From 2c8e41465ee3e4ee8fe5048df3265c7b10ee3b91 Mon Sep 17 00:00:00 2001
From: Indrajit Raychaudhuri <irc@indrajit.com>
Date: Mon, 18 Dec 2023 02:45:12 -0600
Subject: firewall: T5834: Rename 'enable-default-log' to 'default-log'

Rename chain level defaults log option from `enable-default-log` to
`default-log` for consistency.

(cherry picked from commit 245e758aa2ea8779186d0c92d79d33170d036992)
---
 interface-definitions/firewall.xml.in                            | 2 +-
 interface-definitions/include/firewall/bridge-custom-name.xml.i  | 4 ++--
 interface-definitions/include/firewall/bridge-hook-forward.xml.i | 3 ++-
 interface-definitions/include/firewall/default-log.xml.i         | 8 ++++++++
 interface-definitions/include/firewall/enable-default-log.xml.i  | 8 --------
 interface-definitions/include/firewall/ipv4-custom-name.xml.i    | 4 ++--
 interface-definitions/include/firewall/ipv4-hook-forward.xml.i   | 4 ++--
 interface-definitions/include/firewall/ipv4-hook-input.xml.i     | 4 ++--
 interface-definitions/include/firewall/ipv4-hook-output.xml.i    | 4 ++--
 interface-definitions/include/firewall/ipv6-custom-name.xml.i    | 4 ++--
 interface-definitions/include/firewall/ipv6-hook-forward.xml.i   | 4 ++--
 interface-definitions/include/firewall/ipv6-hook-input.xml.i     | 4 ++--
 interface-definitions/include/firewall/ipv6-hook-output.xml.i    | 4 ++--
 interface-definitions/policy-route.xml.in                        | 4 ++--
 14 files changed, 31 insertions(+), 30 deletions(-)
 create mode 100644 interface-definitions/include/firewall/default-log.xml.i
 delete mode 100644 interface-definitions/include/firewall/enable-default-log.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 70afdc995..a4023058f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -368,7 +368,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
+          #include <include/firewall/default-log.xml.i>
           <leafNode name="default-action">
             <properties>
               <help>Default-action for traffic coming into this zone</help>
diff --git a/interface-definitions/include/firewall/bridge-custom-name.xml.i b/interface-definitions/include/firewall/bridge-custom-name.xml.i
index a85fd5a19..654493c0e 100644
--- a/interface-definitions/include/firewall/bridge-custom-name.xml.i
+++ b/interface-definitions/include/firewall/bridge-custom-name.xml.i
@@ -8,7 +8,7 @@
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
-    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
@@ -36,4 +36,4 @@
     </tagNode>
   </children>
 </tagNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/bridge-hook-forward.xml.i b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
index 23d757070..99f66ec77 100644
--- a/interface-definitions/include/firewall/bridge-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/bridge-hook-forward.xml.i
@@ -10,6 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -31,4 +32,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/default-log.xml.i b/interface-definitions/include/firewall/default-log.xml.i
new file mode 100644
index 000000000..dceacdb89
--- /dev/null
+++ b/interface-definitions/include/firewall/default-log.xml.i
@@ -0,0 +1,8 @@
+<!-- include start from firewall/default-log.xml.i -->
+<leafNode name="default-log">
+  <properties>
+    <help>Log packets hitting default-action</help>
+    <valueless/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/enable-default-log.xml.i b/interface-definitions/include/firewall/enable-default-log.xml.i
deleted file mode 100644
index 0efd8341b..000000000
--- a/interface-definitions/include/firewall/enable-default-log.xml.i
+++ /dev/null
@@ -1,8 +0,0 @@
-<!-- include start from firewall/enable-default-log.xml.i -->
-<leafNode name="enable-default-log">
-  <properties>
-    <help>Log packets hitting default-action</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/ipv4-custom-name.xml.i b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
index c6420fe1f..8199d15fe 100644
--- a/interface-definitions/include/firewall/ipv4-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv4-custom-name.xml.i
@@ -8,7 +8,7 @@
