From 770edf016838523c248e3c8a36c5f327a0b98415 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Fri, 24 May 2024 16:44:41 +0000
Subject: T3900: T6394: extend functionalities in firewall; move netfilter
 sysctl timeout parameters defined in conntrack to firewall global-opton
 section.

---
 .../conntrack/timeout-common-protocols.xml.i       | 172 ---------------------
 .../include/firewall/action-and-notrack.xml.i      |   2 +-
 .../include/firewall/global-options.xml.i          |   8 +
 .../firewall/timeout-common-protocols.xml.i        | 171 ++++++++++++++++++++
 .../include/version/firewall-version.xml.i         |   2 +-
 5 files changed, 181 insertions(+), 174 deletions(-)
 delete mode 100644 interface-definitions/include/conntrack/timeout-common-protocols.xml.i
 create mode 100644 interface-definitions/include/firewall/timeout-common-protocols.xml.i

(limited to 'interface-definitions/include')

diff --git a/interface-definitions/include/conntrack/timeout-common-protocols.xml.i b/interface-definitions/include/conntrack/timeout-common-protocols.xml.i
deleted file mode 100644
index 2676d846e..000000000
--- a/interface-definitions/include/conntrack/timeout-common-protocols.xml.i
+++ /dev/null
@@ -1,172 +0,0 @@
-<!-- include start from conntrack/timeout-common-protocols.xml.i -->
-<leafNode name="icmp">
-  <properties>
-    <help>ICMP timeout in seconds</help>
-    <valueHelp>
-      <format>u32:1-21474836</format>
-      <description>ICMP timeout in seconds</description>
-    </valueHelp>
-    <constraint>
-      <validator name="numeric" argument="--range 1-21474836"/>
-    </constraint>
-  </properties>
-  <defaultValue>30</defaultValue>
-</leafNode>
-<leafNode name="other">
-  <properties>
-    <help>Generic connection timeout in seconds</help>
-    <valueHelp>
-      <format>u32:1-21474836</format>
-      <description>Generic connection timeout in seconds</description>
-    </valueHelp>
-    <constraint>
-      <validator name="numeric" argument="--range 1-21474836"/>
-    </constraint>
-  </properties>
-  <defaultValue>600</defaultValue>
-</leafNode>
-<node name="tcp">
-  <properties>
-    <help>TCP connection timeout options</help>
-  </properties>
-  <children>
-    <leafNode name="close-wait">
-      <properties>
-        <help>TCP CLOSE-WAIT timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP CLOSE-WAIT timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>60</defaultValue>
-    </leafNode>
-    <leafNode name="close">
-      <properties>
-        <help>TCP CLOSE timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP CLOSE timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>10</defaultValue>
-    </leafNode>
-    <leafNode name="established">
-      <properties>
-        <help>TCP ESTABLISHED timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP ESTABLISHED timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>432000</defaultValue>
-    </leafNode>
-    <leafNode name="fin-wait">
-      <properties>
-        <help>TCP FIN-WAIT timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP FIN-WAIT timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>120</defaultValue>
-    </leafNode>
-    <leafNode name="last-ack">
-      <properties>
-        <help>TCP LAST-ACK timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP LAST-ACK timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>30</defaultValue>
-    </leafNode>
-    <leafNode name="syn-recv">
-      <properties>
-        <help>TCP SYN-RECEIVED timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP SYN-RECEIVED timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>60</defaultValue>
-    </leafNode>
-    <leafNode name="syn-sent">
-      <properties>
-        <help>TCP SYN-SENT timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP SYN-SENT timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>120</defaultValue>
-    </leafNode>
-    <leafNode name="time-wait">
-      <properties>
-        <help>TCP TIME-WAIT timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>TCP TIME-WAIT timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>120</defaultValue>
-    </leafNode>
-  </children>
-</node>
-<node name="udp">
-  <properties>
-    <help>UDP timeout options</help>
-  </properties>
-  <children>
-    <leafNode name="other">
-      <properties>
-        <help>UDP generic timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>UDP generic timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>30</defaultValue>
-    </leafNode>
-    <leafNode name="stream">
-      <properties>
-        <help>UDP stream timeout in seconds</help>
-        <valueHelp>
-          <format>u32:1-21474836</format>
-          <description>UDP stream timeout in seconds</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-21474836"/>
-        </constraint>
-      </properties>
-      <defaultValue>180</defaultValue>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
diff --git a/interface-definitions/include/firewall/action-and-notrack.xml.i b/interface-definitions/include/firewall/action-and-notrack.xml.i
