From 6ce5fedb602c5ea0df52049a5e9c4fb4f5a86122 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 5 Jan 2024 12:13:17 +0000 Subject: T4839: firewall: Add dynamic address group in firewall configuration, and appropiate commands to populate such groups using source and destination address of the packet. --- interface-definitions/firewall.xml.in | 29 ++++++++++++++++++ .../firewall/add-dynamic-address-groups.xml.i | 34 ++++++++++++++++++++++ .../firewall/add-dynamic-ipv6-address-groups.xml.i | 34 ++++++++++++++++++++++ .../include/firewall/common-rule-ipv4.xml.i | 25 ++++++++++++++++ .../include/firewall/common-rule-ipv6.xml.i | 25 ++++++++++++++++ .../source-destination-dynamic-group-ipv6.xml.i | 17 +++++++++++ .../source-destination-dynamic-group.xml.i | 17 +++++++++++ 7 files changed, 181 insertions(+) create mode 100644 interface-definitions/include/firewall/add-dynamic-address-groups.xml.i create mode 100644 interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i create mode 100644 interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i create mode 100644 interface-definitions/include/firewall/source-destination-dynamic-group.xml.i (limited to 'interface-definitions')
diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index a4023058f..662ba24ab 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -115,6 +115,35 @@ #include + + + Firewall dynamic group + + + + + Firewall dynamic address group + + [a-zA-Z0-9][\w\-\.]* + + + + #include + + + + + Firewall dynamic IPv6 address group + + [a-zA-Z0-9][\w\-\.]* + + + + #include + + + + Firewall interface-group
diff --git a/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
new file mode 100644
index 000000000..769761cb6
--- /dev/null
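Review bot: The new dynamic address-group and IPv6 address-group definitions in firewall.xml.in show only a name pattern (`[a-zA-Z0-9][\w\-\.]*`) and an include, with no per-group ceiling on how many addresses a group may hold. Membership is written by rules matching live traffic rather than by the operator, so a bound belongs on the group definition itself; the rule-level timeout added elsewhere in this commit ages entries out but does not cap how many can exist at once. The XML tags are stripped in this rendering, so this is judged from the visible help text and pattern only and should be checked against the file. A sketch of such a leaf follows, with a placeholder node name and an illustrative range; the backend would need to honour it.

```xml
<!-- … unchanged: dynamic address-group definition, name pattern and #include … -->
<leafNode name="PLACEHOLDER-max-entries">
  <properties>
    <help>Maximum number of addresses kept in this dynamic group</help>
    <valueHelp>
      <format>u32:1-65535</format>
      <description>Maximum number of entries (illustrative range)</description>
    </valueHelp>
    <constraint>
      <validator name="numeric" argument="--range 1-65535"/>
    </constraint>
  </properties>
</leafNode>
```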
+++ b/interface-definitions/include/firewall/add-dynamic-address-groups.xml.i
@@ -0,0 +1,34 @@ + + + Dynamic address-group + + firewall group dynamic-group address-group + + + + + + Set timeout + + <number>s + Timeout value in seconds + + + <number>m + Timeout value in minutes + + + <number>h + Timeout value in hours + + + <number>d + Timeout value in days + + + \d+(s|m|h|d) + + + + \ No newline at end of file
diff --git a/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
new file mode 100644
index 000000000..7bd91c58a
--- /dev/null
+++ b/interface-definitions/include/firewall/add-dynamic-ipv6-address-groups.xml.i
@@ -0,0 +1,34 @@ + + + Dynamic ipv6-address-group + + firewall group dynamic-group ipv6-address-group + + + + + + Set timeout + + <number>s + Timeout value in seconds + + + <number>m + Timeout value in minutes + + + <number>h + Timeout value in hours + + + <number>d + Timeout value in days + + + \d+(s|m|h|d) + + + + \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv4.xml.i b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
index 4ed179ae7..158c7a662 100644
--- a/interface-definitions/include/firewall/common-rule-ipv4.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv4.xml.i
@@ -1,6 +1,29 @@ #include #include + + + Add ip address to dynamic address-group + + + + + Add source ip addresses to dynamic address-group + + + #include + + + + + Add destination ip addresses to dynamic address-group + + + #include + + + + Destination parameters
@@ -13,6 +36,7 @@ #include #include #include + #include
@@ -67,6 +91,7 @@ #include #include #include + #include \ No newline at end of file
diff --git a/interface-definitions/include/firewall/common-rule-ipv6.xml.i b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
index 6219557db..78eeb361e 100644
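Review bot: The timeout pattern `\d+(s|m|h|d)` in add-dynamic-address-groups.xml.i accepts `0s` and digit strings of any length, so a zero or effectively infinite lifetime passes CLI validation and is judged only by whatever consumes the value later. For a set that packets populate, the timeout is what ages entries out, so the schema should reject values that disable it, for example `[1-9]\d{0,4}(s|m|h|d)` (digit limit illustrative), together with a constraint error message stating the accepted range. How the backend treats a zero timeout is not visible in this diff and should be confirmed. The same pattern is repeated in add-dynamic-ipv6-address-groups.xml.i, and both new files end without a trailing newline.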
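Review bot: The help text `Add source ip addresses to dynamic address-group` in the first hunk of common-rule-ipv4.xml.i does not tell the operator that the recorded address is whatever the packet header carries. On traffic not tied to an established connection that field is chosen by the sender, so a group fed this way and later used in an accept or drop decision can be influenced remotely; the documentation should say so and point to combining the action with a connection-state match. Suggested wording: `Add source IP address of matching packets to dynamic address-group (taken from the packet header, not verified)`. The IPv6 counterpart in common-rule-ipv6.xml.i has the same wording, and "ip"/"ipv6" could be capitalised to match "Firewall dynamic IPv6 address group" in firewall.xml.in.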
--- a/interface-definitions/include/firewall/common-rule-ipv6.xml.i
+++ b/interface-definitions/include/firewall/common-rule-ipv6.xml.i
@@ -1,6 +1,29 @@ #include #include + + + Add ipv6 address to dynamic ipv6-address-group + + + + + Add source ipv6 addresses to dynamic ipv6-address-group + + + #include + + + + + Add destination ipv6 addresses to dynamic ipv6-address-group + + + #include + + + + Destination parameters
@@ -13,6 +36,7 @@ #include #include #include + #include
@@ -67,6 +91,7 @@ #include #include #include + #include \ No newline at end of file
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
new file mode 100644
index 000000000..845f8fe7c
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group-ipv6.xml.i
@@ -0,0 +1,17 @@ + + + Group + + + + + Group of dynamic ipv6 addresses + + firewall group dynamic-group ipv6-address-group + + + + + +
diff --git a/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
new file mode 100644
index 000000000..29ab98c68
--- /dev/null
+++ b/interface-definitions/include/firewall/source-destination-dynamic-group.xml.i
@@ -0,0 +1,17 @@ + + + Group + + + + + Group of dynamic addresses + + firewall group dynamic-group address-group + + + + + +
-- cgit v1.2.3
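Review bot: The group reference leaf in source-destination-dynamic-group-ipv6.xml.i shows a help string and a completion path (`firewall group dynamic-group ipv6-address-group`) but no validation pattern, whereas the group definition in firewall.xml.in restricts names to `[a-zA-Z0-9][\w\-\.]*`. Completion only suggests values, so any string can be committed as a group name unless a later verify step rejects it; since this value presumably ends up in generated ruleset text, it should be constrained in the schema as well, e.g. `<constraint><regex>[a-zA-Z0-9][\w\-\.]*</regex></constraint>` (with a leading `!?` if negated matches are intended). The XML tags are stripped in this rendering, so confirm against the file that no constraint is present. source-destination-dynamic-group.xml.i and the group leaves in the two add-dynamic-*-groups includes look the same.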