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
-    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
@@ -39,4 +39,4 @@
     </tagNode>
   </children>
 </tagNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
index 100f1c3d9..de2c70482 100644
--- a/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-forward.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -36,4 +36,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-input.xml.i b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
index 22546640b..5d32657ea 100644
--- a/interface-definitions/include/firewall/ipv4-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-input.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -33,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv4-hook-output.xml.i b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
index 80c30cdeb..2b537ce5e 100644
--- a/interface-definitions/include/firewall/ipv4-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv4-hook-output.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -33,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-custom-name.xml.i b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
index 2cc45a60c..5748b3927 100644
--- a/interface-definitions/include/firewall/ipv6-custom-name.xml.i
+++ b/interface-definitions/include/firewall/ipv6-custom-name.xml.i
@@ -8,7 +8,7 @@
   </properties>
   <children>
     #include <include/firewall/default-action.xml.i>
-    #include <include/firewall/enable-default-log.xml.i>
+    #include <include/firewall/default-log.xml.i>
     #include <include/generic-description.xml.i>
     <leafNode name="default-jump-target">
       <properties>
@@ -39,4 +39,4 @@
     </tagNode>
   </children>
 </tagNode>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
index fb38267eb..b53f09f59 100644
--- a/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-forward.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -36,4 +36,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-input.xml.i b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
index 49d4493cc..493611fb1 100644
--- a/interface-definitions/include/firewall/ipv6-hook-input.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-input.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -33,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/ipv6-hook-output.xml.i b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
index 452b9027f..ffe1c72b8 100644
--- a/interface-definitions/include/firewall/ipv6-hook-output.xml.i
+++ b/interface-definitions/include/firewall/ipv6-hook-output.xml.i
@@ -10,7 +10,7 @@
       </properties>
       <children>
         #include <include/firewall/default-action-base-chains.xml.i>
-        #include <include/firewall/enable-default-log.xml.i>
+        #include <include/firewall/default-log.xml.i>
         #include <include/generic-description.xml.i>
         <tagNode name="rule">
           <properties>
@@ -33,4 +33,4 @@
     </node>
   </children>
 </node>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in
index d4ec75786..92e7a0cb4 100644
--- a/interface-definitions/policy-route.xml.in
+++ b/interface-definitions/policy-route.xml.in
@@ -12,7 +12,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
+          #include <include/firewall/default-log.xml.i>
           #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
@@ -67,7 +67,7 @@
         </properties>
         <children>
           #include <include/generic-description.xml.i>
-          #include <include/firewall/enable-default-log.xml.i>
+          #include <include/firewall/default-log.xml.i>
           #include <include/generic-interface-multi-wildcard.xml.i>
           <tagNode name="rule">
             <properties>
-- 
cgit v1.2.3


From 201501ace13020e187dfbba4b125eb3f8664046d Mon Sep 17 00:00:00 2001
From: Indrajit Raychaudhuri <irc@indrajit.com>
Date: Mon, 18 Dec 2023 02:57:01 -0600
Subject: firewall: T5834: Migration for 'enable-default-log' to 'default-log'

(cherry picked from commit 7c40b70af9def9242b30d1fc949288d9da2bd027)
---
 .../include/version/firewall-version.xml.i         |  2 +-
 .../include/version/policy-version.xml.i           |  2 +-
