From 5a8e3089b35e2eca2f896a01410fcdf6ac928278 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 3 Sep 2023 13:08:00 +0200
Subject: conntrack: T4309: T4903: Refactor `system conntrack ignore` rule
 generation, add IPv6 support and firewall groups

---
 .../firewall/source-destination-group-ipv4.xml.i   |  41 ++++
 .../include/version/conntrack-version.xml.i        |   2 +-
 interface-definitions/system-conntrack.xml.in      | 215 +++++++++++++++------
 3 files changed, 197 insertions(+), 61 deletions(-)
 create mode 100644 interface-definitions/include/firewall/source-destination-group-ipv4.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
new file mode 100644
index 000000000..8c34fb933
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-group-ipv4.xml.i
@@ -0,0 +1,41 @@
+<!-- include start from firewall/source-destination-group-ipv4.xml.i -->
+<node name="group">
+  <properties>
+    <help>Group</help>
+  </properties>
+  <children>
+    <leafNode name="address-group">
+      <properties>
+        <help>Group of addresses</help>
+        <completionHelp>
+          <path>firewall group address-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="domain-group">
+      <properties>
+        <help>Group of domains</help>
+        <completionHelp>
+          <path>firewall group domain-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="network-group">
+      <properties>
+        <help>Group of networks</help>
+        <completionHelp>
+          <path>firewall group network-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="port-group">
+      <properties>
+        <help>Group of ports</help>
+        <completionHelp>
+          <path>firewall group port-group</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/version/conntrack-version.xml.i b/interface-definitions/include/version/conntrack-version.xml.i
index 696f76362..c0f632c70 100644
--- a/interface-definitions/include/version/conntrack-version.xml.i
+++ b/interface-definitions/include/version/conntrack-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/conntrack-version.xml.i -->
-<syntaxVersion component='conntrack' version='3'></syntaxVersion>
+<syntaxVersion component='conntrack' version='4'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in
index 8dad048b8..3abf9bbf0 100644
--- a/interface-definitions/system-conntrack.xml.in
+++ b/interface-definitions/system-conntrack.xml.in
@@ -40,82 +40,177 @@
               <help>Customized rules to ignore selective connection tracking</help>
             </properties>
             <children>
-              <tagNode name="rule">
+              <node name="ipv4">
                 <properties>
-                  <help>Rule number</help>
-                  <valueHelp>
-                    <format>u32:1-999999</format>
-                    <description>Number of conntrack ignore rule</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="numeric" argument="--range 1-999999"/>
-                  </constraint>
-                  <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
+                  <help>IPv4 rules</help>
                 </properties>
                 <children>
-                  #include <include/generic-description.xml.i>
-                  <node name="destination">
+                  <tagNode name="rule">
                     <properties>
-                      <help>Destination parameters</help>
+                      <help>Rule number</help>
+                      <valueHelp>
+                        <format>u32:1-999999</format>
+                        <description>Number of conntrack ignore rule</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-999999"/>
+                      </constraint>
+                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                     </properties>
                     <children>
-                      #include <include/nat-address.xml.i>
-                      #include <include/nat-port.xml.i>
+                      #include <include/generic-description.xml.i>
+                      <node name="destination">
+                        <properties>
+                          <help>Destination parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/source-destination-group-ipv4.xml.i>
+                          #include <include/nat-address.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      <leafNode name="inbound-interface">
+                        <properties>
+                          <help>Interface to ignore connections tracking on</help>
+                          <completionHelp>
+                            <list>any</list>
+                            <script>${vyos_completion_dir}/list_interfaces</script>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      #include <include/ip-protocol.xml.i>
+                      <leafNode name="protocol">
+                        <properties>
+                          <help>Protocol to match (protocol name, number, or "all")</help>
+                          <completionHelp>
+                            <script>${vyos_completion_dir}/list_protocols.sh</script>
+                            <list>all tcp_udp</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>all</format>
+                            <description>All IP protocols</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>tcp_udp</format>
+                            <description>Both TCP and UDP</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>u32:0-255</format>
+                            <description>IP protocol number</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>!&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ip-protocol"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <node name="source">
