From 599c5405e7ff5b76aa774b8cc97a82fbc053d46c Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Thu, 30 Mar 2023 12:55:30 +0000
Subject: T5128: Policy Route: allow wildcard on interface

---
 .../constraint/interface-name-with-wildcard.xml.in    |  4 ++++
 .../include/generic-interface-multi-wildcard.xml.i    | 19 +++++++++++++++++++
 interface-definitions/policy-route.xml.in             |  4 ++--
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 interface-definitions/include/constraint/interface-name-with-wildcard.xml.in
 create mode 100644 interface-definitions/include/generic-interface-multi-wildcard.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in
new file mode 100644
index 000000000..09867b380
--- /dev/null
+++ b/interface-definitions/include/constraint/interface-name-with-wildcard.xml.in
@@ -0,0 +1,4 @@
+<!-- include start from constraint/interface-name-with-wildcard.xml.in -->
+<regex>(bond|br|dum|en|ersp|eth|gnv|ifb|lan|l2tp|l2tpeth|macsec|peth|ppp|pppoe|pptp|sstp|tun|veth|vti|vtun|vxlan|wg|wlan|wwan)([0-9]?)(\*?)(.+)?|lo</regex>
+<validator name="file-path --lookup-path /sys/class/net --directory"/>
+<!-- include end -->
diff --git a/interface-definitions/include/generic-interface-multi-wildcard.xml.i b/interface-definitions/include/generic-interface-multi-wildcard.xml.i
new file mode 100644
index 000000000..354841a85
--- /dev/null
+++ b/interface-definitions/include/generic-interface-multi-wildcard.xml.i
@@ -0,0 +1,19 @@
+
+<!-- include start from generic-interface-multi-wildcard.xml.i -->
+<leafNode name="interface">
+  <properties>
+    <help>Interface name to apply policy route configuration</help>
+    <completionHelp>
+      <script>${vyos_completion_dir}/list_interfaces</script>
+    </completionHelp>
+    <valueHelp>
+      <format>txt</format>
+      <description>Interface name</description>
+    </valueHelp>
+    <constraint>
+      #include <include/constraint/interface-name-with-wildcard.xml.in>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index bbd6dbf56..d4ec75786 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -12,8 +12,8 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/generic-interface-multi.xml.i>
           #include <include/firewall/enable-default-log.xml.i>
+          #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
               <help>Policy rule number</help>
@@ -67,8 +67,8 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/generic-interface-multi.xml.i>
           #include <include/firewall/enable-default-log.xml.i>
+          #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
               <help>Policy rule number</help>
-- 
cgit v1.2.3


From c41af9698abaeb1dc656933570c14fc9d75c9ce5 Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Fri, 31 Mar 2023 13:05:50 +0000
Subject: T5128: Add contraint for firewall interface. Also update smoketest to
 include at least one wildcarded interface

---
 interface-definitions/firewall.xml.in  | 3 +++
 smoketest/scripts/cli/test_firewall.py | 3 +++
 2 files changed, 6 insertions(+)

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 624d61759..edbf1e03a 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -349,6 +349,9 @@
           <completionHelp>
             <script>${vyos_completion_dir}/list_interfaces</script>
           </completionHelp>
+          <constraint>
+            #include <include/constraint/interface-name-with-wildcard.xml.in>
+          </constraint>
         </properties>
         <children>
           <node name="in">
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index e071b7df9..99d3b3ca1 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -198,6 +198,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
     def test_ipv4_basic_rules(self):
         name = 'smoketest'
         interface = 'eth0'
+        interface_wc = 'l2tp*'
         mss_range = '501-1460'
         conn_mark = '555'
 
@@ -240,6 +241,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
 
         self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
+        self.cli_set(['firewall', 'interface', interface_wc, 'in', 'name', name])
 
         self.cli_commit()
 
@@ -247,6 +249,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 
         nftables_search = [
             [f'iifname "{interface}"', f'jump NAME_{name}'],
+            [f'iifname "{interface_wc}"', f'jump NAME_{name}'],
             ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" log level debug', 'ip ttl 15', 'return'],
             ['tcp flags syn / syn,ack', 'tcp dport 8888', 'log prefix "[smoketest-2-R]" log level err', 'ip ttl > 102', 'reject'],
             ['tcp dport 22', 'limit rate 5/minute', 'return'],
-- 
cgit v1.2.3