 src/migration-scripts/firewall/13-to-14            | 59 ++++++++++++++++++++++
 src/migration-scripts/policy/7-to-8                | 56 ++++++++++++++++++++
 4 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100755 src/migration-scripts/firewall/13-to-14
 create mode 100755 src/migration-scripts/policy/7-to-8

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/version/firewall-version.xml.i b/interface-definitions/include/version/firewall-version.xml.i
index 299eebb00..6702ee041 100644
--- a/interface-definitions/include/version/firewall-version.xml.i
+++ b/interface-definitions/include/version/firewall-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/firewall-version.xml.i -->
-<syntaxVersion component='firewall' version='13'></syntaxVersion>
+<syntaxVersion component='firewall' version='14'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/include/version/policy-version.xml.i b/interface-definitions/include/version/policy-version.xml.i
index 4fbe757f5..db727fea9 100644
--- a/interface-definitions/include/version/policy-version.xml.i
+++ b/interface-definitions/include/version/policy-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/policy-version.xml.i -->
-<syntaxVersion component='policy' version='7'></syntaxVersion>
+<syntaxVersion component='policy' version='8'></syntaxVersion>
 <!-- include end -->
diff --git a/src/migration-scripts/firewall/13-to-14 b/src/migration-scripts/firewall/13-to-14
new file mode 100755
index 000000000..f45ff0674
--- /dev/null
+++ b/src/migration-scripts/firewall/13-to-14
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5834: Rename 'enable-default-log' to 'default-log'
+# From
+    # set firewall ... filter enable-default-log
+    # set firewall ... name <name> enable-default-log
+# To
+    # set firewall ... filter default-log
+    # set firewall ... name <name> default-log
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['firewall']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['ipv4', 'ipv6', 'bridge']:
+    if config.exists(base + [family]):
+        for hook in ['forward', 'input', 'output', 'name']:
+            if config.exists(base + [family, hook]):
+                for priority in config.list_nodes(base + [family, hook]):
+                    if config.exists(base + [family, hook, priority, 'enable-default-log']):
+                        config.rename(base + [family, hook, priority, 'enable-default-log'], 'default-log')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
diff --git a/src/migration-scripts/policy/7-to-8 b/src/migration-scripts/policy/7-to-8
new file mode 100755
index 000000000..73eece1a6
--- /dev/null
+++ b/src/migration-scripts/policy/7-to-8
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# T5834: Rename 'enable-default-log' to 'default-log'
+# From
+    # set policy [route | route 6] <route> enable-default-log
+# To
+    # set policy [route | route 6] <route> default-log
+
+from sys import argv
+from sys import exit
+
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+    print("Must specify file name!")
+    exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+    config_file = f.read()
+
+base = ['policy']
+config = ConfigTree(config_file)
+
+if not config.exists(base):
+    # Nothing to do
+    exit(0)
+
+for family in ['route', 'route6']:
+    if config.exists(base + [family]):
+
+        for policy_name in config.list_nodes(base + [family]):
+            if config.exists(base + [family, policy_name, 'enable-default-log']):
+                config.rename(base + [family, policy_name, 'enable-default-log'], 'default-log')
+
+try:
+    with open(file_name, 'w') as f:
+        f.write(config.to_string())
+except OSError as e:
+    print("Failed to save the modified config: {}".format(e))
+    exit(1)
-- 
cgit v1.2.3


From 3d579863c98627fbe83efc6033ccc37b81e68d96 Mon Sep 17 00:00:00 2001
From: Indrajit Raychaudhuri <irc@indrajit.com>
Date: Fri, 22 Dec 2023 17:14:04 -0600
Subject: firewall: T5834: Remove vestigial include file

This file is a left over from previous refactoring and no longer
referenced anywhere in the interface definitions.