+                        <properties>
+                          <help>Source parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/source-destination-group-ipv4.xml.i>
+                          #include <include/nat-address.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
                     </children>
-                  </node>
-                  <leafNode name="inbound-interface">
-                    <properties>
-                      <help>Interface to ignore connections tracking on</help>
-                      <completionHelp>
-                        <list>any</list>
-                        <script>${vyos_completion_dir}/list_interfaces</script>
-                      </completionHelp>
-                    </properties>
-                  </leafNode>
-                  #include <include/ip-protocol.xml.i>
-                  <leafNode name="protocol">
+                  </tagNode>
+                </children>
+              </node>
+              <node name="ipv6">
+                <properties>
+                  <help>IPv6 rules</help>
+                </properties>
+                <children>
+                  <tagNode name="rule">
                     <properties>
-                      <help>Protocol to match (protocol name, number, or "all")</help>
-                      <completionHelp>
-                        <script>${vyos_completion_dir}/list_protocols.sh</script>
-                        <list>all tcp_udp</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>all</format>
-                        <description>All IP protocols</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>tcp_udp</format>
-                        <description>Both TCP and UDP</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>u32:0-255</format>
-                        <description>IP protocol number</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>&lt;protocol&gt;</format>
-                        <description>IP protocol name</description>
-                      </valueHelp>
+                      <help>Rule number</help>
                       <valueHelp>
-                        <format>!&lt;protocol&gt;</format>
-                        <description>IP protocol name</description>
+                        <format>u32:1-999999</format>
+                        <description>Number of conntrack ignore rule</description>
                       </valueHelp>
                       <constraint>
-                        <validator name="ip-protocol"/>
+                        <validator name="numeric" argument="--range 1-999999"/>
                       </constraint>
-                    </properties>
-                  </leafNode>
-                  <node name="source">
-                    <properties>
-                      <help>Source parameters</help>
+                      <constraintErrorMessage>Ignore rule number must be between 1 and 999999</constraintErrorMessage>
                     </properties>
                     <children>
-                      #include <include/nat-address.xml.i>
-                      #include <include/nat-port.xml.i>
+                      #include <include/generic-description.xml.i>
+                      <node name="destination">
+                        <properties>
+                          <help>Destination parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/address-ipv6.xml.i>
+                          #include <include/firewall/source-destination-group-ipv6.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
+                      <leafNode name="inbound-interface">
+                        <properties>
+                          <help>Interface to ignore connections tracking on</help>
+                          <completionHelp>
+                            <list>any</list>
+                            <script>${vyos_completion_dir}/list_interfaces</script>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      #include <include/ip-protocol.xml.i>
+                      <leafNode name="protocol">
+                        <properties>
+                          <help>Protocol to match (protocol name, number, or "all")</help>
+                          <completionHelp>
+                            <script>${vyos_completion_dir}/list_protocols.sh</script>
+                            <list>all tcp_udp</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>all</format>
+                            <description>All IP protocols</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>tcp_udp</format>
+                            <description>Both TCP and UDP</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>u32:0-255</format>
+                            <description>IP protocol number</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>!&lt;protocol&gt;</format>
+                            <description>IP protocol name</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ip-protocol"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <node name="source">
+                        <properties>
+                          <help>Source parameters</help>
+                        </properties>
+                        <children>
+                          #include <include/firewall/address-ipv6.xml.i>
+                          #include <include/firewall/source-destination-group-ipv6.xml.i>
+                          #include <include/nat-port.xml.i>
+                        </children>
+                      </node>
                     </children>
-                  </node>
+                  </tagNode>
                 </children>
-              </tagNode>
+              </node>
+              
             </children>
           </node>
           <node name="log">
-- 
cgit v1.2.3