index e063c58d5..de11f7dd5 100644
--- a/interface-definitions/include/firewall/action-and-notrack.xml.i
+++ b/interface-definitions/include/firewall/action-and-notrack.xml.i
@@ -35,7 +35,7 @@
     </valueHelp>
     <valueHelp>
       <format>notrack</format>
-      <description>Igone connection tracking</description>
+      <description>Ignore connection tracking</description>
     </valueHelp>
     <constraint>
       <regex>(accept|continue|jump|notrack|reject|return|drop|queue)</regex>
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 9cd0b3239..9039b76fd 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -244,6 +244,14 @@
       </properties>
       <defaultValue>enable</defaultValue>
     </leafNode>
+    <node name="timeout">
+      <properties>
+        <help>Connection timeout options</help>
+      </properties>
+      <children>
+        #include <include/firewall/timeout-common-protocols.xml.i>
+      </children>
+    </node>
     <leafNode name="twa-hazards-protection">
       <properties>
         <help>RFC1337 TCP TIME-WAIT assasination hazards protection</help>
diff --git a/interface-definitions/include/firewall/timeout-common-protocols.xml.i b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
new file mode 100644
index 000000000..037d7d2b1
--- /dev/null
+++ b/interface-definitions/include/firewall/timeout-common-protocols.xml.i
@@ -0,0 +1,171 @@
+<!-- include start from firewall/timeout-common-protocols.xml.i -->
+<leafNode name="icmp">
+  <properties>
+    <help>ICMP timeout in seconds</help>
+    <valueHelp>
+      <format>u32:1-21474836</format>
+      <description>ICMP timeout in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-21474836"/>
+    </constraint>
+  </properties>
+  <defaultValue>30</defaultValue>
+</leafNode>
+<leafNode name="other">
+  <properties>
+    <help>Generic connection timeout in seconds</help>
+    <valueHelp>
+      <format>u32:1-21474836</format>
+      <description>Generic connection timeout in seconds</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-21474836"/>
+    </constraint>
+  </properties>
+  <defaultValue>600</defaultValue>
+</leafNode>
+<node name="tcp">
+  <properties>
+    <help>TCP connection timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="close-wait">
+      <properties>
+        <help>TCP CLOSE-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>60</defaultValue>
+    </leafNode>
+    <leafNode name="close">
+      <properties>
+        <help>TCP CLOSE timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP CLOSE timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>10</defaultValue>
+    </leafNode>
+    <leafNode name="established">
+      <properties>
+        <help>TCP ESTABLISHED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP ESTABLISHED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>432000</defaultValue>
+    </leafNode>
+    <leafNode name="fin-wait">
+      <properties>
+        <help>TCP FIN-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP FIN-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+    <leafNode name="last-ack">
+      <properties>
+        <help>TCP LAST-ACK timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP LAST-ACK timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>30</defaultValue>
+    </leafNode>
+    <leafNode name="syn-recv">
+      <properties>
+        <help>TCP SYN-RECEIVED timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-RECEIVED timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>60</defaultValue>
+    </leafNode>
+    <leafNode name="syn-sent">
+      <properties>
+        <help>TCP SYN-SENT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP SYN-SENT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+    <leafNode name="time-wait">
+      <properties>
+        <help>TCP TIME-WAIT timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>TCP TIME-WAIT timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>120</defaultValue>
+    </leafNode>
+  </children>
+</node>
+<node name="udp">
+  <properties>
+    <help>UDP timeout options</help>
+  </properties>
+  <children>
+    <leafNode name="other">
+      <properties>
+        <help>UDP generic timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>UDP generic timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>30</defaultValue>
+    </leafNode>
+    <leafNode name="stream">
+      <properties>
+        <help>UDP stream timeout in seconds</help>
+        <valueHelp>
+          <format>u32:1-21474836</format>
+          <description>UDP stream timeout in seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-21474836"/>
+        </constraint>
+      </properties>
+      <defaultValue>180</defaultValue>
+    </leafNode>
+  </children>
+</node>
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index fa8e26f78..560ed9e5f 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='15'></syntaxVersion>
+<syntaxVersion component='firewall' version='16'></syntaxVersion>
 <!-- include end -->
-- 
cgit v1.2.3