(cherry picked from commit f8f382b2195da8db8b730f107ffba16e67dac822)
---
 .../include/firewall/common-rule.xml.i             | 386 ---------------------
 1 file changed, 386 deletions(-)
 delete mode 100644 interface-definitions/include/firewall/common-rule.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i
deleted file mode 100644
index 7417a3c58..000000000
--- a/interface-definitions/include/firewall/common-rule.xml.i
+++ /dev/null
@@ -1,386 +0,0 @@
-<!-- include start from firewall/common-rule.xml.i -->
-#include <include/firewall/action.xml.i>
-#include <include/generic-description.xml.i>
-<node name="destination">
-  <properties>
-    <help>Destination parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/mac-address.xml.i>
-  </children>
-</node>
-<leafNode name="disable">
-  <properties>
-    <help>Option to disable firewall rule</help>
-    <valueless/>
-  </properties>
-</leafNode>
-<node name="fragment">
-  <properties>
-    <help>IP fragment match</help>
-  </properties>
-  <children>
-    <leafNode name="match-frag">
-      <properties>
-        <help>Second and further fragments of fragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-non-frag">
-      <properties>
-        <help>Head fragments or unfragmented packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="inbound-interface">
-  <properties>
-    <help>Match inbound-interface</help>
-  </properties>
-  <children>
-    #include <include/firewall/match-interface.xml.i>
-  </children>
-</node>
-<node name="outbound-interface">
-  <properties>
-    <help>Match outbound-interface</help>
-  </properties>
-  <children>
-    #include <include/firewall/match-interface.xml.i>
-  </children>
-</node>
-<node name="ipsec">
-  <properties>
-    <help>Inbound IPsec packets</help>
-  </properties>
-  <children>
-    <leafNode name="match-ipsec">
-      <properties>
-        <help>Inbound IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-    <leafNode name="match-none">
-      <properties>
-        <help>Inbound non-IPsec packets</help>
-        <valueless/>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="limit">
-  <properties>
-    <help>Rate limit using a token bucket filter</help>
-  </properties>
-  <children>
-    <leafNode name="burst">
-      <properties>
-        <help>Maximum number of packets to allow in excess of rate</help>
-        <valueHelp>
-          <format>u32:0-4294967295</format>
-          <description>Maximum number of packets to allow in excess of rate</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-4294967295"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="rate">
-      <properties>
-        <help>Maximum average matching rate</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>integer/unit (Example: 5/minute)</description>
-        </valueHelp>
-        <constraint>
-          <regex>\d+/(second|minute|hour|day)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="log">
-  <properties>
-    <help>Option to log packets matching rule</help>
-    <completionHelp>
-      <list>enable disable</list>
-    </completionHelp>
-    <valueHelp>
-      <format>enable</format>
-      <description>Enable log</description>
-    </valueHelp>
-    <valueHelp>
-      <format>disable</format>
-      <description>Disable log</description>
-    </valueHelp>
-    <constraint>
-      <regex>(enable|disable)</regex>
-    </constraint>
-  </properties>
-</leafNode>
-#include <include/firewall/rule-log-options.xml.i>
-<node name="connection-status">
-  <properties>
-    <help>Connection status</help>
-  </properties>
-  <children>
-    <leafNode name="nat">
-      <properties>
-        <help>NAT connection status</help>
-        <completionHelp>
-          <list>destination source</list>
-        </completionHelp>
-        <valueHelp>
-          <format>destination</format>
-          <description>Match connections that are subject to destination NAT</description>
-        </valueHelp>
-        <valueHelp>
-          <format>source</format>
-          <description>Match connections that are subject to source NAT</description>
-        </valueHelp>
-        <constraint>
-          <regex>^(destination|source)$</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<leafNode name="protocol">
-  <properties>
-    <help>Protocol to match (protocol name, number, or "all")</help>
-    <completionHelp>
-      <script>${vyos_completion_dir}/list_protocols.sh</script>
-      <list>all tcp_udp</list>
-    </completionHelp>
-    <valueHelp>
-      <format>all</format>
-      <description>All IP protocols</description>
-    </valueHelp>
-    <valueHelp>
-      <format>tcp_udp</format>
-      <description>Both TCP and UDP</description>
-    </valueHelp>
-    <valueHelp>
-      <format>u32:0-255</format>
-      <description>IP protocol number</description>
-    </valueHelp>
-    <valueHelp>
-      <format>&lt;protocol&gt;</format>
-      <description>IP protocol name</description>
-    </valueHelp>
