644
index 000000000..8c0483209
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask-ipv6.xml.i
@@ -0,0 +1,14 @@
+
+
+
+ IP mask
+
+ ipv6
+ IP mask to apply
+
+
+
+
+
+
+
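Review bot: The value help on this IPv6 variant reads `IP mask to apply` while the IPv4 sibling in the next hunk says `IPv4 mask to apply`; for symmetry and so a user can see which family the mask belongs to, it should read `IPv6 mask to apply`, and the node help `IP mask` (identical in both files) could also name the family. The validator constraining the mask value is not visible in this rendering, so whether a v4-style mask is rejected on the v6 node cannot be judged here and is worth confirming in the full file.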
diff --git a/interface-definitions/include/firewall/address-mask.xml.i b/interface-definitions/include/firewall/address-mask.xml.i
new file mode 100644
index 000000000..7f6f17d1e
--- /dev/null
+++ b/interface-definitions/include/firewall/address-mask.xml.i
@@ -0,0 +1,14 @@
+
+
+
+ IP mask
+
+ ipv4
+ IPv4 mask to apply
+
+
+
+
+
+
+
--
From 89fbe73b9fb9ad178a2a35bdf9c7c477dc72f054 Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Fri, 21 Oct 2022 08:41:26 -0500
Subject: graphql: T4768: change name of api child node from 'gql' to 'graphql'
---
interface-definitions/https.xml.in | 2 +-
.../include/version/https-version.xml.i | 2 +-
smoketest/scripts/cli/test_service_https.py | 10 ++--
src/conf_mode/http-api.py | 2 +-
src/migration-scripts/https/3-to-4 | 53 ++++++++++++++++++++++
src/services/vyos-http-api-server | 10 ++--
6 files changed, 66 insertions(+), 13 deletions(-)
create mode 100755 src/migration-scripts/https/3-to-4
diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in
index d096c4ff1..28656b594 100644
--- a/interface-definitions/https.xml.in
+++ b/interface-definitions/https.xml.in
@@ -107,7 +107,7 @@
-
+
GraphQL support
diff --git a/interface-definitions/include/version/https-version.xml.i b/interface-definitions/include/version/https-version.xml.i
index 586083649..111076974 100644
--- a/interface-definitions/include/version/https-version.xml.i
+++ b/interface-definitions/include/version/https-version.xml.i
@@ -1,3 +1,3 @@
-
+
diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py
index 72c1d4e43..719125f0f 100755
--- a/smoketest/scripts/cli/test_service_https.py
+++ b/smoketest/scripts/cli/test_service_https.py
@@ -143,10 +143,10 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
# caught by the resolver, and returns success 'False', so one must
# check the return value.
- self.cli_set(base_path + ['api', 'gql'])
+ self.cli_set(base_path + ['api', 'graphql'])
self.cli_commit()
- gql_url = f'https://{address}/graphql'
+ graphql_url = f'https://{address}/graphql'
query_valid_key = f"""
{{
@@ -160,7 +160,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
}}
"""
- r = request('POST', gql_url, verify=False, headers=headers, json={'query': query_valid_key})
+ r = request('POST', graphql_url, verify=False, headers=headers, json={'query': query_valid_key})
success = r.json()['data']['SystemStatus']['success']
self.assertTrue(success)
@@ -176,7 +176,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
}
"""
- r = request('POST', gql_url, verify=False, headers=headers, json={'query': query_invalid_key})
+ r = request('POST', graphql_url, verify=False, headers=headers, json={'query': query_invalid_key})
success = r.json()['data']['SystemStatus']['success']
self.assertFalse(success)
@@ -192,7 +192,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase):
}
"""
- r = request('POST', gql_url, verify=False, headers=headers, json={'query': query_no_key})
+ r = request('POST', graphql_url, verify=False, headers=headers, json={'query': query_no_key})
self.assertEqual(r.status_code, 400)
if __name__ == '__main__':
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index c196e272b..be80613c6 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -86,7 +86,7 @@ def get_config(config=None):
if 'api_keys' in api_dict:
keys_added = True
- if 'gql' in api_dict:
+ if 'graphql' in api_dict:
api_dict = dict_merge(defaults(base), api_dict)
http_api.update(api_dict)
diff --git a/src/migration-scripts/https/3-to-4 b/src/migration-scripts/https/3-to-4
new file mode 100755
index 000000000..5ee528b31
--- /dev/null
+++ b/src/migration-scripts/https/3-to-4
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# T4768 rename node 'gql' to 'graphql'.
+
+import sys
+
+from vyos.configtree import ConfigTree
+
+if (len(sys.argv) < 2):
+ print("Must specify file name!")
+ sys.exit(1)
+
+file_name = sys.argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+old_base = ['service', 'https', 'api', 'gql']
+if not config.exists(old_base):
+ # Nothing to do
+ sys.exit(0)
+
+new_base = ['service', 'https', 'api', 'graphql']
+config.set(new_base)
+
+nodes = config.list_nodes(old_base)
+for node in nodes:
+ config.copy(old_base + [node], new_base + [node])
+
+config.delete(old_base)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ sys.exit(1)
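Review bot: The read path `with open(file_name, 'r') as f:` is unguarded while the write path catches `OSError` and prints `Failed to save the modified config`, so a missing or unreadable file aborts with a traceback instead of the same style of message; wrapping the read in a matching `try/except OSError` with `print(f"Failed to read the config file: {e}")` and `sys.exit(1)` keeps the two paths consistent. The parenthesised `if (len(sys.argv) < 2):` and the `"...".format(e)` call read better as a bare condition and an f-string, matching the rest of this small script. Whether `list_nodes(old_base)` also yields valueless leaf children of `gql` that `copy` must carry over is not visible here; if such children exist, confirm they arrive under `graphql`.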
diff --git a/src/services/vyos-http-api-server b/src/services/vyos-http-api-server
index 4ace981ca..632c1e87d 100755
--- a/src/services/vyos-http-api-server
+++ b/src/services/vyos-http-api-server
@@ -688,16 +688,16 @@ if __name__ == '__main__':
app.state.vyos_debug = server_config['debug']
app.state.vyos_strict = server_config['strict']
app.state.vyos_origins = server_config.get('cors', {}).get('allow_origin', [])
- if 'gql' in server_config:
- app.state.vyos_gql = True
- if isinstance(server_config['gql'], dict) and 'introspection' in server_config['gql']:
+ if 'graphql' in server_config:
+ app.state.vyos_graphql = True
+ if isinstance(server_config['graphql'], dict) and 'introspection' in server_config['graphql']:
app.state.vyos_introspection = True
else:
app.state.vyos_introspection = False
else:
- app.state.vyos_gql = False
+ app.state.vyos_graphql = False
- if app.state.vyos_gql:
+ if app.state.vyos_graphql:
graphql_init(app)
try:
--
From 07afb79785ac5005a02df60df1ea427bdabe7de7 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sat, 29 Oct 2022 20:58:04 +0200
Subject: static: T4784: add description node for static route/route6 tagNodes
---
interface-definitions/include/static/static-route.xml.i | 1 +
interface-definitions/include/static/static-route6.xml.i | 1 +
2 files changed, 2 insertions(+)
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 2de5dc58f..04ee999c7 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -14,6 +14,7 @@
#include
#include
#include
+ #include
Next-hop IPv4 router interface
diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i
index 35feef41c..6131ac7fe 100644
--- a/interface-definitions/include/static/static-route6.xml.i
+++ b/interface-definitions/include/static/static-route6.xml.i
@@ -13,6 +13,7 @@
#include
#include
+ #include
IPv6 gateway interface name
--
From 22c3dcbb01d731f0dab0ffefa2e5a0be7009baf1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 31 Oct 2022 15:09:58 +0100
Subject: ipsec: T4787: add support for road-warrior/remote-access RADIUS
timeout
This enables users to also use 2FA/MFA authentication with a RADIUS backend, as
there is enough time to enter the second factor.
---
data/templates/ipsec/charon/eap-radius.conf.j2 | 4 +++-
interface-definitions/include/radius-timeout.xml.i | 16 ++++++++++++++++
interface-definitions/vpn-ipsec.xml.in | 1 +
interface-definitions/vpn-openconnect.xml.in | 15 +--------------
src/conf_mode/vpn_ipsec.py | 17 +++++++++++++++--
5 files changed, 36 insertions(+), 17 deletions(-)
create mode 100644 interface-definitions/include/radius-timeout.xml.i
diff --git a/data/templates/ipsec/charon/eap-radius.conf.j2 b/data/templates/ipsec/charon/eap-radius.conf.j2
index 8495011fe..364377473 100644
--- a/data/templates/ipsec/charon/eap-radius.conf.j2
+++ b/data/templates/ipsec/charon/eap-radius.conf.j2
@@ -49,8 +49,10 @@ eap-radius {
# Base to use for calculating exponential back off.
# retransmit_base = 1.4
+{% if remote_access.radius.timeout is vyos_defined %}
# Timeout in seconds before sending first retransmit.
- # retransmit_timeout = 2.0
+ retransmit_timeout = {{ remote_access.radius.timeout | float }}
+{% endif %}
# Number of times to retransmit a packet before giving up.
# retransmit_tries = 4
diff --git a/interface-definitions/include/radius-timeout.xml.i b/interface-definitions/include/radius-timeout.xml.i
new file mode 100644
index 000000000..22bb6d312
--- /dev/null
+++ b/interface-definitions/include/radius-timeout.xml.i
@@ -0,0 +1,16 @@
+
+
+
+ Session timeout
+
+ u32:1-240
+ Session timeout in seconds (default: 2)
+
+
+
+
+ Timeout must be between 1 and 240 seconds
+
+ 2
+
+
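Review bot: The help text `Session timeout` / `Session timeout in seconds (default: 2)` describes something other than what the value drives: the eap-radius template in the first hunk renders it as charon's `retransmit_timeout`, whose own comment there calls it the timeout before sending the first retransmit, not a session lifetime. Since this include is now shared with the OpenConnect definition, a family-neutral wording such as `RADIUS server response timeout in seconds (default: 2)` would stop users from reading it as a session or re-authentication timer. The commit message's goal of leaving enough time to type a second factor depends on the whole retransmission schedule (`retransmit_timeout`, `retransmit_base` and `retransmit_tries` per the template comments), and only the first becomes configurable here, so a help sentence noting that the effective wait is the sum of the retransmit intervals would help operators size it.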
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in
index 4776c53dc..64966b540 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn-ipsec.xml.in
@@ -888,6 +888,7 @@
#include
+ #include
#include
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 3b3a83bd4..8b60f2e6e 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -140,20 +140,7 @@
#include
-
-
- Session timeout
-
- u32:1-240
- Session timeout in seconds (default: 2)
-
-
-
-
- Timeout must be between 1 and 240 seconds
-
- 2
-
+ #include
If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 77a425f8b..cfefcfbe8 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -117,13 +117,26 @@ def get_config(config=None):
ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
ipsec['ike_group'][group]['proposal'][proposal])
- if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if dict_search('remote_access.connection', ipsec):
default_values = defaults(base + ['remote-access', 'connection'])
for rw in ipsec['remote_access']['connection']:
ipsec['remote_access']['connection'][rw] = dict_merge(default_values,
ipsec['remote_access']['connection'][rw])
- if 'remote_access' in ipsec and 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']:
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ if dict_search('remote_access.radius.server', ipsec):
+ # Fist handle the "base" stuff like RADIUS timeout
+ default_values = defaults(base + ['remote-access', 'radius'])
+ if 'server' in default_values:
+ del default_values['server']
+ ipsec['remote_access']['radius'] = dict_merge(default_values,
+ ipsec['remote_access']['radius'])
+
+ # Take care about individual RADIUS servers implemented as tagNodes - this
+ # requires special treatment
default_values = defaults(base + ['remote-access', 'radius', 'server'])
for server in ipsec['remote_access']['radius']['server']:
ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values,
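Review bot: The comment `# Fist handle the "base" stuff like RADIUS timeout` has a typo, `First`. The radius-level defaults are only blended inside `if dict_search('remote_access.radius.server', ipsec):`, so a configuration that sets `radius timeout` without any server never receives them; that is harmless for the template, which guards on `is vyos_defined`, but a one-line comment stating that the timeout default is intentionally tied to a server being present would save the next reader the same analysis. `dict_search` returns the looked-up value, so an empty `server` dict would also be skipped here, which the previous `'server' in ...` test did not do; probably unreachable for a tagNode, but worth being aware of. `get_config` continues outside the hunk.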
--
From 4ae434d50337b6a1543176b0b86e938fc0663626 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 3 Nov 2022 17:39:19 +0100
Subject: xml: T4795: provide common and re-usable XML definitions for policy
Remove duplicated code and move to single-source of truth.
---
interface-definitions/firewall.xml.in | 2 +-
.../include/firewall/common-rule.xml.i | 17 +-
.../include/firewall/mac-address.xml.i | 18 +
.../include/policy/route-common-rule-ipv6.xml.i | 557 ---------------------
.../include/policy/route-common-rule.xml.i | 406 ---------------
.../include/policy/route-common.xml.i | 348 +++++++++++++
.../include/policy/route-ipv4.xml.i | 45 ++
.../include/policy/route-ipv6.xml.i | 196 ++++++++
interface-definitions/policy-route.xml.in | 6 +-
9 files changed, 613 insertions(+), 982 deletions(-)
create mode 100644 interface-definitions/include/firewall/mac-address.xml.i
delete mode 100644 interface-definitions/include/policy/route-common-rule-ipv6.xml.i
delete mode 100644 interface-definitions/include/policy/route-common-rule.xml.i
create mode 100644 interface-definitions/include/policy/route-common.xml.i
create mode 100644 interface-definitions/include/policy/route-ipv4.xml.i
create mode 100644 interface-definitions/include/policy/route-ipv6.xml.i
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 673461036..c8685a187 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -218,7 +218,7 @@
Mac-group member
- <MAC address>
+ macaddr
MAC address to match
diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
index a4f66f5cb..75ad427f9 100644
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ b/interface-definitions/include/firewall/common-rule.xml.i
@@ -219,22 +219,7 @@
#include
#include
-
-
- Source MAC address
-
- <MAC address>
- MAC address to match
-
-
- !<MAC address>
- Match everything except the specified MAC address
-
-
-
-
-
-
+ #include
#include
diff --git a/interface-definitions/include/firewall/mac-address.xml.i b/interface-definitions/include/firewall/mac-address.xml.i
new file mode 100644
index 000000000..83aaf1ce1
--- /dev/null
+++ b/interface-definitions/include/firewall/mac-address.xml.i
@@ -0,0 +1,18 @@
+
+
+
+ MAC address
+
+ macaddr;
+ MAC address to match
+
+
+ !macaddr
+ Match everything except the specified MAC address
+
+
+
+
+
+
+
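Review bot: The format string on the `macaddr;` line carries a stray semicolon that its negated sibling `!macaddr` does not, so the completion help for the two forms is inconsistent; it should read `macaddr`. Since this fragment becomes the single source for MAC matching in both the firewall common-rule include and the policy-route includes of this commit, a one-line comment at the top naming its consumers would make the shared contract explicit.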
diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
deleted file mode 100644
index 662206336..000000000
--- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i
+++ /dev/null
@@ -1,557 +0,0 @@
-
-#include
-#include
-
-
- Option to disable firewall rule
-
-
-
-
-
- IP fragment match
-
-
-
-
- Second and further fragments of fragmented packets
-
-
-
-
-
- Head fragments or unfragmented packets
-
-
-
-
-
-
-
- Inbound IPsec packets
-
-
-
-
- Inbound IPsec packets
-
-
-
-
-
- Inbound non-IPsec packets
-
-
-
-
-
-
-
- Rate limit using a token bucket filter
-
-
-
-
- Maximum number of packets to allow in excess of rate
-
- u32:0-4294967295
- Maximum number of packets to allow in excess of rate
-
-
-
-
-
-
-
-
- Maximum average matching rate
-
- u32:0-4294967295
- Maximum average matching rate
-
-
-
-
-
-
-
-
-
-
- Option to log packets matching rule
-
- enable disable
-
-
- enable
- Enable log
-
-
- disable
- Disable log
-
-
- (enable|disable)
-
-
-
-
-
- Protocol to match (protocol name, number, or "all")
-
-
-
-
- all
- All IP protocols
-
-
- tcp_udp
- Both TCP and UDP
-
-
- 0-255
- IP protocol number
-
-
- !<protocol>
- IP protocol number
-
-
-
-
-
- all
-
-
-
- Parameters for matching recently seen sources
-
-
-
-
- Source addresses seen more than N times
-
- u32:1-255
- Source addresses seen more than N times
-
-
-
-
-
-
-
-
- Source addresses seen in the last N seconds
-
- u32:0-4294967295
- Source addresses seen in the last N seconds
-
-
-
-
-
-
-
-
-
-
- Packet modifications
-
-
-
-
- Packet Differentiated Services Codepoint (DSCP)
-
- u32:0-63
- DSCP number
-
-
-
-
-
-
-
-
- Packet marking
-
- u32:1-2147483647
- Packet marking
-
-
-
-
-
-
-
-
- Routing table to forward packet with
-
- u32:1-200
- Table number
-
-
- main
- Main table
-
-
-
- (main)
-
-
- main
- protocols static table
-
-
-
-
-
- TCP Maximum Segment Size
-
- u32:500-1460
- Explicitly set TCP MSS value
-
-
-
-
-
-
-
-
-
-
- Source parameters
-
-
- #include
- #include
-
-
- Source MAC address
-
- <MAC address>
- MAC address to match
-
-
- !<MAC address>
- Match everything except the specified MAC address
-
-
-
-
-
-
- #include
-
-
-
-
- Session state
-
-
-
-
- Established state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- Invalid state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- New state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- Related state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
-#include
-
-
- Time to match rule
-
-
-
-
- Monthdays to match rule on
-
-
-
-
- Date to start matching rule
-
-
-
-
- Time of day to start matching rule
-
-
-
-
- Date to stop matching rule
-
-
-
-
- Time of day to stop matching rule
-
-
-
-
- Interpret times for startdate, stopdate, starttime and stoptime to be UTC
-
-
-
-
-
- Weekdays to match rule on
-
-
-
-
-
-
- ICMPv6 type and code information
-
-
-
-
- ICMP type-name
-
- any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big
-
-
- any
- Any ICMP type/code
-
-
- echo-reply
- ICMP type/code name
-
-
- pong
- ICMP type/code name
-
-
- destination-unreachable
- ICMP type/code name
-
-
- network-unreachable
- ICMP type/code name
-
-
- host-unreachable
- ICMP type/code name
-
-
- protocol-unreachable
- ICMP type/code name
-
-
- port-unreachable
- ICMP type/code name
-
-
- fragmentation-needed
- ICMP type/code name
-
-
- source-route-failed
- ICMP type/code name
-
-
- network-unknown
- ICMP type/code name
-
-
- host-unknown
- ICMP type/code name
-
-
- network-prohibited
- ICMP type/code name
-
-
- host-prohibited
- ICMP type/code name
-
-
- TOS-network-unreachable
- ICMP type/code name
-
-
- TOS-host-unreachable
- ICMP type/code name
-
-
- communication-prohibited
- ICMP type/code name
-
-
- host-precedence-violation
- ICMP type/code name
-
-
- precedence-cutoff
- ICMP type/code name
-
-
- source-quench
- ICMP type/code name
-
-
- redirect
- ICMP type/code name
-
-
- network-redirect
- ICMP type/code name
-
-
- host-redirect
- ICMP type/code name
-
-
- TOS-network-redirect
- ICMP type/code name
-
-
- TOS host-redirect
- ICMP type/code name
-
-
- echo-request
- ICMP type/code name
-
-
- ping
- ICMP type/code name
-
-
- router-advertisement
- ICMP type/code name
-
-
- router-solicitation
- ICMP type/code name
-
-
- time-exceeded
- ICMP type/code name
-
-
- ttl-exceeded
- ICMP type/code name
-
-
- ttl-zero-during-transit
- ICMP type/code name
-
-
- ttl-zero-during-reassembly
- ICMP type/code name
-
-
- parameter-problem
- ICMP type/code name
-
-
- ip-header-bad
- ICMP type/code name
-
-
- required-option-missing
- ICMP type/code name
-
-
- timestamp-request
- ICMP type/code name
-
-
- timestamp-reply
- ICMP type/code name
-
-
- address-mask-request
- ICMP type/code name
-
-
- address-mask-reply
- ICMP type/code name
-
-
- packet-too-big
- ICMP type/code name
-
-
- (any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)
-
-
-
-
-
-
-
diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i
deleted file mode 100644
index 35fccca50..000000000
--- a/interface-definitions/include/policy/route-common-rule.xml.i
+++ /dev/null
@@ -1,406 +0,0 @@
-
-#include
-#include
-
-
- Option to disable firewall rule
-
-
-
-
-
- IP fragment match
-
-
-
-
- Second and further fragments of fragmented packets
-
-
-
-
-
- Head fragments or unfragmented packets
-
-
-
-
-
-
-
- Inbound IPsec packets
-
-
-
-
- Inbound IPsec packets
-
-
-
-
-
- Inbound non-IPsec packets
-
-
-
-
-
-
-
- Rate limit using a token bucket filter
-
-
-
-
- Maximum number of packets to allow in excess of rate
-
- u32:0-4294967295
- Maximum number of packets to allow in excess of rate
-
-
-
-
-
-
-
-
- Maximum average matching rate
-
- u32:0-4294967295
- Maximum average matching rate
-
-
-
-
-
-
-
-
-
-
- Option to log packets matching rule
-
- enable disable
-
-
- enable
- Enable log
-
-
- disable
- Disable log
-
-
- (enable|disable)
-
-
-
-
-
- Protocol to match (protocol name, number, or "all")
-
-
-
-
- all
- All IP protocols
-
-
- tcp_udp
- Both TCP and UDP
-
-
- 0-255
- IP protocol number
-
-
- !<protocol>
- IP protocol number
-
-
-
-
-
- all
-
-
-
- Parameters for matching recently seen sources
-
-
-
-
- Source addresses seen more than N times
-
- u32:1-255
- Source addresses seen more than N times
-
-
-
-
-
-
-
-
- Source addresses seen in the last N seconds
-
- u32:0-4294967295
- Source addresses seen in the last N seconds
-
-
-
-
-
-
-
-
-
-
- Packet modifications
-
-
-
-
- Packet Differentiated Services Codepoint (DSCP)
-
- u32:0-63
- DSCP number
-
-
-
-
-
-
-
-
- Packet marking
-
- u32:1-2147483647
- Packet marking
-
-
-
-
-
-
-
-
- Routing table to forward packet with
-
- u32:1-200
- Table number
-
-
- main
- Main table
-
-
-
- (main)
-
-
- main
- protocols static table
-
-
-
-
-
- TCP Maximum Segment Size
-
- u32:500-1460
- Explicitly set TCP MSS value
-
-
-
-
-
-
-
-
-
-
- Source parameters
-
-
- #include
- #include
-
-
- Source MAC address
-
- <MAC address>
- MAC address to match
-
-
- !<MAC address>
- Match everything except the specified MAC address
-
-
-
-
-
-
- #include
-
-
-
-
- Session state
-
-
-
-
- Established state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- Invalid state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- New state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
- Related state
-
- enable disable
-
-
- enable
- Enable
-
-
- disable
- Disable
-
-
- (enable|disable)
-
-
-
-
-
-#include
-
-
- Time to match rule
-
-
-
-
- Monthdays to match rule on
-
-
-
-
- Date to start matching rule
-
-
-
-
- Time of day to start matching rule
-
-
-
-
- Date to stop matching rule
-
-
-
-
- Time of day to stop matching rule
-
-
-
-
- Interpret times for startdate, stopdate, starttime and stoptime to be UTC
-
-
-
-
-
- Weekdays to match rule on
-
-
-
-
-
-
- ICMP type and code information
-
-
-
-
- ICMP code (0-255)
-
- u32:0-255
- ICMP code (0-255)
-
-
-
-
-
-
-
-
- ICMP type (0-255)
-
- u32:0-255
- ICMP type (0-255)
-
-
-
-
-
-
- #include
-
-
-
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
new file mode 100644
index 000000000..8b959c2a4
--- /dev/null
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -0,0 +1,348 @@
+
+#include
+#include
+
+
+ Option to disable firewall rule
+
+
+
+
+
+ IP fragment match
+
+
+
+
+ Second and further fragments of fragmented packets
+
+
+
+
+
+ Head fragments or unfragmented packets
+
+
+
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+ Inbound IPsec packets
+
+
+
+
+
+ Inbound non-IPsec packets
+
+
+
+
+
+
+
+ Rate limit using a token bucket filter
+
+
+
+
+ Maximum number of packets to allow in excess of rate
+
+ u32:0-4294967295
+ Maximum number of packets to allow in excess of rate
+
+
+
+
+
+
+
+
+ Maximum average matching rate
+
+ u32:0-4294967295
+ Maximum average matching rate
+
+
+
+
+
+
+
+
+
+
+ Option to log packets matching rule
+
+ enable disable
+
+
+ enable
+ Enable log
+
+
+ disable
+ Disable log
+
+
+ (enable|disable)
+
+
+
+
+
+ Protocol to match (protocol name, number, or "all")
+
+
+
+
+ all
+ All IP protocols
+
+
+ tcp_udp
+ Both TCP and UDP
+
+
+ 0-255
+ IP protocol number
+
+
+ !<protocol>
+ IP protocol number
+
+
+
+
+
+ all
+
+
+
+ Parameters for matching recently seen sources
+
+
+
+
+ Source addresses seen more than N times
+
+ u32:1-255
+ Source addresses seen more than N times
+
+
+
+
+
+
+
+
+ Source addresses seen in the last N seconds
+
+ u32:0-4294967295
+ Source addresses seen in the last N seconds
+
+
+
+
+
+
+
+
+
+
+ Packet modifications
+
+
+
+
+ Packet Differentiated Services Codepoint (DSCP)
+
+ u32:0-63
+ DSCP number
+
+
+
+
+
+
+
+
+ Packet marking
+
+ u32:1-2147483647
+ Packet marking
+
+
+
+
+
+
+
+
+ Routing table to forward packet with
+
+ u32:1-200
+ Table number
+
+
+ main
+ Main table
+
+
+
+ (main)
+
+
+ main
+ protocols static table
+
+
+
+
+
+ TCP Maximum Segment Size
+
+ u32:500-1460
+ Explicitly set TCP MSS value
+
+
+
+
+
+
+
+
+
+
+ Session state
+
+
+
+
+ Established state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ (enable|disable)
+
+
+
+
+
+ Invalid state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ (enable|disable)
+
+
+
+
+
+ New state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ (enable|disable)
+
+
+
+
+
+ Related state
+
+ enable disable
+
+
+ enable
+ Enable
+
+
+ disable
+ Disable
+
+
+ (enable|disable)
+
+
+
+
+
+#include
+
+
+ Time to match rule
+
+
+
+
+ Monthdays to match rule on
+
+
+
+
+ Date to start matching rule
+
+
+
+
+ Time of day to start matching rule
+
+
+
+
+ Date to stop matching rule
+
+
+
+
+ Time of day to stop matching rule
+
+
+
+
+ Interpret times for startdate, stopdate, starttime and stoptime to be UTC
+
+
+
+
+
+ Weekdays to match rule on
+
+
+
+
+
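Review bot: The help text for the negated protocol form `!<protocol>` repeats `IP protocol number`, which describes the positive form; the MAC include introduced in this same commit phrases its negated form as `Match everything except the specified MAC address`, and the same pattern, `Match everything except the specified protocol`, fits here. The node help `Option to disable firewall rule` now lives in a policy-route include, so `Option to disable rule` would be accurate for both consumers. Both strings are carried over unchanged from the deleted route-common-rule files, so the commit does not introduce them, but consolidating the text is the natural point to fix them.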
diff --git a/interface-definitions/include/policy/route-ipv4.xml.i b/interface-definitions/include/policy/route-ipv4.xml.i
new file mode 100644
index 000000000..1f717a1a4
--- /dev/null
+++ b/interface-definitions/include/policy/route-ipv4.xml.i
@@ -0,0 +1,45 @@
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+ ICMP type and code information
+
+
+
+
+ ICMP code (0-255)
+
+ u32:0-255
+ ICMP code (0-255)
+
+
+
+
+
+
+
+
+ ICMP type (0-255)
+
+ u32:0-255
+ ICMP type (0-255)
+
+
+
+
+
+
+ #include
+
+
+
diff --git a/interface-definitions/include/policy/route-ipv6.xml.i b/interface-definitions/include/policy/route-ipv6.xml.i
new file mode 100644
index 000000000..d636a654b
--- /dev/null
+++ b/interface-definitions/include/policy/route-ipv6.xml.i
@@ -0,0 +1,196 @@
+
+
+
+ Source parameters
+
+
+ #include
+ #include
+ #include
+ #include
+
+
+
+
+ ICMPv6 type and code information
+
+
+
+
+ ICMP type-name
+
+ any echo-reply pong destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS host-redirect echo-request ping router-advertisement router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply packet-too-big
+
+
+ any
+ Any ICMP type/code
+
+
+ echo-reply
+ ICMP type/code name
+
+
+ pong
+ ICMP type/code name
+
+
+ destination-unreachable
+ ICMP type/code name
+
+
+ network-unreachable
+ ICMP type/code name
+
+
+ host-unreachable
+ ICMP type/code name
+
+
+ protocol-unreachable
+ ICMP type/code name
+
+
+ port-unreachable
+ ICMP type/code name
+
+
+ fragmentation-needed
+ ICMP type/code name
+
+
+ source-route-failed
+ ICMP type/code name
+
+
+ network-unknown
+ ICMP type/code name
+
+
+ host-unknown
+ ICMP type/code name
+
+
+ network-prohibited
+ ICMP type/code name
+
+
+ host-prohibited
+ ICMP type/code name
+
+
+ TOS-network-unreachable
+ ICMP type/code name
+
+
+ TOS-host-unreachable
+ ICMP type/code name
+
+
+ communication-prohibited
+ ICMP type/code name
+
+
+ host-precedence-violation
+ ICMP type/code name
+
+
+ precedence-cutoff
+ ICMP type/code name
+
+
+ source-quench
+ ICMP type/code name
+
+
+ redirect
+ ICMP type/code name
+
+
+ network-redirect
+ ICMP type/code name
+
+
+ host-redirect
+ ICMP type/code name
+
+
+ TOS-network-redirect
+ ICMP type/code name
+
+
+ TOS host-redirect
+ ICMP type/code name
+
+
+ echo-request
+ ICMP type/code name
+
+
+ ping
+ ICMP type/code name
+
+
+ router-advertisement
+ ICMP type/code name
+
+
+ router-solicitation
+ ICMP type/code name
+
+
+ time-exceeded
+ ICMP type/code name
+
+
+ ttl-exceeded
+ ICMP type/code name
+
+
+ ttl-zero-during-transit
+ ICMP type/code name
+
+
+ ttl-zero-during-reassembly
+ ICMP type/code name
+
+
+ parameter-problem
+ ICMP type/code name
+
+
+ ip-header-bad
+ ICMP type/code name
+
+
+ required-option-missing
+ ICMP type/code name
+
+
+ timestamp-request
+ ICMP type/code name
+
+
+ timestamp-reply
+ ICMP type/code name
+
+
+ address-mask-request
+ ICMP type/code name
+
+
+ address-mask-reply
+ ICMP type/code name
+
+
+ packet-too-big
+ ICMP type/code name
+
+
+ (any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)
+
+
+
+
+
+
+
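Review bot: The completion list, help entries and regex under `ICMPv6 type and code information` enumerate the iptables ICMPv4 type names (for example `fragmentation-needed`, `source-quench`, `timestamp-request`, `address-mask-request`), which have no ICMPv6 counterpart, while ICMPv6-specific names such as neighbour solicitation/advertisement are absent; how the backend maps these names is not visible here, so it is worth confirming against the consumer before the list is frozen in a shared include. The entry `TOS host-redirect` (with a space) appears in the completion list, the help item and the regex, unlike every other hyphenated name; it looks like a typo for `TOS-host-redirect`, and a value containing a space is awkward for whitespace-separated completion. Both issues are inherited from the deleted route-common-rule-ipv6.xml.i, so the commit does not introduce them, but it does move them into the new single source of truth.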
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index f480f3bd5..44b96c2e6 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -46,7 +46,8 @@
#include
- #include
+ #include
+ #include
#include
#include
#include
@@ -98,7 +99,8 @@
#include
- #include
+ #include
+ #include
#include
#include
#include
--
cgit v1.2.3
From 3f5464d0ee857d204dc58867065380340008f79b Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 3 Nov 2022 17:47:55 +0100
Subject: validators: T4795: migrate mac-address python validator to
validate-value
Instead of spawning the Python interpreter for every mac-address to
validate, rather use the base validate-value OCaml implementation which
is much faster.
This removes redundant code and also makes the CLI more responsive.
The validator is moved out to a dedicated file instead of being inlined in the XML, for re-usability: if that regex needs to be touched again, it can all happen in one single file.
---
.../include/firewall/mac-address.xml.i | 5 ++--
src/validators/mac-address | 29 ++--------------------
src/validators/mac-address-exclude | 2 ++
src/validators/mac-address-firewall | 27 --------------------
4 files changed, 7 insertions(+), 56 deletions(-)
create mode 100755 src/validators/mac-address-exclude
delete mode 100755 src/validators/mac-address-firewall
diff --git a/interface-definitions/include/firewall/mac-address.xml.i b/interface-definitions/include/firewall/mac-address.xml.i
index 83aaf1ce1..db3e1e312 100644
--- a/interface-definitions/include/firewall/mac-address.xml.i
+++ b/interface-definitions/include/firewall/mac-address.xml.i
@@ -3,7 +3,7 @@
MAC address
- macaddr;
+ macaddr
MAC address to match
@@ -11,7 +11,8 @@
Match everything except the specified MAC address
-
+
+
diff --git a/src/validators/mac-address b/src/validators/mac-address
index 7d020f387..bb859a603 100755
--- a/src/validators/mac-address
+++ b/src/validators/mac-address
@@ -1,27 +1,2 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-import re
-import sys
-
-pattern = "^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"
-
-if __name__ == '__main__':
- if len(sys.argv) != 2:
- sys.exit(1)
- if not re.match(pattern, sys.argv[1]):
- sys.exit(1)
- sys.exit(0)
+#!/usr/bin/env sh
+${vyos_libexec_dir}/validate-value --regex "([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})" --value "$1"
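Review bot: The regex handed to validate-value on the new line 2 drops the `^`/`$` anchors the Python version had, so unless validate-value anchors the match implicitly (not visible here) a value with leading or trailing characters around an otherwise valid MAC would be accepted; the same applies to the new mac-address-exclude validator in the next hunk. If anchoring is not implicit, use `--regex "^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"` here and the anchored `^!...$` form in mac-address-exclude. The old script also exited non-zero on any argument count other than one; the new one still fails closed on an empty `$1`, since the pattern cannot match an empty string, but extra arguments are now silently ignored. A one-line comment stating whether validate-value anchors the regex would save the next maintainer the same question.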
diff --git a/src/validators/mac-address-exclude b/src/validators/mac-address-exclude
new file mode 100755
index 000000000..c44913023
--- /dev/null
+++ b/src/validators/mac-address-exclude
@@ -0,0 +1,2 @@
+#!/usr/bin/env sh
+${vyos_libexec_dir}/validate-value --regex "!([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})" --value "$1"
diff --git a/src/validators/mac-address-firewall b/src/validators/mac-address-firewall
deleted file mode 100755
index 70551f86d..000000000
--- a/src/validators/mac-address-firewall
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-import re
-import sys
-
-pattern = "^!?([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"
-
-if __name__ == '__main__':
- if len(sys.argv) != 2:
- sys.exit(1)
- if not re.match(pattern, sys.argv[1]):
- sys.exit(1)
- sys.exit(0)
--
cgit v1.2.3
From 051e063fdf2e459a0716a35778b33ea6bb2fdcb6 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 31 Oct 2022 14:26:51 +0100
Subject: firewall: T970: Refactor domain resolver, add firewall
source/destination `fqdn` node
---
data/templates/firewall/nftables-defines.j2 | 8 +
data/templates/firewall/nftables.j2 | 14 +-
interface-definitions/firewall.xml.in | 25 ++-
interface-definitions/include/firewall/fqdn.xml.i | 14 ++
.../firewall/source-destination-group-ipv6.xml.i | 8 +
python/vyos/firewall.py | 90 ++++------
smoketest/scripts/cli/test_firewall.py | 16 ++
src/conf_mode/firewall.py | 60 +++----
src/helpers/vyos-domain-group-resolve.py | 60 -------
src/helpers/vyos-domain-resolver.py | 182 +++++++++++++++++++++
src/systemd/vyos-domain-group-resolve.service | 11 --
src/systemd/vyos-domain-resolver.service | 13 ++
12 files changed, 328 insertions(+), 173 deletions(-)
create mode 100644 interface-definitions/include/firewall/fqdn.xml.i
delete mode 100755 src/helpers/vyos-domain-group-resolve.py
create mode 100755 src/helpers/vyos-domain-resolver.py
delete mode 100644 src/systemd/vyos-domain-group-resolve.service
create mode 100644 src/systemd/vyos-domain-resolver.service
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 5336f7ee6..dd06dee28 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -27,6 +27,14 @@
}
{% endfor %}
{% endif %}
+{% if group.domain_group is vyos_defined %}
+{% for name, name_config in group.domain_group.items() %}
+ set D_{{ name }} {
+ type {{ ip_type }}
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% if group.mac_group is vyos_defined %}
{% for group_name, group_conf in group.mac_group.items() %}
{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a0f0b8c11..2c7115134 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -67,14 +67,12 @@ table ip vyos_filter {
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
-{% if group is vyos_defined and group.domain_group is vyos_defined %}
-{% for name, name_config in group.domain_group.items() %}
- set D_{{ name }} {
+{% for set_name in ip_fqdn %}
+ set FQDN_{{ set_name }} {
type ipv4_addr
flags interval
}
-{% endfor %}
-{% endif %}
+{% endfor %}
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
@@ -178,6 +176,12 @@ table ip6 vyos_filter {
{{ conf | nft_default_rule(name_text, ipv6=True) }}
}
{% endfor %}
+{% for set_name in ip6_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
{% for set_name in ns.sets %}
set RECENT6_{{ set_name }} {
type ipv6_addr
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 673461036..2d8f17351 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -126,7 +126,7 @@
Domain address to match
- [a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?
+
@@ -408,6 +408,7 @@
#include
+ #include
#include
#include
#include
@@ -419,6 +420,7 @@
#include
+ #include
#include
#include
#include
@@ -572,6 +574,7 @@
#include
+ #include
#include
#include
#include
@@ -583,6 +586,7 @@
#include
+ #include
#include
#include
#include
@@ -656,6 +660,25 @@
disable
+
+
+ Retains last successful value if domain resolution fails
+
+
+
+
+
+ Domain resolver update interval
+
+ u32:10-3600
+ Interval (seconds)
+
+
+
+
+
+ 300
+
Policy for sending IPv4 ICMP redirect messages
diff --git a/interface-definitions/include/firewall/fqdn.xml.i b/interface-definitions/include/firewall/fqdn.xml.i
new file mode 100644
index 000000000..9eb3925b5
--- /dev/null
+++ b/interface-definitions/include/firewall/fqdn.xml.i
@@ -0,0 +1,14 @@
+
+
+
+ Fully qualified domain name
+
+ <fqdn>
+ Fully qualified domain name
+
+
+
+
+
+
+
diff --git a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
index c2cc7edb3..2a42d236c 100644
--- a/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
+++ b/interface-definitions/include/firewall/source-destination-group-ipv6.xml.i
@@ -12,6 +12,14 @@
+
+
+ Group of domains
+
+ firewall group domain-group
+
+
+
#include
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 4075e55b0..db4878c9d 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -20,6 +20,9 @@ import os
import re
from pathlib import Path
+from socket import AF_INET
+from socket import AF_INET6
+from socket import getaddrinfo
from time import strftime
from vyos.remote import download
@@ -31,65 +34,29 @@ from vyos.util import dict_search_args
from vyos.util import dict_search_recursive
from vyos.util import run
+def fqdn_config_parse(firewall):
+ firewall['ip_fqdn'] = {}
+ firewall['ip6_fqdn'] = {}
+
+ for domain, path in dict_search_recursive(firewall, 'fqdn'):
+ fw_name = path[1] # name/ipv6-name
+ rule = path[3] # rule id
+ suffix = path[4][0] # source/destination (1 char)
+ set_name = f'{fw_name}_{rule}_{suffix}'
+
+ if path[0] == 'name':
+ firewall['ip_fqdn'][set_name] = domain
+ elif path[0] == 'ipv6_name':
+ firewall['ip6_fqdn'][set_name] = domain
+
+def fqdn_resolve(fqdn, ipv6=False):
+ try:
+ res = getaddrinfo(fqdn, None, AF_INET6 if ipv6 else AF_INET)
+ return set(item[4][0] for item in res)
+ except:
+ return None
-# Functions for firewall group domain-groups
-def get_ips_domains_dict(list_domains):
- """
- Get list of IPv4 addresses by list of domains
- Ex: get_ips_domains_dict(['ex1.com', 'ex2.com'])
- {'ex1.com': ['192.0.2.1'], 'ex2.com': ['192.0.2.2', '192.0.2.3']}
- """
- from socket import gethostbyname_ex
- from socket import gaierror
-
- ip_dict = {}
- for domain in list_domains:
- try:
- _, _, ips = gethostbyname_ex(domain)
- ip_dict[domain] = ips
- except gaierror:
- pass
-
- return ip_dict
-
-def nft_init_set(group_name, table="vyos_filter", family="ip"):
- """
- table ip vyos_filter {
- set GROUP_NAME
- type ipv4_addr
- flags interval
- }
- """
- return call(f'nft add set ip {table} {group_name} {{ type ipv4_addr\\; flags interval\\; }}')
-
-
-def nft_add_set_elements(group_name, elements, table="vyos_filter", family="ip"):
- """
- table ip vyos_filter {
- set GROUP_NAME {
- type ipv4_addr
- flags interval
- elements = { 192.0.2.1, 192.0.2.2 }
- }
- """
- elements = ", ".join(elements)
- return call(f'nft add element {family} {table} {group_name} {{ {elements} }} ')
-
-def nft_flush_set(group_name, table="vyos_filter", family="ip"):
- """
- Flush elements of nft set
- """
- return call(f'nft flush set {family} {table} {group_name}')
-
-def nft_update_set_elements(group_name, elements, table="vyos_filter", family="ip"):
- """
- Update elements of nft set
- """
- flush_set = nft_flush_set(group_name, table="vyos_filter", family="ip")
- nft_add_set = nft_add_set_elements(group_name, elements, table="vyos_filter", family="ip")
- return flush_set, nft_add_set
-
-# END firewall group domain-group (sets)
+# End Domain Resolver
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
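Review bot: `fqdn_config_parse` records the configured value unchanged on lines 2352 and 2354, yet `parse_rule` in the next hunk treats a leading `!` as negation, so a negated fqdn reaches `fqdn_resolve` as `!example.com`, never resolves, and its set stays empty — with the `!=` operator such a rule would then match every address. Unless the fqdn validator (not in this view) rejects a leading `!`, strip it when recording the domain: `firewall['ip_fqdn'][set_name] = domain.lstrip('!')` and the same for `ip6_fqdn`. `fqdn_resolve` also uses a bare `except:`, which in the long-running resolver swallows `KeyboardInterrupt` and `SystemExit`; `except (OSError, UnicodeError): return None` covers what `getaddrinfo` raises. `path[4][0]` assumes every `fqdn` key sits at `name/<fw>/rule/<id>/<side>/fqdn` even though `dict_search_recursive` walks the whole dict; a short comment stating that assumption would help.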
@@ -151,6 +118,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
suffix = f'!= {suffix[1:]}'
output.append(f'{ip_name} {prefix}addr {suffix}')
+ if 'fqdn' in side_conf:
+ fqdn = side_conf['fqdn']
+ operator = ''
+ if fqdn[0] == '!':
+ operator = '!='
+ output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{fw_name}_{rule_id}_{prefix}')
+
if dict_search_args(side_conf, 'geoip', 'country_code'):
operator = ''
if dict_search_args(side_conf, 'geoip', 'inverse_match') != None:
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 821925bcd..e172e086d 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -17,11 +17,13 @@
import unittest
from glob import glob
+from time import sleep
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.util import cmd
+from vyos.util import run
sysfs_config = {
'all_ping': {'sysfs': '/proc/sys/net/ipv4/icmp_echo_ignore_all', 'default': '0', 'test_value': 'disable'},
@@ -76,6 +78,17 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
break
self.assertTrue(not matched if inverse else matched, msg=search)
+ def wait_for_domain_resolver(self, table, set_name, element, max_wait=10):
+ # Resolver no longer blocks commit, need to wait for daemon to populate set
+ count = 0
+ while count < max_wait:
+ code = run(f'sudo nft get element {table} {set_name} {{ {element} }}')
+ if code == 0:
+ return True
+ count += 1
+ sleep(1)
+ return False
+
def test_geoip(self):
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
@@ -125,6 +138,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
self.cli_set(['firewall', 'interface', 'eth0', 'in', 'name', 'smoketest'])
self.cli_commit()
+
+ self.wait_for_domain_resolver('ip vyos_filter', 'D_smoketest_domain', '192.0.2.5')
+
nftables_search = [
['iifname "eth0"', 'jump NAME_smoketest'],
['ip saddr @N_smoketest_network', 'ip daddr 172.16.10.10', 'th dport @P_smoketest_port', 'return'],
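Review bot: The return value of `wait_for_domain_resolver` is discarded on line 2471, so a resolver that never populates `D_smoketest_domain` does not fail the test; the `nftables_search` that follows checks rule text, not set contents. Assert it: `self.assertTrue(self.wait_for_domain_resolver('ip vyos_filter', 'D_smoketest_domain', '192.0.2.5'))`. The element `192.0.2.5` must be what the configured test domain resolves to in the smoketest environment, which is not visible in this hunk.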
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index cbd9cbe90..2bb765e65 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -27,12 +27,8 @@ from vyos.configdict import dict_merge
from vyos.configdict import node_changed
from vyos.configdiff import get_config_diff, Diff
# from vyos.configverify import verify_interface_exists
+from vyos.firewall import fqdn_config_parse
from vyos.firewall import geoip_update
-from vyos.firewall import get_ips_domains_dict
-from vyos.firewall import nft_add_set_elements
-from vyos.firewall import nft_flush_set
-from vyos.firewall import nft_init_set
-from vyos.firewall import nft_update_set_elements
from vyos.template import render
from vyos.util import call
from vyos.util import cmd
@@ -173,6 +169,8 @@ def get_config(config=None):
firewall['geoip_updated'] = geoip_updated(conf, firewall)
+ fqdn_config_parse(firewall)
+
return firewall
def verify_rule(firewall, rule_conf, ipv6):
@@ -232,29 +230,28 @@ def verify_rule(firewall, rule_conf, ipv6):
if side in rule_conf:
side_conf = rule_conf[side]
- if dict_search_args(side_conf, 'geoip', 'country_code'):
- if 'address' in side_conf:
- raise ConfigError('Address and GeoIP cannot both be defined')
-
- if dict_search_args(side_conf, 'group', 'address_group'):
- raise ConfigError('Address-group and GeoIP cannot both be defined')
-
- if dict_search_args(side_conf, 'group', 'network_group'):
- raise ConfigError('Network-group and GeoIP cannot both be defined')
+ if len({'address', 'fqdn', 'geoip'} & set(side_conf)) > 1:
+ raise ConfigError('Only one of address, fqdn or geoip can be specified')
if 'group' in side_conf:
- if {'address_group', 'network_group'} <= set(side_conf['group']):
- raise ConfigError('Only one address-group or network-group can be specified')
+ if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
+ raise ConfigError('Only one address-group, network-group or domain-group can be specified')
for group in valid_groups:
if group in side_conf['group']:
group_name = side_conf['group'][group]
+ fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group
+ error_group = fw_group.replace("_", "-")
+
+ if group in ['address_group', 'network_group', 'domain_group']:
+ types = [t for t in ['address', 'fqdn', 'geoip'] if t in side_conf]
+ if types:
+ raise ConfigError(f'{error_group} and {types[0]} cannot both be defined')
+
if group_name and group_name[0] == '!':
group_name = group_name[1:]
- fw_group = f'ipv6_{group}' if ipv6 and group in ['address_group', 'network_group'] else group
- error_group = fw_group.replace("_", "-")
group_obj = dict_search_args(firewall, 'group', fw_group, group_name)
if group_obj is None:
@@ -477,26 +474,13 @@ def apply(firewall):
if install_result == 1:
raise ConfigError(f'Failed to apply firewall: {output}')
- # set firewall group domain-group xxx
- if 'group' in firewall:
- if 'domain_group' in firewall['group']:
- # T970 Enable a resolver (systemd daemon) that checks
- # domain-group addresses and update entries for domains by timeout
- # If router loaded without internet connection or for synchronization
- call('systemctl restart vyos-domain-group-resolve.service')
- for group, group_config in firewall['group']['domain_group'].items():
- domains = []
- if group_config.get('address') is not None:
- for address in group_config.get('address'):
- domains.append(address)
- # Add elements to domain-group, try to resolve domain => ip
- # and add elements to nft set
- ip_dict = get_ips_domains_dict(domains)
- elements = sum(ip_dict.values(), [])
- nft_init_set(f'D_{group}')
- nft_add_set_elements(f'D_{group}', elements)
- else:
- call('systemctl stop vyos-domain-group-resolve.service')
+ # T970 Enable a resolver (systemd daemon) that checks
+ # domain-group addresses and update entries for domains by timeout
+ # If router loaded without internet connection or for synchronization
+ domain_action = 'stop'
+ if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'] or firewall['ip6_fqdn']:
+ domain_action = 'restart'
+ call(f'systemctl {domain_action} vyos-domain-resolver.service')
apply_sysfs(firewall)
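Review bot: Every commit that configures a domain-group or fqdn restarts `vyos-domain-resolver.service` on line 2565, and since the resolver keeps `domain_state` in memory, the last-known-good addresses that `resolver-cache` is meant to retain are lost on each restart; if resolution fails on the first run after a restart, the set is flushed and left empty. If that is an accepted trade-off, record it in the comment: `# A restart drops the resolver's in-memory cache; sets are repopulated on its first run`; otherwise have the daemon re-read its configuration instead of being restarted. `firewall['ip_fqdn']` and `firewall['ip6_fqdn']` are also indexed unconditionally, which relies on `get_config` always calling `fqdn_config_parse` — true in this commit, but `dict_search_args(firewall, 'ip_fqdn')` would make `apply` robust to future callers.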
diff --git a/src/helpers/vyos-domain-group-resolve.py b/src/helpers/vyos-domain-group-resolve.py
deleted file mode 100755
index 6b677670b..000000000
--- a/src/helpers/vyos-domain-group-resolve.py
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-
-import time
-
-from vyos.configquery import ConfigTreeQuery
-from vyos.firewall import get_ips_domains_dict
-from vyos.firewall import nft_add_set_elements
-from vyos.firewall import nft_flush_set
-from vyos.firewall import nft_init_set
-from vyos.firewall import nft_update_set_elements
-from vyos.util import call
-
-
-base = ['firewall', 'group', 'domain-group']
-check_required = True
-# count_failed = 0
-# Timeout in sec between checks
-timeout = 300
-
-domain_state = {}
-
-if __name__ == '__main__':
-
- while check_required:
- config = ConfigTreeQuery()
- if config.exists(base):
- domain_groups = config.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- for set_name, domain_config in domain_groups.items():
- list_domains = domain_config['address']
- elements = []
- ip_dict = get_ips_domains_dict(list_domains)
-
- for domain in list_domains:
- # Resolution succeeded, update domain state
- if domain in ip_dict:
- domain_state[domain] = ip_dict[domain]
- elements += ip_dict[domain]
- # Resolution failed, use previous domain state
- elif domain in domain_state:
- elements += domain_state[domain]
-
- # Resolve successful
- if elements:
- nft_update_set_elements(f'D_{set_name}', elements)
- time.sleep(timeout)
diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
new file mode 100755
index 000000000..2f71f15db
--- /dev/null
+++ b/src/helpers/vyos-domain-resolver.py
@@ -0,0 +1,182 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import json
+import os
+import time
+
+from vyos.configdict import dict_merge
+from vyos.configquery import ConfigTreeQuery
+from vyos.firewall import fqdn_config_parse
+from vyos.firewall import fqdn_resolve
+from vyos.util import cmd
+from vyos.util import commit_in_progress
+from vyos.util import dict_search_args
+from vyos.util import run
+from vyos.xml import defaults
+
+base = ['firewall']
+timeout = 300
+cache = False
+
+domain_state = {}
+
+ipv4_tables = {
+ 'ip mangle',
+ 'ip vyos_filter',
+}
+
+ipv6_tables = {
+ 'ip6 mangle',
+ 'ip6 vyos_filter'
+}
+
+def get_config(conf):
+ firewall = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ default_values = defaults(base)
+ for tmp in ['name', 'ipv6_name']:
+ if tmp in default_values:
+ del default_values[tmp]
+
+ if 'zone' in default_values:
+ del default_values['zone']
+
+ firewall = dict_merge(default_values, firewall)
+
+ global timeout, cache
+
+ if 'resolver_interval' in firewall:
+ timeout = int(firewall['resolver_interval'])
+
+ if 'resolver_cache' in firewall:
+ cache = True
+
+ fqdn_config_parse(firewall)
+
+ return firewall
+
+def resolve(domains, ipv6=False):
+ global domain_state
+
+ ip_list = set()
+
+ for domain in domains:
+ resolved = fqdn_resolve(domain, ipv6=ipv6)
+
+ if resolved and cache:
+ domain_state[domain] = resolved
+ elif not resolved:
+ if domain not in domain_state:
+ continue
+ resolved = domain_state[domain]
+
+ ip_list = ip_list | resolved
+ return ip_list
+
+def nft_output(table, set_name, ip_list):
+ output = [f'flush set {table} {set_name}']
+ if ip_list:
+ ip_str = ','.join(ip_list)
+ output.append(f'add element {table} {set_name} {{ {ip_str} }}')
+ return output
+
+def nft_valid_sets():
+ try:
+ valid_sets = []
+ sets_json = cmd('nft -j list sets')
+ sets_obj = json.loads(sets_json)
+
+ for obj in sets_obj['nftables']:
+ if 'set' in obj:
+ family = obj['set']['family']
+ table = obj['set']['table']
+ name = obj['set']['name']
+ valid_sets.append((f'{family} {table}', name))
+
+ return valid_sets
+ except:
+ return []
+
+def update(firewall):
+ conf_lines = []
+ count = 0
+
+ valid_sets = nft_valid_sets()
+
+ domain_groups = dict_search_args(firewall, 'group', 'domain_group')
+ if domain_groups:
+ for set_name, domain_config in domain_groups.items():
+ if 'address' not in domain_config:
+ continue
+
+ nft_set_name = f'D_{set_name}'
+ domains = domain_config['address']
+
+ ip_list = resolve(domains, ipv6=False)
+ for table in ipv4_tables:
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+
+ ip6_list = resolve(domains, ipv6=True)
+ for table in ipv6_tables:
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip6_list)
+ count += 1
+
+ for set_name, domain in firewall['ip_fqdn'].items():
+ table = 'ip vyos_filter'
+ nft_set_name = f'FQDN_{set_name}'
+
+ ip_list = resolve([domain], ipv6=False)
+
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+ count += 1
+
+ for set_name, domain in firewall['ip6_fqdn'].items():
+ table = 'ip6 vyos_filter'
+ nft_set_name = f'FQDN_{set_name}'
+
+ ip_list = resolve([domain], ipv6=True)
+ if (table, nft_set_name) in valid_sets:
+ conf_lines += nft_output(table, nft_set_name, ip_list)
+ count += 1
+
+ nft_conf_str = "\n".join(conf_lines) + "\n"
+ code = run(f'nft -f -', input=nft_conf_str)
+
+ print(f'Updated {count} sets - result: {code}')
+
+if __name__ == '__main__':
+ print(f'VyOS domain resolver')
+
+ count = 1
+ while commit_in_progress():
+ if ( count % 60 == 0 ):
+ print(f'Commit still in progress after {count}s - waiting')
+ count += 1
+ time.sleep(1)
+
+ conf = ConfigTreeQuery()
+ firewall = get_config(conf)
+
+ print(f'interval: {timeout}s - cache: {cache}')
+
+ while True:
+ update(firewall)
+ time.sleep(timeout)
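Review bot: `domain_state` is keyed only by domain (lines 2720–2724), but `update` resolves every domain-group twice, once per family (lines 2768 and 2773), so with `resolver-cache` enabled the IPv6 result overwrites the cached IPv4 result; when IPv4 resolution later fails, `resolve` falls back to IPv6 addresses for an `ipv4_addr` set, the whole `nft -f -` transaction is rejected, and every set stays stale. Key the cache per family: `domain_state[(domain, ipv6)] = resolved`, `if (domain, ipv6) not in domain_state: continue` and `resolved = domain_state[(domain, ipv6)]`. `nft_valid_sets` uses a bare `except:` that turns a failing `nft -j list sets` into an empty list, which silently skips every update; narrow it to the errors `cmd` and `json.loads` raise and print the failure so it reaches the journal. A comment on `timeout` noting that the fixed interval ignores DNS record TTLs, so set contents may lag a changed record by up to `resolver-interval` seconds, would help operators reason about the window. The `global domain_state` on line 2712 is unnecessary, since the dict is only mutated, never rebound.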
diff --git a/src/systemd/vyos-domain-group-resolve.service b/src/systemd/vyos-domain-group-resolve.service
deleted file mode 100644
index 29628fddb..000000000
--- a/src/systemd/vyos-domain-group-resolve.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=VyOS firewall domain-group resolver
-After=vyos-router.service
-
-[Service]
-Type=simple
-Restart=always
-ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-domain-group-resolve.py
-
-[Install]
-WantedBy=multi-user.target
diff --git a/src/systemd/vyos-domain-resolver.service b/src/systemd/vyos-domain-resolver.service
new file mode 100644
index 000000000..c56b51f0c
--- /dev/null
+++ b/src/systemd/vyos-domain-resolver.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=VyOS firewall domain resolver
+After=vyos-router.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/vyos-domain-resolver.py
+StandardError=journal
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
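Review bot: The unit runs the resolver as root with no sandboxing, although the daemon only needs to execute `nft` and issue DNS queries. Add at least `NoNewPrivileges=true`, `ProtectHome=true` and `ProtectSystem=strict` under `[Service]`; whether `ConfigTreeQuery` or `nft -f -` need writable paths beyond the defaults is not visible here and should be checked before tightening further, for example with `CapabilityBoundingSet=CAP_NET_ADMIN`. `Restart=always` without a `RestartSec` means a resolver that exits immediately, such as on an unhandled exception in `update`, is restarted in a tight loop until systemd's default start rate limit stops it.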
--
cgit v1.2.3
From b4b491d424fba6f3d417135adc1865e338a480a1 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 31 Oct 2022 21:08:42 +0100
Subject: nat: T1877: T970: Add firewall groups to NAT
---
data/templates/firewall/nftables-nat.j2 | 4 ++
interface-definitions/include/nat-rule.xml.i | 2 +
python/vyos/firewall.py | 2 +
python/vyos/nat.py | 56 +++++++++++++++++++--
smoketest/scripts/cli/test_nat.py | 35 +++++++++++++
src/conf_mode/firewall.py | 22 ++++++---
src/conf_mode/nat.py | 73 +++++++++++++++++++++++-----
src/helpers/vyos-domain-resolver.py | 1 +
8 files changed, 174 insertions(+), 21 deletions(-)
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index c5c0a2c86..f0be3cf5d 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -1,5 +1,7 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{% set base_command = 'delete rule ip raw' %}
@@ -59,5 +61,7 @@ table ip vyos_nat {
chain VYOS_PRE_SNAT_HOOK {
return
}
+
+{{ group_tmpl.groups(firewall_group, False) }}
}
{% endif %}
diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i
index 84941aa6a..8f2029388 100644
--- a/interface-definitions/include/nat-rule.xml.i
+++ b/interface-definitions/include/nat-rule.xml.i
@@ -20,6 +20,7 @@
#include
#include
+ #include
#include
@@ -285,6 +286,7 @@
#include
#include
+ #include
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index db4878c9d..59ec4948f 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -34,6 +34,8 @@ from vyos.util import dict_search_args
from vyos.util import dict_search_recursive
from vyos.util import run
+# Domain Resolver
+
def fqdn_config_parse(firewall):
firewall['ip_fqdn'] = {}
firewall['ip6_fqdn'] = {}
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index 31bbdc386..3d01829a7 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
@@ -85,8 +85,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
translation_str += f' {",".join(options)}'
for target in ['source', 'destination']:
+ if target not in rule_conf:
+ continue
+
+ side_conf = rule_conf[target]
prefix = target[:1]
- addr = dict_search_args(rule_conf, target, 'address')
+
+ addr = dict_search_args(side_conf, 'address')
if addr and not (ignore_type_addr and target == nat_type):
operator = ''
if addr[:1] == '!':
@@ -94,7 +99,7 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
addr = addr[1:]
output.append(f'{ip_prefix} {prefix}addr {operator} {addr}')
- addr_prefix = dict_search_args(rule_conf, target, 'prefix')
+ addr_prefix = dict_search_args(side_conf, 'prefix')
if addr_prefix and ipv6:
operator = ''
if addr_prefix[:1] == '!':
@@ -102,7 +107,7 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
addr_prefix = addr[1:]
output.append(f'ip6 {prefix}addr {operator} {addr_prefix}')
- port = dict_search_args(rule_conf, target, 'port')
+ port = dict_search_args(side_conf, 'port')
if port:
protocol = rule_conf['protocol']
if protocol == 'tcp_udp':
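Review bot: Line 2945, `addr_prefix = addr[1:]`, is context rather than part of this change, but it strips the `!` from `addr` instead of `addr_prefix`; with a negated prefix and no `address` configured, `addr` is `None` and this raises `TypeError`, and otherwise the rule is emitted with the wrong operand. The intended line is `addr_prefix = addr_prefix[1:]`. `parse_nat_rule` starts outside this hunk.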
@@ -113,6 +118,51 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
port = port[1:]
output.append(f'{protocol} {prefix}port {operator} {{ {port} }}')
+ if 'group' in side_conf:
+ group = side_conf['group']
+ if 'address_group' in group and not (ignore_type_addr and target == nat_type):
+ group_name = group['address_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @A_{group_name}')
+ # Generate firewall group domain-group
+ elif 'domain_group' in group and not (ignore_type_addr and target == nat_type):
+ group_name = group['domain_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @D_{group_name}')
+ elif 'network_group' in group and not (ignore_type_addr and target == nat_type):
+ group_name = group['network_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_prefix} {prefix}addr {operator} @N_{group_name}')
+ if 'mac_group' in group:
+ group_name = group['mac_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'ether {prefix}addr {operator} @M_{group_name}')
+ if 'port_group' in group:
+ proto = rule_conf['protocol']
+ group_name = group['port_group']
+
+ if proto == 'tcp_udp':
+ proto = 'th'
+
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+
+ output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
+
output.append('counter')
if 'log' in rule_conf:
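Review bot: The `@D_{group_name}` reference on line 2971 is only populated by the resolver for the tables listed in its `ipv4_tables`/`ipv6_tables`, which in the previous commit are the mangle and vyos_filter tables; the diffstat lists a one-line change to `vyos-domain-resolver.py` outside this view that presumably adds `ip vyos_nat`, and without it a NAT rule using a domain-group matches an empty set. A comment at that branch would record the coupling: `# D_ sets in vyos_nat are populated by vyos-domain-resolver`. The five group blocks repeat the same leading-`!` handling; a small helper removes the duplication as sketched below. Like the port branch above it, `port_group` reads `rule_conf['protocol']` and would raise `KeyError` if the CLI allows a rule without `protocol`.
```python
def _nft_operator(group_name):
    """Split a leading '!' off a group reference into ('!=', name) or ('', name)."""
    if group_name[0] == '!':
        return '!=', group_name[1:]
    return '', group_name

# … unchanged: parse_nat_rule up to the port handling …
        if 'group' in side_conf:
            group = side_conf['group']
            match_addr = not (ignore_type_addr and target == nat_type)
            # First address-type group present wins, matching the original elif chain
            for key, set_prefix in (('address_group', 'A'), ('domain_group', 'D'), ('network_group', 'N')):
                if key in group and match_addr:
                    operator, group_name = _nft_operator(group[key])
                    output.append(f'{ip_prefix} {prefix}addr {operator} @{set_prefix}_{group_name}')
                    break
            if 'mac_group' in group:
                operator, group_name = _nft_operator(group['mac_group'])
                output.append(f'ether {prefix}addr {operator} @M_{group_name}')
            if 'port_group' in group:
                proto = 'th' if rule_conf['protocol'] == 'tcp_udp' else rule_conf['protocol']
                operator, group_name = _nft_operator(group['port_group'])
                output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
# … unchanged: counter / log handling …
```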
diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
index 2ae90fcaf..9f4e3b831 100755
--- a/smoketest/scripts/cli/test_nat.py
+++ b/smoketest/scripts/cli/test_nat.py
@@ -58,6 +58,17 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
break
self.assertTrue(not matched if inverse else matched, msg=search)
+ def wait_for_domain_resolver(self, table, set_name, element, max_wait=10):
+ # Resolver no longer blocks commit, need to wait for daemon to populate set
+ count = 0
+ while count < max_wait:
+ code = run(f'sudo nft get element {table} {set_name} {{ {element} }}')
+ if code == 0:
+ return True
+ count += 1
+ sleep(1)
+ return False
+
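Review bot: `wait_for_domain_resolver` is copied verbatim from `test_firewall.py` and is not called anywhere in this file's diff, and it relies on `run` and `sleep` although no import hunk for `test_nat.py` is part of this commit — confirm both names are already imported, or the method fails with `NameError` the first time it is used. Hoisting it into `VyOSUnitTestSHIM` or a shared helper avoids maintaining two copies. A docstring such as `"""Poll nft until element is present in set_name, up to max_wait seconds; return True on success."""` would document the contract.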
def test_snat(self):
rules = ['100', '110', '120', '130', '200', '210', '220', '230']
outbound_iface_100 = 'eth0'
@@ -84,6 +95,30 @@ class TestNAT(VyOSUnitTestSHIM.TestCase):
self.verify_nftables(nftables_search, 'ip vyos_nat')
+ def test_snat_groups(self):
+ address_group = 'smoketest_addr'
+ address_group_member = '192.0.2.1'
+ rule = '100'
+ outbound_iface = 'eth0'
+
+ self.cli_set(['firewall', 'group', 'address-group', address_group, 'address', address_group_member])
+
+ self.cli_set(src_path + ['rule', rule, 'source', 'group', 'address-group', address_group])
+ self.cli_set(src_path + ['rule', rule, 'outbound-interface', outbound_iface])
+ self.cli_set(src_path + ['rule', rule, 'translation', 'address', 'masquerade'])
+
+ self.cli_commit()
+
+ nftables_search = [
+ [f'set A_{address_group}'],
+ [f'elements = {{ {address_group_member} }}'],
+ [f'ip saddr @A_{address_group}', f'oifname "{outbound_iface}"', 'masquerade']
+ ]
+
+ self.verify_nftables(nftables_search, 'ip vyos_nat')
+
+ self.cli_delete(['firewall'])
+
def test_dnat(self):
rules = ['100', '110', '120', '130', '200', '210', '220', '230']
inbound_iface_100 = 'eth0'
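Review bot: The `self.cli_delete(['firewall'])` on the last added line runs only when every assertion before it passes, so a failing `verify_nftables` leaves the `smoketest_addr` address-group in the running config and the leak cascades into later tests (tearDown is outside this hunk, so whether it already clears `firewall` cannot be confirmed here). Register the cleanup as soon as the group is created instead, `self.addCleanup(self.cli_delete, ['firewall'])`, assuming the shim's tearDown commits pending deletions as it appears to for `nat`. The test also covers only the plain group reference; the negated form (`!smoketest_addr`) is the one whose nftables semantics differ (`saddr != @set`) and deserves its own case.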
diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 2bb765e65..783adec46 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -41,6 +41,7 @@ from vyos import ConfigError
from vyos import airbag
airbag.enable()
+nat_conf_script = '/usr/libexec/vyos/conf_mode/nat.py'
policy_route_conf_script = '/usr/libexec/vyos/conf_mode/policy-route.py'
nftables_conf = '/run/nftables.conf'
@@ -158,7 +159,7 @@ def get_config(config=None):
for zone in firewall['zone']:
firewall['zone'][zone] = dict_merge(default_values, firewall['zone'][zone])
- firewall['policy_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
+ firewall['group_resync'] = bool('group' in firewall or node_changed(conf, base + ['group']))
if 'config_trap' in firewall and firewall['config_trap'] == 'enable':
diff = get_config_diff(conf)
@@ -463,6 +464,12 @@ def post_apply_trap(firewall):
cmd(base_cmd + ' '.join(objects))
+def resync_nat():
+ # Update nat as firewall groups were updated
+ tmp, out = rc_cmd(nat_conf_script)
+ if tmp > 0:
+ Warning(f'Failed to re-apply nat configuration! {out}')
+
def resync_policy_route():
# Update policy route as firewall groups were updated
tmp, out = rc_cmd(policy_route_conf_script)
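Review bot: `if tmp > 0` in the new `resync_nat` misses a negative return code (a nat.py killed by a signal reports `-N` if `rc_cmd` passes the raw subprocess code through), and any failure is downgraded to `Warning`, so the firewall commit succeeds while `ip vyos_nat` may still carry the pre-change group sets. Use `if tmp != 0:` and consider raising `ConfigError` rather than warning, because a NAT ruleset that silently disagrees with the firewall groups it references is an inconsistency an operator will not notice until traffic is translated against stale members. `resync_policy_route` follows the same pattern; its body continues outside the hunk.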
@@ -474,19 +481,20 @@ def apply(firewall):
if install_result == 1:
raise ConfigError(f'Failed to apply firewall: {output}')
+ apply_sysfs(firewall)
+
+ if firewall['group_resync']:
+ resync_nat()
+ resync_policy_route()
+
# T970 Enable a resolver (systemd daemon) that checks
- # domain-group addresses and update entries for domains by timeout
+ # domain-group/fqdn addresses and update entries for domains by timeout
# If router loaded without internet connection or for synchronization
domain_action = 'stop'
if dict_search_args(firewall, 'group', 'domain_group') or firewall['ip_fqdn'] or firewall['ip6_fqdn']:
domain_action = 'restart'
call(f'systemctl {domain_action} vyos-domain-resolver.service')
- apply_sysfs(firewall)
-
- if firewall['policy_resync']:
- resync_policy_route()
-
if firewall['geoip_updated']:
# Call helper script to Update set contents
if 'name' in firewall['geoip_updated'] or 'ipv6_name' in firewall['geoip_updated']:
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 978c043e9..9f8221514 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -32,6 +32,7 @@ from vyos.util import cmd
from vyos.util import run
from vyos.util import check_kmod
from vyos.util import dict_search
+from vyos.util import dict_search_args
from vyos.validate import is_addr_assigned
from vyos.xml import defaults
from vyos import ConfigError
@@ -47,6 +48,13 @@ else:
nftables_nat_config = '/run/nftables_nat.conf'
nftables_static_nat_conf = '/run/nftables_static-nat-rules.nft'
+valid_groups = [
+ 'address_group',
+ 'domain_group',
+ 'network_group',
+ 'port_group'
+]
+
def get_handler(json, chain, target):
""" Get nftable rule handler number of given chain/target combination.
Handler is required when adding NAT/Conntrack helper targets """
@@ -60,7 +68,7 @@ def get_handler(json, chain, target):
return None
-def verify_rule(config, err_msg):
+def verify_rule(config, err_msg, groups_dict):
""" Common verify steps used for both source and destination NAT """
if (dict_search('translation.port', config) != None or
@@ -78,6 +86,45 @@ def verify_rule(config, err_msg):
'statically maps a whole network of addresses onto another\n' \
'network of addresses')
+ for side in ['destination', 'source']:
+ if side in config:
+ side_conf = config[side]
+
+ if len({'address', 'fqdn'} & set(side_conf)) > 1:
+ raise ConfigError('Only one of address, fqdn or geoip can be specified')
+
+ if 'group' in side_conf:
+ if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
+ raise ConfigError('Only one address-group, network-group or domain-group can be specified')
+
+ for group in valid_groups:
+ if group in side_conf['group']:
+ group_name = side_conf['group'][group]
+ error_group = group.replace("_", "-")
+
+ if group in ['address_group', 'network_group', 'domain_group']:
+ types = [t for t in ['address', 'fqdn'] if t in side_conf]
+ if types:
+ raise ConfigError(f'{error_group} and {types[0]} cannot both be defined')
+
+ if group_name and group_name[0] == '!':
+ group_name = group_name[1:]
+
+ group_obj = dict_search_args(groups_dict, group, group_name)
+
+ if group_obj is None:
+ raise ConfigError(f'Invalid {error_group} "{group_name}" on firewall rule')
+
+ if not group_obj:
+ Warning(f'{error_group} "{group_name}" has no members!')
+
+ if dict_search_args(side_conf, 'group', 'port_group'):
+ if 'protocol' not in config:
+ raise ConfigError('Protocol must be defined if specifying a port-group')
+
+ if config['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+ raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port-group')
+
def get_config(config=None):
if config:
conf = config
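Review bot: An empty group only produces `Warning` on the added `if not group_obj` lines, but a negated reference to an empty set (`ip saddr != @A_name`) matches every packet in nftables, so a masquerade or DNAT rule written against a not-yet-populated group — notably a domain-group, whose members arrive asynchronously from the resolver — translates all traffic until the set fills. Raise `ConfigError` when the reference is negated and the group is empty, or at minimum spell out that consequence in the warning text. Separately, the message on the `{'address', 'fqdn'}` check reads `Only one of address, fqdn or geoip can be specified` while the set it tests has no `geoip`; drop `geoip` from the message or add it to the set, whichever the NAT schema actually supports.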
@@ -105,16 +152,20 @@ def get_config(config=None):
condensed_json = jmespath.search(pattern, nftable_json)
if not conf.exists(base):
- nat['helper_functions'] = 'remove'
-
- # Retrieve current table handler positions
- nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER')
- nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK')
- nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYOS_CT_HELPER')
- nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'NAT_CONNTRACK')
+ if get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER'):
+ nat['helper_functions'] = 'remove'
+
+ # Retrieve current table handler positions
+ nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER')
+ nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK')
+ nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYOS_CT_HELPER')
+ nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'NAT_CONNTRACK')
nat['deleted'] = ''
return nat
+ nat['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True,
+ no_tag_node_value_mangle=True)
+
# check if NAT connection tracking helpers need to be set up - this has to
# be done only once
if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'):
@@ -157,7 +208,7 @@ def verify(nat):
Warning(f'IP address {ip} does not exist on the system!')
# common rule verification
- verify_rule(config, err_msg)
+ verify_rule(config, err_msg, nat['firewall_group'])
if dict_search('destination.rule', nat):
@@ -175,7 +226,7 @@ def verify(nat):
raise ConfigError(f'{err_msg} translation requires address and/or port')
# common rule verification
- verify_rule(config, err_msg)
+ verify_rule(config, err_msg, nat['firewall_group'])
if dict_search('static.rule', nat):
for rule, config in dict_search('static.rule', nat).items():
@@ -186,7 +237,7 @@ def verify(nat):
'inbound-interface not specified')
# common rule verification
- verify_rule(config, err_msg)
+ verify_rule(config, err_msg, nat['firewall_group'])
return None
diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
index 2f71f15db..035c208b2 100755
--- a/src/helpers/vyos-domain-resolver.py
+++ b/src/helpers/vyos-domain-resolver.py
@@ -37,6 +37,7 @@ domain_state = {}
ipv4_tables = {
'ip mangle',
'ip vyos_filter',
+ 'ip vyos_nat'
}
ipv6_tables = {
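Review bot: Adding `'ip vyos_nat'` to `ipv4_tables` makes the resolver address that table on every refresh, but the table exists only while NAT is configured, and nothing in this hunk shows whether the update path tolerates a missing table; if it runs `nft` per table and treats a non-zero exit as fatal, a firewall with domain-groups and no NAT would lose resolution for `vyos_filter` too. Confirm that the loop consuming `ipv4_tables` (outside this hunk) skips absent tables, or guard the new entry with a `nft list table ip vyos_nat` existence check. A trailing comma after the new element would also keep the next addition a one-line diff.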
--
cgit v1.2.3
From 586b24e0af1ae57c47c772229fc94ab50dfc1e4f Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Wed, 2 Nov 2022 15:32:11 +0100
Subject: policy: T2199: T4605: Migrate policy route interface to `policy
route|route6 interface `
* Include refactor to policy route to allow for deletion of mangle table instead of complex cleanup
* T4605: Rename mangle table to vyos_mangle
---
data/templates/firewall/nftables-policy.j2 | 31 +++--
.../include/interface/interface-policy-vif-c.xml.i | 26 ----
.../include/interface/interface-policy-vif.xml.i | 26 ----
.../include/interface/interface-policy.xml.i | 26 ----
.../include/interface/vif-s.xml.i | 2 -
interface-definitions/include/interface/vif.xml.i | 1 -
.../include/version/policy-version.xml.i | 2 +-
interface-definitions/interfaces-bonding.xml.in | 1 -
interface-definitions/interfaces-bridge.xml.in | 1 -
interface-definitions/interfaces-dummy.xml.in | 1 -
interface-definitions/interfaces-ethernet.xml.in | 1 -
interface-definitions/interfaces-geneve.xml.in | 1 -
interface-definitions/interfaces-input.xml.in | 1 -
interface-definitions/interfaces-l2tpv3.xml.in | 1 -
interface-definitions/interfaces-macsec.xml.in | 1 -
interface-definitions/interfaces-openvpn.xml.in | 1 -
interface-definitions/interfaces-pppoe.xml.in | 1 -
.../interfaces-pseudo-ethernet.xml.in | 1 -
interface-definitions/interfaces-tunnel.xml.in | 1 -
interface-definitions/interfaces-vti.xml.in | 1 -
interface-definitions/interfaces-vxlan.xml.in | 1 -
interface-definitions/interfaces-wireguard.xml.in | 1 -
interface-definitions/interfaces-wireless.xml.in | 1 -
interface-definitions/interfaces-wwan.xml.in | 1 -
interface-definitions/policy-route.xml.in | 2 +
smoketest/scripts/cli/test_policy_route.py | 58 +++++----
src/conf_mode/policy-route-interface.py | 132 ---------------------
src/conf_mode/policy-route.py | 106 +----------------
src/helpers/vyos-domain-resolver.py | 4 +-
src/migration-scripts/policy/4-to-5 | 92 ++++++++++++++
src/op_mode/policy_route.py | 42 +------
31 files changed, 154 insertions(+), 413 deletions(-)
delete mode 100644 interface-definitions/include/interface/interface-policy-vif-c.xml.i
delete mode 100644 interface-definitions/include/interface/interface-policy-vif.xml.i
delete mode 100644 interface-definitions/include/interface/interface-policy.xml.i
delete mode 100755 src/conf_mode/policy-route-interface.py
create mode 100755 src/migration-scripts/policy/4-to-5
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 40118930b..6cb3b2f95 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -2,21 +2,24 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% if cleanup_commands is vyos_defined %}
-{% for command in cleanup_commands %}
-{{ command }}
-{% endfor %}
+{% if first_install is not vyos_defined %}
+delete table ip vyos_mangle
+delete table ip6 vyos_mangle
{% endif %}
-
-table ip mangle {
-{% if first_install is vyos_defined %}
+table ip vyos_mangle {
chain VYOS_PBR_PREROUTING {
type filter hook prerouting priority -150; policy accept;
+{% if route is vyos_defined %}
+{% for route_text, conf in route.items() if conf.interface is vyos_defined %}
+ iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR_{{ route_text }}
+{% endfor %}
+{% endif %}
}
+
chain VYOS_PBR_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
-{% endif %}
+
{% if route is vyos_defined %}
{% for route_text, conf in route.items() %}
chain VYOS_PBR_{{ route_text }} {
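Review bot: The new `iifname { {{ ",".join(conf.interface) }} }` line assumes `conf.interface` is a list; if the `interface` node is not multi-valued, `get_config_dict` hands the template a plain string and `",".join("eth0")` renders `{ e,t,h,0 }`, which nft reads as four interface names. The include that defines the node is in this commit's XML hunk but its name is stripped on this page, so confirm it is the multi variant, or make the template defensive with `{{ conf.interface | join(',') if conf.interface is not string else conf.interface }}`. Quoting each name (`"eth0"`) would also keep VLAN sub-interfaces such as `eth0.10` unambiguous to the nft parser. Note too that `delete table ip vyos_mangle` aborts the whole `nft -f` transaction when the table is absent, so `first_install` must reflect whether the table actually exists, not merely whether this is the first commit. The IPv6 hunk below mirrors this line and shares every one of these concerns.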
@@ -32,15 +35,20 @@ table ip mangle {
{{ group_tmpl.groups(firewall_group, False) }}
}
-table ip6 mangle {
-{% if first_install is vyos_defined %}
+table ip6 vyos_mangle {
chain VYOS_PBR6_PREROUTING {
type filter hook prerouting priority -150; policy accept;
+{% if route6 is vyos_defined %}
+{% for route_text, conf in route6.items() if conf.interface is vyos_defined %}
+ iifname { {{ ",".join(conf.interface) }} } counter jump VYOS_PBR6_{{ route_text }}
+{% endfor %}
+{% endif %}
}
+
chain VYOS_PBR6_POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
-{% endif %}
+
{% if route6 is vyos_defined %}
{% for route_text, conf in route6.items() %}
chain VYOS_PBR6_{{ route_text }} {
@@ -52,5 +60,6 @@ table ip6 mangle {
}
{% endfor %}
{% endif %}
+
{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/interface-definitions/include/interface/interface-policy-vif-c.xml.i b/interface-definitions/include/interface/interface-policy-vif-c.xml.i
deleted file mode 100644
index 866fcd5c0..000000000
--- a/interface-definitions/include/interface/interface-policy-vif-c.xml.i
+++ /dev/null
@@ -1,26 +0,0 @@
-
-
-
- 620
- Policy route options
-
-
-
-
- IPv4 policy route ruleset for interface
-
- policy route
-
-
-
-
-
- IPv6 policy route ruleset for interface
-
- policy route6
-
-
-
-
-
-
diff --git a/interface-definitions/include/interface/interface-policy-vif.xml.i b/interface-definitions/include/interface/interface-policy-vif.xml.i
deleted file mode 100644
index 83510fe59..000000000
--- a/interface-definitions/include/interface/interface-policy-vif.xml.i
+++ /dev/null
@@ -1,26 +0,0 @@
-
-
-
- 620
- Policy route options
-
-
-
-
- IPv4 policy route ruleset for interface
-
- policy route
-
-
-
-
-
- IPv6 policy route ruleset for interface
-
- policy route6
-
-
-
-
-
-
diff --git a/interface-definitions/include/interface/interface-policy.xml.i b/interface-definitions/include/interface/interface-policy.xml.i
deleted file mode 100644
index 42a8fd009..000000000
--- a/interface-definitions/include/interface/interface-policy.xml.i
+++ /dev/null
@@ -1,26 +0,0 @@
-
-
-
- 620
- Policy route options
-
-
-
-
- IPv4 policy route ruleset for interface
-
- policy route
-
-
-
-
-
- IPv6 policy route ruleset for interface
-
- policy route6
-
-
-
-
-
-
diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i
index 916349ade..6d50d7238 100644
--- a/interface-definitions/include/interface/vif-s.xml.i
+++ b/interface-definitions/include/interface/vif-s.xml.i
@@ -18,7 +18,6 @@
#include
#include
#include
- #include
Protocol used for service VLAN (default: 802.1ad)
@@ -67,7 +66,6 @@
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i
index 73a8c98ff..3f8f113ea 100644
--- a/interface-definitions/include/interface/vif.xml.i
+++ b/interface-definitions/include/interface/vif.xml.i
@@ -18,7 +18,6 @@
#include
#include
#include
- #include
VLAN egress QoS
diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i
index 89bde20c7..f1494eaa3 100644
--- a/interface-definitions/include/version/policy-version.xml.i
+++ b/interface-definitions/include/version/policy-version.xml.i
@@ -1,3 +1,3 @@
-
+
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 41e4a68a8..96e0e5d89 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -56,7 +56,6 @@
#include
#include
#include
- #include
Bonding transmit hash policy
diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in
index d633077d9..d52e213b6 100644
--- a/interface-definitions/interfaces-bridge.xml.in
+++ b/interface-definitions/interfaces-bridge.xml.in
@@ -41,7 +41,6 @@
#include
#include
#include
- #include
Forwarding delay
diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in
index fb36741f7..eb525b547 100644
--- a/interface-definitions/interfaces-dummy.xml.in
+++ b/interface-definitions/interfaces-dummy.xml.in
@@ -19,7 +19,6 @@
#include
#include
#include
- #include
IPv4 routing parameters
diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in
index 77f130e1c..e9ae0acfe 100644
--- a/interface-definitions/interfaces-ethernet.xml.in
+++ b/interface-definitions/interfaces-ethernet.xml.in
@@ -31,7 +31,6 @@
#include
#include
- #include
Duplex mode
diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in
index b959c787d..f8e9909f8 100644
--- a/interface-definitions/interfaces-geneve.xml.in
+++ b/interface-definitions/interfaces-geneve.xml.in
@@ -23,7 +23,6 @@
#include
#include
#include
- #include
GENEVE tunnel parameters
diff --git a/interface-definitions/interfaces-input.xml.in b/interface-definitions/interfaces-input.xml.in
index d01c760f8..97502d954 100644
--- a/interface-definitions/interfaces-input.xml.in
+++ b/interface-definitions/interfaces-input.xml.in
@@ -19,7 +19,6 @@
#include
#include
- #include
#include
diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in
index bde68dd5a..0ebc3253d 100644
--- a/interface-definitions/interfaces-l2tpv3.xml.in
+++ b/interface-definitions/interfaces-l2tpv3.xml.in
@@ -32,7 +32,6 @@
5000
#include
- #include
Encapsulation type
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 5c9f4cd76..441236ec2 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -21,7 +21,6 @@
#include
#include
#include
- #include
#include
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index 3876e31da..7cfb9ee7a 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -34,7 +34,6 @@
#include
- #include
OpenVPN interface device-type
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 84f76a7ee..719060fa9 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -19,7 +19,6 @@
#include
#include
#include
- #include
#include
#include
#include
diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in
index 4eb9bf111..2fe07ffd5 100644
--- a/interface-definitions/interfaces-pseudo-ethernet.xml.in
+++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in
@@ -28,7 +28,6 @@
#include
#include
#include
- #include
Receive mode (default: private)
diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in
index fe49d337a..333a5b178 100644
--- a/interface-definitions/interfaces-tunnel.xml.in
+++ b/interface-definitions/interfaces-tunnel.xml.in
@@ -29,7 +29,6 @@
#include
#include
#include
- #include
6rd network prefix
diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in
index eeaea0dc3..11f001dc0 100644
--- a/interface-definitions/interfaces-vti.xml.in
+++ b/interface-definitions/interfaces-vti.xml.in
@@ -25,7 +25,6 @@
#include
#include
#include
- #include
diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in
index 4902ff36d..331f930d3 100644
--- a/interface-definitions/interfaces-vxlan.xml.in
+++ b/interface-definitions/interfaces-vxlan.xml.in
@@ -54,7 +54,6 @@
#include
#include
#include
- #include
1450
diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in
index 23f50d146..35e223588 100644
--- a/interface-definitions/interfaces-wireguard.xml.in
+++ b/interface-definitions/interfaces-wireguard.xml.in
@@ -21,7 +21,6 @@
#include
#include
#include
- #include
#include
1420
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index 9e7fc29bc..5271df624 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
@@ -20,7 +20,6 @@
#include
- #include
HT and VHT capabilities for your card
diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in
index b0b8367dc..758784540 100644
--- a/interface-definitions/interfaces-wwan.xml.in
+++ b/interface-definitions/interfaces-wwan.xml.in
@@ -39,7 +39,6 @@
#include
#include
#include
- #include
#include
#include
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index 44b96c2e6..48a5bf7d1 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -12,6 +12,7 @@
#include
+ #include
#include
@@ -65,6 +66,7 @@
#include
+ #include
#include
diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py
index 046e385bb..11b3c678e 100755
--- a/smoketest/scripts/cli/test_policy_route.py
+++ b/smoketest/scripts/cli/test_policy_route.py
@@ -42,18 +42,25 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
super(TestPolicyRoute, cls).tearDownClass()
def tearDown(self):
- self.cli_delete(['interfaces', 'ethernet', interface, 'policy'])
self.cli_delete(['policy', 'route'])
self.cli_delete(['policy', 'route6'])
self.cli_commit()
+ # Verify nftables cleanup
nftables_search = [
['set N_smoketest_network'],
['set N_smoketest_network1'],
['chain VYOS_PBR_smoketest']
]
- self.verify_nftables(nftables_search, 'ip mangle', inverse=True)
+ self.verify_nftables(nftables_search, 'ip vyos_mangle', inverse=True)
+
+ # Verify ip rule cleanup
+ ip_rule_search = [
+ ['fwmark ' + hex(table_mark_offset - int(table_id)), 'lookup ' + table_id]
+ ]
+
+ self.verify_rules(ip_rule_search, inverse=True)
def verify_nftables(self, nftables_search, table, inverse=False):
nftables_output = cmd(f'sudo nft list table {table}')
@@ -66,6 +73,17 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
break
self.assertTrue(not matched if inverse else matched, msg=search)
+ def verify_rules(self, rules_search, inverse=False):
+ rule_output = cmd('ip rule show')
+
+ for search in rules_search:
+ matched = False
+ for line in rule_output.split("\n"):
+ if all(item in line for item in search):
+ matched = True
+ break
+ self.assertTrue(not matched if inverse else matched, msg=search)
+
def test_pbr_group(self):
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network', 'network', '172.16.99.0/24'])
self.cli_set(['firewall', 'group', 'network-group', 'smoketest_network1', 'network', '172.16.101.0/24'])
@@ -74,8 +92,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'source', 'group', 'network-group', 'smoketest_network'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'group', 'network-group', 'smoketest_network1'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'mark', mark])
-
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest'])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
self.cli_commit()
@@ -84,7 +101,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['ip daddr @N_smoketest_network1', 'ip saddr @N_smoketest_network'],
]
- self.verify_nftables(nftables_search, 'ip mangle')
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
self.cli_delete(['firewall'])
@@ -92,8 +109,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'source', 'address', '172.16.20.10'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10'])
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'mark', mark])
-
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest'])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
self.cli_commit()
@@ -104,7 +120,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'meta mark set ' + mark_hex],
]
- self.verify_nftables(nftables_search, 'ip mangle')
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
def test_pbr_table(self):
self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'protocol', 'tcp'])
@@ -116,8 +132,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'destination', 'port', '8888'])
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'set', 'table', table_id])
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest'])
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route6', 'smoketest6'])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
+ self.cli_set(['policy', 'route6', 'smoketest6', 'interface', interface])
self.cli_commit()
@@ -130,7 +146,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['tcp flags syn / syn,ack', 'tcp dport 8888', 'meta mark set ' + mark_hex]
]
- self.verify_nftables(nftables_search, 'ip mangle')
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
# IPv6
@@ -139,7 +155,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['meta l4proto { tcp, udp }', 'th dport 8888', 'meta mark set ' + mark_hex]
]
- self.verify_nftables(nftables6_search, 'ip6 mangle')
+ self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
# IP rule fwmark -> table
@@ -147,15 +163,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['fwmark ' + hex(table_mark_offset - int(table_id)), 'lookup ' + table_id]
]
- ip_rule_output = cmd('ip rule show')
-
- for search in ip_rule_search:
- matched = False
- for line in ip_rule_output.split("\n"):
- if all(item in line for item in search):
- matched = True
- break
- self.assertTrue(matched)
+ self.verify_rules(ip_rule_search)
def test_pbr_matching_criteria(self):
@@ -203,8 +211,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '5', 'dscp-exclude', '14-19'])
self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '5', 'set', 'table', table_id])
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest'])
- self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route6', 'smoketest6'])
+ self.cli_set(['policy', 'route', 'smoketest', 'interface', interface])
+ self.cli_set(['policy', 'route6', 'smoketest6', 'interface', interface])
self.cli_commit()
@@ -220,7 +228,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['ip dscp { 0x29, 0x39-0x3b }', 'meta mark set ' + mark_hex]
]
- self.verify_nftables(nftables_search, 'ip mangle')
+ self.verify_nftables(nftables_search, 'ip vyos_mangle')
# IPv6
nftables6_search = [
@@ -232,7 +240,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase):
['ip6 dscp != { 0x0e-0x13, 0x3d }', 'meta mark set ' + mark_hex]
]
- self.verify_nftables(nftables6_search, 'ip6 mangle')
+ self.verify_nftables(nftables6_search, 'ip6 vyos_mangle')
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/policy-route-interface.py b/src/conf_mode/policy-route-interface.py
deleted file mode 100755
index 58c5fd93d..000000000
--- a/src/conf_mode/policy-route-interface.py
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-import os
-import re
-
-from sys import argv
-from sys import exit
-
-from vyos.config import Config
-from vyos.ifconfig import Section
-from vyos.template import render
-from vyos.util import cmd
-from vyos.util import run
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
-
- ifname = argv[1]
- ifpath = Section.get_config_path(ifname)
- if_policy_path = f'interfaces {ifpath} policy'
-
- if_policy = conf.get_config_dict(if_policy_path, key_mangling=('-', '_'), get_first_key=True,
- no_tag_node_value_mangle=True)
-
- if_policy['ifname'] = ifname
- if_policy['policy'] = conf.get_config_dict(['policy'], key_mangling=('-', '_'), get_first_key=True,
- no_tag_node_value_mangle=True)
-
- return if_policy
-
-def verify_chain(table, chain):
- # Verify policy route applied
- code = run(f'nft list chain {table} {chain}')
- return code == 0
-
-def verify(if_policy):
- # bail out early - looks like removal from running config
- if not if_policy:
- return None
-
- for route in ['route', 'route6']:
- if route in if_policy:
- if route not in if_policy['policy']:
- raise ConfigError('Policy route not configured')
-
- route_name = if_policy[route]
-
- if route_name not in if_policy['policy'][route]:
- raise ConfigError(f'Invalid policy route name "{name}"')
-
- nft_prefix = 'VYOS_PBR6_' if route == 'route6' else 'VYOS_PBR_'
- nft_table = 'ip6 mangle' if route == 'route6' else 'ip mangle'
-
- if not verify_chain(nft_table, nft_prefix + route_name):
- raise ConfigError('Policy route did not apply')
-
- return None
-
-def generate(if_policy):
- return None
-
-def cleanup_rule(table, chain, ifname, new_name=None):
- results = cmd(f'nft -a list chain {table} {chain}').split("\n")
- retval = None
- for line in results:
- if f'ifname "{ifname}"' in line:
- if new_name and f'jump {new_name}' in line:
- # new_name is used to clear rules for any previously referenced chains
- # returns true when rule exists and doesn't need to be created
- retval = True
- continue
-
- handle_search = re.search('handle (\d+)', line)
- if handle_search:
- cmd(f'nft delete rule {table} {chain} handle {handle_search[1]}')
- return retval
-
-def apply(if_policy):
- ifname = if_policy['ifname']
-
- route_chain = 'VYOS_PBR_PREROUTING'
- ipv6_route_chain = 'VYOS_PBR6_PREROUTING'
-
- if 'route' in if_policy:
- name = 'VYOS_PBR_' + if_policy['route']
- rule_exists = cleanup_rule('ip mangle', route_chain, ifname, name)
-
- if not rule_exists:
- cmd(f'nft insert rule ip mangle {route_chain} iifname {ifname} counter jump {name}')
- else:
- cleanup_rule('ip mangle', route_chain, ifname)
-
- if 'route6' in if_policy:
- name = 'VYOS_PBR6_' + if_policy['route6']
- rule_exists = cleanup_rule('ip6 mangle', ipv6_route_chain, ifname, name)
-
- if not rule_exists:
- cmd(f'nft insert rule ip6 mangle {ipv6_route_chain} iifname {ifname} counter jump {name}')
- else:
- cleanup_rule('ip6 mangle', ipv6_route_chain, ifname)
-
- return None
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- exit(1)
diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py
index 00539b9c7..1d016695e 100755
--- a/src/conf_mode/policy-route.py
+++ b/src/conf_mode/policy-route.py
@@ -15,7 +15,6 @@
# along with this program. If not, see .
import os
-import re
from json import loads
from sys import exit
@@ -25,7 +24,6 @@ from vyos.config import Config
from vyos.template import render
from vyos.util import cmd
from vyos.util import dict_search_args
-from vyos.util import dict_search_recursive
from vyos.util import run
from vyos import ConfigError
from vyos import airbag
@@ -34,48 +32,13 @@ airbag.enable()
mark_offset = 0x7FFFFFFF
nftables_conf = '/run/nftables_policy.conf'
-ROUTE_PREFIX = 'VYOS_PBR_'
-ROUTE6_PREFIX = 'VYOS_PBR6_'
-
-preserve_chains = [
- 'VYOS_PBR_PREROUTING',
- 'VYOS_PBR_POSTROUTING',
- 'VYOS_PBR6_PREROUTING',
- 'VYOS_PBR6_POSTROUTING'
-]
-
valid_groups = [
'address_group',
+ 'domain_group',
'network_group',
'port_group'
]
-group_set_prefix = {
- 'A_': 'address_group',
- 'A6_': 'ipv6_address_group',
-# 'D_': 'domain_group',
- 'M_': 'mac_group',
- 'N_': 'network_group',
- 'N6_': 'ipv6_network_group',
- 'P_': 'port_group'
-}
-
-def get_policy_interfaces(conf):
- out = {}
- interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'), get_first_key=True,
- no_tag_node_value_mangle=True)
- def find_interfaces(iftype_conf, output={}, prefix=''):
- for ifname, if_conf in iftype_conf.items():
- if 'policy' in if_conf:
- output[prefix + ifname] = if_conf['policy']
- for vif in ['vif', 'vif_s', 'vif_c']:
- if vif in if_conf:
- output.update(find_interfaces(if_conf[vif], output, f'{prefix}{ifname}.'))
- return output
- for iftype, iftype_conf in interfaces.items():
- out.update(find_interfaces(iftype_conf))
- return out
-
def get_config(config=None):
if config:
conf = config
@@ -88,7 +51,6 @@ def get_config(config=None):
policy['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True,
no_tag_node_value_mangle=True)
- policy['interfaces'] = get_policy_interfaces(conf)
return policy
@@ -132,8 +94,8 @@ def verify_rule(policy, name, rule_conf, ipv6, rule_id):
side_conf = rule_conf[side]
if 'group' in side_conf:
- if {'address_group', 'network_group'} <= set(side_conf['group']):
- raise ConfigError('Only one address-group or network-group can be specified')
+ if len({'address_group', 'domain_group', 'network_group'} & set(side_conf['group'])) > 1:
+ raise ConfigError('Only one address-group, domain-group or network-group can be specified')
for group in valid_groups:
if group in side_conf['group']:
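Review bot: The exclusivity check builds the three-name set inline and repeats the same three names by hand in the error string, so the next group type added to `valid_groups` has to be threaded through both places. Hoisting it to a module constant beside `valid_groups`, e.g. `exclusive_groups = {'address_group', 'domain_group', 'network_group'}`, and using it in both the intersection and the message keeps them from drifting; the `len(... & ...) > 1` form itself is correct for the three-way case. The body of verify_rule continues outside the hunk.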
@@ -168,73 +130,11 @@ def verify(policy):
for rule_id, rule_conf in pol_conf['rule'].items():
verify_rule(policy, name, rule_conf, ipv6, rule_id)
- for ifname, if_policy in policy['interfaces'].items():
- name = dict_search_args(if_policy, 'route')
- ipv6_name = dict_search_args(if_policy, 'route6')
-
- if name and not dict_search_args(policy, 'route', name):
- raise ConfigError(f'Policy route "{name}" is still referenced on interface {ifname}')
-
- if ipv6_name and not dict_search_args(policy, 'route6', ipv6_name):
- raise ConfigError(f'Policy route6 "{ipv6_name}" is still referenced on interface {ifname}')
-
return None
-def cleanup_commands(policy):
- commands = []
- commands_chains = []
- commands_sets = []
- for table in ['ip mangle', 'ip6 mangle']:
- route_node = 'route' if table == 'ip mangle' else 'route6'
- chain_prefix = ROUTE_PREFIX if table == 'ip mangle' else ROUTE6_PREFIX
-
- json_str = cmd(f'nft -t -j list table {table}')
- obj = loads(json_str)
- if 'nftables' not in obj:
- continue
- for item in obj['nftables']:
- if 'chain' in item:
- chain = item['chain']['name']
- if chain in preserve_chains or not chain.startswith("VYOS_PBR"):
- continue
-
- if dict_search_args(policy, route_node, chain.replace(chain_prefix, "", 1)) != None:
- commands.append(f'flush chain {table} {chain}')
- else:
- commands_chains.append(f'delete chain {table} {chain}')
-
- if 'rule' in item:
- rule = item['rule']
- chain = rule['chain']
- handle = rule['handle']
-
- if chain not in preserve_chains:
- continue
-
- target, _ = next(dict_search_recursive(rule['expr'], 'target'))
-
- if target.startswith(chain_prefix):
- if dict_search_args(policy, route_node, target.replace(chain_prefix, "", 1)) == None:
- commands.append(f'delete rule {table} {chain} handle {handle}')
-
- if 'set' in item:
- set_name = item['set']['name']
-
- for prefix, group_type in group_set_prefix.items():
- if set_name.startswith(prefix):
- group_name = set_name.replace(prefix, "", 1)
- if dict_search_args(policy, 'firewall_group', group_type, group_name) != None:
- commands_sets.append(f'flush set {table} {set_name}')
- else:
- commands_sets.append(f'delete set {table} {set_name}')
-
- return commands + commands_chains + commands_sets
-
def generate(policy):
if not os.path.exists(nftables_conf):
policy['first_install'] = True
- else:
- policy['cleanup_commands'] = cleanup_commands(policy)
render(nftables_conf, 'firewall/nftables-policy.j2', policy)
return None
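Review bot: With `cleanup_commands` removed, the new-side `generate()` only sets `first_install` and renders the template, so the explicit removal of stale `VYOS_PBR*` chains, their jump rules in the preserved PREROUTING/POSTROUTING chains, and the `A_`/`N_`/`P_` group sets has no visible replacement in this patch. If the template now owns a dedicated `vyos_mangle` table that is deleted or flushed on every render (the resolver hunk renaming `ip mangle` to `ip vyos_mangle` suggests this), that is sufficient; otherwise rules and sets for policies deleted from the configuration stay active in the kernel, which is exactly what the removed code prevented. Please confirm against `firewall/nftables-policy.j2` and record the invariant on `generate()`, e.g. `# stale chains/sets are dropped because the template recreates the whole vyos_mangle table`. The check in `verify()` for interfaces still referencing a deleted route is also gone; that is consistent with the interface reference moving under the policy node, but the replacement validation is not in this hunk.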
diff --git a/src/helpers/vyos-domain-resolver.py b/src/helpers/vyos-domain-resolver.py
index 035c208b2..e31d9238e 100755
--- a/src/helpers/vyos-domain-resolver.py
+++ b/src/helpers/vyos-domain-resolver.py
@@ -35,13 +35,13 @@ cache = False
domain_state = {}
ipv4_tables = {
- 'ip mangle',
+ 'ip vyos_mangle',
'ip vyos_filter',
'ip vyos_nat'
}
ipv6_tables = {
- 'ip6 mangle',
+ 'ip6 vyos_mangle',
'ip6 vyos_filter'
}
diff --git a/src/migration-scripts/policy/4-to-5 b/src/migration-scripts/policy/4-to-5
new file mode 100755
index 000000000..33c9e6ade
--- /dev/null
+++ b/src/migration-scripts/policy/4-to-5
@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2022 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# T2199: Migrate interface policy nodes to policy route interface
+
+import re
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+from vyos.ifconfig import Section
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base4 = ['policy', 'route']
+base6 = ['policy', 'route6']
+config = ConfigTree(config_file)
+
+if not config.exists(base4) and not config.exists(base6):
+ # Nothing to do
+ exit(0)
+
+def migrate_interface(config, iftype, ifname, vif=None, vifs=None, vifc=None):
+ if_path = ['interfaces', iftype, ifname]
+ ifname_full = ifname
+
+ if vif:
+ if_path += ['vif', vif]
+ ifname_full = f'{ifname}.{vif}'
+ elif vifs:
+ if_path += ['vif-s', vifs]
+ ifname_full = f'{ifname}.{vifs}'
+ if vifc:
+ if_path += ['vif-c', vifc]
+ ifname_full = f'{ifname}.{vifs}.{vifc}'
+
+ if not config.exists(if_path + ['policy']):
+ return
+
+ if config.exists(if_path + ['policy', 'route']):
+ route_name = config.return_value(if_path + ['policy', 'route'])
+ config.set(base4 + [route_name, 'interface'], value=ifname_full, replace=False)
+
+ if config.exists(if_path + ['policy', 'route6']):
+ route_name = config.return_value(if_path + ['policy', 'route6'])
+ config.set(base6 + [route_name, 'interface'], value=ifname_full, replace=False)
+
+ config.delete(if_path + ['policy'])
+
+for iftype in config.list_nodes(['interfaces']):
+ for ifname in config.list_nodes(['interfaces', iftype]):
+ migrate_interface(config, iftype, ifname)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif']):
+ for vif in config.list_nodes(['interfaces', iftype, ifname, 'vif']):
+ migrate_interface(config, iftype, ifname, vif=vif)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif-s']):
+ for vifs in config.list_nodes(['interfaces', iftype, ifname, 'vif-s']):
+ migrate_interface(config, iftype, ifname, vifs=vifs)
+
+ if config.exists(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
+ for vifc in config.list_nodes(['interfaces', iftype, ifname, 'vif-s', vifs, 'vif-c']):
+ migrate_interface(config, iftype, ifname, vifs=vifs, vifc=vifc)
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
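Review bot: The argument guard `if (len(argv) < 1):` can never be true, since `argv` always contains the script name, so a missing file name falls through to `argv[1]` and dies with an IndexError instead of the intended message; it should read `if len(argv) < 2:`. `import re` and `Section` are imported but never used in the script. Also, when neither `policy route` nor `policy route6` exists the script exits before walking the interfaces, so any leftover `interfaces ... policy` node is not deleted; that is probably harmless if such a configuration was never valid, but worth confirming since the node is presumably removed from the CLI by this commit.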
diff --git a/src/op_mode/policy_route.py b/src/op_mode/policy_route.py
index 5be40082f..5953786f3 100755
--- a/src/op_mode/policy_route.py
+++ b/src/op_mode/policy_route.py
@@ -22,53 +22,13 @@ from vyos.config import Config
from vyos.util import cmd
from vyos.util import dict_search_args
-def get_policy_interfaces(conf, policy, name=None, ipv6=False):
- interfaces = conf.get_config_dict(['interfaces'], key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
- routes = ['route', 'route6']
-
- def parse_if(ifname, if_conf):
- if 'policy' in if_conf:
- for route in routes:
- if route in if_conf['policy']:
- route_name = if_conf['policy'][route]
- name_str = f'({ifname},{route})'
-
- if not name:
- policy[route][route_name]['interface'].append(name_str)
- elif not ipv6 and name == route_name:
- policy['interface'].append(name_str)
-
- for iftype in ['vif', 'vif_s', 'vif_c']:
- if iftype in if_conf:
- for vifname, vif_conf in if_conf[iftype].items():
- parse_if(f'{ifname}.{vifname}', vif_conf)
-
- for iftype, iftype_conf in interfaces.items():
- for ifname, if_conf in iftype_conf.items():
- parse_if(ifname, if_conf)
-
-def get_config_policy(conf, name=None, ipv6=False, interfaces=True):
+def get_config_policy(conf, name=None, ipv6=False):
config_path = ['policy']
if name:
config_path += ['route6' if ipv6 else 'route', name]
policy = conf.get_config_dict(config_path, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
- if policy and interfaces:
- if name:
- policy['interface'] = []
- else:
- if 'route' in policy:
- for route_name, route_conf in policy['route'].items():
- route_conf['interface'] = []
-
- if 'route6' in policy:
- for route_name, route_conf in policy['route6'].items():
- route_conf['interface'] = []
-
- get_policy_interfaces(conf, policy, name, ipv6)
return policy
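Review bot: Dropping the `interfaces=True` keyword from `get_config_policy`'s signature turns every call site that still passes `interfaces=` into a TypeError; no caller is visible in this hunk, so the op_mode scripts that import this helper should be checked. If outside callers matter, keeping the parameter as an accepted-but-ignored keyword with a comment such as `# interfaces= retained for compatibility; membership now lives under "policy route <name> interface"` avoids the break at no cost.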
--
cgit v1.2.3
From ff8da7dcd5a20c4075d4eeae08e519c3b271517c Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Tue, 29 Nov 2022 07:16:51 +0100
Subject: xml: telegraf: T4680: add missing comment in
listen-address-single.xml.i
---
interface-definitions/include/listen-address-single.xml.i | 1 +
1 file changed, 1 insertion(+)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/listen-address-single.xml.i b/interface-definitions/include/listen-address-single.xml.i
index b5841cabb..30293b338 100644
--- a/interface-definitions/include/listen-address-single.xml.i
+++ b/interface-definitions/include/listen-address-single.xml.i
@@ -1,3 +1,4 @@
+
Local IP addresses to listen on
--
cgit v1.2.3
From fdeb731f831f1f42332e5c5b318cd1016cf98f03 Mon Sep 17 00:00:00 2001
From: fett0
Date: Fri, 2 Dec 2022 17:57:07 +0000
Subject: T4858: Fix l3vpn Route Distinguisher validator
---
interface-definitions/include/bgp/afi-rd.xml.i | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/bgp/afi-rd.xml.i b/interface-definitions/include/bgp/afi-rd.xml.i
index 767502094..beb1447df 100644
--- a/interface-definitions/include/bgp/afi-rd.xml.i
+++ b/interface-definitions/include/bgp/afi-rd.xml.i
@@ -17,7 +17,7 @@
Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)
- ((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}
+
--
cgit v1.2.3
From e4befa4987404aecc83e3e48b3d52dd4b64f7d99 Mon Sep 17 00:00:00 2001
From: fett0
Date: Fri, 2 Dec 2022 21:38:36 +0000
Subject: T4854: route reflector allows to apply route-maps
---
data/templates/frr/bgpd.frr.j2 | 3 +++
interface-definitions/include/bgp/protocol-common-config.xml.i | 6 ++++++
smoketest/scripts/cli/test_protocols_bgp.py | 2 ++
3 files changed, 11 insertions(+)
(limited to 'interface-definitions/include')
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index e8d135c78..5febd7c66 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -517,6 +517,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% if parameters.network_import_check is vyos_defined %}
bgp network import-check
{% endif %}
+{% if parameters.route_reflector_allow_outbound_policy is vyos_defined %}
+bgp route-reflector allow-outbound-policy
+{% endif %}
{% if parameters.no_client_to_client_reflection is vyos_defined %}
no bgp client-to-client reflection
{% endif %}
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index 70176144d..fe192434d 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -1431,6 +1431,12 @@
+
+
+ Route reflector client allow policy outbound
+
+
+
Disable client to client route reflection
diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py
index d2dad8c1a..debc8270c 100755
--- a/smoketest/scripts/cli/test_protocols_bgp.py
+++ b/smoketest/scripts/cli/test_protocols_bgp.py
@@ -294,6 +294,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.cli_set(base_path + ['parameters', 'minimum-holdtime', min_hold_time])
self.cli_set(base_path + ['parameters', 'no-suppress-duplicates'])
self.cli_set(base_path + ['parameters', 'reject-as-sets'])
+ self.cli_set(base_path + ['parameters', 'route-reflector-allow-outbound-policy'])
self.cli_set(base_path + ['parameters', 'shutdown'])
self.cli_set(base_path + ['parameters', 'suppress-fib-pending'])
@@ -322,6 +323,7 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase):
self.assertIn(f' bgp bestpath peer-type multipath-relax', frrconfig)
self.assertIn(f' bgp minimum-holdtime {min_hold_time}', frrconfig)
self.assertIn(f' bgp reject-as-sets', frrconfig)
+ self.assertIn(f' bgp route-reflector allow-outbound-policy', frrconfig)
self.assertIn(f' bgp shutdown', frrconfig)
self.assertIn(f' bgp suppress-fib-pending', frrconfig)
self.assertNotIn(f'bgp ebgp-requires-policy', frrconfig)
--
cgit v1.2.3
From a52a52c433d43e4df986fdb7192d9a8357df446a Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 11 Dec 2022 19:32:02 +0100
Subject: xml: ddns: T4792: split "server" CLI node into building block
---
interface-definitions/dns-dynamic.xml.in | 14 +-------------
interface-definitions/include/server-ipv4-fqdn.xml.i | 15 +++++++++++++++
2 files changed, 16 insertions(+), 13 deletions(-)
create mode 100644 interface-definitions/include/server-ipv4-fqdn.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in
index e41ba7f60..a39e412b2 100644
--- a/interface-definitions/dns-dynamic.xml.in
+++ b/interface-definitions/dns-dynamic.xml.in
@@ -237,19 +237,7 @@
Please choose from the list of allowed protocols
-
-
- Server to send DDNS update to
-
- IPv4
- IP address of DDNS server
-
-
- FQDN
- Hostname of DDNS server
-
-
-
+ #include
DNS zone to update (only available with CloudFlare)
diff --git a/interface-definitions/include/server-ipv4-fqdn.xml.i b/interface-definitions/include/server-ipv4-fqdn.xml.i
new file mode 100644
index 000000000..7bab9812c
--- /dev/null
+++ b/interface-definitions/include/server-ipv4-fqdn.xml.i
@@ -0,0 +1,15 @@
+
+
+
+ Remote server to connect to
+
+ ipv4
+ Server IPv4 address
+
+
+ hostname
+ Server hostname/FQDN
+
+
+
+
--
cgit v1.2.3
From 9fe2353ee85fda18c181dab973cbcde6d2294e6c Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 11 Dec 2022 19:33:08 +0100
Subject: pppoe: xml: T4792: split "no-peer-dns" CLI node into building block
---
interface-definitions/include/interface/no-peer-dns.xml.i | 8 ++++++++
interface-definitions/interfaces-pppoe.xml.in | 7 +------
2 files changed, 9 insertions(+), 6 deletions(-)
create mode 100644 interface-definitions/include/interface/no-peer-dns.xml.i
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/interface/no-peer-dns.xml.i b/interface-definitions/include/interface/no-peer-dns.xml.i
new file mode 100644
index 000000000..d663f04c1
--- /dev/null
+++ b/interface-definitions/include/interface/no-peer-dns.xml.i
@@ -0,0 +1,8 @@
+
+
+
+ Do not use DNS servers provided by the peer
+
+
+
+
diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in
index 719060fa9..35c4889ea 100644
--- a/interface-definitions/interfaces-pppoe.xml.in
+++ b/interface-definitions/interfaces-pppoe.xml.in
@@ -82,12 +82,7 @@
1492
-
-
- Do not use DNS servers provided by the peer
-
-
-
+ #include
IPv4 address of remote end of the PPPoE link
--
cgit v1.2.3
From 046bb9ccd56ac5e97c638bb4a9ca856d3d36026a Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Tue, 13 Dec 2022 12:09:03 -0600
Subject: validators: T4798: replace python file-exists validator with
file-path
---
interface-definitions/include/certificate-ca.xml.i | 2 +-
.../include/certificate-key.xml.i | 2 +-
interface-definitions/include/certificate.xml.i | 2 +-
interface-definitions/protocols-rpki.xml.in | 6 +--
src/validators/file-exists | 61 ----------------------
5 files changed, 6 insertions(+), 67 deletions(-)
delete mode 100755 src/validators/file-exists
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/certificate-ca.xml.i b/interface-definitions/include/certificate-ca.xml.i
index b97378658..3cde2a48d 100644
--- a/interface-definitions/include/certificate-ca.xml.i
+++ b/interface-definitions/include/certificate-ca.xml.i
@@ -7,7 +7,7 @@
File in /config/auth directory
-
+
diff --git a/interface-definitions/include/certificate-key.xml.i b/interface-definitions/include/certificate-key.xml.i
index 1db9dd069..2c4d81fbb 100644
--- a/interface-definitions/include/certificate-key.xml.i
+++ b/interface-definitions/include/certificate-key.xml.i
@@ -7,7 +7,7 @@
File in /config/auth directory
-
+
diff --git a/interface-definitions/include/certificate.xml.i b/interface-definitions/include/certificate.xml.i
index fb5be45cc..6a5b2936c 100644
--- a/interface-definitions/include/certificate.xml.i
+++ b/interface-definitions/include/certificate.xml.i
@@ -7,7 +7,7 @@
File in /config/auth directory
-
+
diff --git a/interface-definitions/protocols-rpki.xml.in b/interface-definitions/protocols-rpki.xml.in
index 4535d3990..0098cacb6 100644
--- a/interface-definitions/protocols-rpki.xml.in
+++ b/interface-definitions/protocols-rpki.xml.in
@@ -51,7 +51,7 @@
RPKI SSH known hosts file
-
+
@@ -59,7 +59,7 @@
RPKI SSH private key file
-
+
@@ -67,7 +67,7 @@
RPKI SSH public key file path
-
+
diff --git a/src/validators/file-exists b/src/validators/file-exists
deleted file mode 100755
index 5cef6b199..000000000
--- a/src/validators/file-exists
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2019 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# Description:
-# Check if a given file exists on the system. Used for files that
-# are referenced from the CLI and need to be preserved during an image upgrade.
-# Warn the user if these aren't under /config
-
-import os
-import sys
-import argparse
-
-
-def exit(strict, message):
- if strict:
- sys.exit(f'ERROR: {message}')
- print(f'WARNING: {message}', file=sys.stderr)
- sys.exit()
-
-
-if __name__ == '__main__':
- parser = argparse.ArgumentParser()
- parser.add_argument("-d", "--directory", type=str, help="File must be present in this directory.")
- parser.add_argument("-e", "--error", action="store_true", help="Tread warnings as errors - change exit code to '1'")
- parser.add_argument("file", type=str, help="Path of file to validate")
-
- args = parser.parse_args()
-
- #
- # Always check if the given file exists
- #
- if not os.path.exists(args.file):
- exit(args.error, f"File '{args.file}' not found")
-
- #
- # Optional check if the file is under a certain directory path
- #
- if args.directory:
- # remove directory path from path to verify
- rel_filename = args.file.replace(args.directory, '').lstrip('/')
-
- if not os.path.exists(args.directory + '/' + rel_filename):
- exit(args.error,
- f"'{args.file}' lies outside of '{args.directory}' directory.\n"
- "It will not get preserved during image upgrade!"
- )
-
- sys.exit()
--
cgit v1.2.3
From f0bc6c62016d285f0645c4b3ba8b1451c40c637f Mon Sep 17 00:00:00 2001
From: John Estabrook
Date: Mon, 12 Dec 2022 15:06:08 -0600
Subject: validators: T4875: use file-path to replace validator
'interface-name'
---
interface-definitions/dns-domain-name.xml.in | 2 +-
interface-definitions/high-availability.xml.in | 2 +-
.../include/bgp/neighbor-update-source.xml.i | 2 +-
.../include/bgp/protocol-common-config.xml.i | 2 +-
.../include/constraint/interface-name.xml.in | 4 +++
interface-definitions/include/dhcp-interface.xml.i | 2 +-
.../include/generic-interface-broadcast.xml.i | 2 +-
.../generic-interface-multi-broadcast.xml.i | 2 +-
.../include/generic-interface-multi.xml.i | 2 +-
.../include/generic-interface.xml.i | 2 +-
.../include/interface/redirect.xml.i | 2 +-
.../include/ospf/protocol-common-config.xml.i | 2 +-
.../include/ospfv3/protocol-common-config.xml.i | 2 +-
interface-definitions/include/rip/interface.xml.i | 2 +-
.../include/routing-passive-interface.xml.i | 2 +-
.../include/source-interface.xml.i | 2 +-
.../include/static/static-route-interface.xml.i | 2 +-
.../include/static/static-route.xml.i | 2 +-
.../include/static/static-route6.xml.i | 2 +-
interface-definitions/interfaces-bonding.xml.in | 4 +--
interface-definitions/protocols-rip.xml.in | 2 +-
interface-definitions/protocols-ripng.xml.in | 2 +-
interface-definitions/protocols-static-arp.xml.in | 2 +-
interface-definitions/qos.xml.in | 2 +-
interface-definitions/service-upnp.xml.in | 4 +--
src/validators/interface-name | 34 ----------------------
26 files changed, 30 insertions(+), 60 deletions(-)
create mode 100644 interface-definitions/include/constraint/interface-name.xml.in
delete mode 100755 src/validators/interface-name
(limited to 'interface-definitions/include')
diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in
index 70b2fb271..9aca38735 100644
--- a/interface-definitions/dns-domain-name.xml.in
+++ b/interface-definitions/dns-domain-name.xml.in
@@ -25,7 +25,7 @@
-
+ #include
diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in
index 0631acdda..784e51151 100644
--- a/interface-definitions/high-availability.xml.in
+++ b/interface-definitions/high-availability.xml.in
@@ -199,7 +199,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/bgp/neighbor-update-source.xml.i b/interface-definitions/include/bgp/neighbor-update-source.xml.i
index 37faf2cce..60c127e8f 100644
--- a/interface-definitions/include/bgp/neighbor-update-source.xml.i
+++ b/interface-definitions/include/bgp/neighbor-update-source.xml.i
@@ -22,7 +22,7 @@
-
+ #include
diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i
index fe192434d..366630f78 100644
--- a/interface-definitions/include/bgp/protocol-common-config.xml.i
+++ b/interface-definitions/include/bgp/protocol-common-config.xml.i
@@ -926,7 +926,7 @@
-
+ #include
diff --git a/interface-definitions/include/constraint/interface-name.xml.in b/interface-definitions/include/constraint/interface-name.xml.in
new file mode 100644
index 000000000..2d1f7b757
--- /dev/null
+++ b/interface-definitions/include/constraint/interface-name.xml.in
@@ -0,0 +1,4 @@
+
+(bond|br|dum|en|ersp|eth|gnv|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo
+
+
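Review bot: In the new pattern the sub-interface suffix group `(.\d+)?` uses an unescaped `.`, so any single character followed by digits is accepted as a VLAN suffix (a constructed example: `eth0x1`); the deleted validator had the same slip, but since this regex now becomes the only check on interface names it should be `(\.\d+)?`. Whether the pattern is applied anchored depends on the consuming validator, which is not visible here; if it is not, the `|lo` alternative matches any name containing `lo`, so the file should either carry `^...$` or the anchoring should be confirmed. Note also that the deleted script additionally accepted any name present under `/sys/class/net`, a fallback the regex cannot reproduce, so names outside the list (including the newly listed `veth`) are now decided purely by this pattern; that seems intended but deserves a line in the commit message.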
diff --git a/interface-definitions/include/dhcp-interface.xml.i b/interface-definitions/include/dhcp-interface.xml.i
index 939b45f15..f5107ba2b 100644
--- a/interface-definitions/include/dhcp-interface.xml.i
+++ b/interface-definitions/include/dhcp-interface.xml.i
@@ -9,7 +9,7 @@
DHCP interface name
-
+ #include
diff --git a/interface-definitions/include/generic-interface-broadcast.xml.i b/interface-definitions/include/generic-interface-broadcast.xml.i
index 6f76dde1a..af35a888b 100644
--- a/interface-definitions/include/generic-interface-broadcast.xml.i
+++ b/interface-definitions/include/generic-interface-broadcast.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/generic-interface-multi-broadcast.xml.i b/interface-definitions/include/generic-interface-multi-broadcast.xml.i
index 00638f3b7..1ae38fb43 100644
--- a/interface-definitions/include/generic-interface-multi-broadcast.xml.i
+++ b/interface-definitions/include/generic-interface-multi-broadcast.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/generic-interface-multi.xml.i b/interface-definitions/include/generic-interface-multi.xml.i
index 65aae28ae..16916ff54 100644
--- a/interface-definitions/include/generic-interface-multi.xml.i
+++ b/interface-definitions/include/generic-interface-multi.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/generic-interface.xml.i b/interface-definitions/include/generic-interface.xml.i
index 8b4cf1d65..36ddee417 100644
--- a/interface-definitions/include/generic-interface.xml.i
+++ b/interface-definitions/include/generic-interface.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/interface/redirect.xml.i b/interface-definitions/include/interface/redirect.xml.i
index 3be9ee16b..8df8957ac 100644
--- a/interface-definitions/include/interface/redirect.xml.i
+++ b/interface-definitions/include/interface/redirect.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i
index 0615063af..06609c10e 100644
--- a/interface-definitions/include/ospf/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospf/protocol-common-config.xml.i
@@ -358,7 +358,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
index 630534eea..c0aab912d 100644
--- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i
+++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i
@@ -118,7 +118,7 @@
Interface used for routing information exchange
-
+ #include
diff --git a/interface-definitions/include/rip/interface.xml.i b/interface-definitions/include/rip/interface.xml.i
index baeceac1c..e0792cdc1 100644
--- a/interface-definitions/include/rip/interface.xml.i
+++ b/interface-definitions/include/rip/interface.xml.i
@@ -10,7 +10,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/include/routing-passive-interface.xml.i b/interface-definitions/include/routing-passive-interface.xml.i
index 095b683de..fe229aebe 100644
--- a/interface-definitions/include/routing-passive-interface.xml.i
+++ b/interface-definitions/include/routing-passive-interface.xml.i
@@ -16,7 +16,7 @@
(default)
-
+ #include
diff --git a/interface-definitions/include/source-interface.xml.i b/interface-definitions/include/source-interface.xml.i
index a9c2a0f9d..4c1fddb57 100644
--- a/interface-definitions/include/source-interface.xml.i
+++ b/interface-definitions/include/source-interface.xml.i
@@ -10,7 +10,7 @@
-
+ #include
diff --git a/interface-definitions/include/static/static-route-interface.xml.i b/interface-definitions/include/static/static-route-interface.xml.i
index ed4f455e5..cc7a92612 100644
--- a/interface-definitions/include/static/static-route-interface.xml.i
+++ b/interface-definitions/include/static/static-route-interface.xml.i
@@ -10,7 +10,7 @@
Gateway interface name
-
+ #include
diff --git a/interface-definitions/include/static/static-route.xml.i b/interface-definitions/include/static/static-route.xml.i
index 04ee999c7..aeb2044c9 100644
--- a/interface-definitions/include/static/static-route.xml.i
+++ b/interface-definitions/include/static/static-route.xml.i
@@ -26,7 +26,7 @@
Gateway interface name
-
+ #include
diff --git a/interface-definitions/include/static/static-route6.xml.i b/interface-definitions/include/static/static-route6.xml.i
index 6131ac7fe..d5e7a25bc 100644
--- a/interface-definitions/include/static/static-route6.xml.i
+++ b/interface-definitions/include/static/static-route6.xml.i
@@ -25,7 +25,7 @@
Gateway interface name
-
+ #include
diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in
index 96e0e5d89..a8a558348 100644
--- a/interface-definitions/interfaces-bonding.xml.in
+++ b/interface-definitions/interfaces-bonding.xml.in
@@ -199,7 +199,7 @@
Interface name
-
+ #include
@@ -218,7 +218,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols-rip.xml.in
index 2195b0316..33aae5015 100644
--- a/interface-definitions/protocols-rip.xml.in
+++ b/interface-definitions/protocols-rip.xml.in
@@ -39,7 +39,7 @@
-
+ #include
diff --git a/interface-definitions/protocols-ripng.xml.in b/interface-definitions/protocols-ripng.xml.in
index d7e4b2514..cd35dbf53 100644
--- a/interface-definitions/protocols-ripng.xml.in
+++ b/interface-definitions/protocols-ripng.xml.in
@@ -40,7 +40,7 @@
-
+ #include
diff --git a/interface-definitions/protocols-static-arp.xml.in b/interface-definitions/protocols-static-arp.xml.in
index 8b1b3b5e1..52caf435a 100644
--- a/interface-definitions/protocols-static-arp.xml.in
+++ b/interface-definitions/protocols-static-arp.xml.in
@@ -20,7 +20,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/qos.xml.in b/interface-definitions/qos.xml.in
index e2dbcbeef..dc807781e 100644
--- a/interface-definitions/qos.xml.in
+++ b/interface-definitions/qos.xml.in
@@ -16,7 +16,7 @@
Interface name
-
+ #include
diff --git a/interface-definitions/service-upnp.xml.in b/interface-definitions/service-upnp.xml.in
index ec23d87df..79d8ae42e 100644
--- a/interface-definitions/service-upnp.xml.in
+++ b/interface-definitions/service-upnp.xml.in
@@ -24,7 +24,7 @@
-
+ #include
@@ -119,7 +119,7 @@
-
+ #include
diff --git a/src/validators/interface-name b/src/validators/interface-name
deleted file mode 100755
index 105815eee..000000000
--- a/src/validators/interface-name
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-import os
-import re
-
-from sys import argv
-from sys import exit
-
-pattern = '^(bond|br|dum|en|ersp|eth|gnv|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|vti|vtun|vxlan|wg|wlan|wwan)[0-9]+(.\d+)?|lo$'
-
-if __name__ == '__main__':
- if len(argv) != 2:
- exit(1)
- interface = argv[1]
-
- if re.match(pattern, interface):
- exit(0)
- if os.path.exists(f'/sys/class/net/{interface}'):
- exit(0)
- exit(1)
--
From 1c9bd9375765c3d0a9d603286bb9977b99a5535c Mon Sep 17 00:00:00 2001
From: initramfs
Date: Thu, 15 Dec 2022 17:04:41 +0800
Subject: firewall: T4882: add missing ICMPv6 type names
---
.../include/firewall/icmpv6-type-name.xml.i | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/interface-definitions/include/firewall/icmpv6-type-name.xml.i b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
index a2e68abfb..e17a20e17 100644
--- a/interface-definitions/include/firewall/icmpv6-type-name.xml.i
+++ b/interface-definitions/include/firewall/icmpv6-type-name.xml.i
@@ -3,7 +3,7 @@
ICMPv6 type-name
- destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering
+ destination-unreachable packet-too-big time-exceeded echo-request echo-reply mld-listener-query mld-listener-report mld-listener-reduction nd-router-solicit nd-router-advert nd-neighbor-solicit nd-neighbor-advert nd-redirect parameter-problem router-renumbering ind-neighbor-solicit ind-neighbor-advert mld2-listener-report
destination-unreachable
@@ -65,8 +65,20 @@
router-renumbering
ICMPv6 type 138: router-renumbering
+
+ ind-neighbor-solicit
+ ICMPv6 type 141: ind-neighbor-solicit
+
+
+ ind-neighbor-advert
+ ICMPv6 type 142: ind-neighbor-advert
+
+
+ mld2-listener-report
+ ICMPv6 type 143: mld2-listener-report
+
- (destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering)
+ (destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering|ind-neighbor-solicit|ind-neighbor-advert|mld2-listener-report)
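Review bot: The three added type names now have to be kept in agreement across three separate lists in this file — the completionHelp list in the hunk at @@ -3,7 above, the valueHelp entries added here, and the constraint regex on the last line — and nothing in the file records that they must match or what set they are drawn from. If a future addition touches only one of them, the CLI will either offer a name the validator rejects or silently accept a name that completion never shows, and the regex is the only check standing between the configured string and the generated rule. A one-line comment at the top of the new valueHelp block would make the contract explicit, e.g. `<!-- Keep the completionHelp list, these valueHelp entries and the constraint regex below in sync -->`; the names appear to mirror the ICMPv6 type keywords of the underlying firewall backend, but that origin is inferred and should be confirmed before naming it in the comment. The enclosing XML element begins before both hunks, so the header where such a note would normally sit is outside this view.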
--