From 8dbc3c5e67cc1fd043a78dd3446a1a733ebd814f Mon Sep 17 00:00:00 2001
From: Nataliia Solomko <natalirs1985@gmail.com>
Date: Fri, 13 Jun 2025 12:20:40 +0300
Subject: firewall: T6951:  Add a configuration command for ethertypes that
 bridge firewalls should always accept

---
 .../include/firewall/global-options.xml.i          | 49 ++++++++++++++++++++--
 .../include/version/firewall-version.xml.i         |  2 +-
 2 files changed, 46 insertions(+), 5 deletions(-)

(limited to 'interface-definitions/include')
diff --git a/interface-definitions/include/firewall/global-options.xml.i b/interface-definitions/include/firewall/global-options.xml.i
index 794da4f9d..e19f3a7c5 100644
--- a/interface-definitions/include/firewall/global-options.xml.i
+++ b/interface-definitions/include/firewall/global-options.xml.i
@@ -49,12 +49,53 @@
         <help>Apply configured firewall rules to traffic switched by bridges</help>
       </properties>
       <children>
-        <leafNode name="invalid-connections">
+        <node name="accept-invalid">
           <properties>
-            <help>Accept ARP, 802.1q, 802.1ad, DHCP, PPPoE and WoL despite being marked as invalid connections</help>
-            <valueless/>
+            <help>Accept connections despite they are marked as invalid</help>
           </properties>
-        </leafNode>
+          <children>
+            <leafNode name="ethernet-type">
+              <properties>
+                <help>Ethernet type</help>
+                <completionHelp>
+                  <list>arp dhcp pppoe 802.1q 802.1ad pppoe-discovery wol</list>
+                </completionHelp>
+                <valueHelp>
+                  <format>arp</format>
+                  <description>Adress Resolution Protocol (ARP)</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>dhcp</format>
+                  <description>Dynamic Host Configuration Protocol (DHCP)</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>pppoe</format>
+                  <description>Point to Point over Ethernet (PPPoE) Session</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>pppoe-discovery</format>
+                  <description>PPPoE Discovery</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>802.1q</format>
+                  <description>Customer VLAN tag type (802.1Q)</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>802.1ad</format>
+                  <description>Service VLAN tag type (802.1ad)</description>
+                </valueHelp>
+                <valueHelp>
+                  <format>wol</format>
+                  <description>Wake-on-LAN magic packet</description>
+                </valueHelp>
+                <constraint>
+                  <regex>(arp|dhcp|pppoe|pppoe-discovery|802.1q|802.1ad|wol)</regex>
+                </constraint>
+                <multi/>
+              </properties>
+            </leafNode>
+          </children>
+        </node>
         <leafNode name="ipv4">
           <properties>
             <help>Apply configured IPv4 firewall rules</help>
diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index 1a8098297..1f3b779d5 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='18'></syntaxVersion>
+<syntaxVersion component='firewall' version='19'></syntaxVersion>
 <!-- include end -->
-- 
cgit v1.2.3