-    <valueHelp>
-      <format>!&lt;protocol&gt;</format>
-      <description>IP protocol name</description>
-    </valueHelp>
-    <constraint>
-      <validator name="ip-protocol"/>
-    </constraint>
-  </properties>
-</leafNode>
-<node name="recent">
-  <properties>
-    <help>Parameters for matching recently seen sources</help>
-  </properties>
-  <children>
-    <leafNode name="count">
-      <properties>
-        <help>Source addresses seen more than N times</help>
-        <valueHelp>
-          <format>u32:1-255</format>
-          <description>Source addresses seen more than N times</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 1-255"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="time">
-      <properties>
-        <help>Source addresses seen in the last second/minute/hour</help>
-        <completionHelp>
-          <list>second minute hour</list>
-        </completionHelp>
-        <valueHelp>
-          <format>second</format>
-          <description>Source addresses seen COUNT times in the last second</description>
-        </valueHelp>
-        <valueHelp>
-          <format>minute</format>
-          <description>Source addresses seen COUNT times in the last minute</description>
-        </valueHelp>
-        <valueHelp>
-          <format>hour</format>
-          <description>Source addresses seen COUNT times in the last hour</description>
-        </valueHelp>
-        <constraint>
-          <regex>(second|minute|hour)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<node name="source">
-  <properties>
-    <help>Source parameters</help>
-  </properties>
-  <children>
-    #include <include/firewall/address.xml.i>
-    #include <include/firewall/source-destination-group.xml.i>
-    #include <include/firewall/mac-address.xml.i>
-    #include <include/firewall/port.xml.i>
-  </children>
-</node>
-<node name="state">
-  <properties>
-    <help>Session state</help>
-  </properties>
-  <children>
-    <leafNode name="established">
-      <properties>
-        <help>Established state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="invalid">
-      <properties>
-        <help>Invalid state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="new">
-      <properties>
-        <help>New state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="related">
-      <properties>
-        <help>Related state</help>
-        <completionHelp>
-          <list>enable disable</list>
-        </completionHelp>
-        <valueHelp>
-          <format>enable</format>
-          <description>Enable</description>
-        </valueHelp>
-        <valueHelp>
-          <format>disable</format>
-          <description>Disable</description>
-        </valueHelp>
-        <constraint>
-          <regex>(enable|disable)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-#include <include/firewall/tcp-flags.xml.i>
-<node name="time">
-  <properties>
-    <help>Time to match rule</help>
-  </properties>
-  <children>
-    <leafNode name="startdate">
-      <properties>
-        <help>Date to start matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter date using following notation - YYYY-MM-DD</description>
-        </valueHelp>
-        <constraint>
-          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="starttime">
-      <properties>
-        <help>Time of day to start matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
-        </valueHelp>
-        <constraint>
-          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="stopdate">
-      <properties>
-        <help>Date to stop matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter date using following notation - YYYY-MM-DD</description>
-        </valueHelp>
-        <constraint>
-          <regex>(\d{4}\-\d{2}\-\d{2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="stoptime">
-      <properties>
-        <help>Time of day to stop matching rule</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Enter time using using 24 hour notation - hh:mm:ss</description>
-        </valueHelp>
-        <constraint>
-          <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="weekdays">
-      <properties>
-        <help>Comma separated weekdays to match rule on</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Name of day (Monday, Tuesday, Wednesday, Thursdays, Friday, Saturday, Sunday)</description>
-        </valueHelp>
-        <valueHelp>
-          <format>u32:0-6</format>
-          <description>Day number (0 = Sunday ... 6 = Saturday)</description>
-        </valueHelp>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
-- 
cgit v1.2.3


From 57faafc8f8597f62d5edb5529349a565d7d2e865 Mon Sep 17 00:00:00 2001
From: Indrajit Raychaudhuri <irc@indrajit.com>
Date: Fri, 22 Dec 2023 17:22:20 -0600
Subject: firewall: T5834: Improve log message and simplify log-option include

`include/firewall/rule-log-options.xml.i` is now more aptly renamed to
`include/firewall/log-options.xml.i`.

(cherry picked from commit 53a48f499ae9bcc2f657136bb7779b38aad1c242)
---
 .../include/firewall/common-rule-bridge.xml.i      |  4 +-
 .../include/firewall/common-rule-inet.xml.i        |  2 +-
 .../include/firewall/common-rule-ipv4-raw.xml.i    |  2 +-
 .../include/firewall/log-options.xml.i             | 89 ++++++++++++++++++++++
 interface-definitions/include/firewall/log.xml.i   |  2 +-
 .../include/firewall/rule-log-options.xml.i        | 89 ----------------------
 6 files changed, 94 insertions(+), 94 deletions(-)
 create mode 100644 interface-definitions/include/firewall/log-options.xml.i
 delete mode 100644 interface-definitions/include/firewall/rule-log-options.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/firewall/common-rule-bridge.xml.i b/interface-definitions/include/firewall/common-rule-bridge.xml.i
index ebf95a111..dcdd970ac 100644
--- a/interface-definitions/include/firewall/common-rule-bridge.xml.i
+++ b/interface-definitions/include/firewall/common-rule-bridge.xml.i
@@ -19,7 +19,7 @@
   </properties>
 </leafNode>
 #include <include/firewall/log.xml.i>
-#include <include/firewall/rule-log-options.xml.i>
+#include <include/firewall/log-options.xml.i>
 <node name="source">
   <properties>
     <help>Source parameters</help>
@@ -31,4 +31,4 @@
 #include <include/firewall/inbound-interface.xml.i>
 #include <include/firewall/outbound-interface.xml.i>
 #include <include/firewall/match-vlan.xml.i>
-<!-- include end -->
\ No newline at end of file
+<!-- include end -->
diff --git a/interface-definitions/include/firewall/common-rule-inet.xml.i b/interface-definitions/include/firewall/common-rule-inet.xml.i
index 030adfe7c..3b5cb724d 100644
--- a/interface-definitions/include/firewall/common-rule-inet.xml.i
+++ b/interface-definitions/include/firewall/common-rule-inet.xml.i
@@ -78,7 +78,7 @@
   </children>
 </node>
 #include <include/firewall/log.xml.i>
-#include <include/firewall/rule-log-options.xml.i>
+#include <include/firewall/log-options.xml.i>
 <node name="connection-status">
   <properties>
     <help>Connection status</help>
diff --git a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
index a1071a09a..b253ee048 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4-raw.xml.i
@@ -144,7 +144,7 @@
     </constraint>
   </properties>
 </leafNode>
-#include <include/firewall/rule-log-options.xml.i>
+#include <include/firewall/log-options.xml.i>
 <node name="connection-status">
   <properties>
     <help>Connection status</help>
diff --git a/interface-definitions/include/firewall/log-options.xml.i b/interface-definitions/include/firewall/log-options.xml.i
new file mode 100644
index 000000000..e8b0cdec3
--- /dev/null
+++ b/interface-definitions/include/firewall/log-options.xml.i
@@ -0,0 +1,89 @@
+<!-- include start from firewall/rule-log-options.xml.i -->
+<node name="log-options">
+   <properties>
+    <help>Log options</help>
+  </properties>
+  <children>
+    <leafNode name="group">
+      <properties>
+        <help>Set log group</help>
+        <valueHelp>
+          <format>u32:0-65535</format>
+          <description>Log group to send messages to</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-65535"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="snapshot-length">
+      <properties>
+        <help>Length of packet payload to include in netlink message</help>
+        <valueHelp>
+          <format>u32:0-9000</format>
+          <description>Length of packet payload to include in netlink message</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-9000"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="queue-threshold">
+      <properties>
+        <help>Number of packets to queue inside the kernel before sending them to userspace</help>
+        <valueHelp>
+          <format>u32:0-65535</format>
+          <description>Number of packets to queue inside the kernel before sending them to userspace</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-65535"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="level">
+      <properties>
+        <help>Set log-level</help>
+        <completionHelp>
+          <list>emerg alert crit err warn notice info debug</list>
+        </completionHelp>
+        <valueHelp>
+          <format>emerg</format>
+          <description>Emerg log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>alert</format>
+          <description>Alert log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>crit</format>
+          <description>Critical log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>err</format>
+          <description>Error log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>warn</format>
+          <description>Warning log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>notice</format>
+          <description>Notice log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>info</format>
+          <description>Info log level</description>
+        </valueHelp>
+        <valueHelp>
+          <format>debug</format>
+          <description>Debug log level</description>
+        </valueHelp>
+        <constraint>
+          <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
+        </constraint>
+        <constraintErrorMessage>level must be alert, crit, debug, emerg, err, info, notice or warn</constraintErrorMessage>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/log.xml.i b/interface-definitions/include/firewall/log.xml.i
index 8f3fae1be..795ed77be 100644
--- a/interface-definitions/include/firewall/log.xml.i
+++ b/interface-definitions/include/firewall/log.xml.i
@@ -1,7 +1,7 @@
 <!-- include start from firewall/log.xml.i -->
 <leafNode name="log">
   <properties>
-    <help>Enable log</help>
+    <help>Log packets hitting this rule</help>
     <valueless/>
   </properties>
 </leafNode>
\ No newline at end of file
diff --git a/interface-definitions/include/firewall/rule-log-options.xml.i b/interface-definitions/include/firewall/rule-log-options.xml.i
deleted file mode 100644
index e8b0cdec3..000000000
--- a/interface-definitions/include/firewall/rule-log-options.xml.i
+++ /dev/null
@@ -1,89 +0,0 @@
-<!-- include start from firewall/rule-log-options.xml.i -->
-<node name="log-options">
-   <properties>
-    <help>Log options</help>
-  </properties>
-  <children>
-    <leafNode name="group">
-      <properties>
-        <help>Set log group</help>
-        <valueHelp>
-          <format>u32:0-65535</format>
-          <description>Log group to send messages to</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-65535"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="snapshot-length">
-      <properties>
-        <help>Length of packet payload to include in netlink message</help>
-        <valueHelp>
-          <format>u32:0-9000</format>
-          <description>Length of packet payload to include in netlink message</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-9000"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="queue-threshold">
-      <properties>
-        <help>Number of packets to queue inside the kernel before sending them to userspace</help>
-        <valueHelp>
-          <format>u32:0-65535</format>
-          <description>Number of packets to queue inside the kernel before sending them to userspace</description>
-        </valueHelp>
-        <constraint>
-          <validator name="numeric" argument="--range 0-65535"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <leafNode name="level">
-      <properties>
-        <help>Set log-level</help>
-        <completionHelp>
-          <list>emerg alert crit err warn notice info debug</list>
-        </completionHelp>
-        <valueHelp>
-          <format>emerg</format>
-          <description>Emerg log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>alert</format>
-          <description>Alert log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>crit</format>
-          <description>Critical log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>err</format>
-          <description>Error log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>warn</format>
-          <description>Warning log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>notice</format>
-          <description>Notice log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>info</format>
-          <description>Info log level</description>
-        </valueHelp>
-        <valueHelp>
-          <format>debug</format>
-          <description>Debug log level</description>
-        </valueHelp>
-        <constraint>
-          <regex>(emerg|alert|crit|err|warn|notice|info|debug)</regex>
-        </constraint>
-        <constraintErrorMessage>level must be alert, crit, debug, emerg, err, info, notice or warn</constraintErrorMessage>
-      </properties>
-    </leafNode>
-  </children>
-</node>
-<!-- include end -->
\ No newline at end of file
-- 
cgit v1.2.3